[Freeipa-interest] Announcing SSSD 1.10.0 Beta 2

Jakub Hrozek jhrozek at redhat.com
Tue Jun 11 21:26:28 UTC 2013


                       === SSSD 1.10 Beta 2 ===

The SSSD team is proud to announce the second beta release of version 1.10
of the System Security Services Daemon.

This beta release includes the rest of the new features planned for 1.10. The
features are mostly targeted at better integration with Microsoft Active
Directory.

As always, the source is available from https://fedorahosted.org/sssd.
RPM packages will be made available for Fedora 19 and rawhide shortly.

With this release, the 1.10 version is considered feature complete and
the strings are frozen. We will release the final 1.10.0 version once we
fix all the known crashes and regressions. The 1.10.0 release is
tentatively scheduled for the end of this week. Because the short period
between this beta and the final release would not allow the translators
to provide updated translations, the strings will remain frozen even for
the 1.10.1 release.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
    https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
    https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==
 * The Active Directory provider now includes support for retrieving
   identity information and authentication as users from trusted domains
   in the same forest. The SSSD looks up the information using the Global
   Catalog. Currently this feature is only supported when the SSSD is
   connected to the forest root.
 * The group memberships for Active Directory users are read from the PAC
   during login. If the PAC is not available (such as when group membership
   is requested for a user who has never logged in), the SSSD falls back to
   using tokenGroups.
 * The Active Directory provider is able to autodiscover the NetBIOS
   (flat) name of the domain it connects to. The NetBIOS name is discovered
   automatically on startup.
 * The full_name_format option now accepts a new parameter that expands
   to the NetBIOS name of the domain.
 * The new krb5_use_kdcinfo option allows the administrator to disable the
   Kerberos locator plugin and rely on information read from the krb5.conf
   file completely.
 * A new option ldap_disable_range_retrieval was added. Switching this
   option to True skips large Active Directory groups that might otherwise
   take a long time to download and process.
 * A new option refresh_expired_interval was added. This option configures
   a background task that automatically refreshes entries that are
   nearing their expiration time. In this release, only refreshing
   netgroups is implemented.
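
The options listed above, placed in an sssd.conf domain section. This is an added example, not part of the original announcement or the SSSD project's own configuration. The domain name and the timeout values are constructed placeholders, and the `%3$s` token for the flat name is taken from the sssd.conf man page, not from this announcement.

```ini
# Constructed example: ad.example.com and all numeric values are placeholders.
[sssd]
config_file_version = 2
services = nss, pam
domains = ad.example.com

[domain/ad.example.com]
id_provider = ad

# full_name_format tokens: %1$s = user name, %2$s = domain name,
# %3$s = NetBIOS (flat) name discovered at startup.
# With this format, fully qualified names print as FLATNAME\user
# rather than user@domain.
use_fully_qualified_names = True
full_name_format = %3$s\%1$s

# Default is True: SSSD tells the Kerberos locator plugin which KDCs to use.
# With False, KDC selection comes only from krb5.conf, so the realm and its
# KDCs must be configured correctly there.
krb5_use_kdcinfo = False

# Default is False. With True, groups large enough to need AD range
# retrieval are skipped, so tools that enumerate group members
# (getgrnam / getgrgid) see them as having no members. Check any policy
# that reads group member lists before enabling this.
ldap_disable_range_retrieval = True

# Default is 0 (background refresh disabled). Value is in seconds and is
# set below entry_cache_timeout so entries are refreshed before they expire.
# In this release only netgroups are refreshed by the task.
entry_cache_timeout = 5400
refresh_expired_interval = 4050
```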

== Packaging Changes ==
 * The Makefile has been amended so that it no longer uses overlinking,
   which is disabled by default on some distributions (such as Debian and
   its derivatives).
 * The upstream RPM specfile now packages each provider separately. The SSSD
   daemon and the responders are now included in the sssd-common package,
   while the sssd package has become a "meta package" that Requires all the
   existing providers for backwards compatibility.
 * The libsss_sudo and libsss_autofs libraries are now part of the
   sssd-common package.

== Tickets Fixed ==
 https://fedorahosted.org/sssd/ticket/1510
    Split providers into their own subpackages
 https://fedorahosted.org/sssd/ticket/1797
    Use hardened flags for building RPMs
 https://fedorahosted.org/sssd/ticket/1976
    Copy-n-paste error in AD provider
 https://fedorahosted.org/sssd/ticket/1883
    Add a new option to disable the Kerberos locator plugin completely
 https://fedorahosted.org/sssd/ticket/1713
    [RFE] Add a task to the SSSD to periodically refresh cached entries
 https://fedorahosted.org/sssd/ticket/1891
    unite periodic refresh API
 https://fedorahosted.org/sssd/ticket/1789
    ldap_access_order improvements (man page fix)
 https://fedorahosted.org/sssd/ticket/1972
    Dereference after a NULL check in tests/common_dom.c
 https://fedorahosted.org/sssd/ticket/1971
    Dereference before NULL check in nscd.c
 https://fedorahosted.org/sssd/ticket/1816
    Non-fatal errors looking up trusted domains with IPA back end
 https://fedorahosted.org/sssd/ticket/1845
    move libsss_sudo and libsss_autofs back into the main sssd package
 https://fedorahosted.org/sssd/ticket/364
    [RFE] Recognize trusted domains in AD provider
 https://fedorahosted.org/sssd/ticket/1557
    [RFE] Use the Global Catalog in SSSD for the AD provider
 https://fedorahosted.org/sssd/ticket/1558
    [RFE] Use MS-PAC to retrieve user's group list
 https://fedorahosted.org/sssd/ticket/1951
    NetBIOS domain name should be read at startup
 https://fedorahosted.org/sssd/ticket/1929
    Junk character in sssd_domain.log for domain string when sssd tries to go online from offline mode
 https://fedorahosted.org/sssd/ticket/1928
    Libtool fails to find dependent libraries
 https://fedorahosted.org/sssd/ticket/1950
    segfault while processing ASQ request
 https://fedorahosted.org/sssd/ticket/1924
    MAN: Make it clear which address is used to update DNS records
 https://fedorahosted.org/sssd/ticket/1648
    Fully qualified account names form should be able to use flatname in the fq format
 https://fedorahosted.org/sssd/ticket/1930
    Crash with negative values in ldap_idmap_range_size
 https://fedorahosted.org/sssd/ticket/1823
    getgrnam / getgrgid for large user groups is too slow due to range retrieval functionality
 https://fedorahosted.org/sssd/ticket/1927
    Provide a script to create a SRPM without having to run configure
 https://fedorahosted.org/sssd/ticket/1785
    NSCD warning is irritating
 https://fedorahosted.org/sssd/ticket/1934
    sssd crashes if junk is present in sssd.conf
 https://fedorahosted.org/sssd/ticket/1772
    Rename or alias the SAFEALIGN macros
 https://fedorahosted.org/sssd/ticket/1909
    Clarify the AD site discovery in sssd-ad man page
 https://fedorahosted.org/sssd/ticket/1921
    Login failure: Enterprise Principal enabled by default for AD Provider
 https://fedorahosted.org/sssd/ticket/1905
    pysss_nss_idmap improvements
 https://fedorahosted.org/sssd/ticket/1914
    pysss_nss_idmap: Support also Unicode strings and return them by default
 https://fedorahosted.org/sssd/ticket/1922
    sssd_be crashes when looking up users in the LDAP provider with ID mapping
 https://fedorahosted.org/sssd/ticket/1910
    Clarify that AD DNS updates are performed using GSS-TSIG
 https://fedorahosted.org/sssd/ticket/1915
    Turn on dyndns updates by default in the AD provider
 https://fedorahosted.org/sssd/ticket/1912
    SUDO is not working for users from trusted AD domain
 https://fedorahosted.org/sssd/ticket/1468
    [RFE] AD: Should be able to log in as long or short domains

== Detailed Changelog ==
Jakub Hrozek (45):
      * Update the version for the 1.10 beta2 release
      * Actually use the index parameter in resolv_get_sockaddr_address_index
      * Fix a typo in sssd-ad man page
      * tests: Do not set cwd twice
      * Enable the AD dynamic DNS updates by default
      * man: Clarify that AD dyndns updates are secured using GSS-TSIG
      * LDAP: Always initialize idmap object
      * Re-add a useful DEBUG message
      * man: Clarify the AD site discovery documentation
      * man: Note that IPA updates are secured with GSS-TSIG
      * Remove unneeded parameter of setup_child and namespace it
      * Fix dyndns timer initialization
      * IPA: Check for ENOMEM
      * Remove unneeded comment
      * FO: Fix setting status of duplicates
      * AD dyndns: extract the host name from URI
      * Add utility functions for formatting fully-qualified names
      * Check the validity of FQname format prior to using it
      * Allow flat name in the FQname format
      * Remove branching to improve readability
      * tests: Link fqnames_tests with libsss_test_common.la
      * Do not obfuscate calls with booleans
      * LDAP: sdap_id_ctx might contain several connections
      * LDAP: Refactor account info handler into a tevent request
      * LDAP: Pass in a connection to ID functions
      * LDAP: new SDAP domain structure
      * LDAP: return sdap search return code to ID
      * Move domain_to_basedn outside IPA subtree
      * New utility function sss_get_domain_name
      * LDAP: split a function to create search bases
      * LDAP: store FQDNs for trusted users and groups
      * Split generating primary GID for ID mapped users into a separate function
      * LDAP: Do not store separate GID for subdomain users
      * AD: Add additional service to support Global Catalog lookups
      * AD ID lookups - choose GC or LDAP as appropriate
      * AD: Store trusted AD domains as subdomains
      * rpm: Fold libsss_sudo and libsss_autofs back into the main SSSD package
      * dyndns: Fix NULL check
      * man: document the need to set ldap_access_order
      * A new option krb5_use_kdcinfo
      * Fix allocation check in the AD provider
      * rpm: Use hardened flags for RPM build
      * rpm: Split providers into separate subpackages
      * Update transifex URL to transifex.com
      * Updating translations for the 1.10 beta2 release

Jan Cholasta (4):
      * UTIL: Add function sss_names_init_from_args
      * SSH: Fix parsing of names from client requests
      * SSH: Use separate field for domain name in client requests
      * SSH: Do not skip domains with use_fully_qualified_names in host key requests

Lukas Slebodnik (13):
      * Fixes compilation without selinux.
      * Fix broken build with selinux.
      * Fix segfault in AD Subdomains Module
      * Fixing critical format string issues.
      * Adding script to create a SRPM
      * Removing unused functions.
      * Adding option to disable retrieving large AD groups.
      * Making order in tests.
      * Remove empty directories after tests run.
      * Prevent segfault while processing ASQ request
      * Fix compilation with disabled link_all_deplibs.
      * Use deep copy for dns_domain and discovery_domain
      * Fix dereference after a NULL check in tests.

Michal Zidek (1):
      * Rename SAFEALIGN macros.

Ondrej Kos (8):
      * Fix segfault in DYNDNS
      * DB: Fix segfault when configuration file cannot be parsed
      * Move nscd.c from tools to util
      * Check NSCD configuration file
      * Fail with misconfigured id-mapping ranges
      * MAN: state default dyndns interface
      * DB: Don't add invalid ranges
      * Don't test for NULL in nscd config check

Pavel Březina (5):
      * sudo responder: search rules for subdomains in parent domain subtree
      * back end: periodic task API
      * back end: periodical refresh of expired records API
      * back end: add refresh expired records periodic task
      * providers: refresh expired netgroups

Stef Walter (1):
      * Add a domain config attribute for realmd

Stephen Gallagher (2):
      * Remove old hash support from example spec
      * Add 'description' attribute to SSSDConfig API

Sumit Bose (21):
      * AD: read flat name and SID of the AD domain
      * Add missing \n to debug string
      * Fix missing initialization in Python bindings for libsss_nss_idmap
      * Add support for tuples and unicode pysss_nss_idmap.so
      * Always update cached upn if enterprise principals are used
      * Fix return code for AD subdomain request
      * pysss_nss_idmap: do not treat strings as sequences
      * IPA: Always initialize ID mapping
      * Handle SID strings in sdap_attrs_get_sid_str() as well
      * IPA: read user and group SID
      * Add SID related requests to the LDAP provider
      * Set canonicalize flag if enterprise principals are used
      * Lookup domains at startup
      * Add be request queue
      * Use queue for get_subdomains
      * Read SIDs of groups with sysdb_initgroups() as well
      * Enhance PAC responder for AD users
      * Intermittent fix for get_user_and_group_users_done
      * Always send the PAC to the PAC responder
      * Implicitly activate the PAC responder for AD provider
      * Fix some doxygen warnings

Yuri Chornoivan (1):
      * Fix minor typos



