From 237213909d20a397889f5334a26ea411ee939e81 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Aug 12 2018 13:43:47 +0000 Subject: Add 1.16.3 release notes --- diff --git a/users/releases.rst b/users/releases.rst index 10671e5..ff595dc 100644 --- a/users/releases.rst +++ b/users/releases.rst @@ -9,6 +9,8 @@ for a longer time than other releases. 1.16.x Series ^^^^^^^^^^^^^ +-----------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------+----------------+---------------------------------------------+--------------------------------------------------------------+ +|`*sssd-1.16.3.tar.gz `_ |`sssd-1.16.3.tar.gz.asc `_ |SHA1SUM: ``4a2512a59930c79d416d74b62e6bd580c874824f``|Date: 2018-08-12|:doc:`Release notes ` |`Manpages `_| ++-----------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------+----------------+---------------------------------------------+--------------------------------------------------------------+ |`sssd-1.16.2.tar.gz `_ |`sssd-1.16.2.tar.gz.asc `_ |SHA1SUM: ``46c59f189e5ae3286ef7878faf4801068d7bf2a7``|Date: 2018-06-08|:doc:`Release notes ` |`Manpages `_| +-----------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+-----------------------------------------------------+----------------+---------------------------------------------+--------------------------------------------------------------+ |`sssd-1.16.1.tar.gz `_ |`sssd-1.16.1.tar.gz.asc `_ |SHA1SUM: ``a840f0244b580f79e4c332f97d2722c2269b1f8d``|Date: 2018-03-09|:doc:`Release notes ` |`Manpages `_| 
diff --git a/users/relnotes/notes_1_16_3.rst b/users/relnotes/notes_1_16_3.rst new file mode 100644 index 0000000..8182c38 --- /dev/null +++ b/users/relnotes/notes_1_16_3.rst 
@@ -0,0 +1,229 @@ +SSSD 1.16.3 +=========== + +Highlights +---------- + +New Features +^^^^^^^^^^^^ + * The ``kdcinfo`` files that SSSD uses to inform libkrb5 about which KDCs + were discovered for a Kerberos realm used to be only generated for the + joined domain, not the trusted domains. Starting with this release, the + ``kdcinfo`` files are generated automatically also for trusted domains in + setups that use ``id_provider=ad`` and IPA masters in a trust relationship + with an AD domain. + * The SSSD Kerberos locator plugin which processes the kdcinfo files and + actually tells libkrb5 about the available KDCs can now process multiple + address if SSSD generates more than one. At the moment, this feature + is only used on IPA clients (see below). Please see the + ``sssd_krb5_locator_plugin(8)`` manual page for more information about + the Kerberos locator plugin. + * On IPA clients, the AD DCs or the AD site which should be used to + authenticate users can now be listed in a subdomain section. Please + see `the feature design page `_ + or the section "trusted domains configuration" for more details. + +Notable bug fixes +^^^^^^^^^^^^^^^^^ + * SECURITY: The permissions on ``/var/lib/sss/pipes/sudo`` were set + so that anyone could read anyone else's sudo rules. This was considered + an information leak and assigned CVE-2018-10852 (#3766) + * IMPORTANT: The 1.16.2 release was storing the cached passwords without + a salt prefix string. This bug was fixed in this release, but any + password hashes generated by 1.16.2 are incompatible with the hashes + generated by 1.16.3. The effect is that upgrade from 1.16.2 to 1.16.3 + should be done when the authentication server is reachable so that the + first authentication after the upgrade fix the cached password. 
+ * The ``sss_ssh`` proces leaked file descriptors when converting more than + one x509 certificate to SSH public key (#3794) + * SSSD, when configured with ``id_provider=ad`` was using too expensive + LDAP search to find out whether the required POSIX attributes + were replicated to the Global Catalog. Instead, SSSD now consults + the Partial Attribute Set, which is much more effective (#3755) + * The PAC responder is now able to process Domain Local in case the + PAC uses SID compression. Typicaly this is the case with Windows Server + 2012 and newer (#3767) + * Some versions of OpenSSH (e.g. the one shipped in RHEL-7.5) would + close the pipe towards ``sss_ssh_authorizedkeys`` when the matching + key is found before the rest of the output is read. The + ``sss_ssh_authorizedkeys`` helper was not handling this behaviour + well and would exit with SIGPIPE, which also meant the public key + authentication failed (#3747) + * User lookups no longer fail if user's e-mail address conflicts with + another user's fully qualified name (#3607) + * The ``override_shell`` and ``override_homedir`` options are no longer + applied to entries from the files domain. (#3758) + * Several bugs related to the FleetCommander integration were fixed (#3773, + #3774) + * The grace logins with an expired password when authenticating against + certain newer versions of the 389DS/RHDS LDAP server did not work (#3597) + * Whitespace around netgroup triple separator is now stripped + * The ``sss_ssh_knownhostproxy`` utility can now print the host key without + proxying the connection. + * Due to an overly restrictive check, the fast in-memory cache was sometimes + skipped, which caused a high load on the ``sssd_nss`` process (#3776). 
+ + +Packaging Changes +----------------- + * The python2 bindings are not built by default on Fedora 29 or newer + * The sssd-secrets responder is now packaged in the sssd-kcm subpackage + and might be removed in a future release + +Documentation Changes +--------------------- + * ``sss_ssh_knownhostsproxy`` has a new option `-k/--print`. + +Tickets Fixed +------------- + * `3796 `_ - The IPA selinux provider can return an error if SELinux is completely disabled + * `3794 `_ - sssd_ssh leaks file descriptors when more than one certificate is converted into an SSH key + * `3791 `_ - The cached password does not store the salt prefix + * `3778 `_ - When sssd is running as non-root user, the sudo pipe is created as sssd:sssd but then the private pipe ownership fails + * `3777 `_ - If access check for a privileged pipe fails, the responder loops indefinitely + * `3776 `_ - Spurious check in the sssd nss memcache can cause the memory cache to be skipped + * `3774 `_ - Desktop Profile: The 10th policy is producing a wrong file name + * `3773 `_ - SSSD bails out saving desktop profiles in case an invalid profile is found + * `3767 `_ - Groups go missing with PAC enabled in sssd + * `3766 `_ - CVE-2018-10852: information leak from the sssd-sudo responder + * `3758 `_ - override_homedir should not apply to the files provider + * `3755 `_ - The search filter for detecting POSIX attributes in global catalog is too broad and can cause a high load on the servers + * `3754 `_ - SSSD AD uses LDAP filter to detect POSIX attributes stored in AD GC also for regular AD DC queries + * `3747 `_ - sss_ssh_authorizedkeys exits abruptly if SSHD closes its end of the pipe before reading all the SSH keys + * `3652 `_ - kdcinfo doesn't get populated for other domains + * `3607 `_ - Handle conflicting e-mail addresses more gracefully + * `3597 `_ - sssd doesn't allow user with expired password to login when PasswordgraceLimit set + * `3596 `_ - A combination of the same qualified and 
unqualified sudoUser causes Error: 17: File exists + * `3542 `_ - Get host key without proxying connection + * `3475 `_ - Full information regarding priority of lookup of principal in keytab not in man page + * `3291 `_ - RFE: sssd in cross realm trust configuration should be use AD KDC from a list or site defined in the config file + +Detailed Changelog +------------------ + + +* Alexander Bokovoy (2): + + * ipa provider: always use a special keytab to talk to a trusted DC + * ipa provider: expand search base to cover trusted domain objects + +* Alexey Sheplyakov (1): + + * nss: skip incomplete groups instead of bailing out + +* Amit Kumar (1): + + * Responder: simplify if-else structure in sss_dp_get_account_msg() + +* Fabiano Fidêncio (18): + + * intg: Do not hardcode nsslibdir + * files: do not apply override_homedir to files provider + * tests: add override_homedir tests for files provider + * files: do not apply override_shell to files provider + * tests: add override_shell tests for files provider + * util: add is_files_provider() helper + * files: make use of is_files_provider() helper + * cache_req: keep the files provider as the first domain to be searched + * tests: add basic tests for cache_req_domain_new_list_from_domain_resolution_order() + * tests: add a test to ensure the output_fqnames is false for files provider + * deskprofile: don't bail if we fail to save one profile + * sdap: respect passwordGracelimit + * deskprofile: fix a typo in _get_filename_path() + * tests: add tests for ipa_deskprofile_get_filename_path() + * util: introduce sss_ssh_print_pubkey() + * ssh: make use of sss_ssh_print_pubkey() + * sss_ssh_knownhostsproxy: add option to only print the pubkey + * nss: remove unused label + +* Jakub Hrozek (38): + + * Bumping the version to track the 1.16.3 development + * TESTS: Extend the schema with sshPublicKey attribute + * TESTS: Allow adding sshPublicKey for users + * TESTS: Add a basic SSH responder test + * SSH: Do not exit abruptly 
if SSHD closes its end of the pipe before reading all the SSH keys + * TESTS: Add a helper binary that can trigger the SIGPIPE to authorizedkeys + * TESTS: Add a regression test for SIGHUP handling in sss_ssh_authorizedkeys + * Revert "LDAP/IPA: add local email address to aliases" + * util: Remove the unused function is_email_from_domain + * TESTS: Allow storing e-mail address for users + * TESTS: Add regression test for looking up users with conflicting e-mail addresses + * AD/LDAP: Do not misuse the ignore_mark_offline to check if a connection needs to be checked for POSIX attribute presence + * MAN: Remove outdated notes from the re_expression description + * MAN: Document the re_expression needed to suport @-signs in the groupnames + * SUDO: Create the socket with stricter permissions + * AD: expose the helper function to format the site DNS query + * RESOLV: Add a resolv_hostport_list request + * KRB5/IPA/AD: Add a utility function to create a krb5_service instance + * KRB5: Allow writing multiple addresses to the kdcinfo plugin + * IPA: Add the options that the IPA subdomains code will read for trusted domains on the client + * IPA: Populate kdcinfo files on trust clients with configured AD servers + * MAN: Document the options available for AD trusted domains + * SDAP: Detect schemaNamingContext from the rootDSE + * AD: Add Global Catalog usability check in subdomain code by looking at the schema + * AD: Remove the legacy check from ad_get_account_domain_posix_check request + * LDAP/AD: Remove the legacy POSIX check from user, group and enumeration searches + * LDAP: Remove the legacy POSIX check itself + * sudo testcli: Use hand-crafted JSON for output so that the test CLI is usable in tests + * TESTS: Load the sudo schema in the default OpenLDAP test instance and create ou=sudoers + * TESTS: Add API to add sudo rules in tests + * TESTS: Add a simple sudo LDAP test + * SUDO: Don't save duplicates when saving qualified names + * crypto: Silence a Coverity 
warning in OpenSSL version of sss_hmac_sha1() + * crypto: Make one condition more defensive in NSS version of sss_hmac_sha1() + * SDAP: Improve a confusing DEBUG message when initgroups search matches multiple entries + * RESP: Terminate client connection if the permissions check on the priv pipe fails + * SELINUX: Also call is_selinux_enabled as a check for selinux child + * P11: Don't return int failure from a bool function + +* Josef Cejka (1): + + * Strip whitespaces in netgroup triple. + +* Lukas Slebodnik (15): + + * sss_seed: Remove unused parameter from seed_domain_user_info + * SUDO: Fix running in unprivileged responder + * SUDO: Root should be able to read/write sssd-sudo socket + * SPEC: Drop unnecessary check for minor version of el7 + * test_ssh_client: Do not ignore failure from read + * SPEC: Move openssl deps away from unit tests deps + * PYTHON: Avoid warnings with python3.7 + * SPEC: Move secrets responder to the package sssd-kcm + * SPEC: Do not build python2 bindings on latest distros + * BUILD: Replace also runstatedir in templates + * SYSTEMD: Allow to use "/run" in ListenStream + * Revert "Revert "CRYPTO: Suppress warning Wstringop-truncation"" + * CRYPTO: Save prefix in s3crypt_sha512 + * crypto-tests: Add unit test for s3crypt_sha512 + * SSS_CERT: Close file descriptors after executing p11_child + +* Michal Židek (1): + + * Revert "CRYPTO: Suppress warning Wstringop-truncation" + +* Stanislav Levin (1): + + * Fix "test-find-uid" and "find_uid-tests" tests + +* Sumit Bose (14): + + * krb5 locator: add support for multiple addresses + * krb5 locator: fix IPv6 support + * krb5 locator: make plugin more robust + * krb5 locator: add unit tests + * AD/IPA: Create kdcinfo file for sub-domains + * krb5: refactor removal of krb5info files + * krb5_common: add callback only once + * data provider: run offline callbacks only once + * utils: add libsss_child dependency to libsss_cert + * AD: consider resource_groups in PAC as well + * utils: make 
create_ipa_preauth_indicator() public as create_preauth_indicator() + * PAM: create pre-auth indicator file + * MC: Remove check if record is in the mapped address space + * tests: fix sss_nss_idmap-tests + +* amitkumar50 (1): + + * MAN: Give information regarding priority of ldap lookup
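Review bot: in the users/releases.rst hunk, the new 1.16.3 row has a stray asterisk inside the download link text, "`*sssd-1.16.3.tar.gz `_", while the 1.16.2 and 1.16.1 rows use "`sssd-1.16.2.tar.gz `_"; the `*` will render literally in the link and should be dropped so the rows stay consistent. The row also publishes only a SHA1SUM next to the `.asc` signature; since SHA-1 is no longer considered collision resistant, consider adding a SHA-256 digest to the release table (for all rows, not just this one) so that users who do not verify the GPG signature still have a strong integrity check.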
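Review bot: in the users/relnotes/notes_1_16_3.rst hunk, the utility name is inconsistent: the "Notable bug fixes" bullet says ``sss_ssh_knownhostproxy`` while "Documentation Changes" and the changelog entry "sss_ssh_knownhostsproxy: add option to only print the pubkey" say ``sss_ssh_knownhostsproxy``; fix the bullet to match. The "Documentation Changes" entry wraps the option in single backticks (`-k/--print`), which reStructuredText treats as interpreted text rather than a literal; the rest of the file uses double backticks, so use ``-k/--print``. The IMPORTANT bullet about 1.16.2 storing cached passwords without a salt prefix should carry its ticket reference (#3791, listed under "Tickets Fixed") like the neighbouring bullets do, and would be clearer if it stated the consequence directly: a user whose cached hash was written by 1.16.2 cannot authenticate offline until one successful online authentication rewrites the cache entry. Two other fixes listed only under "Tickets Fixed", #3777 (responder loops indefinitely if the access check on a privileged pipe fails) and #3778 (sudo pipe ownership when sssd runs as a non-root user), are closely related to the CVE-2018-10852 socket permission change and deserve a line under "Notable bug fixes" so that administrators running the non-root configuration see them. Minor typos in the prose bullets: "proces" (process), "Typicaly" (Typically), "multiple address" (addresses), "fix the cached password" (fixes), and "process Domain Local" should say "Domain Local groups".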