SSSD 1.15.1

Highlights

Several issues related to starting the SSSD services on-demand via socket activation were fixed. In particular, it is no longer possible to have a service started both by sssd and socket-activated. Another bug which might have caused the responder to start before SSSD started and cause issues especially on system startup was fixed.
A new files provider was added. This provider mirrors the contents of /etc/passwd and /etc/group into the SSSD database. The purpose of this new provider is to make it possible to use SSSD's interfaces, such as the D-Bus interface for local users and enable leveraging the in-memory fast cache for local users as well, as a replacement for nscd. In future, we intend to extend the D-Bus interface to also provide setting and retrieving additional custom attributes for the files users.
SSSD now autogenerates a fallback configuration that enables the files domain if no SSSD configuration exists. This allows distributions to enable the sssd service when the SSSD package is installed. Please note that SSSD must be build with the configuration option --enable-files-domain for this functionality to be enabled.
Support for public-key authentication with Kerberos (PKINIT) was added. This support will enable users who authenticate with a Smart Card to obtain a Kerberos ticket during authentication.

The new files provider comes as a new shared library libsss_files.so and a new manual page
A new helper binary called sssd_check_socket_activated_responders was added. This binary is used in the ExecStartPre directive to check if the service that corresponds to socket about to be started was also started explicitly and abort the socket startup if it was.

A new PAM module option prompt_always was added. This option is related to fixing <https://github.com/SSSD/sssd/issues/4025which changed the behaviour of the PAM module so that pam_sss always uses an auth token that was on stack. The new prompt_always option makes it possible to restore the previous behaviour.