SSSD 2.4.1 Release Notes
SYSLOG_IDENTIFIER was renamed to
SSSD_PRG_NAME in journald output, to avoid issues with PID parsing in rsyslog (BSD-style forwarder) output.
- New PAM module
pam_sss_gss for authentication using GSSAPI
case_sensitive=Preserving can now be set for trusted domains with AD provider
case_sensitive=Preserving can now be set for trusted domains with IPA provider. However, the option needs to be set to
Preserving on both client and the server for it to take effect.
case_sensitive option can be now inherited by subdomains
case_sensitive can be now set separately for each subdomain in
krb5_use_subdomain_realm=True can now be used when sub-domain user principal names have upnSuffixes which are not known in the parent domain. SSSD will try to send the Kerberos request directly to a KDC of the sub-domain.
- krb5_child uses proper umask for DIR type ccaches
- Memory leak in the simple access provider
- KCM performance has improved dramatically for cases where large amount of credentials are stored in the ccache.
pam_sss_gss.so PAM module and
pam_sss_gss.8 manual page
- New default value of
debug_level is 0x0070
pam_gssapi_check_upn to enforce authentication only with principal that can be associated with target user.
pam_gssapi_services to list PAM services that can authenticate using GSSAPI
See full release notes here.