SSSD 1.15.3

Highlights

New Features

• In a setup where an IPA domain trusts an Active Directory domain, it is now possible to define the domain resolution order. Starting with this version, SSSD is able to read and honor the domain resolution order, providing a way to resolve Active Directory users by just their short name. SSSD also supports a new option domain_resolution_order applicable in the [sssd] section that allows to configure short names for AD users in setup with id_provider=ad or in a setup with an older IPA server that doesn't support the ipa config-mod --domain-resolution-order configuration option. Also, it is now possible to use use_fully_qualified_names=False in a subdomain configuration, but please note that the user and group output from trusted domains will always be qualified to avoid conflicts.
  • Design page - Shortnames in trusted domains
• SSSD ships with a new service called KCM. This service acts as a storage for Kerberos tickets when libkrb5 is configured to use KCM: in krb5.conf. Compared to other Kerberos credential cache types, KCM is better suited for containerized environments and because the credential caches are managed by a stateful daemon, in future releases will also allow to renew tickets acquired outside SSSD (e.g. with kinit) or provide notifications about ticket changes. This feature is optional and can be disabled by selecting --without-kcm when configuring the SSSD build.
  • Design page - KCM server for SSSD
  • `NOTE`: There are several known issues in the KCM responder that will be handled in the next release such as issues with very large tickets or tracking the SELinux label of the peer or even one intermittent crash. There are also some differences between how SSSD's KCM server works compared to Heimdal's KCM server such as visibility of ccaches by root.
• Support for user and group resolution through the D-Bus interface and authentication and/or authorization through the PAM interface even for setups without UIDs or Windows SIDs present on the LDAP directory side. This enhancement allows SSSD to be used together with apache modules to provide identities for applications
  • Design page - Support for non-POSIX users and groups
• SSSD ships a new public library called libsss_certmap that allows a flexible and configurable way of mapping a certificate to a user identity. This is required e.g. in environments where it is not possible to add the certificate to the LDAP user entry, because the certificates are issued externally or the LDAP schema cannot be modified. Additionally, specific matching rules allow a specific certificate on a smart card to be selected for authentication.
  • Design page - Matching and Mapping Certificates
• The Kerberos locator plugin can be disabled using an environment variable SSSD_KRB5_LOCATOR_DISABLE. Please refer to the sssd_krb5_locator_plugin manual page for mode details.
• The sssctl command line tool supports a new command user-checks that enables the administrator to check whether a certain user should be allowed or denied access to a certain PAM service.
• The secrets responder now forwards requests to a proxy Custodia back end over a secure channel.

Notable bug fixes

• The IPA HBAC evaluator no longer relies on originalMemberOf attributes to construct the list of groups the user is a member of. Maintaining the originalMemberOf attribute was unreliable and was causing intermittent HBAC issues.
• A bug where the cleanup operation might erroneously remove cached users during their cache validation in case SSSD was set up with enumerate=True was fixed.
• Several bugs related to configuration of trusted domains were fixed, in particular handling of custom LDAP search bases set for trusted domains.
• Password changes for users from trusted Active Directory domains were fixed

Packaging Changes

• A new KCM responder was added along with a manpage. The upstream reference specfile packages the responder in its own subpackage called sssd-kcm and a krb5.conf snippet that enables the KCM credentials cache simply by installing the subpackage
• The libsss_certmap library was packaged in a separate package. There is also a libsss_certmap-devel subpackage in the upstream packaging.

Documentation Changes

• sssd-kcm and libsss_certmap are documented in their own manual pages.
• A new option domain_resolution_order was added. This option allows to specify the lookup order (especially w.r.t. trusted domains) that sssd will follow. Please see the Shortnames in trusted domains design page. for mode details.
• New options pam_app_services and domain_type were added. These options can be used to only limit certain PAM services to reach certain SSSD domains that should only be exposed to non-OS applications. For more details, refer to the Support for non-POSIX users and groups design page.

• The secrets responder supports several new options related to TLS setup and handling including verify_peer, verify_host, capath, cacert and cert. These options are all described in the sssd-secrets manual page.

See full release notes here.