SSSD 1.15.1

Highlights

  • Several issues related to starting the SSSD services on-demand by the systemd service manager were fixed. In particular, it is no longer possible to have a service started both by sssd and by systemd. Another bug, which might have caused a responder to start before SSSD itself had started and cause issues especially on system startup, was also fixed.
  • A new files provider was added. This provider mirrors the contents of /etc/passwd and /etc/shadow into the SSSD database. The purpose of this new provider is to make SSSD’s interfaces, such as the D-Bus interface, available for local users as well, and to let local users benefit from the in-memory fast cache, so that SSSD can replace nscd. In the future, we intend to extend the D-Bus interface to also allow setting and retrieving additional custom attributes for the files users.
  • SSSD now autogenerates a fallback configuration that enables the files domain if no SSSD configuration exists. This allows distributions to enable the sssd service as soon as the SSSD package is installed. Please note that SSSD must be built with the configuration option --enable-files-domain for this functionality to be enabled.
  • Support for public-key authentication with Kerberos (PKINIT) was added. This support enables users who authenticate with a smart card to obtain a Kerberos ticket during authentication.

Packaging Changes

  • The new files provider comes as a new shared library libsss_files.so and a new manual page.
  • A new helper binary called sssd_check_socket_activated_responders was added. This binary is used in the ExecStartPre directive to check whether the service that corresponds to the socket about to be started was also started explicitly by sssd, and to abort the socket startup if it was.
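The check described for the ExecStartPre helper, reimplemented as an added shell example (this is not the code of sssd_check_socket_activated_responders or any other SSSD code). It assumes that a responder counts as "started explicitly" when its name appears in the services line of the [sssd] section of sssd.conf, and it operates on a constructed sample configuration that also uses the new files domain.

```shell
#!/bin/sh
# Added example, not part of SSSD: emulate an ExecStartPre check that refuses
# socket activation of a responder which sssd already starts explicitly.
# Assumption: "started explicitly" means the responder name is listed in the
# "services" line of the [sssd] section of sssd.conf.

# Constructed sample sssd.conf (not a real system file).
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
services = nss, pam
domains = files

[domain/files]
id_provider = files
EOF

# explicit_services CONF: print the value of "services" from the [sssd] section.
explicit_services() {
    awk -F= '
        /^[[:space:]]*\[/ { in_sssd = ($0 ~ /^[[:space:]]*\[sssd\][[:space:]]*$/); next }
        in_sssd && $1 ~ /^[[:space:]]*services[[:space:]]*$/ {
            sub(/^[[:space:]]+/, "", $2); sub(/[[:space:]]+$/, "", $2)
            print $2; exit
        }' "$1"
}

# responder_is_explicit CONF NAME: succeed if NAME is listed in services.
responder_is_explicit() {
    explicit_services "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qx "$2"
}

# check_socket_start CONF NAME: what the ExecStartPre step would decide.
# Returns non-zero (aborting the socket unit) when NAME is started by sssd.
check_socket_start() {
    if responder_is_explicit "$1" "$2"; then
        echo "$2 is started explicitly by sssd; refusing socket activation" >&2
        return 1
    fi
    echo "$2 is not in the services line; socket activation allowed"
    return 0
}

check_socket_start "$SAMPLE_CONF" nss || true   # refused: nss is in services
check_socket_start "$SAMPLE_CONF" ssh            # allowed: ssh is not listed
```

With the sample configuration, activating the nss socket is refused because sssd already starts that responder, while the ssh responder, absent from the services line, may be socket-activated; this is the situation the release notes describe as "two instances of the same service" being avoided.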

Documentation Changes

  • A new PAM module option prompt_always was added. This option is related to the fix for https://pagure.io/SSSD/sssd/issue/2984, which changed the behaviour of the PAM module so that pam_sss always uses an authentication token that is already on the stack. The new prompt_always option makes it possible to restore the previous behaviour of always prompting for the password.

Tickets Fixed

  • #3112 - When sssd.conf is missing, create one with id_provider=files
  • #3220 - Improve successful Dynamic DNS update log messages
  • #3227 - sssd doesn’t update PTR records if A/PTR zones are configured as non-secure and secure
  • #3230 - Use the same logic for matching GC results in initgroups and user lookups
  • #3260 - handle default_domain_suffix for ssh requests with default_domain_suffix
  • #3262 - Implement a files provider to mirror the contents of /etc/passwd and /etc/groups
  • #3270 - [RFE] Add PKINIT support to SSSD Kerberos provider
  • #3298 - Socket activation of SSSD doesn’t work and leads to chaos
  • #3299 - SSSD does not start if using only the local provider and services line is empty
  • #3300 - Avoid running two instances of the same service
  • #3309 - Coverity warns about an unused value in IPA sudo code
  • #3313 - cache_req should use a negative cache entry for UPN based lookups
  • #2984 - Don’t prompt for password if there is already one on the stack
  • #1126 - Reuse cache_req() in responder code

Detailed Changelog