# SSSD 2.10.1

The SSSD team is announcing the release of version 2.10.1 of the
System Security Services Daemon. The tarball can be downloaded from:
     https://github.com/SSSD/sssd/releases/tag/2.10.1

See the full release notes at:
     https://sssd.io/release-notes/sssd-2.10.1.html

RPM packages will be made available for Fedora shortly.

## Feedback

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
     https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
     https://lists.fedorahosted.org/mailman/listinfo/sssd-users

# SSSD 2.10.1 Release Notes

## Highlights

### General information

* `krb5-child-test` was removed. The corresponding tests under 'src/tests/system/'
  are intended to provide comprehensive test coverage of 'krb5_child'
  functionality.
* SSSD no longer creates missing path components for DIR: and FILE: ccache
  types while acquiring a user's TGT. The parent directory of the requested
  ccache must exist and the user logging in must have 'rwx' access to it. This
  matches the behavior of 'kinit'.
* DNS over TLS (DoT) for dynamic DNS updates is now supported. It requires a
  newer `nsupdate` from BIND 9.19+.
* The option `default_domain_suffix` is deprecated. Consider using the more
  flexible `domain_resolution_order` instead.

### Packaging changes

* **Important note for downstream maintainers.**

  The set of capabilities required by privileged binaries was further reduced to:

  ```
  krb5_child cap_dac_read_search,cap_setgid,cap_setuid=p
  ldap_child cap_dac_read_search=p
  selinux_child cap_setgid,cap_setuid=p
  sssd_pam cap_dac_read_search=p
  ```

  Keep in mind that even with a limited set of fine-grained capabilities, the
  usual precautions still apply when packaging binaries with file
  capabilities: it is very important to make sure that they are executable
  only by root and the sssd service user. For this reason the upstream spec
  file packages them as:

  ```
  -rwxr-x---. 1 root sssd
  ```

  Failing to do so (i.e. allowing non-privileged users to execute those
  binaries) exposes systems installing the package to a security risk.

* Support for the deprecated 'ad_allow_remote_domain_local_groups' sssd.conf
  option is not built by default. It can be enabled with the
  '--with-allow-remote-domain-local-groups' ./configure option.
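The following is an added packaging check, not part of SSSD or its spec file: it compares captured `getcap -r` and `stat -c '%a %U %G %n'` output for the four helpers against the capability set and root:sssd ownership given above, so a downstream package or a modified install can be audited for drift. The install path /usr/libexec/sssd and the 750 mode are assumptions derived from the listing above.

```python
import re
# Capability sets, owner and group from the SSSD 2.10.1 packaging notes.
EXPECTED_CAPS = {
    "krb5_child": {"cap_dac_read_search", "cap_setgid", "cap_setuid"},
    "ldap_child": {"cap_dac_read_search"},
    "selinux_child": {"cap_setgid", "cap_setuid"},
    "sssd_pam": {"cap_dac_read_search"},
}
EXPECTED_OWNER, EXPECTED_GROUP = "root", "sssd"
# Matches 'path cap_a,cap_b=p' (newer libcap) and 'path = cap_a,cap_b+p' (older).
GETCAP_RE = re.compile(r"^(\S+)\s*=?\s*([\w,]+)[=+]([eip]+)$")

def audit_caps(getcap_output):
    """Findings for `getcap -r` lines: wrong caps, caps beyond 'p', or none at all."""
    findings, seen = [], set()
    for line in getcap_output.splitlines():
        m = GETCAP_RE.match(line.strip())
        if not m:
            continue
        path, caps, flags = m.groups()
        name, caps = path.rsplit("/", 1)[-1], set(caps.split(","))
        seen.add(name)
        if name not in EXPECTED_CAPS:
            findings.append(f"{name}: unexpected file capabilities {sorted(caps)}")
        elif caps != EXPECTED_CAPS[name] or flags != "p":
            findings.append(f"{name}: {sorted(caps)}={flags}, expected {sorted(EXPECTED_CAPS[name])}=p")
    for name in sorted(set(EXPECTED_CAPS) - seen):
        findings.append(f"{name}: no file capabilities set")
    return findings

def audit_perms(stat_output):
    """Findings for `stat -c '%a %U %G %n'` lines: world access, special bits, wrong owner:group."""
    findings = []
    for line in stat_output.strip().splitlines():
        mode, owner, group, path = line.split(None, 3)
        name = path.rsplit("/", 1)[-1]
        if name not in EXPECTED_CAPS:
            continue
        # 0o7007 covers any 'other' bit and setuid/setgid/sticky; none of them is expected
        if int(mode, 8) & 0o7007 or (owner, group) != (EXPECTED_OWNER, EXPECTED_GROUP):
            findings.append(f"{name}: {mode} {owner}:{group}, expected 750 root:sssd")
    return findings
# Constructed sample of a correctly packaged install (install path is assumed).
SAMPLE_GETCAP = """\
/usr/libexec/sssd/krb5_child cap_dac_read_search,cap_setgid,cap_setuid=p
/usr/libexec/sssd/ldap_child cap_dac_read_search=p
/usr/libexec/sssd/selinux_child cap_setgid,cap_setuid=p
/usr/libexec/sssd/sssd_pam cap_dac_read_search=p
"""
```

On a real host, feed it `getcap -r /usr/libexec/sssd 2>/dev/null` and `stat -c '%a %U %G %n' /usr/libexec/sssd/*` output; an empty findings list means the install matches the upstream packaging.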

### Configuration changes

* The `ad_allow_remote_domain_local_groups` option is deprecated and will be
  removed in a future release.
* The `dyndns_server` option is extended so it can be given in URI form
  (dns+tls://1.2.3.4:853#servername). A new set of options `dyndns_dot_cacert`,
  `dyndns_dot_cert` and `dyndns_dot_key` allows DNS-over-TLS communication to
  be configured.
* Added the `exop_force` value for the `ldap_pwmodify_mode` configuration
  option. It can be used to force a password change even if no grace logins
  are left. Depending on the LDAP server's configuration, the password change
  may still be expected to fail.

--
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org