Skip to content

sssd-2.10.0

Compare
Choose a tag to compare
@pbrezina pbrezina released this 15 Oct 10:31
· 120 commits to master since this release
2.10.0

SSSD 2.10.0 Release Notes

Highlights

General information

  • IMPORTANT note for downstream maintainers!

    This release features significant improvements of "running with less
    privileges (under unprivileged service user)" feature. There is still a
    ./configure option --with-sssd-user= available that allows downstream
    package maintainers to choose if support of non-root service user should be
    built. In case such support is built, a preferred way to configure service
    user is simply by starting SSSD under this user; for example, using
    User=/Group= options of systemd sssd.service file. Upstream defaults are
    to build --with-sssd-user=sssd and to install systemd service with
    User=/Group=sssd. In this case, only several helper processes -
    ldap_child, krb5_child and selinux_child - are executed with
    elevated capabilities (that are now granted using fine grained file
    capabilities instead of SUID bit). All other SSSD components run without any
    capabilities. In this scenario it's still possible to re-configure SSSD to run
    under root (if needed for some reason): besides changing User/Group=
    options, some other tweaks of systemd service files are required.

    A legacy method to configure a service user - sssd.conf user option - is
    now deprecated and its support isn’t built by default. It can be enabled using
    --with-conf-service-user-support ./configure option if needed (for
    example, due to backward compatibility requirements of stable releases).

    Further, no matter if SSSD is built --with-sssd-user=sssd or
    --with-sssd-user=root, when it's configured to run under root (in both
    cases) it still runs without capabilities, the same way as when it's
    configured to run under sssd user. The only difference is from the DAC
    perspective.

    Important note: owner of /etc/sssd/sssd.conf file (and snippets) should
    match the user configured to start SSSD service. Upstream spec file and
    service files change ownership of existing sssd.conf to sssd during
    package installation and at runtime for seamless upgrades / transition period
    only.

    Additionally, this release fixes a large number of issues with "socket
    activation of responders" feature, making it operable out-of-the-box when the
    package is built --with-sssd-user=sssd. Please take a note, that user
    configured to run main sssd.service and socket activated responders (if used)
    should match (i.e. if sssd.service is re-configured from upstream defaults to
    root then responders services also should be re-configured).

    Downstream package maintainers are advised to carefully inspect changes in
    contrib/sssd.spec.in, src/sysv/systemd/* and ./configure options
    that this release brings!

  • sssctl cache-upgrade command was removed. SSSD performs automatic upgrades
    at startup when needed.

  • Support of enumeration feature (i.e. ability to list all users/groups
    using getent passwd/group without argument) for AD/IPA providers is
    deprecated and might be removed in further releases. Those who are interested
    to keep using it awhile should configure its build explicitly using
    --with-extended-enumeration-support ./configure option.

  • A number of minor glitches of sssd-2.10.0-beta1 around building and
    packaging were fixed.

New features

  • The new tool sss_ssh_knownhosts can be used with ssh's
    KnownHostsCommand configuration option to retrieve the host's public keys
    from a remote server (FreeIPA, LDAP, etc.). This new tool, which is more
    reliable, replaces sss_ssh_knownhostsproxy. The latter is no longer built
    by default, but its build can be forced with the ./configure option
    --with-ssh-known-hosts-proxy.

Packaging changes

  • Building SSSD now unconditionally requires availability of ucred/
    SO_PEERCRED to enforce certain security checks at runtime (see man 7 unix for details).

  • SSSD now requires libini not older than v1.3

  • Explicit --with-semanage ./configure switch was removed, going forward
    --with-selinux includes this.

  • sssd_pam binary lost public rx bits and got cap_dac_read_search=p
    file capability to be able to use GSSAPI

  • Support of OpenSSL older than 1.0.1 was dropped

  • Support of --without-infopipe ./configure option was dropped. Feature
    is long time out of experimental state. Since building it doesn't require any
    additional dependencies, there is not much sense to keep option available.
    Those who not interested in feature can skip installing sssd-ifp sub-package.

Configuration changes

  • Default ldap_id_use_start_tls value changed from false to true for
    improved security.

  • Added a ldap_use_ppolicy option for backends with broken ppolicy extension
    handling.

  • Obsolete config_file_version option was removed.

  • Option reconnection_retries was removed since it is no longer used. SSSD
    switch to a new architecte of internal IPC between SSSD processes where
    responders do not connect to backend anymore and therefore this option is no
    longer used.

See full release notes here.