Skip to content


Choose a tag to compare
@pbrezina pbrezina released this 14 Oct 10:12
· 1419 commits to master since this release

SSSD 2.6.0 Release Notes


General information

  • Support of legacy json format for ccaches was dropped
  • Support of long time deprecated secrets responder was dropped.
  • Support of long time deprecated local provider was dropped.
  • This release drops support of --with-unicode-lib configure option. libunistring will be used unconditionally for Unicode processing.
  • This release removes pcre1 support. pcre2 is used unconditionally.
  • p11_child does not stop at the first empty slot when searching for tokens
  • A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. This patch fixes a flaw by replacing system() with execvp().

New features

  • Basic support of user's 'subuid and subgid ranges' for IPA provider and corresponding plugin for shadow-utils were introduced. Limitations: - single subid interval pair (subuid+subgid) per user - idviews aren't supported - only forward lookup (user -> subid ranges) Take a note, this is MVP of experimental feature. Significant changes might be required later, after initial feedback. Corresponding support in shadow-utils was merged upstream, but since there is no upstream release available yet, SSSD feature isn't built by default. Build can be enabled with --with-subid configure option. Plugin's install path can be configured with --with-subid-lib-path= (${libdir} by default)

Important fixes

  • KCM now replace the old credential with new one when storing an updated credential that is however already present in the ccache to avoid unnecessary growth of the ccache.
  • Improve mpg search filter to be more reliable with id-overrides and the new auto_private_groups options.
  • Even if the forest root is disabled for lookups all required internal data is initialized to be able to refresh the list of trusted domains in the forest from a DC of the forest root.
  • ccache files are created with the right ownership during offline Smartcard authentication
  • AD ping is now sent over ldap if cldap support is not available during build. This helps to build SSSD on distributions without cldap support in libldap.
  • CVE-2021-3621

Configuration changes

  • New IPA provider's option ipa_subid_ranges_search_base allows configuration of search base for user's subid ranges. Default: cn=subids,%basedn

See full release notes here.