Hi,

I would really like to release 1.15.3 soon (like, today, at worst
tomorrow if we can't merge PR #328 and #331 today). The release notes
are here:
    https://pagure.io/fork/jhrozek/SSSD/docs

You can either clone the repo and run 'make html' or, for your
convenience, I'm pasting the RST-formatted release notes below:

SSSD 1.15.3
===========

Highlights
----------

New Features
^^^^^^^^^^^^
 * In a setup where an IPA domain trusts an Active Directory domain,
   it is now possible to `define the domain resolution order
   <http://www.freeipa.org/page/Releases/4.5.0#AD_User_Short_Names>`_.
   Starting with this version, SSSD is able to read and honor the domain
   resolution order, providing a way to resolve Active Directory users by
   just their short name.  SSSD also supports a new option
   ``domain_resolution_order`` applicable in the ``[sssd]`` section
   that allows configuring short names for AD users in a setup with
   ``id_provider=ad`` or in a setup with an older IPA server that doesn't
   support the ``ipa config-mod --domain-resolution-order``
   configuration option. Also, it is now possible to use
   ``use_fully_qualified_names=False`` in a subdomain configuration, but
   please note that the user and group output from trusted domains will
   always be qualified to avoid conflicts.

   * Design page - `Shortnames in trusted domains
     <https://docs.pagure.org/SSSD.sssd/design_pages/shortnames.html>`_

 * SSSD ships with a new service called KCM. This service acts as a
   storage for Kerberos tickets when ``libkrb5`` is configured to use
   ``KCM:`` in ``krb5.conf``. Compared to other Kerberos credential
   cache types, KCM is better suited for containerized environments and,
   because the credential caches are managed by a stateful daemon, future
   releases will also be able to renew tickets acquired outside SSSD
   (e.g. with ``kinit``) or provide notifications about ticket changes.

   * Design page - `KCM server for SSSD
     <https://docs.pagure.org/SSSD.sssd/design_pages/kcm.html>`_

   * `NOTE`: There are several known issues in the ``KCM`` responder that
     will be handled in the next release, such as
     `issues with very large tickets <https://pagure.io/SSSD/sssd/issue/3386>`_
     or `tracking the SELinux label of the peer
     <https://pagure.io/SSSD/sssd/issue/3434>`_.

 * Support for user and group resolution through the D-Bus interface and
   authentication and/or authorization through the PAM interface even
   for setups without UIDs or Windows SIDs present on the LDAP directory
   side. This enhancement allows SSSD to be used together with `apache
   modules <https://github.com/adelton/mod_lookup_identity>`_ to provide
   identities for applications.

   * Design page - `Support for non-POSIX users and groups
     <https://docs.pagure.org/SSSD.sssd/design_pages/non_posix_support.html>`_

 * SSSD ships a new public library called ``libsss_certmap`` that allows
   a flexible and configurable way of mapping a certificate to a user
   identity. This is required e.g. in environments where it is not possible
   to add the certificate to the LDAP user entry, because the certificates
   are issued externally or the LDAP schema cannot be modified. Additionally,
   specific matching rules allow a specific certificate on a smart card to
   be selected for authentication.

   * Design page - `Matching and Mapping Certificates
     <https://docs.pagure.org/SSSD.sssd/design_pages/matching_and_mapping_certificates.html>`_

 * The Kerberos locator plugin can be disabled using an environment variable
   ``SSSD_KRB5_LOCATOR_DISABLE``. Please refer to the
   ``sssd_krb5_locator_plugin`` manual page for more details.

 * The ``sssctl`` command line tool supports a new command ``user-checks``
   that enables the administrator to check whether a certain user should be
   allowed or denied access to a certain PAM service.

 * The ``secrets`` responder now forwards requests to a proxy Custodia
   back end over a secure channel.

Notable bug fixes
^^^^^^^^^^^^^^^^^

 * The IPA HBAC evaluator no longer relies on ``originalMemberOf``
   attributes to construct the list of groups the user is a member of.
   Maintaining the ``originalMemberOf`` attribute was unreliable and
   was causing intermittent HBAC issues.

 * A bug where the cleanup operation might erroneously remove cached users
   during their cache validation in case SSSD was set up with
   ``enumerate=True`` was fixed.

 * Several bugs related to configuration of trusted domains were fixed, in
   particular handling of custom LDAP search bases set for trusted domains.

 * Password changes for users from trusted Active Directory domains
   were fixed.

Packaging Changes
-----------------

 * A new KCM responder was added along with a manpage. The upstream
   reference specfile packages the responder in its own subpackage called
   ``sssd-kcm``, together with a krb5.conf snippet that enables the ``KCM``
   credential cache simply by installing the subpackage.

 * The ``libsss_certmap`` library was packaged in a separate package. There
   is also a ``libsss_certmap-devel`` subpackage in the upstream packaging.

Documentation Changes
---------------------

 * ``sssd-kcm`` and ``libsss_certmap`` are documented in their own
   manual pages.

 * A new option ``domain_resolution_order`` was added. This option allows
   specifying the lookup order (especially w.r.t. trusted domains) that sssd
   will follow. Please see the `Shortnames in trusted domains
   <https://docs.pagure.org/SSSD.sssd/design_pages/shortnames.html>`_ design
   page for more details.

 * New options ``pam_app_services`` and ``domain_type`` were added. These
   options can be used to only limit certain PAM services to reach certain
   SSSD domains that should only be exposed to non-OS applications. For
   more details, refer to the `Support for non-POSIX users and groups
   <https://docs.pagure.org/SSSD.sssd/design_pages/non_posix_support.html>`_
   design page.

 * The ``secrets`` responder supports several new options related to TLS
   setup and handling including ``verify_peer``, ``verify_host``,
   ``capath``, ``cacert`` and ``cert``. These options are all described
   in the ``sssd-secrets`` manual page.
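The following ``sssd.conf`` is an added example, not part of the release notes or of the SSSD project's own documentation; it puts the options introduced above (``domain_resolution_order`` and ``use_fully_qualified_names`` in a trusted-domain section, an application domain gated by ``pam_app_services``, and the ``secrets`` proxy with TLS verification) into one file. All domain names, hostnames, file paths and the ``webapp_auth`` PAM service name are constructed placeholders.

```ini
[sssd]
services = nss, pam, ifp, secrets
domains = ipa.example.com, webapp
; New in 1.15.3: short-name lookups try these domains in this order.
; Use this on clients of an older IPA server without
; 'ipa config-mod --domain-resolution-order', or with id_provider=ad.
domain_resolution_order = ad.example.com, ipa.example.com

[domain/ipa.example.com]
id_provider = ipa
ipa_domain = ipa.example.com
; constructed server name
ipa_server = ipa.example.com

; Trusted AD domain (constructed). Short names are now accepted on input;
; user and group names in the output stay fully qualified.
[domain/ipa.example.com/ad.example.com]
use_fully_qualified_names = False

; Application domain: identities without UIDs/SIDs, reachable only over
; the D-Bus (ifp) and PAM interfaces, never through NSS.
[application/webapp]
inherit_from = ipa.example.com

[pam]
; Only the listed PAM services may reach application domains; OS login
; services such as sshd never see the non-POSIX identities.
pam_app_services = webapp_auth

[secrets]
provider = proxy
; constructed Custodia endpoint; after ticket #3192 the proxy really
; speaks https, so insist on verifying the peer and its hostname
proxy_url = https://custodia.example.com/secrets/
verify_peer = true
verify_host = true
cacert = /etc/pki/tls/certs/custodia-ca.pem
; client certificate presented to the proxy (constructed path)
cert = /etc/sssd/secrets-client.pem
```

Running ``sssctl config-check`` against the file is the quickest way to catch a misspelt option before restarting the daemon.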

Tickets Fixed
-------------
 * `#3447 <https://pagure.io/SSSD/sssd/issue/#3447>`_ - files provider should
   not use LOCAL_pam_handler but call the backend
 * `#3435 <https://pagure.io/SSSD/sssd/issue/#3435>`_ - Create a function to
   copy search bases between sdap_domain structures
 * `#3431 <https://pagure.io/SSSD/sssd/issue/#3431>`_ - Loading enterprise
   principals doesn't work with a primed cache
 * `#3426 <https://pagure.io/SSSD/sssd/issue/#3426>`_ - IPA client cannot
   change AD Trusted User password
 * `#3418 <https://pagure.io/SSSD/sssd/issue/#3418>`_ - Segfault if
   access_provider = krb5 is set in sssd.conf due to an off-by-one error when
   constructing the child send buffer
 * `#3410 <https://pagure.io/SSSD/sssd/issue/#3410>`_ - python-sssdconfig
   doesn't parse hexadecimal debug_level, resulting in set_option():
   /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError
 * `#3408 <https://pagure.io/SSSD/sssd/issue/#3408>`_ - Accept changed
   principal if krb5_canonicalize=True
 * `#3404 <https://pagure.io/SSSD/sssd/issue/#3404>`_ - man: Update option
   "ipa_server_mode=True" in "man sssd-ipa"
 * `#3403 <https://pagure.io/SSSD/sssd/issue/#3403>`_ - SSSD doesn't handle
   conflicts between users from trusted domains with the same name when
   shortname user resolution is enabled
 * `#3398 <https://pagure.io/SSSD/sssd/issue/#3398>`_ - MAN: The timeout option
   doesn't say after how many heartbeats the process will be killed
 * `#3397 <https://pagure.io/SSSD/sssd/issue/#3397>`_ - ad provider: Child
   domains always use autodiscovered search bases
 * `#3393 <https://pagure.io/SSSD/sssd/issue/#3393>`_ - sss_nss_getlistbycert()
   does not return results from multiple domains
 * `#3391 <https://pagure.io/SSSD/sssd/issue/#3391>`_ - sss_override doesn't
   work with files provider
 * `#3389 <https://pagure.io/SSSD/sssd/issue/#3389>`_ - subdomain_homedir is
   not present in cfg_rules.ini
 * `#3378 <https://pagure.io/SSSD/sssd/issue/#3378>`_ - domain_to_basedn()
   function should use SDAP_SEARCH_BASE value from the domain code
 * `#3377 <https://pagure.io/SSSD/sssd/issue/#3377>`_ - sssd-ad man page should
   clarify that GSSAPI is used
 * `#3375 <https://pagure.io/SSSD/sssd/issue/#3375>`_ - minor typo fix that
   might have big impact
 * `#3361 <https://pagure.io/SSSD/sssd/issue/#3361>`_ - sssd_be crashes if
   ad_enabled_domains is selected
 * `#3359 <https://pagure.io/SSSD/sssd/issue/#3359>`_ - Allow to disable krb5
   locator plugin selectively
 * `#3358 <https://pagure.io/SSSD/sssd/issue/#3358>`_ - [abrt] [faf] sssd:
   vfprintf(): /usr/libexec/sssd/sssd_be killed by 11
 * `#3354 <https://pagure.io/SSSD/sssd/issue/#3354>`_ - ifp:
   Users.FindByCertificate fails when certificate contains data before
   encapsulation boundary
 * `#3344 <https://pagure.io/SSSD/sssd/issue/#3344>`_ - Include sssd-secrets in
   SEE ALSO section of sssd.conf man page
 * `#3343 <https://pagure.io/SSSD/sssd/issue/#3343>`_ - Properly fall back to
   local Smartcard authentication
 * `#3340 <https://pagure.io/SSSD/sssd/issue/#3340>`_ - The option
   enable_files_domain does not work if sssd is not compiled with
   --enable-files-domain
 * `#3339 <https://pagure.io/SSSD/sssd/issue/#3339>`_ - sssd failed to start
   with missing /etc/sssd/sssd.conf if compiled without --enable-files-domain
 * `#3332 <https://pagure.io/SSSD/sssd/issue/#3332>`_ - Issue processing ssh
   keys from certificates in ssh responder
 * `#3448 <https://pagure.io/SSSD/sssd/issue/#3448>`_ - Idle nss file
   descriptors should be closed
 * `#3428 <https://pagure.io/SSSD/sssd/issue/#3428>`_ - getent failed to fetch
   netgroup information after changing default_domain_suffix to ADdomin in
   /etc/sssd/sssd.conf
 * `#3356 <https://pagure.io/SSSD/sssd/issue/#3356>`_ - Config file validator
   doesn't process entries from application domain
 * `#3331 <https://pagure.io/SSSD/sssd/issue/#3331>`_ - Wrong pam return code
   for user from subdomain with
 * `#3329 <https://pagure.io/SSSD/sssd/issue/#3329>`_ - Wrong principal found
   with ad provider and long host name
 * `#3421 <https://pagure.io/SSSD/sssd/issue/#3421>`_ - Wrong search base used
   when SSSD is directly connected to AD child domain
 * `#3406 <https://pagure.io/SSSD/sssd/issue/#3406>`_ - sssd goes offline when
   renewing expired ticket
 * `#3394 <https://pagure.io/SSSD/sssd/issue/#3394>`_ - LDAP to IPA migration
   doesn't work in master
 * `#3392 <https://pagure.io/SSSD/sssd/issue/#3392>`_ -
   org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into
   names with AD
 * `#3382 <https://pagure.io/SSSD/sssd/issue/#3382>`_ - SSSD should use
   memberOf, not originalMemberOf to evaluate group membership for HBAC rules
 * `#3381 <https://pagure.io/SSSD/sssd/issue/#3381>`_ - Per-subdomain LDAP
   filter is not applied for subsequent subdomains
 * `#3373 <https://pagure.io/SSSD/sssd/issue/#3373>`_ - Infopipe method
   ListByCertificate does not return the users with overrides
 * `#3372 <https://pagure.io/SSSD/sssd/issue/#3372>`_ - crash in sssd-kcm due
   to a race-condition between two concurrent requests
 * `#3369 <https://pagure.io/SSSD/sssd/issue/#3369>`_ -
   ldap_purge_cache_timeout in RHEL7.3 invalidates most of the entries once the
   cleanup task kicks in
 * `#3362 <https://pagure.io/SSSD/sssd/issue/#3362>`_ - filter_users and
   filter_groups stop working properly in v 1.15
 * `#3351 <https://pagure.io/SSSD/sssd/issue/#3351>`_ - User lookup failure due
   to search-base handling
 * `#3347 <https://pagure.io/SSSD/sssd/issue/#3347>`_ - gpo_child fails when
   log is enabled in smb
 * `#3318 <https://pagure.io/SSSD/sssd/issue/#3318>`_ - SSSD in server mode
   iterates over all domains for group-by-GID requests, causing unnecessary
   searches
 * `#3310 <https://pagure.io/SSSD/sssd/issue/#3310>`_ - Support delivering
   non-POSIX users and groups through the IFP and PAM interfaces
 * `#3050 <https://pagure.io/SSSD/sssd/issue/#3050>`_ - [RFE] Use one smartcard
   and certificate for authentication to distinct logon accounts
 * `#3001 <https://pagure.io/SSSD/sssd/issue/#3001>`_ - [RFE] Short name input
   format with SSSD for users from all domains when domain autodiscovery is used
   or when SSSD acts as an IPA client for server with IPA-AD trusts
 * `#2887 <https://pagure.io/SSSD/sssd/issue/#2887>`_ - [RFE] KCM ccache daemon
   in SSSD
 * `#3419 <https://pagure.io/SSSD/sssd/issue/#3419>`_ - krb5: properly handle
   'password expired' information returned by the KDC during PKINIT/Smartcard
   authentication
 * `#3407 <https://pagure.io/SSSD/sssd/issue/#3407>`_ - IPA: do not lookup IPA
   users via extdom plugin
 * `#3405 <https://pagure.io/SSSD/sssd/issue/#3405>`_ - Handle certmap errors
   gracefully during user lookups
 * `#3395 <https://pagure.io/SSSD/sssd/issue/#3395>`_ - Properly support IPA's
   promptusername config option
 * `#3387 <https://pagure.io/SSSD/sssd/issue/#3387>`_ - Dbus activate InfoPipe
   does not answer some initial request
 * `#3385 <https://pagure.io/SSSD/sssd/issue/#3385>`_ - Smart card login fails
   if same cert mapped to IdM user and AD user
 * `#3355 <https://pagure.io/SSSD/sssd/issue/#3355>`_ - application domain
   requires inherit_from and cannot be used separately
 * `#3327 <https://pagure.io/SSSD/sssd/issue/#3327>`_ - expect
   sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged
   into sssd-common package
 * `#3297 <https://pagure.io/SSSD/sssd/issue/#3297>`_ - selinux_provider fails
   in a container if libsemanage is not available
 * `#3268 <https://pagure.io/SSSD/sssd/issue/#3268>`_ - D-Bus GetUserGroups
   method of sssd is always qualifying all group names
 * `#3240 <https://pagure.io/SSSD/sssd/issue/#3240>`_ - Smartcard
   authentication with UPN as logon name might fail
 * `#3210 <https://pagure.io/SSSD/sssd/issue/#3210>`_ - [RFE] Read prioritized
   list of trusted domains for unqualified ID resolution from IDM server
 * `#3192 <https://pagure.io/SSSD/sssd/issue/#3192>`_ - [sssd-secrets] https
   proxy talks plain http
 * `#3182 <https://pagure.io/SSSD/sssd/issue/#3182>`_ - sssd does not refresh
   expired cache entries with enumerate=true
 * `#3065 <https://pagure.io/SSSD/sssd/issue/#3065>`_ - sssctl: distinguish
   between autodiscovered and joined domains
 * `#2940 <https://pagure.io/SSSD/sssd/issue/#2940>`_ - The member link is not
   removed when the last group's nested member goes away
 * `#2714 <https://pagure.io/SSSD/sssd/issue/#2714>`_ - Add SSSD domain as
   property to user on D-Bus
 * `#1498 <https://pagure.io/SSSD/sssd/issue/#1498>`_ - sss_ssh_knownhostsproxy
   prevents connection if the network is unreachable via one IP address
 * `#3330 <https://pagure.io/SSSD/sssd/issue/#3330>`_ - sssctl config-check
   does not give any error when default configuration file is not present
 * `#3292 <https://pagure.io/SSSD/sssd/issue/#3292>`_ - RFE: Create
   troubleshooting tool to check authentication, authorization and extended
   attribute lookup
 * `#3133 <https://pagure.io/SSSD/sssd/issue/#3133>`_ - RFE to add option of
   check user access in SSSD

Detailed Changelog
------------------
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org