SSSD 2.9.3 Release Notes
Highlights
SSSD 2.9 branch is now in long-term maintenance (LTM) phase.
General information
The proxy provider is now able to handle certificate mapping and matching rules and users handled by the proxy provider can be configured for local Smartcard authentication. Besides the mapping rule local Smartcard authentication should be enabled with the ‘local_auth_policy’ option in the backend and with ‘pam_cert_auth’ in the PAM responder.
Important fixes
Passkey doesn’t fail when using FreeIPA server-side authentication and require-user-verification=false.
New features
When adding a new credential to KCM and the user has already reached their limit, the oldest expired credential will be removed to free some space. If no expired credential is found to be removed, the operation will fail as it happened in the previous versions.
Tickets Fixed
#6667 - KCM: provide mechanism to purge expired credentials
#6681 - Default hardening - id_provider channel defaults unencrypted with starttls
#6920 - sssd-sudo missing debug statement in its .service file
#6942 - SSSD goes offline during initgroups of trusted user if a group is missing SID
#6956 - Incorrect handling of reverse IPv6 update results in update failure
#7009 - sssd-2.9.2-1.el8 breaks smart card authentication
Detailed Changelog
$ git shortlog --pretty=format:"%h %s" -w0,4 2.9.2..2.9.3
Alejandro López (3):
c6ea805ee NSS: Replace notification message by a less scary one
1fa72109e KCM: Remove the oldest expired credential if no more space.
834b53697 KCM: Display in the log the limit as set by the user
Alexey Tikhonov (4):
b86d301c1 SUDO service: ${DEBUG_LOGGER} was missed for 'sudo'
0705145c6 MC: a couple of additions to 'recover from invalid memory cache size' patch
5e35a695b configure: use 'LDB_CFLAGS'
ef5370e96 SSS_CLIENT: replace `__thread` with `pthread_*specific()`
Dan Lavu (4):
674ee267c tests: adding group and importance markers
aa3616b34 Updating ad_multihost test
c866b5316 Updating ad_multihost test
3fd19c802 Adding test case for bz2167728
Iker Pedrosa (3):
a31113389 passkey: omit user-verification
9c4f7281d man: clarify user credentials for `cache_credentials`
fa33c997c CI: build passkey for centos-9
Jakub Vavra (8):
f1a11708a Tests: Print krb5.conf when joining realm.
cb1c59c7a Tests: Split package installation to different transactions.
f117da5a0 Tests: Handle dns with systemd resolved.
ec8f0269c tests: Add missing pytest marker config.
6218b40fb Tests: Skip tests unstable on other archs and tweak realm join.
c799b75da Tests: Fix AD param sasl tests.
c99f684c7 Tests: adjoin in test_00015_authselect_cannot_validate_its_own_files
a9498b12b Tests: Fix autofs cleanups
Justin Stephenson (5):
02bd1d7e7 Passkey: Allow kerberos preauth for "false" UV
5469de2fa tests: Improve read write pipe child tests
004796939 util: Realloc buffer size for atomic safe read
ede391c26 Passkey: Increase conv message size for prompting
793284ab9 man: Improve LDAP security wording
Madhuri Upadhye (1):
df709da52 tests: add passkey tests for sssctl and non-kerberos authentication
Patrik Rosecky (7):
0a429107a tests: convert multihost/basic/test_basic to test_kcm and test_authentication
583daff7d Tests: converted alltests/test_pasword_policy.py to tests/test_ldap.py
b8b2bfaf1 Tests: alltest/test_sssctl_local.py converted to system/tests/sssctl.py
7a53c7ac7 Tests: multihost/basic/test_files converted
a9617cff8 Tests:alltests/test_rfc2307.py converted to test_ldap.py
8d5752f44 Tests: alltests/test_sss_cache.py converted to multihost/test_sssctl.py
9e7a08a80 TESTS: topology set to KnownTopologyGroup.AnyProvider
Pavel Březina (7):
71ca2053b tests: add sssd_test_framework.markers plugin
6bba653c6 ci: install latest SSSD code on IPA server
380eafa5b intg: return status code for calls requiring it in fake nss module
e217fa826 ci: get frozen Fedora releases in the matrix
5a546c84e ipa: do not go offline if group does not have SID
d380342b4 pot: update pot files
ee2e0cd9b Release sssd-2.9.3
Scott Poore (1):
3b939ce9c Tests: add follow-symlinks to sed for nsswitch
Sumit Bose (10):
a4de653f5 ci: remove unused clang-analyzer from dependencies
7d73571ed utils: enable talloc null tracking
42face74e proxy: add support for certificate mapping rules
351aab979 intg: add NSS module for nss-wrapper support
d36491435 intg: replace files with proxy provider in PAM responder test
25a913eae confdb: add new option for confdb_certmap_to_sysdb()
7668ed6eb intg: use file and proxy provider in PAM responder test
04b6a22b3 intg: add proxy auth with fallback test
2bbc87540 ipa: reduce log level of some HBAC log messages
3da54579e PAM: fix Smartcard offline authentication
Tomas Halman (1):
a48c7445d dyndns: PTR record updates separately
Weblate (1):
2eae8ab44 po: update translations
aborah (2):
45fbcd93c Tests: Enabling proxy_fast_alias shows "ldb_modify failed: [Invalid attribute syntax]" for id lookups.
7e45b32a3 Tests: Port rootdse test suit to new test framework.
dependabot[bot] (4):
9ebaee777 build(deps): bump DamianReeves/write-file-action
d154f72d0 build(deps): bump actions/checkout from 3 to 4
66d115cc8 build(deps): bump vapier/coverity-scan-action from 1.2.0 to 1.7.0
155584ee2 build(deps): bump linuxdeepin/action-cppcheck
licunlong (1):
129ceaed8 cli: caculate the wait_time in milliseconds