[Pkg-sssd-devel] sssd: Changes to 'refs/tags/debian/1.13.1-1'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Sat Oct 3 08:31:47 UTC 2015
Tag 'debian/1.13.1-1' created by Timo Aaltonen <tjaalton at debian.org> at 2015-10-03 05:38 +0000
tagging package sssd version debian/1.13.1-1
Changes since debian/1.12.5-3:
Adam Tkac (1):
Option filter_users had no effect for retrieving sudo rules
Aron Parsons (2):
IPA: fix segfault in ipa_s2n_exop
autofs: fix 'Cannot allocate memory' with FQDNs
Bohuslav Kabrda (1):
Python3 support in SSSD
Daniel Hjorth (1):
LDAP: unlink ccname_file_dummy if there is an error
Jakub Hrozek (178):
GPO: Ignore ENOENT result from sysdb_gpo_get_gpo_result_setting()
TESTS: Cover sysdb_gpo.c with unit tests
MAN: Fix a typo
GPO: Set libsmb debugging to stderr
UTIL: Allow dup-ing child pipe to a different FD
GPO: Don't use stdout for output in gpo_child
GPO: Extract server hostname after connecting
SYSDB: Reduce code duplication in sysdb_gpo.c
krb5_child: Return ERR_NETWORK_IO on KRB5_KDCREP_SKEW
UTIL: Make two child_common.c functions static
TESTS: Cover child_common.c with unit tests
LDAP: Use child_io_destructor instead of child_cleanup in a custom desctructor
UTIL: Remove child_cleanup
UTIL: Unify the fd_nonblocking implementation
Open the PAC socket from krb5_child before dropping root
BUILD: Include python-test.py in the tarball
IPA: Use attr's dom for users, too
SELINUX: Call setuid(0)/setgid(0) to also set the real IDs to root
SELINUX: Set and reset umask when caling set_seuser from deamon code
LDAP: Add UUID when saving incomplete groups
IPA: Resolve IPA user groups' overrideDN in non-default view
LDAP: Rename the _res output parameter to avoid clashing with libresolv in tests
RESOLV: Add an internal function to read TTL from a DNS packet
RESOLV: Remove obsolete in-tree implementation of SRV and TXT parsing
resolv: Fix a typo
SELINUX: Check the return value of setuid and setgid
GPO: Better debugging for gpo_child's mkdir
LDAP: Add better DEBUG messages to the cleanup task
LDAP: Handle ENOENT better in the cleanup task
PAM: print the pam status as string, too
resolv: Use the same default timeout for SRV queries as previously
FO: Use SRV TTL in fail over code
selinux: Delete existing user mapping on empty default
KRB5: More debugging for create_ccache()
build: Only run cmocka tests if cmocka 1.0 or newer is available
RPM: BuildRequire libcmocka >= 1.0
tests: convert all unit tests to cmocka 1.0 or later
tests: ncache_hit must be an int to test UPNs
tests: Add a getpwnam-by-UPN test
NSS: Handle ENOENT when doing initgroups by UPN
Add unit tests for initgroups
selinux: Handle setup with empty default and no configured rules
SDAP: Make simple bind timeout configurable
SDAP: Make password change timeout configurable with ldap_opt_timeout
SDAP: Make StartTLS bind configurable with ldap_opt_timeout
SDAP: Decorate the sdap_op functions with DEBUG messages
tests: Use cmocka-1.0+ API in test_sysdb_utils
Resolv: re-read SRV query every time if its TTL is 0
IPA: Use custom error codes when validating HBAC rules
IPA: Drop useless sysdb parameter
IPA: Only treat malformed HBAC rules as fatal if deny rules are enabled
IPA: Deprecate the ipa_hbac_treat_deny_as option
IPA: Remove the ipa_hbac_treat_deny_as option
MAN: Clarify debug_level a bit
SSH: Ignore the default_domain_suffix
LDAP: Set sdap handle as explicitly connected in LDAP auth
tests: Revert strcmp condition
ncache: Fix sss_ncache_reset_permanent
ncache: Silence critical error from filter_users when default_domain_suffix is set
ncache: Add sss_ncache_reset_repopulate_permanent
responders: reset ncache after domains are discovered during startup
NSS: Reset negcache after checking domains
MAN: Clarify how are GPO mappings called in GPO editor
UTIL: Add a simple function to get the fd of debug_file
dyndns: Log nsupdate stderr with a high debug level
nsupdate: Append -d/-D to nsupdate with a high debug level
selinux: Disconnect before closing the handle
selinux: Begin and end the transaction on the same nesting level
selinux: Only call semanage if the context actually changes
subdom: Remove unused function get_flat_name_from_subdomain_name
sysdb: Add cache_expire to the default sysdb_search_object_by_str_attr set
nss: Use negcache for getbysid requests
tests: Add NSS responder tests for bysid requests
SELINUX: Avoid disconnecting disconnected handle
LDAP: return after tevent_req_error
LDAP: disable the cleanup task by default
MAN: refresh_expired_interval also supports users and groups
Download complete groups if ignore_group_members is set with tokengroups
DP: Set extra_value to NULL for enum requests
Skip enumeration requests in IPA and AD providers as well
TESTS: Use the right testcase
TESTS: Add test for get_next_domain
LDAP: Do not print verbose DEBUG messages from providers that don't set UUID
confdb: Add new option subdomain_inherit
DP: Add a function to inherit DP options, if set
SDAP: Add sdap_copy_map_entry
UTIL: Inherit ignore_group_members
subdomains: Inherit cleanup period and tokengroup settings from parent domain
SYSDB: Store trust direction for subdomains
UTIL/SYSDB: Move new_subdomain() to sysdb_subdomains.c and make it private
TESTS: Add a test for sysdb_subdomains.c
SYSDB: Add realm to sysdb_master_domain_add_info
SYSDB: Add a forest root attribute to sss_domain_info
IPA: Add ipa_subdomains_handler_get_{start,cont} wrappers
IPA: Check master domain record before subdomain records
IPA: Fold ipa_subdom_enumerates into ipa_subdom_store
IPA: Also update master domain when initializing subdom handler
IPA: Move server-mode functions to a separate module
IPA: Split two functions to new module ipa_subdomains_utils.c
IPA: Include ipaNTTrustDirection in the attribute set for trusted domains
IPA: Read forest name for trusted forest roots as well
IPA: Make constructing an IPA server mode context async
TESTS: Split off keytab creation into a common module
TESTS: Add a common mock_be_ctx function
TESTS: Add a common function to set up sdap_id_ctx
TESTS: Move krb5_try_kdcip to nested group test
TESTS: Add unit test for the subdomain_server.c module
IPA: Fetch keytab for 1way trusts
AD: Rename ad_set_ad_id_options to ad_set_sdap_options
AD: Rename ad_create_default_options to ad_create_2way_trust_options
AD: Split off ad_create_default_options
IPA/AD: Set up AD domain in ad_create_2way_trust_options
IPA: Do not set AD_KRB5_REALM twice
AD: Add ad_create_1way_trust_options
IPA: Utility function for setting up one-way trust context
LDAP: Do not set keytab through environment variable
LDAP: Consolidate SDAP_SASL_REALM/SDAP_KRB5_REALM behaviour
CONFIG: Add SSS_STATEDIR as VARDIR/lib/sss
BUILD: Store keytabs in /var/lib/sss/keytabs
Updating the translations for the 1.13 Alpha release
Updating the version.m4 file for the 1.13 Beta release
tests: Reduce duplication with new function test_ev_done
KRB5: Add and use krb5_auth_queue_send to queue requests by default
PAM: Only cache first-factor
Updating the translations for the 1.13.0 release
Updating the version for the 1.13.0 release
Updating the version for 1.13.1 development
tests: Move N_ELEMENTS definition to tests/common.h
SYSDB: Add functions to look up multiple entries including name and custom filter
DP: Add DP_WILDCARD and SSS_DP_WILDCARD_USER/SSS_DP_WILDCARD_GROUP
cache_req: Extend cache_req with wildcard lookups
UTIL: Add sss_filter_sanitize_ex
LDAP: Fetch users and groups using wildcards
LDAP: Add sdap_get_and_parse_generic_send
LDAP: Use sdap_get_and_parse_generic_/_recv
LDAP: Add sdap_lookup_type enum
LDAP: Add the wildcard_limit option
IFP: Add wildcard requests
Use NSCD path in execl()
KRB5: Use the right domain for case-sensitive flag
IPA: Better debugging
UTIL: Lower debug level in perform_checks()
IPA: Handle sssd-owned keytabs when running as root
IPA: Remove MPG groups if getgrgid was called before getpw()
LDAP: use ldb_binary_encode when printing attribute values
IPA: Change the default of ldap_user_certificate to userCertificate;binary
UTIL: Provide a common interface to safely create temporary files
IPA: Always re-fetch the keytab from the IPA server
DYNDNS: Add a new option dyndns_server
p11child: set restrictive umask and clear environment
KRB5: Use sss_unique file in krb5_child
KRB5: Use sss_unique_file when creating kdcinfo files
LDAP: Use sss_unique_filename in ldap_child
SSH: Use sss_unique_file_ex to create the known hosts file
SYSDB: Index the objectSIDString attribute
sbus: Initialize errno if constructing message fails and add debug messages
sbus: Add a special error code for messages sent by the bus itself
GPO: Use sss_unique_file and close fd on failure
SDAP: Remove unused function
KRB5: Don't error out reading a minimal krb5.conf
UTIL: Convert domain->disabled into tri-state with domain states
DP: Provide a way to mark subdomain as disabled and auto-enable it later with offline_timeout
SDAP: Do not set is_offline if ignore_mark_offline is set
AD: Only ignore errors from SDAP lookups if there's another connection to fallback to
KRB5: Offline operation with disabled domain
AD: Do not mark the whole back end as offline if subdomain lookup fails
AD: Set ignore_mark_offline=false when resolving AD root domain
IPA: Do not allow the AD lookup code to set backend as offline in server mode
BUILD: link dp tests with LDB directly to fix builds on Debian
LDAP: imposing sizelimit=1 for single-entry searches breaks overlapping domains
tests: Move named_domain from test_utils to common test code
LDAP: Move sdap_create_search_base from ldap to sdap code
LDAP: Filter out multiple entries when searching overlapping domains
IPA: Change ipa_server_trust_add_send request to be reusable from ID code
FO: Add an API to reset all servers in a single service
FO: Also reset the server common data in addition to SRV
IPA: Retry fetching keytab if IPA user lookup fails
Updating translations for the 1.13.1 release
John Dickerson (1):
MAN: Amend the description of ignore_group_members
Lukas Slebodnik (146):
logrotate: Fix warning file size changed while zipping
MAN: Remove indentation in element programlistening
Fix warning: for loop has empty body
Bump version to track 1.13 development
SPEC: Use libnl3 for epel6
MAKE: Don't include autoconf generated file to tarball
PROXY: Fix use after free
pysss: Fix double free
TESTS: Mock return value of sdap_get_generic_recv
test_nested_groups: Additional unit tests
Fix warning: equality comparison with extraneous parentheses
MONITOR: Fix double free
SSSDConfig: Remove unused exception name
SSSDConfig: Port missing parts to python3
Remove strict requirements of python2
CONFIGURE: Do not use macro AC_PROG_MKDIR_P twice
RESPONDERS: Warn to syslog about colliding objects
LDAP: Conditional jump depends on uninitialised value
BUILD: Remove unused libraries for pysss.so
BUILD: Remove unused variables
BUILD: Remove detection of type Py_ssize_t
UTIL: Remove python wrapper sss_python_set_new
UTIL: Remove python wrapper sss_python_set_add
UTIL: Remove python wrapper sss_python_set_check
UTIL: Remove compatibility macro PyModule_AddIntMacro
UTIL: Remove python wrapper sss_python_unicode_from_string
BUILD: Use python-config for detection *FLAGS
SPEC: Use new convention for python packages
SPEC: Move python bindings to separate packages
BUILD: Add possibility to build python{2,3} bindings
TESTS: Run python tests with all supported python versions
SPEC: Replace python_ macros with python2_
SPEC: Build python3 bindings on available platforms
BUILD: Uninstall also symbolic links to python bindings
Remove unused argument from be_nsupdate_create_fwd_msg
IPA: Remove unused argument from ipa_id_get_group_uuids
Remove useless assignment to function parameter
PAC: Fix memory leak
Log reason in debug message why ldb_modify failed
sbus_codegen: Port to python3
ipa_selinux: Fix warning may be used uninitialized
responder_cache: Fix warning may be used uninitialized
Add missing new lines to debug messages
debug-tests: Fix test with new line in debug message
memberof: Do not create request with 0 attribute values
BUILD: Add missing header file to tarball
pam_client: fix casting to const pointer
test_expire: Use right assertion macro for standard functions
test_ldap_auth: Use right assertion for integer comparison
test_resolv_fake: Fix alignment warning
PAC: Remove unused function
GPO: Check return value of ad_gpo_store_policy_settings
KRB5: Unify prototype and definition
CLIENT: Clear errno with enabled sss-default-nss-plugin
util-tests: Initialize boolean variable to default value
SPEC: Drop workaround for old libtool
SPEC: Drop workarounds for old rpmbuild
SPEC: Remove unused option
SPEC: Few cosmetic changes
SDAP: Do not set gid 0 twice
SDAP: Extract filtering AD group to function
SDAP: Filter ad groups in initgroups
simple_access-tests: Simplify assertion
sysdb-tests: Add missing assertions
sysdb-tests: test return value before output arguments
ad_opts: Use different default attribute for group name
BUILD: Write hints about optional python bindings
GPO: Do not ignore missing attrs for GPOs
sss_nss_idmap-tests: Use different prepared buffers for big endian
SDAP: Fix id mapping with disabled subdomains
SPEC: Fix cyclic dependencies between sssd-{krb5,}-common
sss_client: Fix mixed enums
LDAP: Remove dead assignment
negcache: Soften condition for expired entries
test_nss_srv: Use right function for storing time_t
nss: Do not ignore default vaue of SYSDB_INITGR_EXPIRE
SDAP: Set initgroups expire attribute at the end
SDAP: Remove unnecessary argument from sdap_save_user
sss_client: Fix warning "_" redefined
SSSDConfigTest: Use unique temporary directory
PROXY: proxy_child should work in non-root mode
PROXY: Do not register signal with SA_SIGINFO
util-tests: Add validation of internal error messages
SDAP: Check return value before using output arguments
SDAP: Log failure from sysdb_handle_original_uuid
test_ipa_subdomains_server: Run clean-up after success
IFP: Fix warnings with enabled optimisation
SDAP: Remove user from cache for missing user in LDAP
test_ipa_subdom_server: Add missing assert
test_ipa_subdomains_server: Fix build with --coverage
nss: Store entries in responder to initgr mmap cache
mmap_cache: Invalidate entry in right memory cache
nss: Invalidate entry in initgr mmap cache
sss_client: Use initgr mmap cache in client code
sss_cache: Clear also initgroups fast cache
sss_client: Use unique lock for memory cache
sss_client: Re-check memcache after acquiring the lock
KRB5: Return right data provider error code
Update few debug messages
intg: Invalidate memory cache before removing files
SPEC: Update spec file for krb5_local_auth_plugin
SSSDConfig: Return correct types in python3
intg: Modernize 'except' clauses
mmap_cache: Rename variables
mmap_cache: "Override" functions for initgr mmap cache
mmap: Invalidate initgroups memory cache after any change
sss_client: Update integrity check of records in mmap cache
intg_test: Add module for simulation of utility id
intg_test: Add integration test for memory cache
NSS: Initgr memory cache should work with fq names
test_memory_cache: Add test for initgroups mc with fq names
SPEC: Workaround for build with rpm 4.13
KRB5: Do not try to remove missing ccache
test_memory_cache: Test mmap cache after initgroups
test_memory_cache: Test invalidation with sss_cache
krb5_utils-tests: Remove unused variables
sss_cache: Wait a while for invalidation of mc by nss responder
test_memory_cache: Fix few python issues
NSS: Fix use after free
NSS: Don't ignore backslash in usernames with ldap provider
intg_tests: Add regression test for 2163
BUILD: Build libdlopen_test_providers.la as a dynamic library
BUILD: Speed up build of some tests
BUILD: Simplify build of simple_access_tests
CI: Set env variable for all tabs in screen
dyndns-tests: Simulate job in wrapped execv
AUTOMAKE: Disable portability warnings
tests: Use unique name for TEST_PATH
tests: Move test_dom_suite_setup to different module
test_ipa_subdomains_server: Use unique dorectory for keytabs
test_copy_keytab: Create keytabs in unique directory
test_ad_common: Use unique directory for keytabs
Revert "LDAP: end on ENOMEM"
Partially revert "LDAP: sanitize group name when used in filter"
LDAP: Sanitize group dn before using in filter
test_ldap_id_cleanup: Fix coding style issues
DYNDNS: Return right error code in case of failure
BUILD: Simplify build of test_data_provider_be
BUILD: Remove unused variable CHECK_OBJ
BUILD: Do not build libsss_ad_common.la as library
BUILD: Remove unused variable SSSD_UTIL_OBJ
CONFIGURE: Remove bashism
IFP: Suppress warning from static analyzer
BUILD: Link test_data_provider_be with -ldl
sysdb-tests: Use valid base64 encoded certificate for search
test_pam_srv: Run cert test only with NSS
Michal Zidek (4):
Use FQDN if default domain was set
MAN: default_domain_suffix with use_fully_qualified_names.
DEBUG: Add missing strings for error messages
test: Check ERR_LAST
Michal Židek (16):
views: Add is_default_view helper function
MONITOR: Poll for resolv.conf if not available during boot
MONITOR: Do not report missing file as fatal in monitor_config_file
DEBUG: Add new debug category for fail over.
pam: Incerease p11 child timeout
sdap_async: Use specific errmsg when available
TESTS: ldap_id_cleanup timeouts
sssd: incorrect checks on length values during packet decoding
CONFDB: Assume config file version 2 if missing
Makefile.am: Add missing AM_CFLAGS
SYSDB: Add function to expire entry
cleanup task: Expire all memberof targets when removing user
CI: Add regression test for #2676
intg: Fix some PEP 8 violations
PAM: Make p11_child timeout configurable
tests: Set p11_child_timeout to 30 in tests
Nikolai Kondrashov (4):
BUILD: Add AM_PYTHON2_MODULE macro
Add integration tests
BUILD: Fix variable substitution in cwrap.m4
TESTS: Add trailing whitespace test
Pavel Březina (80):
spec: sifp requires sssd-dbus
tests: refactor create_dom_test_ctx()
tests: add create_multidom_test_ctx()
tests: add test_multidom_suite_cleanup()
tests: remove code duplication in single domain cleanup
responders: new interface for cache request
responders: enable views in cache request
IFP: use new cache interface
server-tests: use strtouint32 instead strtol
sbus: add new iface via sbus_conn_register_iface()
sbus: move iface and object path code to separate file
sbus: use 'path/*' to represent a D-Bus fallback
sbus: support multiple interfaces on single path
sbus: add object path to sbus request
sbus: add sbus_opath_hash_lookup_supported()
sbus: support org.freedesktop.DBus.Introspectable
sbus: support org.freedesktop.DBus.Properties
sbus: unify naming of handler data variable
sbus: move common opath functions from ifp to sbus code
sbus: add sbus_opath_get_object_name()
ifp: fix potential memory leak in check_and_get_component_from_path()
sbus: use hard coded getters instead of generated
sbus: remove unused 'reply as' functions
IFP: move interface definitions from ifpsrv.c into separate file
IFP: unify generated interfaces names
sbus codegen: do not prefix getters with iface name
IFP: simplify object path constant names
sbus: add constant to represent subtree
be_refresh: refresh all domains in backend
sdap_handle_acct_req_send: remove be_req
be_refresh: refactor netgroups refresh
be_refresh: add sdap_refresh_init
be_refresh: support users
be_refresh: support groups
be_refresh: get rid of callback pointers
sysdb: use sysdb_user/group_dn
cache_req tests: rename test_user to test_user_by_name
cache_req tests: define user name constant
cache_req: preparations for different input type
cache_req: add support for user by uid
cache_req: add support for group by name
cache_req: remove default branch from switches
cache_req: add support for group by id
cmocka: include mock_parse_inp in header file
cache_req: parse input name if needed
cache_req: return ERR_INTERNAL if more than one entry is found
enumeration: fix talloc context
sudo: sanitize filter values
sbus: provide custom error names
sbus: add sbus_opath_decompose[_exact]
sbus: add a{sas} get invoker
IFP: add org.freedesktop.sssd.infopipe.Users
IFP: add org.freedesktop.sssd.infopipe.Users.User
IFP: add org.freedesktop.sssd.infopipe.Groups
IFP: add org.freedesktop.sssd.infopipe.Groups.Group
IFP: deprecate GetUserAttr
IFP: Implement org.freedesktop.sssd.infopipe.Cache[.Object]
SBUS: Use default GetAll invoker if none is set
SBUS: Add support for <node /> in introspection
IFP: Export nodes
sbus: add support for incoming signals
sbus: listen to NameOwnerChanged
VIEWS TEST: add null-check
SYSDB: prepare for LOCAL view
TOOLS: add common command framework
TOOLS: add sss_override for local overrides
AD: Use ad_site also when site search fails
IFP: use default limit if provided is 0
sudo: use "higher value wins" when ordering rules
sss_override: print input name if unable to parse it
sss_override: support domains that require fqname
TOOLS: add sss_colondb API
sss_override: decompose code better
sss_override: support import and export
sss_override: document --debug options
sss_override: support fqn in override name
views: do not require overrideDN in grous when LOCAL view is set
views: fix two typos in debug messages
views: allow ghost members for LOCAL view
sss_override: remove -d from manpage
Pavel Reichl (67):
GPO: add systemd-user to gpo default permit list
MAN: dyndns_iface supports only one interface
MAN: add dots as valid character in domain names
AD: add new option ad_site
AD: support for AD site override
MAN: amend sss_ssh_authorizedkeys
add missing '\n' in debug messages
PAM: do not reject abruptly
PAM: new option pam_account_expired_message
PAM: warn all services about account expiration
PAM: check return value of confdb_get_string
PROXY: add missing space in debug message
BUILD: fix chmake not to generate warning
SDAP: log expired accounts at lower severity level
SDAP: refactor pwexpire policy
SDAP: enable change phase of pw expire policy check
UTIL: convert GeneralizedTime to unix time
SDAP: Lock out ssh keys when account naturally expires
SDAP: fix minor neglect in is_account_locked()
ldap_child: fix coverity warning
MAN: libkrb5 and SSSD use different expansions
IPA: set EINVAL if dn can't be linearized
KRB5: add debug hint
LDAP: remove unused code
TESTS: test expiration
ldap: refactor check_pwexpire_kerberos to use util func
ldap: refactor nds_check_expired to use util func
LDAP: fix a typo in debug message
Fix a few typos in comments
MAN: Update ppolicy description
simple-access-provider: make user grp res more robust
sbus: sbus_opath_hash_add_iface free tmp talloc ctx
krb5: remove field run_as_user
LDAP: warn about lockout option being deprecated
localauth plugin: fix coverity warning
krb5: new option krb5_map_user
dyndns: remove dupl declaration of ipa_dyndns_update
dyndns: don't pass zone directive to nsupdate
dyndns: ipa_dyndns.h missed declaration of used data
krb: remove duplicit decl. of write_krb5info_file
IPA: Don't override homedir with subdomain_homedir
sysdb: new attribute lastOnlineAuthWithCurrentToken
PAM: authenticate agains cache
Minor code improvements
DYNDNS: sss_iface_addr_list_get return ENOENT
DYNDNS: support mult. interfaces for dyndns_iface opt
DYNDNS: special value '*' for dyndns_iface option
TESTS: dyndns tests support AAAA addresses
DYNDNS: support for dualstack
TESTS: fix compiler warnings
SDAP: rename SDAP_CACHE_PURGE_TIMEOUT
IPA: Improve messages about failures
DYNDNS: Don't use server cmd in nsupdate by default
DYNDNS: remove redundant talloc_steal()
DYNDNS: remove zone command
DYNDNS: rename field of sdap_dyndns_update_state
DYNDNS: remove code duplication
TESTS: UT for sss_iface_addr_list_as_str_list()
LDAP: sanitize group name when used in filter
LDAP: minor improvements in ldap id cleanup
TESTS: fix fail in test_id_cleanup_exp_group
LDAP: end on ENOMEM
AD: send less logs to syslog
Remove trailing whitespace
GPO: fix memory leak
DDNS: execute nsupdate for single update of PTR rec
AD: inicialize root_domain_attrs field
Petr Cech (6):
BUILD: Repair dependecies on deprecated libraries
TESTS: Removing part of responder_cache_req-tests
UTIL: Function 2string for enum sss_cli_command
UTIL: Fixing Makefile.am for util/sss_cli_cmd.h
DATA_PROVIDER: BE_REQ as string in log message
IPA PROVIDER: Resolve nested netgroup membership
Rob Crittenden (1):
Add user_attributes to ifp section of API schema
Robin McCorkell (1):
man: List alternative schema defaults for LDAP AutoFS parameters
Stephen Gallagher (9):
AD: Clean up ad_access_gpo
AD: Always get domain-specific ID connection
AD GPO: Always look up GPOs from machine domain
LDAP: Support returning referral information
AD GPO: Support processing referrals
AD GPO: Change default to "enforcing"
Add Vagrant configuration for SSSD
GPO: Fix incorrect strerror on GPO access denial
AD: Handle cases where no GPOs apply
Sumit Bose (88):
IPA: add get_be_acct_req_for_user_name()
IPA: resolve ghost members if a non-default view is applied
sysdb: fix group members with overridden names
IPA: ipa_resolve_user_list_send() take care of overrides
IPA: do not look up overrides on client with default view
IPA: make version check more precise
IPA: add missing break
IPA: process_members() optionally return missing members list
IPA: rename ipa_s2n_get_groups_send() to ipa_s2n_get_fqlist_send()
IPA: resolve missing members
IPA: set SYSDB_INITGR_EXPIRE for RESP_USER_GROUPLIST
krb5: fix entry order in MEMORY keytab
nss: make fill_orig() multi-value aware
nss: refactor fill_orig()
nss: Add original DN and memberOf to origbyname request
views: fix GID overrride for mpg domains
IPA: properly handle mixed-case trusted domains
nss: fix SID lookups
sysdb: remove ghosts in all sub-domains as well
IPA: resolve IPA group-memberships for AD users
IPA: process_members() add ghosts only once
ipa_s2n_save_objects: properly handle fully-qualified group names
AD: use GC for SID requests as well
fill_id() fix LE/BE issue with wrong data type
ldap_child: initialized ccname_file_dummy
PAM: use the logon_name as the key for the PAM initgr cache
pam_initgr_check_timeout: add debug output
ipa: do not treat missing sub-domain users as error
ipa: make sure extdom expo data is available
LDAP/AD: do not resolve group members during tokenGroups request
IPA idviews: check if view name is set
IPA: make sure output variable is set
sdap: properly handle binary objectGuid attribute
GPO: error out instead of leaving array element uninitialized
IPA: do not try to save override data for the default view
IPA: use sysdb_attrs_add_string_safe to add group member
IPA: check ghosts in groups found by uuid as well
IPA: allow initgroups by SID for AD users
IPA: do initgroups if extdom exop supports it
IPA: update initgr expire timestamp conditionally
IPA: enhance ipa_initgr_get_overrides_send()
IPA: search for overrides during initgroups in sever mode
IPA: do not add domain name unconditionally
NSS: check for overrides before calling backend
IPA: allow initgroups by UUID for FreeIPA users
Add leak check and command line option to test_authtok
utils: add sss_authtok_[gs]et_2fa
pam: handle 2FA authentication token in the responder
Add pre-auth request
krb5-child: add preauth and split 2fa token support
IPA: create preauth indicator file at startup
pam_sss: add pre-auth and 2fa support
Add cache_credentials_minimal_first_factor_length config option
sysdb: add sysdb_cache_password_ex()
krb5: save hash of the first authentication factor to the cache
krb5: try delayed online authentication only for single factor auth
2FA offline auth
pam_sss: move message encoding into separate file
PAM: add PAM responder unit test
SDAP: use DN to update entry
IPA: do not fail if view name lookup failed on older versions
libwbclient-sssd: update interface to version 0.12
ldap: use proper sysdb name in groups_by_user_done()
adding ldap_user_auth_type where missing
LDAP: add ldap_user_certificate option
certs: add PEM/DER conversion utilities
sysdb: add sysdb_search_user_by_cert() and sysdb_search_object_by_cert()
LDAP/IPA: add user lookup by certificate
ncache: add calls for certificate based searches
utils: add get_last_x_chars()
IFP: add FindByCertificate method for User objects
test common: sss_dp_get_account_recv() fix assignment
nss_check_name_of_well_known_sid() improve name splitting
negcache: allow domain name for UID and GID
nss: use negative cache for sid-by-id requests
krb5: do not send SSS_OTP if two factors were used
utils: add NSS version of cert utils
Add NSS version of p11_child
pack_message_v3: allow empty name
authok: add support for Smart Card related authtokens
PAM: add certificate support to PAM (pre-)auth requests
pam_sss: add sc support
ssh: generate public keys from certificate
krb5 utils: add sss_krb5_realm_has_proxy()
krb5: do not create kdcinfo file if proxy configuration exists
krb5: assume online state if KDC proxy is configured
GPO: use SDAP_SASL_AUTHID as samAccountName
utils: make sss_krb5_get_primary() private
Thomas Oulevey (1):
Fix memory leak in sssdpac_verify()
Timo Aaltonen (24):
Merge branch 'upstream' into m-n
Merge branch 'master' into master-next
update the changelog
{common,ipa,krb5,proxy}.postinst: Create a sssd system user & group, and migrate various bits to their ownership.
Add sssd-dbus to libsss-simpleifp0 Depends.
ipa: Add /var/lib/sss/keytabs.
use -f with chmod/chown
Build PEM/DER conversion tool, add libssl-dev to build-depends.
Add support for python3 modules.
Merge branch 'upstream-next' into master-next
tools: Add sss_override.
update the changelog
drop libssl-dev build-dep, the cert lib now has a NSS version.
common: Add p11_child.
ad: Drop libsss_ad_common, it was for tests only and not shipped anymore.
common: Move libsss_krb5_common here from sssd-krb5-common to satisfy libsss_ldap_common depending on it.
libsystemd.diff: Dropped, fixed upstream.
fix-python-modules.diff: Don't add symlinks to python modules, rename the built modules instead.
rules, postinst: Avoid running dpkg-architecture in postinst and instead mangle them in post-dh_installdeb.
postinst: various fixes
common: remove sssd user on postinst
common: Add depends on adduser.
sssd.conf must be owned by root:root
releasing package sssd version 1.13.1-1
Tyler Gates (1):
CONTRIB: Gentoo daemon startup options as declared in conf.d/sssd
Yuri Chornoivan (1):
Fix minor typos
---
Makefile.am | 825 +
README | 2
Vagrantfile | 77
configure.ac | 85
contrib/ci/configure.sh | 7
contrib/ci/deps.sh | 15
contrib/ci/run | 9
contrib/ci/sssd.supp | 18
contrib/fedora/bashrc_sssd | 3
contrib/sssd.spec.in | 265
contrib/vagrant/bootstrap.sh | 21
debian/changelog | 24
debian/control | 69
debian/patches/fix-python-modules.diff | 35
debian/patches/libsystemd.diff | 32
debian/patches/series | 2
debian/python-libipa-hbac.install | 2
debian/python-libsss-nss-idmap.install | 2
debian/python-sss.install | 6
debian/python3-libipa-hbac.install | 1
debian/python3-libsss-nss-idmap.install | 1
debian/python3-sss.install | 3
debian/rules | 11
debian/sssd-ad.install | 1
debian/sssd-common.install | 3
debian/sssd-common.postinst | 26
debian/sssd-common.postrm | 3
debian/sssd-ipa.dirs | 1
debian/sssd-ipa.postinst | 16
debian/sssd-krb5-common.install | 1
debian/sssd-krb5-common.postinst | 14
debian/sssd-proxy.postinst | 13
debian/sssd-tools.install | 2
po/bg.po | 679 -
po/ca.po | 1141 -
po/de.po | 690 -
po/es.po | 681 -
po/eu.po | 678 -
po/fr.po | 725 -
po/hu.po | 679 -
po/id.po | 678 -
po/it.po | 679 -
po/ja.po | 688 -
po/nb.po | 666 -
po/nl.po | 690 -
po/pl.po | 741 -
po/pt.po | 679 -
po/ru.po | 679 -
po/sssd.pot | 664 -
po/sv.po | 690 -
po/tg.po | 672 -
po/tr.po | 666 -
po/uk.po | 708 -
po/zh-CN.po | 1899 --
po/zh-TW.po | 1898 --
po/zh_CN.po | 666 -
po/zh_TW.po | 672 -
src/conf_macros.m4 | 91
src/confdb/confdb.c | 112
src/confdb/confdb.h | 44
src/confdb/confdb_setup.c | 48
src/config/SSSDConfig/__init__.py.in | 19
src/config/SSSDConfig/sssd_upgrade_config.py | 3
src/config/SSSDConfigTest.py | 46
src/config/SSSDConfigTest.py2.sh | 5
src/config/SSSDConfigTest.py3.sh | 5
src/config/etc/sssd.api.conf | 6
src/config/etc/sssd.api.d/sssd-ad.conf | 3
src/config/etc/sssd.api.d/sssd-ipa.conf | 4
src/config/etc/sssd.api.d/sssd-ldap.conf | 3
src/db/sysdb.c | 7
src/db/sysdb.h | 94
src/db/sysdb_gpo.c | 75
src/db/sysdb_ops.c | 232
src/db/sysdb_private.h | 22
src/db/sysdb_search.c | 199
src/db/sysdb_subdomains.c | 282
src/db/sysdb_upgrade.c | 59
src/db/sysdb_views.c | 17
src/external/cwrap.m4 | 7
src/external/glib.m4 | 4
src/external/intgcheck.m4 | 32
src/external/ldap.m4 | 4
src/external/libcares.m4 | 14
src/external/pac_responder.m4 | 2
src/external/pkg.m4 | 6
src/external/python.m4 | 124
src/external/systemd.m4 | 40
src/krb5_plugin/sssd_krb5_localauth_plugin.c | 5
src/krb5_plugin/sssd_krb5_locator_plugin.c | 1
src/man/Makefile.am | 8
src/man/include/debug_levels.xml | 19
src/man/po/br.po | 2476 ++-
src/man/po/ca.po | 2654 ++--
src/man/po/cs.po | 2460 ++-
src/man/po/de.po | 2744 ++--
src/man/po/es.po | 2706 ++--
src/man/po/eu.po | 2450 ++-
src/man/po/fr.po | 2847 ++--
src/man/po/ja.po | 2704 ++--
src/man/po/lv.po | 2464 ++-
src/man/po/nl.po | 2493 ++-
src/man/po/po4a.cfg | 1
src/man/po/pt.po | 2530 ++-
src/man/po/ru.po | 2456 ++-
src/man/po/sssd-docs.pot | 2379 ++-
src/man/po/tg.po | 2456 ++-
src/man/po/uk.po | 3010 ++--
src/man/po/zh-CN.po |10227 ----------------
src/man/po/zh_CN.po | 2464 ++-
src/man/sss_override.8.xml | 212
src/man/sssd-ad.5.xml | 76
src/man/sssd-ifp.5.xml | 15
src/man/sssd-ipa.5.xml | 75
src/man/sssd-krb5.5.xml | 8
src/man/sssd-ldap.5.xml | 98
src/man/sssd-simple.5.xml | 6
src/man/sssd.conf.5.xml | 115
src/monitor/monitor.c | 59
src/monitor/monitor_iface_generated.c | 57
src/monitor/monitor_sbus.c | 8
src/p11_child/p11_child_nss.c | 639
src/providers/ad/ad_common.c | 109
src/providers/ad/ad_common.h | 15
src/providers/ad/ad_dyndns.c | 1
src/providers/ad/ad_gpo.c | 524
src/providers/ad/ad_gpo.h | 7
src/providers/ad/ad_gpo_child.c | 40
src/providers/ad/ad_id.c | 93
src/providers/ad/ad_init.c | 42
src/providers/ad/ad_opts.h | 10
src/providers/ad/ad_srv.c | 12
src/providers/ad/ad_subdomains.c | 87
src/providers/data_provider.h | 23
src/providers/data_provider_be.c | 129
src/providers/data_provider_fo.c | 49
src/providers/data_provider_iface_generated.c | 57
src/providers/data_provider_req.c | 58
src/providers/data_provider_req.h | 51
src/providers/dp_backend.h | 17
src/providers/dp_dyndns.c | 429
src/providers/dp_dyndns.h | 29
src/providers/dp_pam_data_util.c | 25
src/providers/dp_refresh.c | 98
src/providers/fail_over.c | 32
src/providers/fail_over.h | 2
src/providers/ipa/hbac_evaluator.c | 1
src/providers/ipa/ipa_access.c | 14
src/providers/ipa/ipa_access.h | 1
src/providers/ipa/ipa_auth.c | 20
src/providers/ipa/ipa_common.h | 1
src/providers/ipa/ipa_dyndns.c | 16
src/providers/ipa/ipa_dyndns.h | 7
src/providers/ipa/ipa_hbac_common.c | 49
src/providers/ipa/ipa_hbac_rules.c | 29
src/providers/ipa/ipa_hbac_rules.h | 1
src/providers/ipa/ipa_id.c | 11
src/providers/ipa/ipa_id.h | 9
src/providers/ipa/ipa_init.c | 72
src/providers/ipa/ipa_netgroups.c | 29
src/providers/ipa/ipa_opts.h | 6
src/providers/ipa/ipa_s2n_exop.c | 55
src/providers/ipa/ipa_selinux.c | 6
src/providers/ipa/ipa_subdomains.c | 642 -
src/providers/ipa/ipa_subdomains.h | 54
src/providers/ipa/ipa_subdomains_ext_groups.c | 7
src/providers/ipa/ipa_subdomains_id.c | 243
src/providers/ipa/ipa_subdomains_server.c | 1114 +
src/providers/ipa/ipa_subdomains_utils.c | 100
src/providers/ipa/ipa_views.c | 2
src/providers/ipa/selinux_child.c | 6
src/providers/krb5/krb5_auth.c | 103
src/providers/krb5/krb5_auth.h | 19
src/providers/krb5/krb5_ccache.c | 5
src/providers/krb5/krb5_child.c | 355
src/providers/krb5/krb5_child_handler.c | 14
src/providers/krb5/krb5_common.c | 23
src/providers/krb5/krb5_common.h | 3
src/providers/krb5/krb5_delayed_online_authentication.c | 11
src/providers/krb5/krb5_keytab.c | 5
src/providers/krb5/krb5_renew_tgt.c | 6
src/providers/krb5/krb5_wait_queue.c | 184
src/providers/ldap/ldap_auth.c | 54
src/providers/ldap/ldap_child.c | 31
src/providers/ldap/ldap_common.c | 19
src/providers/ldap/ldap_common.h | 14
src/providers/ldap/ldap_id.c | 160
src/providers/ldap/ldap_id_cleanup.c | 79
src/providers/ldap/ldap_id_enum.c | 20
src/providers/ldap/ldap_options.c | 63
src/providers/ldap/ldap_opts.h | 6
src/providers/ldap/sdap.c | 122
src/providers/ldap/sdap.h | 20
src/providers/ldap/sdap_access.c | 51
src/providers/ldap/sdap_async.c | 349
src/providers/ldap/sdap_async.h | 48
src/providers/ldap/sdap_async_connection.c | 44
src/providers/ldap/sdap_async_enum.c | 9
src/providers/ldap/sdap_async_groups.c | 89
src/providers/ldap/sdap_async_initgroups.c | 6
src/providers/ldap/sdap_async_initgroups_ad.c | 2
src/providers/ldap/sdap_async_users.c | 78
src/providers/ldap/sdap_child_helpers.c | 41
src/providers/ldap/sdap_dyndns.c | 239
src/providers/ldap/sdap_dyndns.h | 1
src/providers/ldap/sdap_fd_events.c | 4
src/providers/ldap/sdap_id_op.c | 2
src/providers/ldap/sdap_utils.c | 11
src/providers/proxy/proxy_auth.c | 6
src/providers/proxy/proxy_child.c | 8
src/providers/proxy/proxy_id.c | 4
src/providers/proxy/proxy_init.c | 11
src/python/pyhbac.c | 30
src/resolv/ares/ares_data.c | 140
src/resolv/ares/ares_data.h | 68
src/resolv/ares/ares_dns.h | 91
src/resolv/ares/ares_parse_srv_reply.c | 183
src/resolv/ares/ares_parse_srv_reply.h | 35
src/resolv/ares/ares_parse_txt_reply.c | 204
src/resolv/ares/ares_parse_txt_reply.h | 33
src/resolv/async_resolv.c | 19
src/resolv/async_resolv.h | 6
src/responder/autofs/autofssrv.c | 2
src/responder/common/negcache.c | 105
src/responder/common/negcache.h | 21
src/responder/common/responder.h | 9
src/responder/common/responder_cache_req.c | 1191 +
src/responder/common/responder_cache_req.h | 168
src/responder/common/responder_common.c | 38
src/responder/common/responder_dp.c | 26
src/responder/common/responder_get_domains.c | 42
src/responder/ifp/ifp_cache.c | 344
src/responder/ifp/ifp_cache.h | 59
src/responder/ifp/ifp_components.c | 81
src/responder/ifp/ifp_components.h | 6
src/responder/ifp/ifp_domains.c | 22
src/responder/ifp/ifp_domains.h | 4
src/responder/ifp/ifp_groups.c | 949 +
src/responder/ifp/ifp_groups.h | 97
src/responder/ifp/ifp_iface.c | 178
src/responder/ifp/ifp_iface.xml | 107
src/responder/ifp/ifp_iface_generated.c | 1188 +
src/responder/ifp/ifp_iface_generated.h | 315
src/responder/ifp/ifp_iface_nodes.c | 129
src/responder/ifp/ifp_private.h | 50
src/responder/ifp/ifp_users.c | 984 +
src/responder/ifp/ifp_users.h | 116
src/responder/ifp/ifpsrv.c | 122
src/responder/ifp/ifpsrv_cmd.c | 391
src/responder/ifp/ifpsrv_util.c | 326
src/responder/ifp/org.freedesktop.sssd.infopipe.conf | 6
src/responder/nss/nsssrv.c | 22
src/responder/nss/nsssrv.h | 1
src/responder/nss/nsssrv_cmd.c | 300
src/responder/nss/nsssrv_mmap_cache.c | 83
src/responder/nss/nsssrv_mmap_cache.h | 10
src/responder/nss/nsssrv_private.h | 3
src/responder/pac/pacsrv.c | 2
src/responder/pac/pacsrv_cmd.c | 17
src/responder/pac/pacsrv_utils.c | 35
src/responder/pam/pam_helpers.c | 1
src/responder/pam/pam_helpers.h | 4
src/responder/pam/pamsrv.c | 36
src/responder/pam/pamsrv.h | 25
src/responder/pam/pamsrv_cmd.c | 636
src/responder/pam/pamsrv_dp.c | 8
src/responder/pam/pamsrv_p11.c | 527
src/responder/ssh/sshsrv.c | 11
src/responder/ssh/sshsrv_cmd.c | 77
src/responder/ssh/sshsrv_private.h | 1
src/responder/sudo/sudosrv.c | 13
src/responder/sudo/sudosrv_get_sudorules.c | 54
src/responder/sudo/sudosrv_private.h | 1
src/sbus/sbus_codegen | 167
src/sbus/sssd_dbus.h | 143
src/sbus/sssd_dbus_common_signals.c | 91
src/sbus/sssd_dbus_connection.c | 408
src/sbus/sssd_dbus_errors.h | 29
src/sbus/sssd_dbus_interface.c | 1116 +
src/sbus/sssd_dbus_introspect.c | 510
src/sbus/sssd_dbus_invokers.c | 583
src/sbus/sssd_dbus_invokers.h | 124
src/sbus/sssd_dbus_meta.h | 15
src/sbus/sssd_dbus_private.h | 58
src/sbus/sssd_dbus_properties.c | 553
src/sbus/sssd_dbus_request.c | 196
src/sbus/sssd_dbus_signals.c | 292
src/sss_client/common.c | 22
src/sss_client/libwbclient/wbc_pwd_sssd.c | 12
src/sss_client/libwbclient/wbc_sid_common.c | 2
src/sss_client/nss_group.c | 93
src/sss_client/nss_mc.h | 5
src/sss_client/nss_mc_common.c | 8
src/sss_client/nss_mc_group.c | 19
src/sss_client/nss_mc_initgr.c | 165
src/sss_client/nss_mc_passwd.c | 20
src/sss_client/nss_passwd.c | 42
src/sss_client/pam_message.c | 179
src/sss_client/pam_message.h | 66
src/sss_client/pam_sss.c | 509
src/sss_client/ssh/sss_ssh_client.c | 12
src/sss_client/sss_cli.h | 29