SSSD 1.15.1
===========

Highlights
----------
 * Several issues related to starting the SSSD services on-demand by the
   systemd service manager were fixed. In particular, it is no longer
   possible to have a service started both by sssd and by systemd. Another
   bug which might have caused the responder to start before SSSD started
   and cause issues especially on system startup was fixed.
 * A new ``files`` provider was added. This provider mirrors the contents
   of ``/etc/passwd`` and ``/etc/shadow`` into the SSSD database. The purpose
   of this new provider is to make it possible to use SSSD's interfaces,
   such as the D-Bus interface for local users and enable leveraging the
   in-memory fast cache for local users as well, as a replacement for `nscd`.
   In future, we intend to extend the D-Bus interface to also provide setting
   and retrieving additional custom attributes for the files users.
 * SSSD now autogenerates a fallback configuration that enables the
   files domain if no SSSD configuration exists. This allows distributions
   to enable the ``sssd`` service when the SSSD package is installed. Please
   note that SSSD must be build with the configuration option
   ``--enable-files-domain`` for this functionality to be enabled.
 * Support for public-key authentication with Kerberos (PKINIT) was
   added. This support will enable users who authenticate with a Smart Card
   to obtain a Kerberos ticket during authentication.

Packaging Changes
-----------------
 * The new files provider comes as a new shared library ``libsss_files.so``
   and a new manual page
 * A new helper binary called ``sssd_check_socket_activated_responders``
   was added. This binary is used in the ``ExecStartPre`` directive to check
   if the service that corresponds to socket about to be started was also
   started explicitly and abort the socket startup if it was.

Documentation Changes
---------------------
 * A new PAM module option ``prompt_always`` was added. This option is
   related to fixing `<https://pagure.io/SSSD/sssd/issue/2984>`_ which
   changed the behaviour of the PAM module so that ``pam_sss`` always
   uses an auth token that was on stack. The new ``prompt_always`` option
   makes it possible to restore the previous behaviour.

Tickets Fixed
-------------
 * `#3112 <https://pagure.io/SSSD/sssd/issue/3112>`_ - When sssd.conf is missing, create one with id_provider=files 
 * `#3220 <https://pagure.io/SSSD/sssd/issue/3220>`_ - Improve successful Dynamic DNS update log messages
 * `#3227 <https://pagure.io/SSSD/sssd/issue/3227>`_ - sssd doesn't update PTR records if A/PTR zones are configured as non-secure and secure 
 * `#3230 <https://pagure.io/SSSD/sssd/issue/3230>`_ - Use the same logic for matching GC results in initgroups and user lookups 
 * `#3260 <https://pagure.io/SSSD/sssd/issue/3260>`_ - handle default_domain_suffix for ssh requests with default_domain_suffix 
 * `#3262 <https://pagure.io/SSSD/sssd/issue/3262>`_ - Implement a files provider to mirror the contents of /etc/passwd and /etc/groups 
 * `#3270 <https://pagure.io/SSSD/sssd/issue/3270>`_ - [RFE] Add PKINIT support to SSSD Kerberos proivder 
 * `#3298 <https://pagure.io/SSSD/sssd/issue/3298>`_ - Socket activation of SSSD doesn't work and leads to chaos 
 * `#3299 <https://pagure.io/SSSD/sssd/issue/3299>`_ - SSSD does not start if using only the local provider and services line is empty 
 * `#3300 <https://pagure.io/SSSD/sssd/issue/3300>`_ - Avoid running two instances of the same service 
 * `#3309 <https://pagure.io/SSSD/sssd/issue/3309>`_ - Coverity warns about an unused value in IPA sudo code 
 * `#3313 <https://pagure.io/SSSD/sssd/issue/3313>`_ - cache_req should use an negative cache entry for UPN based lookups 
 * `#2984 <https://pagure.io/SSSD/sssd/issue/2984>`_ - Don't prompt for password if there is already one on the stack 
 * `#1126 <https://pagure.io/SSSD/sssd/issue/1126>`_ - Reuse cache_req() in responder code 

Detailed Changelog
------------------