[Pkg-sssd-devel] sssd: Changes to 'refs/tags/debian/1.14.1-1'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Wed Oct 5 11:26:27 UTC 2016
Tag 'debian/1.14.1-1' created by Timo Aaltonen <tjaalton at debian.org> at 2016-10-05 11:24 +0000
tagging package sssd version debian/1.14.1-1
Changes since debian/1.13.4-3:
Alexander Bokovoy (1):
SPEC: Move polkit rules into sssd-polkit-rules subpackage
Christian Heimes (1):
Secrets: m4 macros for jansson and http-parser
Dan Lavu (6):
sss_override: Add restart requirements to man page
MAN: Clarify that subdomain_inherit only works for IPA and AD
URL in BUILD.txt is incorrect
Clarify that subdomains always use service discovery
PAM: Fix man for pam_account_{expired,locked}_message
MAN: Update description of sssctl
David Disseldorp (1):
build: detect endianness at configure time
Fabiano Fidêncio (9):
sysdb: move add_string() convenience to sysdb.c
sysdb: add sysdb_{add,replace,delete}_string()
sysdb: move add_ulong() convenience to sysdb.c
sysdb: add sysdb_{add,replace,delete}_ulong()
sssctl: Use localtime for time stamps
RESPONDERS: Decrease debug level for failures in SELINUX_getpeercon()
RESPONDERS: Show a bit more info in case of SELINUX_getpeercon() failure
RESPONDERS: Pass errno to strerror() when SELINUX_getpeercon() fails
SDAP: Don't log an op failure when no users are found
Graham Leggett (1):
Add underlying diagnostic message for SSL errors.
Jakub Hrozek (174):
Updating the version to track 1.14 development
MAN: Clarify pam_trusted_users option description
MAN: proxy and krb5 are valid access control modules
contrib: Add a pre-push hook to warn about commits without Reviewed-By
AD: Provide common connection list construction functions
AD: Consolidate connection list construction on ad_common.c
tests: Fix compilation warning
FO: Don't free rc-allocated structure
tests: Reduce failover code duplication
FO: Use refcount to keep track of servers returned to callers
tools: Don't shadow 'exit'
IFP: Skip non-POSIX groups properly
SSSD: Add a new option diag_cmd
DP: Drop dp_pam_err_to_string
DP: Check callback messages for valid UTF-8
sbus: Check string arguments for valid UTF-8 strings
DP: Do not confuse static analysers with dead code
CONTRIB: Add a gdb pretty-printer for ldb and sysdb_attrs
BUILD: Only install polkit rules if the directory is available
AD: Add autofs provider
KRB5: Handle preauth request timeout more gracefully
KRB5: Handle KRB5_REALM_UNKNOWN as ERR_NETWORK_IO
FO: Use tevent_req_defer_callback() when notifying callers
IPA: Use search timeout, not enum timeout for searching overrides
DP: Reduce code duplication in the callback handlers
DP: Reduce code duplication in Data Provider handlers
MAN: Clarify when should TGs be disabled for group nesting restriction
DP: Print warning when the handler is not configured
tests: use unittest.TestCase.assertCountEqual if possible
Fix pep8 warnings in pyhbac-test.py
SDAP: Make it possible to silence errors from dereference
Add a new option ldap_group_external_member
IPA: Add interface to call into IPA provider from LDAP provider
LDAP: Use the IPA provider interface to resolve external group members
IPA: Use the common if-else coding style
tests: Extend test_child_common.c to include tests for the only_extra_args functionality
NSS: Move a DEBUG message so that it's less confusing
MAN: Move subdomain_inherit to the correct man section
MAN: Move proxy_fast_alias to the correct man section
memberof: Don't allocate on a NULL context
tests: Add a unit test for the external groups resolution
libipa_hbac: Do not use C99
libipa_hbac: Add more debug messages
libipa_hbac: Fix typo in constant name
libipa_hbac: Move the library to src/lib/ipa_hbac
MAN: Remove duplicate description of the pam_account_locked_message option
AD: Recognize Windows Server 2016
memberof: Fix a memory leak when removing ghost users
memberof: Don't allocate on NULL when deleting memberUids
tests: Check NULL context in sysdb-tests when removing group members
MAN: Drop the reference to IPAv2 in the man page
Make sdap_process_group_send() static
MAN: Remove references to the obsolete PubkeyAgent ssh option
UTIL: Add ERR_SBUS_REQUEST_HANDLED
IFP: Do not crash on invalid arguments to GetUserAttr
UTIL: exit() the forked process if exec()-ing a child process fails
AD: Do not schedule the machine renewal task if adcli is not executable
AD: Do not leak file descriptors during machine password renewal
Do not leak fds in case of failures setting up a child process
LDAP: Try also the AD access control for IPA users
RESPONDER: Fix error check in cache_req.c
UTIL: Add a PROBE macro into probes.h
BUILD: Add build infrastructure for systemtap scripts
SYSDB: Track transaction nesting in sysdb_ctx
SYSDB: Add systemtap probes to track sysdb transactions
STAP: Add helper functions to for human-readable account request representation
LDAP: Decorate the hot paths in the LDAP provider with systemtap probes
CONTRIB: Add a systemtap script to analyze the performance of the 'id' command
CONTRIB: Add a systemstap script to measure nested group code performance
BUILD: Enable systemtap during RPM build and CI
Updating the translations for the 1.14 alpha release
Updating the version for the 1.14 beta release
SYSDB: Move sysdb initialization into a new module sysdb_init.c
UTIL: Add error codes for sysdb too old or too new
SYSDB: Refactor database connection
SYSDB: Add a second, timestamp-only ldb cache
SYSDB: Open a timestamps cache for caching domains
SYSDB: Wrap sysdb_store_group in a transaction and split it into smaller functions
SYSDB: Search the timestamp caches in addition to the sysdb cache
SYSDB: If modifyTimestamp is the same, only update the TS cache
SYSDB: Check if group attributes differ before saving a group
SYSDB: Refactor sysdb_store_user
SYSDB: Only update user attributes if needed
TESTS: Add a unit test for timestamps caches
TESTS: Add an integration test for the timestamps cache
LDAP: Shortcut looking up for group members sooner
Contrib: Add a gdbinit file
BUILD: Fall back to non-strict http parser, if strict is not available
MAN: Include idmap_sss.8.xml in the manpage sources
Updating the translations for the 1.14 beta release
Updating the version for the next release
SSH: Do not print an error message if sss_ssh_authorizedkeys is asked for a local user
LDAP: Change the default rfc2307 autofs attribute mappings
TESTS: Add a test for sss_parse_internal_fqname
TESTS: Add a test for sss_create_internal_fqname
UTIL: Add a utility function to create a list of qualified names
UTIL: Add a utility function sss_output_name
BUILD: Temporarily disable unit and integration tests until we fix them to cope with qualified names in sysdb
SYSDB: add_name_and_aliases_for_name_override no longer needs to special case subdomain users
SDAP: Search functions don't need to construct per-domain names
TESTS: Fix sysdb tests to work with the new format
TESTS: Amend sysdb_view tests for the FQDN schema
SIMPLE: Make the simple access provider work with qualified names
TESTS: Convert the simple access provider to cmocka
RESPONDER: Use fqnames for cache_req lookups of users and groups
RESPONDER: Add a helper function sss_resp_create_fqname
UTIL: expand_homedir_template manages usernames internally
TESTS: Fix the nested group tests to cope with FQDNs
NCACHE: Store FQDNs internaly, check for shortnames in files
NSS: Fix NSS responder to cope with fully-qualified usernames
PAM: Use qualified names internally in the PAM responder
SSH: Use a qualified name for user searches in the SSH responder
LDAP: Rename DP filter value from name to filter_value
LDAP: Use shortname for LDAP queries
LDAP: save users with FQDN
LDAP: Convert RFC2307 member attribute values to FQDN-style ghostnames before acting on them
SYSDB: Add a utility function to return a list of qualified names
LDAP: make it clear that sdap_add_incomplete_groups operates on sysdb names
LDAP: Use fqdns during nested RFC2307 initgroups
LDAP: Use FQDNs when saving incomplete groups
LDAP: Delete cache entry if not found by UPN
LDAP: The access control filter just needs the plain username
PROXY: Use fully qualified names internally
TOOLS: Make the local domain operate on FQDNs
SSS_CACHE: Make internal functions static
SSS_CACHE: Don't use sss_get_domain_name, but create the internal fqname instead for users and groups
SSS_SEED: Use FQDN for accessing sysdb
SSS_OVERRIDE: Fixes for fully qualified names
KRB5: Rely on internal fqname when constructing UPNs
KRB5: Rely on sysdb names for the renewal task
KRB5: Use shortname when expanding the user template in Kerberos ccache
AD: No need to separately qualify subdomain users anymore
SYSDB: Construct internal fqnames, not NSS names in sysdb_add_group_member_overrides
IPA: Use internal fqname format instead of parsing NSS names
IPA: HBAC evaluator consumes shortnames
SELINUX: Parse the internal fqname before using it
RESPONDERS: Return the sysdb name from cache_req
IPA: Save sudoUser qualified in the cache
LDAP: Qualify user and group names when saving the sudo users
IFP: Amend the InfoPipe responder for fqdns
TOOLS: sssctl: Work with trusted users
UTIL: Parse internal fqnames in find_domain_by_object_name
UTIL: Remove unused functions
TESTS: Convert the tests to use qualified names for ldb lookups
SYSDB: Remove useless parameter from sysdb_init()
SYSDB: Allow passing a context to sysdb upgrade functions
SYSDB: Fix small issues during db upgrade
SYSDB: Remove the timestamps cache on update
MEMBEROF: Allow bypassing memberof during upgrade
SYSDB: Upgrade sysdb to use qualified names for users and groups, sudo rules and override objects
TOOLS: Some tools command might not need initialization to succeed
TOOLS: Add the upgrade-cache command
SUDO: Add more low-level tracing messages
LDAP: Lookup services by all protocols unless a protocol is specified
Updating the translations for the 1.14.0 release
Updating the version for the 1.14.0 release
Updating the version for the 1.14.1 release
FO: Set port to NOT_WORKING when trying a next server
LDAP: Fix storing initgroups for users with no supplementary groups
LDAP: Use FQDN when linking parent LDAP groups
SYSDB: Fix setting dataExpireTimestamp if sysdb is supposed to set the current time
PAM: Do not act on ldb_message in case of a failure
IPA: Check the return value of sss_parse_internal_fqname
SIMPLE: Do not parse names on startup
SIMPLE: Fail on any error parsing the access control list
SIMPLE: Make the DP handlers testable
TESTS: Use the DP handlers in simple provider tests, add more tests
CONFIG: full_name_format is an allowed option for all domains
CONFIG: re_expression is an allowed option for all domains
SPEC: Own the secrets DB path
UTIL: Use sss_atomic_read_s in generate_csprng_buffer
SECRETS: Use sss_atomic_read/write for better readability
BUILD: Ship systemd service file for sssd-secrets
Updating the translations for the 1.14.1 release
Justin Stephenson (4):
Make resolv_is_address() function public and create some basic tests
Warn if IP address is used as option for ipa_server/ad_server
Monitor: Add support for disabling netlink
SSSCTL: More helpful error message when InfoPipe is disabled
Lukas Slebodnik (160):
CONTRIB: pre-push hook could work with python3
BUILD: Link just libsss_crypto with crypto libraries
BUILD: Link crypto_tests with existing library
BUILD: Remove unused variable TEST_MOCK_OBJ
BUILD: Avoid symlinks with python modules
SSSDConfigTest: Try load saved config
SSSDConfigTest: Test real config without config_file_version
intg_tests: Fix PEP8 warnings
responder_common_tests: Removed unused libraries
BUILD: Remove unused variables
BUILD: Remove SSS_CRYPTO_LIBS from common libraries
BUILD: Accept krb5 1.14 for building the PAC plugin
BUILD: Fix detection of pthread with strict CFLAGS
sbus_codegen_tests: Suppress warning Wmaybe-uninitialized
BUILD: Fix cleanup without NLS
SDAP: Remove unused sdap_id_ctx from sdap_id_conn_cache_create
BUILD: Fix doc directory for sss_simpleifp
LDAP: Fix leak of file descriptors
BUILD: Remove sudo doxygen file
CI: Workaroung for code coverage with old gcc
FAIL_OVER: Fix warning value computed is not used
cache_req: Fix warning -Wshadow
SBUS: Fix warnings -Wshadow
TESTS: Fix warnings -Wshadow
INIT: Drop syslog.target from service file
AD: Remove unused memory context from ad_user_conn_list
DP_PTASK: Fix warning may be used uninitialized
UTIL: Fix memory leak in switch_creds
TESTS: Initialize leak check
TESTS: Check return value of check_leaks_pop
TESTS: Make check_leaks static function
TESTS: Add warning for unused result of leak check functions
sss_client: Fix underflow of active_threads
sssd_client: Do not use removed memory cache
test_memory_cache: Test removing mc without invalidation
Revert "intg: Invalidate memory cache before removing files"
CONFIGURE: Bump AM_GNU_GETTEXT_VERSION
test_sysdb_subdomains: Do not use assignment in assertions
ldap_local_override_test: Fix failure with python2.6
sbus_codegen_tests: Use portable definition of large constants
CI: Update suppression file for 32bit el6
DEBUG: Add missing new lines
AD: Log SID in debug message
SPEC: Change package ownership of %{pubconfpath}/krb5.include.d
SPEC: Move libsss_sudo.so outside sssd-common
SPEC: Fix unowned directories
SPEC: Use systemd macros
pam-srv-tests: Reuse test directory for IO tests
FAILOVER: Improve reporting of errors
TOOLS: Fix warning Wsign-compare
pysss_murmur: Fix warning Wsign-compare
pyhbac: Fix warning Wsign-compare
SPEC: Remove unnecessary clean-up of buildroot
SPEC: Fix packaging of libsss_simpleifp
CONFIGURE: Replace obsoleted macro AC_PROG_LIBTOOL
TESTS: Fix race condition in python test
server-tests: Fix clean-up after successful test
PYTHON: sss_obfuscate should work with python3
PYTHON: Fix pep8 errors in sss_obfuscate
intg: Change preference of openldap module path
SPEC: Move libsss_autofs.so outside sssd-common
SPEC: Remove unnecessary requirements
sss_idmap-tests: Fix segmentation fault
krb5_child: Warn if user cannot read krb5.conf
Fix typos reported by lintian
UTIL: Use prefix for debug function
UTIL: Provide varargs version of debug_fn
IPA: Use sss_vdebug_fn in hbac_debug_messages
IPA: log real hbac function
HBAC: Check format string in hbac log function
UTIL: Use sss_vdebug_fn for callbacks
Revert "DEBUG: Preventing chown_debug_file if journald on"
DEBUG: Ignore ENOENT for change owner of log files
TOOLS: Fix minor memory leak in sss_colondb_writeline
CI: Use yum-deprecated instead of dnf
BUILD: Remove unused include directories
BUILD: Simplify build of cwrap tests
UTIL: Fix indentation in dlinklist.h
UTIL: Fix warning misleading-indentation
CLIENT: Reduce code duplication
CLIENT: Retry request after EPIPE
libipa_hbac: Ensure we always build with C90
UTIL: Do not call stderr with negative number
UTIL: Move debug part from util.h -> new debug.h
UTIL: Allow to append new line in sss_vdebug_fn
AUTOMAKE: Force usage of parallel test harness
CI: Use make check instead of make-check-wrap
IPA: Remove unused parameter from ipa_ext_group_member_check
SDAP: Remove unused parameter talloc context
test_ipa_subdom_server: Workaround for slow krb5 + SELinux
SPEC: Run extra unit tests with epel
GPO: Soften umask in gpo_child
GPO_CHILD: Create directories in gpo_cache with right permissions
GPO: Process GPOS in offline mode if ldap search failed
IPA: Check RDN in ipa_add_ad_memberships_get_next
dp_ptask: Fix memory leak in synchronous ptask
test_be_ptask: Check leaks in tests
test_ad_common: Include missing header if building with NSS
SYSDB_SUDO: Remove useless test
IPA_SUDO: Prevent dereference of NULL pointer
intg: Use different uid range for add_remove tests
LDAP: Print port in sdap_print_server
TOOLS: Fix warning maybe-uninitialized
pam-srv-tests: Increase cached_auth_timeout
CI: Exclude files in /tmp during coverage runs
pam-srv-tests: Fix warning unused-function
SPEC: Run sssd as privileged user
Prepare ini schema with rules for validation
UTIL: Fix debug message in sssd_async_connect_done
UTIL: Revent connection handling in sssd_async_connect_send
Downcast to errno_t after tevent_req_is_error
BUILD: Fix detection of systemd
BUILD: Detect libsystemd-daemon or libsystemd
Secrets: Fix format string
UTIL: Fix warning Wmissing-braces
Fix warning sign-compare
MAN: Update documentation of sss_cache
IPA: Fix uninitialized pointer read (UNINIT)
DOC: Fix few typos in doxygen comments
MAN: Remove leading spaces from elements programlisting
test_sysdb_ts_cache: Do not use wrong pointer for output argument
sysdb: Use ldb_result as output in sysdb_search_ts_{users,groups}
CONFIGURE: Inform about optional build dependencies
sssctl: Fix error handling after memory allocation failure
sssctl: Fix format string for size_t
doxygen: Fix path to header file ipa_hbac.h
ipa_hbac: Fix documentation for hbac_enable_debug
sssctl: Fix warning maybe-uninitialized
nss-srv-tests: Fix prototype of wrapped ncache functions
TOOLS: Prevent dereference of null pointer
sysdb-tests: Fix cast from pointer to integer
SPEC: Move nfsidmap plugin to separate package
test_utils: Clean files after sss_write_krb5_conf_snippet
CI: Use /bin/sh as a CONFIG SHELL
SECRETS: Log message for failures with removing file
Amend debug messages after failure of unlink
SYSDB: Do not try to modify ts cache for unsupported DNs
SDAP: sanitize member name before using in filter
SDAP: sysdb_search_users does not set users_count for failures
SYSDB: Sanitize dn in sysdb_get_user_members_recursively
LDAP: Fix Dereference after NULL check
NSS: Do not check local users with disabled local_negative_timeout
config_schema: Add ldap_user_email to schema
intg: Make location of sssd nss module configurable
intg: Allow to test netgroups
NSS: Use correct name for invalidating memory cache
SYSDB: Avoid optimisation with modifyTimestamp for users
dyndns-tests: Fix false positive failures
LDAP: Log autofs rfc2307 config changes only with enabled responder
DP: Add log message for get account info
ds.py: Do not call teardown in destructor
test_local_domain: Restore correct env variable
intg: rename test with enumeration
test_enumeration: Remove test without enumeration
intg: create ldap test without enumeration
sssd_id.py: Primary group should be returned for initgroups
intg: Fix pep8 warnings
test_ldap: test nested membership with rfc2307bis
test_ldap: test resolving of names with special characters
intg: Test extra attributes duplicate
Mathieu Deaudelin-Lemay (1):
Changes to allow SSSD to be used for access control with a machine account belonging to a domain controller.
Michal Zidek (12):
Remove misleading comment
UTIL: Add function to parse internal fqname format
UTIL: Add function to create internal fqname
SYSDB: convert sysdb_group_membership_mod to operate on qualified names
SYSDB: Search functions don't need to construct per-domain names
SDAP: Save user and group aliases qualified
SDAP: Store SID members during AD initgroups with a qualified name
TESTS: Fix the ldap_id_cleanup test for using qualified names in sysdb
TESTS: First pass on converting the sysdb tests to the fqname format
TESTS: Start converting the sysdb views tests to the fqname format
TESTS: Start fixing the NSS test for fully qualified names in sysdb
TESTS: Start fixing the PAM responder tests for fully qualified names in sysdb
Michal Židek (35):
SSSDConfig: Do not raise exception if config_file_version is missing
spec: Missing initgroups mmap file
util: Update get_next_domain's interface
tests: Add get_next_domain_flags test
sysdb: Include disabled domains in link_forest_roots
sysdb: Use get_next_domain instead of dom->next
Refactor some conditions
util: Continue if setlocale fails
server_setup: Log failed attempt to set locale
tests: Run intgcheck without libsemanage
tests: Regression test with wrong LC_ALL
ldap_local_override_test: Remove sss_cache from teardown
MAN: sssd.conf should mention SSS_NSS_USE_MEMCACHE
NSS: do not skip cache check for netgoups
GPO: log specific ini parse error messages
GPO: ignore non-KVP lines if possible
confdb: Make it possible to use config snippets
confdb: Check for config file errors on sssd startup
config: Fix filename matching regex
sss_ini: Small refacoring of sss_ini_call_validators
sssctl: Add config-check command
MAN: Config file merging
sssctl: config-check access check report
config: override_space is monitor's option
config: Fix user_attributes
config: Allow timeout for all sevices
config: Add config_file_version to schema
dyndns: Add checks for NULL
sdap: Fix ldap_rfc_2307_fallback_to_local_users
sss_ini: Change debug level of config error msgs
sssctl: Consistent commands naming
tools: Add missing gettext macro
sssctl: Generic help for cache-upgrade and config-check
gpo: gPCMachineExtensionNames with just whitespaces
sdap: Skip exact duplicates when extending maps
Nikolai Kondrashov (16):
CI: Exclude whitespace_test from Valgrind checks
TESTS: Make whitespace_test pass without whitespace
man: Mention groups in filter_groups description
man: Note filter_groups are not affecting nesting
intg: Get base DN from LDAP connection object
intg: Add support for specifying all user attrs
intg: Split LDAP test fixtures for flexibility
intg: Reduce sssd.conf duplication in test_ldap.py
intg: Fix RFC2307bis group member creation
intg: Do not use non-existent pre-increment
CI: Do not skip tests not checked with Valgrind
CI: Handle dashes in valgrind-condense
intg: Fix all PEP8 issues
CI: Enforce coverage make check failures
intg: Add more LDAP tests
Fix packet size calculation in sss_packet_new
Pavel Březina (177):
sbus codegen tests: free ctx
sss tools: improve option handling
cache_req: provide extra flag for oob request
cache_req: add support for UPN
cache_req tests: reduce code duplication
cache_req: remove raw_name and do not touch orig_name
intg: fix typos
sss_override: fix comment describing format
sss_override: explicitly set ret = EOK
sss_override: steal msgs string to objs
nss: send original name and id with local views if possible
sudo: search with view even if user is found
sudo: send original name and id with local views if possible
sss_tools: always show common and help options
sss_override: fix exporting multiple domains
sss_override: add user-find
sss_override: add group-find
sss_override: add user-show
sss_override: add group-show
sss_override: do not free ldb_dn in get_object_dn()
sss_override: use more generic help text
sss_tools: do not allow unexpected free argument
BE: Add IFP to known clients
AD: remove annoying debug message
man sssd-ad: fix typo
SYSDB: Add missing include to sysdb_services.h
LDAP: Mark globals in ldap_opts.h as extern
AD: Mark globals in ad_opts.h as extern
IPA: Mark globals in ipa_opts.h as extern
KRB5: Mark globals in krb5_opts.h as extern
SUDO: convert periodical refreshes to be_ptask
SUDO: move refreshes from sdap_sudo.c to sdap_sudo_refresh.c
SUDO: move offline check to handler
SUDO: simplify error handling
SUDO: fix sdap_id_op logic
SUDO: fix tevent style
SUDO: fix sdap_sudo_smart_refresh_recv()
SUDO: sdap_sudo_load_sudoers improve iterator
SUDO: set USN inside sdap_sudo_refresh request
SUDO: built host filter inside sdap_sudo_refresh request
SUDO: do not imitate full refresh if usn is unknown in smart refresh
SUDO: fix potential memory leak in sdap_sudo_init
SUDO: obtain host information when going online
SUDO: remove finalizer
SUDO: make sdap_sudo_handler static
SUDO: use size_t instead of int in for cycles
SUDO: get srv_opts after we are connected
AD SRV: prefer site-local DCs in LDAP ping
SDAP: handle ret properly in ldap_get_options()
SDAP: do not fail if refs are found but not processed
SDAP: Add request that iterates over all search bases
SDAP: rename sdap_get_id_specific_filter
SDAP: support empty filters in sdap_combine_filters()
SUDO: use sdap_search_bases instead custom sb iterator
SUDO: make sudo sysdb interface more reusable
SUDO: move code shared between ldap and ipa to separate module
SUDO: allow to disable ptask
SUDO: fail on failed request that cannot be retry
IPA: add ipa_get_rdn and ipa_check_rdn
SDAP: use ipa_get_rdn() in nested groups
IPA SUDO: choose between IPA and LDAP schema
IPA SUDO: Add ipasudorule mapping
IPA SUDO: Add ipasudocmdgrp mapping
IPA SUDO: Add ipasudocmd mapping
IPA SUDO: Implement sudo handler
IPA SUDO: Implement full refresh
IPA SUDO: Implement rules refresh
IPA SUDO: Remember USN
SDAP: Add sdap_or_filters
IPA SUDO: Implement smart refresh
SUDO: sdap_sudo_set_usn() do not steal usn
SUDO: remove full_refresh_in_progress
SUDO: assume zero if usn is unknown
SUDO: allow disabling full refresh
SUDO: remember usn as number instead of string
SUDO: simplify usn filter
IPA SUDO: Add support for ipaSudoRunAsExt* attributes
sdap_connect_send: fail if uri or sockaddr is NULL
MAKE: Do not compile generated header files
cache_req: simplify cache_req_cache_check()
cache_req: do not lookup views if possible
remove user certificate if not found on the server
IPA SUDO: download externalUser attribute
cache_req: bring together search parameters
cache_req: fix typo in debug message
cache_req: break cache_req_input_create into more functions
cache_req: rename debug_fqn to debugobj
cache_req: improve debugging
cache_req tests: remove unused users and groups
mock domain: reset ldb errors
cache_req tests: use leak check in test fixtures
cache_req tests: improve user and group creation
utils: return const char ** from dup_string_list
cache_req: add SID lookups
cache_req test: add lookup by sid
cache_req: hide input and pass parameters in struct
cache_req: rename cache_req_input to cache_req
cache_req: remove old comment
IPA SUDO: fix typo
IPA SUDO: support old ipasudocmd rdn
SUDO: be able to parse modifyTimestamp correctly
sudo: remove unused structure sudo_dp_request
sudo: use cache_req for initgroups
sudo: do not use tevent when parsing query
sudo: convert get_sudorules to tevent
Inform about (un)successful connection
Failover to next server if authentication fails
Remove braces from DEBUG statements
Rename dp_ptask to be_ptask
Rename dp_refresh.h to be_refresh.h
Rename dp_refresh.c to be_refresh.c
Rename dp_dyndns.h to be_dyndns.h
Rename dp_dyndns.c to be_dyndns.c
Rename dp_backend.h to backend.h
SBUS: Add sbus_conn_register_iface_map
SBUS: Add data provider errors
SBUS: Print debug message when handler fails
ERRORS: Add ERR_OFFLINE
ERRORS: Add ERR_TERMINATED
ERRORS: Add ERR_INVALID_DATA_TYPE
ERRORS: Add ERR_MISSING_DP_TARGET
sdap_search_bases: allow map to be NULL
sdap_search_bases: allow returning only the first reply
sdap ops: add support for deref
DP: Introduce new interface for backend
DP: Add callback for backward compatibility
DP TESTS: Mock data_provider
DP TESTS: Add unit tests for dp_request_table.c
DP: Switch to new interface
RESPONDER: New interface for client registration
DP: Move be_req_acct and remove discard_const
IFP: Add domain nodes
IFP: new header file that contains interface definitions
sss_sifp: make it compatible with latest version of the infopipe
sss_sifp: return context even on IO error
sss_sifp: bump version to 1:0:1
sss_tools: add command description
sss_tools: add help commands to usage message
sss_tools: unify description of --debug
sss_tools: tell whether an option was provided
sss_tools: add commands delimiter
sss_tools: pad help message properly
sss_tools: return errno_t instead of system code
sss_tools: add test if sssd is running
sss_tools: create confdb if not exist
sss_override: return EXIT_SUCCESS even when no overrides are found
sss_override: return EXIT_FAILURE if file does not exist during import
ERRORS: Add errors to indicated whether SSSD is running or not
SBUS ERRORS: Add unknown domain
SBUS: Fix typo in comment
SBUS: Add string helper macros
DP: Add function to get be_ctx directly from dp_client
DP: Add org.freedesktop.sssd.DataProvider.Backend
DP: Add org.freedesktop.sssd.DataProvider.Failover
IFP: Provide domain and failover status
sssctl: new tool
sssctl: restart SSSD when removing cache
sssctl: remove also ccache
sudo: solve problems with fully qualified names
sssctl: manual page
sssctl: move filter creation to separate function
sssctl: improve readability of a condition
DP: rename be_acct_req to dp_id_data
DP: Initialize D-Bus as soon as possible
utils: add remove_subtree
sssctl: use internal API to remove files
rdp: add ability to forward reply to the client request
sbus: add sbus_request_reply_error()
sbus: add utility function to simplify message and reply handling
sssctl: use talloc with sifp
failover: mark subdomain service with sd_ prefix
sssctl: print active server and server list
sifp: fix coverity warning
sbus: allow freeing msg through dbus api when using talloc
PROXY: Do not abuse data provider interface
DP: Remove old data provider interface
NSS: Remove unused functions
Pavel Reichl (39):
SDAP: Relax POSIX check
AD: fix minor memory leak
IPA: fix minor memory leak
SDAP: fix minor memory leak
PROXY: fix minor memory leak
sss_override: amend man page - overrides do not stack
DYNDNS: use realm and server commands only as fallback
DYNDNS: improve nsupdate_msg_add_fwd()
intg: fix assert messages in test_memory_cache
HBAC: remove misleading comment about deny rules
sudo: remove unused param. in ldap_get_sudo_options
autofs: remove unused params in del_autofs_entries
LDAP: remove unused param. in sdap_fallback_local_user
PAM: remove unused parameter cdb
sss_override: Remove unused parameter tool_ctx
SDAP: optional warning - sizelimit exceeded in POSIX check
SDAP: allow_paging in sdap_get_generic_ext_send()
SDAP: change type of attrsonly in sdap_get_generic_ext_state
SDAP: pass params in sdap_get_and_parse_generic_send
sss_override: Removed overrides might be in memcache
sudo: remove unused param name in sdap_sudo_get_usn()
pam-srv-tests: split pam_test_setup() so it can be reused
pam-srv-tests: Add UT for cached 'online' auth.
intg: Add test for user and group local overrides
sysdb-tests: Fix warning - incompatible pointer type
IDMAP: Fix computing max id for slice range
IDMAP: New structure for domain range params
IDMAP: Add support for automatic adding of ranges
IDMAP: Fix minor memory leak
IDMAP: Man change for ldap_idmap_range_size option
NSS: Fix memory leak netgroup
SDAP: Add error code to debug message
IDMAP: Add test to validate off by one bug
SDAP: Add return code ERR_ACCOUNT_LOCKED
PAM: Pass account lockout status and display message
IDMAP: Add minor performance improvements
IDMAP: Make parameter names more descriptive
DP TESTS: Add unit tests for dp_request.c
DP TESTS: Add unit tests for dp_builtin.c
Petr Cech (74):
TESTS: Fixing of uninitialized pointer.
HBAC: Better libhbac debugging
REFACTOR: umask(0177) --> umask(SSS_DFL_UMASK)
REFACTOR: DFL_RSP_UMASK constant in responder code
REFACTOR: umask(077) --> umask(SSS_DFL_X_UMASK)
REFACTOR: SCKT_RSP_UMASK constant in responder code
P11_CHILD_NSS: More restrictive permissions
UTILS: More restrictive permissions in domain_info
UTIL-TESTS: More restrictive permissions
TESTS: More restrictive permissions in debug_tests
TESTS: Restrictive permissions in check_and_open
DEBUG: Preventing chown_debug_file if journald on
KRB5_CHILD: More restrictive umask
UTIL: More restrictive umask on sss_unique_file()
TOOLS: DFL_UMASK --> SSS_DFL_UMASK
TEST: Add test_user_by_recent_filter_valid
TEST: Refactor of test_responder_cache_req.c
TEST: Refactor of test_responder_cache_req.c
TEST: Add common function are_values_in_array()
TEST: Add test_users_by_recent_filter_valid
TEST: Add test_group_by_recent_filter_valid
TEST: Refactor of test_responder_cache_req.c
TEST: Add test_groups_by_recent_filter_valid
IPA_PROVIDER: Explicit no handle of services
KRB5_CHILD: Debug logs for PAC timeout
KRB5: Adding DNS SRV lookup for krb5 provider
TOOLS: Fix memory leak after getline() failed
TOOLS: Add comments on functions in colondb
TEST_TOOLS_COLONDB: Add tests for sss_colondb_*
TESTS: global_talloc_context push/pop remove
NEGCACHE: Fixing typo in test_sss_ncache_gid()
NEGCACHE: Removing of condition for ttl = -1
SYSDB: Add new funtions into sysdb_sudo
TESTS: Test of sysdb_search_sudo_rules
SSS_CACHE: Refactor
TOOL: Invalidation of sudo rules at sss_cache
AUTOFS: Removing of redudant debug message
TEST: Removing duplication of mock_rctx
NEGCACHE: Adding timeout to struct sss_nc_ctx
NEGCACHE: Removing timeout from sss_ncache_check_*
NEGCACHE: Adding getter for timeout
RESPONDER: Removing neg_timeout from pam responder
RESPONDER: Removing neg_timeout from pac_ctx
RESPONDER: Removing neg_timeout from sudo resp.
RESPONDER: Removing neg_timeout from ifp repsonder
RESPONDER: Removing neg_timeout from nss responder
RESPONDERS: Negcache in resp_ctx preparing
RESPONDER: Removing ncache from nss_ctx
RESPONDER: Removing ncache from ifp_ctx
RESPONDER: Removing ncache from pac_ctx
RESPONDER: Removing ncache from pam_ctx
RESPONDER: Removing ncache from sudo_ctx
RESPONDER: Removing of redudant function
AD_PROVIDER: Fix constant char *
RESPONDERS: Negative caching of local users
TEST: New tests for negative caching of locals
SYSDB: Fixing DB update
PROVIDERS: Setting right {u,g}id if unprivileged
SYSDB: Removing of duplication of sysdb_ts_cache_attrs
test_utils: Fixing assignment discards 'const' qualifier
LDAP: Changing of confusing debug message
IPA: Changing of confusing debug message
Revert "LDAP: Lookup services by all protocols unless a protocol is specified"
PROVIDER: Conversion empty string from D-Bus to NULL
LDAP: Fixing wrong pam error code for passwd
UTILS: Fixing duplication of pid file declaration
AD_PROVIDER: Add ad_enabled_domains option
AD_PROVIDER: Initializing of ad_enabled_domains
AD_PROVIDER: ad_enabled_domains - only master
AD_PROVIDER: ad_enabled_domains - other then master
TESTS: Adding tests for ad_enabled_domains option
LDAP: Adding support for SIGTERM signal
LDAP: Adding SIGTERM signal before SIGKILL
LDAP: Adding SIGCHLD callback
Robert Antoni Buj Gelonch (1):
Add Catalan translation to LINGUAS
Simo Sorce (20):
Krb5/PAM: Fix account lockout error handling
Util: Improve code to get connection credentials
Util: Move socket setup in a common utility file
Util: Set socket options and flags separately
Util Sockets: Tidy up connect() handling
Responders: Fix client destructor
Util: Add watchdog helper
Server: Enable Watchdog in all daemons
Monitor: Remove ping infrastructure
Responders: Make the client context more generic
Responders: Add support for socket activation
ConfDB: Add helper function to get "subsections"
Secrets: Add autoconf macros to build with secrets
Secrets: Add initial responder code for secrets service
Add initial providers infrastructure.
Secrets: Add encryption at rest
Secrets: Add Proxy backend
Local secrets provider Content-Type handling
Secrets: Add local container entries support
Monitor: Add mode to generate confdb only
Stephen Gallagher (11):
LDAP: Inform about small range size
Monitor: Show service pings at debug level 8
GPO: Add Cockpit to the Remote Interactive defaults
GPO: Add other display managers to interactive logon
Netlink: Ignore RTM_NEWADDR signals from link-local
GPO: Add "unity" to ad_gpo_map_interactive
UTIL: Add secure copy function
Internal: Rename CONFDB_DEFAULT_CONFIG_FILE
CONFIG: Use default config when none provided
GPO: Add "polkit-1" to ad_gpo_map_allow
DEBUG: Add `debug` alias for debug_level
Sumit Bose (118):
PAM: only allow missing user name for certificate authentication
fix ldb_search usage
fix upn cache_req for sub-domain users
nss: fix UPN lookups for sub-domain users
DP: successful authentication sets explicitly PAM_SUCCESSS
NSS: fix a use-after-free issue
pam-srv-tests: Change service name
cache_req: check all domains for lookups by certificate
IPA: fix override with the same name
p11: allow p11_child to run completely unprivileged
p11: check if cert is valid before selecting it
p11: enable ocsp checks
ldap: skip sdap_save_grpmem() if ignore_group_members is set
initgr: only search for primary group if it is not already cached
LDAP: check early for missing SID in mapping check
nfs idmap: fix infinite loop
ipa_s2n_save_objects(): use configured user and group timeout
Use right domain for user lookups
sdap_save_grpmem: determine domain by SID if possible
ldap: remove originalMeberOf if there is no memberOf
UTIL: allow to skip default options for child processes
DP_TASK: add be_ptask_get_timeout()
AD: add task to renew the machine account password if needed
FO: add fo_get_active_server()
FO: add be_fo_get_active_server_name()
AD: try to use current server in the renewal task
p11: add gnome-screensaver to list of allowed services
Just return NULL if tevent_req_create() fails
subdomains: inherit ldap_krb5_keytab
IPA: lookup idview name even if there is no master domain record
IPA: invalidate override data if original view is missing
sdap: improve filtering of multiple results in GC lookups
pam_sss: reorder pam_message array
SDAP: make some AD specific calls public
LDAP: refactor sdap_ad_tokengroups_initgr_mapping_done()
util: make concatenate_string_array() reusable
AD: process PAC during initgroups request
IPA: rename ipa_s2n_get_fqlist* to ipa_s2n_get_list*
IPA: ipa_s2n_get_list_send() allow other list types
IPA: resolve PAC for trusted users on IPA clients
PAC: only save PAC blob into the cache
sss_override: do not generate DN, search object
tools: read additional data of the master domain
sss_override: only add domain if name is not fully qualified
intg: local override for user with mixed case name
krb5_auth_store_creds: silence spurious debug message
build: move ndr_krb5pac check to the other Samba checks
IPA: terminate properly if view name lookup fails
IPA: use forest name when looking up the Global Catalog
libwbclient: wbcSidsToUnixIds() don't fail on errors
AD: use krb5_keytab for subdomain initialization
p11: add missing man page entry and config API
p11: add no_verification option
p11: add OCSP default responder options
PAM: add pam_sss option allow_missing_name
p11: add PKCS11_LOGIN_TOKEN_NAME environment variable
sysdb: add sysdb_attrs_add_base64_blob()
sysdb: add searches by certificate with overrides
cache_req: use overide aware call for lookup by certificate
ipa: add support for certificate overrides
nss: include certificates in full result list
ipa: save cert as blob in the cache
AD: read user certificate if available
nss: return user certificate base64 encoded
sss_override: add certificate support
IPA: allow lookups by cert in sub-domains on the client
NSS: add SSS_NSS_GETNAMEBYCERT request
nss-idmap: add sss_nss_getnamebycert()
ssh: skip invalid certificates
Add winbind idmap plugin
localauth: remove enable_only sssd from config snippet
localauth: make plugin non-authoritative on failures
utils: add sss_write_krb5_snippet_common()
IPA/AD: globally set krb5 canonicalization flag
NSS: Fix domain for UPN based lookups
TESTS; orig_name does not need to be expanded to sysdb format
LDAP: fix typo
IPA: expand name in ipa_add_ad_memberships_get_next()
IPA: add missing user name to homedir_ctx
IPA: make get_object_from_cache() aware of UPN searches
SYSDB: qualify_attr: create new attribute only once
fix some 'might be used uninitialized' warnings
PAM/KRB5: optional otp and password prompting
SSH-CERT: always initialize cert_verify_opts
cert_to_ssh_key: properly add leading 0 to bignums
views: allow override added for non-default views at runtime
IPA: read ipaNTAdditionalSuffixes for master and trusted domains
sysdb: add UPN suffix support for the master domain
sysdb: make subdomain calls aware of upn_suffixes
DP: add dp_get_module_data()
IPA: add ipa_init_get_krb5_auth_ctx()
IPA: enable enterprise principals if server supports them
IPA: fix [capaths] output
UTIL: make domain mapping content testable
tests: add tests for sss_get_domain_mappings_content()
AD: avoid memory leak in netlogon_get_domain_info() and make it public
AD: netlogon_get_domain_info() allow missing arguments and empty results
tests: add tests for netlogon_get_domain_info
AD: replace ad_get_client_site_parse_ndr() with netlogon_get_domain_info()
sysdb_master_domain_add_info: properly set do_update
IPA: make ipa_resolve_user_list_{send|recv} public and allow AD users
IPA: expand ghost members of AD groups in server-mode
sysdb: add sysdb_get_user_members_recursively()
views: properly override group member names
IPA: fix lookup by UPN for subdomains
LDAP: allow multiple user principals
LDAP: new attribute option ldap_user_email
sysdb: include email in UPN searches
LDAP: include email in UPN searches
NSS: add user email to fill_orig()
utils: add is_email_from_domain()
LDAP/IPA: add local email address to aliases
NSS: continue with UPN/email search if name was not found
PAM: continue with UPN/email search if name was not found
NSS: use different neg cache name for UPN searches
PAM: Fix domain for UPN based lookups
SDAP: add special handling for IPA Kerberos enterprise principal strings
SDAP: add enterprise principal strings for user searches
Thorsten Scherf (1):
Fixed some typos in man pages
Timo Aaltonen (11):
Merge tag 'sssd-1_13_4' into m
Merge branch 'master' into m
update changelog, drop upstream patches
sssd-common.dirs: Add etc/sssd/conf.d for config snippets.
control: Add libhttp-parser-dev and libjansson-dev to build-deps.
sssd-tools.install: Add sssctl.
sssd-common.install: Add sssd-secrets and winbind idmap plugin.
Drop the upstart job, it was only shipped on Ubuntu which has switched to systemd.
rules, default, import-daemon-opts.diff: Import daemon options from default/sssd also with systemd.
rules: Don't install a default config file.
releasing package sssd version 1.14.1-1
---
BUILD.txt | 3
Makefile.am | 634 ++
configure.ac | 26
contrib/ci/configure.sh | 1
contrib/ci/deps.sh | 5
contrib/ci/run | 5
contrib/ci/sssd.supp | 2
contrib/gdb/sssd_gdb_plugin.py | 196
contrib/gdbinit | 2
contrib/git/pre-push | 73
contrib/sssd.spec.in | 193
contrib/systemtap/id_perf.stp | 165
contrib/systemtap/nested_group_perf.stp | 333 +
debian/changelog | 18
debian/control | 2
debian/patches/gpo-add-unity-to-ad-gpo-map-interactive.diff | 52
debian/patches/import-daemon-opts.diff | 13
debian/patches/ipa-terminate-if-view-name-fails.diff | 37
debian/patches/series | 3
debian/rules | 9
debian/sssd-common.dirs | 1
debian/sssd-common.install | 5
debian/sssd-common.sssd.default | 8
debian/sssd-common.sssd.upstart.in | 29
debian/sssd-tools.install | 2
po/LINGUAS | 1
po/bg.po | 822 +--
po/ca.po | 965 ++--
po/de.po | 834 +--
po/es.po | 828 +--
po/eu.po | 826 +--
po/fr.po | 834 +--
po/hu.po | 822 +--
po/id.po | 821 +--
po/it.po | 823 +--
po/ja.po | 832 +--
po/nb.po | 821 +--
po/nl.po | 829 +--
po/pl.po | 832 +--
po/pt.po | 823 +--
po/pt_BR.po | 817 +--
po/ru.po | 821 +--
po/sssd.pot | 815 +--
po/sv.po | 832 +--
po/tg.po | 821 +--
po/tr.po | 821 +--
po/uk.po | 832 +--
po/zh_CN.po | 821 +--
po/zh_TW.po | 821 +--
src/conf_macros.m4 | 56
src/confdb/confdb.c | 94
src/confdb/confdb.h | 42
src/confdb/confdb_setup.c | 160
src/confdb/confdb_setup.h | 8
src/config/SSSDConfig/__init__.py.in | 15
src/config/SSSDConfigTest.py | 12
src/config/cfg_rules.ini | 627 ++
src/config/etc/sssd.api.conf | 16
src/config/etc/sssd.api.d/sssd-ad.conf | 2
src/config/etc/sssd.api.d/sssd-ipa.conf | 1