SSSD 2.10-beta1 Release Notes
Highlights
General information
-
IMPORTANT note for downstream maintainers!
This release features significant improvements of "running with less privileges (under unprivileged service user)" feature. There is still a
./configure
option--with-sssd-user=
available that allows downstream package maintainers to choose if support of non-root service user should be built. In case such support is built, a preferred way to configure service user is simply by starting SSSD under this user; for example, usingUser=/Group=
options of systemd sssd.service file. Upstream defaults are to build--with-sssd-user=sssd
and to install systemd service withUser=/Group=sssd
. In this case, only several helper processes -ldap_child
,krb5_child
andselinux_child
- are executed with elevated capabilities (that are now granted using fine grained file capabilities instead of SUID bit). All other SSSD components run without any capabilities. In this scenario it's still possible to re-configure SSSD to run underroot
(if needed for some reason): besides changingUser/Group=
options, some other tweaks of systemd service files are required.A legacy method to configure a service user - sssd.conf
user
option - is now deprecated and its support isn’t built by default. It can be enabled using--with-conf-service-user-support
./configure
option if needed (for example, due to backward compatibility requirements of stable releases).Further, no matter if SSSD is built
--with-sssd-user=sssd
or--with-sssd-user=root
, when it's configured to run underroot
(in both cases) it still runs without capabilities, the same way as when it's configured to run undersssd
user. The only difference is from the DAC perspective.Important note: owner of
/etc/sssd/sssd.conf
file (and snippets) should match the user configured to start SSSD service. Upstream spec file changes ownership of existingsssd.conf
tosssd
during package installation for seamless upgrades.Additionally, this release fixes a large number of issues with "socket activation of responders" feature, making it operable out-of-the-box when the package is built
--with-sssd-user=sssd
. Please take a note, that user configured to run main sssd.service and socket activated responders (if used) should match (i.e. if sssd.service is re-configured from upstream defaults toroot
then responders services also should be re-configured).Downstream package maintainers are advised to carefully inspect changes in
contrib/sssd.spec.in
,src/sysv/systemd/*
and./configure
options that this release brings! -
sssctl
cache-upgrade
command was removed. SSSD performs automatic upgrades at startup when needed. -
Support of
enumeration
feature (i.e. ability to list all users/groups usinggetent passwd/group
without argument) for AD/IPA providers is deprecated and might be removed in further releases. Those who are interested to keep using it awhile should configure its build explicitly using--with-extended-enumeration-support
./configure option.
New features
- The new tool
sss_ssh_knownhosts
can be used with ssh's KnownHostsCommand configuration option to retrieve the host's public keys from a remote server (FreeIPA, LDAP, etc.). This new tool, which is more reliable, replacessss_ssh_knownhostsproxy
. Please consider switching to using the new tool as the old one will be removed.
Packaging changes
- Building SSSD now unconditionally requires availability of
ucred
/SO_PEERCRED
to enforce certain security checks at runtime (seeman 7 unix
for details). - SSSD now requires
libini
not older than v1.3 - Explicit
--with-semanage
./configure switch was removed, going forward--with-selinux
includes this.
Configuration changes
- Default
ldap_id_use_start_tls
value changed fromfalse
totrue
for improved security. - Added a
ldap_use_ppolicy
option for backends with broken ppolicy extension handling. - Obsolete
config_file_version
option was removed.