wiki:Releases/Notes-1.11.7
Last modified on 09/17/14 13:23:55

Highlights

  • This release focuses on delivering bug fixes and smaller features backported from the 1.12 line.
  • Several problems with retrieving the correct group memberships in the AD provider when it is configured to use POSIX attributes were fixed.
  • The Active Directory provider now correctly detects Windows Server 2012 R2. Previous versions would fall back to the slower non-AD path on 2012 R2.
  • Groups without full POSIX information are now followed when expanding group membership, so memberships inherited through a non-POSIX group in a nested chain are no longer missed (fixes CVE-2014-0249). Access control that denies or allows based on group membership depends on this expansion being complete, so deployments that rely on it should upgrade.
  • Detection of the transition from offline to online state was improved, resulting in fewer timeouts when SSSD is offline.
  • If referrals are disabled with a config option (ldap_referrals = false, which is the default in the AD provider), any returned referral is now ignored. Previously, the back end would switch to offline mode on encountering a referral.
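The following is an added illustration of the membership-expansion problem behind CVE-2014-0249 (ticket #2343 and the "process non-posix nested groups" commits in the changelog below). It is not SSSD code: the mini directory, the DNs and the deny-list check are constructed for this example and are a simplification of how SSSD actually resolves LDAP/AD membership. A user is a member of a POSIX group only through a non-POSIX group; the pre-fix expansion drops the non-POSIX group and everything above it, so a deny rule keyed on the outer group never fires.

```python
"""Nested-group expansion with a non-POSIX group in the membership chain.

Added example (not SSSD code). Models the behaviour described in the
release notes for CVE-2014-0249: before 1.11.7 a group without POSIX
attributes broke the chain, so memberships inherited through it were lost;
after the fix the chain is followed. Directory contents and names below are
constructed for illustration.
"""
from collections import deque

# Constructed mini directory: DN -> {"gidNumber": int or None, "member": [DNs]}.
# A gidNumber of None marks a non-POSIX group (no POSIX attributes at all).
ALICE = "cn=alice,ou=users,dc=example,dc=test"
CONTRACTORS = "cn=contractors,ou=groups,dc=example,dc=test"  # non-POSIX group
NO_SSH = "cn=no-ssh,ou=groups,dc=example,dc=test"            # POSIX, gid 20001
STAFF = "cn=staff,ou=groups,dc=example,dc=test"              # POSIX, gid 20002

DIRECTORY = {
    ALICE: {"gidNumber": 10001, "member": []},
    CONTRACTORS: {"gidNumber": None, "member": [ALICE]},
    NO_SSH: {"gidNumber": 20001, "member": [CONTRACTORS]},  # alice only via contractors
    STAFF: {"gidNumber": 20002, "member": [ALICE]},
}


def direct_parents(dn):
    """Groups that list `dn` as a direct member (a memberOf-style lookup)."""
    return [g for g, entry in DIRECTORY.items() if dn in entry["member"]]


def is_posix_group(dn):
    return DIRECTORY[dn]["gidNumber"] is not None


def expand_groups(user_dn, follow_nonposix):
    """Return the set of POSIX group DNs `user_dn` belongs to, directly or nested.

    follow_nonposix=False reproduces the pre-1.11.7 shortcut: a group without
    POSIX attributes is neither reported nor traversed, so everything above it
    in the chain is silently dropped.  follow_nonposix=True is the fixed
    behaviour: the group is still not reported (it has no GID to report), but
    its own parents are visited.
    """
    reported = set()
    visited = set()
    queue = deque([user_dn])
    while queue:
        dn = queue.popleft()
        for group in direct_parents(dn):
            if group in visited:  # guard against membership cycles
                continue
            visited.add(group)
            if is_posix_group(group):
                reported.add(group)
                queue.append(group)
            elif follow_nonposix:
                queue.append(group)
    return reported


def access_allowed(user_dn, deny_groups, follow_nonposix):
    """Deny-list check in the style of a simple access provider: the user is
    rejected if any expanded POSIX group is on the deny list."""
    return not (expand_groups(user_dn, follow_nonposix) & set(deny_groups))


if __name__ == "__main__":
    for follow in (False, True):
        groups = expand_groups(ALICE, follow)
        print("follow non-POSIX:", follow, "->", sorted(groups),
              "| ssh allowed:", access_allowed(ALICE, [NO_SSH], follow))
```

With the old shortcut alice is reported only in staff and the no-ssh deny rule is bypassed; with the fixed traversal no-ssh is found through contractors and access is denied. The non-POSIX group itself is still not reported in either case, since it has no GID that could be handed to NSS.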

Documentation Changes

  • A new option override_space was added. When this option is set, a space character in user or group names is replaced by the character specified in this option, so names such as AD groups containing spaces can be looked up and authenticated against without the space.
  • A small random value is now added to the offline_timeout parameter value to avoid flooding servers with periodic online checks from many clients at once.

Tickets Fixed

#1854: [RFE] Add option for sssd to replace space with specified character in LDAP group
#2212: [RFE] Add fallback to sudoRunAs when sudoRunAsUser is not defined and no ldap_sudorule_runasuser mapping has been defined in SSSD
#2323: Expired shadow policy user (shadowLastChange=0) is not prompted for password change
#2343: CVE-2014-0249 sssd: incorrect expansion of group membership when encountering a non-POSIX group [fedora-all]
#2345: tokengroups do not work with id_provider=ldap
#2349: public key validator is too strict and does not allow newlines anywhere in the public key string, not even at the end
#2355: Requests queued during transition from offline to online mode
#2360: The SSSD dbus service should retry system bus connection if it fails
#2364: RFE: Be able to configure sssd to honor openldap account lock to restrict access via ssh key
#2377: sudo: invalid sudoHost filter with asterisk
#2380: Race condition in the client code
#2383: dereferencing control failure against openldap server
#2385: ad: group membership is empty when id mapping is off and tokengroups are enabled
#2389: Problems with tokengroups and ldap_group_search_base
#2390: Failover does not always happen from SRV to hostname resolution (via /etc/hosts)
#2391: sssd_be segfaults in ldb_msg_find_element
#2397: Auth fails when space in username is replaced with character set by override_default_whitespace
#2399: RHEL6.6 sssd not running after upgrade
#2400: sssd can't retrieve sudo rules when using the "default_domain_suffix" option
#2401: clarify the offline timeout in man page
#2402: IFP: FQDN lookups are broken
#2405: use-after-free in dyndns code
#2406: Saving group membership fails if provider is AD, POSIX attributes are used and primary group contains the user as a member
#2407: simple_allow_groups does not lookup groups from other AD domains
#2409: On error, libnss_sss can mistakenly close descriptors it doesn't "own"
#2410: Race condition between sudo refresh
#2418: sssd does not recognize Windows server 2012 R2's LDAP as AD
#2421: Dereference code errors out when dereferencing entries protected by ACIs
#2436: ipa user private group not found

Detailed Changelog

Ian Lee (1):

  • Add user lookup and session dependencies to systemd service file.

Jakub Hrozek (32):

  • Updating the version for the 1.11.7 release
  • BUILD: dbusintrospectdir is not used anymore
  • IFP: Fix DEBUG messages
  • IFP: Return a specific value on failure connecting to the system bus
  • IFP: Provide a SBUS method to reconnect to sysbus
  • MONITOR: Signal InfoPipe to reconnect on SIGUSR2
  • TOOLS: New helper tool sss_signal
  • BUILD: Add the DBus service activation
  • IFP: Fix lookups with fully-qualified names
  • RPM: Restart service in %posttrans, not %post
  • NSS: Ignore default_domain for netgroups
  • Only replace space with the specified substitution
  • Make the space override responder-agnostic
  • PAM: Use the override_space option
  • IFP: Use the override_space option
  • SUDO: Use the override_space option
  • IPA: handle searches by SID in apply_subdomain_homedir
  • Revert "IPA: new attribute map for non-posix groups"
  • Revert "IPA: process non-posix nested groups"
  • Revert "IPA: try to resolve nested groups as posix group"
  • LDAP: Do not shortcut on ret != EOK during password expiry check
  • LDAP: Split out linking primary group members into a separate function
  • LDAP: Don't add a user member twice when adding a primary group
  • LDAP: Use tmp_ctx in ldap_child for temporary data
  • LDAP: Use randomized ccname for storing credentials
  • LDAP: Add Windows Server 2012 R2 functional level
  • LDAP: Fall back to functional level of Windows Server 2003
  • LDAP: Enable tokenGroups with Windows Server 2003
  • LDAP: Ignore returned referrals if referral support is disabled
  • LDAP: Skip dereferenced entries that we are not permitted to read
  • Ignore referrals in deref and ASQ, too
  • Updating the translations for the 1.11.7 release

Jan Cholasta (1):

  • SSH: Allow newline at the end of public key values in LDAP

Lukas Slebodnik (19):

  • Don't use macro _XOPEN_SOURCE for function strptime
  • sss_client: thread safe initialisation of sss_cli_mc_ctx
  • sss_client: Fix memory leak in nss_mc_{group,passwd}
  • LDAP: Remove unused option ldap_netgroup_uuid
  • LDAP: Remove unused option ldap_group_uuid
  • LDAP: Remove unused option ldap_user_uuid
  • test_utils: Use common header file for libsss_util tests.
  • UTIL: Add functions for replacing whitespaces.
  • NSS: Replace spaces with specified string in names.
  • dyndns_test: Use right socket length for IPv4 address.
  • responder-get-domains-tests: fix checking of leaks
  • test_dyndns: Use different talloc context in wrapped functions.
  • TESTS: leak_check functions shouldn't be called with NULL context
  • dyndns: Fix talloc hierarchy of "struct sss_iface_addr"
  • test_dyndns: sss_iface_addr_list_get can return more values
  • SDAP: free subrequest in sdap_dyndns_update_addrs_done
  • SDAP: Immediately finish request for empty array
  • SDAP: Use different talloc_context for array of names
  • SDAP: Update groups for user just once.

Michal Zidek (6):

  • ptask: Allow adding random_offset to scheduled execution time
  • ptask: Add backoff feature to the ptask api.
  • Exit offline mode only if server is available.
  • MAN: How much time sssd spends offline
  • Add alternative objectClass to group attribute maps
  • Use the alternative objectclass in group maps.

Michal Šrubař (1):

  • LDAP SUDO: sudo provider doesn't fetch 'EntryUSN'

Nalin Dahyabhai (1):

  • sss_client: Fix "struct sss_cli_mc_ctx" reinitialize-on-errors

Nikolai Kondrashov (1):

  • build: Switch back to DISTCHECK_CONFIGURE_FLAGS

Pavel Březina (9):

  • sbus_request: fix potential NULL dereference
  • ad: comment ENOENT when id mapping is disabled
  • ad: update membership after SIDs are resolved
  • sudo: fetch sudoRunAs attribute
  • sudo: use dbus array for rules refresh
  • sudo: replace asterisk with escape sequence in host filter
  • failover: set port status to not working if previous srv lookup failed
  • ad initgroups: continue if resolved SID is still missing
  • sudo: work with correct D-Bus iterator

Pavel Reichl (18):

  • TESTS: sss_ssh - textual public key format
  • LDAP: tokengroups do not work with id_provider=ldap
  • SDAP: Continue resolving SID even if some fail
  • IPA: new attribute map for non-posix groups
  • IPA: process non-posix nested groups
  • IPA: try to resolve nested groups as posix group
  • SDAP: split sdap_access_filter_get_access_done
  • SDAP: refactor sdap_access_filter_send
  • SDAP: nitpicks in sdap_access_filter_get_access_done
  • SDAP: refactor sdap_access_filter_done
  • SDAP: don't log error on access denied
  • SDAP: refactor AC offline checks
  • SDAP: new option - DN to ppolicy on LDAP
  • SDAP: account lockout to restrict access via ssh key
  • MAN: options 'lockout' and 'ldap_pwdlockout_dn'
  • IPA: process non-posix nested groups
  • AD: process non-posix nested groups w/o tokenGroups
  • AD: process non-posix nested groups using tokenGroups

Sumit Bose (1):

  • Replace space: add some checks