Support of legacy json format for ccaches was dropped
Support of the long-deprecated 'secrets' responder was dropped.
Support of the long-deprecated 'local' provider was dropped.
This release drops support of glib2 for Unicode processing; libunistring will be used unconditionally for Unicode processing.
This release removes pcre1 support. pcre2 is used unconditionally.
p11_child no longer stops at the first empty slot when searching for tokens.
A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access. The highest threat from this vulnerability is to confidentiality and integrity, as well as system availability. This release fixes the flaw by replacing system() with execvp(), so the user-supplied argument is never parsed by a shell.
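The following is an added illustration of the fix pattern described above; it is not SSSD's code and does not reproduce the actual sssctl logs-fetch or cache-expire implementation. The helper names run_vulnerable() and run_hardened() are hypothetical, and the external program `true` stands in for whatever tool the real subcommands invoke so that the example runs stand-alone. The malicious "file name" is constructed input. With system(), /bin/sh parses the command line, so the trailing `; exit 42` is executed as shell syntax and the child exits with 42; with execvp() and an explicit argv there is no shell, the same string reaches the program as a single literal argument, and the exit code stays 0.

```c
/* Added illustration (not SSSD's code): shell injection through system()
 * versus a direct execvp() with an argv array. `true` stands in for the
 * real external program; run_vulnerable/run_hardened are hypothetical names. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Map a wait status to the child's exit code (-1 if it did not exit normally). */
static int exit_code(int status)
{
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* VULNERABLE: the caller-chosen name is spliced into a command line that
 * /bin/sh parses, so ';', '|', '$(...)' and friends inside the name are
 * executed as shell syntax with the caller's (typically root's) privileges. */
int run_vulnerable(const char *file)
{
    char cmd[1024];
    int n = snprintf(cmd, sizeof(cmd), "true %s", file);
    if (n < 0 || (size_t)n >= sizeof(cmd)) {
        return -1;
    }
    return exit_code(system(cmd));
}

/* HARDENED: fork() + execvp() with an explicit argv. No shell is involved,
 * so the name reaches the program as exactly one argument, whatever
 * metacharacters it contains. */
int run_hardened(const char *file)
{
    pid_t pid = fork();
    if (pid < 0) {
        return -1;
    }
    if (pid == 0) {
        char *argv[] = { "true", (char *)file, NULL };
        execvp(argv[0], argv);
        _exit(127);   /* only reached if exec itself failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) {
        return -1;
    }
    return exit_code(status);
}

int main(void)
{
    /* Constructed malicious input: a "file name" that carries a shell command. */
    const char *evil = "sssd-logs.tar; exit 42";

    printf("system(): exit code %d (42 means the injected 'exit 42' ran)\n",
           run_vulnerable(evil));
    printf("execvp(): exit code %d (0 means 'true' got the name as one argument)\n",
           run_hardened(evil));
    return 0;
}
```

The same reasoning applies to popen() and to any wrapper that builds a command string: the fix is not to quote or escape the argument but to stop handing it to a shell at all.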
Basic support of a user's ‘subuid and subgid ranges’ for the IPA provider and a corresponding plugin for shadow-utils were introduced. Limitations:
- single subid interval pair (subuid+subgid) per user
- idviews aren't supported
- only forward lookup (user -> subid ranges)
Note that this is an MVP of an experimental feature; significant changes might be required later, after initial feedback. Corresponding support in shadow-utils was merged upstream, but since there is no upstream release available yet, the SSSD feature isn't built by default. The build can be enabled with the --with-subid configure option. The plugin's install path can be configured with
KCM now replaces the old credential with the new one when storing an updated credential that is already present in the ccache, to avoid unnecessary growth of the ccache.
The MPG search filter was made more specific so that it is reliable with ID overrides and the new auto_private_groups options.
Even if the forest root is disabled for lookups, all required internal data is initialized so that the list of trusted domains in the forest can be refreshed from a DC of the forest root.
ccache files are created with the right ownership during offline Smartcard authentication
AD ping is now sent over LDAP if cldap support is not available during build. This helps to build SSSD on distributions without cldap support in libldap.
The new IPA provider option ipa_subid_ranges_search_base allows configuration of the search base for a user's subid ranges. Default:
#2739 - sssd: incorrect checks on length values during packet decoding
#4904 - sss_cache prints spurious error messages when invoked from shadow-utils on package install
#5121 - timestamp cache entries are not created if missing
#5197 - Support subid resources in ipa provider
#5482 - Add support to verify authentication indicators in pam_sss_gss
#5514 - [RFE] SSSD logs improvements: clarify which config option applies to each timeout in the logs
#5596 - sss_cache: reset originalModifyTimestamp in timestamp cache as well
#5720 - SSSD requirement for CLDAP support in libldap should be optional
#5729 - kcm fails to start if /var/lib/sss/db is empty
#5744 - Lookup with fully-qualified name does not work with ‘cache_first = True’
#5767 - Drop support of glib2 for Unicode processing
#5768 - Drop support of obsolete PCRE1
#5770 - disabled root ad domain causes subdomains to be marked offline
#5775 - kcm: replace old credentials when storing a new one
#5785 - SSSD 2.4.1 - krb5_child creates ccache file owned by root when in offline mode
#5790 - IPA clients fail to resolve override group names.
#5824 - SSSD should use “hidden” temporary file in its krb locator
$ git shortlog --pretty=format:"%h %s" -w0,4 2.5.2..2.6.0
Alexey Tikhonov (17):
    f54608822 Basics of 'subid ranges' support for IPA provider.
    365cd676c NSS: don't treat absent 'CLEAR_MC_FLAG' as an error (This is expected in case of SIGHUP sent for log rotation.)
    7ab83f97e TOOLS: replace system() with execvp() to avoid execution of user supplied command
    bd2ccbf69 file utils: reduce log level in remove_tree_with_ctx() Users of this function are responsible to decide if fail is critical.
    c037432c3 BUILD: get rid of PCRE support
    6acb1d635 UNICODE: drop support of glib2 for Unicode processing
    3e94b64da Got rid of 'local' provider.
    c4c0fd690 CONF: removed unused 'sbus_timeout' option
    10069b1d3 Got rid of 'secrets' responder and it's support in KCM
    5bb5380cb libsecrets was disbanded and merged into KCM responder as this is the only its user now.
    9466aa4d9 KCM: secrets db: got rid of legacy json format support
    f5431c3a7 KCM: secrets db: got rid of legacy encrypted payload format
    dfb97f071 crypto: removed sss_encrypt()/sss_decrypt() helpers as those aren't used anymore.
    29f8a795f TESTS: avoid cross-test tainting of os.environ
    1e64a762f KCM: secdb: treat secdb_get_cc() == ENOENT the same way as corresponding key_by_*() == ENOENT (mostly)
    03f6ef367 krb5_child: fixed incorrect checks on length value
    01ff8155b MONITOR: reduce logs severity around signalling and termination of services to avoid useless in those cases backtraces
Anuj Borah (12):
    b6fe76e7e Tests: SSSD is generating lot of LDAP queries in a very large environment Issue: https://github.com/SSSD/sssd/issues/5121 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1772513
    9b24b8db2 Tests: Add support to verify authentication indicators in pam_sss_gss
    85723a7b8 Tests: fix sss_cache to also reset cached timestamp
    a67d3bc80 Test: Fix RHEL9.0 Regression - alltests-tier1
    bd422ccdf Tests: Suppress log message
    c3a8aad2b Tests: RHEL9.0 Regression - alltests-tier1_2
    aab4fe9cf Tests: SSSD logs improvements: clarify which config option applies to each timeout in the logs
    10d33986c Tests: Fix RHEL8.5 failures for IDM-CI
    b22f6195c Tests: sss_cache prints spurious error messages
    9121fbf9d Tests: Remove shadow-utils test cases from sssd repo
    51eaed9d0 Tests: Fix Failure of sssctl_local test
    8e22258c1 Tests: support subid ranges managed by FreeIPA
Assaf Morami (1):
    b9f8c2f99 p11_child: do_card partially fix loop exit condition when searching for token
David Ward (5):
    a9218fbe0 p11_child: Restore functionality of --wait_for_card
    f3aa4b47a p11_child: Ensure OpenSSL cleanup is performed
    3f1d03fc6 p11_child: Handle failure from p11_kit_uri_new()
    f5a9d8141 p11_child: Return updated CK_SLOT_INFO from wait_for_card()
    a036fc871 p11_child: Fix printing of non-null-terminated strings in do_card()
Jakub Jelen (1):
    dab4448de p11_child: Add missing newline after log message
Jakub Vavra (2):
    ccebfc9cf Tests: Add test_nss_get_by_name_with_private_group.
    a5716cd74 Tests: Add AD Parameters tests ported from bash.
Justin Stephenson (10):
    1dae17bf9 TESTS: Make test_kcm_renewals idempotent
    d41e956c6 MONITOR: Return success from genconf with no config
    9f58bef3e CI: unset DEBUGINFOD_URLS
    4b7b6fa70 KCM: Add krb5-libs dependency in spec
    fd3e397cf KCM: Remove unneeded allocation
    3d8dd1282 debug: Add chain ID support for journald logger
    3343b5a81 DP: Log offline warning for REQ_TRACE tracking
    26086212a Responder: Log client uid that started a request
    82e051e1f TOOLS: Add sss_analyze utility
    097feb329 SSSCTL: Add analyze command
Mantas Mikulėnas (1):
    1a1e914b9 NSS client: avoid using NETDB_INTERNAL if daemon is not available
Massimiliano Torromeo (1):
    57247096b TEST: Use absolute path for the MODPATH assertions in python tests
Pavel Březina (12):
    a2fc3a3ad Update version in version.m4 to track the next release
    a1f7035b3 remove deprecated talloc_autofree_context()
    575e1899e fix warnings around sss_getenv()
    9e47b63e4 configure: do not unset PYTHON_PREFIX and PYTHON_EXEC_PREFIX
    b606eb62c spec: fix invalid condition
    dfb6594e3 ad: fallback to ldap if cldap is not available in libldap
    aca2e08ba krb5: remove unused mem_ctx from get_krb5_data_from_cred()
    55c5de2d5 kcm: replace existing credentials to avoid unnecessary ccache growth
    770c7ce9c debug: fix unused variable warnings
    bb6d9d9cf monitor: fix unused variable warning
    11c7f6a65 pot: update pot files
    bd71ae53f Release sssd-2.6.0
Paweł Poławski (2):
    44525a999 General: Hardeninig getenv() usage
    c1dd12114 general: Fix compilation warnings
Sergio Durigan Junior (1):
    efd155f0a Improve assertion when verifying paths for Python modules
Shridhar Gadekar (2):
    818e4f925 Tests: Randomize sudo refresh timeouts
    e0d85ab68 Tests: improve sssd refresh timers for sudo queries
Steeve Goveas (3):
    6f1188a06 TEST: Add id and fix indentation in docstrings
    1d4095fbb TEST: usermod -d needs absolute path
    f0925489a Tests: Add firewalld package install on clients
Sumit Bose (9):
    cdc75c539 tests: do not use libcheck include file in cmocka tests
    7fdff741a test: replace deprecated libcheck macros
    26654d3e5 cache_req: cache_first fix for fully-qualified names
    ef6aa9e44 krb5: fix ccache ownership for offline Smartcard authentication
    e92988a62 debug: reduce logging of GetAccountDomain() in the frontends
    ca8b655fb debug: suppress backtrace for backend errors
    2a617c0ef sdap: always create sdap object for a forest root
    4be5fcd9a sysdb: more specific mpg search filter
    794127106 krb5: use hidden file when creating config snippets
Timotej Lazar (1):
    8ed53d284 Include sys/types.h in debug.h
Weblate (3):
    861e226b5 po: update translations
    e8055b8a2 po: update translations
    629f149eb po: update translations
Yuri Chornoivan (1):
    3e7aa1071 Fix minor typo: indicated -> indicate