
sssd-2.8.2-3.1 RPM for s390x

From OpenSuSE Ports Tumbleweed for s390x

Name: sssd
Distribution: openSUSE:Factory:zSystems
Version: 2.8.2
Vendor: openSUSE
Release: 3.1
Build date: Wed Jan 4 18:30:06 2023
Group: System/Daemons
Build host: s390zp21
Size: 5282962
Source RPM: sssd-2.8.2-3.1.src.rpm
Summary: System Security Services Daemon
Provides a set of daemons to manage access to remote directories and
authentication mechanisms. It provides an NSS and PAM interface toward
the system and a pluggable backend system to connect to multiple different
account sources. It is also the basis to provide client auditing and policy
services for projects like FreeIPA.




GPL-3.0-or-later AND LGPL-3.0-or-later


* Tue Jan 03 2023 Stefan Schubert <>
  - Migration of PAM settings to /usr/lib/pam.d.
* Wed Dec 21 2022 Jan Engelhardt <>
  - Take systemd units off the restart list that have
    RefuseManualStart=yes [boo#1206592]
  - Add symvers.patch [boo#1206592]
* Sun Dec 11 2022 Jan Engelhardt <>
  - Update to release 2.8.2
    * New mapping template for serial number, subject key id, SID,
      certificate hashes and DN components are added to
* Fri Nov 04 2022 Jan Engelhardt <>
  - Update to release 2.8.1
    * A regression where running sss_cache when no SSSD domain is
      enabled would produce a critical syslog message was fixed.
* Fri Oct 07 2022 Jan Engelhardt <>
  - Update to release 2.8.0
    * Introduced the dbus function
      org.freedesktop.sssd.infopipe.Users.ListByAttr(attr, value,
      limit) listing up to limit users matching the filter
    * sssctl is now able to create, list and delete indexes on the
      local caches. Indexes are useful for the new D-Bus
      ListByAttr() function.
    * sssctl is now able to read and set each component's debug
      level independently.
    * A number of new configuration options are available,
      cf. .
* Thu Sep 01 2022 Stefan Schubert <>
  - Migration to /usr/etc: Saving user changed configuration files
    in /etc and restoring them during an RPM update.
* Fri Aug 26 2022 Jan Engelhardt <>
  - Update to release 2.7.4
    * Lock-free client support will be only built if libc provides
      pthread_key_create() and pthread_once(). For glibc this means
      version 2.34+.
* Mon Jul 04 2022 Jan Engelhardt <>
  - Update to release 2.7.3
    * All SSSD client libraries (nss, pam, etc) won't serialize
      requests anymore by default, i.e. requests from multiple
      threads can be executed in parallel. Old behavior
      (serialization) can be enabled by setting environment
      variable "SSS_LOCKFREE" to "NO".
* Tue Jun 21 2022 Stefan Schubert <schubi@localhost>
  - Removed %config flag for files in /usr directory.
* Tue Jun 21 2022 Stefan Schubert <>
  - Moved logrotate files from user-specific directory /etc/logrotate.d
    to vendor-specific directory /usr/etc/logrotate.d.
* Wed Jun 15 2022 Samuel Cabrero <>
  - Use pam rpm macros to avoid hardcoding the directory names;
  - Do not take ownership of %_pam_confdir directory, it is owned by
    pam package
* Mon Jun 13 2022 Jan Engelhardt <>
  - Update to release 2.7.2
    * A sssd-2.7.1 regression preventing successful authentication of
      IPA users was fixed.
    * Default value of pac_check changed to check_upn,
      check_upn_dns_info_ex (for AD and IPA provider).
* Thu Jun 02 2022 Jan Engelhardt <>
  - Update to release 2.7.1
    * SSSD can now handle multi-valued RDNs if a unique name must
      be determined with the help of the RDN.
    * A regression in pam_sss_gss module causing a failure if
      KRB5CCNAME environment variable was not set was fixed.
    * New option `implicit_pac_responder` to control if the PAC
      responder is started for the IPA and AD providers; the
      default is true.
    * New option `krb5_check_pac` to control the PAC validation
    * Multiple `crl_file` arguments can be used in the
      `certificate_verification` option.
* Mon May 16 2022 Jan Engelhardt <>
  - Enable subid_sss
* Thu Apr 14 2022 Jan Engelhardt <>
  - Update to release 2.7.0
    * Better default for IPA/AD re_expression. Tuning for group
      names containing '@' is no longer needed.
    * A new debug level is added to show statistical and
      performance data.
    * Added support for anonymous PKINIT to get FAST credentials.
    * SSSD now correctly falls back to UPN search if the user was
      not found even with `cache_first = true`.
* Mon Feb 21 2022 Callum Farmer <>
  - Enable selinux support
  - Update Supplements to new format
* Wed Feb 09 2022 Samuel Cabrero <>
  - Remove caches only when performing a package downgrade. The sssd
    daemon takes care of upgrading the database format when necessary
* Tue Jan 25 2022 Jan Engelhardt <>
  - Update to release 2.6.3
    * A regression introduced in sssd-2.6.2 in the IPA provider
      that prevented users from logging in was fixed. Access control
      always denied access because the selinux_child returned an
      unexpected reply.
    * A critical regression that prevented authentication of users
      via AD and IPA providers was fixed. LDAP port was reused for
      Kerberos communication and this provider would send
      incomprehensible information to this port.
    * When authenticating AD users, backtrace was triggered even
      though everything was working correctly. This was caused by a
      search in the global catalog. Servers from the global catalog
      are filtered out of the list before writing the KDC info
      file. With this fix, SSSD does not attempt to write to the
      KDC info file when performing a GC lookup.
* Mon Jan 17 2022 Jan Engelhardt <>
  - Upgrade LDB_DIR shell variable to %ldbdir macro.
* Tue Jan 11 2022 Samuel Cabrero <>
  - Remove libsmbclient-devel BuildRequires in favor of
* Thu Dec 23 2021 Jan Engelhardt <>
  - Update to release 2.6.2
    * Quick log out and log in did not correctly refresh user's
      initgroups in no_session PAM schema due to lingering systemd
* Tue Nov 23 2021 Johannes Segitz <>
  - Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
    * harden_sssd-ifp.service.patch
    * harden_sssd-kcm.service.patch
* Tue Nov 09 2021 Jan Engelhardt <>
  - Update to release 2.6.1
    * New infopipe method FindByValidCertificate().
    * The default value of the "ssh_hash_known_hosts" setting was
      changed to false for the sake of consistency with OpenSSH
      that does not hash host names by default.
* Fri Oct 15 2021 Jan Engelhardt <>
  - Update to release 2.6.0
    * Support of legacy json format for ccaches was dropped.
    * Support of long time deprecated secrets responder was dropped.
    * Support of long time deprecated local provider was dropped.
    * The sssctl command was vulnerable to shell command injection
      via the logs-fetch and cache-expire subcommands,
      which was fixed.
    * Basic support of user's 'subuid and subgid ranges' for IPA
      provider and corresponding plugin for shadow-utils were added.
* Mon Jul 12 2021 Jan Engelhardt <>
  - Update to release 2.5.2
    * originalADgidNumber attribute in the SSSD cache is now indexed.
    * Add new config option fallback_to_nss.
* Tue Jun 08 2021 Jan Engelhardt <>
  - Update to release 2.5.1
    * auto_private_groups option can be set centrally through ID
      range setting in IPA (see ipa idrange commands family). This
      feature requires SSSD update on both client and server. This
      feature also requires freeipa 4.9.4 and newer.
    * Fix getsidbyname issues with IPA users with a
    * Default value of ldap_sudo_random_offset changed to 0
      (disabled). This makes sure that sudo rules are available as
      soon as possible after SSSD start in default configuration.
* Mon May 10 2021 Jan Engelhardt <>
  - Update to release 2.5.0
    * Added support for automatic renewal of renewable TGTs that
      are stored in KCM ccache. This can be enabled by setting
      tgt_renewal = true. See the sssd-kcm man page for more
      details. This feature requires MIT Kerberos
      krb5-1.19-0.beta2.3 or higher.
    * ad_gpo_implicit_deny is now respected even if there are no
      applicable GPOs present.
* Tue Apr 06 2021 Samuel Cabrero <>
  - Move sssctl command from sssd to sssd-tools package; (bsc#1184289);
* Thu Apr 01 2021
  - Add missing /var/lib/sss/pubconf/krb5.include.d directory (bsc#1184285).
* Tue Feb 23 2021 Aurelien Aptel <>
  - Make cifs-idmap plugin ( use update-alternatives
    mechanism to be able to switch between cifs-utils and sssd;
* Fri Feb 19 2021 Jan Engelhardt <>
  - Update to release 2.4.2
    * Default value of "user" config option was fixed to be in
      accordance with the man page, i.e. default is "root".
    * pam_sss_gss now supports authentication indicators to further
      harden the authentication.
* Fri Feb 12 2021 Dominique Leuenberger <>
  - Pass --with-pid-path=%{_rundir} to configure: adjust rundir
    according to the distro settings, i.e. /run on modern systems.
    Eliminates a systemd warning like this one in the journal:
      Feb 12 12:33:32 zeus systemd[1]: /usr/lib/systemd/system/sssd.service:13:
      PIDFile= references a path below legacy directory /var/run/,
      updating /var/run/ → /run/; please update the unit file accordingly.
* Fri Feb 05 2021 Jan Engelhardt <>
  - Update to release 2.4.1
    * New PAM module pam_sss_gss for authentication using GSSAPI.
    * case_sensitive=Preserving can now be set for trusted domains
      with AD and IPA providers.
    * krb5_use_subdomain_realm=True can now be used when sub-domain
      user principal names have upnSuffixes which are not known in
      the parent domain. SSSD will try to send the Kerberos request
      directly to a KDC of the sub-domain.
    * SYSLOG_IDENTIFIER was renamed to SSSD_PRG_NAME in journald
      output, to avoid issues with PID parsing in rsyslog
      (BSD-style forwarder) output.
    * Added pam_gssapi_check_upn to enforce authentication only
      with principal that can be associated with target user.
    * Added pam_gssapi_services to list PAM services that can
      authenticate using GSSAPI.
* Mon Oct 12 2020 Jan Engelhardt <>
  - Update to release 2.4.0
    * Session recording can now exclude specific users or groups
      when scope is set to all (see exclude_users and
      exclude_groups options).
    * Active Directory provider now sends CLDAP pings over UDP
      protocol to Domain Controllers in parallel to determine site
      and forest to speed up server discovery.
* Mon Aug 10 2020 Jan Engelhardt <>
  - Build sssd's KCM.
* Fri Jul 24 2020 Jan Engelhardt <>
  - Update to release 2.3.1
    * Domains can be now explicitly enabled or disabled using
      enable option in domain section. This can be especially used
      in configuration snippets.
    * New configuration options memcache_size_passwd,
      memcache_size_group, memcache_size_initgroups that can be
      used to control memory cache size.
    * Fixed several regressions in GPO processing introduced in
    * Fixed regression in PAM responder: failures in cache only
      lookups are no longer considered fatal.
    * Fixed regression in proxy provider: pwfield=x is now default
      value only for sssd-shadowutils target.
  - sssd-wbclient is obsolete and no longer shipped
* Tue May 19 2020 Jan Engelhardt <>
  - Update to release 2.3.0
    * SSSD can now handle hosts and networks nsswitch databases
      (see resolve_provider option).
    * By default, authentication requests only refresh a user's
      initgroups if they are expired or there is no active user
      session (see pam_initgroups_scheme option).
    * OpenSSL is used as default crypto provider, NSS is deprecated.
    * The AD provider now defaults to GSS-SPNEGO SASL mechanism
      (see ldap_sasl_mech option).
    * The AD provider can now be configured to use only ldaps port
      (see ad_use_ldaps option).
    * SSSD now accepts host entries from GPO's security filter.
    * New debug level (0x10000) added for low level LDB messages
      only (see sssd.conf man page).
  - Drop sssd-gpo_host_security_filter-2.2.2.patch,
    0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch (merged)
  - Drop 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
* Tue Mar 24 2020 Jan Engelhardt <>
  - Update to 2.2.3
    * New features:
    * allow_missing_name now treats empty strings the same as
      missing names.
    * "soft_ocsp" and "soft_crl" options have been added to make
      the checks for revoked certificates more flexible if the
      system is offline.
    * Smart card authentication in polkit is now allowed by default.
    * Fixes:
    * Handling of FreeIPA users and groups containing ‘@’ sign now
    * SSSD was unable to handle ldap_uri containing URIs with
      different port numbers, which has been rectified.
  - Add 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
* Mon Mar 16 2020 Samuel Cabrero <>
  - Fix dynamic DNS updates not using FQDN (bsc#1160587); Add
* Sun Jan 19 2020 Stefan Brüns <>
  - Remove leftover python2 build dependencies
  - Remove python3-devel BuildRequires in favor of pkgconfig(python3)
* Mon Jan 13 2020 David Mulder <>
  - SSSD GPO host entries are ignored if computer cn does not
    match its samaccountname, add
    (jsc#SLE-9298); (bsc#1160688)
* Thu Jan 02 2020 David Mulder <>
  - SSSD should accept host entries from GPO's security filter, add
    sssd-gpo_host_security_filter-2.2.2.patch; (jsc#SLE-9298)
* Fri Nov 22 2019 Samuel Cabrero <>
  - Install infopipe dbus service (bsc#1106598)
  - Add systemd service unit files to manage socket or bus activated responders.
  - All responders except infopipe are also managed by a socket unit file.
  - Add missing post and postun hooks for libsss_certmap0 package.
* Thu Nov 21 2019 Jan Engelhardt <>
  - Update to release 2.2.2
    * New options were added which allow sssd-kcm to handle bigger
      data. See manual pages for max_ccaches, max_uid_caches and
    * SSSD can now automatically refresh cached user data from
      subdomains in IPA/AD trust.
    * Fixed issue with SSSD hanging when connecting to
      non-responsive server with ldaps://.
    * SSSD is now restarted by systemd after crashes.
* Tue Jun 18 2019 Jan Engelhardt <>
  - Update to new upstream release 2.2.0
    * The Kerberos provider can now include more KDC addresses or
      host names when writing data for the Kerberos locator plugin.
    * The 2FA prompting can now be configured.
    * The LDAP authentication provider now allows using a
      different method of changing LDAP passwords using a modify
      operation in addition to the default extended operation.
    * The "auto_private_groups" configuration option now takes a
      new value hybrid.
    * A new option "ad_gpo_ignore_unreadable" was added.
    * The "cached_auth_timeout" parameter is now inherited by
      trusted domains.
    * The "ldap_sasl_mech" option now accepts another mechanism
      "GSS-SPNEGO" in addition to "GSSAPI".
    * The sssctl tool has two new commands, "cert-show" and
* Fri Apr 26 2019 Samuel Cabrero <>
  - Create directory to download and cache GPOs (bsc#1132879)
* Sat Mar 16 2019 Jan Engelhardt <>
  - Update to new upstream release 2.1.0
    * Any provider can now match and map certificates to user
    * pam_sss can now be configured to only perform Smart Card
      authentication or return an error if this is not possible.
    * pam_sss can also prompt the user to insert a Smart Card if,
      during an authentication it is not available.
    * A new configuration option ad_gpo_implicit_deny was added.
      This option (when set to True) can be used to deny access to
      users even if there is no applicable GPO.
    * The dynamic DNS update can now batch DNS updates to include
      all address family updates in a single transaction.
* Wed Feb 20 2019 Samuel Cabrero <>
  - Install systemd service unit file created from source's template
  - Install logrotate configuration (bsc#1004220)
  - Set journald as system logger
* Fri Feb 15 2019 Jan Engelhardt <>
  - Add krb-noversion.diff so sssd_pac builds even with newer krb.



Generated by rpm2html 1.8.1

Fabrice Bellet, Fri Feb 3 00:14:55 2023