SSSD 1.13.4
===========

Highlights
----------

-  The IPA sudo provider was reimplemented. The new version reads the
   data from IPA's LDAP tree (as opposed to the compat tree populated by
   the ``slapi-nis`` plugin that was used previously). The benefit is
   that deployments which don't require the compat tree for other
   purposes, such as support for non-SSSD clients, can disable those
   autogenerated LDAP trees to conserve the resources that slapi-nis
   otherwise requires. There should be no visible changes to the end
   user.
-  SSSD now has the ability to renew the machine credentials (keytabs)
   when the ``ad`` provider is used. Please note that a recent version
   of the ``adcli`` (0.8 or newer) package is required for this feature
   to work.
-  The automatic ID mapping feature was improved so that the
   administrator is no longer required to manually set the range size in
   case a RID in the AD domain is larger than the default range size.
-  A potential infinite loop in the NFS ID mapping plugin that resulted
   in excessive memory usage was fixed.
-  Clients that are pinned to a particular AD site using the ``ad_site``
   option no longer communicate with DCs outside that site during
   service discovery.
-  The IPA identity provider is now able to resolve external (typically
   coming from a trusted AD forest) group members during
   get-group-information requests. Please note that resolving external
   group memberships for AD users during the initgroup requests used to
   work even prior to this update. This feature is mostly useful for
   cases where an IPA client is using the compat tree to resolve AD
   trust users.
-  The IPA ID views feature now works correctly even for deployments
   without a trust relationship. Previously, the ``subdomains`` IPA
   provider failed to read the views data if no master domain record was
   created on the IPA server during trust establishment.
-  A race condition in the client libraries between the SSSD closing the
   socket as idle and the client application using the socket was fixed.
   This bug manifested with a ``Broken Pipe`` error message on the
   client.
-  SSSD is now able to resolve users with the same usernames in
   different OUs of an AD domain.
-  The smartcard authentication now works properly with
   ``gnome-screensaver``.

Packaging Changes
-----------------

-  The ``krb5.include.d`` directory is now owned by the ``sssd`` user
   and packaged in the ``krb5-common`` subpackage.

Documentation Changes
---------------------

-  A new option ``ldap_idmap_helper_table_size`` was added. This option
   can help tune the allocation of new ID mapping slices for AD domains
   with high RID values. Most deployments can use the default value of
   this option.
-  Several PAM services were added to the lists that are used to map
   Windows logon services to GNU/Linux PAM services. The newly added PAM
   services include login managers (``lightdm``, ``lxdm``, ``sddm`` and
   ``xdm``) as well as the ``cockpit`` service.
-  The AD machine credentials renewal task can be fine-tuned using the
   ``ad_machine_account_password_renewal_opts`` option to change the
   initial delay and period of the credentials renewal task. In
   addition, the new ``ad_maximum_machine_account_password_age`` option
   allows the administrator to select how old the machine credential
   must be before trying to renew it.
-  The administrator can use the new option
   ``pam_account_locked_message`` to set a custom informational message
   when the account logging in is locked.

Tickets Fixed
-------------

.. raw:: html

   <div>

`#1041 <https://pagure.io/SSSD/sssd/issue/1041>`__
    [RFE] Support Automatic Renewing of Kerberos Host Keytabs
`#1108 <https://pagure.io/SSSD/sssd/issue/1108>`__
    [RFE] SUDO: Support the IPA schema
`#2188 <https://pagure.io/SSSD/sssd/issue/2188>`__
    automatically assign new slices for any AD domain
`#2522 <https://pagure.io/SSSD/sssd/issue/2522>`__
    [RFE] IPA: resolve external group memberships of IPA groups during
    getgrnam and getgrgid
`#2626 <https://pagure.io/SSSD/sssd/issue/2626>`__
    Retry EPIPE from clients
`#2764 <https://pagure.io/SSSD/sssd/issue/2764>`__
    the colondb interface has no unit tests
`#2765 <https://pagure.io/SSSD/sssd/issue/2765>`__
    ad\_site parameter does not work
`#2785 <https://pagure.io/SSSD/sssd/issue/2785>`__
    incompatibility between sparkleshare and sss\_ssh\_knownhostsproxy
    due to setlocale()
`#2791 <https://pagure.io/SSSD/sssd/issue/2791>`__
    sssd dereference processing failed : Input/output error
`#2829 <https://pagure.io/SSSD/sssd/issue/2829>`__
    collapse\_srv\_lookups frees fo\_server structure that is returned
    by fail over API
`#2839 <https://pagure.io/SSSD/sssd/issue/2839>`__
    Allow SSSD to notify user of denial due to AD account lockout
`#2849 <https://pagure.io/SSSD/sssd/issue/2849>`__
    cache\_req: don't search override values in LDAP when using LOCAL
    view
`#2865 <https://pagure.io/SSSD/sssd/issue/2865>`__
    sssd\_nss memory usage keeps growing on sssd-1.12.4-47.el6.x86\_64
    (RHEL6.7) when trying to retrieve non-existing netgroups
`#2881 <https://pagure.io/SSSD/sssd/issue/2881>`__
    MAN: Clarify that subdomains always use service discovery
`#2888 <https://pagure.io/SSSD/sssd/issue/2888>`__
    SRV lookups with id\_provider=proxy and auth\_provider=krb5
`#2899 <https://pagure.io/SSSD/sssd/issue/2899>`__
    [sssd] Trusted (AD) user's info stays in sssd cache for much more
    than expected.
`#2902 <https://pagure.io/SSSD/sssd/issue/2902>`__
    Review and update wiki pages for 1.13.4
`#2904 <https://pagure.io/SSSD/sssd/issue/2904>`__
    sssd\_be AD segfaults on missing A record
`#2906 <https://pagure.io/SSSD/sssd/issue/2906>`__
    Cannot retrieve users after upgrade from 1.12 to 1.13
`#2909 <https://pagure.io/SSSD/sssd/issue/2909>`__
    extreme memory usage in libnfsidmap sss.so plug-in when resolving
    groups with many members
`#2910 <https://pagure.io/SSSD/sssd/issue/2910>`__
    sssd mixup nested group from AD trusted domains
`#2912 <https://pagure.io/SSSD/sssd/issue/2912>`__
    refresh\_expired\_interval stops sss\_cache from working
`#2917 <https://pagure.io/SSSD/sssd/issue/2917>`__
    Properly remove OriginalMemberOf attribute in SSSD cache if user has
    no secondary groups anymore
`#2922 <https://pagure.io/SSSD/sssd/issue/2922>`__
    ID mapping - bug in computing max id for slice range
`#2925 <https://pagure.io/SSSD/sssd/issue/2925>`__
    Add gnome-screensaver to the list of PAM services considered for
    Smartcard authentication
`#2931 <https://pagure.io/SSSD/sssd/issue/2931>`__
    Warn if user cannot read krb5.conf
`#2934 <https://pagure.io/SSSD/sssd/issue/2934>`__
    After removing certificate from user in IPA and even after
    sss\_cache, FindByCertificate still finds the user
`#2937 <https://pagure.io/SSSD/sssd/issue/2937>`__
    sss\_obfuscate: SyntaxError: Missing parentheses in call to 'print'
`#2938 <https://pagure.io/SSSD/sssd/issue/2938>`__
    Cannot start sssd after switching to non-root
`#2959 <https://pagure.io/SSSD/sssd/issue/2959>`__
    The delete operation of the memberof plugin allocates memory on NULL
    context
`#2960 <https://pagure.io/SSSD/sssd/issue/2960>`__
    IPA view: view name not stored properly with default FreeIPA
    installation
`#2961 <https://pagure.io/SSSD/sssd/issue/2961>`__
    Initgroups in AD provider might fail if user is stored in a
    non-default ou
`#2962 <https://pagure.io/SSSD/sssd/issue/2962>`__
    GPO: Access denied in non-root mode
`#2964 <https://pagure.io/SSSD/sssd/issue/2964>`__
    GPO: Access denied after blocking connection to AD.
`#2969 <https://pagure.io/SSSD/sssd/issue/2969>`__
    sudorule not working with ipa sudo\_provider on older freeipa
`#2970 <https://pagure.io/SSSD/sssd/issue/2970>`__
    sudo smart refresh does not work correctly on openldap
`#2971 <https://pagure.io/SSSD/sssd/issue/2971>`__
    SSSD PAM module does not support multiple password prompts (e.g.
    Password + Token) with sudo
`#2972 <https://pagure.io/SSSD/sssd/issue/2972>`__
    IPA sudo: support the externalUser attribute
`#2980 <https://pagure.io/SSSD/sssd/issue/2980>`__
    sssd\_be[11010]: segfault at 0 ip 00007ff889ff61bb sp
    00007ffc7d66a3b0 error 4 in libsss\_ipa.so[7ff889fcf000+5d000]
`#2989 <https://pagure.io/SSSD/sssd/issue/2989>`__
    local overrides: issues with sub-domain users and mixed case names

.. raw:: html

   </div>

Detailed Changelog
------------------

Dan Lavu (1):

-  PAM: Fix man for pam\_account\_{expired,locked}\_message

David Disseldorp (1):

-  build: detect endianness at configure time

Jakub Hrozek (17):

-  Upgrading the version for the 1.13.4 release
-  SDAP: Make it possible to silence errors from dereference
-  Add a new option ldap\_group\_external\_member
-  IPA: Add interface to call into IPA provider from LDAP provider
-  LDAP: Use the IPA provider interface to resolve external group
   members
-  FO: Don't free rc-allocated structure
-  tests: Reduce failover code duplication
-  FO: Use refcount to keep track of servers returned to callers
-  FO: Use tevent\_req\_defer\_callback() when notifying callers
-  memberof: Don't allocate on a NULL context
-  tests: Add a unit test for the external groups resolution
-  MAN: Remove duplicate description of the
   pam\_account\_locked\_message option
-  AD: Recognize Windows Server 2016
-  memberof: Fix a memory leak when removing ghost users
-  memberof: Don't allocate on NULL when deleting memberUids
-  tests: Check NULL context in sysdb-tests when removing group members
-  Updating translations for the 1.13.4 release

Lukas Slebodnik (33):

-  SPEC: Change package ownership of %{pubconfpath}/krb5.include.d
-  CONFIGURE: Replace obsoleted macro AC\_PROG\_LIBTOOL
-  TESTS: Fix race condition in python test
-  PYTHON: sss\_obfuscate should work with python3
-  PYTHON: Fix pep8 errors in sss\_obfuscate
-  UTIL: Backport error code ERR\_ACCOUNT\_LOCKED
-  sss\_idmap-tests: Fix segmentation fault
-  krb5\_child: Warn if user cannot read krb5.conf
-  Fix typos reported by lintian
-  UTIL: Use prefix for debug function
-  UTIL: Provide varargs version of debug\_fn
-  UTIL: Use sss\_vdebug\_fn for callbacks
-  Revert "DEBUG: Preventing chown\_debug\_file if journald on"
-  DEBUG: Ignore ENOENT for change owner of log files
-  TOOLS: Fix minor memory leak in sss\_colondb\_writeline
-  CI: Use yum-deprecated instead of dnf
-  FAIL\_OVER: Fix warning value computed is not used
-  UTIL: Fix indentation in dlinklist.h
-  UTIL: Fix warning misleading-indentation
-  CLIENT: Reduce code duplication
-  CLIENT: Retry request after EPIPE
-  UTIL: Move debug part from util.h -> new debug.h
-  UTIL: Allow to append new line in sss\_vdebug\_fn
-  AUTOMAKE: Force usage of parallel test harness
-  CI: Use make check instead of make-check-wrap
-  test\_ipa\_subdom\_server: Workaround for slow krb5 + SELinux
-  SPEC: Run extra unit tests with epel
-  GPO: Soften umask in gpo\_child
-  GPO\_CHILD: Create directories in gpo\_cache with right permissions
-  GPO: Process GPOS in offline mode if ldap search failed
-  IPA: Check RDN in ipa\_add\_ad\_memberships\_get\_next
-  dp\_ptask: Fix memory leak in synchronous ptask
-  test\_be\_ptask: Check leaks in tests

Michal Židek (6):

-  NSS: do not skip cache check for netgroups
-  util: Continue if setlocale fails
-  server\_setup: Log failed attempt to set locale
-  tests: Run intgcheck without libsemanage
-  tests: Regression test with wrong LC\_ALL
-  GPO: log specific ini parse error messages

Pavel Březina (37):

-  AD SRV: prefer site-local DCs in LDAP ping
-  SDAP: do not fail if refs are found but not processed
-  SDAP: Add request that iterates over all search bases
-  SDAP: rename sdap\_get\_id\_specific\_filter
-  SDAP: support empty filters in sdap\_combine\_filters()
-  SUDO: use sdap\_search\_bases instead of custom sb iterator
-  SUDO: make sudo sysdb interface more reusable
-  SUDO: move code shared between ldap and ipa to separate module
-  SUDO: allow to disable ptask
-  SUDO: fail on failed request that cannot be retried
-  IPA: add ipa\_get\_rdn and ipa\_check\_rdn
-  SDAP: use ipa\_get\_rdn() in nested groups
-  IPA SUDO: choose between IPA and LDAP schema
-  IPA SUDO: Add ipasudorule mapping
-  IPA SUDO: Add ipasudocmdgrp mapping
-  IPA SUDO: Add ipasudocmd mapping
-  IPA SUDO: Implement sudo handler
-  IPA SUDO: Implement full refresh
-  IPA SUDO: Implement rules refresh
-  IPA SUDO: Remember USN
-  SDAP: Add sdap\_or\_filters
-  IPA SUDO: Implement smart refresh
-  SUDO: sdap\_sudo\_set\_usn() do not steal usn
-  SUDO: remove full\_refresh\_in\_progress
-  SUDO: assume zero if usn is unknown
-  SUDO: allow disabling full refresh
-  SUDO: remember usn as number instead of string
-  SUDO: simplify usn filter
-  IPA SUDO: Add support for ipaSudoRunAsExt\* attributes
-  sdap\_connect\_send: fail if uri or sockaddr is NULL
-  cache\_req: simplify cache\_req\_cache\_check()
-  cache\_req: do not lookup views if possible
-  remove user certificate if not found on the server
-  IPA SUDO: download externalUser attribute
-  IPA SUDO: fix typo
-  IPA SUDO: support old ipasudocmd rdn
-  SUDO: be able to parse modifyTimestamp correctly

Pavel Reichl (11):

-  sudo: remove unused param name in sdap\_sudo\_get\_usn()
-  sudo: remove unused param. in ldap\_get\_sudo\_options
-  IDMAP: Fix computing max id for slice range
-  IDMAP: New structure for domain range params
-  IDMAP: Add support for automatic adding of ranges
-  IDMAP: Fix minor memory leak
-  IDMAP: Man change for ldap\_idmap\_range\_size option
-  NSS: Fix memory leak netgroup
-  IDMAP: Add test to validate off by one bug
-  SDAP: Add return code ERR\_ACCOUNT\_LOCKED
-  PAM: Pass account lockout status and display message

Petr Cech (6):

-  KRB5: Adding DNS SRV lookup for krb5 provider
-  TOOLS: Fix memory leak after getline() failed
-  TOOLS: Add comments on functions in colondb
-  TEST\_TOOLS\_COLONDB: Add tests for sss\_colondb\_\*
-  REFACTOR: umask(077) --> umask(SSS\_DFL\_X\_UMASK)
-  REFACTOR: umask(0177) --> umask(SSS\_DFL\_UMASK)

Stephen Gallagher (2):

-  GPO: Add Cockpit to the Remote Interactive defaults
-  GPO: Add other display managers to interactive logon

Sumit Bose (20):

-  nfs idmap: fix infinite loop
-  Use right domain for user lookups
-  sdap\_save\_grpmem: determine domain by SID if possible
-  ipa\_s2n\_save\_objects(): use configured user and group timeout
-  ldap: remove originalMemberOf if there is no memberOf
-  UTIL: allow to skip default options for child processes
-  DP\_TASK: add be\_ptask\_get\_timeout()
-  AD: add task to renew the machine account password if needed
-  FO: add fo\_get\_active\_server()
-  FO: add be\_fo\_get\_active\_server\_name()
-  AD: try to use current server in the renewal task
-  p11: add gnome-screensaver to list of allowed services
-  IPA: lookup idview name even if there is no master domain record
-  IPA: invalidate override data if original view is missing
-  sdap: improve filtering of multiple results in GC lookups
-  pam\_sss: reorder pam\_message array
-  sss\_override: do not generate DN, search object
-  tools: read additional data of the master domain
-  sss\_override: only add domain if name is not fully qualified
-  intg: local override for user with mixed case name