Skip to content


Choose a tag to compare
@pbrezina pbrezina released this 16 Apr 09:01
· 3955 commits to master since this release

SSSD 1.15.1


  • Several issues related to starting the SSSD services on-demand via socket activation were fixed. In particular, it is no longer possible to have a service started both by sssd and socket-activated. Another bug which might have caused the responder to start before SSSD started and cause issues especially on system startup was fixed.
  • A new files provider was added. This provider mirrors the contents of /etc/passwd and /etc/group into the SSSD database. The purpose of this new provider is to make it possible to use SSSD's interfaces, such as the D-Bus interface for local users and enable leveraging the in-memory fast cache for local users as well, as a replacement for nscd. In future, we intend to extend the D-Bus interface to also provide setting and retrieving additional custom attributes for the files users.
  • SSSD now autogenerates a fallback configuration that enables the files domain if no SSSD configuration exists. This allows distributions to enable the sssd service when the SSSD package is installed. Please note that SSSD must be build with the configuration option --enable-files-domain for this functionality to be enabled.
  • Support for public-key authentication with Kerberos (PKINIT) was added. This support will enable users who authenticate with a Smart Card to obtain a Kerberos ticket during authentication.

Packaging Changes

  • The new files provider comes as a new shared library and a new manual page
  • A new helper binary called sssd_check_socket_activated_responders was added. This binary is used in the ExecStartPre directive to check if the service that corresponds to socket about to be started was also started explicitly and abort the socket startup if it was.

Documentation Changes

  • A new PAM module option prompt_always was added. This option is related to fixing < changed the behaviour of the PAM module so that pam_sss always uses an auth token that was on stack. The new prompt_always option makes it possible to restore the previous behaviour.

See full release notes here.