[SSSD-users] Announcing SSSD 2.4.1

Fri, 05 Feb 2021 04:54:46 -0800 

# SSSD 2.4.1

The SSSD team is proud to announce the release of version 2.4.1 of the
System Security Services Daemon. The tarball can be downloaded from:
    https://github.com/SSSD/sssd/releases/tag/2.4.1

See the full release notes at:
    https://sssd.io/docs/users/relnotes/notes_2_4_1

RPM packages will be made available for Fedora shortly.

## Feedback

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
    https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
    https://lists.fedorahosted.org/mailman/listinfo/sssd-users

## Highlights

### General information
* `SYSLOG_IDENTIFIER` was renamed to `SSSD_PRG_NAME` in journald output, to avoid issues with PID parsing in rsyslog (BSD-style forwarder) output. 

### New features

* New PAM module `pam_sss_gss` for authentication using GSSAPI
* `case_sensitive=Preserving` can now be set for trusted domains with AD provider * `case_sensitive=Preserving` can now be set for trusted domains with IPA provider. However, the option needs to be set to `Preserving` on both client and the server for it to take effect. 
* `case_sensitive` option can be now inherited by subdomains
* `case_sensitive` can be now set separately for each subdomain in `[domain/parent/subdomain]` section * `krb5_use_subdomain_realm=True` can now be used when sub-domain user principal names have upnSuffixes which are not known in the parent domain. SSSD will try to send the Kerberos request directly to a KDC of the sub-domain. 

### Important fixes

* krb5_child uses proper umask for DIR type ccaches
* Memory leak in the simple access provider
* KCM performance has improved dramatically for cases where large amount of credentials are stored in the ccache. 

### Packaging changes

* Added `pam_sss_gss.so` PAM module and `pam_sss_gss.8` manual page

### Configuration changes

* New default value of `debug_level` is 0x0070
* Added `pam_gssapi_check_upn` to enforce authentication only with principal that can be associated with target user. * Added `pam_gssapi_services` to list PAM services that can authenticate using GSSAPI 
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

Reply via email to