diff --git a/sssd.changes b/sssd.changes index bedd0c3..64369e0 100644 --- a/sssd.changes +++ b/sssd.changes 
@@ -2,197 +2,26 @@ Wed Sep 30 11:44:21 UTC 2015 - michael@stroeder.com - Update to new upstream release 1.13.1 -- libsss_ad_common.so not installed anymore - -== Highlights == - * Initial support for Smart Card authentication was added. The feature - can be activated with the new pam_cert_auth option - * The PAM prompting was enhanced so that when Two-Factor Authentication - is used, both factors (password and token) can be entered separately - on separate prompts. At the same time, only the long-term password is - cached, so offline access would still work using the long term password - * A new command line tool sss_override is present in this release. The - tools allows to override attributes on the SSSD side. It's helpful in - environment where e.g. some hosts need to have a different view of POSIX - attributes than others. Please note that the overrides are stored in - the cache as well, so removing the cache will also remove the overrides - * New methods were added to the SSSD D-Bus interface. Notably support - for looking up a user by certificate and looking up multiple users - using a wildcard was added. Please see the interface introspection or - the design pages for full details - * Several enhancements to the dynamic DNS update code. Notably, clients - that update multiple interfaces work better with this release - * This release supports authenticating againt a KDC proxy - * The fail over code was enhanced so that if a trusted domain is not - reachable, only that domain will be marked as inactive but the backed - would stay in online mode - * Several fixes to the GPO access control code are present - -== Packaging Changes == - * The Smart Card authentication feature requires a helper process - p11_child that needs to be marked as setgid if SSSD needs to be able - to. 
Please note the p11_child requires the NSS crypto library at the moment - * The sss_override tool was added along with its own manpage - * The upstream RPM can now build on RHEL/CentOS 6.7 - -== Documentation Changes == - * The config_file_version configuration option now defaults to 2. As - an effect, this option doesn't have to be set anymore unless the config - file format is changed again by SSSD upstream - * It is now possible to specify a comma-separated list of interfaces in - the dyndns_iface option - * The InfoPipe responder and the LDAP provider gained a new option - wildcard_lookup that specifies an upper limit on the number of entries - that can be returned with a wildcard lookup - * A new option dyndns_server was added. This option allows to attempt - a fallback DNS update against a specific DNS server. Please note this - option only works as a fallback, the first attempt will always be - performed against autodiscovered servers. - * The PAM responder gained a new option ca_db that allows the storage - of trusted CA certificates to be specified - * The time the p11_child is allowed to operate can be specified using - a new option p11_child_timeout - -== Tickets Fixed == - -https://fedorahosted.org/sssd/ticket/546 - [RFE] Support for smart cards -https://fedorahosted.org/sssd/ticket/1697 - sssd: incorrect checks on length values during packet decoding -https://fedorahosted.org/sssd/ticket/1926 - [RFE] Start the dynamic DNS update after the SSSD has been setup for - the first time -https://fedorahosted.org/sssd/ticket/1994 - Complain loudly if backend doesn't start due to missing or invalid keytab -https://fedorahosted.org/sssd/ticket/2275 - nested netgroups do not work in IPA provider -https://fedorahosted.org/sssd/ticket/2283 - test dyndns failed. 
-https://fedorahosted.org/sssd/ticket/2335 - Investigate using the krb5 responder for driving the PAM conversation - with OTPs -https://fedorahosted.org/sssd/ticket/2463 - Pass error messages via the extdom plugin -https://fedorahosted.org/sssd/ticket/2495 - [RFE]Allow sssd to add a new option that would specify which server - to update DNS with -https://fedorahosted.org/sssd/ticket/2549 - RFE: Support multiple interfaces with the dyndns_iface option -https://fedorahosted.org/sssd/ticket/2553 - RFE: Add support for wildcard-based cache updates -https://fedorahosted.org/sssd/ticket/2558 - Add dualstack and multihomed support -https://fedorahosted.org/sssd/ticket/2561 - Too much logging -https://fedorahosted.org/sssd/ticket/2579 - TRACKER: Support one-way trusts for IPA -https://fedorahosted.org/sssd/ticket/2581 - Re-check memcache after acquiring the lock in the client code -https://fedorahosted.org/sssd/ticket/2584 - RFE: Support client-side overrides -https://fedorahosted.org/sssd/ticket/2597 - Add index for 'objectSIDString' and maybe to other cache attributes -https://fedorahosted.org/sssd/ticket/2637 - RFE: Don't mark the main domain as offline if SSSD can't connect to - a subdomain -https://fedorahosted.org/sssd/ticket/2639 - RFE: Detect re-established trusts in the IPA subdomain code -https://fedorahosted.org/sssd/ticket/2652 - KDC proxy not working with SSSD krb5_use_kdcinfo enabled -https://fedorahosted.org/sssd/ticket/2676 - Group members are not turned into ghost entries when the user is purged - from the SSSD cache -https://fedorahosted.org/sssd/ticket/2682 - sudoOrder not honored as expected -https://fedorahosted.org/sssd/ticket/2688 - Default to config_file_version=2 -https://fedorahosted.org/sssd/ticket/2691 - GPO: PAM system error returned for PAM_ACCT_MGMT and offline mode -https://fedorahosted.org/sssd/ticket/2692 - GPO: Access denied due to using wrong sam_account_name -https://fedorahosted.org/sssd/ticket/2694 - CI: Fix ramshackle 
test_ipa_subdomains_server (FAIL: - test_ipa_subdom_server) -https://fedorahosted.org/sssd/ticket/2699 - SSSDConfig: wrong return type returned on python3 -https://fedorahosted.org/sssd/ticket/2700 - krb5_child should always consider online state to allow use of - MS-KKDC proxy -https://fedorahosted.org/sssd/ticket/2708 - Logging messages from user point of view -https://fedorahosted.org/sssd/ticket/2711 - [RFE] Provide interface for SSH to fetch user certificate -https://fedorahosted.org/sssd/ticket/2712 - Initgroups memory cache does not work with fq names -https://fedorahosted.org/sssd/ticket/2716 - Initgroups mmap cache needs update after db changes -https://fedorahosted.org/sssd/ticket/2717 - well-known SID check is broken for NetBIOS prefixes -https://fedorahosted.org/sssd/ticket/2718 - SSSD keytab validation check expects root ownership -https://fedorahosted.org/sssd/ticket/2719 - IPA: returned unknown dp error code with disabled migration mode -https://fedorahosted.org/sssd/ticket/2722 - Missing config options in gentoo init script -https://fedorahosted.org/sssd/ticket/2723 - Could not resolve AD user from root domain -https://fedorahosted.org/sssd/ticket/2724 - getgrgid for user's UID on a trust client prevents getpw* -https://fedorahosted.org/sssd/ticket/2725 - If AD site detection fails, not even ad_site override skipped -https://fedorahosted.org/sssd/ticket/2729 - Do not send SSS_OTP if both factors were entered separately -https://fedorahosted.org/sssd/ticket/2731 - searching SID by ID always checks all domains -https://fedorahosted.org/sssd/ticket/2733 - Don't use deprecated libraries (libsystemd-*) -https://fedorahosted.org/sssd/ticket/2737 - sss_override: add import and export commands -https://fedorahosted.org/sssd/ticket/2738 - Cannot build rpms from upstream spec file on rawhide -https://fedorahosted.org/sssd/ticket/2742 - When certificate is added via user-add-cert, it cannot be looked up - via 
org.freedesktop.sssd.infopipe.Users.FindByCertificate -https://fedorahosted.org/sssd/ticket/2743 - memory cache can work intermittently -https://fedorahosted.org/sssd/ticket/2744 - cleanup_groups should sanitize dn of groups -https://fedorahosted.org/sssd/ticket/2746 - the PAM srv test often fails on RHEL-7 -https://fedorahosted.org/sssd/ticket/2748 - test_memory_cache failed in invalidation cache before stop -https://fedorahosted.org/sssd/ticket/2749 - Fix crash in nss responder -https://fedorahosted.org/sssd/ticket/2754 - Clear environment and set restrictive umask in p11_child -https://fedorahosted.org/sssd/ticket/2757 - sss_override does not work correctly when 'use_fully_qualified_names - = True' -https://fedorahosted.org/sssd/ticket/2758 - sss_override contains an extra parameter --debug but is not listed in - the man page or in the arguments help -https://fedorahosted.org/sssd/ticket/2762 - [RFE] sssd: better feedback form constraint password change -https://fedorahosted.org/sssd/ticket/2768 - Test 'test_id_cleanup_exp_group' failed -https://fedorahosted.org/sssd/ticket/2772 - sssd cannot resolve user names containing backslash with ldap provider -https://fedorahosted.org/sssd/ticket/2773 - Make p11_child timeout configurable -https://fedorahosted.org/sssd/ticket/2777 - Fix memory leak in GPO -https://fedorahosted.org/sssd/ticket/2782 - sss_override : The local override user is not found -https://fedorahosted.org/sssd/ticket/2783 - REGRESSION: Dyndns soes not update reverse DNS records -https://fedorahosted.org/sssd/ticket/2790 - sss_override --name doesn't work with RFC2307 and ghost users -https://fedorahosted.org/sssd/ticket/2799 - unit tests do not link correctly on Debian -https://fedorahosted.org/sssd/ticket/2803 - Memory leak / possible DoS with krb auth. -https://fedorahosted.org/sssd/ticket/2805 - AD: Conditional jump or move depends on uninitialised value +* Initial support for Smart Card authentication was added. 
The + feature can be activated with the new pam_cert_auth option. +* The PAM prompting was enhanced so that when Two-Factor + Authentication is used, both factors (password and token) can + be entered separately on separate prompts. At the same time, + only the long-term password is cached, so offline access would + still work using the long term password. +* A new command line tool sss_override is present in this + release. The tools allows to override attributes on the SSSD + side. It's helpful in environment where e.g. some hosts need to + have a different view of POSIX attributes than others. Please + note that the overrides are stored in the cache as well, so + removing the cache will also remove the overrides. +* Several enhancements to the dynamic DNS update code. Notably, + clients that update multiple interfaces work better with this + release. +* This release supports authenticating againt a KDC proxy +* The fail over code was enhanced so that if a trusted domain is + not reachable, only that domain will be marked as inactive but + the backed would stay in online mode. ------------------------------------------------------------------- Thu Aug 20 08:34:44 UTC 2015 - jengelh@inai.de
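Review bot: The removed "Tickets Fixed" block takes with it the only changelog references to the security-relevant fixes in 1.13.1, namely ticket 1697 (incorrect checks on length values during packet decoding), 2754 (clear environment and set restrictive umask in p11_child) and 2803 (memory leak / possible DoS with krb auth), so someone auditing the package from sssd.changes can no longer see that this update carries them. Keep a short list of those entries below the new highlights, even if the rest of the ticket list is dropped. The removed "Packaging Changes" note about p11_child being marked setgid describes a privilege-relevant packaging decision and is worth retaining, as are the mentions of the new ca_db and p11_child_timeout options that accompany pam_cert_auth. The removed "libsss_ad_common.so not installed anymore" line should stay if it still applies to this package. In the added bullets, "againt" should be "against", "the backed" should be "the backend", "The tools allows" should be "The tool allows", and the KDC proxy bullet lacks the closing period the other bullets have.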