Change logs for sssd source package in Quantal

  • sssd (1.9.1-0ubuntu1.3) quantal-proposed; urgency=low
    
      * rules: Really install the new pam-auth-update file for password
        changes. (LP: #1086272)
      * rules: Pass --datadir, so the path in autogenerated python files is
        correctly substituted. (LP: #1079938)
     -- Timo Aaltonen <email address hidden>   Wed, 06 Feb 2013 01:13:23 +0200
  • sssd (1.9.1-0ubuntu1.2) quantal-proposed; urgency=low
    
      * fix-linking.diff: Link sss_ssh_authorizedkeys and
        sss_ssh_knownhostsproxy with -lpthread (FTBFS).
    
    sssd (1.9.1-0ubuntu1.1) quantal-proposed; urgency=low
    
      * libpam-sss.pam-auth-update*: Add a separate file for the password stack,
        and drop it from the main file. It needs to have a higher priority
        than the rest so that password changes work with both the default install
        and when pam_cracklib is installed.
        (LP: #1086272)
      * rules: Drop remnants of cdbs, use proper paths for configure.
        (LP: #1079938)
      * fix-cve-2013-0219-1.diff, fix-cve-2013-0219-2.diff:
        Fix race conditions when creating or removing home directories for
        users in local domain. (LP: #1105893)
      * fix-cve-2013-0220.diff:
        Fix out-of-bounds reads in autofs and ssh responder. (LP: #1105898)
     -- Timo Aaltonen <email address hidden>   Sat, 26 Jan 2013 23:42:16 +0200
  • sssd (1.9.1-0ubuntu1) quantal; urgency=low
    
      * Merge from unreleased debian git
        - bugfix release 1.9.1
      * Revert the PAC responder changes to packaging for now, since samba4 is
        in universe.
     -- Timo Aaltonen <email address hidden>   Mon, 08 Oct 2012 12:21:50 +0300
  • sssd (1.9.0-0ubuntu1) quantal; urgency=low
    
      * Merge from unreleased debian git.
        - final 1.9.0 release
     -- Timo Aaltonen <email address hidden>   Mon, 01 Oct 2012 10:25:23 +0300
  • sssd (1.9.0~rc1-0ubuntu1) quantal; urgency=low
    
      * Merge from unreleased debian git
        - new bugfix release (LP: #1049123)
     -- Timo Aaltonen <email address hidden>   Fri, 14 Sep 2012 11:32:01 +0300
  • sssd (1.9.0~beta6-0ubuntu1) quantal; urgency=low
    
      * Merge from unreleased debian git. (LP: #1012900)
    
    sssd (1.9.0~beta6-1) UNRELEASED; urgency=low
    
      * New upstream prerelease 1.9.0beta6. Highlights:
        - Add native support for autofs to the IPA provider
        - Support for ID-mapping when connecting to Active Directory
        - Support for handling very large (> 1500 users) groups in Active
          Directory
        - Support for sub-domains (will be used for dealing with trust
          relationships)
        - Add a new fast in-memory cache to speed up lookups of cached data
          on repeated requests
        - Add support for the Kerberos DIR cache for storing multiple TGTs
          automatically
        - Major performance enhancement when storing large groups in the cache
        - Major performance enhancement when performing initgroups() against
          Active Directory
        - SSSDConfig data file default locations can now be set during
          configure for easier packaging
        - Add a new PAC responder for dealing with cross-realm Kerberos trusts
        - Terminate idle connections to the NSS and PAM responders
        - Switch from libunistring to glib2 for unicode support
        - Add a new AD provider to improve integration with Active Directory
          2008 R2 or later servers
        - SUDO integration was completely rewritten. The new implementation
          works with multiple domains and uses an improved refresh mechanism to
          download only the necessary rules
        - The IPA authentication provider now supports subdomains
        - Fixed regression for setups that were setting default_tkt_enctypes
          manually by reverting a previous workaround.
        - Many fixes for the support for setting default SELinux user context
          from FreeIPA, most notably fixed the specificity evaluation
        - Fixed an incorrect default in the krb5_canonicalize option of the AD
          provider which was preventing password change operation
        - The shadowLastChange attribute value is now correctly updated with the
          number of days since the Epoch, not seconds
        - A new option, override_shell was added. If this option is set, all
          users managed by SSSD will have their shell set to its value.
        - Many fixes for the support for setting default SELinux user context
          from FreeIPA. Most notably, the SELinux mappings can now link to HBAC
          rules as the source of users and hosts they apply to.
        - Fixed a regression introduced in beta 5 that prevented LDAP SASL binds
          from working unless the value of ldap_sasl_minssf was explicitly
          specified.
        - The SSSD supports the concept of a Primary Server and a Back Up
          Server. Certain servers in the fail over list can be marked as back up
          only. If the SSSD switches to a back up server because a primary server
          is not available, it would later try to re-establish a connection to the
          primary server. This feature would mainly benefit users who configure
          fail over servers from different data centers or geographies.
        - A new command-line tool sss_seed is available. This tool is able to
          prime the internal cache with a user record and a cached password to
          support the scenario when a user needs to log in to the client before
          the network connection to the centralized identity source is established,
          such as the first log in to a new machine.
        - In scenarios where the SSSD is acting as an IPA client, it is able to
          discover and save the DNS domain-Kerberos realm mappings between an IPA
          server and a trusted Active Directory server.
      * Update the packaging for the new version, thanks Esko Järnfors!
        - Add libsss-idmap0, libsss-idmap-dev packages
        - Add sssd Depends on libsss-idmap0
        - Add /var/lib/sss/mc directory for the new mmap cache
      * Added fix-CVE-2012-3462.diff from upstream git.
      * control: Drop libunistring-dev from build-depends and add libglib2.0-dev
        for unicode support.
      * sssd.install, sssd-tools.install: Add sssd-ad.5*, sssd-sudo.5* to
        sssd.install, and sss_seed{,.8*} to sssd-tools.
      * python-sss.install: py-files got moved under SSSDConfig.
      * control, rules: Use default build flags, bump dpkg-dev build-dep to
        1.16.1~.
      * Bump libsss-sudo soname.
      * rules: Install the apparmor profile with -m644.
    
    sssd (1.8.4-2) UNRELEASED; urgency=low
    
      * rules: Fix the current date format, and move the date mangling to
        happen before dh_install is run. (Closes: #670019)
      * sssd.{preinst,postrm}: Install the apparmor profile in force-complain
        mode on install, and remove the profile directory on purge (if empty). Also
        migrate from previous setup which installed it as disabled.
     -- Timo Aaltonen <email address hidden>   Wed, 22 Aug 2012 18:24:32 +0300
  • sssd (1.8.4-1ubuntu1) quantal; urgency=low
    
      * Merge from Debian unstable, remaining changes:
        - control, rules: Drop libsemanage-dev from build-depends, it's not
          in main. Configure --with-semanage=no.
    
    sssd (1.8.4-1) unstable; urgency=low
    
      * New upstream bugfix release 1.8.2.
        - Several fixes to case-insensitive domain functions
        - Fix for GSSAPI binds when the keytab contains unrelated
          principals
        - Fixed several segfaults
        - Workarounds added for LDAP servers with unreadable RootDSE
        - SSH knownhostproxy will no longer enter an infinite loop
          preventing login
        - The provided SYSV init script now starts SSSD earlier at startup
          and stops it later during shutdown
        - Assorted minor fixes for issues discovered by static analysis
          tools
      * New upstream bugfix release 1.8.3.
        - Numerous manpage and translation updates
        - LDAP: Handle situations where the RootDSE isn't available anonymously
        - LDAP: Fix regression for users using non-standard LDAP attributes for
          user information
      * New upstream bugfix release 1.8.4. (LP: #981125, #985031)
        - Fix a bug causing AD servers not to fail over properly when the KDC
          on the primary server is down
        - Fix an endianness bug on big-endian systems when looking up services
        - Fix a segfault dealing with nested groups (LP: #981125)
        - Make the nowait cache updates work for netgroups
        - Fix a regression that broke domains with use_fully_qualified_names = True
          (LP: #985031)
      * control: Move the dependency of libsasl2-modules-gssapi-mit to
        Recommends.
      * control: sssd works with Heimdal gssapi modules too, add
        libsasl2-modules-gssapi-mit as an option for the Recommends.
        (LP: #966146)
      * libpam-sss.pam-auth-update:
        - Drop the dependency to 128, since pam_sss should always be below
          pam_unix. (LP: #957486)
        - Drop 'use_authtok' from the password stack, since it only works when
          pam_cracklib is installed. This will allow password changes on the
          default install.
      * sssd.postrm: Try to remove /etc/sssd only if it exists.
        (Closes: #666226)
      * Add disabled by default Apparmor profile (LP: #933342)
        - debian/sssd.upstart.in: load the profile during pre-start
        - add debian/apparmor-profile, install to /etc/apparmor.d
        - debian/rules: use dh_apparmor to install profile before sssd is
          restarted
        - debian/control: sssd Suggests apparmor (>= 2.3)
        - debian/control: Add dh-apparmor to build-depends
        - debian/sssd.preinst: disable profile on clean install or upgrades
          from earlier than when we shipped the profile
      * rules: Mangle the date stamp on pam_sss.8 so that the compressed file is
        identical across all archs. (Closes: #670019)
      * control: Add build-depends on libnl-dev to enable Netlink support.
      * control: Add build-depends on libkeyutil-dev to enable support for
        kernel keyring manipulation.
      * sssd.logrotate: Rotate logs weekly, keep four previous rotations.
        (Closes: #672984)
      * sssd.upstart.in: Delete an invisible control character from the pre-start
        script. (LP: #1003845)
     -- Timo Aaltonen <email address hidden>   Mon, 04 Jun 2012 09:51:20 +0300
  • sssd (1.8.3-0ubuntu1) quantal; urgency=low
    
      * Merge from Debian git, remaining changes:
        - control, rules: Drop libsemanage-dev from build-depends, it's not
          in main. Configure --with-semanage=no.
    
    sssd (1.8.3-1) UNRELEASED; urgency=low
    
      * New upstream bugfix release 1.8.2.
        - Several fixes to case-insensitive domain functions
        - Fix for GSSAPI binds when the keytab contains unrelated
          principals
        - Fixed several segfaults
        - Workarounds added for LDAP servers with unreadable RootDSE
        - SSH knownhostproxy will no longer enter an infinite loop
          preventing login
        - The provided SYSV init script now starts SSSD earlier at startup
          and stops it later during shutdown
        - Assorted minor fixes for issues discovered by static analysis
          tools
      * New upstream bugfix release 1.8.3.
        - Numerous manpage and translation updates
        - LDAP: Handle situations where the RootDSE isn't available anonymously
        - LDAP: Fix regression for users using non-standard LDAP attributes for
          user information
      * control: Move the dependency of libsasl2-modules-gssapi-mit to
        Recommends.
      * control: sssd works with Heimdal gssapi modules too, add
        libsasl2-modules-gssapi-mit as an option for the Recommends.
        (LP: #966146)
      * libpam-sss.pam-auth-update:
        - Drop the dependency to 128, since pam_sss should always be below
          pam_unix. (LP: #957486)
        - Drop 'use_authtok' from the password stack, since it only works when
          pam_cracklib is installed. This will allow password changes on the
          default install.
      * sssd.postrm: Try to remove /etc/sssd only if it exists.
        (Closes: #666226)
      * Add disabled by default Apparmor profile (LP: #933342)
        - debian/sssd.upstart.in: load the profile during pre-start
        - add debian/apparmor-profile, install to /etc/apparmor.d
        - debian/rules: use dh_apparmor to install profile before sssd is
          restarted
        - debian/control: sssd Suggests apparmor (>= 2.3)
        - debian/control: Add dh-apparmor to build-depends
        - debian/sssd.preinst: disable profile on clean install or upgrades
          from earlier than when we shipped the profile
      * rules: Mangle the date stamp on pam_sss.8 so that the compressed file is
        identical across all archs. (Closes: #670019)
      * control: Add build-depends on libnl-dev to enable Netlink support.
      * control: Add build-depends on libkeyutil-dev to enable support for
        kernel keyring manipulation.
      * sssd.logrotate: Rotate logs weekly, keep four previous rotations.
        (Closes: #672984)
      * Pull patches from the stable branch to fix an issue that results in broken
        credential cache (LP: #985031)
        - patches/fix-upstream-1298.diff
          If canon'ing principals, write ccache with updated default principal
        - patches/fix-upstream-1297.diff
          Limit krb5_get_init_creds_keytab() to etypes in keytab
        - patches/fix-upstream-1330.diff
          KRB5: Avoid NULL-dereference with empty keytab
      * patches/fix-upstream-1343.diff
        - LDAP nested groups: Do not process callback with _post deep in the nested
          structure (LP: #981125)
      * sssd.upstart.in: Delete an invisible control character from the pre-start
        script. (LP: #1003845)
     -- Timo Aaltonen <email address hidden>   Thu, 24 May 2012 14:02:36 +0300
  • sssd (1.8.2-0ubuntu1) precise; urgency=low
    
      * Merge from Debian git, remaining changes:
        - control, rules: Drop libsemanage-dev from build-depends, it's not
          in main and will not be for precise. Configure --with-semanage=no.
    
    sssd (1.8.2-1) UNRELEASED; urgency=low
    
      * New upstream bugfix release 1.8.2.
        - Several fixes to case-insensitive domain functions
        - Fix for GSSAPI binds when the keytab contains unrelated
          principals
        - Fixed several segfaults
        - Workarounds added for LDAP servers with unreadable RootDSE
        - SSH knownhostproxy will no longer enter an infinite loop
          preventing login
        - The provided SYSV init script now starts SSSD earlier at startup
          and stops it later during shutdown
        - Assorted minor fixes for issues discovered by static analysis
          tools
      * control: Move the dependency of libsasl2-modules-gssapi-mit to
        Recommends.
      * control: sssd works with Heimdal gssapi modules too, add
        libsasl2-modules-gssapi-mit as an option for the Recommends.
        (LP: #966146)
      * libpam-sss.pam-auth-update: Drop the dependency to 128, since pam_sss
        should always be below pam_unix. (LP: #957486)
      * sssd.postrm: Try to remove /etc/sssd only if it exists.
        (Closes: #666226)
     -- Timo Aaltonen <email address hidden>   Wed, 11 Apr 2012 11:48:56 +0300