SSSD 2.9.7 Release Notes

  • When both IPv4 and IPv6 address families are resolvable, but the primary is blocked on firewall, SSSD attempts to connect to the server on the secondary family.

  • SSSD IPA provider now supports IPA subdomains, not only Active Directory. This IPA subdomain support will enable SSSD support of IPA-IPA Trust feature, the full usable feature coming in a later FreeIPA release. Trusted domain configuration options are specified in the ‘sssd-ipa’ man page.

  • ‘sssd_kcm’ memory leak was fixed.

  • New ‘ldap_read_rootdse’ option allows you to specify how SSSD will read RootDSE from the LDAP server. Allowed values are “anonymous”, “authenticated” and “never”

  • Until now dyndns_iface option supported only “*” for all interfaces or exact names. With this update it is possible to use shell wildcard patterns (e. g. eth*, eth[01], …).

  • #6601 - smartcard login fails when network disconnected

  • #6665 - LDAP auth happens after search failure

  • #6910 - SSSD dyndns_ifname with wildcard

  • #7209 - Tests: util-tests fails if time zone is not UTC

  • #7746 - krb5_child couldn’t parse pkcs11 objects if token label contains semicolon

  • #7793 - Disk cache failure with large db sizes

  • #7876 - Group enumeration does not work if group name contains ‘#’

  • #7931 - LDAPU1 Local auth mapping rule error

$ git shortlog --pretty=format:"%h  %s" -w0,4 2.9.6..2.9.7

Alexander Bokovoy (1):
    b237fe960  oidc_child: fallback to ID and access tokens when looking up configured user identity

Alexey Tikhonov (41):
    15e0eef9d  Ignore '--dumpable' argument in 'krb5_child' and 'ldap_child' to avoid leaking host keytab accidentially.
    90a6a1ff9  CERT: mistype fix
    60b1ae48d  certmap: remove stray export declaration
    6aba9a7dd  KCM: fix memory leak
    3bd7461fd  TESTS: fix issue reported by 'black'
    e7c76df8c  KCM: another memory leak fixed
    ed9fe4cb1  CI: update list of target platforms
    addb1a781  SYSDB: don't add group members if 'ignore_group_members == true'
    73f6c4a70  SYSDB: update in sysdb_add_group_member_overrides()
    ccc90e2fb  SYSDB: update in sysdb_add_group_member_overrides()
    f7964c992  SYSDB: update in sysdb_add_group_member_overrides()
    648404964  SYSDB: fix sysdb_add_group_member_overrides()
    638b904c1  SYSDB: update in sysdb_add_group_member_overrides()
    c4100177b  SYSDB: update in sysdb_add_group_member_overrides()
    3477221b9  SYSDB: update in sysdb_add_group_member_overrides()
    02a599530  SYSDB: update in sysdb_add_group_member_overrides()
    668533424  SYSDB: make `sysdb_get_user_members_recursively()` static
    b64d205c0  SYSDB: update in get_user_members_recursively()
    e1eae1cae  SYSDB: update in sysdb_add_group_member_overrides()
    0e479b71b  SYSDB: update in sysdb_add_group_member_overrides()
    8b4b4e334  SYSDB: debug message fixed
    e6216ef4b  SYSDB: update in sysdb_add_group_member_overrides()
    c3b37ab4f  SYSDB: update in get_user_members_recursively()
    03cef2f42  DEBUG: a new helper that skips backtrace
    9a7ecff04  Avoid logging to the backtrace unconditionally in hot paths.
    87d105420  UTIL: sss_parse_internal_fqname() optimization
    0088d4095  UTIL: sss_parse_internal_fqname() optimization
    c44fbb651  UTIL: sized_domain_name() optimization
    3b1d79b92  RESPONDER: sized_output_name() optimization
    84322c3d6  UTIL: sss_output_name() optimization
    23f06186a  RESPONDER: delete sss_resp_create_fqname()
    5698ee0c9  UTIL: remake sss_*replace_space() to inplace version
    7e064f6fe  UTIL: delete sss_fqname()
    50e9b7aa8  UTIL: sss_tc_fqname2() optimization
    cb6350b2f  SPEC: relax Samba version req a bit
    6ab380f5a  DB: skip sysdb_add_group_member_overrides() completely
    bf034fa70  DB: don't provide 'expect_override_dn' to `sysdb_add_group_member_overrides()`
    8cef0a5d9  UTIL: mark non string array properly
    ecaa49c91  IPA: return ENOENT if `ipa_get_config` yields nothing
    9878ac25d  PAM: fixes following issue:
    19bd4c497  Release sssd-2.9.7

André Boscatto (2):
    cf0d337af  man: Updating sssd-simple(5) man page
    5f37296b4  TESTS: Add access control simple filter tests

Dan Lavu (5):
    e4e9dc495  tests: test_kcm.py fixing confusing error message
    4381cc510  tests: extending sss_override testcase to assert overridden user group memberships
    139dfc71a  moving ad topology test to it's own file test_ad.py
    e4bd8b987  tests: adding generic password change tests * user is forced to changed password at login * user logins and issues a password change
    2c1cbe850  tests: removed overlapping test scenarios from authentication tests * few scenarios have been removed * ppolicy tests have been made into ppolicy tests only, since normal ldap is covered by the generic provider now * renamed some of the test cases * removed su from a password change test * removed some test cases that are now covered by the new test cases

Dominika Borges (1):
    de0220070  doc: improve description of ldap_disable_range_retrieval

Iker Pedrosa (2):
    f068ba004  tests: add feature presence automation
    eafffce6f  tests: improve feature presence automation

Ivan Korytov (1):
    91fe7678b  tests: Update mock date to postpone timezone related failures

Jakub Vávra (2):
    5607973de  tests: Update mhc.yaml for relocated /data and /enrollment
    f944b00ca  tests: Move /exports to /var/exports for autofs tests

Jan Engelhardt (1):
    f34626a5e  sssd: always print path when config object is rejected

Justin Stephenson (23):
    384f67ed7  DEBUG: lower missing passkey data debug level
    d0d8b0a5e  tests: have analyzer request child parse child log
    2b5168214  ci: Remove internal covscan workflow
    33855f726  ci: Add workflow for 'coverity' label in PRs
    95d198dfd  CI: Fix coverity label multiline conditional
    1bf60984f  ci: Have coverity workflow run against PR code
    dfef948f3  SYSDB: Store IPA trust type
    af30e1f93  Rename struct ipa_ad_server_ctx, and add id_ctx union member
    19e30002b  ipa: Make ipa_service_init() like ad_failover_init()
    a05dc1e2a  ad: Combine 1+2way trust options creation functions
    e34d8d7df  ipa: Make ipa server ad* functions generic
    07f0cdbd3  ipa: Add ipa subdomain provider initialization
    cb53396e0  ipa: Support ipa subdomain account info requests
    e23431014  ipa s2n: Remove check for SYSDB_UPN
    69566f1fa  ipa: Rename ipa_create_ad_1way_trust_ctx()
    f811d944c  Handle missing SID for user private group
    b234d1ea5  ipa s2n: Ignore trusted IPA user private group
    f23428673  AD: Remove unused AD_AT_TRUST_TYPE attribute
    49e3bcb3b  man: IPA subdomain changes to sssd-ipa
    3bc17c672  ipa: Set proper domain basedn for subdomain options
    5c480941f  ci: include build description for covscan
    b24c151d1  ci: Use pull_request_target for conditional
    bbb7b7967  IPA: ipa_get_config_send() was updated

Krzesimir Nowak (1):
    ee195e776  Assume that callbacks are not broken in OpenLDAP when cross-compiling

Michael Stone (3):
    a6273e7ff  return here so MINOR_FAILURE isn't auto-promoted to FATAL_FAILURE
    1eee5a4c4  make log line match preceeding function name
    1341a970e  add SSS_AUTHTOK_TYPE_PAM_STACKED

Pavel Březina (2):
    910575e8a  ci: grab ipa logs from ipa host
    9200ee29a  ci: print duration of each test case

Samuel Cabrero (1):
    4f9fb5fd3  SYSDB: Use SYSDB_NAME from cached entry when updating users and groups

Sumit Bose (5):
    2a8349049  krb5_child: ignore Smartcard identifiers with a ':'
    50ebb7441  sdap: include sub-domain memberships in updates
    42805f875  certmap: allow prefix in rule in sssd.conf
    29506a5b7  oidc_child: change verify_token() to decode_token()
    67c6d3fa0  Revert "sdap: include sub-domain memberships in updates"

Tomas Halman (9):
    5239cdab1  Pattern support for dyndns_iface option
    d9ee62797  man: clarify %o and %h homedir substitution
    1e9205d28  Configure how SSSD should access RootDSE.
    53365dcfd  test: enumeration with # in the group name
    116d6221c  Enumerate object with escaped characters in name
    c1693bbce  failover: Make failover work over IP families
    511003c8b  failover: fix fo_is_ip_address check
    47df70968  tests: Check failover to secondary IP family
    3ae9b5aab  p11_child: Add timeout parameter

aborah-sudo (1):
    4d2a09eb5  Tests: Add proxy provider test cases for SSSD

fossdd (1):
    ec174a043  Fix missing include sys/types.h

shridhargadekar (1):
    001069311  Tests: add importance marker for sssctl analyze