sssd-1.14.0.alpha1

sssd-1_14_0_alpha1

Tagging the 1.14 Alpha release

sssd-1.13.90

sssd-1_13_90

Tagging the 1.14 alpha release

sssd-1.13.4

SSSD 1.13.4

Highlights

• The IPA sudo provider was reimplemented. The new version reads the data from IPA's LDAP tree (as opposed to the compat tree populated by the slapi-nis plugin that was used previously). The benefit is that deployments which don't require the compat tree for other purposes, such as support for non-SSSD clients can disable those autogenerated LDAP trees to conserve resources that slapi-nis otherwise requires. There should be no visible changes to the end user.
• SSSD now has the ability to renew the machine credentials (keytabs) when the ad provider is used. Please note that a recent version of the adcli (0.8 or newer) package is required for this feature to work.
• The automatic ID mapping feature was improved so that the administrator is no longer required to manually set the range size in case a RID in the AD domain is larger than the default range size
• A potential infinite loop in the NFS ID mapping plugin that was resulting in an excessive memory usage was fixed
• Clients that are pinned to a particular AD site using the ad_site option no longer communicate with DCs outside that site during service discovery.
• The IPA identity provider is now able to resolve external (typically coming from a trusted AD forest) group members during get-group-information requests. Please note that resolving external group memberships for AD users during the initgroup requests used to work even prior to this update. This feature is mostly useful for cases where an IPA client is using the compat tree to resolve AD trust users.
• The IPA ID views feature now works correctly even for deployments without a trust relationship. Previously, the subdomains IPA provider failed to read the views data if no master domain record was created on the IPA server during trust establishment.
• A race condition in the client libraries between the SSSD closing the socket as idle and the client application using the socket was fixed. This bug manifested with a Broken Pipe error message on the client.
• SSSD is now able to resolve users with the same usernames in different OUs of an AD domain
• The smartcard authentication now works properly with gnome-screensaver

Packaging Changes

• The krb5.include.d directory is now owned by the sssd user and packaged in the krb5-common subpackage

Documentation Changes

• A new option ldap_idmap_helper_table_size was added. This option can help tune allocation of new ID mapping slices for AD domains with a high RID values. Most deployments can use the default value of this option.
• Several PAM services were added to the lists that are used to map Windows logon services to GNU/Linux PAM services. The newly added PAM services include login managers (lightdm, lxdm, sddm and xdm) as well as the cockpit service.
• The AD machine credentials renewal task can be fine-tuned using the ad_machine_account_password_renewal_opts to change the initial delay and period of the credentials renewal task. In addition, the new ad_maximum_machine_account_password_age option allows the administrator to select how old the machine credential must be before trying to renew it.
• The administrator can use the new option pam_account_locked_message to set a custom informational message when the account logging in is locked.

See full release notes here.

sssd-1.11.8

sssd-1_11_8

Tagging the 1.11.8 release

sssd-1.13.3

SSSD 1.13.3

Highlights

• A bug that prevented user lookups and logins after migration from winsync to IPA-AD trusts was fixed
• The OCSP certificate validation checks are enabled for smartcard logins if SSSD was compiled with the NSS crypto library.
• A bug that prevented the ignore_group_members option from working correctly in AD provider setups that use a dedicated primary group (as opposed to a user-private group) was fixed
• Offline detection and offline login timeouts were improved for AD users logging in from a domain trusted by an IPA server
• The AD provider supports setting up autofs_provider=ad
• Several usability improvements to our debug messages

Packaging Changes

• The p11_child helper binary is able to run completely unprivileged and no longer requires the setgid bit to be set

Documentation Changes

• A new option certificate_verification was added. This option allows the administrator to disable OCSP checks in case the OCSP server is not reachable

See full release notes here.

sssd-1.13.2

SSSD 1.13.2

Highlights

• This is primarily a bugfix release, with minor features added to the local overrides feature
• The sss_override tool gained new user-show, user-find, group-show and group-find commands
• The PAM responder was crashing if PAM_USER was set to an empty string. This bug was fixed
• The sssd_be process could crash when looking up groups in setups with IPA-AD trusts that use POSIX attributes but do not replicate them to the Global Catalog
• A socket leak in case SSSD couldn't establish a connection to an LDAP server was fixed
• SSSD's memory cache now behaves better when used by long-running applications such as system daemons and the administrator invalidates the cache
• The SSSDConfig Python API no longer throws an exception when config_file_version is missing
• The InfoPipe D-Bus interface is able to retrieve user groups correctly if the user is a member of non-POSIX groups like ipausers as well
• Lookups by certificate now work correctly in multi-domain environment
• The lookup of POSIX attributes after startup was relaxed to only check attribute presence, not validity. The POSIX check was also made less verbose.
• A bug when looking up a subdomain user by UPN users was fixed

Packaging Changes

• The memory cache for initgroups results was previously not packaged. This bug was fixed.
• Python 2/3 packaging in the RPM specfile was improved

See full release notes here.

sssd-1.13.1

SSSD 1.13.1

Highlights

• Initial support for Smart Card authentication was added. The feature can be activated with the new pam_cert_auth option
• The PAM prompting was enhanced so that when Two-Factor Authentication is used, both factors (password and token) can be entered separately on separate prompts. At the same time, only the long-term password is cached, so offline access would still work using the long term password
• A new command line tool sss_override is present in this release. The tools allows to override attributes on the SSSD side. It's helpful in environment where e.g. some hosts need to have a different view of POSIX attributes than others. Please note that the overrides are stored in the cache as well, so removing the cache will also remove the overrides
• New methods were added to the SSSD D-Bus interface. Notably support for looking up a user by certificate and looking up multiple users using a wildcard was added. Please see the interface introspection or the design pages for full details
• Several enhancements to the dynamic DNS update code. Notably, clients that update multiple interfaces work better with this release
• This release supports authenticating againt a KDC proxy
• The fail over code was enhanced so that if a trusted domain is not reachable, only that domain will be marked as inactive but the backed would stay in online mode
• Several fixes to the GPO access control code are present

Packaging Changes

• The Smart Card authentication feature requires a helper process p11_child that needs to be marked as setgid if SSSD needs to be able to. Please note the p11_child requires the NSS crypto library at the moment
• The sss_override tool was added along with its own manpage
• The upstream RPM can now build on RHEL/CentOS 6.7

Documentation Changes

• The config_file_version configuration option now defaults to 2. As an effect, this option doesn't have to be set anymore unless the config file format is changed again by SSSD upstream
• It is now possible to specify a comma-separated list of interfaces in the dyndns_iface option
• The InfoPipe responder and the LDAP provider gained a new option wildcard_lookup that specifies an upper limit on the number of entries that can be returned with a wildcard lookup
• A new option dyndns_server was added. This option allows to attempt a fallback DNS update against a specific DNS server. Please note this option only works as a fallback, the first attempt will always be performed against autodiscovered servers.
• The PAM responder gained a new option ca_db that allows the storage of trusted CA certificates to be specified
• The time the p11_child is allowed to operate can be specified using a new option p11_child_timeout

See full release notes here.

sssd-1.13.0

SSSD 1.13.0

Highlights

• Support for separate prompts when using two-factor authentication was added
• Added support for one-way trusts between an IPA and Active Directory environment. Please note that this SSSD functionality depends on IPA code that will be released in the IPA 4.2 version
• The fast memory cache now also supports the initgroups operation.
• The PAM responder is now capable of caching authentication for configurable period, which might reduce server load in cases where accounts authenticate very frequently. Please refer to the cached_auth_timeout option in the sssd.conf manual page.
• The Active Directory provider has changed the default value of the ad_gpo_access_control option from permissive to enforcing. As a consequence, the GPO access control now affects all clients that set access_provider to ad. In order to restore the previous behaviour, set ad_gpo_access_control to permissive or use a different access_provider type.
• Group Policy objects defined in a different AD domain that the computer object is defined in are now supported.
• Credential caching and Offline authentication are also available when using two-factor authentication
• Many enhancements to the InfoPipe D-Bus API. Notably, the SSSD users and groups are now exposed as first-class objects. The users and groups can also be marked as cached and would subsequently show up in the Introspection output
• The DBus interface is now also able to look up User objects by certificate. This is a first part of work that will eventually allow smart-card authentication in SSSD.
• The LDAP cleanup task is now disabled by default, unless enumeration is enabled. Please refer to the ldap_purge_cache_timeout option in case your environment requires the cleanup task
• The Python bindings are now built for both Python2 and Python3
• The LDAP bind timeout, StartTLS timeout and password change timeout are now configurable using the ldap_opt_timeout option

Packaging Changes

• A new directory /var/lib/sss/keytabs is present and owned by the sssd-ipa subpackage. The SSSD stores keytabs for one-way trust relationships in this directory. Downstreams should make sure that the directory is only readable to the user who runs the SSSD service.
• Several packaging changes are present in this release to support the Python3 bindings, notably new python-sss and python-sss-murmur subpackages are introduced in upstream RPM packaging
• All python bindings now have a Python3 and a Python2 version in the upstream RPM packaging scheme
• The OpenSSL development library such as openssl-devel on RHEL/Fedora or Debian/Ubuntu libssl-dev is now required to support certificate operations
• A new internal library libsss_cert.so is present in this release.
• The fast initgroups memcache is represented by a new file /var/lib/sss/mc/initgroups

Documentation Changes

• The ad_gpo_access_control option default has changed from permissive to enforcing
• The default value of ldap_purge_cache_timeout changed to 0, thus effectivelly disabling the cleanup task.
• A new option cache_credentials_minimal_first_factor_length was added. This option sets constraints on the password length if One-Time passwords are used and credentials are to be cached. Please see the sssd.conf(5) man page for more details
• The cached authentication is controlled by new option cached_auth_timeout. By default the cached authentication is disabled.

See full release notes here.

sssd-1.13.0.alpha

sssd-1_13_0_alpha

Tagging the 1.13 Alpha release

sssd-1.12.90

sssd-1_12_90

Tagging the 1.13 Alpha release