- This release is the last supported upstream release in the 1.9.x series. Users of sssd-1.9 are advised to upgrade to sssd-1.11
- A memory leak in the netgroup code of the NSS responder was fixed
- Subdomains inherit min_id/max_id limits of parent domains. The user-visible effect of this bug was that adding system users or groups with shadow-utils took too long.
- The default_domain_suffix is ignored in the autofs responder, making it possible to use default_domain_suffix along with autofs integration
- Several fixes related to Kerberos DIR cache support were backported from later releases
- https://fedorahosted.org/sssd/ticket/1936 - GSSAPI working only on first login
- https://fedorahosted.org/sssd/ticket/2153 - If both IPA and LDAP are set up with enumeration on, two enum tasks are running
- https://fedorahosted.org/sssd/ticket/2170 - sssd_nss grows memory footprint when netgroups are requested
- https://fedorahosted.org/sssd/ticket/2157 - sssd_be segfaults if empty grop is resolved using ad_matching_rule
- https://fedorahosted.org/sssd/ticket/2077 - [RFE] If originalDN is not available during LDAP auth, the SSSD should look it up
- https://fedorahosted.org/sssd/ticket/2051 - Do not fail if initgroups returns NOT_FOUND
- https://fedorahosted.org/sssd/ticket/2123 - Creating system accounts on a IdM client takes up to 10 minutes when AD trust is configured in the IdM.
Aron Parsons (1):
- do not use default_domain_suffix with autofs
Jakub Hrozek (7):
- Bumping the version for 1.9.7
- Inherit ID limits of parent domains if set
- PROXY: Handle empty GECOS
- LDAP: Split out a request to search for a user w/o saving
- LDAP: Search for original DN during auth if it's missing
- LDAP: Initialize user count for AD matching rule
- Updating translations for the 1.9.7 release
Lukas Slebodnik (6):
- NSS: Fix memory leak in sss_setnetgrent
- AUTOTOOLS: krb5 1.12 is also supported krb5 libs
- LDAP: Setup periodic task only once.
- Fix wrong detection of krb5 ccname
- Every time return directory for krb5 cache collection.
- Do not switch to credentials everytime.
Simo Sorce (1):
- proxy: Allow initgroup to return NOTFOUND