From b39414e572e55148d9ca93f9bfa409fa5db32b13ddc458eaad4474843a1c2b35 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sun, 14 Jun 2015 20:48:52 +0000 Subject: [PATCH 1/2] Accepting request 311988 from home:stroeder:branches:network:ldap update to 1.12.5 OBS-URL: https://build.opensuse.org/request/show/311988 OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=148 --- sssd-1.12.4.tar.gz | 3 --- sssd-1.12.4.tar.gz.asc | 7 ----- sssd-1.12.5.tar.gz | 3 +++ sssd-1.12.5.tar.gz.asc | 7 +++++ sssd.changes | 61 ++++++++++++++++++++++++++++++++++++++++++ sssd.spec | 2 +- 6 files changed, 72 insertions(+), 11 deletions(-) delete mode 100644 sssd-1.12.4.tar.gz delete mode 100644 sssd-1.12.4.tar.gz.asc create mode 100644 sssd-1.12.5.tar.gz create mode 100644 sssd-1.12.5.tar.gz.asc diff --git a/sssd-1.12.4.tar.gz b/sssd-1.12.4.tar.gz deleted file mode 100644 index 4396546..0000000 --- a/sssd-1.12.4.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ea3be3a40b20284bd3126481dd0747cd07e39d5ef7ef7026d4902d96fc3e9edf -size 4226841 diff --git a/sssd-1.12.4.tar.gz.asc b/sssd-1.12.4.tar.gz.asc deleted file mode 100644 index cea6482..0000000 --- a/sssd-1.12.4.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iEYEABECAAYFAlTk1dAACgkQHsardTLnvCWfnwCg4JrLxP6Jjm9GYlTAqQS5N5cb -ufYAniGjhC+1IBPQVJYiYiCkzjoYDpq3 -=XPd1 ------END PGP SIGNATURE----- diff --git a/sssd-1.12.5.tar.gz b/sssd-1.12.5.tar.gz new file mode 100644 index 0000000..edd0deb --- /dev/null +++ b/sssd-1.12.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:243d8db7c72ecb21aa9db8a09fe9f9b10049dbdb35a1cc2f55e214f21e3ce256 +size 4300869 diff --git a/sssd-1.12.5.tar.gz.asc b/sssd-1.12.5.tar.gz.asc new file mode 100644 index 0000000..7841619 --- /dev/null +++ b/sssd-1.12.5.tar.gz.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iEYEABECAAYFAlV6uQEACgkQHsardTLnvCWZCwCdEWMU5ry/swLp5y/DGPXp6GkH +4U4AnjTVtz1Vj1R7hyzVKKL6uqsR6kdR +=dk0K +-----END PGP SIGNATURE----- diff --git a/sssd.changes b/sssd.changes index 0add0b0..3612026 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,64 @@ +------------------------------------------------------------------- +Sun Jun 14 17:44:20 UTC 2015 - michael@stroeder.com + +- Update to new upstream release 1.12.5 + +== Highlights == + * This release adds several new enhancements and fixes many bugs + * Notable new enhancements: + * The background refresh tasks now supports refreshing users and groups + as well. Please see the description of the `refresh_expired_interval` + parameter in the `sssd.conf` man page. + * A new option subdomain_inherit was added. Options included in + the subdomain_inherit option also apply for trusted domains, if + supported. This release supports inheriting ignore_group_members, + ldap_purge_cache_timeout, ldap_use_tokengroups and + ldap_user_principal. + * When an expired account attempts to log in, a configurable error + message can be displayed with sufficient pam_verbosity setting. Please + see the description of the pam_account_expired_message option for + more information. + * OpenLDAP ppolicy can be honored even when an alternate login method + (such as SSH key) is used. Please see the description of the new + ppolicy value of the ldap_access_order option. + * A new option krb5_map_user was added. This option allows the admin + to map UNIX usernames to Kerberos principals. The option would be + mostly useful for setups that wish to continue using UNIX file-based + identities together with SSSD Kerberos authentication + * The important bug fixes include: + * Several AD-specific bugs that resulted in the incorrect set of groups + being displayed after the initgroups operation were fixed + * Many fixes related to the IPA ID views feature are included. Setups + using the ID views feature should update the SSSD instance on both + IPA servers and clients. + * The AD provider now handles binary GUIDs correctly. This bug was + manifested with an error message saying ldb_modify failed: Invalid + attribute syntax. + * The AD provider no longer downloads full group objects during + initgroups request if POSIX attributes are used. This fix may speed + up the login times significantly. + * A bug that prevented the `ignore_group_members` parameter to be used + with the AD provider was fixed + * The fail over code now reads and honors TTL value for SRV queries + as well. Previously, SRV queries used a hardcoded timeout + * The SELinux context set up during login with an IPA provider is only + called if the context had changed. This fixes a performance regression + with the IPA provider. + * Race condition between setting the timeout in the back ends and + reading it in the front end during initgroup operation was fixed. This + bug affected applications that perform the `initgroups(3)` operation + in multiple processes simultaneously. + * Setups that only want to use the domain SSSD is connected to, but not + the autodiscovered trusted domains by setting `subdomains_provider=none` + now work correctly as long as the domain SID is set manually in the + config file + * In case only allow rules are used, the simple access provider is + now able to skip unresolvable groups. + * The GPO access control code now handles situations where user and + computer objects were in different domains. Previously, an attempt to + log in as user from a different domain than computer always resulted + in login failure. + ------------------------------------------------------------------- Thu Feb 19 10:51:22 UTC 2015 - hguo@suse.com diff --git a/sssd.spec b/sssd.spec index ac3af7f..342166c 100644 --- a/sssd.spec +++ b/sssd.spec @@ -17,7 +17,7 @@ Name: sssd -Version: 1.12.4 +Version: 1.12.5 Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+ From 48ad59e2293ddc70974705fe407614272b34f265c070b56909b1a22094352540 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sun, 14 Jun 2015 20:54:24 +0000 Subject: [PATCH 2/2] Trim changelog by smart grammatical reordering OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=149 --- sssd.changes | 90 ++++++++++++++++++++-------------------------------- sssd.spec | 2 +- 2 files changed, 35 insertions(+), 57 deletions(-) diff --git a/sssd.changes b/sssd.changes index 3612026..1ff7aff 100644 --- a/sssd.changes +++ b/sssd.changes @@ -2,62 +2,40 @@ Sun Jun 14 17:44:20 UTC 2015 - michael@stroeder.com - Update to new upstream release 1.12.5 - -== Highlights == - * This release adds several new enhancements and fixes many bugs - * Notable new enhancements: - * The background refresh tasks now supports refreshing users and groups - as well. Please see the description of the `refresh_expired_interval` - parameter in the `sssd.conf` man page. - * A new option subdomain_inherit was added. Options included in - the subdomain_inherit option also apply for trusted domains, if - supported. This release supports inheriting ignore_group_members, - ldap_purge_cache_timeout, ldap_use_tokengroups and - ldap_user_principal. - * When an expired account attempts to log in, a configurable error - message can be displayed with sufficient pam_verbosity setting. Please - see the description of the pam_account_expired_message option for - more information. - * OpenLDAP ppolicy can be honored even when an alternate login method - (such as SSH key) is used. Please see the description of the new - ppolicy value of the ldap_access_order option. - * A new option krb5_map_user was added. This option allows the admin - to map UNIX usernames to Kerberos principals. The option would be - mostly useful for setups that wish to continue using UNIX file-based - identities together with SSSD Kerberos authentication - * The important bug fixes include: - * Several AD-specific bugs that resulted in the incorrect set of groups - being displayed after the initgroups operation were fixed - * Many fixes related to the IPA ID views feature are included. Setups - using the ID views feature should update the SSSD instance on both - IPA servers and clients. - * The AD provider now handles binary GUIDs correctly. This bug was - manifested with an error message saying ldb_modify failed: Invalid - attribute syntax. - * The AD provider no longer downloads full group objects during - initgroups request if POSIX attributes are used. This fix may speed - up the login times significantly. - * A bug that prevented the `ignore_group_members` parameter to be used - with the AD provider was fixed - * The fail over code now reads and honors TTL value for SRV queries - as well. Previously, SRV queries used a hardcoded timeout - * The SELinux context set up during login with an IPA provider is only - called if the context had changed. This fixes a performance regression - with the IPA provider. - * Race condition between setting the timeout in the back ends and - reading it in the front end during initgroup operation was fixed. This - bug affected applications that perform the `initgroups(3)` operation - in multiple processes simultaneously. - * Setups that only want to use the domain SSSD is connected to, but not - the autodiscovered trusted domains by setting `subdomains_provider=none` - now work correctly as long as the domain SID is set manually in the - config file - * In case only allow rules are used, the simple access provider is - now able to skip unresolvable groups. - * The GPO access control code now handles situations where user and - computer objects were in different domains. Previously, an attempt to - log in as user from a different domain than computer always resulted - in login failure. +* The background refresh tasks now supports refreshing users and + groups as well. See the "refresh_expired_interval" parameter in + the sssd.conf manpage. +* A new option subdomain_inherit was added. +* When an expired account attempts to log in, a configurable + error message can be displayed with sufficient pam_verbosity + setting. See the "pam_account_expired_message" option. +* OpenLDAP ppolicy can be honored even when an alternate login + method (such as SSH key) is used. See the "ldap_access_order" + option. +* A new option :krb5_map_user" was added, allowing the admin to + map UNIX usernames to Kerberos principals. +* BUG FIXES: +* Fixed AD-specific bugs that resulted in the incorrect set of + groups being displayed after the initgroups operation. +* Fixes related to the IPA ID views feature. Setups using this + should update sssd on both IPA servers and clients. +* The AD provider now handles binary GUIDs correctly. +* A bug that prevented the `ignore_group_members` parameter to be + used with the AD provider was fixed. +* The failover code now reads and honors TTL value for SRV + queries as well. +* Race condition between setting the timeout in the back ends and + reading it in the front end during initgroup operation was + fixed. This bug affected applications that perform the + initgroups(3) operation in multiple processes simultaneously. +* Setups that only want to use the domain SSSD is connected to, + but not the autodiscovered trusted domains by setting + `subdomains_provider=none` now work correctly as long as the + domain SID is set manually in the config file. +* In case only "allow" rules are used, the simple access provider + is now able to skip unresolvable groups. +* The GPO access control code now handles situations where user + and computer objects were in different domains. ------------------------------------------------------------------- Thu Feb 19 10:51:22 UTC 2015 - hguo@suse.com diff --git a/sssd.spec b/sssd.spec index 342166c..711e847 100644 --- a/sssd.spec +++ b/sssd.spec @@ -1,7 +1,7 @@ # # spec file for package sssd # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed