SSSD 2.6.1 Release Notes

  • New infopipe method FindByValidCertificate() which accepts the certificate as input, validates it against configured CAs, and outputs the user path on success. This is similar to the existing FindByCertificate(), but that does not do any trust validation.

  • subid ranges support was enabled by default.

  • Default value of ssh_hash_known_hosts setting was changed to false for the sake of consistency with OpenSSH that does not hash host names by default.

  • #5224 - Add client certificate validation D-Bus API

  • #5528 - SSSD not detecting subdomain from AD forest (RHEL 8.3)

  • #5672 - Auth failures because of System Error

  • #5781 - socket-activated services start as the sssd user and then are unable to read the confdb

  • #5783 - proxy provider: secondary group is showing in sssd cache after group is removed

  • #5819 - After sssd update to 1.16.5-10.el7_9.8.x86_64 the customer is facing slow connection/authentication (due to discovery of unexpected AD domains)

  • #5832 - autofs lookups for unknown mounts are delayed for 50s

  • #5839 - “Unable to obtain cached rules” filling up sssd_sudo.log

  • #5846 - offline authentication and desktop profiles

  • #5848 - Consistency in defaults between OpenSSH and SSSD

  • #5854 - Add support for CKM_RSA_PKCS in smart card authentication.

$ git shortlog --pretty=format:"%h  %s" -w0,4 2.6.0..2.6.1

Alexey Tikhonov (17):
    625274738  DEBUG: fix missing "va_end"
    766fe6235  GPO: fixed compilation warning
    84a4230b1  KCM: fixed uninitialized value
    de6eba31e  Removed excessive includes around 'strtonum'
    a2cc7daef  'strtonum' helpers: usage sanitization
    3c17a57e7  'strto*()': usage sanitization
    a664e9ce0  TESTS: fixed a bug in define->string conversion
    86413e5f0  SUDO: decrease log level in case object wasn't found
    7cba8ed6a  KCM: delete malformed 'cn=default' entries
    e8b43cc82  SSH: changed default value of `ssh_hash_known_hosts` to false
    b30861d86  SPEC: enabled build of 'subid ranges' support
    d469a8105  SPEC: disable running files provider by default
    7121e56d7  INTG-TESTS: enable build of 'subid ranges' support
    bb8da4303  DEBUG: avoid backtrace dups.
    bd9038657  P11: refactoring of get_preferred_rsa_mechanism()
    71b6d548c  P11: add support of 'CKM_RSA_PKCS' mechanism
    b5073394d  TESTS: added two tests to check cert auth with specific RSA mechanisms: CKM_RSA_PKCS and CKM_SHA384_RSA_PKCS. (CKM_SHA384_RSA_PKCS is arbitrary chosen as one of CKM_SHA*_RSA_PKCS family)

Anuj Borah (2):
    305120b9a  Tests: Regression 8.5 - sssd-ipa
    48234ed8e  Tests: sss_override does not take precedence over override_homedir directive

Fernando Apesteguia (1):
    4292f9fdd  Fix untranslated string

Iker Pedrosa (3):
    301659a66  proxy: allow removing group members
    cf75d897b  ifp: new interface to validate a certificate
    50e6070e4  Tests: ifp interface to validate certificate

Justin Stephenson (2):
    60353300d  Tests: Fix warning about deprecated res_randomid()
    232ba7f0d  DP: Resolve intermediate groups prior to SR overlay

Pavel Březina (4):
    bb94a18f0  cache_req: return success for autofs when ENOENT is returned from provider
    8db2485cd  sbus: maintain correct refcount before sending a reply
    19a902a16  pot: update pot files
    02183611c  Release sssd-2.6.1

Shridhar Gadekar (1):
    bd521abe2  Tests: pam_sss_gss.so doesn't work with large kerberos tickets #5815

Stanislav Levin (1):
    7bfdd3db8  pam_sss: Allow offline authentication against non-ipa-desktopprofiles aware DC

Sumit Bose (1):
    4c48c4a77  ad: filter trusted domains

Tomas Halman (2):
    92e167994  CONFDB: Change ownership of config.ldb
    7db6cfd06  CONFDB: Change ownership before dropping privileges

Weblate (1):
    8406af355  po: update translations