SSSD 1.13.4

Highlights

• The IPA sudo provider was reimplemented. The new version reads the data from IPA's LDAP tree (as opposed to the compat tree populated by the slapi-nis plugin that was used previously). The benefit is that deployments which don't require the compat tree for other purposes, such as support for non-SSSD clients can disable those autogenerated LDAP trees to conserve resources that slapi-nis otherwise requires. There should be no visible changes to the end user.
• SSSD now has the ability to renew the machine credentials (keytabs) when the ad provider is used. Please note that a recent version of the adcli (0.8 or newer) package is required for this feature to work.
• The automatic ID mapping feature was improved so that the administrator is no longer required to manually set the range size in case a RID in the AD domain is larger than the default range size
• A potential infinite loop in the NFS ID mapping plugin that was resulting in an excessive memory usage was fixed
• Clients that are pinned to a particular AD site using the ad_site option no longer communicate with DCs outside that site during service discovery.
• The IPA identity provider is now able to resolve external (typically coming from a trusted AD forest) group members during get-group-information requests. Please note that resolving external group memberships for AD users during the initgroup requests used to work even prior to this update. This feature is mostly useful for cases where an IPA client is using the compat tree to resolve AD trust users.
• The IPA ID views feature now works correctly even for deployments without a trust relationship. Previously, the subdomains IPA provider failed to read the views data if no master domain record was created on the IPA server during trust establishment.
• A race condition in the client libraries between the SSSD closing the socket as idle and the client application using the socket was fixed. This bug manifested with a Broken Pipe error message on the client.
• SSSD is now able to resolve users with the same usernames in different OUs of an AD domain
• The smartcard authentication now works properly with gnome-screensaver

Packaging Changes

• The krb5.include.d directory is now owned by the sssd user and packaged in the krb5-common subpackage

Documentation Changes

• A new option ldap_idmap_helper_table_size was added. This option can help tune allocation of new ID mapping slices for AD domains with a high RID values. Most deployments can use the default value of this option.
• Several PAM services were added to the lists that are used to map Windows logon services to GNU/Linux PAM services. The newly added PAM services include login managers (lightdm, lxdm, sddm and xdm) as well as the cockpit service.
• The AD machine credentials renewal task can be fine-tuned using the ad_machine_account_password_renewal_opts to change the initial delay and period of the credentials renewal task. In addition, the new ad_maximum_machine_account_password_age option allows the administrator to select how old the machine credential must be before trying to renew it.
• The administrator can use the new option pam_account_locked_message to set a custom informational message when the account logging in is locked.

See full release notes here.