SSSD 2.2.0
Highlights
New features
- The Kerberos provider (and the composite authentication providers based on it, such as AD and IPA) can now write more than one KDC address or host name into the data consumed by the Kerberos locator plugin (see sssd_krb5_locator_plugin(8)). Kerberos client applications such as kinit can therefore fail over between the KDC servers discovered by SSSD. See the description of the krb5_kdcinfo_lookahead option in the sssd-krb5(5) manual page for more information, or refer to the design page (#3973, #3974, #3975).
- The 2FA prompting can now be configured. The administrator can set custom prompts for the first and second factor, or select a single prompt for both factors, and this can be configured per service. See the section "Prompting configuration" in the sssd.conf(5) manual page for more details, or refer to the design page (#3264).
- The LDAP authentication provider can now change LDAP passwords with an LDAP modify operation in addition to the default password modify extended operation. This is meant to support old LDAP servers that do not implement the extended operation. The modify-based password change is selected with ldap_pwmodify_mode = "ldap_modify". More information can be found in the design page (#1314).
- The auto_private_groups configuration option now takes a new value, hybrid. In this mode a private group is autogenerated only for user entries whose UID and GID have the same value and whose GID does not correspond to a real group entry in LDAP; if a real group with that GID does exist, the GID from the user entry is used as-is (#3822).
- A new option, ad_gpo_ignore_unreadable, was added. It defaults to false and can be used to ignore group policy containers in AD whose attributes are unreadable or missing. This is for the case where the server contains GPOs that have very strict permissions on their attributes but are unrelated to access control (#3867). Because ignored GPOs are not evaluated at all, enable this only when the unreadable GPOs are known not to carry logon rights.
- The cached_auth_timeout parameter is now inherited by trusted domains, and the pre-authentication request is cached as well when this option is in effect (#3960).
- The ldap_sasl_mech option now accepts another mechanism, GSS-SPNEGO, in addition to GSSAPI. Using SPNEGO might be preferable with newer Active Directory servers, especially with hardened configurations. SSSD might switch to SPNEGO by default in a future release (#4006).
- The sssctl tool has two new commands, cert-show and cert-map, which help in troubleshooting smart card and, in general, user certificate related issues.
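The hybrid mode of auto_private_groups is easiest to understand next to the two older values. The following script is an added example, not SSSD code: it implements the rule stated in the notes (private group only when UID equals GID and no real LDAP group owns that GID) over a small constructed directory, so the three modes can be compared side by side. All user names, UIDs, GIDs and group names are made up for the example.

```python
"""Added example (not SSSD code): model of the auto_private_groups decision
for the values true, false and the new hybrid mode described in the notes."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class User:
    name: str
    uid: int
    gid: int  # primary GID as stored in the user's LDAP entry


# Constructed LDAP groups keyed by gidNumber (not real data).
GROUPS: Dict[int, str] = {
    1000: "alice-team",  # a real group that happens to share alice's UID
    2000: "developers",  # a real group used as somebody's primary group
}

# Constructed user entries covering each interesting case.
USERS = [
    User("alice", 1000, 1000),  # uid == gid, but a real group owns GID 1000
    User("bob", 1001, 1001),    # uid == gid, no group owns GID 1001
    User("carol", 1002, 2000),  # primary GID is a real, different group
    User("dave", 1003, 4000),   # primary GID points at no group at all
]


def private_group_generated(user: User, groups: Dict[int, str], mode: str) -> bool:
    """Return True if SSSD would synthesize a private group for this user.

    mode is the value of auto_private_groups:
      "true"   - always generate a private group (the UID doubles as its GID)
      "false"  - never generate one; the GID from the entry is used as-is
      "hybrid" - generate only when uid == gid AND no real group owns that GID
    """
    if mode == "true":
        return True
    if mode == "false":
        return False
    if mode == "hybrid":
        return user.uid == user.gid and user.gid not in groups
    raise ValueError(f"unknown auto_private_groups value: {mode!r}")


def resolve_primary_group(user: User, groups: Dict[int, str], mode: str) -> Optional[str]:
    """Name of the primary group a lookup would return, or None if unresolvable."""
    if private_group_generated(user, groups, mode):
        return user.name           # autogenerated private group named after the user
    return groups.get(user.gid)    # otherwise the real LDAP group, if one exists


def primary_group_table(mode: str) -> Dict[str, Optional[str]]:
    """Primary group of every constructed user under the given mode."""
    return {u.name: resolve_primary_group(u, GROUPS, mode) for u in USERS}


if __name__ == "__main__":
    for mode in ("true", "false", "hybrid"):
        print(f"auto_private_groups = {mode}: {primary_group_table(mode)}")
```

The case to look at is alice: under hybrid her UID and GID match, but because a real group already owns GID 1000 no private group is created and the real group wins, which is exactly the collision that the plain true mode cannot express. dave shows the other edge: a GID that matches nothing stays unresolvable under both false and hybrid.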
Notable bug fixes
- A potential race condition between SSSD receiving a notification to try switching to online mode and the network actually becoming reachable is now handled better. SSSD now tries to go online three times, with an increasing delay between the online checks of up to 4 s (#3467).
- A potential deadlock in user resolution when the IPA provider fetches the keytab used to authenticate to a trusted AD domain was fixed (#3992).
- When checking whether objects that cannot be looked up exist locally, and therefore should be added to the negative cache with a longer negative TTL (see local_negative_timeout in sssd.conf(5)), the blocking NSS API is no longer used. The blocking calls could cause timeouts, especially during SSSD startup (#3963).
- Some cache attributes used by the Kerberos ticket renewal code are now indexed. This speeds up cache searches that could otherwise make SSSD appear blocked and get it killed by the internal watchdog (#3968).
- Cached objects from an Active Directory domain trusted by an IPA domain that no longer exist on the server are now properly removed from the cache (#3984).
- The sudoRunAsUser and sudoRunAsGroup attributes now work correctly with an IPA configuration that also uses domain_resolution_order, whether it is set locally or centrally (#3957).
- Certificates that completely lack the Key Usage (KU) certificate extension are now handled gracefully (rhbz#1660899).
- The sudo smart refresh (see the sssd-sudo manual page) now correctly uses the highest USN number, which results in more efficient queries (#3997).
- The pam_sss module now returns PAM_USER_UNKNOWN if the PAM socket is missing completely. This could happen when SSSD runs with the files domain only and a user resolved by a completely different PAM module logs in (#3988).
- Netgroup lookups now honor the midpoint refresh interval set by cache_refresh_percent (#3947).
- The users and groups listed in filter_users and filter_groups, which are negatively cached so that lookups of those entries are avoided, are now correctly evaluated for domains that are discovered after SSSD has started (#3983). These lists can now also include UPNs (#3978).
- The IPA access provider no longer fails if the configuration completely disables dereferencing by setting ldap_deref_threshold=0 (#3979).
- The sss_cache tool no longer prints loud warnings when the SSSD cache cannot be written to. This typically occurred when /var was mounted read-only during an rpm-ostree update.
- The command line tools such as sssctl can now operate on the implicit files domain (#3769).
- The files and proxy providers no longer crash on receiving a request to go online, which they do not implement (#4014).
- A potential crash in the online check callback was fixed (#3990).
- The winbind ID-mapping plugin now works with recent Samba releases again (#4005).
Packaging Changes
None
Documentation Changes
- A new option, ad_gpo_ignore_unreadable, was added.
- A new option, krb5_kdcinfo_lookahead, was added.
- A new option, ldap_pwmodify_mode, was added.
- The option ldap_sasl_mech now accepts a new value, GSS-SPNEGO.
- The option auto_private_groups now accepts a new value, hybrid.
- Multi-factor prompting can now be configured in a separate section called [prompting].
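The options listed above are all set in sssd.conf, and a quick pre-deployment check that their values are ones this release accepts catches typos before the daemon refuses to start. The script below is an added example and not part of SSSD: it parses a constructed sssd.conf fragment that uses every option named in these notes and flags values outside the accepted sets the notes give. The default value name exop for ldap_pwmodify_mode, the subsection [prompting/2fa] with its keys first_prompt, second_prompt and single_prompt, and the N:M form of krb5_kdcinfo_lookahead are taken from the sssd.conf(5) and sssd-krb5(5) manual pages rather than from this page; the domain name, server and prompt texts are made up.

```python
"""Added example (not SSSD code): a small value checker for the sssd.conf
options introduced in SSSD 2.2.0, run against a constructed config fragment."""
import configparser
import re
from typing import Dict, List, Set

# Constructed sssd.conf fragment exercising every option named in the notes.
# The [prompting/2fa] keys follow sssd.conf(5); the notes only name [prompting].
SAMPLE_CONF = """
[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ad
access_provider = ad
ad_domain = example.test
krb5_kdcinfo_lookahead = 3:1
ldap_sasl_mech = GSS-SPNEGO
auto_private_groups = hybrid
ad_gpo_ignore_unreadable = false
ldap_pwmodify_mode = ldap_modify

[prompting/2fa]
first_prompt = Password:
second_prompt = OTP token:
single_prompt = false
"""

# Same fragment with three deliberately wrong values, for the checker to catch.
BAD_CONF = SAMPLE_CONF.replace("GSS-SPNEGO", "NTLM") \
                      .replace("= hybrid", "= maybe") \
                      .replace("= 3:1", "= three")

# Accepted values per option. Keyword values come from the release notes;
# "exop" (the ldap_pwmodify_mode default) is the man page's name for the
# extended-operation mode. Comparison is case-insensitive.
ALLOWED: Dict[str, Set[str]] = {
    "ldap_sasl_mech": {"gssapi", "gss-spnego"},
    "auto_private_groups": {"true", "false", "hybrid"},
    "ldap_pwmodify_mode": {"exop", "ldap_modify"},
    "ad_gpo_ignore_unreadable": {"true", "false"},
}

# krb5_kdcinfo_lookahead is written as two counts separated by a colon
# (format assumed from sssd-krb5(5); the notes do not spell it out).
LOOKAHEAD_RE = re.compile(r"\d+:\d+")


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-like with '=' as the only delimiter and no interpolation."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp


def check_conf(text: str) -> List[str]:
    """Return a list of human-readable problems; an empty list means all good."""
    cp = parse_sssd_conf(text)
    problems: List[str] = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        sec = cp[section]
        for opt, allowed in ALLOWED.items():
            if opt in sec and sec[opt].strip().lower() not in allowed:
                problems.append(f"{section}: {opt} = {sec[opt].strip()!r} "
                                f"not one of {sorted(allowed)}")
        if "krb5_kdcinfo_lookahead" in sec:
            value = sec["krb5_kdcinfo_lookahead"].strip()
            if not LOOKAHEAD_RE.fullmatch(value):
                problems.append(f"{section}: krb5_kdcinfo_lookahead = {value!r} "
                                "is not of the form N:M")
    if cp.has_section("prompting/2fa"):
        single = cp["prompting/2fa"].get("single_prompt", "false").strip().lower()
        if single not in {"true", "false"}:
            problems.append(f"[prompting/2fa]: single_prompt = {single!r} is not a boolean")
    return problems


if __name__ == "__main__":
    print("sample:", check_conf(SAMPLE_CONF) or "ok")
    for line in check_conf(BAD_CONF):
        print("bad:", line)
```

The checker only knows the options this release adds; it is a template for a local lint step, not a replacement for sssctl config-check, and it deliberately reports on a domain section by section so that a multi-domain file points at the offending domain.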