Releases: SSSD/sssd
Releases · SSSD/sssd
sssd-1.15.3
SSSD 1.15.3
Highlights
New Features
- In a setup where an IPA domain trusts an Active Directory domain, it is now possible to define the domain resolution order. Starting with this version, SSSD is able to read and honor the domain resolution order, providing a way to resolve Active Directory users by just their short name. SSSD also supports a new option
domain_resolution_order
applicable in the[sssd]
section that allows to configure short names for AD users in setup withid_provider=ad
or in a setup with an older IPA server that doesn't support theipa config-mod --domain-resolution-order
configuration option. Also, it is now possible to useuse_fully_qualified_names=False
in a subdomain configuration, but please note that the user and group output from trusted domains will always be qualified to avoid conflicts.- Design page - Shortnames in trusted domains
- SSSD ships with a new service called KCM. This service acts as a storage for Kerberos tickets when
libkrb5
is configured to useKCM:
inkrb5.conf
. Compared to other Kerberos credential cache types, KCM is better suited for containerized environments and because the credential caches are managed by a stateful daemon, in future releases will also allow to renew tickets acquired outside SSSD (e.g. withkinit
) or provide notifications about ticket changes. This feature is optional and can be disabled by selecting--without-kcm
when configuring the SSSD build.- Design page - KCM server for SSSD
- `NOTE`: There are several known issues in the
KCM
responder that will be handled in the next release such as issues with very large tickets or tracking the SELinux label of the peer or even one intermittent crash. There are also some differences between how SSSD's KCM server works compared to Heimdal's KCM server such as visibility of ccaches by root.
- Support for user and group resolution through the D-Bus interface and authentication and/or authorization through the PAM interface even for setups without UIDs or Windows SIDs present on the LDAP directory side. This enhancement allows SSSD to be used together with apache modules to provide identities for applications
- Design page - Support for non-POSIX users and groups
- SSSD ships a new public library called
libsss_certmap
that allows a flexible and configurable way of mapping a certificate to a user identity. This is required e.g. in environments where it is not possible to add the certificate to the LDAP user entry, because the certificates are issued externally or the LDAP schema cannot be modified. Additionally, specific matching rules allow a specific certificate on a smart card to be selected for authentication.- Design page - Matching and Mapping Certificates
- The Kerberos locator plugin can be disabled using an environment variable
SSSD_KRB5_LOCATOR_DISABLE
. Please refer to thesssd_krb5_locator_plugin
manual page for mode details. - The
sssctl
command line tool supports a new commanduser-checks
that enables the administrator to check whether a certain user should be allowed or denied access to a certain PAM service. - The
secrets
responder now forwards requests to a proxy Custodia back end over a secure channel.
Notable bug fixes
- The IPA HBAC evaluator no longer relies on
originalMemberOf
attributes to construct the list of groups the user is a member of. Maintaining theoriginalMemberOf
attribute was unreliable and was causing intermittent HBAC issues. - A bug where the cleanup operation might erroneously remove cached users during their cache validation in case SSSD was set up with
enumerate=True
was fixed. - Several bugs related to configuration of trusted domains were fixed, in particular handling of custom LDAP search bases set for trusted domains.
- Password changes for users from trusted Active Directory domains were fixed
Packaging Changes
- A new KCM responder was added along with a manpage. The upstream reference specfile packages the responder in its own subpackage called
sssd-kcm
and a krb5.conf snippet that enables theKCM
credentials cache simply by installing the subpackage - The
libsss_certmap
library was packaged in a separate package. There is also alibsss_certmap-devel
subpackage in the upstream packaging.
Documentation Changes
sssd-kcm
andlibsss_certmap
are documented in their own manual pages.- A new option
domain_resolution_order
was added. This option allows to specify the lookup order (especially w.r.t. trusted domains) that sssd will follow. Please see the Shortnames in trusted domains design page. for mode details. - New options
pam_app_services
anddomain_type
were added. These options can be used to only limit certain PAM services to reach certain SSSD domains that should only be exposed to non-OS applications. For more details, refer to the Support for non-POSIX users and groups design page.
- The
secrets
responder supports several new options related to TLS setup and handling includingverify_peer
,verify_host
,capath
,cacert
andcert
. These options are all described in thesssd-secrets
manual page.
sssd-1.15.2
SSSD 1.15.2
Highlights
- It is now possible to configure certain parameters of a trusted domain in a configuration file sub-section. In particular, it is now possible to configure which Active Directory DCs the SSSD talks to with a configuration like this:
[domain/ipa.test]
# IPA domain configuration. This domain trusts a Windows domain win.test
[domain/ipa.test/win.test]
ad_server = dc.win.test
- Several issues related to socket-activating the NSS service, especially if SSSD was configured to use a non-privileged userm were fixed. The NSS service now doesn't change the ownership of its log files to avoid triggering a name-service lookup while the NSS service is not running yet. Additionally, the NSS service is started before any other service to make sure username resolution works and the other service can resolve the SSSD user correctly.
- A new option
cache_first
allows the administrator to change the way multiple domains are searched. When this option is enabled, SSSD will first try to "pin" the requested name or ID to a domain by searching the entries that are already cached and contact the domain that contains the cached entry first. Previously, SSSD would check the cache and the remote server for each domain. This option brings performance benefit for setups that use multiple domains (even auto-discovered trusted domains), especially for ID lookups that would previously iterate over all domains. Please note that this option must be enabled with care as the administrator must ensure that the ID space of domains does not overlap. - The SSSD D-Bus interface gained two new methods:
FindByNameAndCertificate
andListByCertificate
. These methods will be used primarily by IPA and mod_lookup_identity to correctly match multple users who use the same certificate for Smart Card login. - A bug where SSSD did not properly sanitize a username with a newline character in it was fixed.
Packaging Changes
None in this release
Documentation Changes
- A new option
cache_first
was added. Please see the Highlights section for more details - The
override_homedir
option supports a new template expansionl
that expands to the first letter of username
sssd-1.15.1
SSSD 1.15.1
Highlights
- Several issues related to starting the SSSD services on-demand via socket activation were fixed. In particular, it is no longer possible to have a service started both by sssd and socket-activated. Another bug which might have caused the responder to start before SSSD started and cause issues especially on system startup was fixed.
- A new
files
provider was added. This provider mirrors the contents of/etc/passwd
and/etc/group
into the SSSD database. The purpose of this new provider is to make it possible to use SSSD's interfaces, such as the D-Bus interface for local users and enable leveraging the in-memory fast cache for local users as well, as a replacement fornscd
. In future, we intend to extend the D-Bus interface to also provide setting and retrieving additional custom attributes for the files users. - SSSD now autogenerates a fallback configuration that enables the files domain if no SSSD configuration exists. This allows distributions to enable the
sssd
service when the SSSD package is installed. Please note that SSSD must be build with the configuration option--enable-files-domain
for this functionality to be enabled. - Support for public-key authentication with Kerberos (PKINIT) was added. This support will enable users who authenticate with a Smart Card to obtain a Kerberos ticket during authentication.
Packaging Changes
- The new files provider comes as a new shared library
libsss_files.so
and a new manual page - A new helper binary called
sssd_check_socket_activated_responders
was added. This binary is used in theExecStartPre
directive to check if the service that corresponds to socket about to be started was also started explicitly and abort the socket startup if it was.
Documentation Changes
- A new PAM module option
prompt_always
was added. This option is related to fixing <https://github.com/SSSD/sssd/issues/4025which changed the behaviour of the PAM module so thatpam_sss
always uses an auth token that was on stack. The newprompt_always
option makes it possible to restore the previous behaviour.
sssd-1.15.0
SSSD 1.15.0
Highlights
- SSSD now allows the responders to be activated by the systemd service manager and exit when idle. This means the
services
line in sssd.conf is optional and the responders can be started on-demand, simplifying the sssd configuration. Please note that this change is backwards-compatible and the responders listed explicitly in sssd.conf's services line are managed by sssd in the same manner as in previous releases. Please refer toman sssd.conf(5)
for more information - The sudo provider is no longer disabled for configurations that do not explicitly include the
sudo
responder in theservices
list. In order to disable the sudo-related back end code that executes the periodic LDAP queries, set thesudo_provider
tonone
explicitly - The watchdog signal handler no longer uses signal-unsafe functions. This bug was causing a deadlock in case the watchdog was about to kill a stuck process
- A bug that prevented TLS to be set up correctly on systems where libldap links with GnuTLS was fixed
- The functionality to alter SSSD configuration through the D-Bus interface provided by the IFP responder was removed. This functionality was not used to the best of our knowledge, had no tests and prevented the InfoPipe responder from running as a non-privileged user.
- A bug that prevented statically-linked applications from using libnss_sss was fixed by removing dependency on
-lpthreads
from thelibnss_sss
library (please see <https://sourceware.org/bugzilla/show_bug.cgi?id=20500for an example on why linking with-lpthread
from an NSS modules is problematic) - Previously, SSSD did not ignore GPOs that were missing the gPCFunctionalityVersion attribute and failed the whole GPO processing. Starting with this version, the GPOs without the gPCFunctionalityVersion are skipped.
Packaging Changes
- The Augeas development libraries are no longer required since the configuration manipulation interface was dropped from the InfoPipe responder
- The libsss_config.so internal library was removed as well due to removal of the InfoPipe config management
- In order to manage socket-activated or bus activated responders, each responder is now represented by a systemd service file (e.g. sssd-nss.service). All responders except InfoPipe, which is bus-activated, are also managed by a socket unit file (e.g. sssd-nss.socket)
Documentation Changes
- The sssd-secrets responder gained a new option max_payload_size that allows the administrator to limit the maximum size of a secret
- A new option responder_idle_timeout was added to support idle termination of socket-activated responders
- The sssd-ad and sssd-ipa man pages now summarize differences between the generic Kerberos/LDAP back end and the specialized IPA/AD back ends
sssd-1.14.2
sssd-1_14_2 Tagging the 1.14.2 release
sssd-1.14.1
sssd-1_14_1 Tagging the 1.14.1 release
sssd-1.14.0
sssd-1_14_0 Tagging the 1.14.0 release
sssd-1.14.0.beta1
sssd-1_14_0_beta1 Tagging the 1.14 beta1 release
sssd-1.13.91
sssd-1_13_91 Tagging the 1.13.92 release
sssd-1.14.0.alpha1
sssd-1_14_0_alpha1 Tagging the 1.14 Alpha release