SSSD 1.16.1
Highlights
New Features
- A new option
auto_private_groups
was added. If this option is enabled, SSSD will automatically create user private groups based on user's UID number. The GID number is ignored in this case. Please see <../../design_pages/auto_private_groups.mdfor more details on the feature. - The SSSD smart card integration now supports a special type of PAM conversation implemented by GDM which allows the user to select the appropriate smrt card certificate in GDM. Please refer to <../../design_pages/smartcard_multiple_certificates.mdfor more details about this feature.
- A new API for accessing user and group information was added. This API is similar to the tradiional Name Service Switch API, but allows the consumer to talk to SSSD directly as well as to fine-tune the query with e.g. how cache should be evaluated. Please see <../../design_pages/enhanced_nss_api.mdfor more information on the new API.
- The
sssctl
command line tool gained a new commandaccess-report
, which can generate who can access the client machine. Currently only generating the report on an IPA client based on HBAC rules is supported. Please see <../../design_pages/attestation_report.mdfor more information about this new feature. - The
hostid
provider was moved from the IPA specific code to the generic LDAP code. This allows SSH host keys to be access by the generic LDAP provider as well. See theldap_host_*
options in thesssd-ldap
manual page for more details. - Setting the
memcache_timeout
option to 0 disabled creating the memory cache files altogether. This can be useful in cases there is a bug in the memory cache that needs working around.
Performance enhancements
- Several internal changes to how objects are stored in the cache improve SSSD performance in environments with large number of objects of the same type (e.g. many users, many groups). In particular, several useless indexes were removed and the most common object types no longer use the indexed
objectClass
attribute, but use unindexedobjectCategory
instead (#3503) - In setups with
id_provider=ad
that use POSIX attributes which are replicated to the Global Catalog, SSSD uses the Global Catalog to determine which domain should be contacted for a by-ID lookup instead of iterating over all domains. More details about this feature can be found at <../../design_pages/uid_negative_global_catalog.md>
Notable bug fixes
- A crash in
sssd_nss
that might have happened if a list of domains was refreshed while a NSS lookup using this request was fixed (#3551) - A potential crash in
sssd_nss
during netgroup lookup in case the netgroup object kept in memory was already freed (#3523) - Fixed a potential crash of
sssd_be
with two concurrent sudo refreshes in case one of them failed (#3562) - A memory growth issue in
sssd_nss
that occured when an entry was removed from the memory cache was fixed (#3588) - Two potential memory growth issues in the
sssd_be
process that could have hit configurations withid_provider=ad
were fixed (#3639) - The
selinux_child
process no longer crashes on a system where SSSD is compiled with SELinux support, but at the same time, the SELinux policy is not even installed on the machine (#3618) - The memory cache consistency detection logic was fixed. This would prevent printing false positive memory cache corruption messages (#3571)
- SSSD now remembers the last successfuly discovered AD site and use this for DNS search to lookup a site and forest during the next lookup. This prevents time outs in case SSSD was discovering the site using the global list of DCs where some of the global DCs might be unreachable. (#3265)
- SSSD no longer starts the implicit file domain when configured with
id_provider=proxy
andproxy_lib_name=files
. This bug prevented SSSD from being used in setups that combine identities from UNIX files together with authentication against a remote source unless a files domain was explicitly configured (#3590) - The IPA provider can handle switching between different ID views better (#3579)
- Previously, the IPA provider kept SSH public keys and certificates from an ID view in its cache and returned them even if the public key or certificate was then removed from the override (#3602, #3603)
- FleetCommander profiles coming from IPA are applied even if they are assigned globally (to
category: ALL
), previously, only profiles assigned to a host or a hostgroup were applied (#3449) - It is now possible to reset an expired password for users with 2FA authentication enabled (#3585)
- A bug in the AD provider which could have resulted in built-in AD groups being incorrectly cached was fixed (#3610)
- The SSSD watchdog can now cope better with time drifts (#3285)
- The
nss_sss
NSS module's return codes for invalid cases were fixed - A bug in the LDAP provider that prevented setups with id_provider=proxy and auth_provider=ldap with LDAP servers that do not allow anonymous binds from working was fixed (#3451)
Packaging Changes
- The FleetCommander desktop profile path now uses stricter permissions, 751 instead of 755 (#3621)
- A new option
--logger
was added to thesssd(8)
binary. This option obsoletes old options such as--debug-to-files
, although the old options are kept for backwards compatibility. - The file
/etc/systemd/system/sssd.service.d/journal.conf
is not installed anymore In order to change logging to journald, please use the--logger
option. The logger is set using theEnvironment=DEBUG_LOGGER
directive in the systemd unit files. The default value isEnvironment=DEBUG_LOGGER=--logger=files
Documentation Changes
There are no notable documentation changes such as options changing default values etc in this release.