
Releases: SSSD/sssd

sssd-2.9.9

30 Apr 13:24
2.9.9
6017c65

See full release notes here.

What's Changed

  • [autobackport: sssd-2-9] Config rules: allow 'ldap_subuid_*' attrs by @sssd-bot in #8404
  • CHILD HELPERS: use less severe debug level -- sssd-2.9 backport by @alexey-tikhonov in #8433
  • [autobackport: sssd-2-9] man: add details about 'an2ln' by @sssd-bot in #8434
  • [autobackport: sssd-2-9] Test: Update misc ipa tests to work correctly on stig by @sssd-bot in #8424
  • [autobackport: sssd-2-9] sdap: do not require GID for non-POSIX group by @sssd-bot in #8455
  • [autobackport: sssd-2-9] Bunch of assorted perf improvements of hot path functions by @sssd-bot in #8458
  • [autobackport: sssd-2-9] Fix compilation errors by @sssd-bot in #8476
  • [autobackport: sssd-2-9] tests: Fix test_sudo__case_sensitive_false: use /bin/ls and /bin/cat instead of less/more by @sssd-bot in #8478
  • [autobackport: sssd-2-9] sdap: eliminate O(N^2) loop in sdap_add_incomplete_groups() by @sssd-bot in #8477
  • [autobackport: sssd-2-9] LDAP: free tmp var within the loop by @sssd-bot in #8488
  • [autobackport: sssd-2-9] ci: bump actions/upload-artifact from 6 to 7 by @sssd-bot in #8499
  • [autobackport: sssd-2-9] memberOf plugin :: mbof_add_operation() optimizations by @sssd-bot in #8507
  • [autobackport: sssd-2-9] Use macro rather than shell expansion for string processing in spec file by @sssd-bot in #8520
  • [autobackport: sssd-2-9] KRB5: fix mem leak in authenticate_stored_users() by @sssd-bot in #8537
  • [autobackport: sssd-2-9] SDAP: reduce logger load in the hot paths by @sssd-bot in #8549
  • [autobackport: sssd-2-9] KRB5: log level adjusted by @sssd-bot in #8550
  • [autobackport: sssd-2-9] adding subid test by @sssd-bot in #8294
  • [autobackport: sssd-2-9] Generalize combined user and group lookup by @sssd-bot in #8526
  • [autobackport: sssd-2-9] memberOf plugin: mbof_append_muop() optimization by @sssd-bot in #8560
  • [autobackport: sssd-2-9] memberOf plugin: avoid ldb_dn_compare() in mbof_append_addop() by @sssd-bot in #8559
  • [autobackport: sssd-2-9] ci: bump crazy-max/ghaction-import-gpg from 6.3.0 to 7.0.0 by @sssd-bot in #8576
  • [autobackport: sssd-2-9] KCM: fix use-after-free in kcm_read_options() by @sssd-bot in #8594
  • [autobackport: sssd-2-9] Fix contents of release tarball by @sssd-bot in #8593
  • Tests: Add sleep time in multihost test by @madhuriupadhye in #8597
  • [autobackport: sssd-2-9] Fix spelling in AD provider code comments by @sssd-bot in #8589
  • [autobackport: sssd-2-9] Improve the performance when using enumeration by @sssd-bot in #8558
  • [autobackport: sssd-2-9] Add missing include by @sssd-bot in #8603
  • [autobackport: sssd-2-9] Automatically generate release notes when creating new release by @sssd-bot in #8598
  • [backport] Tests: Housekeeping and Clean Sweep of Sevice/Logging suite by @jakub-vavra-cz in #8609
  • [autobackport: sssd-2-9] pam: apply SIDs from PAC to authentication indicators by @sssd-bot in #8618
  • [autobackport: sssd-2-9] dp_target_id.c: Fix typo "lenght" -> "length" by @sssd-bot in #8627
  • [autobackport: sssd-2-9] pam: fix out-of-bounds read in pam_passkey_child_read_data by @sssd-bot in #8623
  • [autobackport: sssd-2-9] pam: gate PAC indicator code on BUILD_SAMBA by @sssd-bot in #8628
  • [autobackport: sssd-2-9] More trivial spelling/grammatical fixes by @sssd-bot in #8600
  • [autobackport: sssd-2-9] IPA: memory leak fixed by @sssd-bot in #8637
  • [autobackport: sssd-2-9] tests: mark KCM TGT renewal test as flaky by @sssd-bot in #8642
  • [autobackport: sssd-2-9] tests: reorganize infopipe tests by interface by @sssd-bot in #8460
  • [autobackport: sssd-2-9] tests: poll for KCM TGT renewal instead of fixed sleep by @sssd-bot in #8656
  • Translations update from Fedora Weblate by @weblate in #8539

Full Changelog: 2.9.8...2.9.9

sssd-2.13.0

27 Apr 13:22
2.13.0
d1329f9

See full release notes here.

Full Changelog: 2.12.0...2.13.0

sssd-2.9.8

21 Jan 13:51
2.9.8
ac7e8c5

See full release notes here.

While we plan to maintain this branch providing critical bug fixes upstream, we don't commit to regular releases off this branch going forward. We recommend switching to the latest upstream release 2.12.0.

What's Changed

  • [autobackport: sssd-2-9] ci: fix dependabot.yml schema validation by @sssd-bot in #8167
  • [autobackport: sssd-2-9] [autobackport: sssd-2-10] build(deps): bump actions/upload-artifact from 4 to 5 by @sssd-bot in #8197
  • Tests: Add umockdev and virtsmarcard as test dependencies by @jakub-vavra-cz in #8165
  • [autobackport: sssd-2-9] [autobackport: sssd-2-10] ci: run long jobs only if Accepted label is not set by @sssd-bot in #8199
  • [autobackport: sssd-2-9] man: Clarify the user_attributes option by @sssd-bot in #8208
  • [autobackport: sssd-2-9] ipa: filter DNs for ipa_add_trusted_memberships_send() by @sssd-bot in #8209
  • [autobackport: sssd-2-9] tests: add test_pac_responder.py by @sssd-bot in #8206
  • [autobackport: sssd-2-9] Dont store gid 0 for non-posix groups by @sssd-bot in #8184
  • [autobackport: sssd-2-9] fixing and making automatic kcm renewal test more forgiving by @sssd-bot in #8232
  • [autobackport: sssd-2-9] SPEC: require reasonably up to date 'libldb' version by @sssd-bot in #8242
  • [autobackport: sssd-2-9] Test migration sssctl by @sssd-bot in #8234
  • [autobackport: sssd-2-9] krb5_child: use ERR_CHECK_NEXT_AUTH_TYPE instead of EAGAIN by @sssd-bot in #8229
  • [autobackport: sssd-2-9] Filter IPv6 addresses not suitable for DNS updates by @sssd-bot in #8249
  • Tests:cache_credentials = true not working for 2-9 by @shridhargadekar in #8032
  • [autobackport: sssd-2-9] SUBID: add LDAP provider support by @sssd-bot in #8253
  • [autobackport: sssd-2-9] ipa: check for empty trusts in ipa_get_trust_type() by @sssd-bot in #8257
  • [autobackport: sssd-2-9] CONFIG: disable 'session_provider' by default by @sssd-bot in #8260
  • [autobackport: sssd-2-9] Tests: ADuser external group cache update by @sssd-bot in #8247
  • [autobackport: sssd-2-9] tests: add pysss_nss_idmap system test by @sssd-bot in #8189
  • [autobackport: sssd-2-9] intg: remove test_session_recording.py by @sssd-bot in #8268
  • [autobackport: sssd-2-9] IPA: remove 'ipa_enable_dns_sites' option by @sssd-bot in #8273
  • [autobackport: sssd-2-9] intg: remove ent_test.py by @sssd-bot in #8286
  • Passkey local fix and improvements - backport sssd-2-9 by @justin-stephenson in #8276
  • [autobackport: sssd-2-9] tests: Add incomplete triples and complex hierarchy netgroup tests by @sssd-bot in #8281
  • [autobackport: sssd-2-9] ipa trust bugfix and improvement of handling unknown trust type error by @sssd-bot in #8274
  • [autobackport: sssd-2-9] Replacing provider conditionals with set_server method by @sssd-bot in #8220
  • [autobackport: sssd-2-9] Fix for test_access_control_simple__permits_user_login_based_on_group samba failure by @sssd-bot in #8293
  • [autobackport: sssd-2-9] sbus: defer notification callbacks by @sssd-bot in #8265
  • [autobackport: sssd-2-9] tests: Add netgroup offline and nested hierarchy by @sssd-bot in #8303
  • [autobackport: sssd-2-9] SSSCTL: config-check: do not return an error if snippets directory does not exists by @sssd-bot in #8310
  • [autobackport: sssd-2-9] KCM: root can't access arbitrary KCM cache by @sssd-bot in #8311
  • [autobackport: sssd-2-9] SSSD on IPA should fail with short names by @sssd-bot in #8302
  • spec: clarify description of sssd-idp package by @sumit-bose in #8317
  • [autobackport: sssd-2-9] pac: fix issue with pac_check=no_check by @sssd-bot in #8327
  • [autobackport: sssd-2-9] test: check is an2ln plugin is disabled or not by @sssd-bot in #8204
  • [autobackport: sssd-2-9] ci: bump actions/checkout from 4 to 6 by @sssd-bot in #8334
  • [autobackport: sssd-2-9] ci: bump actions/upload-artifact from 5 to 6 by @sssd-bot in #8338
  • [autobackport: sssd-2-9] ipa s2n: do not try to update user-private-group by @sssd-bot in #8347
  • [autobackport: sssd-2-9] tests: python black 26.1.0 style changes by @sssd-bot in #8385
  • [autobackport: sssd-2-9] SBUS: increase SBUS_MESSAGE_TIMEOUT to 5 mins by @sssd-bot in #8380
  • [autobackport: sssd-2-9] cache_req: use sysdb_search_user_by_upn_with_view_res() by @sssd-bot in #8323
  • [autobackport: sssd-2-9] Tests: Add missing infopipe tests to remaining branched by @sssd-bot in #8377

Full Changelog: 2.9.7...2.9.8

sssd-2.12.0

15 Jan 10:39
2.12.0
1a1cf16

See full release notes here.

Full Changelog: 2.11.0...2.12.0

sssd-2.11.1

31 Jul 11:14
2.11.1

SSSD 2.11.1 Release Notes

This is a minor bugfix update.

Fixed Issues

  • #7921 - AD user in external group is not cleared when expiring the cache
  • #7968 - cache_credentials = true not working in sssd master
  • #8005 - Socket activation doesn't work for 'sssd_pam'

See full release notes here.

sssd-2.11.0

05 Jun 09:16
2.11.0

SSSD 2.11.0 Release Notes

Highlights

General information

  • The deprecated tool sss_ssh_knownhostsproxy was finally removed, together
    with the ./configure option --with-ssh-known-host-proxy used to build it.
    It is now replaced by a stub which displays an error message. Instead of this
    tool, you must now use sss_ssh_knownhosts. Please check the
    sss_ssh_knownhosts(1) man page for detailed information.
  • Support for the previously deprecated sssd.conf::user option
    (--with-conf-service-user-support ./configure option) was removed.
  • When both IPv4 and IPv6 address families are resolvable but the primary
    family is blocked by a firewall, SSSD attempts to connect to the server
    over the secondary family.
  • SSSD no longer checks the NSCD configuration during startup to warn about
    a potential conflict.
  • Previously deprecated --with-files-provider configure option and thus
    support of id_provider = files were removed.
  • The previously deprecated --with-libsifp configure option and the
    'sss_simpleifp' library were removed.
  • krb5-child-test was removed. The corresponding tests under src/tests/system/
    are intended to provide comprehensive test coverage of krb5_child
    functionality.
  • SSSD no longer creates missing path components of DIR:/FILE: ccache types
    while acquiring the user's TGT. The parent directory of the requested ccache
    directory must exist and the user trying to log in must have rwx access to
    it. This matches the behavior of kinit.
  • DNS over TLS (DoT) for dynamic DNS updates is now supported. It requires a
    newer nsupdate from BIND 9.19+.
  • The option default_domain_suffix is deprecated. Consider using the more
    flexible domain_resolution_order instead.

New features

  • New generic id and auth provider for Identity Providers (IdPs); as a start,
    Keycloak and Entra ID are supported. Given suitable credentials this provider
    can read users and groups from IdPs and can authenticate IdP users with the
    help of the OAuth 2.0 Device Authorization Grant (RFC 8628).
  • SSSD IPA provider now supports IPA subdomains, not only Active Directory. This
    IPA subdomain support will enable SSSD support of IPA-IPA Trust feature, the
    full usable feature coming in a later FreeIPA release. Trusted domain
    configuration options are specified in the sssd-ipa man page.

Important fixes

  • sssd_kcm memory leak was fixed.
  • If the ssh responder is not running, sss_ssh_knownhosts will not fail (but
    it will not return the keys).

Packaging changes

  • Important note for downstream maintainers.

    A set of capabilities required by privileged binaries was further reduced to:

    krb5_child cap_dac_read_search,cap_setgid,cap_setuid=p
    ldap_child cap_dac_read_search=p
    selinux_child cap_setgid,cap_setuid=p
    sssd_pam cap_dac_read_search=p
    

    Keep in mind that even with a limited set of fine-grained capabilities, the
    usual precautions should still be taken when packaging binaries with file
    capabilities: it is very important to make sure that they are executable
    only by root and the sssd service user. For this reason the upstream spec
    file packages them as:

    -rwxr-x---. 1 root sssd
    

    Failing to do so (i.e. allowing non-privileged users to execute those
    binaries) can expose systems that install the package to a security risk.

  • New configure option --with-id-provider-idp to enable or disable building
    SSSD's IdP id provider; it is enabled by default.

  • --with-nscd-conf ./configure option was removed.

  • Support of deprecated ad_allow_remote_domain_local_groups sssd.conf option
    isn't built by default. It can be enabled using
    --with-allow-remote-domain-local-groups ./configure option.

Configuration changes

  • The id_provider and auth_provider options support a new value idp. Details
    about how to configure the IdP provider can be found in the sssd-idp man page.
  • New optional fourth value for the AD provider configuration option
    ad_machine_account_password_renewal_opts to select the command used to
    update the keytab; currently the allowed values are adcli and realm.
  • The pam_sss.so module gained a new option named "allow_chauthtok_by_root". It
    allows changing realm password for an arbitrary user via PAM when invoked by
    root.
  • New ldap_read_rootdse option allows you to specify how SSSD will read the
    RootDSE from the LDAP server. Allowed values are "anonymous", "authenticated"
    and "never".
  • Until now the dyndns_iface option supported only "*" for all interfaces or
    exact names. With this update it is possible to use shell wildcard patterns
    (e.g. eth*, eth[01], ...).
  • ad_allow_remote_domain_local_groups option is deprecated and will be removed
    in future releases.
  • The dyndns_server option is extended so it can be in the form of a URI
    (dns+tls://1.2.3.4:853#servername). A new set of options dyndns_dot_cacert,
    dyndns_dot_cert and dyndns_dot_key allows configuring DNS-over-TLS
    communication.
  • Added exop_force value for configuration option ldap_pwmodify_mode. This
    can be used to force a password change even if no grace logins are left.
    Depending on the configuration of the LDAP server, the password change may
    still fail.

See full release notes here.

sssd-2.9.7

20 May 15:46
2.9.7

SSSD 2.9.7 Release Notes

Highlights

General information

  • When both IPv4 and IPv6 address families are resolvable but the primary family is blocked by a firewall, SSSD attempts to connect to the server over the secondary family.

New features

  • SSSD IPA provider now supports IPA subdomains, not only Active Directory. This IPA subdomain support will enable SSSD support of IPA-IPA Trust feature, the full usable feature coming in a later FreeIPA release. Trusted domain configuration options are specified in the 'sssd-ipa' man page.

Important fixes

  • 'sssd_kcm' memory leak was fixed.

Configuration changes

  • New 'ldap_read_rootdse' option allows you to specify how SSSD will read the RootDSE from the LDAP server. Allowed values are "anonymous", "authenticated" and "never".
  • Until now the dyndns_iface option supported only "*" for all interfaces or exact names. With this update it is possible to use shell wildcard patterns (e.g. eth*, eth[01], ...).

See full release notes here.

sssd-2.10.2

29 Jan 11:18
2.10.2

SSSD 2.10.2 Release Notes

Highlights

This release fixes a number of minor issues in the spec and services files,
affecting mainly rpm-ostree based systems.

Important fixes

  • If the ssh responder is not running, sss_ssh_knownhosts will not fail (but
    it will not return the keys).

  • A wrong path to a pid file in SSSD logrotate configuration snippet was
    corrected.

  • SSSD is now capable of handling multiple services associated with the same
    port.

  • sssd_pam, being a privileged binary, now clears the environment and
    doesn't allow configuration of the PR_SET_DUMPABLE flag as a precaution.

See full release notes here.

sssd-2.10.1

10 Dec 14:37
2.10.1

SSSD 2.10.1 Release Notes

Highlights

General information

  • krb5-child-test was removed. The corresponding tests under 'src/tests/system/'
    are intended to provide comprehensive test coverage of 'krb5_child'
    functionality.
  • SSSD no longer creates missing path components of DIR:/FILE: ccache types
    while acquiring the user's TGT. The parent directory of the requested ccache
    directory must exist and the user trying to log in must have 'rwx' access to
    it. This matches the behavior of 'kinit'.
  • DoT (DNS over TLS) for dynamic DNS updates is now supported. It requires a
    newer nsupdate from BIND 9.19+.
  • The option default_domain_suffix is deprecated. Consider using the more
    flexible domain_resolution_order instead.

Packaging changes

  • Important note for downstream maintainers.

    A set of capabilities required by privileged binaries was further reduced to:

    krb5_child cap_dac_read_search,cap_setgid,cap_setuid=p
    ldap_child cap_dac_read_search=p
    selinux_child cap_setgid,cap_setuid=p
    sssd_pam cap_dac_read_search=p
    

    Keep in mind that even with a limited set of fine-grained capabilities, the
    usual precautions should still be taken when packaging binaries with file
    capabilities: it is very important to make sure that they are executable
    only by root and the sssd service user. For this reason the upstream spec
    file packages them as:

    -rwxr-x---. 1 root sssd
    

    Failing to do so (i.e. allowing non-privileged users to execute those
    binaries) can expose systems that install the package to a security risk.

  • Support of deprecated 'ad_allow_remote_domain_local_groups' sssd.conf option
    isn't built by default. It can be enabled using
    '--with-allow-remote-domain-local-groups' ./configure option.
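The capability and ownership requirements in the packaging note above (the same note appears in the 2.11.0 section) can be verified on an installed system. The following POSIX shell script is an added example, not SSSD's own tooling; it assumes the helpers live under /usr/libexec/sssd (override with LIBEXEC) and that GNU stat(1) and getcap(8) from libcap are available.

```shell
#!/bin/sh
# Added example, not part of SSSD: audit the privileged helper binaries for
# exactly the file capabilities listed in the release notes and for the
# 0750 root:sssd ownership/mode the upstream spec file uses.
# Assumptions: helpers under $LIBEXEC (default /usr/libexec/sssd),
# GNU stat(1) and getcap(8) from libcap available.

# Expected capability set per helper, verbatim from the release notes.
expected_caps() {
    case "$1" in
        krb5_child)    echo "cap_dac_read_search,cap_setgid,cap_setuid=p" ;;
        ldap_child)    echo "cap_dac_read_search=p" ;;
        selinux_child) echo "cap_setgid,cap_setuid=p" ;;
        sssd_pam)      echo "cap_dac_read_search=p" ;;
        *)             return 1 ;;
    esac
}

# check_helper NAME CAPS OWNER GROUP MODE
# Pure comparison on already-collected values so it can be exercised offline.
# Returns 0 only when the caps match and the file is mode 750, root:sssd.
check_helper() {
    name=$1 caps=$2 owner=$3 group=$4 mode=$5
    want=$(expected_caps "$name") || { echo "$name: not a known helper"; return 1; }
    bad=0
    [ "$caps" = "$want" ] || { echo "$name: caps '$caps', expected '$want'"; bad=1; }
    [ "$owner" = "root" ] || { echo "$name: owner '$owner', expected root"; bad=1; }
    [ "$group" = "sssd" ] || { echo "$name: group '$group', expected sssd"; bad=1; }
    # Anything other than 750 either grants "other" execute or drops a needed bit.
    [ "$mode" = "750" ]   || { echo "$name: mode $mode, expected 750"; bad=1; }
    return $bad
}

# Gather live values for one helper and run the check. getcap prints either
# "path caps" (newer libcap) or "path = caps" (older), so take the last field.
audit_helper() {
    path="${LIBEXEC:-/usr/libexec/sssd}/$1"
    caps=$(getcap "$path" 2>/dev/null | awk '{print $NF}')
    set -- "$1" "$caps" $(stat -c '%U %G %a' "$path" 2>/dev/null)
    check_helper "$@"
}

# Audit the whole set when run as "sh audit-sssd-caps.sh --audit".
if [ "${1:-}" = "--audit" ]; then
    status=0
    for helper in krb5_child ldap_child selinux_child sssd_pam; do
        audit_helper "$helper" || status=1
    done
    exit $status
fi
```

A non-zero exit from --audit means at least one helper carries extra or missing capabilities, or is executable by users other than root and sssd.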

Configuration changes

  • ad_allow_remote_domain_local_groups option is deprecated and will be removed
    in future releases.
  • The dyndns_server option is extended so it can be in the form of a URI
    (dns+tls://1.2.3.4:853#servername). A new set of options dyndns_dot_cacert,
    dyndns_dot_cert and dyndns_dot_key allows configuring DNS-over-TLS
    communication.
  • Added exop_force value for configuration option ldap_pwmodify_mode. This
    can be used to force a password change even if no grace logins are left.
    Depending on the configuration of the LDAP server, the password change may
    still fail.

See full release notes here.

sssd-2.9.6

05 Dec 18:01
2.9.6

SSSD 2.9.6 Release Notes

Highlights

General information

  • DoT (DNS over TLS) for dynamic DNS updates is now supported. It requires a
    newer nsupdate from BIND 9.19+.

  • The option default_domain_suffix is deprecated. Consider using the more
    flexible domain_resolution_order instead.

Important fixes

  • When the DP_OPT_DYNDNS_REFRESH_OFFSET enumerator was created, the
    associated struct dp_option was not. Because these structures are part of
    an array and the enumerator is used as the index, the wrong structure would be
    accessed when trying to use this index. This problem was fixed by creating the
    missing structure.

Configuration changes

  • The dyndns_server option is extended so it can be in the form of a URI
    (dns+tls://1.2.3.4:853#servername). A new set of options
    dyndns_dot_cacert, dyndns_dot_cert and dyndns_dot_key allows
    configuring DNS-over-TLS communication.

  • Added exop_force value for configuration option ldap_pwmodify_mode.
    This can be used to force a password change even if no grace logins are left.
    Depending on the configuration of the LDAP server, the password change may
    still fail.

See full release notes here.