Hi, I would really like to release 1.15.3 soon (like, today, at worst tomorrow if we can't merge PR #328 and #331 today). The release notes are here: https://pagure.io/fork/jhrozek/SSSD/docs
You can either clone the repo and run 'make html' or, for your convenience, I'm pasting the RST-formatted release notes below:

SSSD 1.15.3
===========

Highlights
----------

New Features
^^^^^^^^^^^^

* In a setup where an IPA domain trusts an Active Directory domain, it is now possible to `define the domain resolution order <http://www.freeipa.org/page/Releases/4.5.0#AD_User_Short_Names>`_. Starting with this version, SSSD is able to read and honor the domain resolution order, providing a way to resolve Active Directory users by just their short name. SSSD also supports a new option ``domain_resolution_order``, applicable in the ``[sssd]`` section, that allows configuring short names for AD users in a setup with ``id_provider=ad`` or in a setup with an older IPA server that doesn't support the ``ipa config-mod --domain-resolution-order`` configuration option. Also, it is now possible to use ``use_fully_qualified_names=False`` in a subdomain configuration, but please note that the user and group output from trusted domains will always be qualified to avoid conflicts.

  * Design page - `Shortnames in trusted domains <https://docs.pagure.org/SSSD.sssd/design_pages/shortnames.html>`_

* SSSD ships with a new service called KCM. This service acts as a storage for Kerberos tickets when ``libkrb5`` is configured to use ``KCM:`` in ``krb5.conf``. Compared to other Kerberos credential cache types, KCM is better suited for containerized environments, and because the credential caches are managed by a stateful daemon, future releases will also allow renewing tickets acquired outside SSSD (e.g. with ``kinit``) or providing notifications about ticket changes.

  * Design page - `KCM server for SSSD <https://docs.pagure.org/SSSD.sssd/design_pages/kcm.html>`_
  * `NOTE`: There are several known issues in the ``KCM`` responder that will be handled in the next release, such as `issues with very large tickets <https://pagure.io/SSSD/sssd/issue/3386>`_ or `tracking the SELinux label of the peer <https://pagure.io/SSSD/sssd/issue/3434>`_

* Support for user and group resolution through the D-Bus interface and authentication and/or authorization through the PAM interface even for setups without UIDs or Windows SIDs present on the LDAP directory side. This enhancement allows SSSD to be used together with `apache modules <https://github.com/adelton/mod_lookup_identity>`_ to provide identities for applications.

  * Design page - `Support for non-POSIX users and groups <https://docs.pagure.org/SSSD.sssd/design_pages/non_posix_support.html>`_

* SSSD ships a new public library called ``libsss_certmap`` that allows a flexible and configurable way of mapping a certificate to a user identity. This is required e.g. in environments where it is not possible to add the certificate to the LDAP user entry, because the certificates are issued externally or the LDAP schema cannot be modified. Additionally, specific matching rules allow a specific certificate on a smart card to be selected for authentication.

  * Design page - `Matching and Mapping Certificates <https://docs.pagure.org/SSSD.sssd/design_pages/matching_and_mapping_certificates.html>`_

* The Kerberos locator plugin can be disabled using an environment variable ``SSSD_KRB5_LOCATOR_DISABLE``. Please refer to the ``sssd_krb5_locator_plugin`` manual page for more details.
* The ``sssctl`` command line tool supports a new command ``user-checks`` that enables the administrator to check whether a certain user should be allowed or denied access to a certain PAM service.
* The ``secrets`` responder now forwards requests to a proxy Custodia back end over a secure channel.
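The following ``sssd.conf`` is an added example, not part of the release notes or of the SSSD project's shipped configuration. It shows the new 1.15.3 options from the list above (and the ``pam_app_services``/``domain_type`` and ``secrets`` TLS options listed under Documentation Changes further down) wired together on an IPA client that trusts an AD forest. All domain names, hostnames, file paths, the PAM service name and the assumption that the certificate's SAN e-mail local part equals the IPA ``uid`` are placeholders; the ``key`` option comes from the ``sssd-secrets`` manual page and is not mentioned in the notes.

```ini
# Added example (not from the release notes): /etc/sssd/sssd.conf for an IPA
# client in a trust with AD, exercising the options new in SSSD 1.15.3.
# Domain names, hosts, paths and the PAM service name are placeholders.
[sssd]
config_file_version = 2
domains = ipa.example.com, webusers
services = nss, pam, ssh, ifp, secrets

# Unqualified lookups try the AD domain first, then the IPA domain. Only
# needed with id_provider = ad or an IPA server older than 4.5 (no
# `ipa config-mod --domain-resolution-order`); otherwise SSSD reads the
# order from the server. A short-name collision (see #3403 below) is won by
# the first domain listed, so put the domain whose users should win first.
domain_resolution_order = ad.example.com, ipa.example.com

[domain/ipa.example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = ipa.example.com
ipa_server = _srv_, ipa1.ipa.example.com
ipa_hostname = client1.ipa.example.com
cache_credentials = True

# Per-subdomain section for the trusted AD forest. Input may be the bare
# short name; output (getent, id) stays qualified as user@ad.example.com so
# that two trusted domains with the same user name cannot be confused.
[domain/ipa.example.com/ad.example.com]
use_fully_qualified_names = False

# libsss_certmap rule for smart cards whose certificates are NOT stored on
# the LDAP user entry. Only certificates from the internal CA with
# digitalSignature/clientAuth usage and a SAN e-mail in the IPA realm match;
# the local part of that e-mail is then looked up as the uid (assumption).
[certmap/ipa.example.com/smartcards]
matchrule = <ISSUER>^CN=Certificate Authority,O=IPA.EXAMPLE.COM$<KU>digitalSignature<EKU>clientAuth<SAN:rfc822Name>@ipa\.example\.com$
maprule = (uid={subject_rfc822_name.short_name})
priority = 10

# Non-POSIX identities for a web application (no uidNumber/gidNumber).
# They are reachable over D-Bus (IFP) and PAM only; the NSS responder never
# returns them, so they cannot become OS login accounts by accident.
[application/webusers]
inherit_from = ipa.example.com

[pam]
# Only this PAM service (the file name under /etc/pam.d) may authenticate
# against application domains; sshd, login, etc. never see them.
pam_app_services = httpd-webusers

[secrets]
provider = proxy
proxy_url = https://custodia.example.com:8443/secrets
# Keep peer and hostname verification on (the defaults). Setting either to
# false keeps the TLS framing but accepts any certificate, so an on-path
# attacker can read and replace the secrets in transit.
verify_peer = true
verify_host = true
cacert = /etc/pki/tls/certs/custodia-ca.pem
# Client certificate used to authenticate SSSD to Custodia. The "key"
# option is documented in sssd-secrets(5), not in the notes above.
cert = /etc/sssd/pki/sssd-secrets-client.pem
key = /etc/sssd/pki/sssd-secrets-client.key
```

Validate the file with ``sssctl config-check`` before restarting, then use the new ``sssctl user-checks`` command (e.g. ``sssctl user-checks -s httpd-webusers jdoe``) to confirm that the application-domain user is accepted by the intended PAM service and rejected by others such as ``sshd``. The KCM responder is configured on the Kerberos side, not here: the ``sssd-kcm`` subpackage drops a ``krb5.conf`` snippet setting ``default_ccache_name = KCM:`` in ``[libdefaults]``, after which ``klist`` reports a ``KCM:`` ticket cache instead of a ``FILE:`` one.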
Notable bug fixes
^^^^^^^^^^^^^^^^^

* The IPA HBAC evaluator no longer relies on ``originalMemberOf`` attributes to construct the list of groups the user is a member of. Maintaining the ``originalMemberOf`` attribute was unreliable and was causing intermittent HBAC issues.
* A bug where the cleanup operation might erroneously remove cached users during their cache validation in case SSSD was set up with ``enumerate=True`` was fixed.
* Several bugs related to configuration of trusted domains were fixed, in particular handling of custom LDAP search bases set for trusted domains.
* Password changes for users from trusted Active Directory domains were fixed.

Packaging Changes
-----------------

* A new KCM responder was added along with a manpage. The upstream reference specfile packages the responder in its own subpackage called ``sssd-kcm`` together with a krb5.conf snippet that enables the ``KCM`` credentials cache simply by installing the subpackage.
* The ``libsss_certmap`` library was packaged in a separate package. There is also a ``libsss_certmap-devel`` subpackage in the upstream packaging.

Documentation Changes
---------------------

* ``sssd-kcm`` and ``libsss_certmap`` are documented in their own manual pages.
* A new option ``domain_resolution_order`` was added. This option allows specifying the lookup order (especially w.r.t. trusted domains) that sssd will follow. Please see the `Shortnames in trusted domains <https://docs.pagure.org/SSSD.sssd/design_pages/shortnames.html>`_ design page for more details.
* New options ``pam_app_services`` and ``domain_type`` were added. These options can be used to limit certain PAM services to reaching only certain SSSD domains that should be exposed to non-OS applications only. For more details, refer to the `Support for non-POSIX users and groups <https://docs.pagure.org/SSSD.sssd/design_pages/non_posix_support.html>`_ design page.
* The ``secrets`` responder supports several new options related to TLS setup and handling, including ``verify_peer``, ``verify_host``, ``capath``, ``cacert`` and ``cert``. These options are all described in the ``sssd-secrets`` manual page.

Tickets Fixed
-------------

* `#3447 <https://pagure.io/SSSD/sssd/issue/#3447>`_ - files provider should not use LOCAL_pam_handler but call the backend
* `#3435 <https://pagure.io/SSSD/sssd/issue/#3435>`_ - Create a function to copy search bases between sdap_domain structures
* `#3431 <https://pagure.io/SSSD/sssd/issue/#3431>`_ - Loading enterprise principals doesn't work with a primed cache
* `#3426 <https://pagure.io/SSSD/sssd/issue/#3426>`_ - IPA client cannot change AD Trusted User password
* `#3418 <https://pagure.io/SSSD/sssd/issue/#3418>`_ - Segfault if access_provider = krb5 is set in sssd.conf due to an off-by-one error when constructing the child send buffer
* `#3410 <https://pagure.io/SSSD/sssd/issue/#3410>`_ - python-sssdconfig doesn't parse hexadecimal debug_level, resulting in set_option(): /usr/lib/python2.7/site-packages/SSSDConfig/__init__.py killed by TypeError
* `#3408 <https://pagure.io/SSSD/sssd/issue/#3408>`_ - Accept changed principal if krb5_canonicalize=True
* `#3404 <https://pagure.io/SSSD/sssd/issue/#3404>`_ - man: Update option "ipa_server_mode=True" in "man sssd-ipa"
* `#3403 <https://pagure.io/SSSD/sssd/issue/#3403>`_ - SSSD doesn't handle conflicts between users from trusted domains with the same name when shortname user resolution is enabled
* `#3398 <https://pagure.io/SSSD/sssd/issue/#3398>`_ - MAN: The timeout option doesn't say after how many heartbeats the process will be killed
* `#3397 <https://pagure.io/SSSD/sssd/issue/#3397>`_ - ad provider: Child domains always use autodiscovered search bases
* `#3393 <https://pagure.io/SSSD/sssd/issue/#3393>`_ - sss_nss_getlistbycert() does not return results from multiple domains
* `#3391 <https://pagure.io/SSSD/sssd/issue/#3391>`_ - sss_override doesn't work with files provider
* `#3389 <https://pagure.io/SSSD/sssd/issue/#3389>`_ - subdomain_homedir is not present in cfg_rules.ini
* `#3378 <https://pagure.io/SSSD/sssd/issue/#3378>`_ - domain_to_basedn() function should use SDAP_SEARCH_BASE value from the domain code
* `#3377 <https://pagure.io/SSSD/sssd/issue/#3377>`_ - sssd-ad man page should clarify that GSSAPI is used
* `#3375 <https://pagure.io/SSSD/sssd/issue/#3375>`_ - minor typo fix that might have big impact
* `#3361 <https://pagure.io/SSSD/sssd/issue/#3361>`_ - sssd_be crashes if ad_enabled_domains is selected
* `#3359 <https://pagure.io/SSSD/sssd/issue/#3359>`_ - Allow to disable krb5 locator plugin selectively
* `#3358 <https://pagure.io/SSSD/sssd/issue/#3358>`_ - [abrt] [faf] sssd: vfprintf(): /usr/libexec/sssd/sssd_be killed by 11
* `#3354 <https://pagure.io/SSSD/sssd/issue/#3354>`_ - ifp: Users.FindByCertificate fails when certificate contains data before encapsulation boundary
* `#3344 <https://pagure.io/SSSD/sssd/issue/#3344>`_ - Include sssd-secrets in SEE ALSO section of sssd.conf man page
* `#3343 <https://pagure.io/SSSD/sssd/issue/#3343>`_ - Properly fall back to local Smartcard authentication
* `#3340 <https://pagure.io/SSSD/sssd/issue/#3340>`_ - The option enable_files_domain does not work if sssd is not compiled with --enable-files-domain
* `#3339 <https://pagure.io/SSSD/sssd/issue/#3339>`_ - sssd failed to start with missing /etc/sssd/sssd.conf if compiled without --enable-files-domain
* `#3332 <https://pagure.io/SSSD/sssd/issue/#3332>`_ - Issue processing ssh keys from certificates in ssh responder
* `#3448 <https://pagure.io/SSSD/sssd/issue/#3448>`_ - Idle nss file descriptors should be closed
* `#3428 <https://pagure.io/SSSD/sssd/issue/#3428>`_ - getent failed to fetch netgroup information after changing default_domain_suffix to AD domain in /etc/sssd/sssd.conf
* `#3356 <https://pagure.io/SSSD/sssd/issue/#3356>`_ - Config file validator doesn't process entries from application domain
* `#3331 <https://pagure.io/SSSD/sssd/issue/#3331>`_ - Wrong pam return code for user from subdomain with
* `#3329 <https://pagure.io/SSSD/sssd/issue/#3329>`_ - Wrong principal found with ad provider and long host name
* `#3421 <https://pagure.io/SSSD/sssd/issue/#3421>`_ - Wrong search base used when SSSD is directly connected to AD child domain
* `#3406 <https://pagure.io/SSSD/sssd/issue/#3406>`_ - sssd goes offline when renewing expired ticket
* `#3394 <https://pagure.io/SSSD/sssd/issue/#3394>`_ - LDAP to IPA migration doesn't work in master
* `#3392 <https://pagure.io/SSSD/sssd/issue/#3392>`_ - org.freedesktop.sssd.infopipe.GetUserGroups does not resolve groups into names with AD
* `#3382 <https://pagure.io/SSSD/sssd/issue/#3382>`_ - SSSD should use memberOf, not originalMemberOf to evaluate group membership for HBAC rules
* `#3381 <https://pagure.io/SSSD/sssd/issue/#3381>`_ - Per-subdomain LDAP filter is not applied for subsequent subdomains
* `#3373 <https://pagure.io/SSSD/sssd/issue/#3373>`_ - Infopipe method ListByCertificate does not return the users with overrides
* `#3372 <https://pagure.io/SSSD/sssd/issue/#3372>`_ - crash in sssd-kcm due to a race-condition between two concurrent requests
* `#3369 <https://pagure.io/SSSD/sssd/issue/#3369>`_ - ldap_purge_cache_timeout in RHEL7.3 invalidates most of the entries once the cleanup task kicks in
* `#3362 <https://pagure.io/SSSD/sssd/issue/#3362>`_ - filter_users and filter_groups stop working properly in v 1.15
* `#3351 <https://pagure.io/SSSD/sssd/issue/#3351>`_ - User lookup failure due to search-base handling
* `#3347 <https://pagure.io/SSSD/sssd/issue/#3347>`_ - gpo_child fails when log is enabled in smb
* `#3318 <https://pagure.io/SSSD/sssd/issue/#3318>`_ - SSSD in server mode iterates over all domains for group-by-GID requests, causing unnecessary searches
* `#3310 <https://pagure.io/SSSD/sssd/issue/#3310>`_ - Support delivering non-POSIX users and groups through the IFP and PAM interfaces
* `#3050 <https://pagure.io/SSSD/sssd/issue/#3050>`_ - [RFE] Use one smartcard and certificate for authentication to distinct logon accounts
* `#3001 <https://pagure.io/SSSD/sssd/issue/#3001>`_ - [RFE] Short name input format with SSSD for users from all domains when domain autodiscovery is used or when SSSD acts as an IPA client for server with IPA-AD trusts
* `#2887 <https://pagure.io/SSSD/sssd/issue/#2887>`_ - [RFE] KCM ccache daemon in SSSD
* `#3419 <https://pagure.io/SSSD/sssd/issue/#3419>`_ - krb5: properly handle 'password expired' information returned by the KDC during PKINIT/Smartcard authentication
* `#3407 <https://pagure.io/SSSD/sssd/issue/#3407>`_ - IPA: do not lookup IPA users via extdom plugin
* `#3405 <https://pagure.io/SSSD/sssd/issue/#3405>`_ - Handle certmap errors gracefully during user lookups
* `#3395 <https://pagure.io/SSSD/sssd/issue/#3395>`_ - Properly support IPA's promptusername config option
* `#3387 <https://pagure.io/SSSD/sssd/issue/#3387>`_ - Dbus activated InfoPipe does not answer some initial request
* `#3385 <https://pagure.io/SSSD/sssd/issue/#3385>`_ - Smart card login fails if same cert mapped to IdM user and AD user
* `#3355 <https://pagure.io/SSSD/sssd/issue/#3355>`_ - application domain requires inherit_from and cannot be used separately
* `#3327 <https://pagure.io/SSSD/sssd/issue/#3327>`_ - expect sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy manuals to be packaged into sssd-common package
* `#3297 <https://pagure.io/SSSD/sssd/issue/#3297>`_ - selinux_provider fails in a container if libsemanage is not available
* `#3268 <https://pagure.io/SSSD/sssd/issue/#3268>`_ - D-Bus GetUserGroups method of sssd is always qualifying all group names
* `#3240 <https://pagure.io/SSSD/sssd/issue/#3240>`_ - Smartcard authentication with UPN as logon name might fail
* `#3210 <https://pagure.io/SSSD/sssd/issue/#3210>`_ - [RFE] Read prioritized list of trusted domains for unqualified ID resolution from IDM server
* `#3192 <https://pagure.io/SSSD/sssd/issue/#3192>`_ - [sssd-secrets] https proxy talks plain http
* `#3182 <https://pagure.io/SSSD/sssd/issue/#3182>`_ - sssd does not refresh expired cache entries with enumerate=true
* `#3065 <https://pagure.io/SSSD/sssd/issue/#3065>`_ - sssctl: distinguish between autodiscovered and joined domains
* `#2940 <https://pagure.io/SSSD/sssd/issue/#2940>`_ - The member link is not removed when the last group's nested member goes away
* `#2714 <https://pagure.io/SSSD/sssd/issue/#2714>`_ - Add SSSD domain as property to user on D-Bus
* `#1498 <https://pagure.io/SSSD/sssd/issue/#1498>`_ - sss_ssh_knownhostsproxy prevents connection if the network is unreachable via one IP address
* `#3330 <https://pagure.io/SSSD/sssd/issue/#3330>`_ - sssctl config-check does not give any error when default configuration file is not present
* `#3292 <https://pagure.io/SSSD/sssd/issue/#3292>`_ - RFE: Create troubleshooting tool to check authentication, authorization and extended attribute lookup
* `#3133 <https://pagure.io/SSSD/sssd/issue/#3133>`_ - RFE to add option of check user access in SSSD

Detailed Changelog
------------------

_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org