sssd-2.5.2-1.6 RPM for armv7hl

From OpenSuSE Ports Tumbleweed for armv7hl

Name: sssd
Distribution: openSUSE Tumbleweed
Version: 2.5.2
Vendor: openSUSE
Release: 1.6
Build date: Thu Oct 21 12:07:24 2021
Group: System/Daemons
Build host: obs-arm-10
Size: 4370329
Source RPM: sssd-2.5.2-1.6.src.rpm
Summary: System Security Services Daemon
Provides a set of daemons to manage access to remote directories and
authentication mechanisms. It provides an NSS and PAM interface toward
the system and a pluggable backend system to connect to multiple different
account sources. It is also the basis to provide client auditing and policy
services for projects like FreeIPA.




License: GPL-3.0-or-later and LGPL-3.0-or-later


* Mon Jul 12 2021 Jan Engelhardt <>
  - Update to release 2.5.2
    * originalADgidNumber attribute in the SSSD cache is now indexed.
    * Add new config option fallback_to_nss.
* Tue Jun 08 2021 Jan Engelhardt <>
  - Update to release 2.5.1
    * auto_private_groups option can be set centrally through ID
      range setting in IPA (see ipa idrange commands family). This
      feature requires SSSD update on both client and server. This
      feature also requires freeipa 4.9.4 and newer.
    * Fix getsidbyname issues with IPA users with a
    * Default value of ldap_sudo_random_offset changed to 0
      (disabled). This makes sure that sudo rules are available as
      soon as possible after SSSD start in default configuration.
* Mon May 10 2021 Jan Engelhardt <>
  - Update to release 2.5.0
    * Added support for automatic renewal of renewable TGTs that
      are stored in KCM ccache. This can be enabled by setting
      tgt_renewal = true. See the sssd-kcm man page for more
      details. This feature requires MIT Kerberos
      krb5-1.19-0.beta2.3 or higher.
    * ad_gpo_implicit_deny is now respected even if there are no
      applicable GPOs present.
* Tue Apr 06 2021 Samuel Cabrero <>
  - Move sssctl command from sssd to sssd-tools package; (bsc#1184289);
* Thu Apr 01 2021
  - Add missing /var/lib/sss/pubconf/krb5.include.d directory (bsc#1184285).
* Tue Feb 23 2021 Aurelien Aptel <>
  - Make cifs-idmap plugin ( use update-alternatives
    mechanism to be able to switch between cifs-utils and sssd;
* Fri Feb 19 2021 Jan Engelhardt <>
  - Update to release 2.4.2
    * Default value of "user" config option was fixed into
      accordance with man page, i.e. default is "root".
    * pam_sss_gss now supports authentication indicators to further
      harden the authentication.
* Fri Feb 12 2021 Dominique Leuenberger <>
  - Pass --with-pid-path=%{_rundir} to configure: adjust rundir
    according to the distro settings, i.e. /run on modern systems.
    Eliminates a systemd warning like this one in the journal:
      Feb 12 12:33:32 zeus systemd[1]: /usr/lib/systemd/system/sssd.service:13:
      PIDFile= references a path below legacy directory /var/run/,
      updating /var/run/ → /run/; please update the unit file accordingly.
* Fri Feb 05 2021 Jan Engelhardt <>
  - Update to release 2.4.1
    * New PAM module pam_sss_gss for authentication using GSSAPI.
    * case_sensitive=Preserving can now be set for trusted domains
      with AD and IPA providers.
    * krb5_use_subdomain_realm=True can now be used when sub-domain
      user principal names have upnSuffixes which are not known in
      the parent domain. SSSD will try to send the Kerberos request
      directly to a KDC of the sub-domain.
    * SYSLOG_IDENTIFIER was renamed to SSSD_PRG_NAME in journald
      output, to avoid issues with PID parsing in rsyslog
      (BSD-style forwarder) output.
    * Added pam_gssapi_check_upn to enforce authentication only
      with principal that can be associated with target user.
    * Added pam_gssapi_services to list PAM services that can
      authenticate using GSSAPI.
* Mon Oct 12 2020 Jan Engelhardt <>
  - Update to release 2.4.0
    * Session recording can now exclude specific users or groups
      when scope is set to all (see exclude_users and
      exclude_groups options).
    * Active Directory provider now sends CLDAP pings over UDP
      protocol to Domain Controllers in parallel to determine site
      and forest to speed up server discovery.
* Mon Aug 10 2020 Jan Engelhardt <>
  - Build sssd's KCM.
* Fri Jul 24 2020 Jan Engelhardt <>
  - Update to release 2.3.1
    * Domains can be now explicitly enabled or disabled using
      enable option in domain section. This can be especially used
      in configuration snippets.
    * New configuration options memcache_size_passwd,
      memcache_size_group, memcache_size_initgroups that can be
      used to control memory cache size.
    * Fixed several regressions in GPO processing introduced in
    * Fixed regression in PAM responder: failures in cache only
      lookups are no longer considered fatal.
    * Fixed regression in proxy provider: pwfield=x is now default
      value only for sssd-shadowutils target.
  - sssd-wbclient is obsolete and no longer shipped
* Tue May 19 2020 Jan Engelhardt <>
  - Update to release 2.3.0
    * SSSD can now handle hosts and networks nsswitch databases
      (see resolve_provider option).
    * By default, authentication requests only refresh the user's
      initgroups if it is expired or there is no active user
      session (see pam_initgroups_scheme option).
    * OpenSSL is used as default crypto provider, NSS is deprecated.
    * The AD provider now defaults to GSS-SPNEGO SASL mechanism
      (see ldap_sasl_mech option).
    * The AD provider can now be configured to use only ldaps port
      (see ad_use_ldaps option).
    * SSSD now accepts host entries from GPO's security filter.
    * New debug level (0x10000) added for low level LDB messages
      only (see sssd.conf man page).
  - Drop sssd-gpo_host_security_filter-2.2.2.patch,
    0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch (merged)
  - Drop 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
* Tue Mar 24 2020 Jan Engelhardt <>
  - Update to 2.2.3
    * New features:
    * allow_missing_name now treats empty strings the same as
      missing names.
    * "soft_ocsp" and "soft_crl" options have been added to make
      the checks for revoked certificates more flexible if the
      system is offline.
    * Smart card authentication in polkit is now allowed by default.
    * Fixes:
    * Handling of FreeIPA users and groups containing ‘@’ sign now
    * SSSD was unable to handle ldap_uri containing URIs with
      different port numbers, which has been rectified.
  - Add 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
* Mon Mar 16 2020 Samuel Cabrero <>
  - Fix dynamic DNS updates not using FQDN (bsc#1160587); Add
* Sun Jan 19 2020 Stefan Brüns <>
  - Remove leftover python2 build dependencies
  - Remove python3-devel BuildRequires in favor of pkgconfig(python3)
* Mon Jan 13 2020 David Mulder <>
  - SSSD GPO host entries are ignored if computer cn does not
    match its samaccountname, add
    (jsc#SLE-9298); (bsc#1160688)
* Thu Jan 02 2020 David Mulder <>
  - SSSD should accept host entries from GPO's security filter, add
    sssd-gpo_host_security_filter-2.2.2.patch; (jsc#SLE-9298)
* Fri Nov 22 2019 Samuel Cabrero <>
  - Install infopipe dbus service (bsc#1106598)
  - Add systemd service unit files to manage socket or bus activated responders.
  - All responders except infopipe are also managed by a socket unit file.
  - Add missing post and postun hooks for libsss_certmap0 package.
* Thu Nov 21 2019 Jan Engelhardt <>
  - Update to release 2.2.2
    * New options were added which allow sssd-kcm to handle bigger
      data. See manual pages for max_ccaches, max_uid_caches and
    * SSSD can now automatically refresh cached user data from
      subdomains in IPA/AD trust.
    * Fixed issue with SSSD hanging when connecting to
      non-responsive server with ldaps://.
    * SSSD is now restarted by systemd after crashes.
* Tue Jun 18 2019 Jan Engelhardt <>
  - Update to new upstream release 2.2.0
    * The Kerberos provider can now include more KDC addresses or
      host names when writing data for the Kerberos locator plugin.
    * The 2FA prompting can now be configured.
    * The LDAP authentication provider now allows to use a
      different method of changing LDAP passwords using a modify
      operation in addition to the default extended operation.
    * The "auto_private_groups" configuration option now takes a
      new value hybrid.
    * A new option "ad_gpo_ignore_unreadable" was added.
    * The "cached_auth_timeout" parameter is now inherited by
      trusted domains.
    * The "ldap_sasl_mech" option now accepts another mechanism
      "GSS-SPNEGO" in addition to "GSSAPI".
    * The sssctl tool has two new commands, "cert-show" and
* Fri Apr 26 2019 Samuel Cabrero <>
  - Create directory to download and cache GPOs (bsc#1132879)
* Sat Mar 16 2019 Jan Engelhardt <>
  - Update to new upstream release 2.1.0
    * Any provider can now match and map certificates to user
    * pam_sss can now be configured to only perform Smart Card
      authentication or return an error if this is not possible.
    * pam_sss can also prompt the user to insert a Smart Card if,
      during an authentication it is not available.
    * A new configuration option ad_gpo_implicit_deny was added.
      This option (when set to True) can be used to deny access to
      users even if there is no applicable GPO.
    * The dynamic DNS update can now batch DNS updates to include
      all address family updates in a single transaction.
* Wed Feb 20 2019 Samuel Cabrero <>
  - Install systemd service unit file created from source's template
  - Install logrotate configuration (bsc#1004220)
  - Set journald as system logger
* Fri Feb 15 2019 Jan Engelhardt <>
  - Add krb-noversion.diff so sssd_pac builds even with newer krb.
* Mon Oct 01 2018
  - Add dependency to adcli for sssd-ad
      (SLE15: fate#326619, bsc#1109849)
      (SLE12SP4: fate#326620, bsc#1110121)
* Fri Sep 07 2018 Jan Engelhardt <>
  - Update to new upstream release 2.0.0
    * The Python API for managing users and groups in local domains
      (id_provider=local) was removed completely. The local
      provider (id_provider=local) and the command line tools to
      manage users and groups in the local domains, such as
      sss_useradd, are not built anymore.
    * The LDAP provider had a special-case branch for evaluating
      group memberships with the RFC2307bis schema when group
      nesting was explicitly disabled. This codepath is removed.
    * The "ldap_sudo_include_regexp" option changed its default
      value from true to false. Wildcards in the sudoHost LDAP
      attribute are no longer evaluated. This was costly to
      evaluate on the LDAP server side and at the same time rarely
    * The list of PAM services which are allowed to authenticate
      using a Smart Card is now configurable using a new option
* Fri Aug 31 2018
  - Update to upstream release 1.16.3
    * New Features:
    * kdcinfo files for informing krb5 about discovered KDCs are
      now also generated for trusted domains in setups that use
      id_provider=ad and IPA masters in a trust relationship with
      an AD domain.
    * The Kerberos locator plugin can now process multiple
      addresses if SSSD generates more than one. A
    * Bug fixes:
    * Fixed information leak due to incorrect permissions on
      /var/lib/sss/pipes/sudo [CVE-2018-10852, bsc#1098377]
    * Cached passwords are now stored with a salt. Old ones will be
      regenerated on next authentication, and the auth server needs
      to be reachable for that.
    * The sss_ssh process leaked file descriptors when converting
      more than one X.509 certificate to an SSH public key.
    * The PAC responder is now able to process Domain Local in case
      the PAC uses SID compression (Windows Server 2012+).
    * Address the issue that some versions of OpenSSH would close
      the pipe towards sss_ssh_authorizedkeys when the matching key
      is found before the rest of the output is read.
    * User lookups no longer fail if user's e-mail address
      conflicts with another user's fully qualified name.
    * The override_shell and override_homedir options are no longer
      applied to entries from the files domain.
    * The grace logins with an expired password when authenticating
      against certain newer versions of the 389DS/RHDS LDAP server
      did not work.
  - Removed patches that are included upstream now:
* Sun Jul 01 2018
  - Fixed patch name.
* Wed Jun 20 2018
  - Introduce patches:
    * Create sockets with right permissions:
      (bsc#1098377, CVE-2018-10852)
    * Fix for sssd upstream integration tests
* Wed Jun 20 2018
  - Update to new minor upstream release 1.16.2
    New Features:
    * The smart card authentication, or in more general certificate
      authentication code now supports OpenSSL in addition to previously
      supported NSS (#3489). In addition, the SSH responder can now
      return public SSH keys derived from the public keys stored in a
      X.509 certificate. Please refer to the ssh_use_certificate_keys
      option in the man pages.
    * The files provider now supports mirroring multiple passwd or
      group files. This enhancement can be used to use the SSSD files
      provider instead of the nss_altfiles module
    * A memory handling issue in the nss_ex interface was fixed. This
      bug would manifest in IPA environments with a trusted AD domain
      as a crash of the ns-slapd process, because a ns-slapd plugin
      loads the nss_ex interface (#3715)
    * Several fixes for the KCM daemon were merged (see #3687, #3671, #3633)
    * The ad_site override is now honored in GPO code as well (#3646)
    * Several potential crashes in the NSS responder’s netgroup code
      were fixed (#3679, #3731)
    * A potential crash in the autofs responder’s code was fixed (#3752)
    * The LDAP provider now supports group renaming (#2653)
    * The GPO access control code no longer returns an error if one
      of the relevant GPO rules contained no SIDs at all (#3680)
    * A memory leak in the IPA provider related to resolving external
      AD groups was fixed (#3719)
    * Setups that used multiple domains where one of the domains had
      its ID space limited using the min_id/max_id options did not
      resolve requests by ID properly (#3728)
    * Overriding IDs or names did not work correctly when the domain
      resolution order was set as well (#3595)
    * A version mismatch between certain newer Samba versions (e.g.
      those shipped in RHEL-7.5) and the Winbind interface provided
      by SSSD was fixed. To further prevent issues like this in the
      future, the correct interface is now detected at build time (#3741)
    * The files provider no longer returns a qualified name in case
      domain resolution order is used (#3743)
    * A race condition between evaluating IPA group memberships and
      AD group memberships in setups with IPA-AD trusts that would
      have manifested as randomly losing IPA group memberships assigned
      to an AD user was fixed (#3744)
    * Setting an SELinux login label was broken in setups where the
      domain resolution order was used (#3740)
    * SSSD start up issue on systems that use the libldb library
      with version 1.4.0 or newer was fixed.
    Introduce a patch:
    * Fix build of sssd of 1.16.2 version:
      (back then called fix-build.patch)
* Fri Apr 27 2018
  - Update to new minor upstream release 1.16.1 (fate#323340):
    New Features:
    * A new option auto_private_groups was added. If this option is
    enabled, SSSD will automatically create user private groups based
    on user’s UID number. The GID number is ignored in this case.
    * The SSSD smart card integration now supports a special type of PAM
    conversation implemented by GDM which allows the user to select
    the appropriate smart card certificate in GDM.
    * A new API for accessing user and group information was added.
    This API is similar to the traditional Name Service Switch API, but
    allows the consumer to talk to SSSD directly as well as to
    fine-tune the query with e.g. how cache should be evaluated.
    * The sssctl command line tool gained a new command access-report,
    which can generate who can access the client machine. Currently
    only generating the report on an IPA client based on HBAC rules
    is supported.
    * The hostid provider was moved from the IPA specific code to
    the generic LDAP code. This allows SSH host keys to be accessed by
    the generic LDAP provider as well. See the ldap_host_* options in
    the sssd-ldap manual page for more details.
    * Setting the memcache_timeout option to 0 disabled creating
    the memory cache files altogether. This can be useful in cases
    where there is a bug in the memory cache that needs working around.
* Tue Apr 24 2018
  - Updated sssd.spec:
    The IPA provider depends on AD provider's PAC executable, hence
    introducing the package dependency. (bsc#1021441, bsc#1062124)
* Tue Feb 27 2018
  - Remove package descriptions for the python 2 packages that are
    no longer distributed:
    * python-ipa_hbac
    * python-sss-murmur
    * python-sss_nss_idmap
    * python-sssd-config
  - Correct python version dependency of tools package. (bsc#1082108)



