| Name: sssd-krb5-common | Distribution: openSUSE Tumbleweed |
| Version: 2.11.1 | Vendor: openSUSE |
| Release: 1.1 | Build date: Thu Jul 31 18:15:46 2025 |
| Group: System/Daemons | Build host: reproducible |
| Size: 401620 | Source RPM: sssd-2.11.1-1.1.src.rpm |
| Packager: http://bugs.opensuse.org | |
| Url: https://github.com/SSSD/sssd | |
| Summary: SSSD helpers needed for Kerberos and GSSAPI authentication | |
Provides helper processes that the LDAP and Kerberos back ends can use for Kerberos user or host authentication.
GPL-3.0-or-later
* Thu Jul 31 2025 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.11.1
* Fixed AD users in external groups not being cleared once the
cache expires.
* Fixed `cache_credentials=true` not having any effect.
* Fixed socket activation not having an effect for sssd_pam.
* Fri Jul 18 2025 Jan Engelhardt <jengelh@inai.de>
- Add logrotate.patch [boo#1246537]
* Wed Jun 11 2025 Samuel Cabrero <scabrero@suse.de>
- Install file in krb5.conf.d to include sssd krb5 config snippets;
(bsc#1244325);
* Thu Jun 05 2025 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.11
* The deprecated tool `sss_ssh_knownhostsproxy` was finally
removed.
* Support for `id_provider = files` was removed.
* SSSD doesn't create any more missing path components of
DIR:/FILE: ccache types while acquiring user's TGT.
* New generic id and auth provider for Identity Providers (IdPs)
for Keycloak/EntraID. [Not enabled in openSUSE for now.]
* Tue Mar 11 2025 Jan Engelhardt <jengelh@inai.de>
- Run mkdir/rm with verbose mode for the build log
* Thu Jan 30 2025 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.10.2
* If the ssh responder is not running, sss_ssh_knownhosts will
not fail (but it will not return the keys).
* SSSD is now capable of handling multiple services associated
with the same port.
* sssd_pam, being a privileged binary, now clears the
environment and does not allow configuration of the
PR_SET_DUMPABLE flag as a precaution.
* Wed Jan 22 2025 Dominique Leuenberger <dimstar@opensuse.org>
- Drop build dependency on nscd, which has been deprecated
(boo#1239262).
* Tue Jan 21 2025 Samuel Cabrero <scabrero@suse.de>
- Migrate away from update-alternatives, replaced by package
conflicts; (bsc#1235789); (bsc#1216739);
* Tue Dec 10 2024 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.10.1
* SSSD does not create anymore missing path components of
DIR:/FILE: ccache types while acquiring user's TGT. The
parent directory of requested ccache directory must exist and
the user trying to log in must have rwx access to this
directory. This matches behavior of /usr/bin/kinit.
* The option default_domain_suffix is deprecated.
- Delete 0001-Configuration-make-sure-etc-sssd-and-everything.patch,
0001-INI-relax-config-files-checks.patch,
0001-INI-stop-using-libini_config-for-access-check.patch,
0001-sssd-always-print-path-when-config-object-is-rejecte.patch
(merged)
- Add 0001-TOOL-Fix-build-parameter-name-omitted.patch
* Tue Oct 15 2024 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.10.0
* The ``sssctl cache-upgrade`` command was removed. SSSD
performs automatic upgrades at startup when needed.
* Support of ``enumeration`` feature (i.e. ability to list all
users/groups using ``getent passwd/group`` without argument)
for AD/IPA providers is deprecated and might be removed in
further releases.
* The new tool ``sss_ssh_knownhosts`` can be used with ssh's
``KnownHostsCommand`` configuration option to retrieve the
host's public keys from a remote server (FreeIPA, LDAP,
etc.). It replaces ``sss_ssh_knownhostsproxy``.
* The default value for ``ldap_id_use_start_tls`` changed from
false to true for improved security.
* https://github.com/SSSD/sssd/releases/tag/2.10.0
- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch,
0001-INI-stop-using-libini_config-for-access-check.patch,
0001-INI-relax-config-files-checks.patch,
0001-Configuration-make-sure-etc-sssd-and-everything.patch
- Fix socket activation of responders
- Daemon runs now as unprivileged user 'sssd'
* Tue Oct 01 2024 Jan Engelhardt <jengelh@inai.de>
- Update filelists involving memberof.so and idmap/sss.so to
avoid gobbling up one file into multiple sssd subpackages.
(Between samba-4.20 and 4.21, %ldbdir changes from
/usr/lib64/ldb2/modules/ldb to /usr/lib64/samba/ldb, so now
`%_libdir/samba` is a bit too broad.)
* Wed Jul 17 2024 Samuel Cabrero <scabrero@suse.de>
- Fix spec file for openSUSE ALP and SUSE SLFO, where the
python3_fix_shebang_path RPM macro is not available
* Thu Jul 11 2024 Samuel Cabrero <scabrero@suse.de>
- Revert the change dropping the default configuration file. If
/usr/etc exists, it will be installed there, otherwise in /etc.
(bsc#1226157);
* Thu May 16 2024 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.9.5
* Added failover_primary_timeout configuration option. This can
be used to configure how often SSSD tries to reconnect to a
primary server after a successful connection to a backup
server. This was previously hardcoded to 31 seconds which is
kept as the default value.
* Fri Mar 08 2024 pgajdos@suse.com
- remove dependency on /usr/bin/python3 using
%python3_fix_shebang_path macro, [bsc#1212476]
* Fri Jan 12 2024 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.9.4
* Fixes a crash when PAM passkey processing incorrectly handles
non-passkey data.
* Fixed group membership handling when members are coming from
different forest domains and using ldap token groups is
prohibited.
* Files provider was erroneously taking into consideration
``local_auth_policy`` config option, thus breaking smartcard
authentication of local user in setups that did not explicitly
specify this option. This is now fixed.
* Tue Nov 21 2023 Samuel Cabrero <scabrero@suse.de>
- Adapt spec file for SLE 15 SP6/Leap 15.6; (jsc#PED-6714);
* Remove package sssd-common, merged into sssd
* Continue building deprecated files provider and infopipe
responder
* Disable selinux and semanage
* Provide rcsssd shortcut
* Fri Nov 17 2023 Samuel Cabrero <scabrero@suse.de>
- Fix spec file for Leap
* Fri Nov 17 2023 Samuel Cabrero <scabrero@suse.de>
- /usr/etc migration, restore /etc/sssd/sssd.conf.rpmsave after
update (bsc#1216865)
- Do not install the KRB5 IDP plugin, it is useless without the
OIDC child
- Drop no longer valid --without-secrets configure switch
* Mon Nov 13 2023 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.9.3
* The proxy provider is now able to handle certificate mapping
and matching rules and users handled by the proxy provider can
be configured for local Smartcard authentication. Besides the
mapping rule local Smartcard authentication should be enabled
with the `local_auth_policy` option in the backend and with
`pam_cert_auth` in the PAM responder.
* Thu Nov 02 2023 Jan Engelhardt <jengelh@inai.de>
- Offer the sssd.conf template as %doc (for examples, do actually
see the "Examples" section of the sssd.conf(5) manpage)
* Tue Oct 31 2023 Samuel Cabrero <scabrero@suse.de>
- Update dependencies to require the same subpackages version and
release
- Fix /usr/etc migration fragment in wrong "%pre kcm" instead of
"%pre"
- Move sss_analyze to sssd-tools package
* Tue Oct 31 2023 Jan Engelhardt <jengelh@inai.de>
- Default config is unworkable, just stop installing it altogether
[boo#1216739]
* Thu Sep 07 2023 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.9.2
* sssctl cert-show and cert-show cert-eval-rule can now be run as
non-root user.
* New option local_auth_policy is added to control which offline
authentication methods will be enabled by SSSD.
* Fix sssd entering failed state under heavy load by adding
watchdog to monitor sbus_call_DBus_Hello_send(); (bsc#1213283);
Drop SLE patch 0001-sssd-watchdog.patch
* Fri Jun 23 2023 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.9.1
* A regression was fixed that prevented autofs lookups to
function correctly when cache_first is set to True.
* A regression where SSSD failed to properly watch for changes
in ``/etc/resolv.conf`` when it was a symbolic link or was a
relative path, was fixed.
* ldap password policy: return failure if there are no grace logins
left; (bsc#1214434); Drop SLE patch
0006-ldap-return-failure-if-there-are-no-grace-logins-lef.patch
* Fri May 05 2023 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.9
* The sss_simpleifp library is deprecated (and for openSUSE,
already removed)
* The "Files provider" (i.e. id_provider = files) is deprecated
(and for openSUSE, already removed)
* SSSD will no longer warn about changed defaults when using
ldap_schema = rfc2307 and default autofs mapping.
* New passkey functionality, which will allow the use of FIDO2
compliant devices to authenticate a centrally managed user
locally.
* Add support for ldapi:// URLs to allow connections to local
LDAP servers.
* NSS IDMAP has two new methods: getsidbyusername and
getsidbygroupname.
* Thu Jan 26 2023 Callum Farmer <gmbr3@opensuse.org>
- Move dbus-1 system.d file to /usr (bsc#1207586)
* Tue Jan 03 2023 Stefan Schubert <schubi@suse.com>
- Migration of PAM settings to /usr/lib/pam.d.
* Wed Dec 21 2022 Jan Engelhardt <jengelh@inai.de>
- Take systemd units off the restart list that have
RefuseManualStart=yes [boo#1206592]
- Add symvers.patch [boo#1206592] [bsc#1182058] [bsc#1196166]
* Sun Dec 11 2022 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.8.2
* New mapping template for serial number, subject key id, SID,
certificate hashes and DN components are added to
libsss_certmap.
* Fri Nov 04 2022 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.8.1
* A regression when running sss_cache when no SSSD domain is
enabled would produce a syslog critical message was fixed.
* Fri Oct 07 2022 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.8.0
* Introduced the dbus function
org.freedesktop.sssd.infopipe.Users.ListByAttr(attr, value,
limit) listing up to limit users matching the filter
attr=value.
* sssctl is now able to create, list and delete indexes on the
local caches. Indexes are useful for the new D-Bus
ListByAttr() function.
* sssctl is now able to read and set each component's debug
level independently.
* A number of new configuration options are available,
cf. https://sssd.io/release-notes/sssd-2.8.0.html .
* Fix sdap_access_host No matching host rule found;
(bsc#1202559); Drop SLE patch
0001-Fix-sdap_access_host-No-matching-host-rule-found.patch
* Accept krb5 1.20 for building the PAC plugin; Drop SLE patch
0004-BUILD-Accept-krb5-1.20-for-building-the-PAC-plugin.patch
* Thu Sep 01 2022 Stefan Schubert <schubi@suse.com>
- Migration to /usr/etc: Saving user changed configuration files
in /etc and restoring them during an RPM update.
* Fri Aug 26 2022 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.7.4
* Lock-free client support will be only built if libc provides
pthread_key_create() and pthread_once(). For glibc this means
version 2.34+.
* Mon Jul 04 2022 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.7.3
* All SSSD client libraries (nss, pam, etc) won't serialize
requests anymore by default, i.e. requests from multiple
threads can be executed in parallel. Old behavior
(serialization) can be enabled by setting environment
variable "SSS_LOCKFREE" to "NO".
* Tue Jun 21 2022 Stefan Schubert <schubi@localhost>
- Removed %config flag for files in /usr directory.
* Tue Jun 21 2022 Stefan Schubert <schubi@suse.com>
- Moved logrotate files from user-specific directory /etc/logrotate.d
to vendor-specific directory /usr/etc/logrotate.d.
* Wed Jun 15 2022 Samuel Cabrero <scabrero@suse.de>
- Use pam rpm macros to avoid hardcoding the directory names;
(bsc#1191047);
- Do not take ownership of %_pam_confdir directory, it is owned by
pam package
* Mon Jun 13 2022 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.7.2
* A sssd-2.7.1 regression preventing successful authentication of
IPA users was fixed.
* Default value of pac_check changed to check_upn,
check_upn_dns_info_ex (for AD and IPA provider).
* Thu Jun 02 2022 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.7.1
* SSSD can now handle multi-valued RDNs if a unique name must
be determined with the help of the RDN.
* A regression in pam_sss_gss module causing a failure if
KRB5CCNAME environment variable was not set was fixed.
* New option `implicit_pac_responder` to control if the PAC
responder is started for the IPA and AD providers; the
default is true.
* New option `krb5_check_pac` to control the PAC validation
behavior.
* Multiple `crl_file` arguments can be used in the
`certificate_verification` option.
* Mon May 16 2022 Jan Engelhardt <jengelh@inai.de>
- Enable subid_sss
* Thu Apr 14 2022 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.7.0
* Better default for IPA/AD re_expression. Tuning for group
names containing '@' is no longer needed.
* A new debug level is added to show statistical and
performance data.
* Added support for anonymous PKINIT to get FAST credentials.
* SSSD now correctly falls back to UPN search if the user was
not found even with `cache_first = true`.
* Add 'ldap_ignore_unreadable_references' parameter to skip
unreadable objects referenced by 'member' attribute;
(bsc#1190775); (gh#SSSD/sssd#4893); Drop SLE patch
0001-ldap-ignore-unreadable-references.patch
* Mon Feb 21 2022 Callum Farmer <gmbr3@opensuse.org>
- Enable selinux support
- Update Supplements to new format
* Wed Feb 09 2022 Samuel Cabrero <scabrero@suse.de>
- Remove caches only when performing a package downgrade. The sssd
daemon takes care of upgrading the database format when necessary
(bsc#1195552)
* Tue Jan 25 2022 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.6.3
* A regression introduced in sssd-2.6.2 in the IPA provider
that prevented users from login was fixed. Access control
always denied access because the selinux_child returned an
unexpected reply.
* A critical regression that prevented authentication of users
via AD and IPA providers was fixed. LDAP port was reused for
Kerberos communication and this provider would send
incomprehensible information to this port.
* When authenticating AD users, backtrace was triggered even
though everything was working correctly. This was caused by a
search in the global catalog. Servers from the global catalog
are filtered out of the list before writing the KDC info
file. With this fix, SSSD does not attempt to write to the
KDC info file when performing a GC lookup.
* Mon Jan 17 2022 Jan Engelhardt <jengelh@inai.de>
- Upgrade LDB_DIR shell variable to %ldbdir macro.
* Tue Jan 11 2022 Samuel Cabrero <scabrero@suse.de>
- Remove libsmbclient-devel BuildRequires in favor of
pkgconfig(smbclient)
/etc/krb5.conf.d/enable_sssd_conf_dir
/usr/lib64/sssd
/usr/lib64/sssd/libsss_krb5_common.so
/usr/libexec/sssd
/usr/libexec/sssd/krb5_child
/usr/libexec/sssd/ldap_child
/usr/share/sssd/krb5-snippets
/usr/share/sssd/krb5-snippets/enable_sssd_conf_dir
/usr/share/sssd/krb5-snippets/sssd_enable_idp
/var/lib/sss/pubconf/krb5.include.d
Generated by rpm2html 1.8.1
Fabrice Bellet, Thu Oct 23 23:06:42 2025