Release sssd-2.10.0

src/release-notes/sssd-2.10.0.rst

@@ -0,0 +1,128 @@
+SSSD 2.10.0 Release Notes
+===============================
+
+Highlights
+----------
+
+General information
+~~~~~~~~~~~~~~~~~~~
+
+* **IMPORTANT note for downstream maintainers!**
+
+  This release features significant improvements of "running with less
+  privileges (under   unprivileged service user)" feature. There is still a
+  ``./configure`` option ``--with-sssd-user=`` available that allows downstream
+  package maintainers to choose if support of non-root service user should be
+  built. In case such support is built, a preferred way to configure service
+  user is simply by starting SSSD under this user; for example, using
+  ``User=/Group=`` options of systemd sssd.service file. Upstream defaults are
+  to build ``--with-sssd-user=sssd`` and to install systemd service with
+  ``User=/Group=sssd``. In this case, only several helper processes -
+  ``ldap_child``, ``krb5_child`` and ``selinux_child`` - are executed with
+  elevated capabilities (that are now granted using fine grained file
+  capabilities instead of SUID bit). All other SSSD components run without any
+  capabilities. In this scenario it's still possible to re-configure SSSD to run
+  under ``root`` (if needed for some reason): besides changing ``User/Group=``
+  options, some other tweaks of systemd service files are required.
+
+  A legacy method to configure a service user - sssd.conf ``user`` option - is
+  now deprecated and its support isn’t built by default. It can be enabled using
+  ``--with-conf-service-user-support`` ``./configure`` option if needed (for
+  example, due to backward compatibility requirements of stable releases).
+
+  Further, no matter if SSSD is built ``--with-sssd-user=sssd`` or
+  ``--with-sssd-user=root``, when it's configured to run under ``root`` (in both
+  cases) it still runs without capabilities, the same way as when it's
+  configured to run under ``sssd`` user. The only difference is from the DAC
+  perspective.
+
+  Important note: owner of ``/etc/sssd/sssd.conf`` file (and snippets) should
+  match the user configured to start SSSD service. Upstream spec file and
+  service files change ownership of existing ``sssd.conf`` to sssd during
+  package installation and at runtime for seamless upgrades / transition period
+  only.
+
+  Additionally, this release fixes a large number of issues with "socket
+  activation of responders" feature, making it operable out-of-the-box when the
+  package is built ``--with-sssd-user=sssd``. Please take a note, that user
+  configured to run main sssd.service and socket activated responders (if used)
+  should match (i.e. if sssd.service is re-configured from upstream defaults to
+  ``root`` then responders services also should be re-configured).
+
+  Downstream package maintainers are advised to carefully inspect changes in
+  ``contrib/sssd.spec.in``, ``src/sysv/systemd/*`` and ``./configure`` options
+  that this release brings!
+
+* sssctl ``cache-upgrade`` command was removed. SSSD performs automatic upgrades
+  at startup when needed.
+
+* Support of ``enumeration`` feature (i.e. ability to list all users/groups
+  using ``getent passwd/group`` without argument) for AD/IPA providers is
+  deprecated and might be removed in further releases. Those who are interested
+  to keep using it awhile should configure its build explicitly using
+  ``--with-extended-enumeration-support`` ./configure option.
+
+* A number of minor glitches of ``sssd-2.10.0-beta1`` around building and
+  packaging were fixed.
+
+* Support of ``--without-infopipe`` ``./configure`` option was dropped. Feature
+  is long time out of experimental state. Since building it doesn't require any
+  additional dependencies, there is not much sense to keep option available.
+  Those who not interested in feature can skip installing sssd-ifp sub-package.
+
+New features
+~~~~~~~~~~~~
+
+* The new tool ``sss_ssh_knownhosts`` can be used with ssh's
+  ``KnownHostsCommand`` configuration option to retrieve the host's public keys
+  from a remote server (FreeIPA, LDAP, etc.). This new tool, which is more
+  reliable, replaces ``sss_ssh_knownhostsproxy``. The latter is no longer built
+  by default, but its build can be forced with configure
+  ``--with-ssh-known-hosts-proxy``.
+
+Packaging changes
+~~~~~~~~~~~~~~~~~
+
+* Building SSSD now unconditionally requires availability of ``ucred``/
+  ``SO_PEERCRED`` to enforce certain security checks at runtime (see ``man 7
+  unix`` for details).
+
+* SSSD now requires ``libini`` not older than v1.3
+
+* Explicit ``--with-semanage`` ./configure switch was removed, going forward
+  ``--with-selinux`` includes this.
+
+* ``sssd_pam`` binary lost public ``rx`` bits and got ``cap_dac_read_search=p``
+  file capability to be able to use GSSAPI
+
+* Support of OpenSSL older than 1.0.1 was dropped
+
+Configuration changes
+~~~~~~~~~~~~~~~~~~~~~
+
+* Default ``ldap_id_use_start_tls`` value changed from ``false`` to ``true`` for
+  improved security.
+
+* Added a ``ldap_use_ppolicy`` option for backends with broken ppolicy extension
+  handling.
+
+* Obsolete ``config_file_version`` option was removed.
+
+* Option ``reconnection_retries`` was removed since it is no longer used. SSSD
+  switch to a new architecte of internal IPC between SSSD processes where
+  responders do not connect to backend anymore and therefore this option is no
+  longer used.
+
+Tickets Fixed
+-------------
+
+TBD
+
+Detailed Changelog
+------------------
+
+.. code-block:: release-notes-shortlog
+
+    $ git shortlog --pretty=format:"%h  %s" -w0,4 2.9.0..2.10.0
+
+    TBD

src/releases.rst

@@ -8,6 +8,10 @@ SSSD Releases
 
 .. releases::
 
+    .. release:: sssd-2.10.0
+        :date: 2024-10-16
+        :download: https://github.com/SSSD/sssd/releases/tag/2.10.0
+
     .. release:: sssd-2.10.0-beta2
         :date: 2024-06-26
         :download: https://github.com/SSSD/sssd/releases/tag/2.10.0-beta2