FFE: sssd 1.5.8 -> 1.5.13

Bug #860297 reported by Timo Aaltonen
This bug affects 2 people
Affects: sssd (Ubuntu)
Status: Fix Released
Importance: Wishlist
Assigned to: Unassigned

Bug Description

There is a new release available from the stable branch. The latest one was released on 2011-08-29, so no showstoppers in there, whereas the current version has a few.

Here's a breakup of the release notes from each one since 1.5.8. So while there are a couple of new features, they are more for admin flexibility or related to FreeIPA (which is not packaged).

1.5.9:
New Features

    Support for overriding home directory, shell and primary GID locally
    Properly honor TTL values from SRV record lookups
    Support non-POSIX groups in nested group chains (for RFC2307bis LDAP servers)

Important Bugfixes

    Properly escape IPv6 addresses in the failover code
    Do not crash if inotify fails (e.g. resource exhaustion)
    Don't add multiple TGT renewal callbacks (too many log messages)

1.5.10:
    Fixed a regression introduced in 1.5.9 that could result in blocking calls to LDAP
1.5.11:
    Fix a serious regression that prevented SSSD from working with ldaps:// URIs
    IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 address being saved to the AAAA record.
1.5.12:
    Fixes a regression introduced in 1.5.11 with hostname resolution
    Fixes an issue where sssd_pam would leak file descriptors until resource exhaustion
    Complete rewrite of the FreeIPA Host-Based Access Control (HBAC) resolver
    New shared library for HBAC access-control
    Fixes for password expiration handling with LDAP auth
    New option to veto certain centrally-managed shells (Patch by John Hodrien)
1.5.13:
    Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep)
    SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined
    The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided.
    Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory)
    Three HBAC regressions have been fixed.

Timo Aaltonen (tjaalton)
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in sssd (Ubuntu):
status: New → Confirmed
Timo Aaltonen (tjaalton) wrote :

Hmm, hit some issues with the packaging failing to run dpkg-shlibdeps.

Changed in sssd (Ubuntu):
status: Confirmed → Incomplete
Timo Aaltonen (tjaalton) wrote :

Ok, new version builds fine, and functionality was tested by upstream.

Changed in sssd (Ubuntu):
importance: Undecided → Wishlist
status: Incomplete → Confirmed
status: Confirmed → New
Timo Aaltonen (tjaalton) wrote :

Build log available

https://launchpad.net/~tjaalton/+archive/ppa/+build/2809244/+files/buildlog_ubuntu-oneiric-amd64.sssd_1.5.13-0%7Etja2_BUILDING.txt.gz

and a diffstat of the changes to the debian directory:

 changelog | 24 ++
 control | 5
 libpam-sss.pam-auth-update | 2
 patches/00list | 2
 patches/fix-configure.dpatch | 20 +
 patches/fix-python-api-path.dpatch | 389 +++++++++++++++++++++++++++++++++++++
 rules | 4
 sssd.default | 2
 sssd.init | 3
 sssd.install | 3
 sssd.upstart | 12 -
 11 files changed, 454 insertions(+), 12 deletions(-)

(fix-python-api-path.dpatch just changes a bunch of path strings)

Timo Aaltonen (tjaalton) wrote :

Bug 860488 is affecting all versions we've had (local users not being able to log in if sssd is not running, due to missing pam_localuser in common-account); the version above doesn't have the needed change to libpam-sss.pam-auth-update yet.
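As an added illustration of the lockout condition described in this comment (example code written for this page, not from the bug report or the sssd package): a small POSIX shell lint that reads a pam.d-style file, looks only at its account stack, and reports whether pam_sss.so can be reached without a short-circuiting pam_localuser.so line ahead of it. The three PAM stacks it checks are constructed samples modelled on the before/after states discussed in the thread; the exact contents of Ubuntu's generated common-account file are an assumption here, not copied from the package.

```shell
#!/bin/sh
# Added example, not from the bug report or the sssd package. It checks a
# pam.d-style file for the failure mode of LP bug 860488: when sssd is not
# running, pam_sss.so in the account stack returns an error, and with
# "default=bad" that error denies every user, including purely local ones,
# unless a short-circuiting pam_localuser.so line runs first.
# The sample stacks below are constructed for illustration.

# Prints "ok" when every pam_sss.so account line is preceded by a
# pam_localuser.so line that ends the stack on success (control flag
# "sufficient" or a bracketed "success=done"), or when pam_sss.so is absent.
# Prints "lockout-risk" otherwise. Argument: path to the PAM file to inspect.
check_local_fallback() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        $1 != "account" { next }                        # only the account stack matters here
        /pam_localuser\.so/ && (/sufficient/ || /success=done/) { seen_local = 1 }
        /pam_sss\.so/ && !seen_local { risk = 1 }
        END { if (risk) print "lockout-risk"; else print "ok" }
    ' "$1"
}

tmp=$(mktemp -d)

# Constructed sample 1: pre-fix stack, pam_sss.so decides for everyone.
cat > "$tmp/broken" <<'EOF'
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite                                         pam_deny.so
account required                                          pam_permit.so
account [default=bad success=ok user_unknown=ignore]     pam_sss.so
EOF

# Constructed sample 2: fixed stack, local users short-circuit before pam_sss.so.
cat > "$tmp/fixed" <<'EOF'
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite                                         pam_deny.so
account required                                          pam_permit.so
account sufficient                                        pam_localuser.so
account [default=bad success=ok user_unknown=ignore]     pam_sss.so
EOF

# Constructed sample 3: wrong control flag. "required" does not end the
# stack on success, so pam_sss.so still runs and its error still denies
# local users; the lint must flag this too.
cat > "$tmp/wrongflag" <<'EOF'
account required                                          pam_localuser.so
account [default=bad success=ok user_unknown=ignore]     pam_sss.so
EOF

BROKEN_RESULT=$(check_local_fallback "$tmp/broken")       # lockout-risk
FIXED_RESULT=$(check_local_fallback "$tmp/fixed")         # ok
WRONGFLAG_RESULT=$(check_local_fallback "$tmp/wrongflag") # lockout-risk

echo "before fix:   $BROKEN_RESULT"
echo "after fix:    $FIXED_RESULT"
echo "wrong flag:   $WRONGFLAG_RESULT"

rm -rf "$tmp"
```

To inspect a live system, call `check_local_fallback /etc/pam.d/common-account`; the lint only reads the file. It deliberately treats a `required pam_localuser.so` line as insufficient, because only a control that ends the stack on success (`sufficient` or `success=done`) keeps pam_sss.so from being consulted for local accounts when the daemon is down.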

Timo Aaltonen (tjaalton) wrote :

Current changelog snippet, for reference:

  * FFE: New upstream release. (LP: #860297)
  * Rebuild against current libldb1, and use the multiarch path
    for libldb modules. (LP: #746981)
  * sssd.default:
    - Move the option to run as daemon here.
    - Add option that makes the daemon to use logfiles. (LP: #859602)
  * sssd.upstart:
    - Don't start before net-device-up. (LP: #812943)
    - Source /etc/default/sssd. (LP: #812943)
  * rules: Install the Python API files to /usr/share/sssd, as discussed
    with upstream. (LP: #859611)
  * fix-python-api-path.dpatch: Use the new location for the API files.
    (LP: #859611)
  * libpam-sss.pam-auth-update: Add 'forward_pass' to fix pam_ecryptfs
    (LP: #826643)
  * control: sssd now Recommends libpam-sss and libnss-sss, since sssd is
    mostly useless without them. (LP: #767337)
  * control: Add libunistring-dev to build-depends.
  * sssd.install: Include libipa_hbac.so*.

Dave Walker (davewalker) wrote :

@Timo, thanks for the report. Can you please add a rationale for why this new upstream version is better than cherry-picking specific fixes?

Timo Aaltonen (tjaalton) wrote :

Dave: not the right answer, but less work for me this way :)

One option is to skip the FFE and just get the packaging changes for oneiric.

Iain Lane (laney) wrote :

The repeated mention of regressions in the upstream changelog concerns me; I'd like to see evidence of some thorough testing before considering the FFe.

Otherwise cherry-picks / packaging fixes + doing the upstream update early in P would make me more comfortable.

Timo Aaltonen (tjaalton) wrote :

Marko Myllynen (upstream dev, subscribed here) tested it against FreeIPA, and we debugged the package live on IRC. As I said, the current version has been around for over a month, and the stable tree has no important patches to fix regressions etc. But either way, I just want to get something in :)

Stephen Gallagher (stephen-gallagherhome) wrote :

SSSD 1.5.9 saw a large series of changes to our LDAP code, mostly to be able to better support Active Directory as an identity source. However, we had to quickly turn out 1.5.10 and 1.5.11 as we discovered that the new features were breaking some existing configurations.

The 1.5.12 release saw a complete rewrite to the HBAC code (support for SSSD acting as a client to a FreeIPA server) due to late changes to the FreeIPA HBAC (host-based access control) design. We then needed to release 1.5.13 to address a few regressions discovered during the HBAC rewrite. It also included a bugfix to a long-standing issue seen when waking from a sleep that disconnected a VPN.

SSSD 1.5.x is our current long-term maintenance release, which means that upstream will continue to support it with bugfixes and new features for at least one year, and security fixes for at least two (or one year after RHEL no longer ships a 1.5.x release, whichever comes later).

I'll admit that we had a bit of a rough period between 1.5.9 and 1.5.12, but in general the latest releases are working well. It's also worth noting that 1.5.x contains the set of fixes being tested by Red Hat QA for inclusion in RHEL.

Iain Lane (laney) wrote :

Where can I download the proposed new packaging? Can I see a diff of the debian/ directory please?

Timo Aaltonen (tjaalton) wrote : Re: [Bug 860297] Re: FFE: sssd 1.5.8 -> 1.5.13

On Thu, 29 Sep 2011, Iain Lane wrote:

> Where can I download the proposed new packaging? Can I see a diff of the
> debian/ directory please?

Roughly the same version is on my PPA; I've only done a small addition to
the libpam-sss.pam-auth-update file to actually allow local users logging
in (a bug in the current package as well).

I can provide the real diff when I get back home :)

Timo Aaltonen (tjaalton) wrote :

Iain: diff attached.

Timo Aaltonen (tjaalton) wrote :

OK, so the previous diff didn't have 'forward_pass', but this one does.

Iain Lane (laney) wrote :

Looks like it fixes a lot of bugs and has the approval of upstream; approved by ubuntu-release subject to reverting the priority change as discussed on IRC.

Please consider subscribing to LP bugs for the package. :-)

Changed in sssd (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.5.13-0ubuntu1

---------------
sssd (1.5.13-0ubuntu1) oneiric; urgency=low

  * FFE: New upstream release. (LP: #860297)
    - control: Add libunistring-dev to build-depends.
    - sssd.install: Include libipa_hbac.so*.
  * Rebuild against current libldb1, and use the multiarch path
    for libldb modules. (LP: #746981)
  * sssd.default:
    - Move the option to run as daemon here.
    - Add option that makes the daemon to use logfiles. (LP: #859602)
  * sssd.upstart:
    - Don't start before net-device-up. (LP: #812943)
    - Source /etc/default/sssd. (LP: #812943)
  * rules: Install the Python API files to /usr/share/sssd, as discussed
    with upstream. (LP: #859611)
  * fix-python-api-path.dpatch: Use the new location for the API files.
    (LP: #859611)
  * libpam-sss.pam-auth-update:
    - Add 'forward_pass' to auth stack to fix ecryptfs mounts. (LP: #826643)
    - Add pam_localuser.so to account stack to allow local users to log in.
      (LP: #860488)
  * control: sssd now Recommends libpam-sss and libnss-sss, since sssd is
    mostly useless without them. (LP: #767337)
 -- Timo Aaltonen <email address hidden> Tue, 27 Sep 2011 06:03:41 +0300

Changed in sssd (Ubuntu):
status: Confirmed → Fix Released