The SSSD team is proud to announce the release of the System Security Services Daemon, version 1.2.91. Please give it a spin and report any bugs you find!

As always, SSSD 1.2.91 is available for download at https://fedorahosted.org/sssd

== Highlights ==
 * Rewrote the internal LDB cache API. As a synchronous API it is now faster to access and easier to work with
 * Eugene Indenbom contributed a sizeable amount of code to the LDAP provider
 * We now handle failover situations much more reliably than we did previously
 * If a request fails partway through (due to a remote server ceasing to function) we will now restart the conversation with the next server in the failover list
 * We also will now monitor the GSSAPI Kerberos ticket and automatically renew it when appropriate, instead of waiting for a connection to fail
 * Support for netlink now allows us to more quickly detect situations where we may have come online
 * New option {{{dns_discovery_domain}}} allows better configuration for using SRV records for failover

== Detailed Changelog ==
Alexander Gordeev (1):
 * Add explicit requests for several operational attrs

David O'Brien (1):
 * Copy-edit and format review sssd.conf

Dmitri Pal (16):
 * Adding metadata interface
 * Adding content to the metadata
 * Resolve paths for reporting purposes
 * Access control and config change checks
 * Add ability to trace 64bit numbers
 * Fixing spec file to match version.
 * Fixing build
 * Code restructuring
 * Extending refarray interface
 * Introducing a comment object
 * Adding support for explicit 32/64 types (attempt 2).
 * Addressing initialization issues.
 * Fixing types in queue and stack interfaces
 * Fixing memory leaks in the unit test.
 * Fixing NULL dereferencing in ini_config
 * Memory leak in case of empty value

Héctor Daniel Cabrera (1):
 * Updating ES translation

Jakub Hrozek (32):
 * Treat server names as case-insensitive in failover code
 * Do not mark a request as failed twice
 * Sort SRV replies according to RFC 2782
 * Remove freed server_common entities from list
 * Support SRV servers in failover
 * Silence warnings with -O2
 * Fix uninitialized variable
 * Add a README file
 * Use all available servers in LDAP provider
 * Improve the offline authentication message
 * Fix memory hierarchy in the ipa timerules
 * Use service discovery in backends
 * SSSDConfigAPI fixes
 * Try all servers during Kerberos auth
 * Remove dead code from the PAM responder
 * Man page fixes
 * Don't return uninitialized value in proxy provider
 * Skip empty attributes with warning
 * Fix realm_str dereference
 * Fix potential NULL dereference in fail_over.c
 * Fix Incorrect NULL check in get_server_common()
 * Add missing break to switch statement
 * get_uid_from_pid should use fstat rather than lstat
 * Remove krb5_changepw_principal option
 * Remove the -g option from useradd
 * Fix potential resource leak in copy_tree_ctx()
 * Potential memory leak in _nss_sss_*_r()
 * Check closedir call in find_uid
 * Print correct return code
 * Resend SIGINT as SIGTERM in services
 * Add dns_discovery_domain option
 * Use netlink to detect going online

Petter Reinholdtsen (2):
 * Allow Debian/Ubuntu build to pass --install-layout=deb to setup.py
 * Remove bash-isms from configure macros

Piotr Drąg (1):
 * Update Polish translation

Rui Gouveia (2):
 * Updating pt translation
 * Update pt translation

Simo Sorce (45):
 * sysdb: start conversion from async to sync
 * sysdb: use sysdb_delete_entry in recursive delete
 * sysdb: convert sysdb_delete_custom
 * sysdb: convert sysdb_search_entry and sysdb_delete_recursive
 * sysdb: convert sysdb_search_user_by_name/uid
 * sysdb: convert sysdb_search_group_by_name/gid
 * sysdb: convert sysdb_set_entry/user/group_attr
 * sysdb: convert sysdb_get_new_id
 * sysdb: convert sysdb_store/add(_basic)_user
 * sysdb: convert sysdb_store/add(_basic)_group
 * sysdb: convert sysdb_mod/add/remove_group_member
 * sysdb: convert sysdb_cache_password
 * sysdb: convert sysdb_search_custom
 * sysdb: convert sysdb_store_custom
 * sysdb: convert sysdb_asq_search
 * sysdb remove sldb_request_send, not used anymore
 * sysdb: convert sysdb_search_users
 * sysdb: convert sysdb_delete_user
 * sysdb: delete sysdb_delete_group
 * sysdb: convert sysdb_search_groups
 * sysdb: convert sysdb_cache_auth
 * sysdb: remove sysdb_check_handle
 * tests: remove use of asynchronous transactions
 * sysdb: add synchronous transaction functions
 * proxy: complete conversion to synchronous sysdb
 * Use the sysdb synchronous transaction functions
 * Remove remaining use of sysdb_transaction_send
 * sysdb: remove async transactions
 * sysdb: add automatic transactions where needed
 * sysdb: convert sysdb_getpwnam
 * sysdb: convert sysdb_getpwuid
 * sysdb: convert sysdb_getgrnam
 * sysdb: convert sysdb_getgrgid
 * sysdb: convert sysdb_get_user_attr
 * sysdb: convert sysdb_enumpwent
 * sysdb: convert sysdb_enumgrent
 * Adjust fill_pwent and fill_grent
 * sysdb: convert sysdb_initgroups
 * sysdb: remove obsolete helpers from sysdb
 * sysdb: remove remaining traces of sysdb_handle
 * sysdb: Finally stop using a common event context
 * Make groupshow synchronous.
 * tools: remove creation of event_context
 * Better handle sdap_handle memory from callers.
 * Avoid freeing sdap_handle too early

Stephen Gallagher (68):
 * Support docdir and abs_builddir
 * sysdb: convert sysdb_delete_entry
 * Bumping version on master to 1.2.90
 * Update translations for master branch
 * Fix merge error for sss_userdel.c
 * Remove unused configure macro
 * Fix warning in sysdb-tests.c
 * Fix ini_config unit test
 * Give information about ldap_schema in the sample config
 * Make ID provider init functions clearer
 * Remove the NSS_LIBS and KRB5_LIBS variables from sssd.spec
 * Add dns_resolver_timeout option
 * Fix segfault in GSSAPI reconnect code
 * Make krb5_kpasswd available for any krb5 provider
 * Clean up kdcinfo and kpasswdinfo files when exiting
 * Add callback when the ID provider switches from offline to online
 * Add dynamic DNS updates to FreeIPA
 * Revert "Add dynamic DNS updates to FreeIPA"
 * Properly set up SIGCHLD handlers
 * Add dynamic DNS updates to FreeIPA
 * Don't report a fatal error for an HBAC denial
 * Add a better error message for TLS failures
 * Add enumerate details to the manpage and examples
 * Revert "Copy pam data from DBus message"
 * Display name of PAM action in pam_print_data()
 * Make data provider id_callback public
 * Fix error reporting for be_pam_handler
 * Proxy provider PAM handling in child process
 * Support password changes in chpass_provider = proxy
 * Add ldap_access_filter option
 * Fix typo in Makefile
 * Fix broken build against older versions of OpenLDAP
 * Fix typo in Makefile.am
 * Disable connection callbacks when going online
 * Change default min_id to 1
 * Allow ldap_access_filter values wrapped in parentheses
 * Properly handle read() and write() throughout the SSSD
 * Fix misuse of errno in find_uid.c
 * Avoid potential NULL dereference
 * Properly handle missing originalMemberOf entry in initgroups
 * Don't leak directory access resources on errors in directory_list()
 * Check the correct variable for NULL after creating timer
 * Properly check that the timeout event was created for cleanup/enum
 * Check return code of hash_delete in proxy_child_destructor
 * Eliminate unused variable from pc_init_timeout()
 * Make sure to close varargs before returning from a function
 * Properly null-terminate socket path
 * Add ldap_force_upper_case_realm to example AD config
 * Don't segfault if ldap_access_filter is unspecified
 * Handle (ignore) unknown options in get_domain() and get_service()
 * Remove references to the DP service from the SSSDConfig API tests
 * Standardize on correct spelling of "principal" for krb5
 * Initialize len before looping to read the pidfile
 * Ensure that all domains are checked for users/groups
 * Refactor the negative cache
 * Move setup of filter_users and filter_groups to negcache.c
 * Honor filter_users in PAM
 * Fix potential resource leak in remove_tree_with_ctx()
 * Fix return value from remove_connection_callback() destructor
 * Protect against segfault in remove_ldap_connection_callbacks
 * Drop release requirement from versions
 * Bump libini_config version to 0.6.0
 * Replace %define with %global in example spec
 * Make RootDSE optional
 * Rename proxy_ctx to proxy_id_ctx for clarity
 * Split proxy.c into smaller files
 * Add try_inotify option
 * Release SSSD 1.2.91 (1.3.0rc1)

Sumit Bose (50):
 * Revert "Add better checks on PAM socket"
 * Use SO_PEERCRED on the PAM socket
 * Set LDAP_OPT_RESTART for all LDAP connections
 * Fix a potential memory violation
 * Make the handling of fd events opaque
 * Unset authentication tokens if password change fails
 * Display a message if a password reset by root fails
 * Fix wrong return value
 * Fix a wrong return value in IPA HBAC
 * Split pam_data utilities into a separate file
 * Create kdcinfo and kpasswdinfo file at startup
 * Compare the full service name
 * Add retry option to pam_sss
 * Add more warnings about nearly expired passwords
 * Make Kerberos authentication a tevent_req
 * New version of IPA auth and password migration
 * Add ldap_krb5_ticket_lifetime option
 * Defer sbus_dispatch() for 30ms during reconnect
 * Copy pam data from DBus message
 * Do not modify IPA_DOMAIN when setting Kerberos realm
 * Handle Krb5 password expiration warning
 * Add support for delayed kinit if offline
 * Fix handling of ccache file when going offline
 * Move parse_args() to util
 * Copy pam data from DBus message
 * Revert "Create kdcinfo and kpasswdinfo file at startup"
 * Refactor data provider callbacks
 * Add offline callbacks
 * Refactor krb5_finalize()
 * Add run_callbacks flag
 * Add callback to remove krb5 info files when going offline
 * Krb5 locator plugin returns KRB5_PLUGIN_NO_HANDLE
 * Refactor krb5 SIGTERM handler installation
 * Add krb5 SIGTERM handler to ipa auth provider
 * Add offline callback to disconnect global SDAP handle
 * Reset run_online_cb flag even if there are no callbacks
 * Fix check if LDAP id provider is already initialized
 * Remove signal event if child was terminated by a signal
 * Check ipaEnabledFlag
 * Add sysdb_attrs_get_string_array()
 * Use sysdb_attrs_get_string_array() instead of sysdb_attrs_get_el()
 * Use new schema for HBAC service checks
 * Remove service groups
 * Compare full service name
 * Unify sdap and sysdb data handling
 * Initialize pam_data in Kerberos child.
 * Avoid a potential double-free
 * Add a missing initializer
 * Add a missing free()
 * Fix SASL authentication

Yuri Chornoivan (1):
 * Update Ukrainian translation

eindenbom (14):
 * Avoid accessing half-deallocated memory when using talloc_zfree macro.
 * GSSAPI ticket expiry time is returned from ldap_child and stored in sdap_handle for future reference.
 * Added an interface to query number of configured (and currently resolved through SRV records) failover servers.
 * LDAP connection usage tracking, sharing and failover retry framework.
 * Add an interface to try next fail-over server after connection to the active server was unexpectedly dropped.
 * Use new LDAP connection framework to get user account info from LDAP.
 * Use new LDAP connection framework to get group account info from LDAP.
 * Use new LDAP connection framework to get user account groups from LDAP.
 * Use new LDAP connection framework for LDAP user and group enumeration.
 * Use new LDAP connection framework in LDAP access backend.
 * Use new LDAP connection framework in IPA access backend.
 * Use new LDAP connection framework in IPA dynamic DNS forwarder.
 * Remove remainder of now unused global LDAP connection handle.
 * Eliminate delayed sdap_handle destruction after fail-over retry.

--
Stephen Gallagher
RHCE 804006346421761