-------------------------------------------------------------------
Fri Jan 12 14:02:10 UTC 2024 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.9.4
  * Fixes a crash when PAM passkey processing incorrectly handles
    non-passkey data.
  * Fixed group membership handling when members are coming from
    different forest domains and using ldap token groups is
    prohibited.
  * Files provider was erroneously taking into consideration
    ``local_auth_policy`` config option, thus breaking smartcard
    authentication of local user in setups that did not explicitly
    specify this option. This is now fixed.

-------------------------------------------------------------------
Tue Nov 21 09:43:57 UTC 2023 - Samuel Cabrero <scabrero@suse.de>

- Adapt spec file for SLE 15 SP6/Leap 15.6; (jsc#PED-6714);
  * Remove package sssd-common, merged into sssd
  * Continue building deprecated files provider and infopipe
    responder
  * Disable selinux and semanage
  * Provide rcsssd shortcut

-------------------------------------------------------------------
Fri Nov 17 14:52:30 UTC 2023 - Samuel Cabrero <scabrero@suse.de>

- Fix spec file for Leap

-------------------------------------------------------------------
Fri Nov 17 12:30:33 UTC 2023 - Samuel Cabrero <scabrero@suse.de>

- /usr/etc migration, restore /etc/sssd/sssd.conf.rpmsave after
  update (bsc#1216865)
- Do not install the KRB5 IDP plugin, it is useless without the
  OIDC child
- Drop no longer valid --without-secrets configure switch

-------------------------------------------------------------------
Mon Nov 13 12:48:09 UTC 2023 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.9.3
  * The proxy provider is now able to handle certificate mapping
    and matching rules and users handled by the proxy provider can
    be configured for local Smartcard authentication. Besides the
    mapping rule local Smartcard authentication should be enabled
    with the `local_auth_policy` option in the backend and with
    `pam_cert_auth` in the PAM responder.

-------------------------------------------------------------------
Thu Nov 2 16:09:55 UTC 2023 - Jan Engelhardt <jengelh@inai.de>

- Offer the sssd.conf template as %doc (for examples, do actually
  see the "Examples" section of the sssd.conf(5) manpage)

-------------------------------------------------------------------
Tue Oct 31 15:20:37 UTC 2023 - Samuel Cabrero <scabrero@suse.de>

- Update dependencies to require the same subpackages version and
  release
- Fix /usr/etc migration fragment in wrong "%pre kcm" instead of
  "%pre"
- Move sss_analyze to sssd-tools package

-------------------------------------------------------------------
Tue Oct 31 11:04:57 UTC 2023 - Jan Engelhardt <jengelh@inai.de>

- Default config is unworkable, just stop installing it altogether
  [boo#1216739]

-------------------------------------------------------------------
Thu Sep 7 12:07:10 UTC 2023 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.9.2
  * sssctl cert-show and cert-show cert-eval-rule can now be run as
    non-root user.
  * New option local_auth_policy is added to control which offline
    authentication methods will be enabled by SSSD.
  * Fix sssd entering failed state under heavy load by adding
    watchdog to monitor sbus_call_DBus_Hello_send(); (bsc#1213283);
    Drop SLE patch 0001-sssd-watchdog.patch

-------------------------------------------------------------------
Fri Jun 23 14:49:30 UTC 2023 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.9.1
  * A regression was fixed that prevented autofs lookups from
    functioning correctly when cache_first is set to True.
  * A regression where SSSD failed to properly watch for changes
    in ``/etc/resolv.conf`` when it was a symbolic link or was a
    relative path, was fixed.
  * ldap password policy: return failure if there are no grace logins
    left; (bsc#1214434); Drop SLE patch
    0006-ldap-return-failure-if-there-are-no-grace-logins-lef.patch

-------------------------------------------------------------------
Fri May 5 10:47:41 UTC 2023 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.9
  * The sss_simpleifp library is deprecated (and for openSUSE,
    already removed)
  * The "Files provider" (i.e. id_provider = files) is deprecated
    (and for openSUSE, already removed)
  * SSSD will no longer warn about changed defaults when using
    ldap_schema = rfc2307 and default autofs mapping.
  * New passkey functionality, which will allow the use of FIDO2
    compliant devices to authenticate a centrally managed user
    locally.
  * Add support for ldapi:// URLs to allow connections to local
    LDAP servers.
  * NSS IDMAP has two new methods: getsidbyusername and
    getsidbygroupname.

-------------------------------------------------------------------
Thu Jan 26 15:23:54 UTC 2023 - Callum Farmer <gmbr3@opensuse.org>

- Move dbus-1 system.d file to /usr (bsc#1207586)

-------------------------------------------------------------------
Tue Jan 3 12:01:41 UTC 2023 - Stefan Schubert <schubi@suse.com>

- Migration of PAM settings to /usr/lib/pam.d.

-------------------------------------------------------------------
Wed Dec 21 19:29:45 UTC 2022 - Jan Engelhardt <jengelh@inai.de>

- Take systemd units off the restart list that have
  RefuseManualStart=yes [boo#1206592]
- Add symvers.patch [boo#1206592] [bsc#1182058] [bsc#1196166]

-------------------------------------------------------------------
Sun Dec 11 14:17:23 UTC 2022 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.8.2
  * New mapping template for serial number, subject key id, SID,
    certificate hashes and DN components are added to
    libsss_certmap.

-------------------------------------------------------------------
Fri Nov 4 12:28:27 UTC 2022 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.8.1
  * A regression when running sss_cache when no SSSD domain is
    enabled would produce a syslog critical message was fixed.

-------------------------------------------------------------------
Fri Oct 7 12:05:29 UTC 2022 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.8.0
  * Introduced the dbus function
    org.freedesktop.sssd.infopipe.Users.ListByAttr(attr, value,
    limit) listing up to limit users matching the filter
    attr=value.
  * sssctl is now able to create, list and delete indexes on the
    local caches. Indexes are useful for the new D-Bus
    ListByAttr() function.
  * sssctl is now able to read and set each component's debug
    level independently.
  * A number of new configuration options are available,
    cf. https://sssd.io/release-notes/sssd-2.8.0.html .
  * Fix sdap_access_host No matching host rule found;
    (bsc#1202559); Drop SLE patch
    0001-Fix-sdap_access_host-No-matching-host-rule-found.patch
  * Accept krb5 1.20 for building the PAC plugin; Drop SLE patch
    0004-BUILD-Accept-krb5-1.20-for-building-the-PAC-plugin.patch

-------------------------------------------------------------------
Thu Sep 1 13:45:36 UTC 2022 - Stefan Schubert <schubi@suse.com>

- Migration to /usr/etc: Saving user changed configuration files
  in /etc and restoring them during an RPM update.

-------------------------------------------------------------------
Fri Aug 26 20:54:33 UTC 2022 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.7.4
  * Lock-free client support will be only built if libc provides
    pthread_key_create() and pthread_once(). For glibc this means
    version 2.34+.

-------------------------------------------------------------------
Mon Jul 4 12:11:11 UTC 2022 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.7.3
  * All SSSD client libraries (nss, pam, etc) won't serialize
    requests anymore by default, i.e. requests from multiple
    threads can be executed in parallel. Old behavior
    (serialization) can be enabled by setting environment
    variable "SSS_LOCKFREE" to "NO".

-------------------------------------------------------------------
Tue Jun 21 10:19:54 UTC 2022 - Stefan Schubert <schubi@localhost>

- Removed %config flag for files in /usr directory.

-------------------------------------------------------------------
Tue Jun 21 06:43:27 UTC 2022 - Stefan Schubert <schubi@suse.com>

- Moved logrotate files from user-specific directory /etc/logrotate.d
  to vendor-specific directory /usr/etc/logrotate.d.

-------------------------------------------------------------------
Wed Jun 15 11:28:35 UTC 2022 - Samuel Cabrero <scabrero@suse.de>

- Use pam rpm macros to avoid hardcoding the directory names;
  (bsc#1191047);
- Do not take ownership of %_pam_confdir directory, it is owned by
  pam package

-------------------------------------------------------------------
Mon Jun 13 14:48:28 UTC 2022 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.7.2
  * A sssd-2.7.1 regression preventing successful authentication of
    IPA users was fixed.
  * Default value of pac_check changed to check_upn,
    check_upn_dns_info_ex (for AD and IPA provider).

-------------------------------------------------------------------
Thu Jun 2 15:24:57 UTC 2022 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.7.1
  * SSSD can now handle multi-valued RDNs if a unique name must
    be determined with the help of the RDN.
  * A regression in pam_sss_gss module causing a failure if
    KRB5CCNAME environment variable was not set was fixed.
  * New option `implicit_pac_responder` to control if the PAC
    responder is started for the IPA and AD providers; the
    default is true.
  * New option `krb5_check_pac` to control the PAC validation
    behavior.
  * Multiple `crl_file` arguments can be used in the
    `certificate_verification` option.

-------------------------------------------------------------------
Mon May 16 21:49:38 UTC 2022 - Jan Engelhardt <jengelh@inai.de>

- Enable subid_sss

-------------------------------------------------------------------
Thu Apr 14 22:43:03 UTC 2022 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.7.0
  * Better default for IPA/AD re_expression. Tuning for group
    names containing '@' is no longer needed.
  * A new debug level is added to show statistical and
    performance data.
  * Added support for anonymous PKINIT to get FAST credentials.
  * SSSD now correctly falls back to UPN search if the user was
    not found even with `cache_first = true`.
  * Add 'ldap_ignore_unreadable_references' parameter to skip
    unreadable objects referenced by 'member' attribute;
    (bsc#1190775); (gh#SSSD/sssd#4893); Drop SLE patch
    0001-ldap-ignore-unreadable-references.patch

-------------------------------------------------------------------
Mon Feb 21 14:50:38 UTC 2022 - Callum Farmer <gmbr3@opensuse.org>

- Enable selinux support
- Update Supplements to new format

-------------------------------------------------------------------
Wed Feb 9 13:17:30 UTC 2022 - Samuel Cabrero <scabrero@suse.de>

- Remove caches only when performing a package downgrade. The sssd
  daemon takes care of upgrading the database format when necessary
  (bsc#1195552)

-------------------------------------------------------------------
Tue Jan 25 11:32:10 UTC 2022 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.6.3
  * A regression introduced in sssd-2.6.2 in the IPA provider
    that prevented users from logging in was fixed. Access control
    always denied access because the selinux_child returned an
    unexpected reply.
  * A critical regression that prevented authentication of users
    via AD and IPA providers was fixed. LDAP port was reused for
    Kerberos communication and this provider would send
    incomprehensible information to this port.
  * When authenticating AD users, backtrace was triggered even
    though everything was working correctly. This was caused by a
    search in the global catalog. Servers from the global catalog
    are filtered out of the list before writing the KDC info
    file. With this fix, SSSD does not attempt to write to the
    KDC info file when performing a GC lookup.

-------------------------------------------------------------------
Mon Jan 17 17:27:40 UTC 2022 - Jan Engelhardt <jengelh@inai.de>

- Upgrade LDB_DIR shell variable to %ldbdir macro.

-------------------------------------------------------------------
Tue Jan 11 18:04:46 UTC 2022 - Samuel Cabrero <scabrero@suse.de>

- Remove libsmbclient-devel BuildRequires in favor of
  pkgconfig(smbclient)

-------------------------------------------------------------------
Thu Dec 23 14:52:55 UTC 2021 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.6.2
  * Quick log out and log in did not correctly refresh user's
    initgroups in no_session PAM schema due to lingering systemd
    processes.

-------------------------------------------------------------------
Tue Nov 23 16:11:48 UTC 2021 - Johannes Segitz <jsegitz@suse.com>

- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
  * harden_sssd-ifp.service.patch
  * harden_sssd-kcm.service.patch

-------------------------------------------------------------------
Tue Nov 9 15:35:58 UTC 2021 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.6.1
  * New infopipe method FindByValidCertificate().
  * The default value of the "ssh_hash_known_hosts" setting was
    changed to false for the sake of consistency with OpenSSH
    that does not hash host names by default.

-------------------------------------------------------------------
Fri Oct 15 13:41:13 UTC 2021 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.6.0
  * Support of legacy json format for ccaches was dropped.
  * Support of long time deprecated secrets responder was dropped.
  * Support of long time deprecated local provider was dropped.
  * The sssctl command was vulnerable to shell command injection
    via the logs-fetch and cache-expire subcommands,
    which was fixed; (CVE-2021-3621); (bsc#1189492); Drop SLE patch
    0002-TOOLS-replace-system-with-execvp-to-avoid-execution-.patch
  * Basic support of user's 'subuid and subgid ranges' for IPA
    provider and corresponding plugin for shadow-utils were added.

-------------------------------------------------------------------
Mon Jul 12 19:45:37 UTC 2021 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.5.2; (jsc#SLE-17763);
  * originalADgidNumber attribute in the SSSD cache is now indexed.
  * Add new config option fallback_to_nss.

-------------------------------------------------------------------
Tue Jun 8 16:35:25 UTC 2021 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.5.1
  * auto_private_groups option can be set centrally through ID
    range setting in IPA (see ipa idrange commands family). This
    feature requires SSSD update on both client and server. This
    feature also requires freeipa 4.9.4 and newer.
  * Fix getsidbyname issues with IPA users with a user-private-group.
  * Default value of ldap_sudo_random_offset changed to 0
    (disabled). This makes sure that sudo rules are available as
    soon as possible after SSSD start in default configuration.

-------------------------------------------------------------------
Mon May 10 13:58:04 UTC 2021 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.5.0
  * Added support for automatic renewal of renewable TGTs that
    are stored in KCM ccache. This can be enabled by setting
    tgt_renewal = true. See the sssd-kcm man page for more
    details. This feature requires MIT Kerberos
    krb5-1.19-0.beta2.3 or higher.
  * Background sudo periodic tasks (smart and full refresh) periods are
    now extended by a random offset to spread the load on the server in
    environments with many clients.
  * Completing a sudo full refresh now postpones the smart refresh by
    ldap_sudo_smart_refresh_interval value. This ensures that the smart
    refresh is not run too soon after a successful full refresh.
  * If debug_backtrace_enabled is set to true then on any error all prior
    debug messages (to some limit) are printed even if debug_level is set
    to low value.
  * Besides trusted domains known by the forest root, trusted domains known
    by the local domain are used as well.
  * New configuration option offline_timeout_random_offset to control random
    factor in backend probing interval when SSSD is in offline mode.
  * ad_gpo_implicit_deny is now respected even if there are no
    applicable GPOs present.
  * During the IPA subdomains request a failure in reading a single specific
    configuration option is not considered fatal and the request will
    continue.
  * Unknown IPA id-range types are not considered as an error

-------------------------------------------------------------------
Tue Apr 6 12:08:29 UTC 2021 - Samuel Cabrero <scabrero@suse.de>

- Move sssctl command from sssd to sssd-tools package; (bsc#1184289);

-------------------------------------------------------------------
Thu Apr 1 15:08:14 UTC 2021 - jeffm@suse.com

- Add missing /var/lib/sss/pubconf/krb5.include.d directory (bsc#1184285).

-------------------------------------------------------------------
Tue Feb 23 12:43:38 UTC 2021 - Aurelien Aptel <aaptel@suse.com>

- Make cifs-idmap plugin (cifs_idmap_sss.so) use update-alternatives
  mechanism to be able to switch between cifs-utils and sssd;
  (bsc#1182682).

-------------------------------------------------------------------
Fri Feb 19 17:30:58 UTC 2021 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.4.2
  * Default value of "user" config option was fixed into
    accordance with man page, i.e. default is "root".
  * pam_sss_gss now supports authentication indicators to further
    harden the authentication.

-------------------------------------------------------------------
Fri Feb 12 15:55:37 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org>

- Pass --with-pid-path=%{_rundir} to configure: adjust rundir
  according to the distro settings, i.e. /run on modern systems.
  Eliminates a systemd warning like this one in the journal:
  Feb 12 12:33:32 zeus systemd[1]: /usr/lib/systemd/system/sssd.service:13:
  PIDFile= references a path below legacy directory /var/run/,
  updating /var/run/sssd.pid → /run/sssd.pid; please update the unit file accordingly.

-------------------------------------------------------------------
Fri Feb 5 12:56:44 UTC 2021 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.4.1
  * New PAM module pam_sss_gss for authentication using GSSAPI.
  * case_sensitive=Preserving can now be set for trusted domains
    with AD and IPA providers.
  * krb5_use_subdomain_realm=True can now be used when sub-domain
    user principal names have upnSuffixes which are not known in
    the parent domain. SSSD will try to send the Kerberos request
    directly to a KDC of the sub-domain.
  * SYSLOG_IDENTIFIER was renamed to SSSD_PRG_NAME in journald
    output, to avoid issues with PID parsing in rsyslog
    (BSD-style forwarder) output.
  * Added pam_gssapi_check_upn to enforce authentication only
    with principal that can be associated with target user.
  * Added pam_gssapi_services to list PAM services that can
    authenticate using GSSAPI.
  * Create timestamp attribute in cache objects if missing;
    (bsc#1182637);

-------------------------------------------------------------------
Mon Oct 12 13:10:26 UTC 2020 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.4.0
  * Session recording can now exclude specific users or groups
    when scope is set to all (see exclude_users and
    exclude_groups options).
  * Active Directory provider now sends CLDAP pings over UDP
    protocol to Domain Controllers in parallel to determine site
    and forest to speed up server discovery.

-------------------------------------------------------------------
Mon Aug 10 12:55:05 UTC 2020 - Jan Engelhardt <jengelh@inai.de>

- Build sssd's KCM.

-------------------------------------------------------------------
Fri Jul 24 16:57:58 UTC 2020 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.3.1
  * Domains can be now explicitly enabled or disabled using
    enable option in domain section. This can be especially used
    in configuration snippets.
  * New configuration options memcache_size_passwd,
    memcache_size_group, memcache_size_initgroups that can be
    used to control memory cache size.
  * Fixed several regressions in GPO processing introduced in
    sssd-2.3.0
  * Fixed regression in PAM responder: failures in cache only
    lookups are no longer considered fatal.
  * Fixed regression in proxy provider: pwfield=x is now default
    value only for sssd-shadowutils target.
  * Rotate child debug file descriptors on SIGHUP (bsc#1080156)
- sssd-wbclient is obsolete and no longer shipped

-------------------------------------------------------------------
Tue May 19 11:32:22 UTC 2020 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.3.0
  * SSSD can now handle hosts and networks nsswitch databases
    (see resolve_provider option).
  * By default, authentication request only refreshes user's
    initgroups if it is expired or there is no active user's
    session (see pam_initgroups_scheme option).
  * OpenSSL is used as default crypto provider, NSS is deprecated.
  * The AD provider now defaults to GSS-SPNEGO SASL mechanism
    (see ldap_sasl_mech option).
  * The AD provider can now be configured to use only ldaps port
    (see ad_use_ldaps option).
  * SSSD now accepts host entries from GPO's security filter.
  * New debug level (0x10000) added for low level LDB messages
    only (see sssd.conf man page).
  * Update samba secrets after changing machine password; (jsc#SLE-11503);
  * Delete linked local user overrides when deleting a user
    (bsc#1133168)
- Drop sssd-gpo_host_security_filter-2.2.2.patch,
  0001-Resolve-computer-lookup-failure-when-sam-cn.patch,
  0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch (merged)
- Drop 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
  (unapplicable)

-------------------------------------------------------------------
Tue Mar 24 10:49:17 UTC 2020 - Jan Engelhardt <jengelh@inai.de>

- Update to 2.2.3
  * New features:
  * allow_missing_name now treats empty strings the same as
    missing names.
  * "soft_ocsp" and "soft_crl" options have been added to make
    the checks for revoked certificates more flexible if the
    system is offline.
  * Smart card authentication in polkit is now allowed by default.
  * Handling of FreeIPA users and groups containing ‘@’ sign now works.
  * Issue when autofs was unable to mount shares was fixed.
  * SSSD was unable to handle ldap_uri containing URIs with
    different port numbers, which has been rectified.
  * Fix domain offline after first boot when resolv.conf is a symlink
    (bsc#1136139)
- Add 0001-Fix-build-failure-against-samba-4.12.0rc1.patch

-------------------------------------------------------------------
Mon Mar 16 16:44:23 UTC 2020 - Samuel Cabrero <scabrero@suse.de>

- Fix dynamic DNS updates not using FQDN (bsc#1160587); Add
  0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch

-------------------------------------------------------------------
Sun Jan 19 23:54:34 UTC 2020 - Stefan Brüns <stefan.bruens@rwth-aachen.de>

- Remove leftover python2 build dependencies
- Remove python3-devel BuildRequires in favor of pkgconfig(python3)

-------------------------------------------------------------------
Mon Jan 13 14:40:11 UTC 2020 - David Mulder <dmulder@suse.com>

- SSSD GPO host entries are ignored if computer cn does not
  match its samaccountname, add
  0001-Resolve-computer-lookup-failure-when-sam-cn.patch;
  (jsc#SLE-9298); (bsc#1160688)

-------------------------------------------------------------------
Thu Jan 02 17:17:00 UTC 2020 - David Mulder <dmulder@suse.com>

- SSSD should accept host entries from GPO's security filter, add
  sssd-gpo_host_security_filter-2.2.2.patch; (jsc#SLE-9298)

-------------------------------------------------------------------
Fri Nov 22 13:31:54 UTC 2019 - Samuel Cabrero <scabrero@suse.de>

- Install infopipe dbus service (bsc#1106598)
- Add systemd service unit files to manage socket or bus activated responders.
- All responders except infopipe are also managed by a socket unit file.
- Add missing post and postun hooks for libsss_certmap0 package.

-------------------------------------------------------------------
Thu Nov 21 12:56:28 UTC 2019 - Jan Engelhardt <jengelh@inai.de>

- Update to release 2.2.2
  * New options were added which allow sssd-kcm to handle bigger
    data. See manual pages for max_ccaches, max_uid_caches and
    max_ccache_size.
  * SSSD can now automatically refresh cached user data from
    subdomains in IPA/AD trust.
  * Fixed issue with SSSD hanging when connecting to
    non-responsive server with ldaps://.
  * SSSD is now restarted by systemd after crashes.

2019-06-18 10:59:42 +02:00
|
|
|
|
-------------------------------------------------------------------
Tue Jun 18 08:00:46 UTC 2019 - Jan Engelhardt <jengelh@inai.de>

- Update to new upstream release 2.2.0
  * The Kerberos provider can now include more KDC addresses or
    host names when writing data for the Kerberos locator plugin.
  * The 2FA prompting can now be configured.
  * The LDAP authentication provider now allows to use a
    different method of changing LDAP passwords using a modify
    operation in addition to the default extended operation.
  * The "auto_private_groups" configuration option now takes a
    new value hybrid.
  * A new option "ad_gpo_ignore_unreadable" was added.
  * The "cached_auth_timeout" parameter is now inherited by
    trusted domains.
  * The "ldap_sasl_mech" option now accepts another mechanism
    "GSS-SPNEGO" in addition to "GSSAPI".
  * The sssctl tool has two new commands, "cert-show" and
    "cert-map".
  * Added an option to skip GPOs that have groupPolicyContainers,
    unreadable by SSSD (bsc#1124194) (CVE-2018-16838)
  * Fix fallback_homedir returning '/' for empty home directories
    (CVE-2019-3811) (bsc#1121759)

-------------------------------------------------------------------
Fri Apr 26 10:59:25 UTC 2019 - Samuel Cabrero <scabrero@suse.de>

- Create directory to download and cache GPOs (bsc#1132879)

-------------------------------------------------------------------
Sat Mar 16 11:50:58 UTC 2019 - Jan Engelhardt <jengelh@inai.de>

- Update to new upstream release 2.1.0
  * Any provider can now match and map certificates to user
    identities.
  * pam_sss can now be configured to only perform Smart Card
    authentication or return an error if this is not possible.
  * pam_sss can also prompt the user to insert a Smart Card if,
    during an authentication it is not available.
  * A new configuration option ad_gpo_implicit_deny was added.
    This option (when set to True) can be used to deny access to
    users even if there is no applicable GPO.
  * The dynamic DNS update can now batch DNS updates to include
    all address family updates in a single transaction.
  * Fix sss_cache spurious error messages when invoked from shadow-utils;
    (bsc#1185017);
  * Fix building with newer samba versions (bsc#1137876)
  * Fix memory leak in nss netgroup enumeration (bsc#1139247);

-------------------------------------------------------------------
Wed Feb 20 16:01:52 UTC 2019 - Samuel Cabrero <scabrero@suse.de>

- Install systemd service unit file created from source's template
  (bsc#1120852); (bsc#1185185);
- Install logrotate configuration (bsc#1004220)
- Set journald as system logger

-------------------------------------------------------------------
Fri Feb 15 17:36:22 UTC 2019 - Jan Engelhardt <jengelh@inai.de>

- Add krb-noversion.diff so sssd_pac builds even with newer krb.

-------------------------------------------------------------------
Mon Oct  1 13:34:56 UTC 2018 - ckowalczyk@suse.com

- Add dependency to adcli for sssd-ad
  (SLE15: fate#326619, bsc#1109849)
  (SLE12SP4: fate#326620, bsc#1110121)

-------------------------------------------------------------------
Fri Sep  7 18:52:18 UTC 2018 - Jan Engelhardt <jengelh@inai.de>

- Update to new upstream release 2.0.0
  * The Python API for managing users and groups in local domains
    (id_provider=local) was removed completely. The local
    provider (id_provider=local) and the command line tools to
    manage users and groups in the local domains, such as
    sss_useradd, are not built anymore.
  * The LDAP provider had a special-case branch for evaluating
    group memberships with the RFC2307bis schema when group
    nesting was explicitly disabled. This codepath is removed.
  * The "ldap_sudo_include_regexp" option changed its default
    value from true to false. Wildcards in the sudoHost LDAP
    attribute are no longer evaluated. This was costly to
    evaluate on the LDAP server side and at the same time rarely
    used.
  * The list of PAM services which are allowed to authenticate
    using a Smart Card is now configurable using a new option
    pam_p11_allowed_services.
  * Allow defaults sudoRole without sudoUser attribute (bsc#1135247)

-------------------------------------------------------------------
Fri Aug 31 07:14:39 UTC 2018 - kbabioch@suse.com

- Update to upstream release 1.16.3
  * New Features:
  * kdcinfo files for informing krb5 about discovered KDCs are
    now also generated for trusted domains in setups that use
    id_provider=ad and IPA masters in a trust relationship with
    an AD domain.
  * The Kerberos locator plugin can now process multiple
    addresses if SSSD generates more than one. A
  * Bug fixes:
  * Fixed information leak due to incorrect permissions on
    /var/lib/sss/pipes/sudo [CVE-2018-10852, bsc#1098377]
  * Cached passwords are now stored with a salt. Old ones will be
    regenerated on next authentication, and the auth server needs
    to be reachable for that.
  * The sss_ssh process leaked file descriptors when converting
    more than one X.509 certificate to an SSH public key.
  * The PAC responder is now able to process Domain Local in case
    the PAC uses SID compression (Windows Server 2012+).
  * Address the issue that some versions of OpenSSH would close
    the pipe towards sss_ssh_authorizedkeys when the matching key
    is found before the rest of the output is read.
  * User lookups no longer fail if user's e-mail address
    conflicts with another user's fully qualified name.
  * The override_shell and override_homedir options are no longer
    applied to entries from the files domain.
  * The grace logins with an expired password when authenticating
    against certain newer versions of the 389DS/RHDS LDAP server
    did not work.
  * Fix login not possible when email address is duplicated in ldap
    attributes (bsc#1149597)
  * Strip whitespaces in netgroup triples (bsc#1087320)
- Removed patches that are included upstream now:
  0001-SUDO-Create-the-socket-with-stricter-permissions.patch,
  0002-intg-Do-not-hardcode-nsslibdir.patch,
  0003-Fix-build-for-1-16-2-version.patch

-------------------------------------------------------------------
Sun Jul  1 12:44:00 UTC 2018 - ckowalczyk@suse.com

- Fixed patch name.

-------------------------------------------------------------------
Wed Jun 20 10:46:34 UTC 2018 - ckowalczyk@suse.com

- Introduce patches:
  * Create sockets with right permissions:
    0001-SUDO-Create-the-socket-with-stricter-permissions.patch
    (bsc#1098377, CVE-2018-10852)
  * Fix for sssd upstream integration tests
    0002-intg-Do-not-hardcode-nsslibdir.patch
    (bsc#1098163)

-------------------------------------------------------------------
Wed Jun 20 08:38:53 UTC 2018 - varkoly@suse.com

- Update to new minor upstream release 1.16.2
  New Features:
  * The smart card authentication, or in more general certificate
    authentication code now supports OpenSSL in addition to previously
    supported NSS (#3489). In addition, the SSH responder can now
    return public SSH keys derived from the public keys stored in a
    X.509 certificate. Please refer to the ssh_use_certificate_keys
    option in the man pages.
  * The files provider now supports mirroring multiple passwd or
    group files. This enhancement can be used to use the SSSD files
    provider instead of the nss_altfiles module
  Bugfixes:
  * A memory handling issue in the nss_ex interface was fixed. This
    bug would manifest in IPA environments with a trusted AD domain
    as a crash of the ns-slapd process, because a ns-slapd plugin
    loads the nss_ex interface (#3715)
  * Several fixes for the KCM daemon were merged (see #3687, #3671, #3633)
  * The ad_site override is now honored in GPO code as well (#3646)
  * Several potential crashes in the NSS responder’s netgroup code
    were fixed (#3679, #3731)
  * A potential crash in the autofs responder’s code was fixed (#3752)
  * The LDAP provider now supports group renaming (#2653)
  * The GPO access control code no longer returns an error if one
    of the relevant GPO rules contained no SIDs at all (#3680)
  * A memory leak in the IPA provider related to resolving external
    AD groups was fixed (#3719)
  * Setups that used multiple domains where one of the domains had
    its ID space limited using the min_id/max_id options did not
    resolve requests by ID properly (#3728)
  * Overriding IDs or names did not work correctly when the domain
    resolution order was set as well (#3595)
  * A version mismatch between certain newer Samba versions (e.g.
    those shipped in RHEL-7.5) and the Winbind interface provided
    by SSSD was fixed. To further prevent issues like this in the
    future, the correct interface is now detected at build time (#3741)
  * The files provider no longer returns a qualified name in case
    domain resolution order is used (#3743)
  * A race condition between evaluating IPA group memberships and
    AD group memberships in setups with IPA-AD trusts that would
    have manifested as randomly losing IPA group memberships assigned
    to an AD user was fixed (#3744)
  * Setting an SELinux login label was broken in setups where the
    domain resolution order was used (#3740)
  * SSSD start up issue on systems that use the libldb library
    with version 1.4.0 or newer was fixed.
  * Update winbind idmap plugin to support interface version 6
    (jsc#SLE-9819)
  * Add a netgroup counter to struct nss_enum_index (bsc#1132657)
  * Fix sssd not starting in foreground mode (bsc#1125277)
  Introduce a patch:
  * Fix build of sssd of 1.16.2 version:
    0003-Fix-build-for-1-16-2-version.patch
    (back then called fix-build.patch)

-------------------------------------------------------------------
Fri Apr 27 14:43:58 UTC 2018 - ckowalczyk@suse.com

- Update to new minor upstream release 1.16.1 (fate#323340):

  New Features:
  * A new option auto_private_groups was added. If this option is
    enabled, SSSD will automatically create user private groups based
    on user’s UID number. The GID number is ignored in this case.
  * The SSSD smart card integration now supports a special type of PAM
    conversation implemented by GDM which allows the user to select
    the appropriate smart card certificate in GDM.
  * A new API for accessing user and group information was added.
    This API is similar to the traditional Name Service Switch API, but
    allows the consumer to talk to SSSD directly as well as to
    fine-tune the query with e.g. how cache should be evaluated.
  * The sssctl command line tool gained a new command access-report,
    which can generate who can access the client machine. Currently
    only generating the report on an IPA client based on HBAC rules
    is supported.
  * The hostid provider was moved from the IPA specific code to
    the generic LDAP code. This allows SSH host keys to be accessed by
    the generic LDAP provider as well. See the ldap_host_* options in
    the sssd-ldap manual page for more details.
  * Setting the memcache_timeout option to 0 disabled creating
    the memory cache files altogether. This can be useful in cases
    there is a bug in the memory cache that needs working around.

-------------------------------------------------------------------
Tue Apr 24 13:09:35 UTC 2018 - ckowalczyk@suse.com

- Updated sssd.spec:
  The IPA provider depends on AD provider's PAC executable, hence
  introducing the package dependency. (bsc#1021441, bsc#1062124)

-------------------------------------------------------------------
Tue Feb 27 09:24:46 UTC 2018 - hguo@suse.com

- Remove package descriptions for the python 2 packages that are
  no longer distributed:
  * python-ipa_hbac
  * python-sss-murmur
  * python-sss_nss_idmap
  * python-sssd-config
- Correct python version dependency of tools package. (bsc#1082108)

-------------------------------------------------------------------
Mon Dec  4 10:03:59 UTC 2017 - hguo@suse.com

- Correct dependency of sss_obfuscate command line program.

-------------------------------------------------------------------
Fri Dec  1 14:35:08 UTC 2017 - hguo@suse.com

- In an ongoing effort to reduce dependency on python version 2,
  the following python libraries are no longer built. Nevertheless
  their python3 counterparts remain in place:
  * python-ipa_hbac
  * python-sss-murmur
  * python-sss_nss_idmap
  * python-sssd-config

-------------------------------------------------------------------
Mon Oct 23 16:31:54 UTC 2017 - michael@stroeder.com

- Update to new upstream release 1.16.0

  Security fixes
  * This release fixes CVE-2017-12173: Unsanitized input when searching in
    local cache database. SSSD stores its cached data in an LDAP like local
    database file using libldb. To look up cached data LDAP search filters
    like (objectClass=user)(name=user_name) are used. However, in
    sysdb_search_user_by_upn_res(), the input was not sanitized and
    allowed to manipulate the search filter for cache lookups. This would
    allow a logged in user to discover the password hash of a different user.

  New Features
  * SSSD now supports session recording configuration through tlog. This
    feature enables recording of everything specific users see or type
    during their sessions on a text terminal. For more information, see
    the sssd-session-recording(5) manual page.
  * SSSD can act as a client agent to deliver
    Fleet Commander <https://wiki.gnome.org/Projects/FleetCommander>
    policies defined on an IPA server. Fleet Commander provides a
    configuration management interface that is controlled centrally and
    that covers desktop, applications and network configuration.
  * Several new systemtap <https://sourceware.org/systemtap/> probes
    were added into various locations in SSSD code to assist in
    troubleshooting and analyzing performance related issues. Please see the
    sssd-systemtap(5) manual page for more information.
  * A new LDAP provider access control mechanism that allows to restrict
    access based on PAM's rhost data field was added. For more details,
    please consult the sssd-ldap(5) manual page, in particular the
    options ldap_user_authorized_rhost and the rhost value of
    ldap_access_filter.

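Added example, not part of the changelog and not SSSD's code: the filter manipulation described for CVE-2017-12173 in the 1.16.0 entry above, shown as an unsanitized filter builder beside one that escapes the value per RFC 4515. The function names, the filter template and the sample input are assumptions made up for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical filter template, modelled on the shape quoted in the
 * changelog entry; it is not copied from SSSD. */
#define USER_FILTER_FMT "(&(objectClass=user)(name=%s))"

/* Escape a value for use inside an LDAP search filter (RFC 4515):
 * '*', '(', ')' and '\' become a backslash plus two hex digits.
 * Returns a malloc'ed string (caller frees) or NULL if out of memory. */
char *filter_escape(const char *in)
{
    static const char hex[] = "0123456789abcdef";
    size_t len = strlen(in), j = 0;
    char *out = malloc(len * 3 + 1);   /* worst case: every byte becomes 3 */

    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            out[j++] = '\\';
            out[j++] = hex[c >> 4];
            out[j++] = hex[c & 0x0f];
        } else {
            out[j++] = (char)c;
        }
    }
    out[j] = '\0';
    return out;
}

/* Substitute a value into the template; returns malloc'ed filter or NULL. */
static char *format_filter(const char *value)
{
    size_t n = strlen(USER_FILTER_FMT) + strlen(value) + 1;
    char *filter = malloc(n);

    if (filter != NULL)
        snprintf(filter, n, USER_FILTER_FMT, value);
    return filter;
}

/* Unsanitized form: caller-controlled text reaches the filter verbatim,
 * so parentheses in the name change the structure of the filter. */
char *build_filter_unsanitized(const char *name)
{
    return format_filter(name);
}

/* Hardened form: the name is escaped first and stays a single value. */
char *build_filter_sanitized(const char *name)
{
    char *escaped = filter_escape(name);
    char *filter = NULL;

    if (escaped != NULL) {
        filter = format_filter(escaped);
        free(escaped);
    }
    return filter;
}

/* Count filter components: every literal '(' opens one. The template
 * itself has three, so a higher count means the input added structure. */
int count_components(const char *filter)
{
    int n = 0;

    for (; *filter != '\0'; filter++)
        if (*filter == '(')
            n++;
    return n;
}

int main(void)
{
    const char *name = "alice)(uid=*";   /* constructed sample input */
    char *before = build_filter_unsanitized(name);
    char *after = build_filter_sanitized(name);

    if (before == NULL || after == NULL)
        return 1;
    printf("unsanitized: %s (%d components)\n", before, count_components(before));
    printf("sanitized:   %s (%d components)\n", after, count_components(after));
    free(before);
    free(after);
    return 0;
}
```
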
-------------------------------------------------------------------
Tue Jul 25 15:46:23 UTC 2017 - michael@stroeder.com

- Update to new upstream release 1.15.3 (KCM disabled)

  New Features
  * In a setup where an IPA domain trusts an Active Directory domain,
    it is now possible to define the domain resolution order
    (see http://www.freeipa.org/page/Releases/4.5.0#AD_User_Short_Names).
  * Design page - Shortnames in trusted domains <https://docs.pagure.org/SSSD.sssd/design_pages/shortnames.html>
  * SSSD ships with a new service called KCM. This service acts as a
    storage for Kerberos tickets when "libkrb5" is configured to use
    "KCM:" in "krb5.conf".
  * Design page - KCM server for SSSD <https://docs.pagure.org/SSSD.sssd/design_pages/kcm.html>
  * NOTE: There are several known issues in the "KCM" responder that
    will be handled in the next release.
  * Support for user and group resolution through the D-Bus interface and
    authentication and/or authorization through the PAM interface even
    for setups without UIDs or Windows SIDs present on the LDAP directory
    side. This enhancement allows SSSD to be used together with apache
    modules <https://github.com/adelton/mod_lookup_identity> to provide
    identities for applications
  * Design page - Support for non-POSIX users and groups <https://docs.pagure.org/SSSD.sssd/design_pages/non_posix_support.html>
  * SSSD ships a new public library called "libsss_certmap" that allows
    a flexible and configurable way of mapping a certificate to a user
    identity.
  * Design page - Matching and Mapping Certificates <https://docs.pagure.org/SSSD.sssd/design_pages/matching_and_mapping_certificates.html>
  * The Kerberos locator plugin can be disabled using an environment variable
    "SSSD_KRB5_LOCATOR_DISABLE". Please refer to the
    "sssd_krb5_locator_plugin" manual page for more details.
  * The "sssctl" command line tool supports a new command "user-checks"
    that enables the administrator to check whether a certain user should be
    allowed or denied access to a certain PAM service.
  * The "secrets" responder now forwards requests to a proxy Custodia
    back end over a secure channel.

-------------------------------------------------------------------
Thu Mar 16 13:32:12 UTC 2017 - hguo@suse.com

- Introduce mandatory runtime requirement "cyrus-sasl-gssapi" to
  krb5-common sub-package. Address bsc#1024836.

-------------------------------------------------------------------
Wed Mar 15 22:18:03 UTC 2017 - michael@stroeder.com

- Update to new upstream release 1.15.2
  * It is now possible to configure certain parameters of a
    trusted domain in a configuration file sub-section.
  * Several issues related to socket-activating the NSS service,
    especially if SSSD was configured to use a non-privileged
    user, were fixed. The NSS service now does not change the
    ownership of its log files to avoid triggering a name-service
    lookup while the NSS service is not running yet.
    Additionally, the NSS service is started before any other
    service to make sure username resolution works and the other
    service can resolve the SSSD user correctly.
  * A new option "cache_first" allows the administrator to change
    the way multiple domains are searched. When this option is
    enabled, SSSD will first try to "pin" the requested name or
    ID to a domain by searching the entries that are already
    cached and contact the domain that contains the cached entry
    first. Previously, SSSD would check the cache and the remote
    server for each domain. This option brings performance
    benefit for setups that use multiple domains (even
    auto-discovered trusted domains), especially for ID lookups
    that would previously iterate over all domains. Please note
    that this option must be enabled with care as the
    administrator must ensure that the ID space of domains does
    not overlap.
  * The SSSD D-Bus interface gained two new methods:
    "FindByNameAndCertificate" and "ListByCertificate". These
    methods will be used primarily by IPA and
    mod_lookup_identity
    <https://github.com/adelton/mod_lookup_identity/> to
    correctly match multiple users who use the same certificate
    for Smart Card login.
  * A bug where SSSD did not properly sanitize a username with a
    newline character in it was fixed.

-------------------------------------------------------------------
Sat Mar 11 22:34:41 UTC 2017 - jengelh@inai.de

- Switch *all* URLs after fedorahosted.org retirement

-------------------------------------------------------------------
Sat Mar  4 19:57:33 UTC 2017 - michael@stroeder.com

- Updated project URL
- Update to new upstream release 1.15.1
  * Several issues related to starting the SSSD services on-demand via
    socket activation were fixed. In particular, it is no longer possible
    to have a service started both by sssd and socket-activated. Another
    bug which might have caused the responder to start before SSSD started
    and cause issues especially on system startup was fixed.
  * A new 'files' provider was added. This provider mirrors the contents
    of '/etc/passwd' and '/etc/shadow' into the SSSD database. The purpose
    of this new provider is to make it possible to use SSSD's interfaces,
    such as the D-Bus interface for local users and enable leveraging the
    in-memory fast cache for local users as well, as a replacement for `nscd`.
    In future, we intend to extend the D-Bus interface to also provide setting
    and retrieving additional custom attributes for the files users.
  * SSSD now autogenerates a fallback configuration that enables the
    files domain if no SSSD configuration exists. This allows distributions
    to enable the 'sssd' service when the SSSD package is installed. Please
    note that SSSD must be built with the configuration option
    '--enable-files-domain' for this functionality to be enabled.
  * Support for public-key authentication with Kerberos (PKINIT) was
    added. This support will enable users who authenticate with a Smart Card
    to obtain a Kerberos ticket during authentication.

-------------------------------------------------------------------
Sat Feb 18 08:35:13 CET 2017 - kukuk@suse.de

- Remove obsolete insserv call

-------------------------------------------------------------------
Wed Feb  8 19:58:55 UTC 2017 - luizluca@gmail.com

- Added /etc/sssd/conf.d/ for configuration snippets

-------------------------------------------------------------------
Wed Jan 25 19:25:09 UTC 2017 - michael@stroeder.com

- Removed 0001-krb5-1.15-build-fix.patch obsoleted by upstream update
- Update to new upstream release 1.15.0
  * SSSD now allows the responders to be activated by the systemd service
    manager and exit when idle. This means the services line in sssd.conf is
    optional and the responders can be started on-demand, simplifying the sssd
    configuration. Please note that this change is backwards-compatible and
    the responders listed explicitly in sssd.conf's services line are managed
    by sssd in the same manner as in previous releases. Please refer to man
    sssd.conf(5) for more information
  * The sudo provider is no longer disabled for configurations that do not
    explicitly include the sudo responder in the services list. In order to
    disable the sudo-related back end code that executes the periodic LDAP
    queries, set the sudo_provider to none explicitly
  * The watchdog signal handler no longer uses signal-unsafe functions. This
    bug was causing a deadlock in case the watchdog was about to kill a
    stuck process
  * A bug that prevented TLS to be set up correctly on systems where libldap
    links with GnuTLS was fixed
  * The functionality to alter SSSD configuration through the D-Bus interface
    provided by the IFP responder was removed. This functionality was not used to
    the best of our knowledge, had no tests and prevented the InfoPipe responder
    from running as a non-privileged user.
  * A bug that prevented statically-linked applications from using libnss_sss
    was fixed by removing dependency on -lpthreads from the libnss_sss library
    (please see https://sourceware.org/bugzilla/show_bug.cgi?id=20500 for
    an example on why linking with -lpthread from an NSS module is problematic)
  * Previously, SSSD did not ignore GPOs that were missing the
    gPCFunctionalityVersion attribute and failed the whole GPO
    processing. Starting with this version, the GPOs without the
    gPCFunctionalityVersion are skipped.

-------------------------------------------------------------------
Mon Dec 12 13:36:18 UTC 2016 - dimstar@opensuse.org

- BuildRequire pkgconfig(libsystemd) instead of
  pkgconfig(libsystemd-login): the latter has been deprecated since
  systemd 209 and finally removed with systemd 230.

-------------------------------------------------------------------
Wed Dec  7 10:39:30 UTC 2016 - jengelh@inai.de

- Add 0001-krb5-1.15-build-fix.patch to unlock building
  against future KRB versions.

-------------------------------------------------------------------
Wed Oct 19 22:21:30 UTC 2016 - michael@stroeder.com

- Update to new upstream release 1.14.2
  * Several more regressions caused by cache refactoring to use qualified
    names internally were fixed, including a regression that prevented the
    krb5_map_user option from working correctly.
  * A regression when logging in with a smart card using the GDM login manager
    was fixed
  * SSSD now removes the internal timestamp on startup cache when the
    persistent cache is removed. This enables admins to follow their existing
    workflow of just removing the persistent cache and start from a fresh slate
  * Several fixes to the sssd-secrets responder are present in this release
  * A bug in the autofs responder that prevented automounter maps from being
    returned when sssd_be was offline was fixed
  * A similar bug in the NSS responder that prevented netgroups from being
    returned when sssd_be was offline was fixed
  * Disabling the netlink integration can now be done with a new option
    disable_netlink. Previously, the netlink integration could be disabled with
    a sssd command line switch, which is being deprecated in this release.
  * The internal watchdog no longer kills sssd processes in case time shifts
    during sssd runtime
  * The fail over code is able to cope with concurrent SRV resolution
    requests better in this release
  * The proxy provider gained a new option proxy_max_children that allows the
    administrator to control the maximum number of child helper processes that
    authenticate users with auth_provider=proxy
  * The InfoPipe D-Bus responder exports the UUIDs of user and group objects
    through a uniqueID property

-------------------------------------------------------------------
Fri Aug 19 18:38:35 UTC 2016 - michael@stroeder.com

- Update to new upstream release 1.14.1
* The IPA provider now supports logins with enterprise principals (also
known as additional UPN suffixes). This functionality also enabled Active
Directory users from trusted AD domains who use an additional UPN suffix
to log in. Please note that this feature requires a recent IPA server.
* When a user name is overridden in an IPA domain, resolving a group these
users are a member of now returns the overridden user names
* Users can be looked up by and log in with their e-mail address as an
identifier. In order to do so, an attribute that represents the user's
e-mail address is fetched by default. This attribute can be customized
by setting the ldap_user_email configuration option.
* A new ad_enabled_domains option was added. This option lets the
administrator select domains that SSSD should attempt to reach in the
AD forest SSSD is joined to. This option is useful for deployments where
not all domains are reachable on the network level, yet the administrator
needs to access some trusted domains and therefore disabling the subdomains
provider completely is not desirable.
* The sssctl tool has two new commands active-server and servers that
allow the administrator to observe the server that SSSD is bound to and
the servers that SSSD autodiscovered
* SSSD used to fail to start when an attribute name is present in both
the default SSSD attribute map and the custom ldap_user_extra_attrs map
* GPO policy processing no longer fails if the gPCMachineExtensionNames
attribute only contains whitespaces
* Several commits fix regressions related to switching all user and group
names to fully qualified format, such as running initgroups for a user
who is only a member of a primary group
* Several patches fix regressions caused by splitting the database into
two ldb files, such as when user attributes change without increasing
the modifyTimestamp attribute value
* systemd unit files are now shipped for the sssd-secrets responder,
allowing the responder to be socket-activated. To do so, administrators
should enable the sssd-secrets.socket and sssd-secrets.service systemd
units.
* The sssd binary has a new switch --disable-netlink that lets sssd skip
messages from the kernel's netlink interface.
* A crash when entries with special characters such as '(' were requested
was fixed
* The ldap_rfc_2307_fallback_to_local_users option was broken in the
previous version. This release fixes the functionality.

-------------------------------------------------------------------
Fri Jul 8 10:46:59 UTC 2016 - jengelh@inai.de

- Update to new upstream release 1.14.0
* The AD provider is now able to look up users from Active
Directory domains by certificate. This change enables logins for
Active Directory users with the help of a smart card.
* The sss_override tool is now able to add certificates as local
overrides in the SSSD cache. Please note that the certificate
overrides are stored in the local cache, so removing the cache
also removes all the certificates!
* Invalid certificates are skipped instead of aborting the whole
operation when logging in with a smart card using SSH.
* This version allows several OCSP-related options such as the OCSP
responder to be configured during smart card authentication.
* SSSD is now able to determine the name of the user who logs in
from the inserted smart card without having to type in the
username. Note that this functionality must be enabled with the
allow_missing_name pam_sss option.
* The sss_cache command line tool is now able to invalidate SUDO
rules with its new -r/-R switches. Note that the sudo rules are
not refreshed with the sss_cache tool immediately.
* A new command line tool called sssctl was added. This tool
allows observing the status of SSSD.
* A new option local_negative_timeout was added. This option
allows the admin to specify the time during which lookups for
users that are not handled by SSSD but are present on the
system (typically in /etc/passwd and /etc/group) and prevents
repeated lookups of local users on the remote server during
initgroups operation.
* An ID-mapping plugin for the winbind daemon was added. With
this plugin, it's possible for winbind to use the same
ID-mapping scheme as SSSD uses, producing consistent ID values.
- Remove 0001-build-detect-endianness-at-configure-time.patch
(included upstream)

-------------------------------------------------------------------
Mon Apr 18 12:24:29 UTC 2016 - hguo@suse.com

- Enable PAC responder.
PAC is an extension element returned by domain controller, to speed
up resolution of authorisation data such as group memberships.

-------------------------------------------------------------------
Thu Apr 14 17:20:11 UTC 2016 - michael@stroeder.com

- Update to new upstream release 1.13.4
* The IPA sudo provider was reimplemented. The new version reads the
data from IPA's LDAP tree (as opposed to the compat tree populated by
the slapi-nis plugin that was used previously). The benefit is that
deployments which don't require the compat tree for other purposes,
such as support for non-SSSD clients, can disable those autogenerated
LDAP trees to conserve resources that slapi-nis otherwise requires. There
should be no visible changes to the end user.
* SSSD now has the ability to renew the machine credentials (keytabs)
when the ad provider is used. Please note that a recent version of
the adcli (0.8 or newer) package is required for this feature to work.
* The automatic ID mapping feature was improved so that the administrator
is no longer required to manually set the range size in case a RID in
the AD domain is larger than the default range size
* A potential infinite loop in the NFS ID mapping plugin that was
resulting in excessive memory usage was fixed
* Clients that are pinned to a particular AD site using the ad_site
option no longer communicate with DCs outside that site during service
discovery.
* The IPA identity provider is now able to resolve external
(typically coming from a trusted AD forest) group members during
get-group-information requests. Please note that resolving external
group memberships for AD users during the initgroup requests used to
work even prior to this update. This feature is mostly useful for cases
where an IPA client is using the compat tree to resolve AD trust users.
* The IPA ID views feature now works correctly even for deployments
without a trust relationship. Previously, the subdomains IPA provider
failed to read the views data if no master domain record was created
on the IPA server during trust establishment.
* A race condition in the client libraries between the SSSD closing
the socket as idle and the client application using the socket was
fixed. This bug manifested with a Broken Pipe error message on the
client.
* SSSD is now able to resolve users with the same usernames in different
OUs of an AD domain
* The smartcard authentication now works properly with gnome-screensaver

-------------------------------------------------------------------
Wed Feb 10 16:38:37 UTC 2016 - mpluskal@suse.com

- Enable internal testsuite

-------------------------------------------------------------------
Wed Dec 16 14:08:01 UTC 2015 - jengelh@inai.de

- Update to new maintenance release 1.13.3
* A bug that prevented user lookups and logins after migration from
winsync to IPA-AD trusts was fixed.
* A bug that prevented the ignore_group_members option from working
correctly in AD provider setups that use a dedicated primary
group (as opposed to a user-private group) was fixed.
* Offline detection and offline login timeouts were improved for AD
users logging in from a domain trusted by an IPA server.
* The AD provider supports setting up autofs_provider=ad.

-------------------------------------------------------------------
Fri Nov 20 10:39:56 UTC 2015 - jengelh@inai.de

- Update to new upstream release 1.13.2
* Initial support for Smart Card authentication was added.
* The PAM prompting was enhanced so that when Two-Factor
Authentication is used, both factors (password and token) can be
entered separately on separate prompts.
* This release supports authenticating against a KDC proxy.

-------------------------------------------------------------------
Wed Sep 30 11:44:21 UTC 2015 - michael@stroeder.com

- Update to new upstream release 1.13.1
* Initial support for Smart Card authentication was added. The
feature can be activated with the new pam_cert_auth option.
* The PAM prompting was enhanced so that when Two-Factor
Authentication is used, both factors (password and token) can
be entered separately on separate prompts. At the same time,
only the long-term password is cached, so offline access would
still work using the long term password.
* A new command line tool sss_override is present in this
release. The tool allows overriding attributes on the SSSD
side. It's helpful in environments where e.g. some hosts need to
have a different view of POSIX attributes than others. Please
note that the overrides are stored in the cache as well, so
removing the cache will also remove the overrides.
* Several enhancements to the dynamic DNS update code. Notably,
clients that update multiple interfaces work better with this
release.
* This release supports authenticating against a KDC proxy
* The fail over code was enhanced so that if a trusted domain is
not reachable, only that domain will be marked as inactive but
the backend would stay in online mode.

-------------------------------------------------------------------
Thu Aug 20 08:34:44 UTC 2015 - jengelh@inai.de

- Update to new upstream release 1.13
* Support for separate prompts when using two-factor authentication
* Added support for one-way trusts between an IPA and Active
Directory environment. (Depends on IPA 4.2)
* The fast memory cache now also supports the initgroups operation.
* The PAM responder is now capable of caching authentication for
a configurable period, which might reduce server load in cases
where accounts authenticate very frequently.
Refer to the "cached_auth_timeout" option in sssd.conf(5).
* The Active Directory provider has changed the default value of
the "ad_gpo_access_control" option from permissive to enforcing.
As a consequence, the GPO access control now affects all clients
that set access_provider to ad. In order to restore the previous
behaviour, set ad_gpo_access_control to permissive or use a
different access_provider type.
* Group Policy objects defined in a different AD domain than the
computer object is defined in are now supported.
* Credential caching and Offline authentication are also available
when using two-factor authentication
* The Python bindings are now built for both Python2 and Python3.
* The LDAP bind timeout, StartTLS timeout and password change
timeout are now configurable using the ldap_opt_timeout option.

-------------------------------------------------------------------
Wed Aug 12 18:20:25 UTC 2015 - jengelh@inai.de

- Kill unused libsss_sudo-devel solvable.

-------------------------------------------------------------------
Tue Aug 11 07:41:07 UTC 2015 - hguo@suse.com

- Obsolete/provide libsss_sudo in sssd main package.
Sudo capability is an integral feature in SSSD and the library
is not supposed to be used separately.

-------------------------------------------------------------------
Thu Jun 25 16:44:49 UTC 2015 - crrodriguez@opensuse.org

- sssd.service: add Before= and Wants=nss-user-lookup.target
correct fix for bsc#926961

-------------------------------------------------------------------
Sun Jun 14 17:44:20 UTC 2015 - michael@stroeder.com

- Update to new upstream release 1.12.5
* The background refresh task now supports refreshing users and
groups as well. See the "refresh_expired_interval" parameter in
the sssd.conf manpage.
* A new option subdomain_inherit was added.
* When an expired account attempts to log in, a configurable
error message can be displayed with sufficient pam_verbosity
setting. See the "pam_account_expired_message" option.
* OpenLDAP ppolicy can be honored even when an alternate login
method (such as SSH key) is used. See the "ldap_access_order"
option.
* A new option "krb5_map_user" was added, allowing the admin to
map UNIX usernames to Kerberos principals.
* BUG FIXES:
* Fixed AD-specific bugs that resulted in the incorrect set of
groups being displayed after the initgroups operation.
* Fixes related to the IPA ID views feature. Setups using this
should update sssd on both IPA servers and clients.
* The AD provider now handles binary GUIDs correctly.
* A bug that prevented the `ignore_group_members` parameter from being
used with the AD provider was fixed.
* The failover code now reads and honors TTL value for SRV
queries as well.
* Race condition between setting the timeout in the back ends and
reading it in the front end during initgroup operation was
fixed. This bug affected applications that perform the
initgroups(3) operation in multiple processes simultaneously.
* Setups that only want to use the domain SSSD is connected to,
but not the autodiscovered trusted domains by setting
`subdomains_provider=none` now work correctly as long as the
domain SID is set manually in the config file.
* In case only "allow" rules are used, the simple access provider
is now able to skip unresolvable groups.
* The GPO access control code now handles situations where user
and computer objects were in different domains.

-------------------------------------------------------------------
Thu Feb 19 10:51:22 UTC 2015 - hguo@suse.com

- Update to new upstream release 1.12.4 (Changelog highlights following)
* This is mostly a bug fixing release with only minor enhancements
visible to the end user.
* Contains many fixes and enhancements related to the ID views
functionality of FreeIPA servers.
* Several fixes related to retrieving AD group membership in an
IPA-AD trust scenario.
* Fixes a bug where the GPO access control previously didn't work
at all if debugging was enabled in smb.conf.
* SSSD can now be pinned to a particular AD site instead of
autodiscovering the site.
* A regression that caused setting the SELinux context for IPA users
to fail, was fixed.
* Fixed a potential crash caused by a double-free error when an SSSD
service was killed by the monitor process.

-------------------------------------------------------------------
Mon Feb 16 10:09:18 UTC 2015 - howard@localhost

- A minor rpmspec cleanup to get rid of five rpmlint warnings
* Remove mentioning of system-wide dbus configuration file from comments.
* Remove traditional init script.
* Remove compatibility for producing packages on older OpenSUSE releases.

-------------------------------------------------------------------
Thu Jan 8 22:23:42 UTC 2015 - jengelh@inai.de

- Update to new upstream release 1.12.3
* SSSD now allows the IPA client to move from one ID view to
another after SSSD restart.
* It is possible to apply ID views to IPA domains as well.
Previous SSSD versions only allowed views to be applied to AD
trusted domains.
* Overriding SSH public keys is supported in this release.
* Move semanage related functions to a separate library.

-------------------------------------------------------------------
Thu Jan 1 22:01:02 UTC 2015 - meissner@suse.com

- build with PIE

-------------------------------------------------------------------
Mon Nov 10 00:37:00 UTC 2014 - Led <ledest@gmail.com>

- fix bashism in postun script

-------------------------------------------------------------------
Thu Oct 30 12:22:06 UTC 2014 - jengelh@inai.de

- Update to new upstream release 1.12.2 (bugfix release, bnc#900159)
* Fixed a regression where the IPA provider did not fetch User
Private Groups correctly
* An important bug in the GPO access control which resulted in a
wrong principal being used, was fixed.
* Several new options are available for deployments that need to
restrict a certain PAM service from connecting to a certain SSSD
domain. For more details, see the description of
pam_trusted_users and pam_public_domains options in the
sssd.conf(5) man page and the domains option in the pam_sss(8)
man page.
* When SSSD is acting as an IPA client in a setup with trusted AD
domains, it is able to return group members or full group
memberships for users from trusted AD domains.
* Support for the "views" feature of IPA.
- Remove 0001-build-call-AC_BUILD_AUX_DIR-before-anything-else.patch
(merged upstream)

-------------------------------------------------------------------
Sat Oct 11 13:36:48 UTC 2014 - jengelh@inai.de

- Add 0001-build-call-AC_BUILD_AUX_DIR-before-anything-else.patch
to work around bad autoconf invocation

-------------------------------------------------------------------
Sat Oct 11 00:16:15 UTC 2014 - crrodriguez@opensuse.org

- 0001-build-detect-endianness-at-configure-time.patch
Correct defective endianness test.

-------------------------------------------------------------------
Mon Oct 6 13:25:23 UTC 2014 - jengelh@inai.de

- Update to new upstream release 1.12.1
* The GPO access control was further enhanced to allow the access
control decisions while offline and map the Windows logon
rights onto Linux PAM services.
* The SSSD now ships a plugin for the rpc.idmapd daemon,
sss_rpcidmapd(5).
* A MIT Kerberos localauth plugin was added to SSSD. This plugin
helps translating principals to user names in IPA-AD trust
scenarios, allowing the krb5.conf configuration to be less
complex.
* A libwbclient plugin implementation is now part of the SSSD.
The main purpose is to map Active Directory users and groups
identified by their SID to POSIX users and groups for the
file-server use-case.
* Active Directory users can now use their User Logon Name to log
in.
* The sss_cache tool was enhanced to allow invalidating the SSH
host keys.
* Groups without full POSIX information can now be used to enroll
group membership (CVE-2014-0249).
* Detection of transition from offline to online state was
improved, resulting in fewer timeouts when SSSD is offline.
* The Active Directory provider now correctly detects Windows
Server 2012 R2. Previous versions would fall back to the slower
non-AD path with 2012 R2.
* Several other bugs related to deployments where SSSD is acting
as an AD client were fixed.

-------------------------------------------------------------------
Fri Aug 22 15:44:14 UTC 2014 - lchiquitto@suse.com

- The utility sss_obfuscate uses the Python module pysss, so add a
dependency on python-sssd-config to sssd-tools (bnc#890242)

-------------------------------------------------------------------
Sun Aug 10 12:20:50 UTC 2014 - jengelh@inai.de

- Update to new upstream release 1.12.0
* A new responder, called InfoPipe was added. This responder
provides a public D-Bus interface accessible over the system bus.
In this release, methods for retrieving user attributes and list
of groups were added as well as objects representing SSSD domains
and processes. (The next 1.12.x releases will publish objects
representing users and groups, too.)
* SSSD provides an ID-mapping plugin for cifs-utils so that Windows
SIDs can be mapped onto POSIX IDs and/or names without requiring
Winbind and using the same code as the SSSD uses for identity
information.
* First phase of Group Policy-based access control for the AD
provider was added. At the moment, the gpo-ldap component that
downloads the list of GPOs that apply for the specific client has
been implemented as well as the gpo-smb component that retrieves
the group policy files and determines the access control check
results based on those files. Future improvements will focus on
storing the GPO policies as local files and mapping the Windows
logon rights onto Linux PAM services.
* Added a new library called sss_sifp that provides a simple
synchronous API for communication with our new InfoPipe responder
over the system bus.
- Remove 0001-BUILD-Link-libsss_ldap_common.so-to-libsss_idmap.so.patch
(merged upstream)
- Provide "rcsssd" in systemd environments
- Ensure sssd is always startable by removing /var/lib/sss/db/*.ldb
on package installation so as to avoid potential cache
format incompatibility which would cause sssd to exit

-------------------------------------------------------------------
Thu Jun 12 14:18:30 UTC 2014 - ckornacker@suse.com

- fix %postun to not erroneously remove sss pam module

-------------------------------------------------------------------
Tue May 27 16:56:42 UTC 2014 - crrodriguez@opensuse.org

- Switch to libnl-3 so we can get rid of libnl-1.

-------------------------------------------------------------------
Sat May 24 14:36:43 UTC 2014 - jengelh@inai.de

- Redo 0001-build-detect-endianness-at-configure-time.patch to be -p1
- Add 0001-BUILD-Link-libsss_ldap_common.so-to-libsss_idmap.so.patch
to resolve runtime loading problems
(http://lists.opensuse.org/opensuse-factory/2014-05/msg00181.html)

-------------------------------------------------------------------
Tue May 13 11:11:59 UTC 2014 - varkoly@suse.com

- bnc#877457 - 78 Configuration file /usr/lib/systemd/system/sssd.service is marked executable.
Please remove executable permission bits.

-------------------------------------------------------------------
Tue May 6 14:01:29 UTC 2014 - ddiss@suse.com

- Detect endianness at configure time, for use by Samba's byteorder.h header;
(bnc#876544).
+ 0001-build-detect-endianness-at-configure-time.patch

-------------------------------------------------------------------
Tue Apr 29 10:00:57 UTC 2014 - varkoly@suse.com

- Update to new upstream release 1.11.5.1
* sssd crashes after upgrade from 1.11.4 to 1.11.5 when using a samba4 domain
* SSSD pam module accepts usernames with leading spaces
* [RFE] Expose the list of trusted domains to IPA
* If both IPA and LDAP are set up with enumeration on, two enum tasks are running
* sssd.conf man pages don't list a configuration option.
* Make SSSD compilable on systems with non-standard paths to krb5 includes
* [freebsd] pam_sss: add ignore_unknown_user option
* MAN: Remove misleading memberof example from ldap_access_filter example
* not retrieving homedirs of AD users with posix attributes
* Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes
* Check IPA idranges before saving them to the cache
* Evaluate usage of sudo LDAP provider together with the AD provider
* Setting int option to 0 yields the default value
* ipa-server-mode: Use lower-case user name component in home dir path
* SSSD Does not cache SELinux map from FreeIPA correctly
* IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in
* sssd fails to handle expired passwords when OTP is used
* Add another Kerberos error code to trigger IPA password migration
* Double OK when starting the service
* SSSD should create the SELinux mapping file with format expected by pam_selinux
* Valgrind: Invalid read of int while processing netgroup
* other subdomains are unavailable when joined to a subdomain in the ad forest
* Error during password change
* configure time variables not expanded when running ./configure
* RHEL7 IPA selinuxusermap hbac rule not always matching

-------------------------------------------------------------------
Fri Mar 7 15:18:34 UTC 2014 - jengelh@inai.de

- Update to new upstream release 1.11.4
* The simple access provider supports specifying users and groups
using their NetBIOS domain name (such as DOMAIN\username)
* Support for enumerating users and groups from trusted AD domains
was added to the AD provider
* The Active Directory site discovery was made more robust for
configurations which use multiple trusted domains
* Several bugs in the LDAP provider that affected setups which
mapped Windows SIDs to POSIX IDs were fixed
* The SSSD is now able to use One Time Password (OTP)
authentication configured on an IPA server.

-------------------------------------------------------------------
Fri Dec 20 21:54:58 UTC 2013 - jengelh@inai.de

- Update to new upstream release 1.11.3
* The AD provider is able to resolve group memberships for groups
with Global and Universal scope
* The initgroups (get groups for user) operation for users from
trusted AD domains was made more reliable by reading the required
tokenGroups attribute from LDAP instead of Global Catalog
* A new option ad_enable_gc was added to the AD provider. This
option allows the administrator to force SSSD to talk to LDAP
port only and never try the Global Catalog
* The AD provider is now able to leverage the tokenGroups attribute
even when POSIX attributes are used, providing better performance
during logins.
* A memory leak in the NSS responder that affected long-lived
clients that requested netgroup data was fixed
- Remove sssd-ldflags.diff (merged upstream)

-------------------------------------------------------------------
Thu Nov 28 16:51:39 UTC 2013 - ckornacker@suse.com

- Migrate deprecated krb5_kdcip variable to krb5_server (bnc#851048)

-------------------------------------------------------------------
Fri Nov 1 22:12:03 UTC 2013 - jengelh@inai.de

- Update to new upstream release 1.11.2
* A new option ad_access_filter was added. This option allows the
administrator to easily configure an LDAP search filter that the users
logging in must match in order to be granted access.
* The Kerberos provider will no longer try to create public
directories when evaluating the krb5_ccachedir option.
- Remove 0005-implicit-decl.diff (merged upstream)

-------------------------------------------------------------------
Tue Sep 3 21:12:37 UTC 2013 - jengelh@inai.de

- Update to new upstream release 1.11.0
* The sudo integration was made more robust. SSSD is now able to
gracefully handle situations where it is not able to resolve the
client host name or sudo rules have multiple name attributes.
* Several nested group membership bugs were fixed
* The PAC responder was made more robust and efficient, modifying
existing cache entries instead of always recreating them.
* The Kerberos provider now supports the new KEYRING ccache type.
- Remove sssd-no-ldb-check.diff, now implemented through a
configure argument --disable-ldb-version-check

-------------------------------------------------------------------
Sun Jun 16 16:11:42 UTC 2013 - jengelh@inai.de

- Explicitly formulate SASL BuildRequires

-------------------------------------------------------------------
Thu May 2 09:20:49 UTC 2013 - jengelh@inai.de

- Update to new upstream release 1.9.5
  * Includes a fix for CVE-2013-0287: A simple access provider flaw
    prevents intended ACL use when SSSD is configured as an Active
    Directory client.
  * Fixed spurious password expiration warning that was printed on
    login with the Kerberos back end.
  * A new option ldap_rfc2307_fallback_to_local_users was added. If
    this option is set to true, SSSD is able to resolve local
    group members of LDAP groups.
  * Fixed an indexing bug that prevented the contents of autofs maps
    from being returned to the automounter daemon in case the map
    contained a large number of entries.
  * Several fixes for safer handling of Kerberos credential caches
    for cases where the ccache is set to be stored in a DIR: type.
- Remove Provide-a-be_get_account_info_send-function.patch,
  Add-unit-tests-for-simple-access-test-by-groups.patch,
  Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch,
  Resolve-GIDs-in-the-simple-access-provider.patch
  (CVE-2013-0287 material is in upstream),
  sssd-sysdb-binary-attrs.diff (merged upstream)

-------------------------------------------------------------------
Fri Apr 5 16:35:07 UTC 2013 - jengelh@inai.de

- Implement signature verification

-------------------------------------------------------------------
Wed Mar 20 10:05:00 UTC 2013 - rhafer@suse.com

- Fixed security issue: CVE-2013-0287 (bnc#809153):
  When SSSD is configured as an Active Directory client by using
  the new Active Directory provider or equivalent configuration
  of the LDAP provider, the Simple Access Provider does not
  handle access control correctly. If any groups are specified
  with the simple_deny_groups option, the group members are
  permitted access. New patches:
  * Provide-a-be_get_account_info_send-function.patch
  * Add-unit-tests-for-simple-access-test-by-groups.patch
  * Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch
  * Resolve-GIDs-in-the-simple-access-provider.patch

-------------------------------------------------------------------
Tue Feb 26 08:29:43 UTC 2013 - jengelh@inai.de

- Resolve user retrieval problems when encountering binary data
  in LDAP attributes (bnc#806078),
  added sssd-sysdb-binary-attrs.diff
- Added sssd-no-ldb-check.diff so that SSSD continues to start
  even after an LDB update.

-------------------------------------------------------------------
Fri Feb 8 10:31:52 UTC 2013 - rhafer@suse.com

- fix package name in baselibs.conf (bnc#796423)

-------------------------------------------------------------------
Thu Jan 31 16:34:47 UTC 2013 - rhafer@suse.com

- update to 1.9.4 (bnc#801036):
  * A security bug assigned CVE-2013-0219 was fixed - TOCTOU race
    conditions when creating or removing home directories for users
    in local domain
  * A security bug assigned CVE-2013-0220 was fixed - out-of-bounds
    reads in autofs and ssh responder
  * The sssd_pam responder processes pending requests after
    reconnect
  * A serious memory leak in the NSS responder was fixed
  * Requests that were processing group entries with DNs pointing
    out of any configured search bases were not terminated
    correctly, causing long timeouts
  * Kerberos tickets are correctly renewed even after SSSD daemon
    restart
  * Multiple fixes related to SUDO integration, in particular
    fixing functionality when the sssd back end process was
    changing its online/offline status
  * The pwd_exp_warning option was fixed to function as documented
    in the manual page
- refreshed sssd-ldflags.diff to apply cleanly

-------------------------------------------------------------------
Mon Dec 10 09:55:35 UTC 2012 - rhafer@suse.com

- Removed left-over "Requires" for no longer existing sssd-client
  subpackage.
- New patch: sssd-ldflags.diff to fix link failures due to erroneous
  LDFLAGS usage

-------------------------------------------------------------------
Thu Dec 6 10:38:59 UTC 2012 - rhafer@suse.com

- Switch back to using libcrypto instead of mozilla-nss as it seems
  to be supported upstream again, cf.
  https://lists.fedorahosted.org/pipermail/sssd-devel/2012-June/010202.html
- Cleanup PAM configuration after uninstalling sssd (bnc#788328)

-------------------------------------------------------------------
Thu Dec 6 09:05:29 UTC 2012 - jengelh@inai.de

- Update to new upstream release 1.9.3
  * Many fixes related to deployments where the SSSD is running as
    a client of IPA server with trust relation established with an
    Active Directory server
  * Multiple fixes related to correct reporting of group
    memberships, especially in setups that use nested groups
  * Fixed a bug that prevented upgrade from the 1.8 series if the
    cache contained nested groups before the upgrade
  * Restarting the responders is more robust for cases where the
    machine is under heavy load during back end restart
  * The default_shell option can now be also set per-domain in
    addition to global setting.

-------------------------------------------------------------------
Sat Nov 10 00:27:06 UTC 2012 - jengelh@inai.de

- Update to new upstream release 1.9.2
  * Users or groups from trusted domains can be retrieved by UID or
    GID as well
  * Several fixes that mitigate file descriptor leak during logins
  * SSH host keys are also removed from the cache after being
    removed from the server
  * Fix intermittent crash in responders if the responder was
    shutting down while requests were still pending
  * Catch an error condition that might have caused a tight loop in
    the sssd_nss process while refreshing expired enumeration request
  * Fixed memory hierarchy of subdomains discovery requests that
    caused use-after-free access bugs
  * The krb5_child and ldap_child processes can print libkrb5 tracing
    information in the debug logs

-------------------------------------------------------------------
Wed Jun 27 12:32:05 UTC 2012 - jengelh@inai.de

- Update to new upstream release 1.8.93 (1.9.0~beta3)
  * Add native support for autofs to the IPA provider
  * Support for id mapping when connecting to Active Directory
  * Support for handling very large (> 1500 users) groups in
    Active Directory
  * Add a new fast in-memory cache to speed up lookups of cached data
    on repeated requests
  * Add support for the Kerberos DIR cache for storing multiple TGTs
    automatically
  * Add a new PAC responder for dealing with cross-realm Kerberos
    trusts
  * Terminate idle connections to the NSS and PAM responders

-------------------------------------------------------------------
Thu May 10 04:22:47 UTC 2012 - jengelh@inai.de

- Update to new upstream release 1.8.3
  * LDAP: Handle situations where the RootDSE is not available
    anonymously
  * LDAP: Fix regression for users using non-standard LDAP attributes
    for user information
- Switch from openssl to mozilla-nss, as this is the officially
  supported crypto integration

-------------------------------------------------------------------
Fri Apr 13 13:03:44 PDT 2012 - ben.kevan@gmail.com

- Fix build error on SLES 11 builds

-------------------------------------------------------------------
Mon Apr 9 21:45:45 PDT 2012 - ben.kevan@gmail.com

- Add suse_version condition for glib over libunistring for
  SLES 11 SP2.
- Update to new upstream release 1.8.2
  * Fix for GSSAPI binds when the keytab contains unrelated
    principals
  * Workarounds added for LDAP servers with unreadable RootDSE

-------------------------------------------------------------------
Wed Apr 4 16:13:33 PDT 2012 - ben.kevan@gmail.com

- Update to new upstream release 1.8.1
  * Resolve issue where we could enter an infinite loop trying to
    connect to an auth server

-------------------------------------------------------------------
Sun Mar 11 18:36:44 UTC 2012 - jengelh@medozas.de

- Update to new upstream release 1.8.0
  * Support for the service map in NSS
  * Support for setting default SELinux user context from FreeIPA
  * Support for retrieving SSH user and host keys from LDAP
  * Support for caching autofs LDAP requests
  * Support for caching SUDO rules
  * Include the IPA AutoFS provider
  * Fixed several memory-corruption bugs
  * Fixed a regression in the proxy provider

-------------------------------------------------------------------
Wed Oct 19 13:56:57 UTC 2011 - rhafer@suse.de

- Fixed systemd related packaging issues (bnc#724157)
- fixed build on older openSUSE releases

-------------------------------------------------------------------
Mon Sep 19 17:07:24 UTC 2011 - jengelh@medozas.de

- Resolve "have choice for libnl-devel:
  libnl-1_1-devel libnl3-devel"

-------------------------------------------------------------------
Tue Aug 2 08:46:53 UTC 2011 - rhafer@suse.de

- Fixed typos in configure args
- Cherry-picked password policy fixes from 1.5 branch (bnc#705768)
- switched to fd-leak fix cherry-picked from 1.5 branch
- Add /usr/sbin to the search path to make configure find nscd
  (bnc#709747)

-------------------------------------------------------------------
Fri Jul 29 10:39:51 UTC 2011 - jengelh@medozas.de

- Add patches to fix an fd leak in sssd_pam

-------------------------------------------------------------------
Thu Jul 28 10:03:32 UTC 2011 - jengelh@medozas.de

- Update to new upstream release 1.5.11
  * Support for overriding home directory, shell and primary GID
    locally
  * Properly honor TTL values from SRV record lookups
  * Support non-POSIX groups in nested group chains (for RFC2307bis
    LDAP servers)
  * Properly escape IPv6 addresses in the failover code
  * Do not crash if inotify fails (e.g. resource exhaustion)
- Remove redundant %clean section; delete .la files more
  efficiently

-------------------------------------------------------------------
Tue Jun 7 08:59:04 UTC 2011 - rhafer@suse.de

- Update to 1.5.8:
  * Support for the LDAP paging control
  * Support for multiple DNS servers for name resolution
  * Fixes for several group membership bugs
  * Fixes for rare crash bugs

-------------------------------------------------------------------
Wed May 4 09:22:20 UTC 2011 - rhafer@suse.de

- Update to 1.5.7
  * A flaw was found in the handling of cached passwords when
    kerberos renewal tickets is enabled. Due to a bug, the cached
    password was overwritten with a (moderately) predictable
    filename, which could allow a user to authenticate as someone
    else if they knew the name of the cache file (bnc#691135,
    CVE-2011-1758)
- Changes in 1.5.6:
  * Fixed a serious memory leak in the memberOf plugin
  * Fixed a regression with the negative cache that caused it to be
    essentially nonfunctional
  * Fixed an issue where the user's full name would sometimes be
    removed from the cache
  * Fixed an issue with password changes in the kerberos provider
    not working with kpasswd

-------------------------------------------------------------------
Thu Apr 14 11:31:38 UTC 2011 - rhafer@suse.de

- Update to 1.5.5
  * Fixes for several crash bugs
  * LDAP group lookups will no longer abort if there is a
    zero-length member attribute
  * Add automatic fallback to 'cn' if the 'gecos' attribute does not
    exist

-------------------------------------------------------------------
Wed Mar 30 09:47:23 UTC 2011 - rhafer@suse.de

- Should build in SLE-11-SP1 now

-------------------------------------------------------------------
Tue Mar 29 13:23:57 UTC 2011 - rhafer@suse.de

- Updated to 1.5.4
  * Fixes for Active Directory when not all users and groups have
    POSIX attributes
  * Fixes for handling users and groups that have name aliases
    (aliases are ignored)
  * Fix group memberships after initgroups in the IPA provider

-------------------------------------------------------------------
Thu Mar 24 15:42:02 UTC 2011 - rhafer@suse.de

- Updated to 1.5.3
  * Support for libldb >= 1.0.0
  * Proper detection of manpage translations
  * Changes between 1.5.1 and 1.5.2
  * Fixes for support of FreeIPA v2
  * Fixes for failover if DNS entries change
  * Improved sss_obfuscate tool with better interactive mode
  * Fix several crash bugs
  * Don't attempt to use START_TLS over SSL. Some LDAP servers
    can't handle this
  * Delete users from the local cache if initgroups calls return
    'no such user' (previously only worked for getpwnam/getpwuid)
  * Use new Transifex.net translations
  * Better support for automatic TGT renewal (now survives
    restart)
  * Netgroup fixes

-------------------------------------------------------------------
Tue Mar 8 13:22:58 UTC 2011 - rhafer@suse.de

- Updated to 1.5.1
  * Vast performance improvements when enumerate = true
  * All PAM actions will now perform a forced initgroups lookup
    instead of just a user information lookup. This guarantees that
    all group information is available to other providers, such as
    the simple provider.
  * For backwards-compatibility, DNS lookups will also fall back to
    trying the SSSD domain name as a DNS discovery domain.
  * Support for more password expiration policies in LDAP
    - 389 Directory Server
    - FreeIPA
    - ActiveDirectory
  * Support for ldap_tls_{cert,key,cipher_suite} config options
  * Assorted bugfixes

-------------------------------------------------------------------
Wed Jan 19 09:32:35 UTC 2011 - rhafer@suse.de

- /var/lib/sss/pubconf was missing (bnc#665442)

-------------------------------------------------------------------
Tue Jan 18 09:08:35 UTC 2011 - rhafer@suse.de

- It was possible to make sssd hang forever inside a loop in the
  PAM responder by sending a carefully crafted packet to sssd.
  This could be exploited by a local attacker to crash sssd and
  prevent other legitimate users from logging into the system.
  (bnc#660481, CVE-2010-4341)

-------------------------------------------------------------------
Sun Dec 19 13:37:32 UTC 2010 - aj@suse.de

- Own /etc/systemd directories to fix build.

-------------------------------------------------------------------
Thu Nov 25 16:30:40 UTC 2010 - rhafer@novell.com

- install systemd service file

-------------------------------------------------------------------
Tue Nov 16 11:06:02 UTC 2010 - rhafer@novell.com

- Updated to 1.4.1
  * Add support for netgroups to the LDAP and proxy providers
  * Fixes a minor bug with UIDs/GIDs >= 2^31
  * Fixes a segfault in the kerberos provider
  * Fixes a segfault in the NSS responder if a data provider crashes
  * Correctly use sdap_netgroup_search_base
  * the utility libraries libpath_utils1, libpath_utils-devel,
    libref_array1 and libref_array-devel moved to their own
    separate upstream project (ding-libs)
  * Performance improvements made to group processing of RFC2307
    LDAP servers
  * Fixed nested group issues with RFC2307bis LDAP servers without
    a memberOf plugin
  * Manpage reviewed and updated

-------------------------------------------------------------------
Mon Sep 13 12:23:47 UTC 2010 - coolo@novell.com

- remove hard coded python version

-------------------------------------------------------------------
Fri Sep 3 13:17:48 UTC 2010 - rhafer@novell.com

- No dependencies on %{release}

-------------------------------------------------------------------
Mon Aug 30 12:57:47 UTC 2010 - rhafer@novell.com

- Updated to 1.3.1
  * Fixes to the HBAC backend for obsolete or removed HBAC entries
  * Improvements to log messages around TLS and GSSAPI for LDAP
  * Support for building in environments using --as-needed LDFLAGS
  * Vast performance improvement for initgroups on RFC2307 LDAP servers
  * Long-running SSSD clients (e.g. GDM) will now reconnect properly to the
    daemon if SSSD is restarted
  * Rewrote the internal LDB cache API. As a synchronous API it is now faster
    to access and easier to work with
  * Eugene Indenbom contributed a sizeable amount of code to the LDAP provider
    - We now handle failover situations much more reliably than we did
      previously
    - We also will now monitor the GSSAPI kerberos ticket and automatically
      renew it when appropriate, instead of waiting for a connection to fail
  * Support for netlink now allows us to more quickly detect situations
    where we may have come online
  * New option "dns_discovery_domain" allows better configuration for
    using SRV records for failover
- New subpackages: libpath_utils1, libpath_utils-devel, libref_array1
  and libref_array-devel

-------------------------------------------------------------------
Wed Mar 31 14:02:43 UTC 2010 - rhafer@novell.com

- Package pam- and nss-Modules as baselibs
- cleaned up file list and dependencies
- fixed init script dependencies

-------------------------------------------------------------------
Wed Mar 31 07:57:25 UTC 2010 - rhafer@novell.com

- Updated to 1.1.0
  * Support for IPv6
  * Support for LDAP referrals
  * Offline failed login counter
  * Fix for the long-standing cache cleanup performance issues
  * libini_config, libcollection, libdhash, libref_array and
    libpath_utils are now built as shared libraries for general
    consumption (libref_array and libpath_utils are currently not
    packaged, as no component in sssd links against them)
  * Users get feedback from PAM if they authenticated offline
  * Native local backend now has a utility to show nested memberships
    (sss_groupshow)
  * New "simple" access provider for easy restriction of users
- Backported libcrypto support from master to avoid Mozilla NSS
  dependency
- Backported password policy improvements for LDAP provider from
  master

-------------------------------------------------------------------
Mon Mar 8 14:06:29 UTC 2010 - rhafer@novell.com

- use logfiles for debug messages by default

-------------------------------------------------------------------
Fri Mar 5 12:57:25 UTC 2010 - rhafer@novell.com

- subpackages for commandline tools, ipa-provider plugin and
  python API

-------------------------------------------------------------------
Fri Feb 26 14:48:50 UTC 2010 - rhafer@novell.com

- Updated to 1.0.5. Highlights:
  * Removed some dead code (libreplace)
  * Clarify licenses throughout the code

-------------------------------------------------------------------
Thu Feb 4 17:04:01 UTC 2010 - rhafer@novell.com

- Updated to 1.0.4

-------------------------------------------------------------------
Thu Oct 8 15:10:47 UTC 2009 - rhafer@novell.com

- Update to 0.6.0

-------------------------------------------------------------------
Fri Sep 4 08:59:21 UTC 2009 - rhafer@novell.com

- fix LDAP filter for initgroups() with rfc2307bis setups

-------------------------------------------------------------------
Tue Sep 1 08:58:37 UTC 2009 - rhafer@novell.com

- initial package submission
