forked from jengelh/sssd
Compact overly long changelog, wrap to 66 cols as demanded
OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=207
This commit is contained in:
parent
77a4f94e77
commit
c5d8619327
92
sssd.changes
92
sssd.changes
@ -2,67 +2,37 @@
|
||||
Fri Aug 31 07:14:39 UTC 2018 - kbabioch@suse.com
|
||||
|
||||
- Update to upstream release 1.16.3
|
||||
|
||||
New Features
|
||||
|
||||
- The kdcinfo files that SSSD uses to inform libkrb5 about which KDCs were
|
||||
discovered for a Kerberos realm used to be only generated for the joined
|
||||
domain, not the trusted domains. Starting with this release, the kdcinfo files
|
||||
are generated automatically also for trusted domains in setups that use
|
||||
id_provider=ad and IPA masters in a trust relationship with an AD domain.
|
||||
|
||||
- The SSSD Kerberos locator plugin which processes the kdcinfo files and
|
||||
actually tells libkrb5 about the available KDCs can now process multiple
|
||||
address if SSSD generates more than one. At the moment, this feature is only
|
||||
used on IPA clients (see below). Please see the sssd_krb5_locator_plugin(8)
|
||||
manual page for more information about the Kerberos locator plugin.
|
||||
|
||||
- On IPA clients, the AD DCs or the AD site which should be used to
|
||||
authenticate users can now be listed in a subdomain section. Please see the
|
||||
feature design page or the section “trusted domains configuration” for more
|
||||
details.
|
||||
|
||||
Notable bug fixes
|
||||
|
||||
- The permissions on /var/lib/sss/pipes/sudo were set so that anyone could read
|
||||
anyone else’s sudo rules. This was considered an information leak and
|
||||
assigned CVE-2018-10852 (bsc#1098377)
|
||||
- The 1.16.2 release was storing the cached passwords without a salt prefix
|
||||
string. This bug was fixed in this release, but any password hashes generated
|
||||
by 1.16.2 are incompatible with the hashes generated by 1.16.3. The effect is
|
||||
that upgrade from 1.16.2 to 1.16.3 should be done when the authentication
|
||||
server is reachable so that the first authentication after the upgrade fix the
|
||||
cached password.
|
||||
- The sss_ssh proces leaked file descriptors when converting more than one x509
|
||||
certificate to SSH public key
|
||||
- SSSD, when configured with id_provider=ad was using too expensive LDAP search
|
||||
to find out whether the required POSIX attributes were replicated to the
|
||||
Global Catalog. Instead, SSSD now consults the Partial Attribute Set, which
|
||||
is much more effective
|
||||
- The PAC responder is now able to process Domain Local in case the PAC uses
|
||||
SID compression. Typicaly this is the case with Windows Server 2012 and newer
|
||||
- Some versions of OpenSSH would close the pipe towards sss_ssh_authorizedkeys
|
||||
when the matching key is found before the rest of the output is read. The
|
||||
sss_ssh_authorizedkeys helper was not handling this behaviour well and would
|
||||
exit with SIGPIPE, which also meant the public key authentication failed
|
||||
- User lookups no longer fail if user’s e-mail address conflicts with another
|
||||
user’s fully qualified name
|
||||
- The override_shell and override_homedir options are no longer applied to
|
||||
entries from the files domain.
|
||||
- Several bugs related to the FleetCommander integration were fixed
|
||||
- The grace logins with an expired password when authenticating against certain
|
||||
newer versions of the 389DS/RHDS LDAP server did not work
|
||||
- Whitespace around netgroup triple separator is now stripped
|
||||
- The sss_ssh_knownhostproxy utility can now print the host key without
|
||||
proxying the connection.
|
||||
- Due to an overly restrictive check, the fast in-memory cache was sometimes
|
||||
skipped, which caused a high load on the sssd_nss process
|
||||
|
||||
Removed patches that are included upstream now:
|
||||
|
||||
- 0001-SUDO-Create-the-socket-with-stricter-permissions.patch
|
||||
- 0002-intg-Do-not-hardcode-nsslibdir.patch
|
||||
- 0003-Fix-build-for-1-16-2-version.patch
|
||||
* New Features:
|
||||
* kdcinfo files for informing krb5 about discovered KDCs are
|
||||
now also generated for trusted domains in setups that use
|
||||
id_provider=ad and IPA masters in a trust relationship with
|
||||
an AD domain.
|
||||
* The Kerberlos locator plugin can now process multiple
|
||||
address if SSSD generates more than one. A
|
||||
* Bug fixes:
|
||||
* Fixed information leak due to incorrect permissions on
|
||||
/var/lib/sss/pipes/sudo [CVE-2018-10852, bsc#1098377]
|
||||
* Cached password are now stored with a salt. Old ones will be
|
||||
regenerated on next authentication, and the auth server needs
|
||||
to be reachable for that.
|
||||
* The sss_ssh proces leaked file descriptors when converting
|
||||
more than one X.509 certificate to an SSH public key.
|
||||
* The PAC responder is now able to process Domain Local in case
|
||||
the PAC uses SID compression (Windows Server 2012+).
|
||||
* Address the issue that some versions of OpenSSH would close
|
||||
the pipe towards sss_ssh_authorizedkeys when the matching key
|
||||
is found before the rest of the output is read.
|
||||
* User lookups no longer fail if user's e-mail address
|
||||
conflicts with another user's fully qualified name.
|
||||
* The override_shell and override_homedir options are no longer
|
||||
applied to entries from the files domain.
|
||||
* The grace logins with an expired password when authenticating
|
||||
against certain newer versions of the 389DS/RHDS LDAP server
|
||||
did not work.
|
||||
- Removed patches that are included upstream now:
|
||||
0001-SUDO-Create-the-socket-with-stricter-permissions.patch,
|
||||
0002-intg-Do-not-hardcode-nsslibdir.patch,
|
||||
0003-Fix-build-for-1-16-2-version.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Jul 1 12:44:00 UTC 2018 - ckowalczyk@suse.com
|
||||
|
Loading…
Reference in New Issue
Block a user