
Releases: SSSD/sssd

sssd-2.10.1

10 Dec 14:37
2.10.1

SSSD 2.10.1 Release Notes

Highlights

General information

  • krb5-child-test was removed. The corresponding tests under
    'src/tests/system/' aim to provide comprehensive test coverage of
    'krb5_child' functionality.
  • SSSD no longer creates missing path components of DIR:/FILE: ccache types
    while acquiring the user's TGT. The parent directory of the requested ccache
    directory must exist, and the user trying to log in must have 'rwx' access
    to this directory. This matches the behavior of 'kinit'.
  • DoT (DNS over TLS) for dynamic DNS updates is now supported. It requires a
    newer version of nsupdate, from BIND 9.19+.
  • The option default_domain_suffix is deprecated. Consider using the more
    flexible domain_resolution_order instead.

Packaging changes

  • Important note for downstream maintainers.

    A set of capabilities required by privileged binaries was further reduced to:

    krb5_child cap_dac_read_search,cap_setgid,cap_setuid=p
    ldap_child cap_dac_read_search=p
    selinux_child cap_setgid,cap_setuid=p
    sssd_pam cap_dac_read_search=p
    

    Keep in mind that even with a limited set of fine grained capabilities, the
    usual precautions should still be taken while packaging binaries with file
    capabilities: it's very important to make sure that they are executable only
    by root and the sssd service user. For this reason the upstream spec file
    packages them as:

    -rwxr-x---. 1 root sssd


    Failing to do so (i.e. allowing non-privileged users to execute those
    binaries) exposes systems installing the package to a security risk.

  • Support of the deprecated 'ad_allow_remote_domain_local_groups' sssd.conf
    option isn't built by default. It can be enabled using the
    '--with-allow-remote-domain-local-groups' ./configure option.
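As an added example (not part of the SSSD project), a POSIX shell audit that checks the installed helper binaries against the capability set and file mode listed in the packaging note above. The /usr/libexec/sssd path and the use of GNU stat and libcap's getcap are assumptions.

```shell
# Added audit helper, not part of SSSD: checks that the privileged helpers carry
# exactly the file capabilities listed in the 2.10.1 notes and have no mode bits
# for "other". Install path is an assumption (override via SSSD_LIBEXEC);
# stat -c / getcap assume GNU coreutils and libcap.
SSSD_LIBEXEC="${SSSD_LIBEXEC:-/usr/libexec/sssd}"
# Capability sets as published in the notes (getcap prints them in the same
# ascending order, so a plain string comparison is sufficient).
expected_caps() {
    case "$1" in
        krb5_child)    echo "cap_dac_read_search,cap_setgid,cap_setuid=p" ;;
        ldap_child)    echo "cap_dac_read_search=p" ;;
        selinux_child) echo "cap_setgid,cap_setuid=p" ;;
        sssd_pam)      echo "cap_dac_read_search=p" ;;
        *)             return 1 ;;
    esac
}
# Reduce one getcap output line to "basename caps". Older libcap prints
# "/path/file = caps", newer releases print "/path/file caps".
parse_getcap_line() {
    printf '%s\n' "$1" | sed 's/ = / /' |
        awk '{ n = split($1, p, "/"); print p[n], $2 }'
}
# True when the observed caps equal the published set. "=p" (permitted only)
# is what the notes specify; "=ep" would grant the caps on every exec.
check_caps() { want=$(expected_caps "$1") && [ -n "$2" ] && [ "$2" = "$want" ]; }
# True for ls-style mode/owner/group matching "-rwxr-x---. 1 root sssd": no
# bits for "other", owner root, group sssd. Trailing "."/"+" markers ignored.
check_mode_line() {
    perm=${1%[.+]}
    [ "${#perm}" -eq 10 ] || return 1
    case "$perm" in
        *---) [ "$2" = root ] && [ "$3" = sssd ] ;;
        *)    return 1 ;;
    esac
}
# Run both checks against the installed binaries, one result line per helper.
audit_sssd_helpers() {
    rc=0
    for bin in krb5_child ldap_child selinux_child sssd_pam; do
        path="$SSSD_LIBEXEC/$bin"
        [ -e "$path" ] || { echo "SKIP $bin (not installed)"; continue; }
        line=$(parse_getcap_line "$(getcap "$path" 2>/dev/null)")
        caps=${line#* }
        set -- $(stat -c '%A %U %G' "$path")
        if check_caps "$bin" "$caps" && check_mode_line "$1" "$2" "$3"; then
            echo "OK   $bin $caps $1 $2:$3"
        else
            echo "FAIL $bin $caps $1 $2:$3 (want $(expected_caps "$bin"))"
            rc=1
        fi
    done
    return $rc
}
case "${1:-}" in --audit) audit_sssd_helpers ;; esac
```

Run it as `sh audit.sh --audit` on a host after installing the package; a FAIL line means the shipped binary differs from the upstream packaging described in the note.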

Configuration changes

  • The ad_allow_remote_domain_local_groups option is deprecated and will be
    removed in future releases.
  • The dyndns_server option is extended so it can be given as a URI
    (dns+tls://1.2.3.4:853#servername). A new set of options dyndns_dot_cacert,
    dyndns_dot_cert and dyndns_dot_key allows configuring DNS-over-TLS
    communication.
  • Added the exop_force value for the configuration option ldap_pwmodify_mode.
    This can be used to force a password change even if no grace logins are
    left. Depending on the configuration of the LDAP server, the password
    change may still be expected to fail.

See full release notes here.

sssd-2.9.6

05 Dec 18:01
2.9.6

SSSD 2.9.6 Release Notes

Highlights

General information

  • DoT for dynamic DNS updates is now supported. It requires a newer version
    of nsupdate, from BIND 9.19+.

  • The option default_domain_suffix is deprecated. Consider using the more
    flexible domain_resolution_order instead.

Important fixes

  • When the DP_OPT_DYNDNS_REFRESH_OFFSET enumerator was created, the
    associated struct dp_option was not. Because these structures are part of
    an array and the enumerator is used as the index, the wrong structure would be
    accessed when trying to use this index. This problem was fixed by creating the
    missing structure.

Configuration changes

  • The dyndns_server option is extended so it can be given as a URI
    (dns+tls://1.2.3.4:853#servername). A new set of options
    dyndns_dot_cacert, dyndns_dot_cert and dyndns_dot_key allows
    configuring DNS-over-TLS communication.

  • Added the exop_force value for the configuration option ldap_pwmodify_mode.
    This can be used to force a password change even if no grace logins are
    left. Depending on the configuration of the LDAP server, the password
    change may still be expected to fail.

See full release notes here.

sssd-2.10.0

15 Oct 10:31
2.10.0

SSSD 2.10.0 Release Notes

Highlights

General information

  • IMPORTANT note for downstream maintainers!

    This release features significant improvements to the "running with less
    privileges (under an unprivileged service user)" feature. There is still a
    ./configure option --with-sssd-user= available that allows downstream
    package maintainers to choose whether support for a non-root service user
    should be built. In case such support is built, the preferred way to
    configure the service user is simply to start SSSD under this user; for
    example, using the User=/Group= options of the systemd sssd.service file.
    Upstream defaults are to build --with-sssd-user=sssd and to install the
    systemd service with User=/Group=sssd. In this case, only a few helper
    processes - ldap_child, krb5_child and selinux_child - are executed with
    elevated capabilities (which are now granted using fine grained file
    capabilities instead of the SUID bit). All other SSSD components run without
    any capabilities. In this scenario it's still possible to re-configure SSSD
    to run under root (if needed for some reason): besides changing the
    User/Group= options, some other tweaks of the systemd service files are
    required.

    The legacy method of configuring a service user - the sssd.conf user option -
    is now deprecated and its support isn't built by default. It can be enabled
    using the --with-conf-service-user-support ./configure option if needed (for
    example, due to backward compatibility requirements of stable releases).

    Further, no matter whether SSSD is built --with-sssd-user=sssd or
    --with-sssd-user=root, when it's configured to run under root (in both
    cases) it still runs without capabilities, the same way as when it's
    configured to run under the sssd user. The only difference is from the DAC
    perspective.

    Important note: the owner of the /etc/sssd/sssd.conf file (and snippets)
    should match the user configured to start the SSSD service. The upstream
    spec file and service files change ownership of an existing sssd.conf to
    sssd during package installation and at runtime, for seamless upgrades /
    the transition period only.

    Additionally, this release fixes a large number of issues with the "socket
    activation of responders" feature, making it operable out-of-the-box when
    the package is built --with-sssd-user=sssd. Please note that the user
    configured to run the main sssd.service and the socket activated responders
    (if used) should match (i.e. if sssd.service is re-configured from the
    upstream defaults to root then the responder services should also be
    re-configured).

    Downstream package maintainers are advised to carefully inspect the changes
    in contrib/sssd.spec.in, src/sysv/systemd/* and ./configure options that
    this release brings!

  • The sssctl cache-upgrade command was removed. SSSD performs automatic
    upgrades at startup when needed.

  • Support of the enumeration feature (i.e. the ability to list all
    users/groups using getent passwd/group without an argument) for the AD/IPA
    providers is deprecated and might be removed in future releases. Those who
    want to keep using it for a while should configure its build explicitly
    using the --with-extended-enumeration-support ./configure option.

  • A number of minor glitches of sssd-2.10.0-beta1 around building and
    packaging were fixed.
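An added consistency check (not SSSD's own code) for the two requirements stated in the important note above: the owner of sssd.conf and its snippets must match the User= of sssd.service, and the socket-activated responder units must run as that same user. The responder unit names, the /etc/sssd path and the GNU stat/systemctl invocations are assumptions.

```shell
# Added consistency check, not SSSD's own code: the user systemd starts
# sssd.service as must own /etc/sssd/sssd.conf and its conf.d snippets, and the
# socket-activated responder units must run as that same user. The unit names,
# the /etc/sssd path and GNU stat/systemctl usage are assumptions.
CONF_DIR="${CONF_DIR:-/etc/sssd}"
# Effective User= from "systemctl show"-style KEY=VALUE text; an absent or
# empty User= means the unit runs as root.
unit_user() {
    printf '%s\n' "$1" |
        awk -F= '$1 == "User" && $2 != "" { u = $2 } END { print (u == "" ? "root" : u) }'
}
# 0 when every "path owner" line names the service user as owner; mismatches
# are printed so an operator can chown them before the next start.
owners_match() {
    printf '%s\n' "$2" | awk -v u="$1" \
        'NF == 2 && $2 != u { bad = 1; print "MISMATCH " $1 " owned by " $2 } END { exit bad }'
}
# 0 when every "unit:user" pair runs as the same user as sssd.service.
responders_match() {
    main=$1; shift
    for pair in "$@"; do
        [ "${pair#*:}" = "$main" ] ||
            { echo "MISMATCH ${pair%%:*} runs as ${pair#*:}, sssd.service as $main"; return 1; }
    done
}
# Gather live values and run both checks; returns non-zero on any mismatch.
audit_service_user() {
    main=$(unit_user "$(systemctl show -p User sssd.service)")
    files=$(stat -c '%n %U' "$CONF_DIR/sssd.conf" "$CONF_DIR"/conf.d/*.conf 2>/dev/null)
    pairs=""
    # Responder units shipped in src/sysv/systemd (assumed names); skip any
    # that are not installed on this host.
    for unit in sssd-nss sssd-pam sssd-sudo sssd-ssh sssd-autofs sssd-pac sssd-ifp; do
        systemctl cat "$unit.service" >/dev/null 2>&1 || continue
        pairs="$pairs $unit.service:$(unit_user "$(systemctl show -p User "$unit.service")")"
    done
    owners_match "$main" "$files" && responders_match "$main" $pairs
}
case "${1:-}" in --audit) audit_service_user ;; esac
```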

New features

  • The new tool sss_ssh_knownhosts can be used with ssh's
    KnownHostsCommand configuration option to retrieve the host's public keys
    from a remote server (FreeIPA, LDAP, etc.). This new tool, which is more
    reliable, replaces sss_ssh_knownhostsproxy. The latter is no longer built
    by default, but its build can be forced with the ./configure option
    --with-ssh-known-hosts-proxy.

Packaging changes

  • Building SSSD now unconditionally requires availability of
    ucred/SO_PEERCRED to enforce certain security checks at runtime (see man 7
    unix for details).

  • SSSD now requires libini not older than v1.3.

  • The explicit --with-semanage ./configure switch was removed; going forward,
    --with-selinux includes this.

  • The sssd_pam binary lost its public rx bits and got the
    cap_dac_read_search=p file capability to be able to use GSSAPI.

  • Support of OpenSSL older than 1.0.1 was dropped.

  • Support of the --without-infopipe ./configure option was dropped. The
    feature has long been out of its experimental state. Since building it
    doesn't require any additional dependencies, there is little sense in
    keeping the option available. Those not interested in the feature can skip
    installing the sssd-ifp sub-package.

Configuration changes

  • Default ldap_id_use_start_tls value changed from false to true for
    improved security.

  • Added an ldap_use_ppolicy option for backends with broken ppolicy extension
    handling.

  • The obsolete config_file_version option was removed.

  • The reconnection_retries option was removed since it is no longer used.
    SSSD switched to a new architecture of internal IPC between SSSD processes,
    where responders no longer connect to the backend, so this option is no
    longer needed.

See full release notes here.

sssd-2.10.0-beta2

26 Jun 09:40
2.10.0-beta2
Pre-release

SSSD sssd-2.10.0~beta2 Release Notes

Highlights

General information

  • A number of minor glitches of sssd-2.10.0-beta1 around building and packaging were fixed.

Packaging changes

  • The sssd_pam binary lost its public rx bits and got the cap_dac_read_search=p file capability to be able to use GSSAPI.

See full release notes here.

sssd-2.10.0-beta1

06 Jun 12:10
2.10.0-beta1
Pre-release

SSSD 2.10-beta1 Release Notes

Highlights

General information

  • IMPORTANT note for downstream maintainers!

    This release features significant improvements to the "running with less privileges (under an unprivileged service user)" feature. There is still a ./configure option --with-sssd-user= available that allows downstream package maintainers to choose whether support for a non-root service user should be built. In case such support is built, the preferred way to configure the service user is simply to start SSSD under this user; for example, using the User=/Group= options of the systemd sssd.service file. Upstream defaults are to build --with-sssd-user=sssd and to install the systemd service with User=/Group=sssd. In this case, only a few helper processes - ldap_child, krb5_child and selinux_child - are executed with elevated capabilities (which are now granted using fine grained file capabilities instead of the SUID bit). All other SSSD components run without any capabilities. In this scenario it's still possible to re-configure SSSD to run under root (if needed for some reason): besides changing the User/Group= options, some other tweaks of the systemd service files are required.

    The legacy method of configuring a service user - the sssd.conf user option - is now deprecated and its support isn't built by default. It can be enabled using the --with-conf-service-user-support ./configure option if needed (for example, due to backward compatibility requirements of stable releases).

    Further, no matter whether SSSD is built --with-sssd-user=sssd or --with-sssd-user=root, when it's configured to run under root (in both cases) it still runs without capabilities, the same way as when it's configured to run under the sssd user. The only difference is from the DAC perspective.

    Important note: the owner of the /etc/sssd/sssd.conf file (and snippets) should match the user configured to start the SSSD service. The upstream spec file changes ownership of an existing sssd.conf to sssd during package installation for seamless upgrades.

    Additionally, this release fixes a large number of issues with the "socket activation of responders" feature, making it operable out-of-the-box when the package is built --with-sssd-user=sssd. Please note that the user configured to run the main sssd.service and the socket activated responders (if used) should match (i.e. if sssd.service is re-configured from the upstream defaults to root then the responder services should also be re-configured).

    Downstream package maintainers are advised to carefully inspect the changes in contrib/sssd.spec.in, src/sysv/systemd/* and ./configure options that this release brings!

  • The sssctl cache-upgrade command was removed. SSSD performs automatic upgrades at startup when needed.

  • Support of the enumeration feature (i.e. the ability to list all users/groups using getent passwd/group without an argument) for the AD/IPA providers is deprecated and might be removed in future releases. Those who want to keep using it for a while should configure its build explicitly using the --with-extended-enumeration-support ./configure option.

New features

  • The new tool sss_ssh_knownhosts can be used with ssh's KnownHostsCommand configuration option to retrieve the host's public keys from a remote server (FreeIPA, LDAP, etc.). This new tool, which is more reliable, replaces sss_ssh_knownhostsproxy. Please consider switching to the new tool, as the old one will be removed.

Packaging changes

  • Building SSSD now unconditionally requires availability of ucred/SO_PEERCRED to enforce certain security checks at runtime (see man 7 unix for details).
  • SSSD now requires libini not older than v1.3.
  • The explicit --with-semanage ./configure switch was removed; going forward, --with-selinux includes this.

Configuration changes

  • The default ldap_id_use_start_tls value changed from false to true for improved security.
  • Added an ldap_use_ppolicy option for backends with broken ppolicy extension handling.
  • The obsolete config_file_version option was removed.

See full release notes here.

sssd-2.9.5

16 May 11:48
2.9.5

SSSD 2.9.5 Release Notes

Highlights

Security

Configuration changes

  • Added the failover_primary_timout configuration option. This can be used to configure how often SSSD tries to reconnect to a primary server after a successful connection to a backup server. This was previously hard-coded to 31 seconds, which is kept as the default value.

See full release notes here.

sssd-2.9.4

12 Jan 12:58
2.9.4

SSSD 2.9.4 Release Notes

Highlights

Important fixes

  • Fixes a crash when PAM passkey processing incorrectly handles non-passkey data.
  • A workaround was implemented to gracefully handle misbehaving applications that destroy the internal state of the SSSD client libraries. A particular example of such an application is described in TigerVNC/tigervnc#1709.
  • An error when rotating KCM's logs was fixed. When KCM's logs were rotated by logrotate, KCM would still use the old file (renamed sssd_kcm.log.1). Only after KCM was restarted (either manually or automatically) would the new log file be used. This problem is now solved and KCM uses the new file immediately.
  • Fixed group membership handling when members come from different forest domains and the use of LDAP token groups is prohibited.
  • The files provider was erroneously taking the local_auth_policy config option into account, thus breaking smartcard authentication of local users in setups that didn't explicitly specify this option. This is now fixed.

See full release notes here.

sssd-2.9.3

13 Nov 12:29
2.9.3

SSSD 2.9.3 Release Notes

Highlights

General information

  • The proxy provider is now able to handle certificate mapping and matching rules, and users handled by the proxy provider can be configured for local Smartcard authentication. Besides the mapping rule, local Smartcard authentication should be enabled with the 'local_auth_policy' option in the backend and with 'pam_cert_auth' in the PAM responder.

Important fixes

  • Passkey authentication no longer fails when using FreeIPA server-side authentication with require-user-verification=false.

New features

  • When adding a new credential to KCM and the user has already reached their limit, the oldest expired credential will be removed to free some space. If no expired credential is found to remove, the operation fails as in previous versions.

See full release notes here.

sssd-2.9.2

07 Sep 11:28
2.9.2

SSSD 2.9.2 Release Notes

Highlights

SSSD 2.9 branch is now in long-term maintenance (LTM) phase.

General information

  • libkrb5-1.21 can now be used to build the PAC plugin.
  • sssctl cert-show and sssctl cert-eval-rule can now be run as a non-root user.

Important fixes

  • SSSD no longer crashes if a PIN is entered but the tactile trigger isn't pressed during passkey authentication.
  • SSSD can now recover if memory-cache files under /var/lib/sss/mc were truncated while SSSD is running.
  • Chaining of identical D-Bus requests that run in parallel, to avoid multiple backend queries, works again.

Configuration changes

  • A new option local_auth_policy is added to control which offline authentication methods will be enabled by SSSD. This option is relevant for authentication methods which have both online and offline capability, such as passkey and smartcard authentication. The default value match sets the offline methods to their corresponding online value. This enables offline authentication when online Kerberos pre-authentication such as PKINIT or passkey is supported by the backend; note that online methods will still be attempted first. The value only disables online authentication entirely, and the value enable:method explicitly enables specific authentication methods, e.g. enable:passkey.

See full release notes here.

sssd-2.9.1

23 Jun 14:25
2.9.1

SSSD 2.9.1 Release Notes

Highlights

New features

  • Passkey: added option to write key mapping data to file.

Important fixes

  • A regression was fixed that prevented autofs lookups from functioning correctly when cache_first is set to True. Since this was set as a new default value in sssd-2.9.0, it is considered a regression.
  • A regression where SSSD failed to properly watch for changes in '/etc/resolv.conf' when it was a symbolic link or a relative path was fixed.

See full release notes here.