SSSD 2.3.0

Highlights

New features

• SSSD can now handle hosts and networks nsswitch databases (see resolve_provider option)
• By default, authentication request only refresh user's initgroups if it is expired or there is not active user's session (see pam_initgroups_scheme option)
• OpenSSL is used as default crypto provider, NSS is deprecated
• Active Directory provider now defaults to GSS-SPNEGO SASL mechanism (see ldap_sasl_mech option)
• Active Directory provider can now be configured to use only ldaps port (see ad_use_ldaps option)
• SSSD now accepts host entries from GPO's security filter
• Format of debug messages has changed to be shorter and better sortable
• New debug level (0x10000) was added for low level ldb messages only (see sssd.conf man page)

Packaging changes

• New configure option --enable-gss-spnego-for-zero-maxssf

Documentation Changes

• Default value of ldap_sasl_mech has changed to GSS-SPNEGO for AD provider
• Return code of pam_sss.so are documented in pam_sss manpage
• Added option ad_update_samba_machine_account_password
• Added option ad_use_ldaps
• Added option ldap_iphost_object_class
• Added option ldap_iphost_name
• Added option ldap_iphost_number
• Added option ldap_ipnetwork_object_class
• Added option ldap_ipnetwork_name
• Added option ldap_ipnetwork_number
• Added option ldap_iphost_search_base
• Added option ldap_ipnetwork_search_base
• Added option ldap_connection_expire_offset
• Added option ldap_sasl_maxssf
• Added option pam_initgroups_scheme
• Added option entry_cache_resolver_timeout
• Added option entry_cache_computer_timeout
• Added option resolver_provider
• Added option proxy_resolver_lib_name
• Minor text improvements

See full release notes here.