
Releases: SSSD/sssd

sssd-2.6.0

14 Oct 10:12
2.6.0

SSSD 2.6.0 Release Notes

Highlights

General information

  • Support for the legacy JSON format for ccaches was dropped.
  • Support for the long-deprecated secrets responder was dropped.
  • Support for the long-deprecated local provider was dropped.
  • This release drops support for the --with-unicode-lib configure option. libunistring is now used unconditionally for Unicode processing.
  • This release removes pcre1 support. pcre2 is used unconditionally.
  • p11_child no longer stops at the first empty slot when searching for tokens.
  • A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access. The highest threat from this vulnerability is to confidentiality and integrity, as well as system availability. The fix replaces system() with execvp().
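To show the difference behind the sssctl fix described above, the following is an added example; it is not SSSD code and does not reproduce sssctl. It runs `echo` with a constructed argument containing shell metacharacters in two ways: once by splicing it into a command string handed to the shell (popen() is used instead of system() only so the output can be captured; both invoke `/bin/sh -c`), and once through fork() plus execvp() with an explicit argv. The helper names and the argument string are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed, untrusted argument (assumption for illustration): a value
 * taken from the command line that happens to contain shell metacharacters. */
const char *UNTRUSTED_ARG = "hello; echo INJECTED";

/* Pattern the release note describes as the flaw: the argument is spliced
 * into a command string and interpreted by /bin/sh. Returns bytes captured. */
size_t run_via_shell(const char *arg, char *out, size_t outlen)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "echo %s", arg);
    FILE *fp = popen(cmd, "r");          /* like system(), goes through sh -c */
    if (fp == NULL) return 0;
    size_t n = fread(out, 1, outlen - 1, fp);
    out[n] = '\0';
    pclose(fp);
    return n;
}

/* Hardened pattern: fork, then execvp() with an explicit argv. No shell is
 * involved, so the argument reaches the program as one literal token. */
size_t run_via_execvp(const char *arg, char *out, size_t outlen)
{
    int pfd[2];
    if (pipe(pfd) != 0) return 0;
    pid_t pid = fork();
    if (pid < 0) { close(pfd[0]); close(pfd[1]); return 0; }
    if (pid == 0) {
        dup2(pfd[1], STDOUT_FILENO);
        close(pfd[0]); close(pfd[1]);
        char *argv[] = { "echo", (char *)arg, NULL };
        execvp(argv[0], argv);
        _exit(127);                      /* only reached if exec fails */
    }
    close(pfd[1]);
    size_t n = 0;
    ssize_t r;
    while (n < outlen - 1 && (r = read(pfd[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(pfd[0]);
    waitpid(pid, NULL, 0);
    return n;
}

/* Count newline-terminated lines in captured output. */
int count_lines(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++)
        if (*s == '\n') n++;
    return n;
}

/* Returns 1 if the shell path ran a second command (two output lines). */
int shell_path_was_interpreted(void)
{
    char buf[256];
    if (run_via_shell(UNTRUSTED_ARG, buf, sizeof buf) == 0) return 0;
    return count_lines(buf) == 2 && strstr(buf, "INJECTED\n") != NULL;
}

/* Returns 1 if the execvp path echoed the argument verbatim as one line. */
int execvp_path_is_literal(void)
{
    char buf[256];
    if (run_via_execvp(UNTRUSTED_ARG, buf, sizeof buf) == 0) return 0;
    return count_lines(buf) == 1 && strcmp(buf, "hello; echo INJECTED\n") == 0;
}

int main(void)
{
    char buf[256];
    run_via_shell(UNTRUSTED_ARG, buf, sizeof buf);
    printf("via shell:\n%s", buf);
    run_via_execvp(UNTRUSTED_ARG, buf, sizeof buf);
    printf("via execvp:\n%s", buf);
    return 0;
}
```

The shell path prints two lines because `;` ends the first command; the execvp path prints one line containing the metacharacters verbatim. The same principle applies to any value taken from the command line and passed on to another program: with execvp() and an argv array there is no shell to quote for, which is why it is the safer default when a helper needs to be spawned with operator-controlled input.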

New features

  • Basic support for a user's 'subuid and subgid ranges' for the IPA provider, and the corresponding plugin for shadow-utils, were introduced. Limitations:
    - single subid interval pair (subuid+subgid) per user
    - idviews aren't supported
    - only forward lookup (user -> subid ranges)
    Note that this is an MVP of an experimental feature; significant changes might be required later, after initial feedback. Corresponding support in shadow-utils was merged upstream, but since there is no upstream release available yet, the SSSD feature isn't built by default. The build can be enabled with the --with-subid configure option. The plugin's install path can be configured with --with-subid-lib-path= (${libdir} by default).

Important fixes

  • KCM now replaces the old credential with the new one when storing an updated credential that is already present in the ccache, to avoid unnecessary growth of the ccache.
  • Improved the MPG search filter to be more reliable with id-overrides and the new auto_private_groups options.
  • Even if the forest root is disabled for lookups, all required internal data is initialized so that the list of trusted domains in the forest can be refreshed from a DC of the forest root.
  • ccache files are created with the right ownership during offline Smartcard authentication.
  • The AD ping is now sent over LDAP if CLDAP support is not available at build time. This helps to build SSSD on distributions without CLDAP support in libldap.
  • CVE-2021-3621

Configuration changes

  • The new IPA provider option ipa_subid_ranges_search_base allows configuration of the search base for users' subid ranges. Default: cn=subids,%basedn

See full release notes here.

sssd-2.5.2

12 Jul 19:33
2.5.2

sssd 2.5.2 Release Notes

Highlights

General information

  • originalADgidNumber attribute in the SSSD cache is now indexed

New features

  • Debug messages in data provider include a unique request ID that can be used to track the request from its start to its end (requires libtevent >= 0.11.0)

Important fixes

  • Update large files in the files provider in batches to avoid timeouts

Configuration changes

  • Add new config option fallback_to_nss

See full release notes here.

sssd-2.5.1

08 Jun 10:49
2.5.1

sssd 2.5.1 Release Notes

Highlights

New features

  • The auto_private_groups option can be set centrally through the ID range setting in IPA (see the ipa idrange command family). This feature requires an SSSD update on both client and server, and requires freeipa 4.9.4 or newer.

Important fixes

  • Fix getsidbyname issues with IPA users with a user-private-group

Configuration changes

  • The default value of ldap_sudo_random_offset changed to 0 (disabled). This makes sure that sudo rules are available as soon as possible after SSSD start in the default configuration.

See full release notes here.

sssd-2.5.0

10 May 13:36
2.5.0

SSSD 2.5.0 Release Notes

Highlights

General information

  • secrets support is deprecated and will be removed in one of the next versions of SSSD.
  • local-provider is deprecated and will be removed in one of the next versions of SSSD.
  • SSSD's implementation of libwbclient was removed as incompatible with modern versions of Samba.
  • This release deprecates pcre1 support. This support will be removed completely in following releases.
  • A home directory from a dedicated user override, either local or centrally managed by IPA, has higher precedence than the override_homedir option.
  • The debug-to-files and debug-to-stderr command line options and the undocumented debug_to_files config option were removed.

New features

  • Added support for automatic renewal of renewable TGTs that are stored in the KCM ccache. This can be enabled by setting tgt_renewal = true. See the sssd-kcm man page for more details. This feature requires MIT Kerberos krb5-1.19-0.beta2.3 or higher.
  • Background sudo periodic tasks (smart and full refresh) periods are now extended by a random offset to spread the load on the server in environments with many clients. The random offset can be changed with ldap_sudo_random_offset.
  • Completing a sudo full refresh now postpones the smart refresh by the ldap_sudo_smart_refresh_interval value. This ensures that the smart refresh is not run too soon after a successful full refresh.
  • If debug_backtrace_enabled is set to true, then on any error all prior debug messages (up to some limit) are printed even if debug_level is set to a low value (for details see the debug_backtrace_enabled description in man sssd.conf).
  • Besides trusted domains known by the forest root, trusted domains known by the local domain are used as well.
  • New configuration option offline_timeout_random_offset controls the random factor in the backend probing interval when SSSD is in offline mode.

Important fixes

  • ad_gpo_implicit_deny is now respected even if there are no applicable GPOs present.
  • During the IPA subdomains request, a failure in reading a single specific configuration option is not considered fatal and the request continues.
  • Unknown IPA id-range types are not considered an error.
  • The SSSD spec file %postun no longer tries to restart services that cannot be restarted directly, which produced systemd warnings.

Configuration changes

  • Added tgt_renewal, tgt_renewal_inherit, and krb5_* KCM options to enable and tune the behavior of the new KCM renewal feature.
  • Added ldap_sudo_random_offset (default 30) to add a random offset to background sudo periodic tasks (smart and full refresh).
  • Introduced the new option 'debug_backtrace_enabled' to control the debug backtrace.
  • Added the offline_timeout_random_offset configuration option to control the maximum size of the random offset added to the offline timeout SSSD backend probing interval.
  • The long-deprecated and undocumented debug_to_files option was removed.

See full release notes here.

sssd-2.4.2

19 Feb 16:06
2.4.2

SSSD 2.4.2 Release Notes

Highlights

General information

  • The default value of the 'user' config option was brought into accordance with the man page, i.e. the default is 'root'.
  • Example systemd service configs now make use of the CapabilityBoundingSet option as a security hardening measure.

New features

  • pam_sss_gss now supports authentication indicators to further harden authentication.

Configuration changes

  • Added pam_gssapi_indicators_map to configure authentication indicator requirements.

See full release notes here.

sssd-2.4.1

05 Feb 12:43
2.4.1

SSSD 2.4.1 Release Notes

Highlights

General information

  • SYSLOG_IDENTIFIER was renamed to SSSD_PRG_NAME in journald output, to avoid issues with PID parsing in rsyslog (BSD-style forwarder) output.

New features

  • New PAM module pam_sss_gss for authentication using GSSAPI.
  • case_sensitive=Preserving can now be set for trusted domains with the AD provider.
  • case_sensitive=Preserving can now be set for trusted domains with the IPA provider. However, the option needs to be set to Preserving on both the client and the server for it to take effect.
  • The case_sensitive option can now be inherited by subdomains.
  • case_sensitive can now be set separately for each subdomain in the [domain/parent/subdomain] section.
  • krb5_use_subdomain_realm=True can now be used when sub-domain user principal names have upnSuffixes which are not known in the parent domain. SSSD will try to send the Kerberos request directly to a KDC of the sub-domain.

Important fixes

  • krb5_child uses the proper umask for DIR type ccaches.
  • Fixed a memory leak in the simple access provider.
  • KCM performance has improved dramatically for cases where a large number of credentials are stored in the ccache.

Packaging changes

  • Added pam_sss_gss.so PAM module and pam_sss_gss.8 manual page

Configuration changes

  • The new default value of debug_level is 0x0070.
  • Added pam_gssapi_check_upn to enforce authentication only with a principal that can be associated with the target user.
  • Added pam_gssapi_services to list PAM services that can authenticate using GSSAPI.

See full release notes here.

sssd-2.4.0

12 Oct 10:44
sssd-2_4_0

SSSD 2.4.0

Highlights

  • libnss support was dropped; SSSD now supports only OpenSSL cryptography.

New features

  • Session recording can now exclude specific users or groups when scope is set to all (see the exclude_users and exclude_groups options).
  • The Active Directory provider now sends CLDAP pings over UDP to Domain Controllers in parallel to determine the site and forest, which speeds up server discovery.

Packaging changes

  • python2 bindings are disabled by default; use --with-python2-bindings to build them.

Documentation Changes

  • The default value of client_idle_timeout changed from 60 to 300 seconds for KCM; this allows more time for user interaction (e.g. during kinit).
  • Added the exclude_users and exclude_groups options to the session_recording section; these allow excluding users or groups from session recording when scope is set to all.
  • Added the ldap_library_debug_level option to enable debug messages from libldap.
  • Added dyndns_auth_ptr to set the authentication mechanism for PTR DNS record updates.
  • Added ad_allow_remote_domain_local_groups for compatibility with other solutions.

See full release notes here.

sssd-2.3.1

24 Jul 12:13
sssd-2_3_1

SSSD 2.3.1

Highlights

New features

  • Domains can now be explicitly enabled or disabled using the enable option in
    the domain section. This is especially useful in configuration snippets.
  • New configuration options memcache_size_passwd, memcache_size_group and
    memcache_size_initgroups can be used to control the memory cache size.

Notable bug fixes

  • Fixed several regressions in GPO processing introduced in sssd-2.3.0.
  • Fixed a regression in the PAM responder: failures in cache-only lookups are no longer considered fatal.
  • Fixed a regression in the proxy provider: pwfield=x is now the default value only for the sssd-shadowutils target.

Packaging changes

  • libwbclient is now deprecated and is not built by default (use --with-libwbclient to build it).

Documentation Changes

  • Added option memcache_size_passwd
  • Added option memcache_size_group
  • Added option memcache_size_initgroups
  • Added option enable in domain sections
  • Minor text improvements

See full release notes here.

sssd-2.3.0

19 May 11:21
sssd-2_3_0

SSSD 2.3.0

Highlights

New features

  • SSSD can now handle the hosts and networks nsswitch databases (see the resolver_provider option).
  • By default, an authentication request only refreshes the user's initgroups if they have expired or there is no active session for the user (see the pam_initgroups_scheme option).
  • OpenSSL is used as the default crypto provider; NSS is deprecated.
  • The Active Directory provider now defaults to the GSS-SPNEGO SASL mechanism (see the ldap_sasl_mech option).
  • The Active Directory provider can now be configured to use only the ldaps port (see the ad_use_ldaps option).
  • SSSD now accepts host entries from a GPO's security filter.
  • The format of debug messages has changed to be shorter and better sortable.
  • A new debug level (0x10000) was added for low-level ldb messages only (see the sssd.conf man page).

Packaging changes

  • New configure option --enable-gss-spnego-for-zero-maxssf

Documentation Changes

  • The default value of ldap_sasl_mech has changed to GSS-SPNEGO for the AD provider.
  • The return codes of pam_sss.so are documented in the pam_sss man page.
  • Added option ad_update_samba_machine_account_password
  • Added option ad_use_ldaps
  • Added option ldap_iphost_object_class
  • Added option ldap_iphost_name
  • Added option ldap_iphost_number
  • Added option ldap_ipnetwork_object_class
  • Added option ldap_ipnetwork_name
  • Added option ldap_ipnetwork_number
  • Added option ldap_iphost_search_base
  • Added option ldap_ipnetwork_search_base
  • Added option ldap_connection_expire_offset
  • Added option ldap_sasl_maxssf
  • Added option pam_initgroups_scheme
  • Added option entry_cache_resolver_timeout
  • Added option entry_cache_computer_timeout
  • Added option resolver_provider
  • Added option proxy_resolver_lib_name
  • Minor text improvements

See full release notes here.

sssd-1.16.5

16 Apr 09:01
sssd-1_16_5

SSSD 1.16.5

Highlights

New Features

  • A new option ad_gpo_ignore_unreadable was added that allows SSSD to ignore unreadable GPO containers in AD.
  • It is possible to configure auto_private_groups per subdomain or with subdomain_inherit.

Security issues fixed

  • A flaw was found in the sssd Group Policy Objects implementation. When a GPO is not readable by SSSD due to too strict permission settings on the server side, SSSD allows all authenticated users to log in instead of denying access. (CVE-2018-16838)

Notable bug fixes

  • Multiple URIs specified in ldap_uri did not work properly if they differed only in port number.
  • Several issues with SUDO rule processing have been fixed.
  • SSSD sometimes incorrectly started in offline mode. This was fixed.
  • An issue with missing nested groups after an add/remove operation on the server was fixed.
  • A use-after-free error causing the SSSD service to crash was fixed.

See full release notes here.