ELSA-2019-2177 (Oracle Linux)

sssd security, bug fix, and enhancement update

Published: 2019-08-13 00:00:00
Source: linux.oracle.com

CVSS3: 5.4 Medium
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: LOW
  Integrity Impact: LOW
  Availability Impact: NONE
  Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVSS2: 5.5 Medium
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: NONE
  Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N

EPSS: 0.001 Low
  Percentile: 50.0%

[1.16.4-21]
  • Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization
  • Rebuild japanese gmo file explicitly

[1.16.4-20]
  • Resolves: rhbz#1714952 - [sssd] RHEL 7.7 Tier 0 Localization

[1.16.4-19]
  • Resolves: rhbz#1707959 - sssd does not properly check GSS-SPNEGO

[1.16.4-18]
  • Resolves: rhbz#1710286 - The server error message is not returned if
    password change fails

[1.16.4-17]
  • Resolves: rhbz#1711832 - The files provider does not handle resetOffline
    properly

[1.16.4-16]
  • Resolves: rhbz#1707759 - Error accessing files on samba share randomly

[1.16.4-15]
  • Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover
    subdomains / trusts

[1.16.4-14]
  • Resolves: rhbz#1684979 - The HBAC code requires dereference to be enabled
    and fails otherwise

[1.16.4-12]
  • Resolves: rhbz#1576524 - RHEL STIG pointing sssd Packaging issue
    - This was partially fixed by the rebase, but one
      spec file change was missing.

[1.16.4-12]
  • Resolves: rhbz#1524566 - FIPS mode breaks using pysss.so (sss_obfuscate)

[1.16.4-11]
  • Resolves: rhbz#1350012 - kinit / sssd kerberos fail over
  • Resolves: rhbz#720688 - [RFE] return multiple server addresses to the
    Kerberos locator plugin

[1.16.4-10]
  • Resolves: rhbz#1402056 - [RFE] Make 2FA prompting configurable

[1.16.4-9]
  • Resolves: rhbz#1666819 - SSSD can trigger a NSS lookup when parsing the
    filter_users/groups lists on startup, this can
    block the startup

[1.16.4-8]
  • Resolves: rhbz#1645461 - Slow ldb search causes blocking during startup
    which might cause the registration to time out

[1.16.4-7]
  • Resolves: rhbz#1685581 - Extend cached_auth_timeout to cover
    subdomains / trusts

[1.16.4-6]
  • Resolves: rhbz#1671138 - User is unable to perform sudo as a user on IPA
    Server, even though ‘sudo -l’ shows permissions
    to do so

[1.16.4-5]
  • Resolves: rhbz#1657806 - [RFE]: Optionally disable generating auto private
    groups for subdomains of an AD provider

[1.16.4-4]
  • Resolves: rhbz#1641131 - [RFE] Need an option in SSSD so that it will skip
    GPOs that have groupPolicyContainers, unreadable
    by SSSD.
  • Resolves: rhbz#1660874 - CVE-2018-16838 sssd: improper implementation of
    GPOs due to too restrictive permissions [rhel-7]

[1.16.4-3]
  • Resolves: rhbz#1631656 - KCM: kinit: Matching credential not found while
    getting default ccache

[1.16.4-2]
  • Resolves: rhbz#1406678 - sssd service is starting before network service
  • Resolves: rhbz#1616853 - SSSD always boots in Offline mode

[1.16.4-1]
  • Resolves: rhbz#1658994 - Rebase SSSD to 1.16.x

[1.16.2-17]
  • Resolves: rhbz#1603311 - Enable generating user private groups only for
    users with uid == gid where gid does not
    correspond to a real LDAP group

[1.16.2-16]
  • Resolves: rhbz#1602172 - SSSDs LDAP authentication provider does not work
    if ID provider is authenticated with GSSAPI

[1.16.2-15]
  • Resolves: rhbz#1622109 - SSSD not fetching all sudo rules from AD

[1.16.2-14]
  • Resolves: rhbz#1619706 - sssd only sets the SELinux login context if it
    differs from the default
