SHA256
1
0
forked from jengelh/sssd

Compact overly long changelog, wrap to 66 cols as demanded

OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=207
This commit is contained in:
Jan Engelhardt 2018-08-31 11:20:00 +00:00 committed by Git OBS Bridge
parent 77a4f94e77
commit c5d8619327

View File

@ -2,67 +2,37 @@
Fri Aug 31 07:14:39 UTC 2018 - kbabioch@suse.com
- Update to upstream release 1.16.3
New Features
- The kdcinfo files that SSSD uses to inform libkrb5 about which KDCs were
discovered for a Kerberos realm used to be only generated for the joined
domain, not the trusted domains. Starting with this release, the kdcinfo files
are generated automatically also for trusted domains in setups that use
id_provider=ad and IPA masters in a trust relationship with an AD domain.
- The SSSD Kerberos locator plugin which processes the kdcinfo files and
actually tells libkrb5 about the available KDCs can now process multiple
address if SSSD generates more than one. At the moment, this feature is only
used on IPA clients (see below). Please see the sssd_krb5_locator_plugin(8)
manual page for more information about the Kerberos locator plugin.
- On IPA clients, the AD DCs or the AD site which should be used to
authenticate users can now be listed in a subdomain section. Please see the
feature design page or the section “trusted domains configuration” for more
details.
Notable bug fixes
- The permissions on /var/lib/sss/pipes/sudo were set so that anyone could read
anyone elses sudo rules. This was considered an information leak and
assigned CVE-2018-10852 (bsc#1098377)
- The 1.16.2 release was storing the cached passwords without a salt prefix
string. This bug was fixed in this release, but any password hashes generated
by 1.16.2 are incompatible with the hashes generated by 1.16.3. The effect is
that upgrade from 1.16.2 to 1.16.3 should be done when the authentication
server is reachable so that the first authentication after the upgrade fix the
cached password.
- The sss_ssh proces leaked file descriptors when converting more than one x509
certificate to SSH public key
- SSSD, when configured with id_provider=ad was using too expensive LDAP search
to find out whether the required POSIX attributes were replicated to the
Global Catalog. Instead, SSSD now consults the Partial Attribute Set, which
is much more effective
- The PAC responder is now able to process Domain Local in case the PAC uses
SID compression. Typicaly this is the case with Windows Server 2012 and newer
- Some versions of OpenSSH would close the pipe towards sss_ssh_authorizedkeys
when the matching key is found before the rest of the output is read. The
sss_ssh_authorizedkeys helper was not handling this behaviour well and would
exit with SIGPIPE, which also meant the public key authentication failed
- User lookups no longer fail if users e-mail address conflicts with another
users fully qualified name
- The override_shell and override_homedir options are no longer applied to
entries from the files domain.
- Several bugs related to the FleetCommander integration were fixed
- The grace logins with an expired password when authenticating against certain
newer versions of the 389DS/RHDS LDAP server did not work
- Whitespace around netgroup triple separator is now stripped
- The sss_ssh_knownhostproxy utility can now print the host key without
proxying the connection.
- Due to an overly restrictive check, the fast in-memory cache was sometimes
skipped, which caused a high load on the sssd_nss process
Removed patches that are included upstream now:
- 0001-SUDO-Create-the-socket-with-stricter-permissions.patch
- 0002-intg-Do-not-hardcode-nsslibdir.patch
- 0003-Fix-build-for-1-16-2-version.patch
* New Features:
* kdcinfo files for informing krb5 about discovered KDCs are
now also generated for trusted domains in setups that use
id_provider=ad and IPA masters in a trust relationship with
an AD domain.
* The Kerberlos locator plugin can now process multiple
address if SSSD generates more than one. A
* Bug fixes:
* Fixed information leak due to incorrect permissions on
/var/lib/sss/pipes/sudo [CVE-2018-10852, bsc#1098377]
* Cached password are now stored with a salt. Old ones will be
regenerated on next authentication, and the auth server needs
to be reachable for that.
* The sss_ssh proces leaked file descriptors when converting
more than one X.509 certificate to an SSH public key.
* The PAC responder is now able to process Domain Local in case
the PAC uses SID compression (Windows Server 2012+).
* Address the issue that some versions of OpenSSH would close
the pipe towards sss_ssh_authorizedkeys when the matching key
is found before the rest of the output is read.
* User lookups no longer fail if user's e-mail address
conflicts with another user's fully qualified name.
* The override_shell and override_homedir options are no longer
applied to entries from the files domain.
* The grace logins with an expired password when authenticating
against certain newer versions of the 389DS/RHDS LDAP server
did not work.
- Removed patches that are included upstream now:
0001-SUDO-Create-the-socket-with-stricter-permissions.patch,
0002-intg-Do-not-hardcode-nsslibdir.patch,
0003-Fix-build-for-1-16-2-version.patch
-------------------------------------------------------------------
Sun Jul 1 12:44:00 UTC 2018 - ckowalczyk@suse.com