This bug was fixed in the package sssd - 1.9.0~beta6-0ubuntu1 --------------- sssd (1.9.0~beta6-0ubuntu1) quantal; urgency=low * Merge from unreleased debian git. (LP: #1012900) sssd (1.9.0~beta6-1) UNRELEASED; urgency=low * New upstream prerelease 1.9.0beta6. Highlights: - Add native support for autofs to the IPA provider - Support for ID-mapping when connecting to Active Directory - Support for handling very large (> 1500 users) groups in Active Directory - Support for sub-domains (will be used for dealing with trust relationships) - Add a new fast in-memory cache to speed up lookups of cached data on repeated requests - Add support for the Kerberos DIR cache for storing multiple TGTs automatically - Major performance enhancement when storing large groups in the cache - Major performance enhancement when performing initgroups() against Active Directory - SSSDConfig data file default locations can now be set during configure for easier packaging - Add a new PAC responder for dealing with cross-realm Kerberos trusts - Terminate idle connections to the NSS and PAM responders - Switch from libunistring to glib2 for unicode support - Add a new AD provider to improve integration with Active Directory 2008 R2 or later servers - SUDO integration was completely rewritten. The new implementation works with multiple domains and uses an improved refresh mechanism to download only the necessary rules - The IPA authentication provider now supports subdomains - Fixed regression for setups that were setting default_tkt_enctypes manually by reverting a previous workaround. - Many fixes for the support for setting default SELinux user context from FreeIPA, most notably fixed the specificity evaluation - Fixed an incorrect default in the krb5_canonicalize option of the AD provider which was preventing password change operation - The shadowLastChange attribute value is now correctly updated with the number of days since the Epoch, not seconds - A new option, override_shell was added. If this option is set, all users managed by SSSD will have their shell set to its value. - Many fixes for the support for setting default SELinux user context from FreeIPA. Most notably, the SELinux mappings can now link to HBAC rules as the source of users and hosts they apply to. - Fixed a regression introduced in beta 5 that prevented LDAP SASL binds from working unless the value of ldap_sasl_minssf was explicitly specified. - The SSSD supports the concept of a Primary Server and a Back Up Server. Certain servers in the fail over list can be marked as back up only. If the SSSD switches to a back up server because a primary server is not available, it would later try to re-establish a connection to the primary server. This feature would mainly benefit users who configure fail over servers from different data centers or geographies. - A new command-line tool sss_seed is available. This tool is able to prime the internal cache with a user record and a cached password to support the scenario when a user needs to log in to the client before the network connection to the centralized identity source is established, such as the first log in to a new machine. - In scenarios, where the SSSD is acting as an IPA client, it is able to discover and save the DNS domain-Kerberos realm mappings between an IPA server and a trusted Active Directory server. * Update the packaging for the new version, thanks Esko Järnfors! - Add libsss-idmap0, libsss-idmap-dev packages - Add sssd Depends on libsss-idmap0 - Add /var/lib/sss/mc directory for the new mmap cache * Added fix-CVE-2012-3462.diff from upstream git. * control: Drop libunistring-dev from build-depends and add libglib2.0-dev for unicode support. * sssd.install, sssd-tools.install: Add sssd-ad.5*, sssd-sudo.5* to sssd.install, and sss_seed{,.8*) to sssd-tools. * python-sss.install: py-files got moved under SSSDConfig. * control, rules: Use default build flags, bump dpkg-dev build-dep to 1.16.1~. * Bump libsss-sudo soname. * rules: Install the apparmor profile with -m644. sssd (1.8.4-2) UNRELEASED; urgency=low * rules: Fix the current date format, and move the date mangling to happen before dh_install is run. (Closes: #670019) * sssd.{preinst,postrm}: Install the apparmor profile in force-complain mode on install, and remove the profile directory on purge (if empty). Also migrate from previous setup which installed it as disabled. -- Timo Aaltonen