Releases: SSSD/sssd

sssd-2.11.1

31 Jul 11:14
2.11.1

SSSD 2.11.1 Release Notes

This is a minor bugfix update.

Fixed Issues

  • #7921 - AD user in external group is not cleared when expiring the cache
  • #7968 - cache_credentials = true not working in sssd master
  • #8005 - Socket activation doesn't work for 'sssd_pam'

See full release notes here.

sssd-2.11.0

05 Jun 09:16
2.11.0

SSSD 2.11.0 Release Notes

Highlights

General information

  • The deprecated tool sss_ssh_knownhostsproxy was finally removed, together
    with the ./configure option --with-ssh-known-host-proxy used to build it.
    It is now replaced by a stub which displays an error message. Instead of this
    tool, you must now use sss_ssh_knownhosts. Please check the
    sss_ssh_knownhosts(1) man page for detailed information.
  • Support for the previously deprecated sssd.conf::user option
    (--with-conf-service-user-support ./configure option) was removed.
  • When both IPv4 and IPv6 address families are resolvable but the primary one
    is blocked by a firewall, SSSD attempts to connect to the server over the
    secondary family.
  • During startup, SSSD no longer checks the NSCD configuration in order to
    warn about a potential conflict.
  • The previously deprecated --with-files-provider configure option, and with
    it support for id_provider = files, were removed.
  • The previously deprecated --with-libsifp configure option and the
    'sss_simpleifp' library were removed.
  • krb5-child-test was removed. The corresponding tests under src/tests/system/
    aim to provide comprehensive test coverage of krb5_child functionality.
  • SSSD no longer creates missing path components of DIR:/FILE: ccache types
    while acquiring the user's TGT. The parent directory of the requested ccache
    directory must exist and the user trying to log in must have rwx access to
    it. This matches the behavior of kinit.
  • DNS over TLS (DoT) for dynamic DNS updates is now supported. It requires a
    newer nsupdate from BIND 9.19+.
  • The option default_domain_suffix is deprecated. Consider using the more
    flexible domain_resolution_order instead.

New features

  • New generic id and auth provider for Identity Providers (IdPs); initially
    Keycloak and Entra ID are supported. Given suitable credentials this provider
    can read users and groups from the IdP and can authenticate IdP users with the
    help of the OAuth 2.0 Device Authorization Grant (RFC 8628).
  • The SSSD IPA provider now supports IPA subdomains, not only Active Directory
    ones. This IPA subdomain support enables SSSD support for the IPA-IPA Trust
    feature; the fully usable feature comes in a later FreeIPA release. Trusted
    domain configuration options are described in the sssd-ipa man page.

Important fixes

  • The sssd_kcm memory leak was fixed.
  • If the ssh responder is not running, sss_ssh_knownhosts will not fail (but
    it will not return the keys).

Packaging changes

  • Important note for downstream maintainers.

    A set of capabilities required by privileged binaries was further reduced to:

    krb5_child cap_dac_read_search,cap_setgid,cap_setuid=p
    ldap_child cap_dac_read_search=p
    selinux_child cap_setgid,cap_setuid=p
    sssd_pam cap_dac_read_search=p
    

    Keep in mind that even with a limited set of fine-grained capabilities, the
    usual precautions should still be taken when packaging binaries with file
    capabilities: it is very important to make sure that they are executable only
    by root and the sssd service user. For this reason the upstream spec file
    packages them as:

    -rwxr-x---. 1 root sssd

    Failing to do so (i.e. allowing non-privileged users to execute those
    binaries) can expose systems installing the package to a security risk.

  • The new configure option --with-id-provider-idp enables or disables building
    SSSD's IdP id provider; it is enabled by default.

  • The --with-nscd-conf ./configure option was removed.

  • Support for the deprecated ad_allow_remote_domain_local_groups sssd.conf
    option is not built by default. It can be enabled using the
    --with-allow-remote-domain-local-groups ./configure option.

Configuration changes

  • The id_provider and auth_provider options support a new value, idp. Details
    about how to configure the IdP provider can be found in the sssd-idp man page.
  • A new optional fourth value for the AD provider configuration option
    ad_machine_account_password_renewal_opts selects the command used to update
    the keytab; currently adcli and realm are the allowed values.
  • The pam_sss.so module gained a new option named "allow_chauthtok_by_root". It
    allows changing the realm password of an arbitrary user via PAM when invoked
    by root.
  • The new ldap_read_rootdse option allows you to specify how SSSD reads the
    RootDSE from the LDAP server. Allowed values are "anonymous", "authenticated"
    and "never".
  • Until now the dyndns_iface option supported only "*" for all interfaces or
    exact names. With this update it is possible to use shell wildcard patterns
    (e.g. eth*, eth[01], ...).
  • The ad_allow_remote_domain_local_groups option is deprecated and will be
    removed in future releases.
  • The dyndns_server option is extended so it can be given in the form of a URI
    (dns+tls://1.2.3.4:853#servername). A new set of options, dyndns_dot_cacert,
    dyndns_dot_cert and dyndns_dot_key, allows configuring DNS-over-TLS
    communication.
  • Added the exop_force value for the configuration option ldap_pwmodify_mode.
    This can be used to force a password change even if no grace logins are left.
    Depending on the configuration of the LDAP server, the password change may
    still fail.

See full release notes here.

sssd-2.9.7

20 May 15:46
2.9.7

SSSD 2.9.7 Release Notes

Highlights

General information

  • When both IPv4 and IPv6 address families are resolvable but the primary one is blocked by a firewall, SSSD attempts to connect to the server over the secondary family.

New features

  • SSSD IPA provider now supports IPA subdomains, not only Active Directory. This IPA subdomain support will enable SSSD support of IPA-IPA Trust feature, the full usable feature coming in a later FreeIPA release. Trusted domain configuration options are specified in the 'sssd-ipa' man page.

Important fixes

  • 'sssd_kcm' memory leak was fixed.

Configuration changes

  • The new 'ldap_read_rootdse' option allows you to specify how SSSD reads the RootDSE from the LDAP server. Allowed values are "anonymous", "authenticated" and "never".
  • Until now dyndns_iface option supported only "*" for all interfaces or exact names. With this update it is possible to use shell wildcard patterns (e. g. eth*, eth[01], ...).

See full release notes here.

sssd-2.10.2

29 Jan 11:18
2.10.2

SSSD 2.10.2 Release Notes

Highlights

This release fixes a number of minor issues in the spec and services files,
affecting mainly rpm-ostree based systems.

Important fixes

  • If the ssh responder is not running, sss_ssh_knownhosts will not fail (but
    it will not return the keys).

  • A wrong path to a pid file in SSSD logrotate configuration snippet was
    corrected.

  • SSSD is now capable of handling multiple services associated with the same
    port.

  • sssd_pam, being a privileged binary, now clears the environment and
    doesn't allow configuration of the PR_SET_DUMPABLE flag as a precaution.

See full release notes here.

sssd-2.10.1

10 Dec 14:37
2.10.1

SSSD 2.10.1 Release Notes

Highlights

General information

  • krb5-child-test was removed. The corresponding tests under 'src/tests/system/'
    aim to provide comprehensive test coverage of 'krb5_child' functionality.
  • SSSD no longer creates missing path components of DIR:/FILE: ccache types
    while acquiring the user's TGT. The parent directory of the requested ccache
    directory must exist and the user trying to log in must have 'rwx' access to
    it. This matches the behavior of 'kinit'.
  • DNS over TLS (DoT) for dynamic DNS updates is now supported. It requires a
    newer nsupdate from BIND 9.19+.
  • The option default_domain_suffix is deprecated. Consider using the more
    flexible domain_resolution_order instead.

Packaging changes

  • Important note for downstream maintainers.

    A set of capabilities required by privileged binaries was further reduced to:

    krb5_child cap_dac_read_search,cap_setgid,cap_setuid=p
    ldap_child cap_dac_read_search=p
    selinux_child cap_setgid,cap_setuid=p
    sssd_pam cap_dac_read_search=p
    

    Keep in mind that even with a limited set of fine-grained capabilities, the
    usual precautions should still be taken when packaging binaries with file
    capabilities: it is very important to make sure that they are executable only
    by root and the sssd service user. For this reason the upstream spec file
    packages them as:

    -rwxr-x---. 1 root sssd

    Failing to do so (i.e. allowing non-privileged users to execute those
    binaries) can expose systems installing the package to a security risk.

  • Support for the deprecated 'ad_allow_remote_domain_local_groups' sssd.conf
    option is not built by default. It can be enabled using the
    '--with-allow-remote-domain-local-groups' ./configure option.
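The following is an added packager's check for the capability and permission requirements in the note above (the same note appears in the 2.11.0 section); it is example code, not SSSD's own. It assumes /usr/libexec/sssd as the helper directory (a placeholder; adjust for your distribution) and needs GNU stat plus getcap from libcap when run against installed files, while check_mode and check_caps work on captured strings and can be exercised without root.

```shell
#!/bin/sh
# Added example, not SSSD's own code: verify that SSSD's privileged helpers are
# packaged as the release notes require: mode -rwxr-x--- owned by root:sssd (no
# public rx bits, no SUID bit) and exactly the listed file capabilities.
# HELPER_DIR is an assumption (placeholder); adjust it for your distribution.
HELPER_DIR=${HELPER_DIR:-/usr/libexec/sssd}

# Expected file capabilities per helper, as listed in the 2.10.1/2.11.0 notes.
expected_caps() {
    case "$1" in
        krb5_child)    echo "cap_dac_read_search,cap_setgid,cap_setuid=p" ;;
        ldap_child)    echo "cap_dac_read_search=p" ;;
        selinux_child) echo "cap_setgid,cap_setuid=p" ;;
        sssd_pam)      echo "cap_dac_read_search=p" ;;
        *)             return 1 ;;
    esac
}

# check_mode MODE OWNER GROUP: succeeds only for the upstream packaging, i.e.
# symbolic mode -rwxr-x--- (as printed by `ls -l` / `stat -c %A`) and root:sssd.
# A trailing "." or "+" (SELinux context / ACL marker) is ignored; an "s"
# (SUID/SGID) or any permission for "others" fails the exact match.
check_mode() {
    mode=${1%[.+]}
    case "$mode" in
        -rwxr-x---) ;;
        *) return 1 ;;
    esac
    [ "$2" = root ] && [ "$3" = sssd ]
}

# check_caps NAME GETCAP_LINE: compares the capability set printed by getcap
# (e.g. "/usr/libexec/sssd/ldap_child cap_dac_read_search=p") with the expected
# one. Only the last field is used; older libcap prints "path = cap_x+p", which
# the strict comparison rejects so the difference gets looked at, not ignored.
check_caps() {
    want=$(expected_caps "$1") || return 1
    got=${2##* }
    [ "$got" = "$want" ]
}

# audit_helper NAME: run both checks against the installed file (GNU stat and
# getcap from libcap); the first failing property is reported on stderr.
audit_helper() {
    bin=$1; path="$HELPER_DIR/$bin"
    [ -e "$path" ] || { echo "missing: $path" >&2; return 1; }
    info=$(stat -c '%A %U %G' "$path") || return 1
    set -- $info
    check_mode "$1" "$2" "$3" ||
        { echo "bad mode/owner on $path: $1 $2 $3" >&2; return 1; }
    caps=$(getcap "$path") || return 1
    check_caps "$bin" "$caps" ||
        { echo "unexpected caps on $path: $caps" >&2; return 1; }
    echo "ok: $path $1 $2 $3 ${caps##* }"
}

# Usage: sh audit_sssd_helpers.sh krb5_child ldap_child selinux_child sssd_pam
# Without arguments nothing is audited, so the functions can be sourced.
if [ $# -gt 0 ]; then
    rc=0
    for h in "$@"; do audit_helper "$h" || rc=1; done
    exit $rc
fi
```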

Configuration changes

  • The ad_allow_remote_domain_local_groups option is deprecated and will be
    removed in future releases.
  • The dyndns_server option is extended so it can be given in the form of a URI
    (dns+tls://1.2.3.4:853#servername). A new set of options, dyndns_dot_cacert,
    dyndns_dot_cert and dyndns_dot_key, allows configuring DNS-over-TLS
    communication.
  • Added the exop_force value for the configuration option ldap_pwmodify_mode.
    This can be used to force a password change even if no grace logins are left.
    Depending on the configuration of the LDAP server, the password change may
    still fail.

See full release notes here.

sssd-2.9.6

05 Dec 18:01
2.9.6

SSSD 2.9.6 Release Notes

Highlights

General information

  • DNS over TLS (DoT) for dynamic DNS updates is now supported. It requires a
    newer nsupdate from BIND 9.19+.

  • The option default_domain_suffix is deprecated. Consider using the more
    flexible domain_resolution_order instead.

Important fixes

  • When the DP_OPT_DYNDNS_REFRESH_OFFSET enumerator was created, the
    associated struct dp_option was not. Because these structures are part of
    an array and the enumerator is used as the index, the wrong structure would be
    accessed when trying to use this index. This problem was fixed by creating the
    missing structure.

Configuration changes

  • The dyndns_server option is extended so it can be given in the form of a URI
    (dns+tls://1.2.3.4:853#servername). A new set of options,
    dyndns_dot_cacert, dyndns_dot_cert and dyndns_dot_key, allows
    configuring DNS-over-TLS communication.

  • Added the exop_force value for the configuration option ldap_pwmodify_mode.
    This can be used to force a password change even if no grace logins are left.
    Depending on the configuration of the LDAP server, the password change may
    still fail.

See full release notes here.

sssd-2.10.0

15 Oct 10:31
2.10.0

SSSD 2.10.0 Release Notes

Highlights

General information

  • IMPORTANT note for downstream maintainers!

    This release significantly improves the "running with less privileges (under
    an unprivileged service user)" feature. There is still a ./configure option
    --with-sssd-user= available that allows downstream package maintainers to
    choose whether support for a non-root service user should be built. If such
    support is built, the preferred way to configure the service user is simply
    to start SSSD under this user; for example, using the User=/Group= options
    of the systemd sssd.service file. Upstream defaults are to build
    --with-sssd-user=sssd and to install the systemd service with
    User=/Group=sssd. In this case, only a few helper processes -
    ldap_child, krb5_child and selinux_child - are executed with
    elevated capabilities (which are now granted using fine-grained file
    capabilities instead of the SUID bit). All other SSSD components run without
    any capabilities. In this scenario it is still possible to re-configure SSSD
    to run under root (if needed for some reason): besides changing the
    User=/Group= options, some other tweaks of the systemd service files are
    required.

    The legacy method of configuring a service user - the sssd.conf user option -
    is now deprecated and its support isn't built by default. It can be enabled
    using the --with-conf-service-user-support ./configure option if needed (for
    example, due to backward compatibility requirements of stable releases).

    Further, no matter whether SSSD is built --with-sssd-user=sssd or
    --with-sssd-user=root, when it is configured to run under root (in both
    cases) it still runs without capabilities, the same way as when it is
    configured to run under the sssd user. The only difference is from the DAC
    perspective.

    Important note: the owner of the /etc/sssd/sssd.conf file (and snippets)
    should match the user configured to start the SSSD service. The upstream spec
    file and service files change the ownership of an existing sssd.conf to sssd
    during package installation and at runtime, for seamless upgrades during the
    transition period only.

    Additionally, this release fixes a large number of issues with the "socket
    activation of responders" feature, making it operable out of the box when the
    package is built --with-sssd-user=sssd. Please note that the user configured
    to run the main sssd.service and the socket-activated responders (if used)
    should match (i.e. if sssd.service is re-configured from the upstream
    defaults to root, then the responder services should also be re-configured).

    Downstream package maintainers are advised to carefully inspect changes in
    contrib/sssd.spec.in, src/sysv/systemd/* and ./configure options
    that this release brings!

  • sssctl cache-upgrade command was removed. SSSD performs automatic upgrades
    at startup when needed.

  • Support for the enumeration feature (i.e. the ability to list all
    users/groups using getent passwd/group without an argument) for the AD/IPA
    providers is deprecated and might be removed in future releases. Those who
    want to keep using it for a while should configure its build explicitly
    using the --with-extended-enumeration-support ./configure option.

  • A number of minor glitches of sssd-2.10.0-beta1 around building and
    packaging were fixed.

New features

  • The new tool sss_ssh_knownhosts can be used with ssh's
    KnownHostsCommand configuration option to retrieve the host's public keys
    from a remote server (FreeIPA, LDAP, etc.). This new tool, which is more
    reliable, replaces sss_ssh_knownhostsproxy. The latter is no longer built
    by default, but its build can be forced with the ./configure option
    --with-ssh-known-hosts-proxy.

Packaging changes

  • Building SSSD now unconditionally requires availability of ucred/
    SO_PEERCRED to enforce certain security checks at runtime (see man 7 unix for details).

  • SSSD now requires libini not older than v1.3.

  • The explicit --with-semanage ./configure switch was removed; going forward
    --with-selinux includes this.

  • The sssd_pam binary lost its public rx bits and got the cap_dac_read_search=p
    file capability to be able to use GSSAPI.

  • Support for OpenSSL older than 1.0.1 was dropped.

  • Support for the --without-infopipe ./configure option was dropped. The
    feature has long been out of the experimental state. Since building it does
    not require any additional dependencies, there is little sense in keeping
    the option available. Those not interested in the feature can skip
    installing the sssd-ifp sub-package.

Configuration changes

  • Default ldap_id_use_start_tls value changed from false to true for
    improved security.

  • Added a ldap_use_ppolicy option for backends with broken ppolicy extension
    handling.

  • Obsolete config_file_version option was removed.

  • The option reconnection_retries was removed since it is no longer used. SSSD
    switched to a new architecture for internal IPC between SSSD processes in
    which responders no longer connect to the backend, so this option no longer
    has any effect.

See full release notes here.

sssd-2.10.0-beta2

26 Jun 09:40
2.10.0-beta2

sssd-2.10.0-beta2 Pre-release
SSSD sssd-2.10.0~beta2 Release Notes

Highlights

General information

  • A number of minor glitches of sssd-2.10.0-beta1 around building and packaging were fixed.

Packaging changes

  • The sssd_pam binary lost its public rx bits and got the cap_dac_read_search=p file capability to be able to use GSSAPI.

See full release notes here.

sssd-2.10.0-beta1

06 Jun 12:10
2.10.0-beta1

sssd-2.10.0-beta1 Pre-release
SSSD 2.10-beta1 Release Notes

Highlights

General information

  • IMPORTANT note for downstream maintainers!

    This release significantly improves the "running with less privileges (under an unprivileged service user)" feature. There is still a ./configure option --with-sssd-user= available that allows downstream package maintainers to choose whether support for a non-root service user should be built. If such support is built, the preferred way to configure the service user is simply to start SSSD under this user; for example, using the User=/Group= options of the systemd sssd.service file. Upstream defaults are to build --with-sssd-user=sssd and to install the systemd service with User=/Group=sssd. In this case, only a few helper processes - ldap_child, krb5_child and selinux_child - are executed with elevated capabilities (which are now granted using fine-grained file capabilities instead of the SUID bit). All other SSSD components run without any capabilities. In this scenario it is still possible to re-configure SSSD to run under root (if needed for some reason): besides changing the User=/Group= options, some other tweaks of the systemd service files are required.

    The legacy method of configuring a service user - the sssd.conf user option - is now deprecated and its support isn't built by default. It can be enabled using the --with-conf-service-user-support ./configure option if needed (for example, due to backward compatibility requirements of stable releases).

    Further, no matter whether SSSD is built --with-sssd-user=sssd or --with-sssd-user=root, when it is configured to run under root (in both cases) it still runs without capabilities, the same way as when it is configured to run under the sssd user. The only difference is from the DAC perspective.

    Important note: the owner of the /etc/sssd/sssd.conf file (and snippets) should match the user configured to start the SSSD service. The upstream spec file changes the ownership of an existing sssd.conf to sssd during package installation for seamless upgrades.

    Additionally, this release fixes a large number of issues with the "socket activation of responders" feature, making it operable out of the box when the package is built --with-sssd-user=sssd. Please note that the user configured to run the main sssd.service and the socket-activated responders (if used) should match (i.e. if sssd.service is re-configured from the upstream defaults to root, then the responder services should also be re-configured).

    Downstream package maintainers are advised to carefully inspect changes in contrib/sssd.spec.in, src/sysv/systemd/* and ./configure options that this release brings!

  • sssctl cache-upgrade command was removed. SSSD performs automatic upgrades at startup when needed.

  • Support for the enumeration feature (i.e. the ability to list all users/groups using getent passwd/group without an argument) for the AD/IPA providers is deprecated and might be removed in future releases. Those who want to keep using it for a while should configure its build explicitly using the --with-extended-enumeration-support ./configure option.

New features

  • The new tool sss_ssh_knownhosts can be used with ssh's KnownHostsCommand configuration option to retrieve the host's public keys from a remote server (FreeIPA, LDAP, etc.). This new tool, which is more reliable, replaces sss_ssh_knownhostsproxy. Please consider switching to using the new tool as the old one will be removed.

Packaging changes

  • Building SSSD now unconditionally requires availability of ucred/SO_PEERCRED to enforce certain security checks at runtime (see man 7 unix for details).
  • SSSD now requires libini not older than v1.3.
  • The explicit --with-semanage ./configure switch was removed; going forward --with-selinux includes this.

Configuration changes

  • Default ldap_id_use_start_tls value changed from false to true for improved security.
  • Added a ldap_use_ppolicy option for backends with broken ppolicy extension handling.
  • Obsolete config_file_version option was removed.

See full release notes here.

sssd-2.9.5

16 May 11:48
2.9.5

SSSD 2.9.5 Release Notes

Highlights

Security

Configuration changes

  • Added the failover_primary_timeout configuration option. This can be used to configure how often SSSD tries to reconnect to a primary server after a successful connection to a backup server. This was previously hardcoded to 31 seconds, which is kept as the default value.

See full release notes here.