github SSSD/sssd 2.11.0
sssd-2.11.0


SSSD 2.11.0 Release Notes

Highlights

General information

  • The deprecated tool sss_ssh_knownhostsproxy was finally removed, together
    with the ./configure option --with-ssh-known-host-proxy used to build it.
    It is now replaced by a stub that displays an error message. Instead of this
    tool, you must now use sss_ssh_knownhosts. Please check the
    sss_ssh_knownhosts(1) man page for detailed information.
  • Support for the previously deprecated sssd.conf::user option
    (--with-conf-service-user-support ./configure option) was removed.
  • When both IPv4 and IPv6 address families are resolvable but the primary one
    is blocked by a firewall, SSSD attempts to connect to the server over the
    secondary family.
  • During startup SSSD no longer checks the NSCD configuration in order to warn
    about a potential conflict.
  • Previously deprecated --with-files-provider configure option and thus
    support of id_provider = files were removed.
  • Previously deprecated --with-libsifp configure option and the sss_simpleifp
    library were removed.
  • krb5-child-test was removed. The corresponding tests under src/tests/system/
    are intended to provide comprehensive test coverage of krb5_child
    functionality.
  • SSSD no longer creates missing path components of DIR:/FILE: ccache types
    while acquiring the user's TGT. The parent directory of the requested ccache
    directory must exist, and the user trying to log in must have rwx access to
    this directory. This matches the behavior of kinit.
  • DNS over TLS (DoT) for dynamic DNS updates is now supported. It requires a
    newer version of nsupdate, from BIND 9.19+.
  • The option default_domain_suffix is deprecated. Consider using the more
    flexible domain_resolution_order instead.

New features

  • New generic id and auth provider for Identity Providers (IdPs); as a start,
    Keycloak and Entra ID are supported. Given suitable credentials this provider
    can read users and groups from IdPs and can authenticate IdP users with the
    help of the OAuth 2.0 Device Authorization Grant (RFC 8628).
  • The SSSD IPA provider now supports IPA subdomains, not only Active Directory.
    This IPA subdomain support will enable SSSD support of the IPA-IPA Trust
    feature, with the fully usable feature coming in a later FreeIPA release.
    Trusted domain configuration options are specified in the sssd-ipa man page.

Important fixes

  • A memory leak in sssd_kcm was fixed.
  • If the ssh responder is not running, sss_ssh_knownhosts will not fail (but
    it will not return the keys).

Packaging changes

  • Important note for downstream maintainers.

    The set of capabilities required by the privileged binaries was further
    reduced to:

    krb5_child     cap_dac_read_search,cap_setgid,cap_setuid=p
    ldap_child     cap_dac_read_search=p
    selinux_child  cap_setgid,cap_setuid=p
    sssd_pam       cap_dac_read_search=p

    Keep in mind that even with a limited set of fine-grained capabilities, the
    usual precautions still have to be taken while packaging binaries with file
    capabilities: it is very important to make sure that they are executable only
    by root and the sssd service user. For this reason the upstream spec file
    packages them as:

    -rwxr-x---. 1 root sssd

    Failing to do so (i.e. allowing non-privileged users to execute those
    binaries) can expose systems installing the package to a security risk.
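    As an added check for packagers and auditors following the note above (this
    is not SSSD's own code): a POSIX shell script that compares the installed
    helpers' file capabilities, ownership and mode against the values listed. The
    install directory /usr/libexec/sssd and the stat/getcap output formats it
    parses are assumptions.

```shell
#!/bin/sh
# Added audit script (not part of SSSD): checks that the privileged helpers
# carry exactly the file capabilities listed in the release notes and are
# executable only by root and the sssd service user (-rwxr-x---).
# The helper directory /usr/libexec/sssd is an assumption; distributions vary.

# Expected capability set per helper, in the notation getcap prints.
expected_caps() {
  case "$1" in
    krb5_child)    echo "cap_dac_read_search,cap_setgid,cap_setuid=p" ;;
    ldap_child)    echo "cap_dac_read_search=p" ;;
    selinux_child) echo "cap_setgid,cap_setuid=p" ;;
    sssd_pam)      echo "cap_dac_read_search=p" ;;
    *)             return 1 ;;
  esac
}

# check_policy NAME OWNER GROUP MODE CAPS
# Prints one finding per violation; returns 0 only when everything matches.
check_policy() {
  name=$1; owner=$2; group=$3; mode=$4; caps=$5; fail=0
  want=$(expected_caps "$name") || { echo "$name: unknown helper"; return 1; }
  [ "$caps" = "$want" ] || { echo "$name: caps '$caps', expected '$want'"; fail=1; }
  [ "$owner" = root ] || { echo "$name: owner $owner, expected root"; fail=1; }
  [ "$group" = sssd ] || { echo "$name: group $group, expected sssd"; fail=1; }
  # The last octal digit is the 'others' class: it must be 0 (-rwxr-x---).
  case "$mode" in
    *0) ;;
    *)  echo "$name: mode $mode is accessible to other users"; fail=1 ;;
  esac
  return $fail
}

# audit_installed [DIR]: read live ownership, mode and caps, apply the policy.
audit_installed() {
  dir=${1:-/usr/libexec/sssd}; bad=0
  for helper in krb5_child ldap_child selinux_child sssd_pam; do
    path="$dir/$helper"
    [ -e "$path" ] || { echo "$helper: not found in $dir"; bad=1; continue; }
    ogm=$(stat -c '%U %G %a' "$path")        # "owner group mode", e.g. root sssd 750
    # Newer getcap prints "path caps=p"; older prints "path = caps+p".
    # Keep the last field and normalise the old '+p' spelling; no caps -> "".
    caps=$(getcap "$path" | awk '{print $NF}' | sed 's/+p$/=p/')
    check_policy "$helper" $ogm "$caps" || bad=1   # $ogm intentionally unquoted
  done
  return $bad
}
```

    Run audit_installed (optionally with the helper directory) on the installed
    system; printed findings together with a non-zero return mean a helper
    deviates from the packaging policy above.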

  • New configure option --with-id-provider-idp to enable or disable building
    SSSD's IdP id provider; it is enabled by default.

  • --with-nscd-conf ./configure option was removed.

  • Support of deprecated ad_allow_remote_domain_local_groups sssd.conf option
    isn't built by default. It can be enabled using
    --with-allow-remote-domain-local-groups ./configure option.

Configuration changes

  • The id_provider and auth_provider options support a new value idp. Details
    about how to configure the IdP provider can be found in the sssd-idp man page.
  • New optional fourth value for the AD provider configuration option
    ad_machine_account_password_renewal_opts to select the command used to
    update the keytab; currently adcli and realm are the allowed values.
  • The pam_sss.so module gained a new option named "allow_chauthtok_by_root". It
    allows changing the realm password of an arbitrary user via PAM when invoked
    by root.
  • The new ldap_read_rootdse option allows you to specify how SSSD will read the
    RootDSE from the LDAP server. Allowed values are "anonymous", "authenticated"
    and "never".
  • Until now the dyndns_iface option supported only "*" for all interfaces or
    exact names. With this update it is possible to use shell wildcard patterns
    (e.g. eth*, eth[01], ...).
  • ad_allow_remote_domain_local_groups option is deprecated and will be removed
    in future releases.
  • The dyndns_server option is extended so that it can be given in the form of
    a URI (dns+tls://1.2.3.4:853#servername). The new set of options
    dyndns_dot_cacert, dyndns_dot_cert and dyndns_dot_key allows configuring
    DNS-over-TLS communication.
  • Added the exop_force value for the configuration option ldap_pwmodify_mode.
    It can be used to force a password change even if no grace logins are left.
    Depending on the configuration of the LDAP server, the password change may
    still be expected to fail.

See full release notes here.
