sssd security, bug fix, and enhancement update

[1.13.0-40]

• Resolves: rhbz#1270827 - local overrides: don’t contact server with
  overridden name/id
  [1.13.0-39]
• Resolves: rhbz#1267837 - sssd_be crashed in ipa_srv_ad_acct_lookup_step
  [1.13.0-38]
• Resolves: rhbz#1267176 - Memory leak / possible DoS with krb auth.
  [1.13.0-37]
• Resolves: rhbz#1267836 - PAM responder crashed if user was not set
  [1.13.0-36]
• Resolves: rhbz#1266107 - AD: Conditional jump or move depends on
  uninitialised value
  [1.13.0-35]
• Resolves: rhbz#1250135 - Detect re-established trusts in the IPA
  subdomain code
  [1.13.0-34]
• Fix a Coverity warning in dyndns code
• Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead
  of processing other commands
  [1.13.0-33]
• Resolves: rhbz#1261155 - nsupdate exits on first GSSAPI error instead
  of processing other commands
  [1.13.0-32]
• Resolves: rhbz#1263735 - Could not resolve AD user from root domain
  [1.13.0-31]
• Remove -d from sss_override manpage
• Related: rhbz#1259512 - sss_override : The local override user is not found
  [1.13.0-30]
• Patches required for better handling of failover with one-way trusts
• Related: rhbz#1250135 - Detect re-established trusts in the IPA subdomain
  code
  [1.13.0-29]
• Resolves: rhbz#1263587 - sss_override --name doesn’t work with RFC2307
  and ghost users
  [1.13.0-28]
• Resolves: rhbz#1259512 - sss_override : The local override user is not found
  [1.13.0-27]
• Resolves: rhbz#1260027 - sssd_be memory leak with sssd-ad in GPO code
  [1.13.0-26]
• Resolves: rhbz#1256398 - sssd cannot resolve user names containing
  backslash with ldap provider
  [1.13.0-25]
• Resolves: rhbz#1254189 - sss_override contains an extra parameter --debug
  but is not listed in the man page or in
  the arguments help
  [1.13.0-24]
• Resolves: rhbz#1254518 - Fix crash in nss responder
  [1.13.0-23]
• Support import/export for local overrides
• Support FQDNs for local overrides
• Resolves: rhbz#1254184 - sss_override does not work correctly when
  ‘use_fully_qualified_names = True’
  [1.13.0-22]
• Resolves: rhbz#1244950 - Add index for ‘objectSIDString’ and maybe to
  other cache attributes
  [1.13.0-21]
• Resolves: rhbz#1250415 - sssd: p11_child hardening
  [1.13.0-20]
• Related: rhbz#1250135 - Detect re-established trusts in the IPA
  subdomain code
  [1.13.0-19]
• Resolves: rhbz#1202724 - [RFE] Add a way to lookup users based on CAC
  identity certificates
  [1.13.0-18]
• Resolves: rhbz#1232950 - [IPA/IdM] sudoOrder not honored as expected
  [1.13.0-17]
• Fix wildcard_limit=0
• Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface
  [1.13.0-16]
• Fix race condition in invalidating the memory cache
• Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups
  [1.13.0-15]
• Resolves: rhbz#1249015 - KDC proxy not working with SSSD krb5_use_kdcinfo
  enabled
  [1.13.0-14]
• Bump release number
• Related: rhbz#1246489 - sss_obfuscate fails with ‘ImportError: No module
  named pysss’
  [1.13.0-13]
• Fix missing dependency of sssd-tools
• Resolves: rhbz#1246489 - sss_obfuscate fails with ‘ImportError: No module
  named pysss’
  [1.13.0-12]
• More memory cache related fixes
• Related: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups
  [1.13.0-11]
• Remove binary blob from SC patches as patch(1) can’t handle those
• Related: rhbz#854396 - [RFE] Support for smart cards
  [1.13.0-10]
• Resolves: rhbz#1244949 - getgrgid for user’s UID on a trust client
  prevents getpw*
  [1.13.0-9]
• Fix memory cache integration tests
• Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups
• Resolves: rhbz#854396 - [RFE] Support for smart cards
  [1.13.0-8]
• Remove OTP from PAM stack correctly
• Related: rhbz#1200873 - [RFE] Allow smart multi step prompting when
  user logs in with password and token code from IPA
• Handle sssd-owned keytabs when sssd runs as root
• Related: rhbz#1205144 - RFE: Support one-way trusts for IPA
  [1.13.0-7]
• Resolves: rhbz#1183747 - [FEAT] UID and GID mapping on individual clients
  [1.13.0-6]
• Resolves: rhbz#1206565 - [RFE] Add dualstack and multihomed support
• Resolves: rhbz#1187146 - If v4 address exists, will not create nonexistant
  v6 in ipa domain
  [1.13.0-5]
• Resolves: rhbz#1242942 - well-known SID check is broken for NetBIOS prefixes
  [1.13.0-4]
• Resolves: rhbz#1234722 - sssd ad provider fails to start in rhel7.2
  [1.13.0-3]
• Add support for InfoPipe wildcard requests
• Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface
  [1.13.0-2]
• Also package the initgr memcache
• Related: rhbz#1205554 - Rebase SSSD to 1.13.x
  [1.13.0-1]
• Rebase to 1.13.0 upstream
• Related: rhbz#1205554 - Rebase SSSD to 1.13.x
• Resolves: rhbz#910187 - [RFE] authenticate against cache in SSSD
• Resolves: rhbz#1206575 - [RFE] The fast memory cache should cache initgroups
  [1.13.0.3alpha]
• Don’t default to SSSD user
• Related: rhbz#1205554 - Rebase SSSD to 1.13.x
  [1.13.0.2alpha]
• Related: rhbz#1205554 - Rebase SSSD to 1.13.x
• GPO default should be permissve
  [1.13.0.1alpha]
• Resolves: rhbz#1205554 - Rebase SSSD to 1.13.x
• Relax the libldb requirement
• Resolves: rhbz#1221992 - sssd_be segfault at 0 ip sp error 6 in
  libtevent.so.0.9.21
• Resolves: rhbz#1221839 - SSSD group enumeration inconsistent due to
  binary SIDs
• Resolves: rhbz#1219285 - Unable to resolve group memberships for AD
  users when using sssd-1.12.2-58.el7_1.6.x86_64
  client in combination with
  ipa-server-3.0.0-42.el6.x86_64 with AD Trust
• Resolves: rhbz#1217559 - [RFE] Support GPOs from different domain controllers
• Resolves: rhbz#1217350 - ignore_group_members doesn’t work for subdomains
• Resolves: rhbz#1217127 - Override for IPA users with login does not list
  user all groups
• Resolves: rhbz#1216285 - autofs provider fails when default_domain_suffix
  and use_fully_qualified_names set
• Resolves: rhbz#1214719 - Group resolution is inconsistent with group
  overrides
• Resolves: rhbz#1214718 - Overridde with --login fails trusted adusers
  group membership resolution
• Resolves: rhbz#1214716 - idoverridegroup for ipa group with --group-name
  does not work
• Resolves: rhbz#1214337 - Overrides with --login work in second attempt
• Resolves: rhbz#1212489 - Disable the cleanup task by default
• Resolves: rhbz#1211830 - external users do not resolve with
  ‘default_domain_suffix’ set in IPA server sssd.conf
• Resolves: rhbz#1210854 - Only set the selinux context if the context
  differs from the local one
• Resolves: rhbz#1209483 - When using id_provider=proxy with
  auth_provider=ldap, it does not work as expected
• Resolves: rhbz#1209374 - Man sssd-ad(5) lists Group Policy Management
  Editor naming for some policies but not for all
• Resolves: rhbz#1208507 - sysdb sudo search doesn’t escape special characters
• Resolves: rhbz#1206571 - [RFE] Expose D-BUS interface
• Resolves: rhbz#1206566 - SSSD does not update Dynamic DNS records if
  the IPA domain differs from machine hostname’s
  domain
• Resolves: rhbz#1206189 - [bug] sssd always appends default_domain_suffix
  when checking for host keys
• Resolves: rhbz#1204203 - sssd crashes intermittently
• Resolves: rhbz#1203945 - [FJ7.0 Bug]: getgrent returns error because
  sss is written in nsswitch.conf as default
• Resolves: rhbz#1203642 - GPO access control looks for computer object
  in user’s domain only
• Resolves: rhbz#1202245 - SSSD’s HBAC processing is not permissive enough
  with broken replication entries
• Resolves: rhbz#1201271 - sssd_nss segfaults if initgroups request is by
  UPN and doesn’t find anything
• Resolves: rhbz#1200873 - [RFE] Allow smart multi step prompting when
  user logs in with password and token code from IPA
• Resolves: rhbz#1199541 - Read and use the TTL value when resolving a
  SRV query
• Resolves: rhbz#1199533 - [RFE] Implement background refresh for users,
  groups or other cache objects
• Resolves: rhbz#1199445 - Does sssd-ad use the most suitable attribute
  for group name?
• Resolves: rhbz#1198477 - ccname_file_dummy is not unlinked on error
• Resolves: rhbz#1187103 - [RFE] User’s home directories are not taken
  from AD when there is an IPA trust with AD
• Resolves: rhbz#1185536 - In ipa-ad trust, with ‘default_domain_suffix’ set
  to AD domain, IPA user are not able to log unless
  use_fully_qualified_names is set
• Resolves: rhbz#1175760 - [RFE] Have OpenLDAP lock out ssh keys when
  account naturally expires
• Resolves: rhbz#1163806 - [RFE]ad provider dns_discovery_domain option:
  kerberos discovery is not using this option
• Resolves: rhbz#1205160 - Complain loudly if backend doesn’t start due
  to missing or invalid keytab
  [1.12.2-61]
• Resolves: rhbz#1226119 - Properly handle AD’s binary objectGUID
  [1.12.2-60]
• Filter out domain-local groups during AD initgroups operation
• Related: rhbz#1201840 - SSSD downloads too much information when fetching
  information about groups
  [1.12.2-59]
• Resolves: rhbz#1201840 - SSSD downloads too much information when fetching
  information about groups