
List:       sssd-devel
Subject:    [SSSD] Announcing SSSD 1.9.0
From:       jgalipea () redhat ! com (Jenny Galipeau)
Date:       2012-09-25 15:46:11
Message-ID: 5061D1C3.3050105 () redhat ! com

Bravo! :)

On 09/24/2012 05:52 PM, Jakub Hrozek wrote:
> === SSSD 1.9.0 ===
> 
> The SSSD team is proud to announce the release of the System Security
> Services Daemon version 1.9.0.
> 
> As always, the source is available from https://fedorahosted.org/sssd
> 
> RPM packages will be made available for Fedora shortly, initially for F-18
> and rawhide and later also backported to F-17.
> 
> == Feedback ==
> 
> Please provide comments, bugs and other feedback via the sssd-devel
> or sssd-users mailing lists:
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
> 
> == Highlights ==
> 
> === New Features ===
> * Add a new AD provider to improve integration with Active Directory 2008
> R2 or later servers
> - Support for ID-mapping when connecting to Active Directory
> - Support for handling very large (> 1500 users) groups in Active Directory
> * The SSSD is able to act as an IPA client in cases where the IPA server
> has established a trust setup with an Active Directory server
> - Support for sub-domains for dealing with trust relationships
> - Add a new PAC responder for dealing with cross-realm Kerberos trusts
> - The IPA authentication provider now supports subdomains
> - In scenarios, where the SSSD is acting as an IPA client, it is able
> to discover and save the DNS domain-Kerberos realm mappings between an
> IPA server and a trusted Active Directory server.
> * Add a new fast in-memory cache to speed up lookups of cached data on
> repeated requests
> * Many fixes for the support for setting default SELinux user context from
> FreeIPA, most notably fixed the specificity evaluation
> * Add support for the Kerberos DIR cache for storing multiple TGTs automatically
> * SUDO integration was completely rewritten. The new implementation works
> with multiple domains and uses an improved refresh mechanism to download
> only the necessary rules
> * The SSSD supports the concept of a Primary Server and a Back Up
> Server. If the SSSD switches to a back up server because a primary server
> is not available, it would later try to re-establish a connection to the
> primary server.
> * Add native support for autofs to the IPA provider
> * A new command-line tool sss_seed is available. This tool is able to
> prime the internal cache with a user record and a cached password to
> support the scenario when a user needs to log in to the client before
> the network connection to the centralized identity source is established,
> such as the first log in to a new machine.
> * A new option, override_shell was added. If this option is set, all users
> managed by SSSD will have their shell set to its value.
> 
> === Important Fixes and Enhancements ===
> * Major performance enhancement when storing large groups in the cache
> * Major performance enhancement when performing initgroups() against Active Directory
> * Terminate idle connections to the NSS and PAM responders
> * The shadowLastChange attribute value is now correctly updated with the
> number of days since the Epoch, not seconds
> * Mutexes in the nss_sss module are now released correctly if one thread
> in a multithreaded application is cancelled while the mutex is locked
> * The fail over code works correctly when the IPA provider is not able to
> establish a GSSAPI-encrypted connection to an IPA server
> * The SSSD correctly accepts -1 as a valid value of the shadow attributes
> * When the SSSD is unable to resolve a host name, it tries the next
> configured server now instead of going offline
> * The default SELinux login context for IPA users was changed to unconfined_t
> when there are no rules on the server
> * A file descriptor leak in cases the SSSD was unable to establish SSL
> connection to an LDAP server was fixed
> * Potential crash when one of two parallel requests would expire the list
> of servers resolved from a SRV query
> * Fixed a crash that occurred when a service was requested by both name
> and protocol
> 
> === Packaging Changes ===
> * SSSDConfig data file default locations can now be set during configure
> for easier packaging
> * Switch from libunistring to glib2 for unicode support
> * A new Python wrapper around the murmur hash library has been introduced. It
> is only useful to the FreeIPA server at the moment.
> * a new binary, called sss_seed is available. The binary is installed to
> /usr/sbin/sss_seed by default and includes its own manual page.
> * The SSSD uses a new directory to store the DNS domain - Kerberos realm
> mappings. The default location is /var/lib/sss/pubconf/krb5.include.d
> 
> == Tickets fixes ==
> https://fedorahosted.org/sssd/ticket/1331
> Off-by-one error in sss_hmac_sha1
> https://fedorahosted.org/sssd/ticket/1364
> [abrt] sssd-1.8.3-11.fc16: set_server_common_status: Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV)
> https://fedorahosted.org/sssd/ticket/1438
> SSSD crashes at boot time
> https://fedorahosted.org/sssd/ticket/1452
> Authentication fails if kpasswd cannot be resolved
> https://fedorahosted.org/sssd/ticket/1454
> if allocation fails, sss_mmap_cache_init may dereference NULL pointer
> https://fedorahosted.org/sssd/ticket/1458
> Full sudo refresh is scheduled even if there is no sudo responder
> https://fedorahosted.org/sssd/ticket/1466
> Proxy: Cannot retrieve an user after a group he is a member of was retrieved
> https://fedorahosted.org/sssd/ticket/1467
> enumeration is broken in the proxy provider
> https://fedorahosted.org/sssd/ticket/1479
> Hbac logs show wrong rule name granting access
> https://fedorahosted.org/sssd/ticket/1486
> [abrt] sssd-1.8.4-14.fc17: sss_ldap_init_send: Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV)
> https://fedorahosted.org/sssd/ticket/1496
> [abrt] sssd-1.8.4-14.fc17: ldap_pvt_sasl_getmechs: Process /usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV)
> https://fedorahosted.org/sssd/ticket/1505
> sudo with sss backend should use ipa_hostname
> https://fedorahosted.org/sssd/ticket/1509
> libsss_sudo is not updated when yum update sssd is called
> https://fedorahosted.org/sssd/ticket/1513
> Change the processing of the SELinux default map
> https://fedorahosted.org/sssd/ticket/1515
> pam_sss report System Error on wrong password
> https://fedorahosted.org/sssd/ticket/1516
> krb5_mod_ccname should cancel the transaction at one place only
> https://fedorahosted.org/sssd/ticket/1519
> membership of IPA hostgroups is not evaluated when treating them as netgroups
> https://fedorahosted.org/sssd/ticket/734
> on reconnect we need to detect that a ipa/ds server has been reinitialized
> https://fedorahosted.org/sssd/ticket/1156
> Do not use "goto" to jump backwards in the proxy code
> https://fedorahosted.org/sssd/ticket/1194
> when nesting limit is reached, the LDAP provider tries to establish link to members outside the nesting limit
> https://fedorahosted.org/sssd/ticket/1345
> sssd does not warn into sssd.log for broken configurations
> https://fedorahosted.org/sssd/ticket/1365
> ipv6 address with square brackets doesn't work for krb5_server
> https://fedorahosted.org/sssd/ticket/1388
> domain.remove_provider() does not work
> https://fedorahosted.org/sssd/ticket/1390
> Add support for nested automount maps
> https://fedorahosted.org/sssd/ticket/1393
> shadow attributes should accept -1
> https://fedorahosted.org/sssd/ticket/1396
> Kerberos validation algorithm is insufficient for cross-realm trusts
> https://fedorahosted.org/sssd/ticket/1415
> Group lookups no longer work when fastcache cannot be initialized
> https://fedorahosted.org/sssd/ticket/1416
> sssd_be crashes on using inappropriate keytab file
> https://fedorahosted.org/sssd/ticket/1430
> Password change prompt doesn't appear when "User must change password on next logon" is set for a AD user.
> https://fedorahosted.org/sssd/ticket/1436
> LOCAL domain lookups don't work
> https://fedorahosted.org/sssd/ticket/1446
> sssd does not try another server when unable to resolve hostname
> https://fedorahosted.org/sssd/ticket/1447
> Fail over does not work correctly when IPA server is establishing a GSSAPI-encrypted LDAP connection
> https://fedorahosted.org/sssd/ticket/1453
> proxy provider: value stored to status is never read in get_pw_name
> https://fedorahosted.org/sssd/ticket/1455
> SELinux code must fall back to default only if there are no rules on the server
> https://fedorahosted.org/sssd/ticket/1456
> Attempt to close the same file stream twice
> https://fedorahosted.org/sssd/ticket/1457
> Insecure temporary file in IPA subdomain provider
> https://fedorahosted.org/sssd/ticket/1459
> SRV servers are always marked as back up
> https://fedorahosted.org/sssd/ticket/1460
> SSSD thread issue can cause the application to not get any identity information
> https://fedorahosted.org/sssd/ticket/1470
> FreeIPA HBAC rules ignored when FreeIPA and SSSD are configured to set SELinux user context
> https://fedorahosted.org/sssd/ticket/1472
> Duplicate detection in fail over does not work
> https://fedorahosted.org/sssd/ticket/1478
> ldap_autofs_* options missing from /usr/share/sssd/sssd.api.d/sssd-ldap.conf
> https://fedorahosted.org/sssd/ticket/1480
> 1.9.0b6 does not build with SELinux disabled
> https://fedorahosted.org/sssd/ticket/1488
> Segfault in IPA subdomain provider
> https://fedorahosted.org/sssd/ticket/1490
> SSSD does not close TCP connections when SSL fails
> https://fedorahosted.org/sssd/ticket/1491
> Consolidate functions that make a realm upper-case
> https://fedorahosted.org/sssd/ticket/1492
> There is no /etc/selinux/targeted/logins on RHEL5
> https://fedorahosted.org/sssd/ticket/1500
> SSSD's default ccache location needs to be updated (again), and the man pages should reflect it
> https://fedorahosted.org/sssd/ticket/904
> Create tool to seed a user for first-boot
> https://fedorahosted.org/sssd/ticket/1087
> RFE: Allow Forcing User Shell
> https://fedorahosted.org/sssd/ticket/1128
> Introduce the concept of a Primary Server in SSSD
> https://fedorahosted.org/sssd/ticket/1185
> [Feature] AD Extensions
> https://fedorahosted.org/sssd/ticket/1318
> RFE: make the NSS memory cache timeout configurable
> https://fedorahosted.org/sssd/ticket/1368
> Missing hostid and subdomains sections in sssd-ipa.conf
> https://fedorahosted.org/sssd/ticket/1380
> domain_realm mappings manipulation by sssd
> https://fedorahosted.org/sssd/ticket/1418
> document how sudo works with sssd
> https://fedorahosted.org/sssd/ticket/1420
> sudo: provide automatic configuration of machine hostnames
> https://fedorahosted.org/sssd/ticket/1427
> Don't refresh HBAC rules when looking up SELinux rules
> https://fedorahosted.org/sssd/ticket/1429
> IPA session code returns error when SELinux mapping rule links to an HBAC rule
> https://fedorahosted.org/sssd/ticket/1432
> Mention AD Provider in manpage of sssd.conf
> https://fedorahosted.org/sssd/ticket/1433
> Suggested additions to manpage of sssd-ad
> https://fedorahosted.org/sssd/ticket/1435
> SELinux specificity does not work with HBAC rules
> https://fedorahosted.org/sssd/ticket/1439
> sss_pam needs to write out SELinux login file during the account phase
> https://fedorahosted.org/sssd/ticket/1445
> The SELinux login file needs to be created by the responder, not PAM module
> https://fedorahosted.org/sssd/ticket/1448
> sss_seed tool review issues
> https://fedorahosted.org/sssd/ticket/1360
> format of file for pam_selinux is incorrect
> https://fedorahosted.org/sssd/ticket/1379
> Possible use of uninitialized values
> https://fedorahosted.org/sssd/ticket/1395
> SELinux rule matching ignores specificity requirement
> https://fedorahosted.org/sssd/ticket/1417
> Several unowned directories
> https://fedorahosted.org/sssd/ticket/1419
> sssd incorrectly sets shadowLastChange in seconds not days
> https://fedorahosted.org/sssd/ticket/1421
> selinux rules are never deleted from sysdb
> https://fedorahosted.org/sssd/ticket/1422
> When ldap_sasl_minssf is assigned large values, appropriate error message should be logged sssd_DOMAIN log
> https://fedorahosted.org/sssd/ticket/1431
> Set "krb5_canonicalize = False" for password change to work
> https://fedorahosted.org/sssd/ticket/1239
> [RFE] sudo: send username and uid while requesting default options
> https://fedorahosted.org/sssd/ticket/1299
> Per domain formats for qualified user names
> https://fedorahosted.org/sssd/ticket/1352
> [RFE] Add the subdomain functionality to IPA auth provider
> https://fedorahosted.org/sssd/ticket/1377
> [RFE] Add AD provider
> https://fedorahosted.org/sssd/ticket/1382
> pac responder interface needs checks
> https://fedorahosted.org/sssd/ticket/1385
> heimdal: compile time difference
> https://fedorahosted.org/sssd/ticket/1398
> Dependency issue while "yum update libsss_sudo"
> https://fedorahosted.org/sssd/ticket/1403
> Combine keytab options for AD provider
> https://fedorahosted.org/sssd/ticket/1404
> AD provider should default to case-insensitive operation
> https://fedorahosted.org/sssd/ticket/1407
> Revert sssd patch for limiting enctypes to keytab
> https://fedorahosted.org/sssd/ticket/1409
> Resource leak in sssdpac_import_authdata
> https://fedorahosted.org/sssd/ticket/1410
> Dead code in ipa_subdomains_handler_done()
> https://fedorahosted.org/sssd/ticket/1412
> Starting SSSD with a domain using the LOCAL provider segfaults the responders
> https://fedorahosted.org/sssd/ticket/1163
> [Feature] SSSD AD Integration Feature (Cross Realm Kerberos Trusts)
> https://fedorahosted.org/sssd/ticket/1354
> Add support for terminating idle connections in sssd_nss
> https://fedorahosted.org/sssd/ticket/1383
> sssd_nss segfaults performing netgroup lookups without a specified domain
> https://fedorahosted.org/sssd/ticket/974
> [RFE] Support DIR: credential caches for multiple TGT support
> https://fedorahosted.org/sssd/ticket/984
> RFE: sssd should support Netscape LDAP password expiration controls
> https://fedorahosted.org/sssd/ticket/1213
> Warn to syslog when dereference requests fail
> https://fedorahosted.org/sssd/ticket/1240
> sudo: contact data provider only once
> https://fedorahosted.org/sssd/ticket/1255
> RFE: change the way we deal with fake users
> https://fedorahosted.org/sssd/ticket/1256
> Document the expectations about ghost users showing in the lookups
> https://fedorahosted.org/sssd/ticket/1330
> Potential NULL dereference in sss_krb5_read_etypes_for_keytab
> https://fedorahosted.org/sssd/ticket/1336
> Please only use named parameters in translatable strings
> https://fedorahosted.org/sssd/ticket/1337
> Minor typos in SSSD messages and man pages
> https://fedorahosted.org/sssd/ticket/1346
> in-memory cache causes nss to segfault if it cannot be initialized properly
> https://fedorahosted.org/sssd/ticket/1367
> Optimize AD memberOf lookups with LDAP_MATCHING_RULE_IN_CHAIN
> https://fedorahosted.org/sssd/ticket/357
> SSSD should provide fast in memory cache to provide similar functionality as NSCD currently provides
> https://fedorahosted.org/sssd/ticket/783
> Support range retrievals
> https://fedorahosted.org/sssd/ticket/887
> Implement mechanism to fetch and store domain info
> https://fedorahosted.org/sssd/ticket/917
> Document sss_tools better
> https://fedorahosted.org/sssd/ticket/949
> Filter out inappropriate IP addresses from IPA dynamic DNS update
> https://fedorahosted.org/sssd/ticket/996
> RFE: Allow Constructing uid from Active Directory objectSid
> https://fedorahosted.org/sssd/ticket/1031
> [RFE] Implement "AD friendly" schema mapping
> https://fedorahosted.org/sssd/ticket/1064
> Sub-Domains: define new get_domains method
> https://fedorahosted.org/sssd/ticket/1065
> Sub-Domains: implement new get_domains method in IPA provider
> https://fedorahosted.org/sssd/ticket/1067
> Sub-Domains: add new get_domains method to responders
> https://fedorahosted.org/sssd/ticket/1114
> get_uid_from_pid() performs an improper read
> https://fedorahosted.org/sssd/ticket/1119
> Monitor SIGKILL time should be configurable
> https://fedorahosted.org/sssd/ticket/1140
> RFE Request for including pam_pwd_expiration_warning = 0 in sssd.conf
> https://fedorahosted.org/sssd/ticket/1170
> sss_cache should support invalidating services and autofs maps
> https://fedorahosted.org/sssd/ticket/1172
> Bad check for id_provider=local and access_provider=permit
> https://fedorahosted.org/sssd/ticket/1174
> sssd.conf has wrong defaults for the "command" parameter
> https://fedorahosted.org/sssd/ticket/1176
> SSH: Add dp_get_host_send to common responder code
> https://fedorahosted.org/sssd/ticket/1181
> Typos in sssd manual
> https://fedorahosted.org/sssd/ticket/1203
> Hash the hostname/port information in the known_hosts file.
> https://fedorahosted.org/sssd/ticket/1209
> Convert all read and write loops to use atomic I/O function
> https://fedorahosted.org/sssd/ticket/1233
> Memory leak in sss_sudo_send_recv_generic
> https://fedorahosted.org/sssd/ticket/1250
> Add default home directory mapping
> https://fedorahosted.org/sssd/ticket/1271
> Stop using HTML_FOOTER_DESCRIPTION in doxygen docs
> https://fedorahosted.org/sssd/ticket/1281
> Add unit test for compatibility of ldap options between schemas
> https://fedorahosted.org/sssd/ticket/1289
> Create a way to define a default shell for cases when there no shell
> https://fedorahosted.org/sssd/ticket/1297
> Use keytab to select etypes for krb5_get_init_creds_keytab()
> https://fedorahosted.org/sssd/ticket/1298
> Invalid cache file created when canoning principals during krb5_get_init_creds_keytab()
> https://fedorahosted.org/sssd/ticket/1301
> sss_cache does nothing when executed without any options.
> https://fedorahosted.org/sssd/ticket/1305
> sss_cache should return a warning/error while validating unknown user/group
> https://fedorahosted.org/sssd/ticket/1306
> sss_cache should return an error, when executed against inactive domains
> https://fedorahosted.org/sssd/ticket/1313
> exec_child, execv and friends don't return success
> https://fedorahosted.org/sssd/ticket/1316
> kpasswd server status set to working when Kerberos auth succeeds
> 
> == Detailed Changelog ==
> Ariel Barria (6):
> * Bad check for id_provider=local and access_provider=permit
> * Potential NULL dereference in proxy provider
> * Warn to syslog when dereference requests fail
> * Clarify how comments work in sssd.conf
> * SIGUSR2 should force SSSD to reread resolv.conf as well
> * Missing resolv.conf should be non-fatal
> 
> George McCollister (1):
> * libcrypto fully implemented
> 
> Jakub Hrozek (205):
> *  Fix SSH compilation on RHEL5
> *  AUTOFS: IPA provider
> *  Two sssd-ldap manual pages fixes
> *  Fix group enumeration
> *  Only fetch SELinux string if the user is found
> *  Remove setent structure when callback is called
> *  Allocate setent structure on state, not on the client context
> *  Fix memory hierarchy when processing nested group memberships
> *  Fix case insensitive service lookups
> *  Include the fd_limit configuration option
> *  End request if ldap_parse_result fails
> *  remove unused function
> *  Save errno value before calling DEBUG
> *  libnl: fix the path to phy80211 subdirectory
> *  AUTOFS: Invoke implicit setautomntent if needed
> *  AUTOFS: Search all search bases for automounter map entries
> *  AUTOFS: speed up the client by requesting multiple entries at once
> *  Use proper errno code
> *  Only do one cycle when resolving a server
> *  krb5_child: set debugging sooner
> *  Search netgroups by alias, too
> *  Detect cycle in the fail over on subsequent resolve requests only
> *  Autofs: operate on contents of double-pointer, not address
> *  Only free returned values on success
> *  Save original name into the in-memory cache
> *  Handle errors from lookup_netgr_step gracefully
> *  Fix nested groups processing
> *  Fix netgroup error handling
> *  Handle empty elements in proxy netgroups:
> *  Fix uninitialized variable
> *  Free entry found in negative cache
> *  Make the string_equal() function public
> *  Save alias of the primary name, too
> *  NSS: Look for services with correct case when cache is updated
> *  AUTOFS: fix copy-and-paste bug in the autofs client
> *  LDAP services: Keep the protocol around
> *  Silence Coverity warning in the autofs test tool
> *  Return correct resolv_status on resolver timeout
> *  Add sss_get_cased_name_list utility function
> *  LDAP services: Save lowercased protocol names in case-insensitive domains
> *  Proxy services: Save lowercased protocol names and aliases in case-insensitive domains
> *  Fix off-by-one error in principal selection
> *  Catch cases where D-Bus connection is NULL
> *  Use HTML_TIMESTAMP instead of HTML_FOOTER_DESCRIPTION
> *  Fix regression in SSSDConfig.py
> *  netlink integration: ensure that interface name is NULL-terminated
> *  Remove forgotten DEBUG message
> *  autofs: load the correct option
> *  man: document that referral chasing might bring performance penalty
> *  Prevent printing NULL from DEBUG messages
> *  Do not call sdap_auth if not needed
> *  pam_sss: improve error handling in SELinux code
> *  Remove the "command" option from documentation
> *  Add sysdb_set_service_attr and sysdb_set_autofsmap_attr
> *  sss_cache: support invalidating services and autofs maps
> *  autofs: Raise the maximum key length to PATH_MAX
> *  sss_cache: Better error reporting
> *  MAN: timeout can be specified for services, too
> *  MAN: document the hostid and autofs providers
> *  proxy: Canonicalize user and group names
> *  proxy: new option proxy_fast_alias
> *  Free controls in sdap_rebind_proc
> *  Make the monitor SIGKILL time configurable
> *  sdap_check_aliases must not error when detects the same user
> *  sss_atomic_io: Do not fail reads with EPIPE if there is not enough data to read
> *  Move atomic io function to a separate module
> *  Convert read and write operations to sss_atomic_read
> *  Document sss_tools better
> *  Warn on 'make update-po' if there are manpages not listed in po4a.cfg
> *  Test RFC2307bis and RFC2307 option maps
> *  Get the RootDSE after binding if not successful before
> *  Lowercase group members in case-insensitive domains
> *  NSS: Only return data from initgroups once
> *  SUDO: Return ret, not EOK
> *  SYSDB: return EOK if empty message is passed into get_rm_msg
> *  SYSDB: check return value
> *  SSH: return NULL on error in ssh_host_pubkeys_format_known_host_plain
> *  SERVER: use the correct return code of sss_atomic_write_s
> *  LDAP: check return value of sysdb_attrs_get_el
> *  RESPONDER: check return value from confdb_get_int
> *  PYHBAC: Return NULL on failure
> *  PAM_SSS: report error code if write fails
> *  NSS: Check return code of sss_mmap_cache_gr_store
> *  IPA netgroups: return EOK when there are no netgroups to process
> *  ipa_get_config_send: remove unused assignment
> *  HBAC: Prevent NULL dereference in hbac_evaluate
> *  DP: return correct error message when subdomains back end target is not configured
> *  NSS: fix returning group from cache
> *  SSS_DEBUGLEVEL: silence analyzer warnings
> *  PROXY: return correct return codes
> *  IPA: Check return values
> *  AUTOFS: remove unused assignments
> *  Rename split_service_name_filter
> *  SSH: Add dp_get_host_send to common responder code
> *  Read sysdb attribute name, not LDAP attribute map name
> *  Kerberos locator: Include the correct krb5.h header file
> *  Special-case LDAP_SIZELIMIT_EXCEEDED
> *  krb5 locator: Do not leak addrinfo
> *  Only reset kpasswd server status when performing a chpass operation
> *  Try all KDCs when getting TGT for LDAP
> *  Send the correct enumeration request
> *  subdomains: Fix error handling in Data Provider
> *  Filter out IP addresses inappropriate for DNS forward records
> *  sysdb: return proper error code from sysdb_sudo_purge_all
> *  SYSDB: Handle user and group renames better
> *  NSS: keep a pointer to body after body is reallocated
> *  Use sized_string correctly in FQDN domains
> *  Use the sysdb attribute name, not LDAP attribute name
> *  LDAP nested groups: Do not process callback with _post deep in the nested structure
> *  Send 16bit protocol numbers from the sss_client
> *  Revert the client packet length, too, after reverting the packet protocol
> *  Fix the default sssd.conf path
> *  Fix the 0.11 sysdb upgrade
> *  sss_names_init: Report correct error code if allocation failed
> *  Two small krb5_child fixes
> *  Provide more debugging in krb5_child and ldap_child
> *  Allow redefining the KRB5_CHILD path
> *  Split parse_krb5_child_response so it can be reused
> *  Add a krb5_child test tool
> *  Residual util functions
> *  Handle trailing slash in the ccname template
> *  Add a credential cache back end structure
> *  Add support for storing credential caches in the DIR: back end
> *  Use Kerberos context in KRB5_DEBUG
> *  Make krb5_ccname_template and krb5_ccachedir configurable
> *  Print based on pointer contents not address
> *  Cast uid_t to unsigned long long in DEBUG messages
> *  Update translations for 1.9.0 beta 4 release
> *  Bumping version to 1.9.0 beta 5
> *  Add newline to DEBUG messages
> *  RPM: Own several directories
> *  Add missing "%" to specfile
> *  IPA: Download defaults even if there are no SELinux mappings
> *  SYSDB: Delete SELinux mappings
> *  IPA: Return and save all SELinux rules in the provider
> *  PAM: Fix off-by-one-error in the SELinux session code
> *  Update translations for 1.9.0 beta 5 release
> *  Bumping version to 1.9.0 beta 6
> *  Fix sysdb_search_selinux_usermap_by_username return value
> *  Fix SSSDConfigTest
> *  Fix bad check
> *  Create a domain-realm mapping for krb5.conf to be included
> *  Update translations for 1.9.0 beta 6 release
> *  Bumping version for the 1.9.0 release
> *  Don't call fo_set_{server,port}_status for SRV servers
> *  Fix the version number
> *  SYSDB: Check the return value
> *  SYSDB: Use ldb_msg_add_string for simple string additions
> *  Failover: Return last tried server if it's still being tried
> *  Subdomains: Send the DP reply in the correct format
> *  Always mark SRV servers as primary
> *  Allocate on top of a talloc context, not NULL
> *  Abort PAM access phase if HBAC does not return PAM_SUCCESS
> *  Change default for ldap_idmap_range_min to 200000
> *  Don't use server after SRV data collapsed
> *  Document entry_cache_autofs_timeout
> *  Add autofs-related options to configAPI
> *  sss_client: Group lookups should work even when fastcache cannot be initialized
> *  FO: Don't retry the same server if it's not working
> *  FO: Return EAGAIN if there are more servers to try
> *  KRB5: Only return PAM error for unreachable kpasswd when performing chpass
> *  Build SELinux code in responder conditionally
> *  Do not try to remove the temp login file if already renamed
> *  Only create the SELinux login file if there are mappings on the server
> *  Fix compilation error in Python murmurhash bindings
> *  Process all groups from a single nesting level
> *  Use PTHREAD_MUTEX_ROBUST to avoid deadlock in the client
> *  RPM: Switch the default ccache location
> *  RPM: Always include the patch file
> *  Check if the SELinux login directory exists
> *  SYSDB: Commit transaction in sysdb_store_user
> *  SYSDB: Abort unit test if sysdb_getpwnam fails
> *  Retry the next server if bind during LDAP auth times out
> *  Don't terminate the same connection twice
> *  Update translations for 1.9.0 beta 7 release
> *  Bumping version for the 1.9.0 beta 7 release
> *  libsss_sudo should have a versioned dependency on SSSD
> *  KRB5: cancel the sysdb transaction on one place only
> *  KRB5: Return PAM_AUTH_ERR on incorrect password
> *  RPM: BuildRequire selinux-policy-targeted
> *  SYSDB: NULL-terminate the output of sysdb_get_{ranges,subdomains}
> *  KRB5: Add a missing string argument
> *  NSS: Fix off-by-one error in parse_getservbyname
> *  FO: Check server validity before setting status
> *  DB: Always write the SELinux object to sysdb
> *  SELinux: Always use the default if it exists on the server
> *  Updating the translations for the 1.9.0 RC1 release
> *  Updating the version for the RC1 release
> *  KRB5 child: Don't return System Error on empty password
> *  KRB5 child: handle more error codes gracefully
> *  DB: Cancel transaction in sysdb_store_user if sysdb_add_user fails
> *  Mark the fastcache files in the spec file as %ghost
> *  autofs, sudo, ssh and PAC are not experimental anymore
> *  AUTOFS: Do not fail if search base is not provided
> *  AUTOFS: Add sysdb tests
> *  AUTOFS: Add entry objects below map objects
> *  AUTOFS: Use both key and value in entry RDN
> *  AUTOFS: convert the existing autofs entries during a sysdb upgrade
> *  SYSDB: Remove unnecessary domain parameter from several sysdb calls
> *  DB: Use TALLOC_CTX for talloc context
> *  KRB5: Recover gracefully if the ccache file could not be reused
> *  Detect LDAPDerefRes in configure script
> *  RPM: Create ghost files during install
> *  Set the version number to 1.9.0 for the release
> *  Updating translations for the 1.9.0 release
> 
> Jan Cholasta (29):
> *  Add methods for activating and deactivating services to SSSDConfig
> *  Add ssh service to sssd.api.conf
> *  SSH: Verify that names received from client are valid UTF-8 in responder
> *  SSH: Build man pages conditionally
> *  SSH: Save SSH host name aliases
> *  SSH: Refactor responder and client common code
> *  UTIL: Add function for atomic I/O
> *  SSH: Continue connecting to SSH server even when SSSD is not running in sss_ssh_knownhostsproxy
> *  SSH: Manage global known_hosts file in the responder
> *  SSH: Don't abort known_hosts update when host search fails
> *  SSH: Add more debugging messages
> *  SSH: Add missing break statements to sss_ssh_format_pubkey
> *  SSH: Use fchmod instead of chmod on known_hosts file
> *  SSH: Replace blocking getaddrinfo call in the responder with asynchronous resolver code
> *  SSH: Remove unused --file option of sss_ssh_knownhostsproxy
> *  SSH: Update sss_ssh_knownhostsproxy manual page
> *  Include missing source files to the list of source files which contain translatable strings
> *  SSH: Allow clients to explicitly specify host alias
> *  SSH: Canonicalize host name and do reverse DNS lookup in sss_ssh_knownhostsproxy
> *  SSH: Fix infinite loop in sss_ssh_knownhostsproxy
> *  UTIL: Add HMAC-SHA-1 function
> *  SSH: Add support for hashed known_hosts
> *  SSH: Update sss_ssh_knownhostsproxy manual page
> *  SSH: Suppress error message output in sss_ssh_knownhostsproxy
> *  SSH: Don't abort connection in sss_ssh_knownhostsproxy when DNS records are missing
> *  SSH: Return error code in SSH utility functions
> *  SSH: Simplify public key formatting function
> *  SSH: Add support for OpenSSH-style public keys
> *  SSH: Fix possible infinite loop when updating known_hosts
> 
> Jan Engelhardt (1):
> *  build: resolve link failure
> 
> Jan Vcelak (1):
> * LDAP: Properly cast type for MINSSF value
> 
> Jan Zeleny (87):
> *  Fixed issue with netgroup update in IPA provider
> *  Don't give memory context in confdb where not needed
> *  IPA hosts refactoring
> *  SELinux related attributes added to config API
> *  Delete missing attributes from netgroups to be stored
> *  Modifications to simplify list_missing_attrs
> *  Fix the script path
> *  Fixed uninitialized pointer in SSH known host proxy
> *  Fixed uninitialized pointer in SSH authorized keys client
> *  Add umask before mkstemp() call in SSH responder
> *  Fixed resource leak in ssh client code
> *  Removed a block of dead code in sdap_async_groups.c
> *  Removed unused block of code in sdap_fill_memberships()
> *  Removed unused function sysdb_attrs_users_from_ldb_vals()
> *  Fixed memory context in sdap_fill_memberships()
> *  Fixed minor memory leak in ldap provider
> *  Sysdb routines for subdomains
> *  Add some utility functions for subdomains
> *  Add conn_name to allow different names for domains and connections
> *  Responder part of the subdomain retrieval work
> *  Modified responder_get_domain()
> *  Retrieve subdomains if there is a request for fully qualified user
> *  Ask for subdomains in responder in the first request after startup
> *  New config option for subdomains
> *  Moved expand_homedir_template() from NSS responder to utility code
> *  Add ID operations in subdomains
> *  Send PAM requests for subdomains to the right provider
> *  Basic support for subdomains in auth provider
> *  Carry sysdb context and domain info in be_req structure
> *  Accept be_req instead of be_ctx in LDAP access provider
> *  Detect subdomain request in IPA access provider
> *  Utilize sysdb context within be_req in HBAC
> *  Two fixes in responder subdomain code
> *  Modify behavior of pam_pwd_expiration_warning
> *  Fixed two minor memory leaks
> *  Fixed issue in SELinux user maps
> *  Ghost members - add the ghost attribute to sysdb
> *  Ghost members - support in LDAP provider
> *  Ghost members - support in proxy provider
> *  Ghost members - modifications in sysdb
> *  Ghost members - modifications in memberof plugin
> *  Ghost members - sysdb upgrade routine
> *  Ghost members - NSS responder changes
> *  Ghost members - removed sdap_check_aliases()
> *  Ghost members - modified sss_groupshow
> *  Ghost members - various small changes
> *  Add support for filtering attributes
> *  Utilize attribute exclusion in LDAP initgroups
> *  Fixed setting of debug level in test suite
> *  IPA subdomains - ask for information about master domain
> *  Allow fast memcache timeout to be configurable
> *  Fix an issue in ghost users
> *  Provide "service filter" for SELinux context
> *  Fixed debug message in sdap_save_group()
> *  Fix possible segfault in sdap_save_group()
> *  PAC responder: add some utility functions
> *  PAC responder: test suite
> *  Fix re_expression matching with subdomains
> *  SELinux user maps: pick just one map
> *  Fixed wrong number in shadowLastChange
> *  Add function sysdb_attrs_copy_values()
> *  Modify priority evaluation in SELinux user maps
> *  Added some DEBUG statements into SELinux related code
> *  Extend category support in SELinux user maps
> *  Remove ipa_selinux_map_merge()
> *  Fix linking of HBAC rules and SELinux user maps
> *  Provide counter of possible matches in SELinux IPA provider
> *  Always free request in data provider PAM callback
> *  Renamed session provider to selinux provider
> *  Move SELinux processing from session to account PAM stack
> *  Remove unused member of be_req
> *  Write SELinux config files in responder instead of PAM module
> *  Modify hbac_get_cached_rules() so it can be used outside of HBAC code
> *  Support fetching of HBAC rules from sysdb in SELinux code
> *  Support fetching of host from sysdb in SELinux code
> *  Primary server support: introduce concept of reconnection
> *  Primary server support: basic support in failover code
> *  Primary server support: support for "disconnecting" connections in LDAP
> *  Primary server support: IPA adaptation
> *  Primary server support: krb5 adaptation
> *  Primary server support: LDAP adaptation
> *  Primary server support: AD adaptation
> *  Primary server support: man page, failover section
> *  Primary server support: new option in ldap provider
> *  Primary server support: new options in krb5 provider
> *  Primary server support: new option in IPA provider
> *  Primary server support: new option in AD provider
> 
> Joshua Roys (1):
> * Simple implementation of Netscape password warning expiration control
> 
> Marco Pizzoli (1):
> * Two manual pages fixes
> 
> Michal Zidek (18):
> *  Fixed: Unchecked return value from dp_opt_set_int.
> *  Fixed: Uninitialized value in krb5_child-test if ccname was specified.
> *  Added unit test for sysdb_ssh.c
> *  Return value of fread in src/tools/sss_debuglevel.c no longer ignored.
> *  Change default value of ldap_sasl_string to host/hostname at REALM in man page.
> *  SRV resolution for backup servers should not be permitted.
> *  When ldap_group_nesting_level was reached, the LDAP provider tried to link group members with groups outside nesting limit.
> *  Duplicate detection in fail over did not work.
> *  Typo in debug message (SSSd -> SSSD).
> *  Unify usage of sysdb transactions
> *  Fix: IPv6 address with square brackets doesn't work.
> *  Adding -std=gnu99 flag.
> *  Unify usage of sysdb transactions (part 2).
> *  LDB_ERR_INVALID_ATTRIBUTE_SYNTAX added to sysdb_error_to_errno.
> *  SSSD fails to store users if any of the requested attribute is empty.
> *  tools_util.h provides signal_sssd function.
> *  sss_cache tool invalidates records in memory cache.
> *  Bad debug message when no dns_discovery_domain specified.
> 
> Nick Guay (4):
> *  added DEBUG messages to krb5_child and ldap_child
> *  Fix uninitialized values
> *  First-boot sss_seed tool
> *  remove duplicate sss_obfuscate reference in seealso manpage section
> 
> Ondrej Kos (7):
> *  Removed unused variable assignment
> *  Replaced "id_max" & "id_min"
> *  Backward GOTOs rewritten into do-while loops.
> *  AD context was set to null due to type mismatch
> *  Consolidation of functions that make realm upper-case
> *  Out-of-bounds read fix in hmac-sha-1
> *  Add more debuginfo into ldap_child
> 
> Pavel Březina (96):
> * Improve debug messages in sysdb_sudo_check_time()
> * SUDO responder: check if the input is a UTF-8 string
> * Refactor sss_result into sss_sudo_result
> * Redesign purging of the sudo cache
> * Honor case_sensitive option in sudo responder
> * Move sudo_dom_ctx.user to local variable
> * Hide --debug option in sss_debuglevel
> * Two memory leaks in sss_sudo_get_values
> * Missing debug message if sdap_sudo_refresh_set_timer fails
> * Use of uninitialized value in sudosrv_cache_set_entry and sudosrv_cache_lookup_internal
> * Use of uninitialized value in sss_sudo_parse_response
> * Potential NULL-dereference in sudosrv_cmd_get_sudorules
> * sudo api: check sss_status instead of errnop in sss_sudo_send_recv_generic()
> * Install and uninstall all documentation
> * fix copy and paste error in comment
> * Fix typo in debug message
> * sudo api: remove EOK
> * sudo responder: remove code duplication in commands
> * sudo responder: get rid of dctx where possible
> * sudo sysdb: make sysdb_get_sudo_user_info more configurable
> * sudo api: send uid, username and domainname
> * sudo responder: change protocol version to 1
> * libsss_sudo: bump version to 2:0:1
> * sudo responder: discard in-memory cache
> * sudo ldap provider: move async routines to sdap_async_sudo.c
> * sudo ldap provider: give sdap_sudo_refresh_send() search and purge filters
> * confdb: add entry_cache_sudo_timeout option
> * sudo ldap provider: add sysdb ctx in sdap_sudo_refresh_state
> * sudo ldap provider: add domain info in sdap_sudo_refresh_state
> * sudo ldap provider: add expiration time to each rule
> * sysdb: add getter/setter for last sudo full refresh time
> * sudo ldap provider: provide API for full refresh
> * sudo ldap provider: add support for on demand full refresh
> * sudo ldap provider: provide API for refresh of specific rules
> * sudo ldap provider: add support for on demand refresh of specific rules
> * sudo backend - support only on demand full refresh
> * sudo backend - add support for on demand refresh of specific rules
> * sudo provider: add ldap_sudo_full_refresh_interval
> * sudo provider: remove old timer
> * sudo ldap provider: add new timer API
> * sysdb: remove sudo_set/get_refreshed
> * sudo ldap provider: support periodical full refresh
> * ldap provider: add sudo usn value
> * sudo ldap provider: find highest USN
> * sudo ldap provider: add sdap_sudo_set_usn()
> * sudo ldap provider: remember highest usn after full refresh
> * sudo ldap provider: add smart refresh API
> * sudo ldap provider: when sysdb filter is NULL remove downloaded rules
> * sudo provider: add ldap_sudo_smart_refresh_interval
> * sudo ldap provider: add periodical smart refresh API
> * sudo ldap provider: support periodical smart refresh
> * sudo responder: new request enum type
> * sudo sysdb: add expiration time to the filter
> * sudo responder: allow fetching only expired rules in sudosrv_get_sudorules_query_cache()
> * sudo responder: update dp interface
> * sudo responder: refresh expired rules
> * sudo ldap provider: return number of downloaded rules in sdap_sudo_refresh_recv()
> * sudo ldap provider: notify responder when an expired rule has been deleted
> * sudo responder: schedule OOB full refresh when expired rule is deleted
> * sudo: clean up
> * sudo ldap provider: modify highest USN in sdap_sudo_rules_refresh_done()
> * sdap_sudo.c: move _recv after _done
> * sudo ldap provider: pass sudo_ctx instead of id_ctx
> * sudo: add host info options
> * sudo ldap provider: load host filter configuration on init
> * sudo ldap provider: mark sdap_sudo_setup_periodical_refresh() as static
> * sudo ldap provider: do per-host updates
> * sudo ldap provider: support autoconfiguration of IP addresses
> * sudo: manpage updated
> * resolv_gethostbyname_send: strdup hostname to work properly when hostname is allocated on stack
> * sudo test client: avoid SIGSEGV when run without arguments
> * sdap_sudo.c: add missing end of line in few debug messages
> * add hostid and subdomains sections in sssd-ipa.conf
> * manpage: seealso - include ssh conditionally
> * tests: allow changing cwd in all tests
> * manpage: sssd-sudo - documents how sudo works with sssd
> * sudo ldap provider: support autoconfiguration of hostnames
> * Unbreak SASL
> * tests: build sysdb ssh tests conditionally
> * shadow attributes can contain -1
> * Add end of line to debug message
> * monitor: set debug level when unable to load configuration
> * Remove redefinition of some SYSDB_* macros
> * Rename SYSDB_SUDO_CACHE_AT_OC to SYSDB_SUDO_CACHE_OC
> * Remove SYSDB_SUDO_CACHE_OC from attribute lists
> * Fix LOCAL domain lookups
> * Close LDAP connection when unable to install TLS
> * Unbreak build on RHEL5: replace ldap_destroy() with ldap_unbind_ext()
> * Remove compilation warning: ret may be uninitialized
> * Clean up cache on server reinitialization
> * netgroup: resolve hostgroup membership correctly
> * be_process_init(): free ctx on error
> * backend: initialize sudo only when it is enabled in services
> * Failover: use _srv_ when no primary server is defined
> * rpm: put localized sssd_krb5_locator_plugin manpages into client
> * sdap_add_incomplete_groups(): fix ret may be uninitialized warning
> 
> Rambaldi (2):
> *  heimdal: fix compile error in krb5-child-test
> *  heimdal: use sss_krb5_princ_realm to access realm
> 
> Shantanu Goel (4):
> *  Set return errno to the value prior to calling close().
> *  Log message if close() fails in destructor.
> *  Do not send SIGPIPE on disconnection
> *  Add support for terminating idle connections
> 
> Simo Sorce (31):
> *  nss_group: Cache the result from sssd when the glibc provided buffer is too small.
> *  pam_sss: keep selinux optional
> *  Use the correct hash table for pending requests
> *  util: Helper headers for shared memory cache
> *  nsssrv: shared memory cache server initialization
> *  nsssrv: Add memory cache record handling utils
> *  nsssrv: add handling of memory cache passwd map
> *  sss_client: Add common shared memory cache utils
> *  sss_client: shared memory cache passwd map support
> *  nsssrv: add handling of memory cache group map
> *  sss_client: shared memory cache group map support
> *  Do not leak file descriptors in client libs.
> *  Add close on exec support for old platforms
> *  Fix segfault when sudo is not configured.
> *  Change subdomain_info
> *  tests: Remove useless consts
> *  80 columns police
> *  Fix double semi-colons
> *  Fix wrong elements used in comparison
> *  Use ldb_msg_add_string with bare strings
> *  Fix return error and debug message
> *  Make structure initializer more readable
> *  80 col and style fixes
> *  Use a more tractable name for subdomain request
> *  Add realm parameter to subdomain list
> *  Expose an initializer function from subdomain
> *  Change refreshing of subdomains
> *  Limit refreshes keeping track of last refresh time
> *  Add online callback to enumerate subdomains
> *  Add automatic periodic retrieval of subdomains
> *  Remove obsolete comment
> 
> Stef Walter (10):
> *  Fix erroneous reference to the 'allow' access_provider
> *  execv, excvp and exec_child never return EOK
> *  If canon'ing principals, write ccache with updated default principal
> *  Remove erroneous failure message in find_principal_in_keytab
> *  Limit krb5_get_init_creds_keytab() to etypes in keytab
> *  Clearer documentation for use_fully_qualified_names
> *  Make re_expression and full_name_format per domain options
> *  Move some debug lines to new debug log levels
> *  Fix crash when interface doesn't have an address
> *  Revert commit 4c157ecedd52602f75574605ef48d0c48e9bfbe8
> 
> Stephen Gallagher (178):
> *  Set version to 1.9dev
> *  Updating translatable strings for string freeze
> *  Updating translations
> *  Remove dead code
> *  Fix missing NULL check after malloc
> *  Avoid uninitialized value comparison
> *  Add missing breaks to switch statements
> *  Fix uninitialized in_transaction
> *  Fix bad failure handling in be_sudo_handler()
> *  Check for failure in sss_packet_grow()
> *  Fix uninitialized value error in proxy provider
> *  Ensure NULL-termination in get_uid_from_pid()
> *  Move sss_ssh_* binaries to the main 'sssd' package
> *  Always include all manpage XML files in the distribution tarball
> *  Fix missing %endif in sssd.spec.in
> *  NSS: Always return the same protocol that was requested
> *  LDAP: Ignore group member users that do not have name attributes
> *  RESPONDERS: Allow increasing the file-descriptor limit
> *  RESPONDERS: Make the fd_limit setting configurable
> *  Add tool to convert debug levels
> *  IPA: Add ipa_parse_search_base()
> *  LDAP: Properly assign orig_dn
> *  LDAP: Only use paging control on requests for multiple entries
> *  LDAP: Remove unnecessary filter sanitize
> *  Eliminate build-time requirement for nscd
> *  PAM: Don't send PAM_SYSTEM_INFO message if module unset
> *  Fix typo in autofs option description
> *  Include the debug_level upgrade tool in the tarball
> *  Include new manpages in translations
> *  Fix typo in script name
> *  Handle cases where UID is -1
> *  IPA: Set the DNS discovery domain to match ipa_domain
> *  IPA: Fix segfault with srchost functionality enabled
> *  DP: Reorganize memory hierarchy of requests
> *  Prune python provides correctly
> *  Make RPM spec more explicit
> *  Build experimental features by default in RPMs
> *  Properly terminate GIT_CHECKOUT
> *  LDAP: Make sdap_access_send/recv public
> *  IPA: Check nsAccountLock during PAM_ACCT_MGMT
> *  PROXY: Create fake user entries for group lookups
> *  SSH: Fix missing semicolon
> *  IPA: Initialize hbac_ctx to NULL
> *  i18n: Remove empty translations
> *  LDAP: Add AD 2008r2 schema
> *  IPA: Allow service lookups
> *  SYSDB: Save only lowercased aliases in case-insensitive domains
> *  LDAP: Errors retrieving the RootDSE should not be fatal
> *  NSS: Fix debug message
> *  Start SSSD earlier and stop it later
> *  LDAP: Add better error logging when ldap_result() fails
> *  LDAP: Fix memory leaks in synchronous_tls_setup
> *  BUILDSYS: Create common libs for LDAP and KRB5 sources
> *  Put dp_option maps in their own file
> *  Add terminator for dp_option
> *  Add better dp_option tests
> *  Add terminator for sdap_attr_map
> *  Add better tests for sdap_attr compatibility
> *  Remove old compatibility tests
> *  Fix building manpages in parallel build dirs
> *  Clean up log messages about keytab_name
> *  MAN: Improve ldap_disable_paging documentation
> *  MAN: Add ldap_sasl_minssf to the manpage
> *  Fix linker issue with pam_sss
> *  murmurhash: Relax inline requirement
> *  Handle endianness issues on older systems
> *  SYSDB: Handle upgrade script failures better
> *  LDAP: Add objectSID config option
> *  LDAP: Add id-mapping option
> *  SYSDB: Add sysdb routines for ID-mapping
> *  LDAP: Add helper routines for ID-mapping
> *  LDAP: Add ID mapping range settings
> *  LDAP: Initialize ID mapping when configured
> *  LDAP: Enable looking up ID-mapped users by name
> *  LDAP: Add autorid compatibility mode
> *  LDAP: Allow setting a default domain for id-mapping slice 0
> *  LDAP: Add routine to extract domain SID from an object SID
> *  LDAP: Allow automatically-provisioning a domain and range
> *  LDAP: Enable looking up id-mapped users by UID
> *  LDAP: Allow looking up ID-mapped groups by name
> *  LDAP: Enable looking up id-mapped groups by GID
> *  LDAP: Map the user's primaryGroupID
> *  LDAP: Add helper routine to convert LDAP blob to SID string
> *  LDAP: Do not remove uidNumber and gidNumber attributes when saving id-mapped entries
> *  LDAP: Add helper function to map IDs
> *  LDAP: Treat groups with unmappable SIDs as non-POSIX groups
> *  MAN: Add manpage for ID mapping
> *  LDAP: Add support for enumeration of ID-mapped users and groups
> *  SSSDConfigAPI: Fix missing option in tests
> *  NSS: Add fallback_homedir option
> *  NSS: Add default_shell option
> *  SYSDB: Add better error logging to sysdb_set_entry_attr()
> *  LDAP: Add attr_count return value to build_attrs_from_map()
> *  LDAP: Handle very large Active Directory groups
> *  Updating translations for 1.9.0 beta 1 release
> *  Bumping version to 1.8.91 for 1.9.0 beta 1 release
> *  Bumping version to 1.8.92 for beta 2 development
> *  RPM: Allow running 'make rpms' on RHEL 5 machines
> *  NSS: Expire in-memory netgroup cache before the nowait timeout
> *  Always use positional arguments in translatable strings
> *  KRB5: Avoid NULL-dereference with empty keytab
> *  Update translation sources
> *  NSS: Fix segfault when mmap cache cannot be initialized
> *  NSS: Restore original protocol for getservbyport
> *  SSSDConfig: Make SSSDConfig a package
> *  SSSDConfig: Make default config and schema file locations configurable
> *  PAM: Better pam_reply message
> *  SYSDB: Reduce noise level of debug messages in lookups
> *  LDAP: Remove redundant check
> *  LDAP: Fix incorrect switch statement in sdap_get_initgr_done()
> *  LDAP: Add helper function to get list of a user's groups from sysdb
> *  LDAP: Make sdap_initgr_common_store() non-static
> *  LDAP: Add ldap_*_use_matching_rule_in_chain options
> *  LDAP: Add support for AD chain matching extension in group lookups
> *  LDAP: Add support for AD chain matching extension in initgroups
> *  LDAP: Auto-detect support for the ldap match rule
> *  LDAP: Fix missing variable in debug message
> *  SSS_CLIENT: Fix uninitialized value error
> *  Fix compilation on older little-endian systems
> *  KRB5: Update DEBUG macros for create_ccache_dir and find_ccdir_parent_data
> *  KRB5: Auto-detect DIR cache support in configure
> *  KRB5: Avoid shadowing dirname
> *  Updating translations for 1.9.0 beta 2 release
> *  Bumping version to 1.9.0 beta 3
> *  Fix typo breaking DIR cache detection
> *  Make the client idle timeout configurable
> *  UTILS: Fix segfault due to sss_parse_name_for_domains
> *  BUILD: Change default unicode library to glib2
> *  Update translations for 1.9.0 beta 3 release
> *  Bumping version to 1.9.0 beta 4
> *  TESTS: Print messages when LDAP options do not match
> *  DEBUG: Log to syslog if we are unable to open a debug fd
> *  KRB5: Initialize the credential cache type properly
> *  IPA: Don't hang onto memory longer than necessary
> *  LDAP: Print extended failure message for SASL bind
> *  MAN: Unify "SEE ALSO" sections
> *  KRB5: Some logging enhancements for krb5_child
> *  KRB5_LOCATOR: Print the filename that couldn't be opened
> *  KRB5: Drop memctx parameter of krb5_try_kdcip
> *  KRB5: Create a common init routine for krb5_child options
> *  LDAP: Rename user and group maps for AD
> *  AD: Add AD identity provider
> *  AD: Add AD auth and chpass providers
> *  AD: Add AD access-control provider
> *  AD: Add AD provider to the spec file
> *  AD: use krb5_keytab for validation and GSSAPI
> *  AD: Add manpages and SSSDConfig entries
> *  CONFDB: Add the ability to set a boolean value in the confdb
> *  AD: Force case-insensitive operation in AD provider
> *  Fix use-after-free
> *  Fix uninitialized variable
> *  Fix potential NULL-dereference
> *  Fix potential NULL-dereference
> *  Fix incorrect return value in tests
> *  Fix potential NULL-dereference
> *  Fix uninitialized value return
> *  Fix uninitialized memcpy error
> *  Avoid NULL-dereference in error-handling
> *  Add missing return value check
> *  Check for errors from krb5_unparse_name
> *  Fix incorrect error-check
> *  Fix segfault when using local provider
> *  AD: Add missing DP option terminator
> *  AD: Fix defaults for krb5_canonicalize
> *  MAN: List all available backends for provider options
> *  MAN: Improvements to the AD provider manpage
> *  NSS: Add override_shell option
> *  SYSDB: Add log message for unexpected LDB errors
> *  SSSDConfig: Fix nonfunctional SSSDDomain.remove_provider()
> *  IPA: Do not attempt to close the same file twice
> *  IPA: Securely set umask for mkstemp in subdomain provider
> *  MAN: Fix minor typo in ldap_search_base section
> *  MAN: Improve description of ldap_*_search_base options
> *  SYSDB: Make sysdb_attrs_get_el_int() public
> *  AD: autorid compatibility should recommend the use of default domain
> *  AD: Detect domain controller compatibility version
> *  AD: Optimize initgroups lookups with tokenGroups
> *  AD: Handle sysdb lookup failure during tokenGroups processing
> 
> Sumit Bose (40):
> * Use curly braces in pkgconfig metadata file
> * Keep sysdb context in domain info struct
> * Remove sysdb_get_ctx_from_list()
> * Always initialize the returned data in sss_krb5_princ_realm()
> * Add idmap library
> * Check sub-domains in nss_cmd_get{pwuid|grgid}_search()
> * data provider: added subdomains
> * IPA: Add get-domains target
> * Add domain name to get_account_info request
> * Add s2n extended operation
> * Allow different SID representations in libidmap
> * Fix typo in spec file
> * Fix endian issue in SID conversion
> * Rename struct dom_sid to struct sss_dom_sid
> * Fix libsss_hbac library version
> * sss_idmap: add support for samba struct dom_sid
> * sss_idmap: fix typo which prevents sub auth larger than 2^31
> * PAC responder: add basic infrastructure
> * PAC responder: add the core functionality
> * PAC responder: support in spec file
> * PAC client: add basic support in common client code
> * PAC client: add krb5 authdata plugin
> * Add support for ID ranges
> * Add range support to PAC responder
> * Try to build PAC responder only if all dependencies are available
> * Build pac responder tests only if pac responder is built
> * Add man page section for the PAC responder
> * Set default for subdomain_homedir
> * Fix SSSDConfigTest for separate build directories
> * Set file descriptor limits in pac responder
> * Remove resource leak in sssdpac_import_authdata
> * Remove dead code in ipa_subdomains_handler_done()
> * pac responder: limit access by checking UIDs
> * Add python bindings for murmurhash3
> * accept_fd_handler: add missing return
> * Fix fallback in validate_tgt()
> * Use new debug levels in validate_tgt()
> * Check flat names when searching for sub-domains as well
> * Add provider specific default regular expressions
> * Make subdomain discovery less noisy
> 
> Ville Skyttä (1):
> * Require and call ldconfig from subpackages if appropriate
> 
> Yuri Chornoivan (5):
> *  fix typos in manual
> *  Fix typo: retreiving->retrieving
> *  Fix typos in message and man pages.
> *  Fix typo: exhasution->exhaustion.
> *  Fix various typos in documentation.
> _______________________________________________
> sssd-devel mailing list
> sssd-devel at lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel


-- 
Jenny Galipeau <jgalipea at redhat.com>
Manager, Quality Assurance
Red Hat, Inc. Identity Management Engineering

