SSSD 2.4.1 Release Notes

Highlights

General information

• SYSLOG_IDENTIFIER was renamed to SSSD_PRG_NAME in journald output, to avoid issues with PID parsing in rsyslog (BSD-style forwarder) output.

New features

• New PAM module pam_sss_gss for authentication using GSSAPI
• case_sensitive=Preserving can now be set for trusted domains with AD provider
• case_sensitive=Preserving can now be set for trusted domains with IPA provider. However, the option needs to be set to Preserving on both client and the server for it to take effect.
• case_sensitive option can be now inherited by subdomains
• case_sensitive can be now set separately for each subdomain in [domain/parent/subdomain] section
• krb5_use_subdomain_realm=True can now be used when sub-domain user principal names have upnSuffixes which are not known in the parent domain. SSSD will try to send the Kerberos request directly to a KDC of the sub-domain.

Important fixes

• krb5_child uses proper umask for DIR type ccaches
• Memory leak in the simple access provider
• KCM performance has improved dramatically for cases where large amount of credentials are stored in the ccache.

Packaging changes

• Added pam_sss_gss.so PAM module and pam_sss_gss.8 manual page

Configuration changes

• New default value of debug_level is 0x0070
• Added pam_gssapi_check_upn to enforce authentication only with principal that can be associated with target user.
• Added pam_gssapi_services to list PAM services that can authenticate using GSSAPI

See full release notes here.