SSSD 2.2.3
==========


Highlights
----------

New features
^^^^^^^^^^^^
* allow_missing_name now treats empty strings the same as missing names.
* 'soft_ocsp' and 'soft_crl options have been added to make the checks for
  revoked certificates more flexible if the system is offline.
* Smart card authentication in polkit is now allowed by default.
* ssh_use_certificate_matching_rules now allows no_rules and all_rules values
  (see man page for description).

Notable bug fixes
^^^^^^^^^^^^^^^^^
* Fixed several memory management errors that caused SSSD to crash under some
  circumstances.
* Handling of FreeIPA users and groups containing '@' sign now works.
* Issue when autofs was unable to mount shares was fixed.
* SSSD was unable to hande ldap_uri containing URIs with different port numbers.
  This was fixed.

Packaging Changes
-----------------
* Added sssd-ldap-attributes man page.

Documentation Changes
---------------------
* Added new sssd-ldap-attributes man page.
* Added option monitor_resolv_conf.
* Added option ssh_use_certificate_matching_rules
* Improved AD GPO options man page.
* Improved sssd-systemtap man page.

Tickets Fixed
-------------

 * `2607 <https://pagure.io/SSSD/sssd/issue/2607>`_ - sssd should not always read entire autofs map from ldap
 * `2660 <https://pagure.io/SSSD/sssd/issue/2660>`_ - SSSD service is crashing: dbus_watch_handle() is invoked with corrupted 'watch' value
 * `2710 <https://pagure.io/SSSD/sssd/issue/2710>`_ - Propagate error about multiple entries found from cache_req to responder
 * `3078 <https://pagure.io/SSSD/sssd/issue/3078>`_ - use the ERROR and PRINT macros consistently
 * `3219 <https://pagure.io/SSSD/sssd/issue/3219>`_ - [RFE] Regular expression used in sssd.conf not being able to consume an @-sign in the user/group name.
 * `3583 <https://pagure.io/SSSD/sssd/issue/3583>`_ - Stop calling umask(0) in selinux_child now that libsemanage has been fixed
 * `3677 <https://pagure.io/SSSD/sssd/issue/3677>`_ - [RFE] SSSD smart smard card, configure to soft fail when CRL not available
 * `3864 <https://pagure.io/SSSD/sssd/issue/3864>`_ - sss_ssh_authorizedkeys: no output when attribute value contains trailing whitespace
 * `3914 <https://pagure.io/SSSD/sssd/issue/3914>`_ - test_pam_responder.py needs improvement
 * `3938 <https://pagure.io/SSSD/sssd/issue/3938>`_ - sssctl config-check giving the wrong error message when there are only snippet files and no sssd. conf
 * `3995 <https://pagure.io/SSSD/sssd/issue/3995>`_ - SSSDConfig: some options are unknown
 * `4024 <https://pagure.io/SSSD/sssd/issue/4024>`_ - Non FIPS140 compliant usage of PRNG
 * `4030 <https://pagure.io/SSSD/sssd/issue/4030>`_ - sss_obfuscate fails to rewriting comments
 * `4073 <https://pagure.io/SSSD/sssd/issue/4073>`_ - Let IPA client read IPA objects via LDAP and not via extdom plugin when resolving trusted users and groups
 * `4078 <https://pagure.io/SSSD/sssd/issue/4078>`_ - Trusted domain user logins succeed after using ipa trustdomain-disable
 * `4080 <https://pagure.io/SSSD/sssd/issue/4080>`_ - Improve `sssd_nss` debug messages
 * `4081 <https://pagure.io/SSSD/sssd/issue/4081>`_ - systemctl status sssd says No such file or directory about "default" when keytab exists but is empty file
 * `4085 <https://pagure.io/SSSD/sssd/issue/4085>`_ - support for defaults entry is failing in sssd sudo against Openldap server
 * `4094 <https://pagure.io/SSSD/sssd/issue/4094>`_ - sss_client: usage of srand()/rand() may be disruptive for the user of lib
 * `4100 <https://pagure.io/SSSD/sssd/issue/4100>`_ - KCM: ccache is created with kdc_offset=INT32_MAX
 * `4101 <https://pagure.io/SSSD/sssd/issue/4101>`_ - [RFE] pam_sss allow_missing_name should allow whitespace-only string
 * `4102 <https://pagure.io/SSSD/sssd/issue/4102>`_ - Null dereference in sssctl/sssctl_domains.c:sssctl_domain_status_active_server()
 * `4111 <https://pagure.io/SSSD/sssd/issue/4111>`_ - automount on RHEL7 gives the message 'lookup(sss): setautomntent: No such file or directory'
 * `4112 <https://pagure.io/SSSD/sssd/issue/4112>`_ - ldap_uri failover doesn't work with different ports
 * `4114 <https://pagure.io/SSSD/sssd/issue/4114>`_ - sssd failover leads to delayed and failed logins
 * `4115 <https://pagure.io/SSSD/sssd/issue/4115>`_ - Smart Card authentication in polkit
 * `4116 <https://pagure.io/SSSD/sssd/issue/4116>`_ - autofs: delete possible duplicate of an autofs entry
 * `689 <https://pagure.io/SSSD/sssd/issue/689>`_ - Split sssd-ldap man page


Detailed changelog
------------------

* Alex Rodin (7):
     * Added ERROR and PRINT macros to the tools
     * Update sss_ssh.c
     * Update __init__.py.in
     * Added PRINT macro in the sssctl tool
     * Update README.md
     * Updated test_pam_responder.py
     * Created a new sssd-ldap-attributes.5 man page

* Alexey Tikhonov (39):
     * providers/ipa/: add_v1_user_data() amended
     * responder/cache_req: added debug helper function
     * responder/nss: improved debug messages
     * responder/nss: DCE
     * responder: log cmdline of client pid
     * SSS_CLIENT: got rid of using PRNG
     * util/server: amended close_low_fds()
     * util/sss_krb5.c: elimination of unreachable code
     * util/sss_krb5: find_principal_in_keytab() was amended
     * util/sss_krb5: fixed few memory handling issues
     * util/sss_krb5: debug messages fixes
     * sssctl/sssctl_domains.c: null dereference fixed
     * MMAP_CACHE: use CSPRNG to init hash table seed
     * Moved unsecure sss_rand() out of crypto lib
     * Reduces code duplication
     * sss_ssh_knownhostsproxy: relocated O_NONBLOCK setting
     * sss_ssh_knownhostsproxy: fixed Coverity issue
     * util/sss_krb5: amended sss_krb5_get_error_message()
     * Amended sss_krb5_get_error_message() usage.
     * ldap_child: sanitization of error handling
     * KEYTAB_CLEAN_NAME macro was replaced
     * SBUS: defer deallocation of sbus_watch_ctx
     * util/server.c: become_daemon() made static
     * server:become_daemon(): got rid of unused codepath
     * server:become_daemon(): handle fail of fork()
     * server:become_daemon(): fixed waitpid()-loop
     * server:become_daemon(): fix read of uninitialized value
     * server:become_daemon(): change handling of chdir() fail
     * server:become_daemon(): handle fail of setsid()
     * util/memory: sanitization
     * util/memory: helper(s) to securely erase mem was reworked
     * tools/sss_seed: proper zeroization of sensitive data
     * util: fixed potential mem leak in s3crypt_gen_salt()
     * util/sha512_crypt_r: got rid of redundant mem align
     * util/sha512_crypt_r: removed misleading comments
     * util/sha512_crypt_r: proper zeroization of sensitive data
     * db/sysdb_ops: proper zeroization of sensitive data
     * util/authtok: set destructor in sss_authtok_new()
     * LDAP: proper handling of master password

* Ariel O. Barria (1):
     * sss_obfuscate: do not fail if sssd.conf contains non-ascii characters

* Fabiano Fidêncio (1):
     * TESTS: Re-add tests for `kdestroy -A`

* Jakub Hrozek (3):
     * KCM: Fix typo in allocation check
     * KCM: Set kdc_offset to zero initially
     * sudo: use objectCategory instead of objectClass in ad sudo provider

* Jakub Jelen (1):
     * Allow smart card authentication in polkit

* Lukas Slebodnik (1):
     * IFP: Fix talloc hierarchy for members of struct ifp_list_domains_state

* MIZUTA Takeshi (4):
     * sss_client/idmap/common_ex.c: fix sss_nss_timedlock() to return errno
     * util/server.c: fix handling when error occurs in waitpid()
     * Fix timing to save errno
     * Add processing to save errno before outputting DEBUG

* Michal Židek (8):
     * Bumping the version to track the 2.2.3 development
     * SPECFILE: Add 'make' as build dependency
     * memcache: Stop using the word fastcache for memcache
     * MAN: GPO and built-in groups
     * bash_rc: Build with systemtap
     * MAN: Missing man pages in src/man/po/po4a.cfg
     * MAN: Fix errors in Japanese translation
     * Update the translations for the 2.2.3 release

* Niranjan M.R (4):
     * pytest: Use idm:DL1 module to install 389-ds
     * pytest: Update README with instructions to execute tests
     * pytest/testlib: Add python-ldap as dependency
     * Makefile.am: Use README.md instead of README

* Pavel Březina (49):
     * sss_ptr_hash: keep value pointer when destroying spy
     * autofs: fix typo in test tool
     * sysdb: add expiration time to autofs entries
     * sysdb: add sysdb_get_autofsentry
     * sysdb: add enumerationExpireTimestamp
     * sysdb: store enumeration expiration time in autofs map
     * sysdb: store original dn in autofs map
     * sysdb: add sysdb_del_autofsentry_by_key
     * cache_req: add autofs map entries plugin
     * cache_req: add autofs map by name plugin
     * cache_req: add autofs entry by name plugin
     * autofs: convert code to cache_req
     * autofs: use cache_req to obtain single entry in getentrybyname
     * autofs: use cache_req to obtain map in setent
     * dp: add dp_error_to_ret
     * dp: add dp_no_output type to be used in dp_set_method
     * dp: add additional autofs methods
     * dp: replace autofs handler with enumerate method
     * ldap: add base_dn to sdap_search_bases
     * ldap: rename sdap_autofs_get_map to sdap_autofs_enumerate
     * ldap: implement autofs get map
     * ldap: implement autofs get entry
     * autofs: allow to run only setent without enumeration in test tool
     * autofs: always refresh auto.master
     * sysdb: invalidate also autofs entries
     * sss_cache: invalidate also autofs entries
     * ci: allow distribution specific supression files
     * ci: suppress Debian valgrind errors
     * ci: add Debian 10
     * ifp: call tevent_req_post in case of error in ifp_user_get_attr_send
     * sudo: get timezone information from previous value when constructing new usn
     * ci: enable on demand runs
     * ci: set build name to pull request or branch name
     * ci: notify that build awaits executor
     * ci: convert to scripted pipeline
     * db: fix potential memory leak in sysdb_store_selinux_config
     * ldap: do not store empty attribute with ldap_rfc2307_fallback_to_local_users = true
     * sss_ptr_hash: pass new hash_entry_t to custom delete callback
     * failover: make sure we switch to anoter server if only port differs
     * autofs: remove unused enum
     * autofs: delete possible duplicate of an autofs entry
     * ci: store artifacts in jenkins for on-demand runs
     * ci: allow to specify systems where tests should be run for on-demand tests
     * ci: add Fedora 31
     * ci: install python2 on Fedora 31 and RHEL 8 so python2 bindings can be built
     * ci: disable python2 bindings on Fedora 32+
     * man: add missing new line to autofs_attributes.xml
     * pam_sss: treat whitespace name as missing name if allow_missing_name is set
     * sudo: add ldap_sudorule_object_class_attr

* Paweł Poławski (2):
     * selinux: Keep explicite umask() calls
     * files_ops: Remove unused functions parameter

* REIM THOMAS (1):
     * MAN: Provide minimum information on GPO access control

* Samuel Cabrero (12):
     * SYSDB: Delete linked local user overrides when deleting a user
     * SYSDB: Convert cached domain 'enumerated' attribute from bool to uint
     * SDAP: Add provider name to enumeration and cleanup tasks
     * LDAP: Return errno_t for ldap id enumeration task setup functions
     * LDAP: Rename enumeration and cleanup functions to contain the provider
     * AD: Rename enumeration functions to contain the provider name
     * LDAP: Improve ldap_id_setup_enumeration error logic
     * LDAP: Remove unnecessary task pointer
     * LDAP: Move enum fields to id provider context
     * MONITOR: Propagate error when resolv.conf does not exists in polling mode
     * MONITOR: Add a new option to control resolv.conf monitoring
     * MONITOR: Resolve symlinks setting the inotify watchers

* Sumit Bose (15):
     * ipa: use LDAP not extdom to lookup IPA users and groups
     * utils: extend some find_domain_* calls to search disabled domain
     * ipa: support disabled domains
     * ipa: ignore objects from disabled domains on the client
     * sysdb: add sysdb_subdomain_content_delete()
     * ipa: delete content of disabled domains
     * ipa: use the right context for autofs
     * ssh: add ssh_use_certificate_keys option to config checks
     * ssh: apply certificate matching rules
     * ssh: add option ssh_use_certificate_matching_rules
     * ssh: enable p11_child logging
     * p11_child: allow verification with no_verification option
     * p11_child: add 'soft_ocsp' and 'soft_crl options
     * ipa: add failover to override lookups
     * ipa: add failover to access checks

* Thorsten Scherf (1):
     * Fix option type for ldap_group_type

* Tomas Halman (9):
     * LDAP: Systemtap ldap probes fail without filter
     * LDAP: extend LDAP systemtap probes of attr list
     * LDAP: Add probes to be able print ldap attributes
     * MAN: update systemtap man page
     * TESTS: tests have to be linked with systemtap
     * MAN: Update SystemTap man page
     * IPA: Utilize new protocol in IPA extdom plugin
     * INI: sssctl config-check giving the wrong message
     * TESTS: check "sssctl config-check" output

* pedrosam (1):
     * cache_req: propagate multiple entries error to the caller