SSSD 1.15.1
Highlights
- Several issues related to starting the SSSD services on demand by the
systemd service manager were fixed. In particular, it is no longer
possible to have a service started both by sssd and by systemd. Another
bug, which might have caused a responder to start before SSSD itself and
cause issues, especially at system startup, was also fixed.
- A new files provider was added. This provider mirrors the contents
of /etc/passwd and /etc/group into the SSSD database (see ticket #3262
below). The purpose of this new provider is to make it possible to use
SSSD's interfaces, such as the D-Bus interface, for local users, and to
leverage the in-memory fast cache for local users as well, as a replacement
for nscd. In the future, we intend to extend the D-Bus interface to also
allow setting and retrieving additional custom attributes for users from
the files provider.
- SSSD now autogenerates a fallback configuration that enables the
files domain if no SSSD configuration exists. This allows distributions
to enable the sssd service as soon as the SSSD package is installed. Please
note that SSSD must be built with the configure option
--enable-files-domain for this functionality to be available.
- Support for public-key authentication with Kerberos (PKINIT) was
added. This enables users who authenticate with a smart card to obtain
a Kerberos ticket during authentication.
Packaging Changes
- The new files provider comes as a new shared library, libsss_files.so,
and a new manual page, sssd-files(5).
- A new helper binary called sssd_check_socket_activated_responders
was added. It is used in the ExecStartPre directive of the responder
socket units to check whether the service that corresponds to the socket
about to be started was also started explicitly by sssd, and to abort the
socket startup if it was.
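The following shell script is an added example, not SSSD's own code (the real check is the compiled sssd_check_socket_activated_responders helper): it models the ExecStartPre contract described above against a constructed sssd.conf. The function names is_explicit_responder, check_socket_activation and write_sample_conf are this example's own, and it assumes that a responder counts as "started explicitly" when it is listed in the services line of the [sssd] section.

```shell
#!/bin/sh
# Added example (not SSSD's own code): a shell model of the check that the
# sssd_check_socket_activated_responders helper performs from ExecStartPre.
# Assumption of this example: a responder is "started explicitly" when it
# appears in the "services" line of the [sssd] section of sssd.conf.

# is_explicit_responder CONF RESPONDER
# Exit status 0 if RESPONDER is listed in the services line of the [sssd]
# section of CONF, 1 otherwise. Only the [sssd] section is consulted, so a
# "services" key inside a [domain/...] section is ignored.
is_explicit_responder() {
    _conf=$1
    _resp=$2
    _services=$(awk -F= '
        /^[[:space:]]*\[/ {
            in_sssd = ($0 ~ /^[[:space:]]*\[sssd\][[:space:]]*$/); next
        }
        in_sssd && $1 ~ /^[[:space:]]*services[[:space:]]*$/ {
            sub(/^[[:space:]]*services[[:space:]]*=/, "")
            print
            exit
        }' "$_conf")
    # "nss, pam ,ssh" -> one name per line, then require an exact match.
    printf '%s\n' "$_services" | tr ',' '\n' | tr -d '[:blank:]' | grep -qx "$_resp"
}

# check_socket_activation CONF RESPONDER
# Mirrors the ExecStartPre contract: exit 0 when the socket may be started,
# exit 1 (so systemd aborts the socket unit) when sssd already starts the
# responder explicitly, which would otherwise run two instances (#3300).
check_socket_activation() {
    if is_explicit_responder "$1" "$2"; then
        echo "sssd-$2: started explicitly by sssd, refusing socket activation" >&2
        return 1
    fi
    return 0
}

# write_sample_conf SERVICES
# Writes a constructed sssd.conf (not taken from any real system) with the
# given services line into a temporary file and prints the file's path.
write_sample_conf() {
    _f=$(mktemp)
    cat > "$_f" <<EOF
[sssd]
config_file_version = 2
services = $1
domains = files

[domain/files]
id_provider = files
EOF
    printf '%s\n' "$_f"
}

# Stand-alone demonstration: nss and pam are started explicitly, ssh is not.
demo_conf=$(write_sample_conf "nss, pam")
for r in nss pam ssh; do
    if check_socket_activation "$demo_conf" "$r"; then
        echo "sssd-$r.socket: may start"
    fi
done
rm -f "$demo_conf"
```

An empty services line (the case from ticket #3299) leaves every responder eligible for socket activation, which is what the fallback configuration relies on.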
Documentation Changes
- A new PAM module option, prompt_always, was added. This option is
related to the fix for https://pagure.io/SSSD/sssd/issue/2984, which
changed the behaviour of the PAM module so that pam_sss always uses an
authentication token that is already on the PAM stack instead of prompting
for one. The new prompt_always option makes it possible to restore the
previous behaviour of prompting the user again.
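As an added illustration (not part of the release notes), this is where the option is placed in a Linux-PAM stack; the module order shown is an assumed, typical layout in which pam_unix prompts first and pam_sss runs after it:

```text
# /etc/pam.d/<service>, auth section (illustrative layout)

# After the fix for #2984, pam_sss reuses the password that pam_unix already
# put on the PAM stack and does not prompt the user a second time:
auth    sufficient  pam_unix.so try_first_pass
auth    sufficient  pam_sss.so

# With prompt_always, pam_sss ignores the token already on the stack and
# prompts for credentials again, restoring the pre-#2984 behaviour:
auth    sufficient  pam_unix.so try_first_pass
auth    sufficient  pam_sss.so prompt_always
```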
Tickets Fixed
- #3112 - When sssd.conf is missing, create one with id_provider=files
- #3220 - Improve successful Dynamic DNS update log messages
- #3227 - sssd doesn’t update PTR records if A/PTR zones are configured as non-secure and secure
- #3230 - Use the same logic for matching GC results in initgroups and user lookups
- #3260 - handle default_domain_suffix for ssh requests with default_domain_suffix
- #3262 - Implement a files provider to mirror the contents of /etc/passwd and /etc/group
- #3270 - [RFE] Add PKINIT support to SSSD Kerberos provider
- #3298 - Socket activation of SSSD doesn’t work and leads to chaos
- #3299 - SSSD does not start if using only the local provider and services line is empty
- #3300 - Avoid running two instances of the same service
- #3309 - Coverity warns about an unused value in IPA sudo code
- #3313 - cache_req should use a negative cache entry for UPN based lookups
- #2984 - Don’t prompt for password if there is already one on the stack
- #1126 - Reuse cache_req() in responder code
Detailed Changelog