Skip to content


Choose a tag to compare
@pbrezina pbrezina released this 16 Apr 09:01
· 3195 commits to master since this release

SSSD 1.16.2


New Features

  • The smart card authentication, or in more general certificate authentication code now supports OpenSSL in addition to previously supported NSS (#3489). In addition, the SSH responder can now return public SSH keys derived from the public keys stored in a X.509 certificate. Please refer to the ssh_use_certificate_keys option in the man pages.
  • The files provider now supports mirroring multiple passwd or group files. This enhancement can be used to use the SSSD files provider instead of the nss_altfiles module

Notable bug fixes

  • A memory handling issue in the nss_ex interface was fixed. This bug would manifest in IPA environments with a trusted AD domain as a crash of the ns-slapd process, because a ns-slapd plugin loads the nss_ex interface (#3715)
  • Several fixes for the KCM deamon were merged (see #3687, #3671, #3633)
  • The ad_site override is now honored in GPO code as well (#3646)
  • Several potential crashes in the NSS responder's netgroup code were fixed (#3679, #3731)
  • A potential crash in the autofs responder's code was fixed (#3752)
  • The LDAP provider now supports group renaming (#2653)
  • The GPO access control code no longer returns an error if one of the relevant GPO rules contained no SIDs at all (#3680)
  • A memory leak in the IPA provider related to resolving external AD groups was fixed (#3719)
  • Setups that used multiple domains where one of the domains had its ID space limited using the min_id/max_id options did not resolve requests by ID properly (#3728)
  • Overriding IDs or names did not work correctly when the domain resolution order was set as well (#3595)
  • A version mismatch between certain newer Samba versions (e.g. those shipped in RHEL-7.5) and the Winbind interface provided by SSSD was fixed. To further prevent issues like this in the future, the correct interface is now detected at build time (#3741)
  • The files provider no longer returns a qualified name in case domain resolution order is used (#3743)
  • A race condition between evaluating IPA group memberships and AD group memberships in setups with IPA-AD trusts that would have manifested as randomly losing IPA group memberships assigned to an AD user was fixed (#3744)
  • Setting an SELinux login label was broken in setups where the domain resolution order was used (#3740)
  • SSSD start up issue on systems that use the libldb library with version 1.4.0 or newer was fixed.

Packaging Changes

  • Several new build requirements were added in order to support the OpenSSL certificate authentication

Documentation Changes

  • The files provider gained two new configuration options passwd_files and group_files. These can be used to specify the additional files to mirror.
  • A new ssh_use_certificate_keys option toggles whether the SSH responder would return public SSH keys derived from X.509 certificates.
  • The local_negative_timeout option is now enabled by default. This means that if SSSD fails to find a user in the configured domains, but is then able to find the user with an NSS call such as getpwnam, it would negatively cache the request for the duration of the local_negative_timeout option.

See full release notes here.