# SSSD 2.11.0
The SSSD team is announcing the release of version 2.11.0 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/2.11.0
See the full release notes at:
https://sssd.io/release-notes/sssd-2.11.0.html
RPM packages will be made available for Fedora shortly.
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
# SSSD 2.11.0 Release Notes
## Highlights
### General information
* The deprecated tool `sss_ssh_knownhostsproxy` was finally removed, together with the `./configure` option `--with-ssh-known-host-proxy` used to build it. It is now replaced by a stub which displays an error message. Instead of this tool, you must now use `sss_ssh_knownhosts`. Please check the sss_ssh_knownhosts(1) man page for detailed information.
* Support for the previously deprecated `sssd.conf::user` option
(`--with-conf-service-user-support` `./configure` option) was removed.
* When both IPv4 and IPv6 address families are resolvable, but the primary one is blocked by a firewall, SSSD attempts to connect to the server over the secondary family.
* During startup, SSSD no longer checks the NSCD configuration in order to warn about potential conflicts.
* Previously deprecated `--with-files-provider` configure option and thus
support of `id_provider = files` were removed.
* Previously deprecated `--with-libsifp` configure option and the `sss_simpleifp` library were removed.
* `krb5-child-test` was removed. The corresponding tests under `src/tests/system/` aim to provide comprehensive test coverage of `krb5_child` functionality.
* SSSD no longer creates missing path components of DIR:/FILE: ccache types while acquiring the user's TGT. The parent directory of the requested ccache directory must exist, and the user trying to log in must have `rwx` access to it. This matches the behavior of `kinit`.
* DoT (DNS over TLS) for dynamic DNS updates is now supported. It requires a new version of `nsupdate` from BIND 9.19+.
* The option `default_domain_suffix` is deprecated. Consider using the more flexible `domain_resolution_order` instead.
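The ccache change above is the one most likely to surface as a login failure after an upgrade, so here is an added example (not SSSD code) that reproduces the precondition: the parent directory of a `DIR:` or `FILE:` ccache must already exist, and the user needs `rwx` on it. It models classic mode bits only (no POSIX ACLs, no root DAC override), on the assumption that the check runs as the user's own identity, and expects any `%U`-style template to be expanded beforehand. The `demo()` scenario, the directory names and the uid handling are constructed for this example.

```python
"""Added example (not SSSD code): check the DIR:/FILE: ccache precondition that
SSSD 2.11 now shares with kinit.  The parent directory of the ccache path must
already exist and the logging-in user needs rwx on it.  Only classic mode bits
are modelled here (no POSIX ACLs, no root DAC override)."""
import os
import tempfile

SUPPORTED_TYPES = ("DIR", "FILE")


def ccache_parent_dir(ccache: str) -> str:
    """Return the directory that must pre-exist for a DIR: or FILE: ccache.

    DIR:/run/user/1000/krb5cc  -> /run/user/1000   (the collection directory's parent)
    FILE:/tmp/krb5cc_1000      -> /tmp             (the cache file's parent)
    Templates (%U etc.) are expected to be expanded before calling this.
    """
    cc_type, sep, path = ccache.partition(":")
    if not sep or cc_type not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported or malformed ccache spec: {ccache!r}")
    if not path.startswith("/"):
        raise ValueError(f"ccache path must be absolute: {ccache!r}")
    return os.path.dirname(path.rstrip("/"))


def has_rwx(path: str, uid: int, gid: int, groups=()) -> bool:
    """Plain DAC check of rwx for (uid, gid, supplementary groups) on path."""
    st = os.stat(path)
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 0o7
    elif st.st_gid == gid or st.st_gid in groups:
        bits = (st.st_mode >> 3) & 0o7
    else:
        bits = st.st_mode & 0o7
    return bits == 0o7


def check_ccache_precondition(ccache: str, uid: int, gid: int, groups=()):
    """Return (ok, reason) describing whether the ccache could be created."""
    parent = ccache_parent_dir(ccache)
    if not os.path.isdir(parent):
        return False, f"parent directory {parent} does not exist"
    if not has_rwx(parent, uid, gid, groups):
        return False, f"uid {uid} lacks rwx on {parent}"
    return True, "ok"


def demo() -> dict:
    """Constructed scenario in a temporary directory: one usable parent, one
    parent without write access, one missing parent.  Results keyed by name."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        st = os.stat(base)
        uid, gid = st.st_uid, st.st_gid  # the identity that created the tree
        good = os.path.join(base, "good")
        os.mkdir(good, 0o700)
        locked = os.path.join(base, "locked")
        os.mkdir(locked)
        os.chmod(locked, 0o500)  # r-x only: the user cannot create the ccache here
        results["usable"] = check_ccache_precondition(f"DIR:{good}/krb5cc", uid, gid)
        results["no_write"] = check_ccache_precondition(f"FILE:{locked}/krb5cc_{uid}", uid, gid)
        results["missing"] = check_ccache_precondition(f"FILE:{base}/nope/krb5cc", uid, gid)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9} {'OK  ' if ok else 'FAIL'} {reason}")
```

Run it against the expanded `krb5_ccname_template` of a failing user to separate "directory missing" from "directory exists but is not writable", which are the two cases the new behaviour introduces.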
### New features
* New generic id and auth provider for Identity Providers (IdPs); as a start, Keycloak and Entra ID are supported. Given suitable credentials, this provider can read users and groups from IdPs and can authenticate IdP users with the help of the OAuth 2.0 Device Authorization Grant (RFC 8628).
* The SSSD IPA provider now supports IPA subdomains, not only Active Directory ones. This IPA subdomain support will enable SSSD support of the IPA-IPA Trust feature, with the fully usable feature coming in a later FreeIPA release. Trusted domain configuration options are described in the `sssd-ipa` man page.
### Important fixes
* `sssd_kcm` memory leak was fixed.
* If the ssh responder is not running, `sss_ssh_knownhosts` will not fail (but it will not return the keys).
### Packaging changes
* **Important note for downstream maintainers.**
The set of capabilities required by privileged binaries was further reduced to:
```
krb5_child cap_dac_read_search,cap_setgid,cap_setuid=p
ldap_child cap_dac_read_search=p
selinux_child cap_setgid,cap_setuid=p
sssd_pam cap_dac_read_search=p
```
Keep in mind that even with a limited set of fine-grained capabilities, the usual precautions still apply when packaging binaries with file capabilities: it is very important to make sure that they are executable only by root and the sssd service user. For this reason the upstream spec file packages them as:
```
-rwxr-x---. 1 root sssd
```
Failing to do so (i.e. allowing non-privileged users to execute those binaries) can expose systems installing the package to a security risk.
* New configure option `--with-id-provider-idp` to enable or disable building SSSD's IdP id provider; the default is enabled.
* `--with-nscd-conf` `./configure` option was removed.
* Support for the deprecated `ad_allow_remote_domain_local_groups` sssd.conf option isn't built by default. It can be enabled using the `--with-allow-remote-domain-local-groups` `./configure` option.
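The packaging note above is a checkable property, so here is an added example (not SSSD's or any distribution's code) that audits the installed helpers against it: the capability set from the table, the `p`-only flag, `root:sssd` ownership, no permission bits for "other", and no setuid/setgid bit sitting next to file capabilities. Input is the text output of `getcap` (the `path caps=flags` form shown in the notes; the older libcap `path = caps+flags` form is accepted too) and of `ls -l`. The sample output embedded at the bottom is constructed, with two deliberate deviations.

```python
"""Added example (not SSSD code): audit the file capabilities and modes of the
SSSD privileged helpers against the table in the 2.11.0 release notes."""
import os
import re

# Capability sets from the release notes; 'p' = permitted only, nothing
# effective or inheritable at exec time (the helper raises what it needs).
EXPECTED_CAPS = {
    "krb5_child": frozenset({"cap_dac_read_search", "cap_setgid", "cap_setuid"}),
    "ldap_child": frozenset({"cap_dac_read_search"}),
    "selinux_child": frozenset({"cap_setgid", "cap_setuid"}),
    "sssd_pam": frozenset({"cap_dac_read_search"}),
}
EXPECTED_FLAGS = "p"

_GETCAP_RE = re.compile(
    r"^(?P<path>\S+)\s+=?\s*(?P<caps>[a-z0-9_,]+)[=+](?P<flags>[eip]+)$")
_LS_RE = re.compile(
    r"^(?P<ftype>[-dl])(?P<perms>[-rwxsStT]{9})[.+]?\s+\d+\s+(?P<owner>\S+)\s+"
    r"(?P<group>\S+)\s+.*?(?P<path>/\S+)$")


def parse_getcap(line: str):
    """'/usr/libexec/sssd/ldap_child cap_dac_read_search=p' -> (path, {caps}, 'p')."""
    m = _GETCAP_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised getcap line: {line!r}")
    return m["path"], frozenset(m["caps"].split(",")), m["flags"]


def parse_ls_l(line: str):
    """One `ls -l` line -> (path, perms, owner, group); perms is the 9-char rwx string."""
    m = _LS_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ls -l line: {line!r}")
    return m["path"], m["perms"], m["owner"], m["group"]


def audit(getcap_lines, ls_lines, service_group="sssd"):
    """Return a list of findings; an empty list means every helper matches the
    packaging guidance (expected caps, 'p' only, root:<service group>, no access
    for 'other', no setuid/setgid bits)."""
    caps = {os.path.basename(p): (c, f) for p, c, f in map(parse_getcap, getcap_lines)}
    modes = {os.path.basename(p): (perms, o, g) for p, perms, o, g in map(parse_ls_l, ls_lines)}
    findings = []
    for name, want in EXPECTED_CAPS.items():
        if name not in caps:
            findings.append(f"{name}: no file capabilities reported by getcap")
        else:
            got, flags = caps[name]
            if got != want:
                findings.append(f"{name}: capabilities {sorted(got)} differ from expected {sorted(want)}")
            if flags != EXPECTED_FLAGS:
                findings.append(f"{name}: capability flags '{flags}' should be '{EXPECTED_FLAGS}'")
        if name not in modes:
            findings.append(f"{name}: missing from ls -l listing")
            continue
        perms, owner, group = modes[name]
        if owner != "root":
            findings.append(f"{name}: owned by {owner}, expected root")
        if group != service_group:
            findings.append(f"{name}: group {group}, expected {service_group}")
        if perms[6:] != "---":
            findings.append(f"{name}: mode {perms} grants access to 'other'")
        if perms[2] in "sS" or perms[5] in "sS":
            findings.append(f"{name}: setuid/setgid bit set alongside file capabilities")
    return findings


# Constructed sample output: ldap_child carries an effective flag it should not
# have and selinux_child is world-executable; the other two match the notes.
SAMPLE_GETCAP = [
    "/usr/libexec/sssd/krb5_child cap_dac_read_search,cap_setgid,cap_setuid=p",
    "/usr/libexec/sssd/ldap_child cap_dac_read_search=ep",
    "/usr/libexec/sssd/selinux_child cap_setgid,cap_setuid=p",
    "/usr/libexec/sssd/sssd_pam cap_dac_read_search=p",
]
SAMPLE_LS = [
    "-rwxr-x---. 1 root sssd 65432 Nov 01 12:00 /usr/libexec/sssd/krb5_child",
    "-rwxr-x---. 1 root sssd 43210 Nov 01 12:00 /usr/libexec/sssd/ldap_child",
    "-rwxr-xr-x. 1 root sssd 21098 Nov 01 12:00 /usr/libexec/sssd/selinux_child",
    "-rwxr-x---. 1 root sssd 87654 Nov 01 12:00 /usr/libexec/sssd/sssd_pam",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_GETCAP, SAMPLE_LS) or ["no findings"]:
        print(finding)
```

On a real host, feed it `getcap /usr/libexec/sssd/*` and `ls -l /usr/libexec/sssd/` output; the helper directory and service group name are distribution choices, so pass `service_group` accordingly.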
### Configuration changes
* The `id_provider` and `auth_provider` options support a new value `idp`. Details about how to configure the IdP provider can be found in the sssd-idp man page.
* New optional fourth value for the AD provider configuration option `ad_machine_account_password_renewal_opts` to select the command used to update the keytab; currently `adcli` and `realm` are the allowed values.
* The pam_sss.so module gained a new option named `allow_chauthtok_by_root`. It allows changing the realm password of an arbitrary user via PAM when invoked by root.
* The new `ldap_read_rootdse` option allows you to specify how SSSD reads the RootDSE from the LDAP server. Allowed values are "anonymous", "authenticated" and "never".
* Until now, the `dyndns_iface` option supported only "*" for all interfaces or exact names. With this update it is possible to use shell wildcard patterns (e.g. eth*, eth[01], ...).
* The `ad_allow_remote_domain_local_groups` option is deprecated and will be removed in future releases.
* The `dyndns_server` option is extended so it can be given in the form of a URI (dns+tls://1.2.3.4:853#servername). A new set of options, `dyndns_dot_cacert`, `dyndns_dot_cert` and `dyndns_dot_key`, allows configuring DNS-over-TLS communication.
* Added the `exop_force` value for the configuration option `ldap_pwmodify_mode`. It can be used to force a password change even if no grace logins are left. Depending on the configuration of the LDAP server, the password change might be expected to fail.
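Two of the dynamic DNS items above change how a value in `sssd.conf` is interpreted: `dyndns_iface` now accepts shell wildcard patterns, and `dyndns_server` accepts a `dns+tls://` URI. The following is an added example (not SSSD code) that expands both the way a configuration linter would, so an administrator can see which interfaces a pattern selects and how a URI is split up before reloading SSSD. Assumptions not stated in the notes: `dyndns_iface` may be a comma-separated list of patterns, 853 is the default port when a `dns+tls://` URI omits it, 53 is implied for a bare host name, and the `#servername` fragment is the TLS server name used for certificate verification. The sample section and interface list at the bottom are constructed.

```python
"""Added example (not SSSD code): expand the dyndns_iface patterns and parse the
dyndns_server URI form introduced in SSSD 2.11.  See the lead-in for the
assumptions (comma-separated patterns, default ports, meaning of #servername)."""
import ipaddress
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


def select_interfaces(dyndns_iface: str, available) -> list:
    """Expand a dyndns_iface value against the host's interface names.
    '*' alone selects every interface; otherwise each comma-separated entry
    (assumption) is an exact name or a shell pattern such as eth* or eth[01]."""
    value = dyndns_iface.strip()
    if value == "*":
        return list(available)
    patterns = [p for p in re.split(r"[,\s]+", value) if p]
    return [name for name in available if any(fnmatchcase(name, p) for p in patterns)]


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_dyndns_server(value: str) -> dict:
    """Parse dyndns_server into {'host', 'port', 'tls', 'server_name'}.

    A bare host name or IP keeps the classic plain-DNS behaviour (port 53
    assumed).  The dns+tls://host:port#servername URI form from the notes turns
    on DNS-over-TLS; the fragment is taken as the server name for certificate
    checks (assumption).  Other schemes are rejected."""
    value = value.strip()
    if "://" not in value:
        if not value or any(c.isspace() for c in value):
            raise ValueError(f"invalid dyndns_server: {value!r}")
        return {"host": value, "port": 53, "tls": False, "server_name": None}
    u = urlsplit(value)
    if u.scheme != "dns+tls":
        raise ValueError(f"unsupported dyndns_server scheme: {u.scheme!r}")
    if not u.hostname:
        raise ValueError(f"dyndns_server URI has no host: {value!r}")
    server_name = u.fragment or None
    if server_name is None and _is_ip_literal(u.hostname):
        # An IP literal gives TLS nothing to verify the certificate against.
        raise ValueError(f"dns+tls with an IP literal needs a #servername: {value!r}")
    return {"host": u.hostname, "port": u.port or 853, "tls": True, "server_name": server_name}


def validate_dyndns(options: dict, available_ifaces) -> dict:
    """Summarise the dyndns_* keys of one [domain/...] section (given as a dict)."""
    ifaces = select_interfaces(options.get("dyndns_iface", "*"), available_ifaces)
    server = parse_dyndns_server(options["dyndns_server"]) if "dyndns_server" in options else None
    warnings = []
    if not ifaces:
        warnings.append("dyndns_iface matches no interface; no addresses would be updated")
    if server and server["tls"]:
        if bool(options.get("dyndns_dot_cert")) != bool(options.get("dyndns_dot_key")):
            warnings.append("dyndns_dot_cert and dyndns_dot_key must be set together")
    return {"interfaces": ifaces, "server": server, "warnings": warnings}


# Constructed sample: a client certificate without its key, to show a warning.
SAMPLE_SECTION = {
    "dyndns_update": "true",
    "dyndns_iface": "eth[01], wlan*",
    "dyndns_server": "dns+tls://192.0.2.53:853#ns1.example.test",
    "dyndns_dot_cacert": "/etc/pki/tls/certs/ca-bundle.crt",
    "dyndns_dot_cert": "/etc/sssd/pki/dyndns-client.crt",
}
SAMPLE_IFACES = ["lo", "eth0", "eth1", "eth2", "wlan0"]

if __name__ == "__main__":
    summary = validate_dyndns(SAMPLE_SECTION, SAMPLE_IFACES)
    print("interfaces:", summary["interfaces"])
    print("server:    ", summary["server"])
    for w in summary["warnings"]:
        print("warning:   ", w)
```

Running it on the sample prints the three matched interfaces, the parsed DoT server and one warning about the unpaired client certificate; swap in the values from a real domain section to preview what a pattern change will select.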
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org