@pbrezina pbrezina released this 10 May 13:36
· 1579 commits to master since this release

SSSD 2.5.0 Release Notes


General information

  • secrets support is deprecated and will be removed in one of the next versions of SSSD.
  • local-provider is deprecated and will be removed in one of the next versions of SSSD.
  • SSSD's implementation of libwbclient was removed because it is incompatible with modern versions of Samba.
  • This release deprecates pcre1 support. This support will be removed completely in following releases.
  • A home directory from a dedicated user override, either local or centrally managed by IPA, will have a higher precedence than the override_homedir option.
  • The debug-to-files and debug-to-stderr command-line options and the undocumented debug_to_files configuration option were removed.

New features

  • Added support for automatic renewal of renewable TGTs that are stored in KCM ccache. This can be enabled by setting tgt_renewal = true. See the sssd-kcm man page for more details. This feature requires MIT Kerberos krb5-1.19-0.beta2.3 or higher.
  • The periods of background sudo periodic tasks (smart and full refresh) are now extended by a random offset to spread the load on the server in environments with many clients. The random offset can be changed with ldap_sudo_random_offset.
  • Completing a sudo full refresh now postpones the smart refresh by the ldap_sudo_smart_refresh_interval value. This ensures that the smart refresh is not run too soon after a successful full refresh.
  • If debug_backtrace_enabled is set to true, then on any error all prior debug messages (up to some limit) are printed even if debug_level is set to a low value (for details, see the debug_backtrace_enabled description in man sssd.conf).
  • Besides trusted domains known by the forest root, trusted domains known by the local domain are used as well.
  • New configuration option offline_timeout_random_offset to control the random factor in the backend probing interval when SSSD is in offline mode.

Important fixes

  • ad_gpo_implicit_deny is now respected even if there are no applicable GPOs present.
  • During the IPA subdomains request, a failure to read a single specific configuration option is no longer considered fatal, and the request continues.
  • Unknown IPA id-range types are no longer considered an error.
  • The SSSD spec file %postun no longer tries to restart services that cannot be restarted directly, so it no longer produces systemd warnings.

Configuration changes

  • Added the tgt_renewal, tgt_renewal_inherit, and krb5_* KCM options to enable and tune the behavior of the new KCM renewal feature.
  • Added ldap_sudo_random_offset (default: 30) to add a random offset to background sudo periodic tasks (smart and full refresh).
  • Introduced the new option debug_backtrace_enabled to control the debug backtrace.
  • Added the offline_timeout_random_offset configuration option to control the maximum size of the random offset added to the offline timeout of the SSSD backend probing interval.
  • The long-deprecated and undocumented debug_to_files option was removed.
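
A pre-upgrade check for the removals and deprecations listed above, as an added example that is not part of the SSSD project: it scans an sssd.conf body for the removed debug_to_files option, a [secrets] section, and domains using id_provider = local. The function name audit_sssd_conf and the sample configuration are constructed for illustration.

```python
import configparser

# Constructed sample configuration (hypothetical host, for illustration only).
SAMPLE_CONF = """\
[sssd]
domains = example.test, legacy
debug_to_files = true

[secrets]
debug_level = 3

[domain/legacy]
id_provider = local

[domain/example.test]
id_provider = ldap

[kcm]
tgt_renewal = true
"""


def audit_sssd_conf(text):
    """Return (section, option, message) findings for an sssd.conf body."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        opts = cp[section]
        # Removed outright in 2.5.0, so flag it in whichever section it appears.
        if "debug_to_files" in opts:
            findings.append((section, "debug_to_files", "removed in SSSD 2.5.0"))
        # The secrets responder is configured in [secrets] and [secrets/...].
        if section == "secrets" or section.startswith("secrets/"):
            findings.append((section, None, "secrets support is deprecated"))
        # The local provider is selected per domain through id_provider.
        provider = opts.get("id_provider", "").strip().lower()
        if section.startswith("domain/") and provider == "local":
            findings.append((section, "id_provider", "local provider is deprecated"))
    return findings


if __name__ == "__main__":
    for section, option, message in audit_sssd_conf(SAMPLE_CONF):
        print(f"[{section}] {option or '(whole section)'}: {message}")
```

The check reads a single file body only; snippets that a host loads from a conf.d directory would need to be passed through the same function.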

See full release notes here.