Releases: SSSD/sssd
Releases · SSSD/sssd
sssd-2.6.2
SSSD 2.6.2 Release Notes
Highlights
Important fixes
- Quick log out and log in did not correctly refresh user's initgroups in
no_session
PAM schema due to lingering systemd processes.
sssd-2.6.1
SSSD 2.6.1 Release Notes
Highlights
New features
- New infopipe method
FindByValidCertificate()
which accepts the certificate as input, validates it against configured CAs, and outputs the user path on success. This is similar to the existingFindByCertificate()
, but that does not do any trust validation.
Packaging changes
subid ranges
support was enabled by default.
Configuration changes
- Default value of
ssh_hash_known_hosts
setting was changed to false for the sake of consistency with OpenSSH that does not hash host names by default.
sssd-2.6.0
SSSD 2.6.0 Release Notes
Highlights
General information
- Support of legacy json format for ccaches was dropped
- Support of long time deprecated
secrets
responder was dropped. - Support of long time deprecated
local
provider was dropped. - This release drops support of
--with-unicode-lib
configure option.libunistring
will be used unconditionally for Unicode processing. - This release removes pcre1 support. pcre2 is used unconditionally.
- p11_child does not stop at the first empty slot when searching for tokens
- A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. This patch fixes a flaw by replacing
system()
withexecvp()
.
New features
- Basic support of user's 'subuid and subgid ranges' for IPA provider and corresponding plugin for shadow-utils were introduced. Limitations: - single subid interval pair (subuid+subgid) per user - idviews aren't supported - only forward lookup (user -> subid ranges) Take a note, this is MVP of experimental feature. Significant changes might be required later, after initial feedback. Corresponding support in shadow-utils was merged upstream, but since there is no upstream release available yet, SSSD feature isn't built by default. Build can be enabled with
--with-subid
configure option. Plugin's install path can be configured with--with-subid-lib-path=
(${libdir}
by default)
Important fixes
- KCM now replace the old credential with new one when storing an updated credential that is however already present in the ccache to avoid unnecessary growth of the ccache.
- Improve mpg search filter to be more reliable with id-overrides and the new auto_private_groups options.
- Even if the forest root is disabled for lookups all required internal data is initialized to be able to refresh the list of trusted domains in the forest from a DC of the forest root.
- ccache files are created with the right ownership during offline Smartcard authentication
- AD ping is now sent over
ldap
ifcldap
support is not available during build. This helps to build SSSD on distributions withoutcldap
support inlibldap
. - CVE-2021-3621
Configuration changes
- New IPA provider's option
ipa_subid_ranges_search_base
allows configuration of search base for user's subid ranges. Default:cn=subids,%basedn
sssd-2.5.2
sssd 2.5.2 Release Notes
Highlights
General information
originalADgidNumber
attribute in the SSSD cache is now indexed
New features
- Debug messages in data provider include a unique request ID that can be used to track the request from its start to its end (requires
libtevent
>= 0.11.0)
Important fixes
- Update large files in the files provider in batches to avoid timeouts
Configuration changes
- Add new config option
fallback_to_nss
sssd-2.5.1
sssd 2.5.1 Release Notes
Highlights
New features
auto_private_groups
option can be set centrally through ID range setting in IPA (seeipa idrange
commands family). This feature requires SSSD update on both client and server. This feature also requiresfreeipa 4.9.4
and newer.
Important fixes
- Fix
getsidbyname
issues with IPA users with a user-private-group
Configuration changes
- Default value of
ldap_sudo_random_offset
changed to0
(disabled). This makes sure that sudo rules are available as soon as possible after SSSD start in default configuration.
sssd-2.5.0
SSSD 2.5.0 Release Notes
Highlights
General information
secrets
support is deprecated and will be removed in one of the next versions of SSSD.local-provider
is deprecated and will be removed in one of the next versions of SSSD.- SSSD's implementation of
libwbclient
was removed as incompatible with modern version of Samba. - This release deprecates
pcre1
support. This support will be removed completely in following releases. - A home directory from a dedicated user override, either local or centrally managed by IPA, will have a higher precedence than the
override_homedir
option. debug-to-files
,debug-to-stderr
command line and undocumenteddebug_to_files
config options were removed.
New features
- Added support for automatic renewal of renewable TGTs that are stored in KCM ccache. This can be enabled by setting
tgt_renewal = true
. See the sssd-kcm man page for more details. This feature requires MIT Kerberos krb5-1.19-0.beta2.3 or higher. - Backround sudo periodic tasks (smart and full refresh) periods are now extended by a random offset to spread the load on the server in environments with many clients. The random offset can be changed with
ldap_sudo_random_offset
. - Completing a sudo full refresh now postpones the smart refresh by
ldap_sudo_smart_refresh_interval
value. This ensure that the smart refresh is not run too soon after a successful full refresh. - If
debug_backtrace_enabled
is set totrue
then on any error all prior debug messages (to some limit) are printed even ifdebug_level
is set to low value (for details seeman sssd.conf
:debug_backtrace_enabled
description). - Besides trusted domains known by the forest root, trusted domains known by the local domain are used as well.
- New configuration option
offline_timeout_random_offset
to control random factor in backend probing interval when SSSD is in offline mode.
Important fixes
ad_gpo_implicit_deny
is now respected even if there are no applicable GPOs present- During the IPA subdomains request a failure in reading a single specific configuration option is not considered fatal and the request will continue
- unknown IPA id-range types are not considered as an error
- SSSD spec file
%postun
no longer tries to restart services that can not be restarted directly to stop produce systemd warnings
Configuration changes
- Added
tgt_renewal
,tgt_renewal_inherit
, andkrb5_*
KCM options to enable, and tune behavior of new KCM renewal feature. - Added
ldap_sudo_random_offset
(default to30
) to add a random offset to backround sudo periodic tasks (smart and full refresh). - Introduced new option 'debug_backtrace_enabled' to control debug backtrace.
- Added
offline_timeout_random_offset
configuration option to control maximum size of random offset added to offline timeout SSSD backend probing interval. - Long time deprecated and undocumented
debug_to_files
option was removed.
sssd-2.4.2
SSSD 2.4.2 Release Notes
Highlights
General information
- Default value of 'user' config option was fixed into accordance with man page, i.e. default is 'root'
- Example systemd service configs now makes use of CapabilityBoundingSet option as a security hardening measure.
New features
pam_sss_gss
now support authentication indicators to further harden the authentication
Configuration changes
- Added
pam_gssapi_indicators_map
to configure authentication indicators requirements
sssd-2.4.1
SSSD 2.4.1 Release Notes
Highlights
General information
SYSLOG_IDENTIFIER
was renamed toSSSD_PRG_NAME
in journald output, to avoid issues with PID parsing in rsyslog (BSD-style forwarder) output.
New features
- New PAM module
pam_sss_gss
for authentication using GSSAPI case_sensitive=Preserving
can now be set for trusted domains with AD providercase_sensitive=Preserving
can now be set for trusted domains with IPA provider. However, the option needs to be set toPreserving
on both client and the server for it to take effect.case_sensitive
option can be now inherited by subdomainscase_sensitive
can be now set separately for each subdomain in[domain/parent/subdomain]
sectionkrb5_use_subdomain_realm=True
can now be used when sub-domain user principal names have upnSuffixes which are not known in the parent domain. SSSD will try to send the Kerberos request directly to a KDC of the sub-domain.
Important fixes
- krb5_child uses proper umask for DIR type ccaches
- Memory leak in the simple access provider
- KCM performance has improved dramatically for cases where large amount of credentials are stored in the ccache.
Packaging changes
- Added
pam_sss_gss.so
PAM module andpam_sss_gss.8
manual page
Configuration changes
- New default value of
debug_level
is 0x0070 - Added
pam_gssapi_check_upn
to enforce authentication only with principal that can be associated with target user. - Added
pam_gssapi_services
to list PAM services that can authenticate using GSSAPI
sssd-2.4.0
SSSD 2.4.0
Highlights
libnss
support was dropped, SSSD now supports onlyopenssl
cryptography
New features
- Session recording can now exclude specific users or groups when
scope
is set toall
(seeexclude_users
andexclude_groups
options) - Active Directory provider now sends CLDAP pings over UDP protocol to Domain Controllers in parallel to determine site and forest to speed up server discovery
Packaging changes
- python2 bindings are disable by default, use
--with-python2-bindings
to build it
Documentation Changes
- Default value of
client_idle_timeout
changed from 60 to 300 seconds for KCM, this allows more time for user interaction (e.g. duringkinit
) - Added
exclude_users
andexclude_groups
option tosession_recording
section, this allows to exclude user or groups from session recording whenscope
is set toall
- Added
ldap_library_debug_level
option to enable debug messages fromlibldap
- Added
dyndns_auth_ptr
to set authentication mechanism for PTR DNS records update - Added
ad_allow_remote_domain_local_groups
to be compatible with other solutions
sssd-2.3.1
SSSD 2.3.1
Highlights
New features
- Domains can be now explicitly enabled or disabled using
enable
option in
domain section. This can be especially used in configuration snippets. - New configuration options
memcache_size_passwd
,memcache_size_group
,
memcache_size_initgroups
that can be used to control memory cache size.
Notable bug fixes
- Fixed several regressions in GPO processing introduced in sssd-2.3.0
- Fixed regression in PAM responder: failures in cache only lookups are no longer considered fatal
- Fixed regression in proxy provider:
pwfield=x
is now default value only forsssd-shadowutils
target
Packaging changes
libwbclient
is now deprecated and is not being built by default (use--with-libwibclient
to build it)
Documentation Changes
- Added option
memcache_size_passwd
- Added option
memcache_size_group
- Added option
memcache_size_initgroups
- Added option
enable
in domain sections - Minor text improvements