
Releases: SSSD/sssd

sssd-2.10.0

15 Oct 10:31
2.10.0

SSSD 2.10.0 Release Notes

Highlights

General information

  • IMPORTANT note for downstream maintainers!

    This release features significant improvements to the "running with less
    privileges (under an unprivileged service user)" feature. There is still a
    ./configure option --with-sssd-user= available that allows downstream
    package maintainers to choose whether support for a non-root service user
    should be built. If such support is built, the preferred way to configure
    the service user is simply to start SSSD under this user; for example, using
    the User=/Group= options of the systemd sssd.service file. Upstream defaults
    are to build --with-sssd-user=sssd and to install the systemd service with
    User=/Group=sssd. In this case, only a few helper processes -
    ldap_child, krb5_child and selinux_child - are executed with
    elevated capabilities (which are now granted using fine-grained file
    capabilities instead of the SUID bit). All other SSSD components run without
    any capabilities. In this scenario it is still possible to re-configure SSSD
    to run under root (if needed for some reason): besides changing the
    User=/Group= options, some other tweaks to the systemd service files are
    required.

    A legacy method of configuring the service user - the sssd.conf user
    option - is now deprecated and its support isn't built by default. It can be
    enabled using the --with-conf-service-user-support ./configure option if
    needed (for example, due to backward compatibility requirements of stable
    releases).

    Further, no matter whether SSSD is built --with-sssd-user=sssd or
    --with-sssd-user=root, when it is configured to run under root (in both
    cases) it still runs without capabilities, the same way as when it is
    configured to run under the sssd user. The only difference is from the DAC
    perspective.

    Important note: the owner of the /etc/sssd/sssd.conf file (and snippets)
    should match the user configured to start the SSSD service. The upstream spec
    file and service files change the ownership of an existing sssd.conf to sssd
    during package installation and at runtime, for seamless upgrades / the
    transition period only.

    Additionally, this release fixes a large number of issues with the "socket
    activation of responders" feature, making it operable out of the box when
    the package is built --with-sssd-user=sssd. Please note that the user
    configured to run the main sssd.service and the socket-activated responders
    (if used) should match (i.e. if sssd.service is re-configured from the
    upstream default to root, then the responder services should also be
    re-configured).

    Downstream package maintainers are advised to carefully inspect the changes
    in contrib/sssd.spec.in, src/sysv/systemd/* and the ./configure options
    that this release brings!

  • The sssctl cache-upgrade command was removed. SSSD performs automatic
    upgrades at startup when needed.

  • Support for the enumeration feature (i.e. the ability to list all
    users/groups using getent passwd/group without an argument) for the AD/IPA
    providers is deprecated and might be removed in future releases. Those who
    wish to keep using it for a while should configure its build explicitly
    using the --with-extended-enumeration-support ./configure option.

  • A number of minor glitches in sssd-2.10.0-beta1 around building and
    packaging were fixed.
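The "IMPORTANT note" above asks that the owner of sssd.conf and the User= of
the socket-activated responder units match the user that starts sssd.service.
The script below is an added example, not SSSD's own tooling: it reads User=
from systemd unit files, compares the main unit's user with the owner of
sssd.conf and with the responder units, and lists file capabilities on the
helper binaries; the unit names, the libexec directory and the demo input are
assumptions.

```shell
#!/bin/sh
# Added example, not SSSD's own code: consistency checks for the 2.10.0
# "IMPORTANT note" above. They read User= from systemd unit files, compare the
# main unit's user with the owner of sssd.conf and with the socket-activated
# responder units, and list file capabilities on helper binaries. Every path
# and file name used here is an assumption for illustration.

# Print the effective User= of a unit file (last assignment wins, as in
# systemd); print root, systemd's default, when the unit has no User= line.
unit_user() {
    u=$(sed -n 's/^User=[[:space:]]*//p' "$1" | tail -n 1)
    printf '%s\n' "${u:-root}"
}

# Succeed when the owner of sssd.conf matches the user that starts sssd.service
# ($1 = path to sssd.conf, $2 = path to sssd.service).
check_conf_owner() {
    [ "$(stat -c '%U' "$1")" = "$(unit_user "$2")" ]
}

# Succeed when every responder unit runs as the same user as the main unit
# ($1 = sssd.service, remaining arguments = socket-activated responder units).
check_responders_match() {
    want=$(unit_user "$1"); shift
    for unit in "$@"; do
        got=$(unit_user "$unit")
        if [ "$got" != "$want" ]; then
            echo "mismatch: $unit runs as $got, sssd.service runs as $want" >&2
            return 1
        fi
    done
}

# List helpers carrying file capabilities; needs getcap from libcap.
# $1 = SSSD libexec directory, e.g. /usr/libexec/sssd (assumed location).
helper_caps() {
    command -v getcap >/dev/null 2>&1 || { echo "getcap not installed" >&2; return 2; }
    getcap -r "$1" 2>/dev/null
}

# Constructed demo input: main unit and nss responder run as sssd, the pam
# responder was left without User= and so still runs as root.
demo=$(mktemp -d)
printf '[Service]\nUser=sssd\nGroup=sssd\n' > "$demo/sssd.service"
printf '[Service]\nUser=sssd\n' > "$demo/sssd-nss.service"
printf '[Service]\n' > "$demo/sssd-pam.service"
if check_responders_match "$demo/sssd.service" "$demo/sssd-nss.service" "$demo/sssd-pam.service"; then
    echo "responder units consistent with sssd.service"
else
    echo "re-configure the responder units' User=/Group= to match sssd.service"
fi
rm -rf "$demo"
```

On a real host, point the checks at /etc/sssd/sssd.conf and the installed units (including any drop-ins under /etc/systemd/system) and run helper_caps against the directory holding ldap_child, krb5_child and selinux_child.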

New features

  • The new tool sss_ssh_knownhosts can be used with ssh's
    KnownHostsCommand configuration option to retrieve the host's public keys
    from a remote server (FreeIPA, LDAP, etc.). This new tool, which is more
    reliable, replaces sss_ssh_knownhostsproxy. The latter is no longer built
    by default, but its build can be forced with the ./configure option
    --with-ssh-known-hosts-proxy.

Packaging changes

  • Building SSSD now unconditionally requires availability of ucred/SO_PEERCRED
    to enforce certain security checks at runtime (see man 7 unix for details).

  • SSSD now requires libini v1.3 or newer.

  • The explicit --with-semanage ./configure switch was removed; going forward,
    --with-selinux includes it.

  • The sssd_pam binary lost its public rx bits and got the cap_dac_read_search=p
    file capability to be able to use GSSAPI.

  • Support for OpenSSL older than 1.0.1 was dropped.

  • Support for the --without-infopipe ./configure option was dropped. The
    feature has long been out of its experimental state. Since building it does
    not require any additional dependencies, there is not much sense in keeping
    the option available. Those not interested in the feature can skip
    installing the sssd-ifp sub-package.

Configuration changes

  • Default ldap_id_use_start_tls value changed from false to true for
    improved security.

  • Added an ldap_use_ppolicy option for backends with broken ppolicy extension
    handling.

  • The obsolete config_file_version option was removed.

  • The reconnection_retries option was removed since it is no longer used. SSSD
    switched to a new architecture for internal IPC between SSSD processes, in
    which responders no longer connect to the backend, so this option is no
    longer needed.

See full release notes here.

sssd-2.10.0-beta2

26 Jun 09:40
2.10.0-beta2
Pre-release

SSSD sssd-2.10.0~beta2 Release Notes

Highlights

General information

  • A number of minor glitches in sssd-2.10.0-beta1 around building and packaging were fixed.

Packaging changes

  • The sssd_pam binary lost its public rx bits and got the cap_dac_read_search=p file capability to be able to use GSSAPI.

See full release notes here.

sssd-2.10.0-beta1

06 Jun 12:10
2.10.0-beta1
Pre-release

SSSD 2.10-beta1 Release Notes

Highlights

General information

  • IMPORTANT note for downstream maintainers!

    This release features significant improvements to the "running with less privileges (under an unprivileged service user)" feature. There is still a ./configure option --with-sssd-user= available that allows downstream package maintainers to choose whether support for a non-root service user should be built. If such support is built, the preferred way to configure the service user is simply to start SSSD under this user; for example, using the User=/Group= options of the systemd sssd.service file. Upstream defaults are to build --with-sssd-user=sssd and to install the systemd service with User=/Group=sssd. In this case, only a few helper processes - ldap_child, krb5_child and selinux_child - are executed with elevated capabilities (which are now granted using fine-grained file capabilities instead of the SUID bit). All other SSSD components run without any capabilities. In this scenario it is still possible to re-configure SSSD to run under root (if needed for some reason): besides changing the User=/Group= options, some other tweaks to the systemd service files are required.

    A legacy method of configuring the service user - the sssd.conf user option - is now deprecated and its support isn't built by default. It can be enabled using the --with-conf-service-user-support ./configure option if needed (for example, due to backward compatibility requirements of stable releases).

    Further, no matter whether SSSD is built --with-sssd-user=sssd or --with-sssd-user=root, when it is configured to run under root (in both cases) it still runs without capabilities, the same way as when it is configured to run under the sssd user. The only difference is from the DAC perspective.

    Important note: the owner of the /etc/sssd/sssd.conf file (and snippets) should match the user configured to start the SSSD service. The upstream spec file changes the ownership of an existing sssd.conf to sssd during package installation for seamless upgrades.

    Additionally, this release fixes a large number of issues with the "socket activation of responders" feature, making it operable out of the box when the package is built --with-sssd-user=sssd. Please note that the user configured to run the main sssd.service and the socket-activated responders (if used) should match (i.e. if sssd.service is re-configured from the upstream default to root, then the responder services should also be re-configured).

    Downstream package maintainers are advised to carefully inspect the changes in contrib/sssd.spec.in, src/sysv/systemd/* and the ./configure options that this release brings!

  • The sssctl cache-upgrade command was removed. SSSD performs automatic upgrades at startup when needed.

  • Support for the enumeration feature (i.e. the ability to list all users/groups using getent passwd/group without an argument) for the AD/IPA providers is deprecated and might be removed in future releases. Those who wish to keep using it for a while should configure its build explicitly using the --with-extended-enumeration-support ./configure option.

New features

  • The new tool sss_ssh_knownhosts can be used with ssh's KnownHostsCommand configuration option to retrieve the host's public keys from a remote server (FreeIPA, LDAP, etc.). This new tool, which is more reliable, replaces sss_ssh_knownhostsproxy. Please consider switching to the new tool, as the old one will be removed.

Packaging changes

  • Building SSSD now unconditionally requires availability of ucred/SO_PEERCRED to enforce certain security checks at runtime (see man 7 unix for details).
  • SSSD now requires libini v1.3 or newer.
  • The explicit --with-semanage ./configure switch was removed; going forward, --with-selinux includes it.

Configuration changes

  • The default ldap_id_use_start_tls value changed from false to true for improved security.
  • Added an ldap_use_ppolicy option for backends with broken ppolicy extension handling.
  • The obsolete config_file_version option was removed.

See full release notes here.

sssd-2.9.5

16 May 11:48
2.9.5

SSSD 2.9.5 Release Notes

Highlights

Security

Configuration changes

  • Added the failover_primary_timeout configuration option. This can be used to configure how often SSSD tries to reconnect to a primary server after a successful connection to a backup server. This was previously hardcoded to 31 seconds, which is kept as the default value.

See full release notes here.

sssd-2.9.4

12 Jan 12:58
2.9.4

SSSD 2.9.4 Release Notes

Highlights

Important fixes

  • Fixes a crash when PAM passkey processing incorrectly handles non-passkey data.
  • A workaround was implemented to gracefully handle misbehaving applications that destroy the internal state of the SSSD client libraries. A particular example of such an application is described in TigerVNC/tigervnc#1709.
  • An error when rotating KCM's logs was fixed. When KCM's logs were rotated by logrotate, KCM would still use the old file (renamed sssd_kcm.log.1). Only after KCM was restarted (either manually or automatically) would the new log file be used. This problem is now solved and KCM uses the new file immediately.
  • Fixed group membership handling when members come from different forest domains and using LDAP token groups is prohibited.
  • The files provider was erroneously taking the local_auth_policy config option into consideration, thus breaking smartcard authentication of local users in setups that didn't explicitly specify this option. This is now fixed.

See full release notes here.

sssd-2.9.3

13 Nov 12:29
2.9.3

SSSD 2.9.3 Release Notes

Highlights

General information

  • The proxy provider is now able to handle certificate mapping and matching rules, and users handled by the proxy provider can be configured for local Smartcard authentication. Besides the mapping rule, local Smartcard authentication should be enabled with the 'local_auth_policy' option in the backend and with 'pam_cert_auth' in the PAM responder.

Important fixes

  • Passkey authentication no longer fails when using FreeIPA server-side authentication and require-user-verification=false.

New features

  • When adding a new credential to KCM and the user has already reached their limit, the oldest expired credential will be removed to free some space. If no expired credential is found to remove, the operation will fail, as it did in previous versions.

See full release notes here.

sssd-2.9.2

07 Sep 11:28
2.9.2

SSSD 2.9.2 Release Notes

Highlights

SSSD 2.9 branch is now in long-term maintenance (LTM) phase.

General information

  • libkrb5-1.21 can now be used to build the PAC plugin.
  • sssctl cert-show and sssctl cert-eval-rule can now be run as a non-root user.

Important fixes

  • SSSD no longer crashes if a PIN is entered but the tactile trigger isn't pressed during passkey authentication.
  • SSSD can now recover if memory-cache files under /var/lib/sss/mc were truncated while SSSD is running.
  • Chaining of identical D-Bus requests that run in parallel, to avoid multiple backend queries, works again.

Configuration changes

  • A new option local_auth_policy is added to control which offline authentication methods will be enabled by SSSD. This option is relevant for authentication methods which have both online and offline capability, such as passkey and smartcard authentication. The default value match sets the offline methods to their corresponding online value. This enables offline authentication when online Kerberos pre-authentication such as PKINIT or passkey is supported by the backend; note that online methods will still be attempted first. The value only can be used to disable online authentication entirely, or the value enable:method to explicitly enable specific authentication methods, e.g. enable:passkey.

See full release notes here.

sssd-2.9.1

23 Jun 14:25
2.9.1

SSSD 2.9.1 Release Notes

Highlights

New features

  • Passkey: added option to write key mapping data to file.

Important fixes

  • A regression was fixed that prevented autofs lookups from functioning correctly when cache_first is set to True. Since this was set as the new default value in sssd-2.9.0, it is considered a regression.
  • A regression where SSSD failed to properly watch for changes in '/etc/resolv.conf' when it was a symbolic link or a relative path was fixed.

See full release notes here.

sssd-2.9.0

05 May 10:04
2.9.0

SSSD 2.9.0 Release Notes

Highlights

General information

  • The sss_simpleifp library is deprecated and might be removed in future releases. Those who wish to keep using it for a while should configure its build explicitly using the --with-libsifp ./configure option.
  • The "Files provider" (i.e. id_provider = files) is deprecated and might be removed in future releases. Those who wish to keep using it for a while should configure its build explicitly using the --with-files-provider ./configure option, or consider using the "Proxy provider" with proxy_lib_name = files instead.
  • The previously deprecated --enable-files-domain configure option, which was used to manage the default value of the enable_files_domain config option, is now removed.
  • The long-unused '--enable-all-experimental-features' configure option was removed.
  • SSSD will no longer warn about changed defaults when using ldap_schema = rfc2307 and the default autofs mapping. This warning was introduced in 1.14 to loudly warn about different default values.

New features

  • New passkey functionality, which allows the use of FIDO2-compliant devices to authenticate a centrally managed user locally. Moreover, in the case of a FreeIPA user, it can also obtain a Kerberos ticket automatically with the upcoming FreeIPA version 4.11.
  • Added support for ldapi:// URLs to allow connections to local LDAP servers.
  • NSS IDMAP has two new methods: getsidbyusername and getsidbygroupname.

Note: support for passkey is in its initial phase and the authentication policy will be adjusted in future versions.

Packaging changes for passkey

  • Include passkey subpackage and dependency for libfido2.

Configuration changes for passkey

  • New options to enable and tune passkey behavior: pam_passkey_auth, ldap_user_passkey, passkey_verification, passkey_child_timeout, interactive, interactive_prompt, touch and touch_prompt.
  • --with-passkey is a new configuration option to enable building passkey authentication.

Important fixes

  • A regression where running sss_cache with no SSSD domain enabled would produce a syslog critical message was fixed.

Configuration changes

  • Default value of cache_first option was changed to true in case SSSD is built without files provider.
  • ipa_access_order parameter introduced. It behaves much like ldap_access_order but affects IPA domains (id_provider = ipa) and accepts limited values. Please see sssd-ipa(5) for more information.

See full release notes here.

sssd-2.8.2

09 Dec 13:07
2.8.2

SSSD 2.8.2 Release Notes

Highlights

General information

  • SSSD can be configured not to perform a DNS search during DNS name resolution. This behavior is governed by the new dns_resolver_use_search_list option, which can be used in the domain section. The default value is true, which means that SSSD follows the system settings.
  • The --enable-files-domain configure option is deprecated and will be removed in one of the next versions of SSSD.
  • The sssctl analyze tool no longer requires being run as root.

New features

  • New mapping templates for serial number, subject key id, SID, certificate hashes and DN components were added to libsss_certmap.

See full release notes here.