Bug #1754746 “FFE: Please update to 1.16.1 for bionic” : Bugs : sssd package : Ubuntu

Jim Campbell (jwcampbell) on 2018-03-09

tags:

added: upgrade-software-version

Revision history for this message

Simon Quigley (tsimonq2) wrote on 2018-03-09:

#1

Directly subscribed Andreas Hasenack, he uploaded the last merge from Debian.

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2018-03-26:

#2

Download full text (6.5 KiB)

I saw some memleak fixes in 1.16.1, but also new features and new behavior. This bug was filed past the ubuntu feature freeze, so it would need a feature freeze exception (https://wiki.ubuntu.com/FreezeExceptionProcess).

Here is the list of changes from upstream. I'm not sure we would be able to get a FFe for this:

New Features
^^^^^^^^^^^^
  * A new option ``auto_private_groups`` was added. If this option is
    enabled, SSSD will automatically create user private groups based on
    user's UID number. The GID number is ignored in this case. Please
    see https://docs.pagure.org/SSSD.sssd/design_pages/auto_private_groups.html
    for more details on the feature.

  * The SSSD smart card integration now supports a special type of PAM
    conversation implemented by GDM which allows the user to select the
    appropriate smrt card certificate in GDM. Please refer to
    https://docs.pagure.org/SSSD.sssd/design_pages/smartcard_multiple_certificates.html
    for more details about this feature.

  * A new API for accessing user and group information was added. This API
    is similar to the tradiional Name Service Switch API, but allows
    the consumer to talk to SSSD directly as well as to fine-tune
    the query with e.g. how cache should be evaluated. Please see
    https://docs.pagure.org/SSSD.sssd/design_pages/enhanced_nss_api.html
    for more information on the new API.

  * The ``sssctl`` command line tool gained a new command ``access-report``,
    which can generate who can access the client machine. Currently only generating
    the report on an IPA client based on HBAC rules is supported. Please see
    https://docs.pagure.org/SSSD.sssd/design_pages/attestation_report.html
    for more information about this new feature.

  * The ``hostid`` provider was moved from the IPA specific code to the generic
    LDAP code. This allows SSH host keys to be access by the generic LDAP provider
    as well. See the ``ldap_host_*`` options in the ``sssd-ldap`` manual page
    for more details.

  * Setting the ``memcache_timeout`` option to 0 disabled creating the
    memory cache files altogether. This can be useful in cases there is a
    bug in the memory cache that needs working around.

Performance enhancements
^^^^^^^^^^^^^^^^^^^^^^^^
  * Several internal changes to how objects are stored in the cache improve
    SSSD performance in environments with large number of objects of the same
    type (e.g. many users, many groups). In particular, several useless indexes
    were removed and the most common object types no longer use the indexed
    ``objectClass`` attribute, but use unindexed ``objectCategory`` instead
    (#3503)

  * In setups with ``id_provider=ad`` that use POSIX attributes which
    are replicated to the Global Catalog, SSSD uses the Global Catalog to
    determine which domain should be contacted for a by-ID lookup instead
    of iterating over all domains. More details about this feature can
    be found at
    https://docs.pagure.org/SSSD.sssd/design_pages/uid_negative_global_catalog.html

Notable bug fixes
^^^^^^^^^^^^^^^^^
* A crash in ``sssd_nss`` that might have happened if a list of domains
was refreshed whi...

I saw some memleak fixes in 1.16.1, but also new features and new behavior. This bug was filed past the ubuntu feature freeze, so it would need a feature freeze exception (https://wiki.ubuntu.com/FreezeExceptionProcess).

Here is the list of changes from upstream. I'm not sure we would be able to get a FFe for this:

New Features
^^^^^^^^^^^^
  * A new option ``auto_private_groups`` was added.  If this option is
    enabled, SSSD will automatically create user private groups based on
    user's UID number. The GID number is ignored in this case. Please
    see https://docs.pagure.org/SSSD.sssd/design_pages/auto_private_groups.html
    for more details on the feature.

* The SSSD smart card integration now supports a special type of PAM
    conversation implemented by GDM which allows the user to select the
    appropriate smrt card certificate in GDM. Please refer to
    https://docs.pagure.org/SSSD.sssd/design_pages/smartcard_multiple_certificates.html
    for more details about this feature.

* A new API for accessing user and group information was added. This API
    is similar to the tradiional Name Service Switch API, but allows
    the consumer to talk to SSSD directly as well as to fine-tune
    the query with e.g. how cache should be evaluated. Please see
    https://docs.pagure.org/SSSD.sssd/design_pages/enhanced_nss_api.html
    for more information on the new API.

* The ``sssctl`` command line tool gained a new command ``access-report``,
    which can generate who can access the client machine. Currently only generating
    the report on an IPA client based on HBAC rules is supported. Please see
    https://docs.pagure.org/SSSD.sssd/design_pages/attestation_report.html
    for more information about this new feature.

* The ``hostid`` provider was moved from the IPA specific code to the generic
    LDAP code. This allows SSH host keys to be access by the generic LDAP provider
    as well. See the ``ldap_host_*`` options in the ``sssd-ldap`` manual page
    for more details.

* Setting the ``memcache_timeout`` option to 0 disabled creating the
    memory cache files altogether. This can be useful in cases there is a
    bug in the memory cache that needs working around.

Performance enhancements
^^^^^^^^^^^^^^^^^^^^^^^^
  * Several internal changes to how objects are stored in the cache improve
    SSSD performance in environments with large number of objects of the same
    type (e.g. many users, many groups). In particular, several useless indexes
    were removed and the most common object types no longer use the indexed
    ``objectClass`` attribute, but use unindexed ``objectCategory`` instead
    (#3503)

* In setups with ``id_provider=ad`` that use POSIX attributes which
    are replicated to the Global Catalog, SSSD uses the Global Catalog to
    determine which domain should be contacted for a by-ID lookup instead
    of iterating over all domains.  More details about this feature can
    be found at
    https://docs.pagure.org/SSSD.sssd/design_pages/uid_negative_global_catalog.html

Notable bug fixes
^^^^^^^^^^^^^^^^^
 * A crash in ``sssd_nss`` that might have happened if a list of domains
   was refreshed while a NSS lookup using this request was fixed (#3551)

* A potential crash in ``sssd_nss``  during netgroup lookup in case the
   netgroup object kept in memory was already freed (#3523)

* Fixed a potential crash of ``sssd_be`` with two concurrent sudo refreshes
   in case one of them failed (#3562)

* A memory growth issue in ``sssd_nss`` that occured when an entry was
   removed from the memory cache was fixed (#3588)

* Two potential memory growth issues in the ``sssd_be`` process that could
   have hit configurations with ``id_provider=ad`` were fixed (#3639)

* The ``selinux_child`` process no longer crashes on a system where SSSD
   is compiled with SELinux support, but at the same time, the SELinux policy
   is not even installed on the machine (#3618)

* The memory cache consistency detection logic was fixed. This would prevent
   printing false positive memory cache corruption messages (#3571)

* SSSD now remembers the last successfuly discovered AD site and use this
   for DNS search to lookup a site and forest during the next lookup. This
   prevents time outs in case SSSD was discovering the site using the global
   list of DCs where some of the global DCs might be unreachable. (#3265)

* SSSD no longer starts the implicit file domain when configured with
   ``id_provider=proxy`` and ``proxy_lib_name=files``. This bug prevented
   SSSD from being used in setups that combine identities from UNIX files
   together with authentication against a remote source unless a files
   domain was explicitly configured (#3590)

* The IPA provider can handle switching between different ID views better
   (#3579)

* Previously, the IPA provider kept SSH public keys and certificates from
   an ID view in its cache and returned them even if the public key or
   certificate was then removed from the override (#3602, #3603)

* FleetCommander profiles coming from IPA are applied even if they are
   assigned globally (to ``category: ALL``), previously, only profiles
   assigned to a host or a hostgroup were applied (#3449)

* It is now possible to reset an expired password for users with 2FA
   authentication enabled (#3585)

* A bug in the AD provider which could have resulted in built-in AD groups
   being incorrectly cached was fixed (#3610)

* The SSSD watchdog can now cope better with time drifts (#3285)

* The ``nss_sss`` NSS module's return codes for invalid cases were fixed

* A bug in the LDAP provider that prevented setups with id_provider=proxy
   and auth_provider=ldap with LDAP servers that do not allow anonymous
   binds from working was fixed (#3451)

Packaging Changes
-----------------
 * The FleetCommander desktop profile path now uses stricter permissions,
   751 instead of 755 (#3621)

* A new option ``--logger`` was added to the ``sssd(8)`` binary. This option
   obsoletes old options such as ``--debug-to-files``, although the old options
   are kept for backwards compatibility.

* The file ``/etc/systemd/system/sssd.service.d/journal.conf`` is not
   installed anymore In order to change logging to journald, please use the
   ``--logger`` option. The logger is set using the
   ``Environment=DEBUG_LOGGER`` directive in the systemd unit files. The
   default value is ``Environment=DEBUG_LOGGER=--logger=files``

Documentation Changes
---------------------
There are no notable documentation changes such as options changing default
values etc in this release.

Changed in sssd (Ubuntu):
status:	New → Triaged
importance:	Undecided → Low

Revision history for this message

Timo Aaltonen (tjaalton) wrote on 2018-03-27:

#3

just do it, sssd has a standing MRE too, btw

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2018-03-27:

#4

Hm, https://wiki.ubuntu.com/StableReleaseUpdates#New_upstream_microreleases has some criteria, and I'm not sure the above changelog meets it. I also don't see an explicit exception for sssd in https://wiki.ubuntu.com/StableReleaseUpdates#Documentation_for_Special_Cases.

Do you have upload rights for this, Timo?

Revision history for this message

Timo Aaltonen (tjaalton) wrote on 2018-03-28:

#5

I'm a core-dev, so yes

Revision history for this message

Timo Aaltonen (tjaalton) wrote on 2018-04-09:

#6

I've uploaded 1.16.1-1u1 for bionic, the list of bugfixes makes it worth it

In general, the first point-release to sssd usually have some new features too, but the focus is still on bugfixes.

Changed in sssd (Ubuntu):
assignee:	nobody → Timo Aaltonen (tjaalton)

Revision history for this message

Jim Campbell (jwcampbell) wrote on 2018-04-09:

#7

Thank you Timo, Andreas and Simon. This is a big help to us.

Timo Aaltonen (tjaalton) on 2018-04-09

summary:

- Please update to 1.16.1 for bionic
+ FFE: Please update to 1.16.1 for bionic

Timo Aaltonen (tjaalton) on 2018-04-09

description:

updated

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-04-09:

#8

This bug was fixed in the package sssd - 1.16.1-1ubuntu1

---------------
sssd (1.16.1-1ubuntu1) bionic; urgency=medium

* Merge from Debian. (LP: #1754746)
* d/p/restart_providers_on_timeshift.patch: Dropped, upstream.

sssd (1.16.1-1) unstable; urgency=medium

  * New upstream release.
  * common.dirs, common.postinst: Add dir for secrets with correct
    permissions. (Closes: #892315)
  * common: Add support for Fleet Commander, create deskprofile dir with
    correct permissions.
  * control: Add libgdm-dev to build-depends to support multiple
    certificates.
  * control, rules, common.install: Add support for systemtap.
  * control: Bump policy to 4.1.3, no changes.

-- Timo Aaltonen <email address hidden> Mon, 09 Apr 2018 13:45:29 +0300

Changed in sssd (Ubuntu):
status:	Triaged → Fix Released

Ubuntu
sssd package

FFE: Please update to 1.16.1 for bionic

Bug Description

Other bug subscribers

Remote bug watches

Ubuntusssd package

FFE: Please update to 1.16.1 for bionic

Bug Description

Other bug subscribers

Remote bug watches

Ubuntu
sssd package