Skip to content

sssd-2.10.1

Latest
Compare
Choose a tag to compare
@pbrezina pbrezina released this 10 Dec 14:37
· 93 commits to master since this release
2.10.1

SSSD 2.10.1 Release Notes

Highlights

General information

  • krb5-child-test was removed. Corresponding tests under 'src/tests/system/'
    are aimed to provide a comprehensive test coverage of 'krb5_child'
    functionality.
  • SSSD doesn't create anymore missing path components of DIR:/FILE: ccache types
    while acquiring user's TGT. The parent directory of requested ccache directory
    must exist and the user trying to log in must have 'rwx' access to this
    directory. This matches behavior of 'kinit'.
  • The DoT (DNS over TLS) for dynamic DNS updates is supported now. It requires
    new version of nsupdate from BIND 9.19+.
  • The option default_domain_suffix is deprecated. Consider using the more
    flexible domain_resolution_order instead.

Packaging changes

  • Important note for downstream maintainers.

    A set of capabilities required by privileged binaries was further reduced to:

    krb5_child cap_dac_read_search,cap_setgid,cap_setuid=p
    ldap_child cap_dac_read_search=p
    selinux_child cap_setgid,cap_setuid=p
    sssd_pam cap_dac_read_search=p
    

    Keep in mind that even with a limited set of fine grained capabilities, usual
    precautions still should be taken while packaging binaries with file
    capabilities: it's very important to make sure that those are executable only
    by root/sssd service user. For this reason upstream spec file packages it as:

    -rwxr-x---. 1 root sssd
    

    Failing to do so (i.e. allowing non-privileged users to execute those
    binaries) can impose systems installing the package to a security risk.

  • Support of deprecated 'ad_allow_remote_domain_local_groups' sssd.conf option
    isn't built by default. It can be enabled using
    '--with-allow-remote-domain-local-groups' ./configure option.

Configuration changes

  • ad_allow_remote_domain_local_groups option is deprecated and will be removed
    in future releases.
  • the dyndns_server option is extended so it can be in form of URI
    (dns+tls://1.2.3.4:853#servername). New set of options dyndns_dot_cacert,
    dyndns_dot_cert and dyndns_dot_key allows to configure DNS-over-TLS
    communication.
  • Added exop_force value for configuration option ldap_pwmodify_mode. This
    can be used to force a password change even if no grace logins are left.
    Depending on the configuration of the LDAP server it might be expected that
    the password change will fail.

See full release notes here.