Releases: SSSD/sssd
Releases · SSSD/sssd
sssd-1.14.0.beta1
sssd-1_14_0_beta1 Tagging the 1.14 beta1 release
sssd-1.13.91
sssd-1_13_91 Tagging the 1.13.92 release
sssd-1.14.0.alpha1
sssd-1_14_0_alpha1 Tagging the 1.14 Alpha release
sssd-1.13.90
sssd-1_13_90 Tagging the 1.14 alpha release
sssd-1.13.4
SSSD 1.13.4
Highlights
- The IPA sudo provider was reimplemented. The new version reads the data from IPA's LDAP tree (as opposed to the compat tree populated by the
slapi-nis
plugin that was used previously). The benefit is that deployments which don't require the compat tree for other purposes, such as support for non-SSSD clients can disable those autogenerated LDAP trees to conserve resources that slapi-nis otherwise requires. There should be no visible changes to the end user. - SSSD now has the ability to renew the machine credentials (keytabs) when the
ad
provider is used. Please note that a recent version of theadcli
(0.8 or newer) package is required for this feature to work. - The automatic ID mapping feature was improved so that the administrator is no longer required to manually set the range size in case a RID in the AD domain is larger than the default range size
- A potential infinite loop in the NFS ID mapping plugin that was resulting in an excessive memory usage was fixed
- Clients that are pinned to a particular AD site using the
ad_site
option no longer communicate with DCs outside that site during service discovery. - The IPA identity provider is now able to resolve external (typically coming from a trusted AD forest) group members during get-group-information requests. Please note that resolving external group memberships for AD users during the initgroup requests used to work even prior to this update. This feature is mostly useful for cases where an IPA client is using the compat tree to resolve AD trust users.
- The IPA ID views feature now works correctly even for deployments without a trust relationship. Previously, the
subdomains
IPA provider failed to read the views data if no master domain record was created on the IPA server during trust establishment. - A race condition in the client libraries between the SSSD closing the socket as idle and the client application using the socket was fixed. This bug manifested with a
Broken Pipe
error message on the client. - SSSD is now able to resolve users with the same usernames in different OUs of an AD domain
- The smartcard authentication now works properly with
gnome-screensaver
Packaging Changes
- The
krb5.include.d
directory is now owned by thesssd
user and packaged in thekrb5-common
subpackage
Documentation Changes
- A new option
ldap_idmap_helper_table_size
was added. This option can help tune allocation of new ID mapping slices for AD domains with a high RID values. Most deployments can use the default value of this option. - Several PAM services were added to the lists that are used to map Windows logon services to GNU/Linux PAM services. The newly added PAM services include login managers (
lightdm
,lxdm
,sddm
andxdm
) as well as thecockpit
service. - The AD machine credentials renewal task can be fine-tuned using the
ad_machine_account_password_renewal_opts
to change the initial delay and period of the credentials renewal task. In addition, the newad_maximum_machine_account_password_age
option allows the administrator to select how old the machine credential must be before trying to renew it. - The administrator can use the new option
pam_account_locked_message
to set a custom informational message when the account logging in is locked.
sssd-1.11.8
sssd-1_11_8 Tagging the 1.11.8 release
sssd-1.13.3
SSSD 1.13.3
Highlights
- A bug that prevented user lookups and logins after migration from winsync to IPA-AD trusts was fixed
- The OCSP certificate validation checks are enabled for smartcard logins if SSSD was compiled with the NSS crypto library.
- A bug that prevented the
ignore_group_members
option from working correctly in AD provider setups that use a dedicated primary group (as opposed to a user-private group) was fixed - Offline detection and offline login timeouts were improved for AD users logging in from a domain trusted by an IPA server
- The AD provider supports setting up
autofs_provider=ad
- Several usability improvements to our debug messages
Packaging Changes
- The
p11_child
helper binary is able to run completely unprivileged and no longer requires the setgid bit to be set
Documentation Changes
- A new option
certificate_verification
was added. This option allows the administrator to disable OCSP checks in case the OCSP server is not reachable
sssd-1.13.2
SSSD 1.13.2
Highlights
- This is primarily a bugfix release, with minor features added to the local overrides feature
- The
sss_override
tool gained newuser-show
,user-find
,group-show
andgroup-find
commands - The PAM responder was crashing if PAM_USER was set to an empty string. This bug was fixed
- The
sssd_be
process could crash when looking up groups in setups with IPA-AD trusts that use POSIX attributes but do not replicate them to the Global Catalog - A socket leak in case SSSD couldn't establish a connection to an LDAP server was fixed
- SSSD's memory cache now behaves better when used by long-running applications such as system daemons and the administrator invalidates the cache
- The SSSDConfig Python API no longer throws an exception when config_file_version is missing
- The InfoPipe D-Bus interface is able to retrieve user groups correctly if the user is a member of non-POSIX groups like ipausers as well
- Lookups by certificate now work correctly in multi-domain environment
- The lookup of POSIX attributes after startup was relaxed to only check attribute presence, not validity. The POSIX check was also made less verbose.
- A bug when looking up a subdomain user by UPN users was fixed
Packaging Changes
- The memory cache for initgroups results was previously not packaged. This bug was fixed.
- Python 2/3 packaging in the RPM specfile was improved
sssd-1.13.1
SSSD 1.13.1
Highlights
- Initial support for Smart Card authentication was added. The feature can be activated with the new
pam_cert_auth
option - The PAM prompting was enhanced so that when Two-Factor Authentication is used, both factors (password and token) can be entered separately on separate prompts. At the same time, only the long-term password is cached, so offline access would still work using the long term password
- A new command line tool
sss_override
is present in this release. The tools allows to override attributes on the SSSD side. It's helpful in environment where e.g. some hosts need to have a different view of POSIX attributes than others. Please note that the overrides are stored in the cache as well, so removing the cache will also remove the overrides - New methods were added to the SSSD D-Bus interface. Notably support for looking up a user by certificate and looking up multiple users using a wildcard was added. Please see the interface introspection or the design pages for full details
- Several enhancements to the dynamic DNS update code. Notably, clients that update multiple interfaces work better with this release
- This release supports authenticating againt a KDC proxy
- The fail over code was enhanced so that if a trusted domain is not reachable, only that domain will be marked as inactive but the backed would stay in online mode
- Several fixes to the GPO access control code are present
Packaging Changes
- The Smart Card authentication feature requires a helper process
p11_child
that needs to be marked as setgid if SSSD needs to be able to. Please note thep11_child
requires the NSS crypto library at the moment - The
sss_override
tool was added along with its own manpage - The upstream RPM can now build on RHEL/CentOS 6.7
Documentation Changes
- The
config_file_version
configuration option now defaults to 2. As an effect, this option doesn't have to be set anymore unless the config file format is changed again by SSSD upstream - It is now possible to specify a comma-separated list of interfaces in the
dyndns_iface
option - The InfoPipe responder and the LDAP provider gained a new option
wildcard_lookup
that specifies an upper limit on the number of entries that can be returned with a wildcard lookup - A new option
dyndns_server
was added. This option allows to attempt a fallback DNS update against a specific DNS server. Please note this option only works as a fallback, the first attempt will always be performed against autodiscovered servers. - The PAM responder gained a new option
ca_db
that allows the storage of trusted CA certificates to be specified - The time the
p11_child
is allowed to operate can be specified using a new optionp11_child_timeout
sssd-1.13.0
SSSD 1.13.0
Highlights
- Support for separate prompts when using two-factor authentication was added
- Added support for one-way trusts between an IPA and Active Directory environment. Please note that this SSSD functionality depends on IPA code that will be released in the IPA 4.2 version
- The fast memory cache now also supports the initgroups operation.
- The PAM responder is now capable of caching authentication for configurable period, which might reduce server load in cases where accounts authenticate very frequently. Please refer to the
cached_auth_timeout
option in thesssd.conf
manual page. - The Active Directory provider has changed the default value of the
ad_gpo_access_control
option frompermissive
toenforcing
. As a consequence, the GPO access control now affects all clients that setaccess_provider
toad
. In order to restore the previous behaviour, setad_gpo_access_control
topermissive
or use a differentaccess_provider
type. - Group Policy objects defined in a different AD domain that the computer object is defined in are now supported.
- Credential caching and Offline authentication are also available when using two-factor authentication
- Many enhancements to the InfoPipe D-Bus API. Notably, the SSSD users and groups are now exposed as first-class objects. The users and groups can also be marked as cached and would subsequently show up in the Introspection output
- The DBus interface is now also able to look up User objects by certificate. This is a first part of work that will eventually allow smart-card authentication in SSSD.
- The LDAP cleanup task is now disabled by default, unless enumeration is enabled. Please refer to the
ldap_purge_cache_timeout
option in case your environment requires the cleanup task - The Python bindings are now built for both Python2 and Python3
- The LDAP bind timeout, StartTLS timeout and password change timeout are now configurable using the
ldap_opt_timeout
option
Packaging Changes
- A new directory
/var/lib/sss/keytabs
is present and owned by thesssd-ipa
subpackage. The SSSD stores keytabs for one-way trust relationships in this directory. Downstreams should make sure that the directory is only readable to the user who runs the SSSD service. - Several packaging changes are present in this release to support the Python3 bindings, notably new
python-sss
andpython-sss-murmur
subpackages are introduced in upstream RPM packaging - All python bindings now have a Python3 and a Python2 version in the upstream RPM packaging scheme
- The OpenSSL development library such as
openssl-devel
on RHEL/Fedora or Debian/Ubuntulibssl-dev
is now required to support certificate operations - A new internal library
libsss_cert.so
is present in this release. - The fast initgroups memcache is represented by a new file
/var/lib/sss/mc/initgroups
Documentation Changes
- The
ad_gpo_access_control
option default has changed frompermissive
toenforcing
- The default value of
ldap_purge_cache_timeout
changed to 0, thus effectivelly disabling the cleanup task. - A new option
cache_credentials_minimal_first_factor_length
was added. This option sets constraints on the password length if One-Time passwords are used and credentials are to be cached. Please see thesssd.conf(5)
man page for more details - The cached authentication is controlled by new option
cached_auth_timeout
. By default the cached authentication is disabled.