
Releases: SSSD/sssd

sssd-2.2.3

16 Apr 09:01
sssd-2_2_3

SSSD 2.2.3

Highlights

New features

  • allow_missing_name now treats empty strings the same as missing names.
  • The soft_ocsp and soft_crl options have been added to make the checks for revoked certificates more flexible when the system is offline.
  • Smart card authentication in polkit is now allowed by default.
  • ssh_use_certificate_matching_rules now allows the no_rules and all_rules values (see the man page for a description).

Notable bug fixes

  • Fixed several memory management errors that caused SSSD to crash under some circumstances.
  • Handling of FreeIPA users and groups containing the '@' sign now works.
  • An issue where autofs was unable to mount shares was fixed.
  • SSSD was unable to handle an ldap_uri containing URIs with different port numbers. This was fixed.

Packaging Changes

  • Added sssd-ldap-attributes man page.

Documentation Changes

  • Added the new sssd-ldap-attributes man page.
  • Added the option monitor_resolv_conf.
  • Added the option ssh_use_certificate_matching_rules.
  • Improved the AD GPO options man page.
  • Improved the sssd-systemtap man page.

See full release notes here.

sssd-2.2.2

16 Apr 09:01
sssd-2_2_2

SSSD 2.2.2

Highlights

New features

None

Notable bug fixes

  • Removing a domain from ad_enabled_domains was not reflected in SSSD's cache. This has been fixed.
  • Because of a race condition, SSSD could crash during shutdown. The race condition was fixed.
  • Fixed a bug that limited the number of external groups fetched by SSSD to 2000.
  • pam_sss now properly creates the GNOME keyring during login.
  • SSSD with KCM could wrongly pick an older ccache instead of the latest one after login. This was fixed.

Packaging Changes

None

Documentation Changes

None

See full release notes here.

sssd-2.2.1

16 Apr 09:01
sssd-2_2_1

SSSD 2.2.1

Highlights

New features

  • New options were added which allow sssd-kcm to handle bigger data. See the manual pages for max_ccaches, max_uid_ccaches and max_ccache_size.
  • SSSD can now automatically refresh cached user data from subdomains in an IPA/AD trust.

Notable bug fixes

  • Fixed an issue with SSSD hanging when connecting to a non-responsive server with ldaps://.
  • SSSD is now restarted by systemd after crashes.
  • Fixed a regression where, with dyndns_update set to True and dyndns_refresh_interval unset or set to 0, DNS records were not updated at all.
  • Fixed an issue where default_domain_suffix used together with id_provider = files caused all results from the files domain to be fully qualified.
  • Fixed an issue with sudo rules not being visible on OpenLDAP servers.
  • Fixed a crash with auth_provider = proxy that prevented logins.

Packaging Changes

None

Documentation Changes

  • A new option dns_resolver_server_timeout was added.
  • A new option max_ccaches was added.
  • A new option max_uid_ccaches was added.
  • A new option max_ccache_size was added.
  • A new option ocsp_dgst was added.

See full release notes here.

sssd-2.2.0

16 Apr 09:01

SSSD 2.2.0

Highlights

New features

  • The Kerberos provider (and composite authentication providers based on it, like AD or IPA) can now include more KDC addresses or host names when writing data for the Kerberos locator plugin (see sssd_krb5_locator_plugin(8)). This means that Kerberos client applications, such as kinit, can switch between multiple KDC servers discovered by SSSD. Please see the description of the option krb5_kdcinfo_lookahead in the sssd-krb5(5) manual page for more information or refer to the design page (#3973, #3974, #3975).
  • The 2FA prompting can now be configured. The administrator can set custom prompts for the first or second factor or select a single prompt for both factors. This can be configured per service. Please see the section called "Prompting configuration" in the sssd.conf(5) manual page for more details or refer to the design page (#3264).
  • The LDAP authentication provider now allows using a different method of changing LDAP passwords, a modify operation, in addition to the default extended operation. This is meant to support old LDAP servers that do not implement the extended operation. The password change using the modify operation can be selected with ldap_pwmodify_mode = "ldap_modify". More information can also be found in the design page (#1314).
  • The auto_private_groups configuration option now takes a new value hybrid. This mode autogenerates private groups for user entries where the UID and GID values have the same value and at the same time the GID value does not correspond to a real group entry in LDAP (#3822)
  • A new option ad_gpo_ignore_unreadable was added. This option, which defaults to false, can be used to ignore group policy containers in AD with unreadable or missing attributes. This is for the case when the server contains GPOs that have very strict permissions on their attributes in AD but are unrelated to access control (#3867).
  • The cached_auth_timeout parameter is now inherited by trusted domains (#3960). The pre-authentication request is now cached as well when this option is in effect (#3960)
  • The ldap_sasl_mech option now accepts another mechanism GSS-SPNEGO in addition to GSSAPI. Using SPNEGO might be preferable with newer Active Directory servers especially with hardened configurations. SSSD might switch to using SPNEGO by default in a future release (#4006)
  • The sssctl tool has two new commands cert-show and cert-map which can help in troubleshooting Smart-Card and in general user certificate related issues

Notable bug fixes

  • A potential race condition between SSSD receiving a notification to try switching to online mode and the network being actually reachable is now handled better. SSSD now tries to go online three times with an increasing delay between online checks up to 4s (#3467).
  • A potential deadlock in user resolution when the IPA provider fetches the keytab used to authenticate to a trusted AD domain was fixed (#3992)
  • When checking whether objects that cannot be looked up exist locally and thus should be added to a negative cache with a longer negative TTL (see local_negative_timeout in sssd.conf(5)), the blocking NSS API is no longer used. The blocking calls might have caused a timeout, especially during SSSD startup (#3963).
  • Some cache attributes used by the Kerberos ticket renewal code are now indexed, which speeds up cache searches that might otherwise have caused SSSD to appear blocked and be killed by the internal watchdog (#3968).
  • Cached objects from an Active Directory domain trusted by an IPA domain that no longer exist on the server are now properly removed from the cache (#3984)
  • The sudoRunAsUser/sudoRunAsGroup attributes now work correctly with an IPA configuration that also uses domain_resolution_order, whether set locally or centrally (#3957).
  • Certificates that are completely missing the Key Usage (KU) certificate extension are now handled gracefully (rhbz#1660899)
  • The sudo smart refresh (see man sssd-sudo) now correctly uses the highest USN number, which results in more efficient queries (#3997)
  • The pam_sss module now returns PAM_USER_UNKNOWN if the PAM socket is missing completely. This could have been the case if SSSD is running with the files domain only and a user resolved by a completely different PAM module logs in (#3988)
  • Netgroups lookups now honor the midpoint refresh interval set by cache_refresh_percent (#3947)
  • The lists of users or groups from the filter_users/filter_groups options, which are negatively cached to avoid lookups of those entries, are now correctly evaluated for domains that are discovered after sssd has started (#3983). These lists can now also include UPNs (#3978).
  • The IPA access provider no longer fails if the configuration file completely disables dereferencing by setting ldap_deref_threshold=0 (#3979).
  • The sss_cache tool no longer prints loud warnings in case the sssd cache cannot be written to; typically this occurred when /var was mounted read-only during an rpm-ostree update.
  • The command line tools such as sssctl can now operate on the implicit files domain (#3769)
  • The files and proxy provider no longer crash on receiving a request to go online, which they don't implement (#4014)
  • A potential crash in the online check callback was fixed (#3990)
  • The winbind ID-mapping plugin now works with recent Samba releases again (#4005)

Packaging Changes

None

Documentation Changes

  • A new option ad_gpo_ignore_unreadable was added
  • A new option krb5_kdcinfo_lookahead was added
  • A new option ldap_pwmodify_mode was added
  • The option ldap_sasl_mech now accepts a new value GSS-SPNEGO
  • The option auto_private_groups now accepts a new value hybrid
  • Multi-factor prompting can now be configured in a separate section called [prompting]

See full release notes here.

sssd-1.16.4

16 Apr 09:01

SSSD 1.16.4

Highlights

New Features

  • The list of PAM services which are allowed to authenticate using a Smart Card is now configurable using a new option pam_p11_allowed_services (#2926).
  • A new configuration option ad_gpo_implicit_deny was added. This option (when set to True) can be used to deny access to users even if there is no applicable GPO. Normally users are allowed access in this situation (#3701).
  • The LDAP authentication provider now allows using a different method of changing LDAP passwords, a modify operation, in addition to the default extended operation. This is meant to support old LDAP servers that do not implement the extended operation. The password change using the modify operation can be selected with ldap_pwmodify_mode = "ldap_modify" (#1314).
  • The auto_private_groups configuration option now takes a new value, hybrid. This mode autogenerates private groups for user entries where the UID and GID values are the same and at the same time the GID value does not correspond to a real group entry in LDAP (#3822).

Security issues fixed

  • CVE-2019-3811: SSSD used to return "/" in case a user entry had no home directory. This was deemed a security issue because this flaw could impact services that restrict the user's filesystem access to within their home directory. An empty home directory field would indicate "no filesystem access", where sssd reporting it as "/" would grant full access (though still confined by unix permissions, SELinux etc).

Notable bug fixes

  • The IPA provider, in a setup with a trusted Active Directory domain, did not remove cached entries that were no longer present on the AD side (#3984).
  • The Active Directory provider now fetches the user information from the LDAP port and switches to using the Global Catalog port, if available, for the group membership. This fixes an issue where some attributes which are not available in the Global Catalog, typically the home directory, would be removed from the user entry (#2474).
  • The IPA SELinux provider now sets the user login context even if it is the same as the system default. This is important in case the user has a non-standard home directory, because then only adding the user to the SELinux database ensures the home directory will be labeled properly. However, this fix causes a performance hit during the first login, as the context must be written into the semanage database.
  • The sudo responder did not reflect the case_sensitive domain option (#3820)
  • A memory leak when requesting netgroups repeatedly was fixed (#3870)
  • An issue that caused SSSD to sometimes switch to offline mode in case not all domains in the forest ran the Global Catalog service was fixed (#3902)
  • The SSH responder no longer fails completely if the p11_child times out when deriving SSH keys from a certificate (#3937)
  • The negative cache was not reloaded after new subdomains were discovered, which could have led to a high SSSD load (#3683).
  • The negative cache did not work properly in case a lookup fell back to trying a UPN instead of a name (#3978).
  • If any of the SSSD responders was too busy, that responder would not have refreshed the trusted domain list (#3967).
  • A potential crash due to a race condition between the failover code refreshing an SRV lookup and the back end using its results was fixed (#3976).
  • Sudo's runAsUser and runAsGroup attributes did not match properly when used in setups with domain_resolution_order.
  • Processing of the values from the filter_users or filter_groups options could trigger calls to blocking NSS API functions, which could in turn prevent the startup of SSSD services in case nsswitch.conf contained modules other than sss or files (#3963).

See full release notes here.

sssd-2.1.0

16 Apr 09:01

SSSD 2.1.0

Highlights

New features

  • Any provider can now match and map certificates to user identities. This feature enables logging in with a smart card without having to store the full certificate blob in the directory or in user overrides. Please see the design page for more information (#3500).
  • pam_sss can now be configured to only perform Smart Card authentication or return an error if this is not possible.
  • pam_sss can also prompt the user to insert a Smart Card if, during authentication, it is not available. SSSD would then wait for the card until it is inserted or until the timeout defined by p11_wait_for_card_timeout passes.
  • The device or reader used for Smart Card authentication can now be selected or restricted using a PKCS#11 URI (see RFC 7512) specified in the p11_uri option.
  • Multiple certificates are now supported for Smart Card authentication even if SSSD is built with OpenSSL.
  • OCSP checks were added to the OpenSSL version of certificate authentication.
  • A new option crl_file can be used to select a Certificate Revocation List (CRL) file to be used during verification of a certificate for Smart Card authentication.
  • Certificates with Elliptic Curve keys are now supported (#3887).
  • It is now possible to refresh the KCM configuration without restarting the whole SSSD daemon, just by modifying the [kcm] section of sssd.conf and running systemctl restart sssd-kcm.service.
  • A new configuration option ad_gpo_implicit_deny was added. This option (when set to True) can be used to deny access to users even if there is no applicable GPO. Normally users are allowed access in this situation (#3701).
  • The dynamic DNS update can now batch DNS updates to include all address family updates in a single transaction to reduce replication traffic in complex environments (#3829).
  • Configuration file snippets can now be used even when the main sssd.conf file does not exist. This is mostly useful to configure e.g. the KCM responder, the implicit files provider or session recording in setups that have no explicit domain (#3439).
  • The sssctl user-checks tool can now display extra attributes set with the InfoPipe user_attributes configuration option (#3866).

Security issues fixed

  • CVE-2019-3811: SSSD used to return "/" in case a user entry had no home directory. This was deemed a security issue because this flaw could impact services that restrict the user's filesystem access to within their home directory. An empty home directory field would indicate "no filesystem access", where sssd reporting it as "/" would grant full access (though still confined by unix permissions, SELinux etc).
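The reasoning behind CVE-2019-3811 (listed in both the 1.16.4 and 2.1.0 notes above) can be made concrete with a small model of a service that confines users to their home directory. This is an added example, not SSSD code: the reporting behaviour is modelled as a constructed function, and the path-containment check is the example's own, not any particular service's.

```python
"""Added example (not SSSD project code): why an empty home directory and "/"
are not equivalent for a service that confines users to their home directory,
the point behind CVE-2019-3811 in the SSSD 1.16.4 and 2.1.0 release notes."""
import posixpath


def reported_home(pw_dir, legacy_sssd=False):
    """Model of what an NSS consumer saw for a user with no home directory.

    Pre-fix SSSD (legacy_sssd=True) reported "/" instead of an empty field;
    fixed releases return the empty string. This is a constructed model of the
    behaviour described in the notes, not the real lookup.
    """
    if pw_dir == "":
        return "/" if legacy_sssd else ""
    return pw_dir


def confined_path_allowed(home, requested):
    """Return True if 'requested' lies inside the user's home directory.

    An empty home means "no filesystem access": nothing is allowed. Both paths
    are normalised so that '..' components cannot escape the home directory.
    """
    if home == "":
        return False
    home_abs = posixpath.normpath(posixpath.join("/", home))
    req_abs = posixpath.normpath(posixpath.join("/", requested))
    # A home of "/" makes the prefix "/", which every absolute path matches:
    # this is exactly how the "/" fallback granted full access.
    return req_abs == home_abs or req_abs.startswith(home_abs.rstrip("/") + "/")


def hardened_path_allowed(home, requested):
    """Same check, but also refuses to treat "/" as a usable home directory.

    A consumer that confines users should never accept the filesystem root as
    a confinement boundary, whatever the directory source reported.
    """
    if home == "" or posixpath.normpath(posixpath.join("/", home)) == "/":
        return False
    return confined_path_allowed(home, requested)
```

The naive check accepts everything for a user whose home was reported as "/", while the hardened variant denies access for both an empty field and "/".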

Notable bug fixes

  • Many fixes for the internal "sbus" IPC that was rewritten in the 2.0 release including crash on reconnection (#3821), a memory leak (#3810), a proxy provider startup crash (#3812), sudo responder crash (#3854), proxy provider authentication (#3892), accessing the extraAttributes InfoPipe property (#3906) or a potential startup failure (#3924)
  • The Active Directory provider now fetches the user information from the LDAP port and switches to using the Global Catalog port, if available, for the group membership. This fixes an issue where some attributes which are not available in the Global Catalog, typically the home directory, would be removed from the user entry (#2474).
  • Session recording can now be enabled also for local users when session recording is configured with scope=some and restricted to certain groups.
  • Smart Card authentication did not work with the KCM credentials cache because with KCM root cannot write to an arbitrary user's credential caches (#3903).
  • A KCM bug that prevented SSH Kerberos credential forwarding from functioning was fixed (#3873).
  • The KCM responder did not work with a completely empty database (#3815).
  • The sudo responder did not reflect the case_sensitive domain option (#3820).
  • The SSH responder no longer fails completely if the p11_child times out when deriving SSH keys from a certificate (#3937).
  • An issue that caused SSSD to sometimes switch to offline mode in case not all domains in the forest ran the Global Catalog service was fixed (#3902).
  • If any of the SSSD responders was too busy, that responder would not have refreshed the trusted domain list (#3967).
  • The IPA SELinux provider now sets the user login context even if it is the same as the system default. This is important in case the user has a non-standard home directory, because then only adding the user to the SELinux database ensures the home directory will be labeled properly. However, this fix causes a performance hit during the first login, as the context must be written into the semanage database.
  • A memory leak when requesting netgroups repeatedly was fixed (#3870)
  • The pysss.getgrouplist() interface that was removed by accident in the 2.0 version was re-added (#3493)
  • Crash when requesting users with the FindByNameAndCertificate D-Bus method was fixed (#3863)
  • SSSD can again run as the non-privileged sssd user (#3871)
  • The cron PAM service name used for GPO access control now defaults to a different service name depending on the OS (Launchpad #1572908)

Packaging Changes

  • The sbus code generator no longer relies on the existence of the "python" binary; the python2/3 binary is used depending on which bindings are being generated (#3807).
  • Very old libini library versions are no longer supported.

Documentation Changes

  • Two new pam_sss options, try_cert_auth and require_cert_auth, can restrict authentication to use a Smart Card only or wait for a Smart Card to be inserted.
  • A new option p11_wait_for_card_timeout controls how long SSSD waits for a Smart Card to be inserted before failing with PAM_AUTHINFO_UNAVAIL.
  • A new option p11_uri is available to restrict the device or reader used for Smart Card authentication.

See full release notes here.

sssd-2.0.0

16 Apr 09:01

SSSD 2.0.0

Highlights

This release removes or deprecates functionality from SSSD, therefore the SSSD team decided it was time to bump the major version number. The sssd-1-16 branch will still be supported (most probably even as an LTM branch) so that users who rely on any of the removed features can either migrate or ask for the features to be re-added.

Except for the removed features, this release contains a reworked internal IPC and a new default storage back end for the KCM responder.

Platform support removal

  • Starting with SSSD 2.0, upstream no longer supports RHEL-6 and its derivatives. Users of RHEL-6 are encouraged to stick with the sssd-1-16 branch.

Removed features

  • The Python API for managing users and groups in local domains (id_provider=local) was removed completely. The interface had been packaged as a module called pysss.local.
  • The LDAP provider had a special-case branch for evaluating group memberships with the RFC2307bis schema when group nesting was explicitly disabled. This code path added needless complexity for little performance gain and was rarely used.
  • The ldap_groups_use_matching_rule_in_chain and ldap_initgroups_use_matching_rule_in_chain options and the code that evaluated them were removed. Neither of these options provided a significant performance benefit, and the code implementing them was complex and rarely used.

Deprecated features

  • The local provider (id_provider=local) and the command line tools to manage users and groups in local domains, such as sss_useradd, are not built by default anymore. There is a configure-time switch --enable-local-domain you can use to re-enable the local domain support. However, upstream would like to remove the local domain completely in a future release.
  • The sssd_secrets responder is not packaged by default. The responder was meant to provide a REST API to access user secrets as well as a proxy to Custodia servers, but as Custodia development has all but stopped and the local secrets handling so far did not gain traction, we decided not to enable this code by default. This also means that the default SSSD configuration no longer requires libcurl and http-parser.

Changed default settings

  • The ldap_sudo_include_regexp option changed its default value from true to false. This means that wildcards in the sudoHost LDAP attribute are no longer supported by default. The reason we changed the default was that the wildcard was costly to evaluate on the LDAP server side and at the same time rarely used.

New features

  • The KCM responder has a new back end to store credential caches in a local database. This new back end is enabled by default and actually uses the same storage as the sssd-secrets responder had used, so the switch from sssd-secrets to this new back end should be completely seamless. The sssd-secrets socket is no longer required for KCM to operate.
  • The list of PAM services which are allowed to authenticate using a Smart Card is now configurable using a new option pam_p11_allowed_services.

Packaging Changes

  • The sss_useradd, sss_userdel, sss_usermod, sss_groupadd, sss_groupdel, sss_groupshow and sss_groupmod binaries and their manual pages are no longer packaged by default unless --enable-local-provider is selected.
  • The sssd_secrets responder is no longer packaged by default unless --enable-secrets-responder is selected.
  • The new internal IPC mechanism uses several private libraries that need to be packaged: libsss_sbus.so, libsss_sbus_sync.so, libsss_iface.so, libsss_iface_sync.so, libifp_iface.so and libifp_iface_sync.so.
  • The new KCM ccache back end relies on a private library, libsss_secrets.so, that must be packaged in case either the KCM responder or the secrets responder is enabled.

Documentation Changes

  • The ldap_groups_use_matching_rule_in_chain and ldap_initgroups_use_matching_rule_in_chain options were removed.
  • The ldap_sudo_include_regexp option changed its default value from true to false.

Known issues

  • #4802: The sbus codegen script relies on "python", which might not be available on all distributions.
  • There is a script that autogenerates code for the internal SSSD IPC. The script happens to call "python", which is not available on all distributions. Patching the sbus_generate.sh file to call e.g. python3 explicitly works around the issue.

See full release notes here.

sssd-1.16.3

16 Apr 09:01

SSSD 1.16.3

Highlights

New Features

  • The kdcinfo files that SSSD uses to inform libkrb5 about which KDCs were discovered for a Kerberos realm used to be generated only for the joined domain, not the trusted domains. Starting with this release, the kdcinfo files are also generated automatically for trusted domains in setups that use id_provider=ad and on IPA masters in a trust relationship with an AD domain.
  • The SSSD Kerberos locator plugin, which processes the kdcinfo files and actually tells libkrb5 about the available KDCs, can now process multiple addresses if SSSD generates more than one. At the moment, this feature is only used on IPA clients (see below). Please see the sssd_krb5_locator_plugin(8) manual page for more information about the Kerberos locator plugin.
  • On IPA clients, the AD DCs or the AD site which should be used to authenticate users can now be listed in a subdomain section. Please see the feature design page or the section "trusted domains configuration" for more details.

Notable bug fixes

  • SECURITY: The permissions on /var/lib/sss/pipes/sudo were set so that anyone could read anyone else's sudo rules. This was considered an information leak and assigned CVE-2018-10852 (#3766).
  • IMPORTANT: The 1.16.2 release was storing the cached passwords without a salt prefix string. This bug was fixed in this release, but any password hashes generated by 1.16.2 are incompatible with the hashes generated by 1.16.3. The effect is that the upgrade from 1.16.2 to 1.16.3 should be done while the authentication server is reachable, so that the first authentication after the upgrade fixes the cached password.
  • The sss_ssh process leaked file descriptors when converting more than one X.509 certificate to an SSH public key (#3794).
  • SSSD, when configured with id_provider=ad, was using an overly expensive LDAP search to find out whether the required POSIX attributes were replicated to the Global Catalog. Instead, SSSD now consults the Partial Attribute Set, which is much more effective (#3755).
  • The PAC responder is now able to process Domain Local groups in case the PAC uses SID compression. Typically this is the case with Windows Server 2012 and newer (#3767).
  • Some versions of OpenSSH (e.g. the one shipped in RHEL-7.5) would close the pipe towards sss_ssh_authorizedkeys when the matching key is found, before the rest of the output is read. The sss_ssh_authorizedkeys helper was not handling this behaviour well and would exit with SIGPIPE, which also meant the public key authentication failed (#3747).
  • User lookups no longer fail if a user's e-mail address conflicts with another user's fully qualified name (#3607).
  • The override_shell and override_homedir options are no longer applied to entries from the files domain (#3758).
  • Several bugs related to the FleetCommander integration were fixed (#3773, #3774).
  • Grace logins with an expired password when authenticating against certain newer versions of the 389DS/RHDS LDAP server did not work (#3597).
  • Whitespace around the netgroup triple separator is now stripped.
  • The sss_ssh_knownhostsproxy utility can now print the host key without proxying the connection.
  • Due to an overly restrictive check, the fast in-memory cache was sometimes skipped, which caused a high load on the sssd_nss process (#3776).
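A quick way to verify on a host that the sudo responder socket from the CVE-2018-10852 entry is not reachable by other users is to audit its mode bits. This is an added example, not SSSD tooling: the path comes from the release notes, while the expected owner (root) and the "owner-only" expectation are this example's assumptions, so adjust them to the packaging of your distribution.

```python
"""Added example (not SSSD project code): audit the mode bits of the SSSD sudo
responder socket mentioned under CVE-2018-10852 in the SSSD 1.16.3 notes."""
import os
import stat
import tempfile

# Path from the release notes; the expected owner and mode are assumptions
# of this example, not values taken from SSSD documentation.
SUDO_PIPE = "/var/lib/sss/pipes/sudo"
WORLD_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH
GROUP_BITS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP


def mode_findings(st_mode, owner_uid, expect_uid=0):
    """Return a list of human-readable findings for a socket/file mode.

    An empty list means the object is reachable only by its owner and is owned
    by the expected uid (root by default, an assumption of this example).
    """
    findings = []
    perm = stat.S_IMODE(st_mode)
    if st_mode & WORLD_BITS:
        findings.append("world-accessible: mode %o" % perm)
    if st_mode & GROUP_BITS:
        findings.append("group-accessible: mode %o" % perm)
    if owner_uid != expect_uid:
        findings.append("owned by uid %d, expected %d" % (owner_uid, expect_uid))
    return findings


def audit_path(path=SUDO_PIPE, expect_uid=0):
    """Stat 'path' (without following symlinks) and return its findings.

    A missing path is reported as a finding of its own rather than raising,
    so the check can run unattended on hosts where the responder is stopped.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["%s does not exist (sudo responder not running?)" % path]
    return mode_findings(st.st_mode, st.st_uid, expect_uid)


def demo_on_tempfile(mode):
    """Create a constructed temporary file with the given mode and audit it as
    if it were the sudo pipe, so the check can be exercised without SSSD."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return audit_path(path, expect_uid=os.getuid())
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for finding in audit_path() or ["%s: no findings" % SUDO_PIPE]:
        print(finding)
```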

Packaging Changes

  • The python2 bindings are not built by default on Fedora 29 or newer.
  • The sssd-secrets responder is now packaged in the sssd-kcm subpackage and might be removed in a future release.

Documentation Changes

  • sss_ssh_knownhostsproxy has a new option -k/--print.

See full release notes here.

sssd-1.16.2

16 Apr 09:01

SSSD 1.16.2

Highlights

New Features

  • The smart card authentication code, or more generally the certificate authentication code, now supports OpenSSL in addition to the previously supported NSS (#3489). In addition, the SSH responder can now return public SSH keys derived from the public keys stored in an X.509 certificate. Please refer to the ssh_use_certificate_keys option in the man pages.
  • The files provider now supports mirroring multiple passwd or group files. This enhancement makes it possible to use the SSSD files provider instead of the nss_altfiles module.

Notable bug fixes

  • A memory handling issue in the nss_ex interface was fixed. This bug would manifest in IPA environments with a trusted AD domain as a crash of the ns-slapd process, because an ns-slapd plugin loads the nss_ex interface (#3715).
  • Several fixes for the KCM daemon were merged (see #3687, #3671, #3633).
  • The ad_site override is now honored in GPO code as well (#3646)
  • Several potential crashes in the NSS responder's netgroup code were fixed (#3679, #3731)
  • A potential crash in the autofs responder's code was fixed (#3752)
  • The LDAP provider now supports group renaming (#2653)
  • The GPO access control code no longer returns an error if one of the relevant GPO rules contained no SIDs at all (#3680)
  • A memory leak in the IPA provider related to resolving external AD groups was fixed (#3719)
  • Setups that used multiple domains where one of the domains had its ID space limited using the min_id/max_id options did not resolve requests by ID properly (#3728)
  • Overriding IDs or names did not work correctly when the domain resolution order was set as well (#3595)
  • A version mismatch between certain newer Samba versions (e.g. those shipped in RHEL-7.5) and the Winbind interface provided by SSSD was fixed. To further prevent issues like this in the future, the correct interface is now detected at build time (#3741)
  • The files provider no longer returns a qualified name in case domain resolution order is used (#3743)
  • A race condition between evaluating IPA group memberships and AD group memberships in setups with IPA-AD trusts that would have manifested as randomly losing IPA group memberships assigned to an AD user was fixed (#3744)
  • Setting an SELinux login label was broken in setups where the domain resolution order was used (#3740)
  • An SSSD startup issue on systems that use the libldb library with version 1.4.0 or newer was fixed.

Packaging Changes

  • Several new build requirements were added in order to support the OpenSSL certificate authentication.

Documentation Changes

  • The files provider gained two new configuration options passwd_files and group_files. These can be used to specify the additional files to mirror.
  • A new ssh_use_certificate_keys option toggles whether the SSH responder would return public SSH keys derived from X.509 certificates.
  • The local_negative_timeout option is now enabled by default. This means that if SSSD fails to find a user in the configured domains, but is then able to find the user with an NSS call such as getpwnam, it would negatively cache the request for the duration of the local_negative_timeout option.

See full release notes here.

sssd-1.16.1

16 Apr 09:01

SSSD 1.16.1

Highlights

New Features

  • A new option auto_private_groups was added. If this option is enabled, SSSD will automatically create user private groups based on the user's UID number. The GID number is ignored in this case. Please see the design page auto_private_groups.md for more details on the feature.
  • The SSSD smart card integration now supports a special type of PAM conversation implemented by GDM which allows the user to select the appropriate smart card certificate in GDM. Please refer to the design page smartcard_multiple_certificates.md for more details about this feature.
  • A new API for accessing user and group information was added. This API is similar to the traditional Name Service Switch API, but allows the consumer to talk to SSSD directly as well as to fine-tune the query with e.g. how the cache should be evaluated. Please see the design page enhanced_nss_api.md for more information on the new API.
  • The sssctl command line tool gained a new command access-report, which can generate a report of who can access the client machine. Currently only generating the report on an IPA client based on HBAC rules is supported. Please see the design page attestation_report.md for more information about this new feature.
  • The hostid provider was moved from the IPA-specific code to the generic LDAP code. This allows SSH host keys to be accessed by the generic LDAP provider as well. See the ldap_host_* options in the sssd-ldap manual page for more details.
  • Setting the memcache_timeout option to 0 disables creating the memory cache files altogether. This can be useful in case there is a bug in the memory cache that needs working around.

Performance enhancements

  • Several internal changes to how objects are stored in the cache improve SSSD performance in environments with a large number of objects of the same type (e.g. many users, many groups). In particular, several useless indexes were removed and the most common object types no longer use the indexed objectClass attribute, but use the unindexed objectCategory instead (#3503)
  • In setups with id_provider=ad that use POSIX attributes which are replicated to the Global Catalog, SSSD uses the Global Catalog to determine which domain should be contacted for a by-ID lookup instead of iterating over all domains. More details about this feature can be found at <../../design_pages/uid_negative_global_catalog.md>

Notable bug fixes

  • A crash in sssd_nss that might have happened if the list of domains was refreshed while an NSS lookup was still using it was fixed (#3551)
  • A potential crash in sssd_nss during a netgroup lookup in case the netgroup object kept in memory was already freed was fixed (#3523)
  • Fixed a potential crash of sssd_be with two concurrent sudo refreshes in case one of them failed (#3562)
  • A memory growth issue in sssd_nss that occurred when an entry was removed from the memory cache was fixed (#3588)
  • Two potential memory growth issues in the sssd_be process that could have hit configurations with id_provider=ad were fixed (#3639)
  • The selinux_child process no longer crashes on a system where SSSD is compiled with SELinux support, but at the same time, the SELinux policy is not even installed on the machine (#3618)
  • The memory cache consistency detection logic was fixed. This would prevent printing false positive memory cache corruption messages (#3571)
  • SSSD now remembers the last successfully discovered AD site and uses it for the DNS search to look up the site and forest during the next lookup. This prevents timeouts in case SSSD was discovering the site using the global list of DCs, where some of the global DCs might be unreachable (#3265)
  • SSSD no longer starts the implicit file domain when configured with id_provider=proxy and proxy_lib_name=files. This bug prevented SSSD from being used in setups that combine identities from UNIX files together with authentication against a remote source unless a files domain was explicitly configured (#3590)
  • The IPA provider can handle switching between different ID views better (#3579)
  • Previously, the IPA provider kept SSH public keys and certificates from an ID view in its cache and returned them even if the public key or certificate was then removed from the override (#3602, #3603)
  • FleetCommander profiles coming from IPA are now applied even if they are assigned globally (to category: ALL); previously, only profiles assigned to a host or a hostgroup were applied (#3449)
  • It is now possible to reset an expired password for users with 2FA authentication enabled (#3585)
  • A bug in the AD provider which could have resulted in built-in AD groups being incorrectly cached was fixed (#3610)
  • The SSSD watchdog can now cope better with time drifts (#3285)
  • The nss_sss NSS module's return codes for invalid cases were fixed
  • A bug in the LDAP provider that prevented setups with id_provider=proxy and auth_provider=ldap with LDAP servers that do not allow anonymous binds from working was fixed (#3451)

Packaging Changes

  • The FleetCommander desktop profile path now uses stricter permissions, 751 instead of 755 (#3621)
  • A new option --logger was added to the sssd(8) binary. This option obsoletes old options such as --debug-to-files, although the old options are kept for backwards compatibility.
  • The file /etc/systemd/system/sssd.service.d/journal.conf is not installed anymore. In order to change logging to journald, please use the --logger option. The logger is set using the Environment=DEBUG_LOGGER directive in the systemd unit files. The default value is Environment=DEBUG_LOGGER=--logger=files.
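As an added example (not from the release notes), a systemd drop-in that takes the place of the removed journal.conf and switches SSSD logging to journald through the DEBUG_LOGGER variable described above. The drop-in file name override.conf is an assumption; any *.conf file in the sssd.service.d directory is picked up.

```ini
# Added example, not part of the SSSD release notes.
# File: /etc/systemd/system/sssd.service.d/override.conf (file name is an assumption)
# The packaged unit starts sssd with $DEBUG_LOGGER, which defaults to
# --logger=files; a later Environment= line in a drop-in overrides it.
[Service]
Environment=DEBUG_LOGGER=--logger=journald
```

After creating the drop-in, run systemctl daemon-reload and restart sssd. The effective value can be checked with systemctl show -p Environment sssd, and with --logger=journald the debug output appears under journalctl -u sssd instead of in /var/log/sssd/. The journald logger is only available on builds compiled with journald support; --logger=stderr and --logger=files work everywhere.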

Documentation Changes

There are no notable documentation changes, such as options changing default values, in this release.

See full release notes here.