FFE: sssd 1.5.8 -> 1.5.13

Bug #860297 reported by Timo Aaltonen on 2011-09-27
16
This bug affects 2 people
Affects Status Importance Assigned to Milestone
sssd (Ubuntu)
Wishlist
Unassigned

Bug Description

There is a new release available from the stable branch. The latest one was released in 2011-08-29, so no showstoppers in there whereas the current version has a few.

Here's a breakup of the release notes from each one since 1.5.8. So while there are a couple of new features, they are more for admin flexibility or related to FreeIPA (which is not packaged).

1.5.9:
New Features

    Support for overriding home directory, shell and primary GID locally
    Properly honor TTL values from SRV record lookups
    Support non-POSIX groups in nested group chains (for RFC2307bis LDAP servers)

Important Bugfixes

    Properly escape IPv6 addresses in the failover code
    Do not crash if inotify fails (e.g. resource exhaustion)
    Don't add multiple TGT renewal callbacks (too many log messages)

1.5.10:
    Fixed a regression introduced in 1.5.9 that could result in blocking calls to LDAP
1.5.11:
    Fix a serious regression that prevented SSSD from working with ldaps:// URIs
    IPA Provider: Fix a bug with dynamic DNS that resulted in the wrong IPv6 address being saved to the AAAA record.
1.5.12:
    Fixes a regression introduced in 1.5.11 with hostname resolution
    Fixes an issue where sssd_pam would leak file descriptors until resource exhaustion
    Complete rewrite of the FreeIPA Host-Based Access Control (HBAC) resolver
    New shared library for HBAC access-control
    Fixes for password expiration handling with LDAP auth
    New option to veto certain centrally-managed shells (Patch by John Hodrien)
1.5.13:
    Fixes a serious issue with LDAP connections when the communication is dropped (e.g. VPN disconnection, waking from sleep)
    SSSD is now less strict when dealing with users/groups with multiple names when a definitive primary name cannot be determined
    The LDAP provider will no longer attempt to canonicalize by default when using SASL. An option to re-enable this has been provided.
    Fixes for non-standard LDAP attribute names (e.g. those used by Active Directory)
    Three HBAC regressions have been fixed.

Timo Aaltonen (tjaalton) on 2011-09-27
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in sssd (Ubuntu):
status: New → Confirmed
Timo Aaltonen (tjaalton) wrote :

Hmm, hit some issues with the packaging failing to run dpkg-shlibdeps.

Changed in sssd (Ubuntu):
status: Confirmed → Incomplete
Timo Aaltonen (tjaalton) wrote :

Ok, new version builds fine, and functionality was tested by upstream.

Changed in sssd (Ubuntu):
importance: Undecided → Wishlist
status: Incomplete → Confirmed
status: Confirmed → New
Timo Aaltonen (tjaalton) wrote :

Build log available

https://launchpad.net/~tjaalton/+archive/ppa/+build/2809244/+files/buildlog_ubuntu-oneiric-amd64.sssd_1.5.13-0%7Etja2_BUILDING.txt.gz

and diffstat from changes to the debian-directory:

 changelog | 24 ++
 control | 5
 libpam-sss.pam-auth-update | 2
 patches/00list | 2
 patches/fix-configure.dpatch | 20 +
 patches/fix-python-api-path.dpatch | 389 +++++++++++++++++++++++++++++++++++++
 rules | 4
 sssd.default | 2
 sssd.init | 3
 sssd.install | 3
 sssd.upstart | 12 -
 11 files changed, 454 insertions(+), 12 deletions(-)

(fix-python-api-path.dpatch just changes a bunch of path strings)

Timo Aaltonen (tjaalton) wrote :

bug 860488 is affecting all versions we've had (local users not being able to log in if sssd is not running, due to missing pam_localuser in common-account), the version above doesn't have the needed change to libpam-sss.pam-auth-update yet.

Timo Aaltonen (tjaalton) wrote :

current changelog snippet for reference

  * FFE: New upstream release. (LP: #860297)
  * Rebuild against current libldb1, and use the multiarch path
    for libldb modules. (LP: #746981)
  * sssd.default:
    - Move the option to run as daemon here.
    - Add option that makes the daemon to use logfiles. (LP: #859602)
  * sssd.upstart:
    - Don't start before net-device-up. (LP: #812943)
    - Source /etc/default/sssd. (LP: #812943)
  * rules: Install the Python API files to /usr/share/sssd, as discussed
    with upstream. (LP: #859611)
  * fix-python-api-path.dpatch: Use the new location for the API files.
    (LP: #859611)
  * libpam-sss.pam-auth-update: Add 'forward_pass' to fix pam_ecryptfs
    (LP: #826643)
  * control: sssd now Recommends libpam-sss and libnss-sss, since sssd is
    mostly useless without them. (LP: #767337)
  * control: Add libunistring-dev to build-depends.
  * sssd.install: Include libipa_hbac.so*.

Dave Walker (davewalker) wrote :

@Timo, thanks for the report. Please can you add rational why this new upstream version is better than cherry-picking specific fixes please?

Timo Aaltonen (tjaalton) wrote :

Dave: not the right answer, but less work for me this way :)

One option is to skip the FFE and just get the packaging changes for oneiric.

Iain Lane (laney) wrote :

The repeated mention of regressions in the upstream changelog concerns me; I'd like to see evidence of some thorough testing before considering the FFe.

Otherwise cherry-picks / packaging fixes + doing the upstream update early in P would make me more comfortable.

Timo Aaltonen (tjaalton) wrote :

Marko Myllynen (upstrem dev, subscribed here) tested it against FreeIPA, and we debugged the package live on irc. As I said, the current version has been around for over a month, and the stable tree has no important patches to fix regressions etc. But either way, I just want to get something in :)

SSSD 1.5.9 saw a large series of changes to our LDAP code, mostly to be able to better support Active Directory as an identity source. However, we had to quickly turn out 1.5.10 and 1.5.11 as we discovered that the new features were breaking some existing configurations.

The 1.5.12 release saw a complete rewrite to the HBAC code (support for SSSD acting as a client to a FreeIPA server) due to late changes to the FreeIPA HBAC (host-based access control) design. We then needed to release 1.5.13 to address a few regressions discovered during the HBAC rewrite. It also included a bugfix to a long-standing issue seen when waking from a sleep that disconnected a VPN.

SSSD 1.5.x is our current long-term maintenance release, which means that upstream will continue to support it with bugfixes and new features for at least one year, and security fixes for at least two (or one year after RHEL no longer ships a 1.5.x release, whichever comes later).

I'll admit that we had a bit of a rough period between 1.5.9 and 1.5.12, but in general the latest releases are working well. It's also worth noting that 1.5.x contains the set of fixes being tested by Red Hat QA for inclusion in RHEL.

Iain Lane (laney) wrote :

Where can I download the proposed new packaging? Can I see a diff of the debian/ directory please?

On Thu, 29 Sep 2011, Iain Lane wrote:

> Where can I download the proposed new packaging? Can I see a diff of the
> debian/ directory please?

roughly the same version is on my ppa, i've only done a small addition to
the libpam-sss.pam-auth-update -file to actually allow local users logging
in (a bug in the current package as well)

i can provide the real diff when i get back home :)

Timo Aaltonen (tjaalton) wrote :

Ian: diff attached.

Timo Aaltonen (tjaalton) wrote :

ok, so the previous diff didn't have 'forward_pass', but this one does.

Iain Lane (laney) wrote :

Looks like it fixes a lot of bugs and has the approval of upstream; approved by ubuntu-release subject to reverting the priority change as discussed on IRC.

Please consider subscribing to LP bugs for the package. :-)

Changed in sssd (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.5.13-0ubuntu1

---------------
sssd (1.5.13-0ubuntu1) oneiric; urgency=low

  * FFE: New upstream release. (LP: #860297)
    - control: Add libunistring-dev to build-depends.
    - sssd.install: Include libipa_hbac.so*.
  * Rebuild against current libldb1, and use the multiarch path
    for libldb modules. (LP: #746981)
  * sssd.default:
    - Move the option to run as daemon here.
    - Add option that makes the daemon to use logfiles. (LP: #859602)
  * sssd.upstart:
    - Don't start before net-device-up. (LP: #812943)
    - Source /etc/default/sssd. (LP: #812943)
  * rules: Install the Python API files to /usr/share/sssd, as discussed
    with upstream. (LP: #859611)
  * fix-python-api-path.dpatch: Use the new location for the API files.
    (LP: #859611)
  * libpam-sss.pam-auth-update:
    - Add 'forward_pass' to auth stack to fix ecryptfs mounts. (LP: #826643)
    - Add pam_localuser.so to account stack to allow local users to log in.
      (LP: #860488)
  * control: sssd now Recommends libpam-sss and libnss-sss, since sssd is
    mostly useless without them. (LP: #767337)
 -- Timo Aaltonen <email address hidden> Tue, 27 Sep 2011 06:03:41 +0300

Changed in sssd (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers