[Freeipa-interest] Announcing SSSD 2.4.1

Pavel Březina pbrezina at redhat.com
Fri Feb 5 12:53:52 UTC 2021


# SSSD 2.4.1

The SSSD team is proud to announce the release of version 2.4.1 of the
System Security Services Daemon. The tarball can be downloaded from:
     https://github.com/SSSD/sssd/releases/tag/2.4.1

See the full release notes at:
     https://sssd.io/docs/users/relnotes/notes_2_4_1

RPM packages will be made available for Fedora shortly.

## Feedback

Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
     https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
     https://lists.fedorahosted.org/mailman/listinfo/sssd-users

## Highlights

### General information

* `SYSLOG_IDENTIFIER` was renamed to `SSSD_PRG_NAME` in journald output, to avoid issues with PID parsing in rsyslog (BSD-style forwarder) output.

### New features

* New PAM module `pam_sss_gss` for authentication using GSSAPI
* `case_sensitive=Preserving` can now be set for trusted domains with the AD provider
* `case_sensitive=Preserving` can now be set for trusted domains with the IPA provider. However, the option needs to be set to `Preserving` on both the client and the server for it to take effect.
* The `case_sensitive` option can now be inherited by subdomains
* `case_sensitive` can now be set separately for each subdomain in the `[domain/parent/subdomain]` section
* `krb5_use_subdomain_realm=True` can now be used when sub-domain user principal names have upnSuffixes which are not known in the parent domain. SSSD will try to send the Kerberos request directly to a KDC of the sub-domain.

### Important fixes

* krb5_child uses proper umask for DIR type ccaches
* Memory leak in the simple access provider
* KCM performance has improved dramatically for cases where a large number of credentials are stored in the ccache.

### Packaging changes

* Added `pam_sss_gss.so` PAM module and `pam_sss_gss.8` manual page

### Configuration changes

* New default value of `debug_level` is 0x0070
* Added `pam_gssapi_check_upn` to enforce authentication only with a principal that can be associated with the target user.
* Added `pam_gssapi_services` to list PAM services that can authenticate using GSSAPI
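
The following is an added example, not part of the announcement or of SSSD itself: a small audit of an `sssd.conf` that resolves the two new `pam_sss_gss` options per domain and flags domains where GSSAPI authentication is enabled while `pam_gssapi_check_upn` is turned off. The sample configuration is constructed, and the defaults and the lookup order (trusted domain, then parent domain, then `[pam]`) are assumptions taken from sssd.conf(5).

```python
import configparser

# Constructed sample configuration (not from the announcement).
SAMPLE_CONF = """\
[pam]
pam_gssapi_services = sudo, sudo-i

[domain/example.test]

[domain/lab.test]
pam_gssapi_check_upn = False

[domain/lab.test/child.lab.test]
pam_gssapi_services = -
"""

# Assumed defaults per sssd.conf(5): GSSAPI authentication disabled ("-"),
# UPN check enabled unless configured otherwise.
DEFAULTS = {"pam_gssapi_services": "-", "pam_gssapi_check_upn": "True"}


def effective(cp, section, option):
    """Resolve an option: trusted domain, then parent domain, then [pam]."""
    parts = section.split("/")
    chain = ["/".join(parts[:n]) for n in range(len(parts), 1, -1)] + ["pam"]
    for name in chain:
        if cp.has_option(name, option):
            return cp.get(name, option).strip()
    return DEFAULTS[option]


def audit_gssapi(conf_text):
    """Map each domain section to (services, check_upn, flagged)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        raw = effective(cp, section, "pam_gssapi_services")
        services = [] if raw == "-" else [s.strip() for s in raw.split(",") if s.strip()]
        check_upn = effective(cp, section, "pam_gssapi_check_upn").lower() == "true"
        # Flag: GSSAPI enabled without requiring the principal to map to the target user.
        report[section] = (services, check_upn, bool(services) and not check_upn)
    return report


if __name__ == "__main__":
    for dom, (svcs, upn, flagged) in audit_gssapi(SAMPLE_CONF).items():
        print(f"{dom}: services={svcs} check_upn={upn} {'REVIEW' if flagged else 'ok'}")
```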



