SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for sssd-krb5-2.7.0-1.5.x86_64.rpm :

* Thu Apr 14 2022 Jan Engelhardt - Update to release 2.7.0
* Better default for IPA/AD re_expression. Tunning for group names containing \'AATT\' is no longer needed.
* A new debug level is added to show statistical and performance data.
* Added support for anonymous PKINIT to get FAST credentials.
* SSSD now correctly falls back to UPN search if the user was not found even with `cache_first = true`.
* Mon Feb 21 2022 Callum Farmer - Enable selinux support- Update Supplements to new format
* Wed Feb 09 2022 Samuel Cabrero - Remove caches only when performing a package downgrade. The sssd daemon takes care of upgrading the database format when necessary (bsc#1195552)
* Tue Jan 25 2022 Jan Engelhardt - Update to release 2.6.3
* A regression introduced in sssd-2.6.2 in the IPA provider that prevented users from login was fixed. Access control always denied access because the selinux_child returned an unexpected reply.
* A critical regression that prevented authentication of users via AD and IPA providers was fixed. LDAP port was reused for Kerberos communication and this provider would send incomprehensible information to this port.
* When authenticating AD users, backtrace was triggered even though everything was working correctly. This was caused by a search in the global catalog. Servers from the global catalog are filtered out of the list before writing the KDC info file. With this fix, SSSD does not attempt to write to the KDC info file when performing a GC lookup.
* Mon Jan 17 2022 Jan Engelhardt - Upgrade LDB_DIR shell variable to %ldbdir macro.
* Tue Jan 11 2022 Samuel Cabrero - Remove libsmbclient-devel BuildRequires in favor of pkgconfig(smbclient)
* Thu Dec 23 2021 Jan Engelhardt - Update to release 2.6.2
* Quick log out and log in did not correctly refresh user\'s initgroups in no_session PAM schema due to lingering systemd processes.
* Tue Nov 23 2021 Johannes Segitz - Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
* harden_sssd-ifp.service.patch
* harden_sssd-kcm.service.patch
* Tue Nov 09 2021 Jan Engelhardt - Update to release 2.6.1
* New infopipe method FindByValidCertificate().
* The default value of the \"ssh_hash_known_hosts\" setting was changed to false for the sake of consistency with OpenSSH that does not hash host names by default.
* Fri Oct 15 2021 Jan Engelhardt - Update to release 2.6.0
* Support of legacy json format for ccaches was dropped.
* Support of long time deprecated secrets responder was dropped.
* Support of long time deprecated local provider was dropped.
* The sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands, which was fixed.
* Basic support of user\'s \'subuid and subgid ranges\' for IPA provider and corresponding plugin for shadow-utils were added.
* Mon Jul 12 2021 Jan Engelhardt - Update to release 2.5.2
* originalADgidNumber attribute in the SSSD cache is now indexed.
* Add new config option fallback_to_nss.
* Tue Jun 08 2021 Jan Engelhardt - Update to release 2.5.1
* auto_private_groups option can be set centrally through ID range setting in IPA (see ipa idrange commands family). This feature requires SSSD update on both client and server. This feature also requires freeipa 4.9.4 and newer.
* Fix getsidbyname issues with IPA users with a user-private-group.
* Default value of ldap_sudo_random_offset changed to 0 (disabled). This makes sure that sudo rules are available as soon as possible after SSSD start in default configuration.
* Mon May 10 2021 Jan Engelhardt - Update to release 2.5.0
* Added support for automatic renewal of renewable TGTs that are stored in KCM ccache. This can be enabled by setting tgt_renewal = true. See the sssd-kcm man page for more details. This feature requires MIT Kerberos krb5-1.19-0.beta2.3 or higher.
* ad_gpo_implicit_deny is now respected even if there are no applicable GPOs present.
* Tue Apr 06 2021 Samuel Cabrero - Move sssctl command from sssd to sssd-tools package; (bsc#1184289);
* Thu Apr 01 2021 jeffmAATTsuse.com- Add missing /var/lib/sss/pubconf/krb5.include.d directory (bsc#1184285).
* Tue Feb 23 2021 Aurelien Aptel - Make cifs-idmap plugin (cifs_idmap_sss.so) use update-alternatives mechanism to be able to switch between cifs-utils and sssd; (bsc#1182682).
* Fri Feb 19 2021 Jan Engelhardt - Update to release 2.4.2
* Default value of \"user\" config option was fixed into accordance with man page, i.e. default is \"root\".
* pam_sss_gss now support authentication indicators to further harden the authentication.
* Fri Feb 12 2021 Dominique Leuenberger - Pass --with-pid-path=%{_rundir} to configure: adjust rundir according the distro settings, i.e. /run on modern systems. Eliminates a systemd warning like this one in the journal: Feb 12 12:33:32 zeus systemd[1]: /usr/lib/systemd/system/sssd.service:13: PIDFile= references a path below legacy directory /var/run/, updating /var/run/sssd.pid → /run/sssd.pid; please update the unit file accordingly.
* Fri Feb 05 2021 Jan Engelhardt - Update to release 2.4.1
* New PAM module pam_sss_gss for authentication using GSSAPI.
* case_sensitive=Preserving can now be set for trusted domains with AD and IPA providers.
* krb5_use_subdomain_realm=True can now be used when sub-domain user principal names have upnSuffixes which are not known in the parent domain. SSSD will try to send the Kerberos request directly to a KDC of the sub-domain.
* SYSLOG_IDENTIFIER was renamed to SSSD_PRG_NAME in journald output, to avoid issues with PID parsing in rsyslog (BSD-style forwarder) output.
* Added pam_gssapi_check_upn to enforce authentication only with principal that can be associated with target user.
* Added pam_gssapi_services to list PAM services that can authenticate using GSSAPI.
 
ICM