Group :: System/Servers
Пакет: sssd
28 July 2023 Ivan A. Melnikov <iv at altlinux.org> 2.8.1-alt3.1
- NMU: Backport upstream commit to fix build with krb5 1.21*
- NMU: using forward_pass for pam_sss.so in system-auth-sss-only.pam
- Backported fix for sssd#6505.
- Update to latest 2.8 major release.
- Important fixes:
+ A regression where running sss_cache with no SSSD domain enabled would
produce a syslog critical message was fixed.
+ Several fixes in D-Bus infopipe functions:
ListByName(), Groups.ListByName() and Groups.ListByDomainAndName().
- Redesign become_user patch so that it assigns supplementary groups for the server
part of the code only (due to a race condition in krb5_child, for example).
- AD GPO: Fix support processing referrals for hostname
- New features
+ Introduced the dbus function
org.freedesktop.sssd.infopipe.Users.ListByAttr(attr, value, limit)
listing up to limit users matching the filter attr=value.
+ sssctl is now able to create, list and delete indexes on the local caches.
Indexes are useful for the new D-Bus ListByAttr() function.
+ sssctl is now able to read and set each component's debug level
independently.
- Important fixes:
+ domains option in [sssd] section can now be completely omitted if domains
are enabled via domains/enabled option.
- New options:
+ core_dumpable, ldap_enumeration_refresh_offset,
subdomain_refresh_interval_offset, dyndns_refresh_interval_offset,
refresh_expired_interval_offset, ldap_purge_cache_offset.
- Configuration changes:
+ Option 'ad_machine_account_password_renewal_opts' now accepts an optional
third part as the maximum deviation in the provided period (first part) and
initial delay (second part). If the period and initial delay are provided
but not the offset, the offset is assumed to be 0. If no part is provided,
the default is 86400:750:300.
+ override_homedir now recognizes the %h template which is replaced by the
original home directory retrieved from the identity provider, but in lower
case.
- Update to latest 2.7 major release.
- Lock-free client support will be only built if libc provides
pthread_key_create() and pthread_once().
For glibc this means version 2.34+
- Add requirement of adcli to sssd-ad.
- Update to latest 2.7 major release:
+ CLIENT: use thread local storage for socket to avoid the need for a lock.
+ SSS_CLIENT: got rid of code duplication.
+ SSS_CLIENT: mem-cache: fixed missing error code.
+ PAM P11: fixed minor mem-leak.
- Update russian translations (by Elena Mishina <lepata@basealt.ru>)
- Update to 2.7 major release:
+ Added a new krb5 plugin idp and a new binary oidc_child which performs
OAuth2 authentication against FreeIPA.
+ Better default for IPA/AD re_expression. Tuning for group names
containing '@' is no longer needed.
+ Added support for anonymous PKINIT to get FAST credentials.
+ SSSD now correctly falls back to UPN search if the user was not found even
with cache_first = true.
+ SSSD can now handle multi-valued RDNs if a unique name must be determined
with the help of the RDN.
+ New option implicit_pac_responder to control if the PAC responder is started
for the IPA and AD providers, default is true.
+ New option krb5_check_pac to control the PAC validation behavior.
+ Multiple crl_file arguments can be used in the certificate_verification
option.
- AD Domain in the AD Forest Missing after sssd latest update
- sdap_idmap.c/sssd_idmap.c incorrectly calculates rangesize from upper/lower
- Regression on rawhide with ssh auth using password
- sssd-ad broken in 2.6.2, 389 used as kerberos port
- sssd error triggers backtrace: write_krb5info_file_from_fo_server
- Update to latest release:
+ Lookup with fully-qualified name does not work when cache_first is True.
+ sssd_be segfault due to empty forest root name.
+ Groups are missing while performing id lookup as SSSD switching to offline
mode due to the wrong domain name in the ldap-pings(netlogon).
+ LDAP sp_expire policy does not match other libraries.
+ Passwordless (GSSAPI) SSH not working due to missing
includedir /var/lib/sss/pubconf/krb5.include.d directive in /etc/krb5.conf.
+ pam responder does not call initgroups to refresh the user entry.
+ FindByValidCertificate() treats unconfigured CA as Invalid certificate provided.
+ sssd does not use kerberos port that is set.
- Update with latest libldb-2.3.2-alt2 fixes.
- Backport newest fixes from upstream:
+ utils: ignore systemd and sd-pam process in get_active_uid_linux()
+ cldap: use dns_resolver_server_timeout timeout for cldap ping
+ ad: only send cldap-ping to our local domain
+ ad: make ad_srv_plugin_ctx_switch_site() public
+ ad: use already discovered forest name
- Revert reverted patch with change owner/permissions of user deskprofile path
because it is still needed.
- Update to 2.6.1 stable release.
- Revert "Don't change owner/permissions of user deskprofile path" patch
because CAP_DAC_OVERRIDE was added to systemd configs in 2.4.2 release.
- Update to 2.6.0 (with upstream fixes from master - 7bfdd3db8e4c).
- Security issue in the sssctl command - shell command injection via the
logs-fetch and cache-expire subcommands (fixes: CVE-2021-3621).
- pam_sss: Allow offline authentication against non-ipa-desktopprofiles aware DC
- Add filter for Active Directory trusted domains which are not trusted (one-way
trust) or are from a different forest (direct trust). Both should be ignored
because they are not trusted or can currently not be handled properly.
- FTBFS: disable LTO
- Update to 2.5.2:
+ auto_private_groups option can be set centrally through ID range setting
in IPA (see ipa idrange commands family).
+ Default value of ldap_sudo_random_offset changed to 0 (disabled).
+ originalADgidNumber attribute in the SSSD cache is now indexed.
+ Add new config option fallback_to_nss.
- Update to 2.5.0:
+ Deprecated support of secrets, local-provider, libwbclient, pcre1.
+ Added support for automatic renewal of renewable TGTs stored in KCM cache.
+ Background sudo periodic tasks (smart and full refresh) periods are now
extended by a random offset.
+ Completing a sudo full refresh now postpones the smart refresh by
ldap_sudo_smart_refresh_interval value.
+ Besides trusted domains known by the forest root, trusted domains known by
the local domain are used as well.
+ New configuration option offline_timeout_random_offset to control random
factor in backend probing interval when SSSD is in offline mode.
- Apply internal, domain and service fixes from upstream.
- Add compatibility support of unprivileged mode with "user = _sssd"
because from sssd-2.4.2 the default user is set to root.
- Update to 2.4.2
- Add CapabilityBoundingSet option as a security hardening measure
for systemd service configs
- Update authentication features:
+ pam_sss: Don't fail on deskprofiles phase for AD users
+ pam_sss_gss: support authentication indicators
- Fixate that upstream fixed the memory leak in the
simple access provider (fixes: OVE-20210209-0001)
- Update to 2.4.1
- Add PAM module pam_sss_gss for authentication using GSSAPI
- Add krb5_use_subdomain_realm=True to support upnSuffixes for trusted domains
- Allow to set case_sensitive=Preserving in subdomain section
- Add auto_private_groups to subdomain_inherit
- Add /var/lib/sss/.cache directory for gencache.tdb using samba gpo libraries
- Reapply patch with ignore GPO if SecEdit/GptTmpl.inf is missing
- Update to 2.4.0
- Update to 2.3.1
- Remove deprecated libwbclient-sssd
- Rebuild with libldb-2.0.12
- Rebuild with libldb-2.0.11
- Update to 2.3.0
- Rewrite PAM rules for sss system-auth method with new pam-config-1.9.0 scheme
using pam_localuser.so to separate configuration for local and remote users.
- Added dependency sssd-client to pam-config-1.9.0 supported configurable
session substack system-policy.
- Added dependency sssd-ad to winbind-idmap for compatibility installation.
- Updated sss system-auth method with pam_auth_common substack
- Added requires to pam-config-1.8.0 supported pam_auth_common substack
- Rebuild with libldb-2.0.10
- Update to 2.2.3
- Rebuild with libldb-2.0.9
- Rebuild with latest version of libldb-2.0.8 with release of Samba 4.11
- Rebuild with latest version libldb-1.5.6
- Update to 2.2.2
- Update to 2.2.1
- Rebuild with latest version libldb-1.5.5
- Fix sssd-ad System error during access deny to sysvol when it is not replicated
or not configured with 'samba-tool ntacl sysvolreset' command
- Clean spec compatibility based on ubt macros
- Update to 2.2.0
- Update libwbclient-sssd interface to version 0.15 (Closes: 36750)
- Update to 2.1.0 for samba-4.10.0
- Rebuild with latest version libldb
- Revert strict requirement to version of libldb
- Fixed FleetCommander integration.
- Stopped building Python2 bindings.
- Remove build requires for selinux-policy-targeted
- Applied an upstream snapshot due to a huge amount of issues in 2.0.0.
- Fixed start under a non-privileged user (Closes: #35545).
- 2.0.0
- New upstream version 1.16.3
+ Dropped patch `nss: skip incomplete groups instead of bailing out',
included by upstream
+ Refreshed become_user patch (unit test passes now)
- build with Python3 bindings
- New upstream release 1.16.2
- Rebuild with latest version of libldb-1.3.3
- Disable strict requirement to version of libldb
- Applied patches fixing AD and generic issues from Fedora 1.16.2 pre-release
(https://src.fedoraproject.org/rpms/sssd/tree/5f75f7e4f25f4844)
+ 0001-IPA-Handle-empty-nisDomainName.patch
+ 0002-intg-enhance-netgroups-test.patch
+ 0003-CONFDB-Start-a-ldb-transaction-from-sss_ldb_modify_p.patch
+ 0004-TOOLS-Take-into-consideration-app-domains.patch
+ 0005-TESTS-Move-get_call_output-to-util.py.patch
+ 0006-TESTS-Make-get_call_output-more-flexible-about-the-s.patch
+ 0007-TESTS-Add-a-basic-test-of-sssctl-domain-list.patch
+ 0008-KCM-Use-json_loadb-when-dealing-with-sss_iobuf-data.patch
+ 0009-KCM-Remove-mem_ctx-from-kcm_new_req.patch
+ 0010-KCM-Introduce-kcm_input_get_payload_len.patch
+ 0011-KCM-Do-not-use-2048-as-fixed-size-for-the-payload.patch
+ 0012-KCM-Adjust-REPLY_MAX-to-the-one-used-in-krb5.patch
+ 0014-KCM-Fix-typo-in-ccdb_sec_delete_list_done.patch
+ 0015-KCM-Only-print-the-number-of-found-items-after-we-ha.patch
+ 0016-SYSDB-When-marking-an-entry-as-expired-also-set-the-.patch
+ 0019-SERVER-Tone-down-shutdown-messages-for-socket-activa.patch
+ 0025-AD-Missing-header-in-ad_access.h.patch
+ 0026-GPO-Add-ad_options-to-ad_gpo_process_som_state.patch
+ 0027-GPO-Use-AD-site-override-if-set.patch
+ 0030-sssctl-Showing-help-even-when-sssd-not-configured.patch
+ 0031-sssctl-move-check-for-version-error-to-correct-place.patch
+ 0032-MAN-Add-sss-certmap-man-page-regarding-priority-proc.patch
+ 0033-SDAP-Improve-a-DEBUG-message-about-GC-detection.patch
+ 0034-MAN-Improve-docs-about-GC-detection.patch
+ 0035-nss-idmap-do-not-set-a-limit.patch
+ 0036-nss-idmap-use-right-group-list-pointer-after-sss_get.patch
+ 0037-NSS-Add-InvalidateGroupById-handler.patch
+ 0038-DP-Add-dp_sbus_invalidate_group_memcache.patch
+ 0039-ERRORS-Add-ERR_GID_DUPLICATED.patch
+ 0040-LDAP-Augment-the-sdap_opts-structure-with-a-data-pro.patch
+ 0041-SDAP-Add-sdap_handle_id_collision_for_incomplete_gro.patch
+ 0042-SDAP-Properly-handle-group-id-collision-when-renamin.patch
+ 0043-SYSDB_OPS-Error-out-on-id-collision-when-adding-an-i.patch
+ 0044-TESTS-Add-an-integration-test-for-renaming-incomplet.patch
+ 0045-SYSDB-sysdb_add_incomplete_group-now-returns-EEXIST-.patch
+ 0046-MAN-Document-which-principal-does-the-AD-provider-us.patch
+ 0047-GPO-Fix-bug-with-empty-GPO-rules.patch
+ 0057-AD-Warn-if-the-LDAP-schema-is-overriden-with-the-AD-.patch
+ 0058-SYSDB-Only-check-non-POSIX-groups-for-GID-conflicts.patch
+ 0060-CACHE_REQ-Do-not-fail-the-domain-locator-plugin-if-I.patch
+ 0061-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch
+ 0062-SYSDB-Properly-handle-name-gid-override-when-using-d.patch
- Set ownership of sssd.ldb even if local provider is not used
- Build for e2k without selinux-policy-targeted
- libnfsidmap soname bump
- Revert libwbclient-sssd interface to version 0.14 for samba-4.7
- Update to latest stable release
- Revert libwbclient-sssd interface to version 0.13 for samba-4.6
- Rebuild with fixes from p8
- Rebuild with http-parser-2.8.0
- backport fix for building the PAC plugin with krb5 1.16
- Fix logrotate insecure parent directory permissions (closes: 34335)
- Fix trouble with incomplete group object found during initgroups
- Backport sssd to legacy stable branches
- Fix trouble with ubt macros id on branch c8
- Don't restart sssd services until reboot or manual restart (ALT #34054)
- relocate nfs-idmap plugin back under %_libdir
- Avoid build another trouble with ubt macros id on branch c8
- Avoid build trouble with ubt macros id on branch c8
- Update to latest release with:
+ SSSD Kerberos credentials manager (sssd-kcm)
+ SSSD Certificate Mapping Library (libsss_certmap)
- Rebuild new version with latest fixes for p7 and c7
- Fix PAM config with pam_localuser.so
- Update PAM config with pam_localuser.so
- Add PAM auth config with pam_localuser.so
- Fix PAM config with pam_localuser.so for separate configuration for local and global users
- Rebuild with http-parser-2.7.1
- Updated to last spring release
- Rebuild with libldb-1.1.29
- Add _sssd user to _keytab group
- Set right group privileges: use initgroups() instead of setgroups()
- Set selinux provider none only if selinux disabled
- Set default selinux provider to none
- Set sssd.conf owner to root:root
because it is hardcoded in sss_ini_config_access_check()
- 1.14.2
- Rebuild with libldb-1.1.27
- 1.14.1
- 1.14.0
- 1.13.4
- Rebuild with libldb-1.1.26
- Rebuild with libldb-1.1.25
- 1.13.3
- Rebuild with libldb-1.1.24
- 1.13.2
- Rebuild with libldb-1.1.23
- upstream snapshot
- 1.13.0
- add alternatives for libwbclient
- add alternatives for cifs-idmap plugin
- use _sssd user for run services
- branch upstream/sssd-1-12 bdb7e7f514629696e73902b2af3a93839be3e8a4
- 1.12.4
- 1.12.3
- rebuild with libldb-1.1.18
- 1.12.2
- 1.12.1
- add libwbclient package
- 1.12.0
- 1.11.6
- rebuild with new libldb
- 1.11.5.1
- add pam config files
- add libsasl2-plugin-gssapi to Requires for krb5-common
- 1.11.4
- initial build