sssd-2.10.0
SSSD 2.10.0 Release Notes
Highlights
General information
-
IMPORTANT note for downstream maintainers!
This release features significant improvements of "running with less
privileges (under unprivileged service user)" feature. There is still a
./configure
option--with-sssd-user=
available that allows downstream
package maintainers to choose if support of non-root service user should be
built. In case such support is built, a preferred way to configure service
user is simply by starting SSSD under this user; for example, using
User=/Group=
options of systemd sssd.service file. Upstream defaults are
to build--with-sssd-user=sssd
and to install systemd service with
User=/Group=sssd
. In this case, only several helper processes -
ldap_child
,krb5_child
andselinux_child
- are executed with
elevated capabilities (that are now granted using fine grained file
capabilities instead of SUID bit). All other SSSD components run without any
capabilities. In this scenario it's still possible to re-configure SSSD to run
underroot
(if needed for some reason): besides changingUser/Group=
options, some other tweaks of systemd service files are required.A legacy method to configure a service user - sssd.conf
user
option - is
now deprecated and its support isn’t built by default. It can be enabled using
--with-conf-service-user-support
./configure
option if needed (for
example, due to backward compatibility requirements of stable releases).Further, no matter if SSSD is built
--with-sssd-user=sssd
or
--with-sssd-user=root
, when it's configured to run underroot
(in both
cases) it still runs without capabilities, the same way as when it's
configured to run undersssd
user. The only difference is from the DAC
perspective.Important note: owner of
/etc/sssd/sssd.conf
file (and snippets) should
match the user configured to start SSSD service. Upstream spec file and
service files change ownership of existingsssd.conf
to sssd during
package installation and at runtime for seamless upgrades / transition period
only.Additionally, this release fixes a large number of issues with "socket
activation of responders" feature, making it operable out-of-the-box when the
package is built--with-sssd-user=sssd
. Please take a note, that user
configured to run main sssd.service and socket activated responders (if used)
should match (i.e. if sssd.service is re-configured from upstream defaults to
root
then responders services also should be re-configured).Downstream package maintainers are advised to carefully inspect changes in
contrib/sssd.spec.in
,src/sysv/systemd/*
and./configure
options
that this release brings! -
sssctl
cache-upgrade
command was removed. SSSD performs automatic upgrades
at startup when needed. -
Support of
enumeration
feature (i.e. ability to list all users/groups
usinggetent passwd/group
without argument) for AD/IPA providers is
deprecated and might be removed in further releases. Those who are interested
to keep using it awhile should configure its build explicitly using
--with-extended-enumeration-support
./configure option. -
A number of minor glitches of
sssd-2.10.0-beta1
around building and
packaging were fixed.
New features
- The new tool
sss_ssh_knownhosts
can be used with ssh's
KnownHostsCommand
configuration option to retrieve the host's public keys
from a remote server (FreeIPA, LDAP, etc.). This new tool, which is more
reliable, replacessss_ssh_knownhostsproxy
. The latter is no longer built
by default, but its build can be forced with the./configure
option
--with-ssh-known-hosts-proxy
.
Packaging changes
-
Building SSSD now unconditionally requires availability of
ucred
/
SO_PEERCRED
to enforce certain security checks at runtime (seeman 7 unix
for details). -
SSSD now requires
libini
not older than v1.3 -
Explicit
--with-semanage
./configure switch was removed, going forward
--with-selinux
includes this. -
sssd_pam
binary lost publicrx
bits and gotcap_dac_read_search=p
file capability to be able to use GSSAPI -
Support of OpenSSL older than 1.0.1 was dropped
-
Support of
--without-infopipe
./configure
option was dropped. Feature
is long time out of experimental state. Since building it doesn't require any
additional dependencies, there is not much sense to keep option available.
Those who not interested in feature can skip installing sssd-ifp sub-package.
Configuration changes
-
Default
ldap_id_use_start_tls
value changed fromfalse
totrue
for
improved security. -
Added a
ldap_use_ppolicy
option for backends with broken ppolicy extension
handling. -
Obsolete
config_file_version
option was removed. -
Option
reconnection_retries
was removed since it is no longer used. SSSD
switch to a new architecte of internal IPC between SSSD processes where
responders do not connect to backend anymore and therefore this option is no
longer used.