3.1.3
What's Changed
NSS and Group Resolution
- Added initgroups_dyn support for nss_himmelblau, allowing glibc to fetch supplementary groups for a specific user directly instead of enumerating all Entra ID groups.
- Improved login and session startup performance for users with many group memberships, especially in flows such as GDM session setup where group initialization is required.
- Added a targeted daemon request for NSS initgroups lookups, returning only the relevant GID list from the cached user token.
Reliability
- Fixed a systemd startup deadlock where NSS or PAM could call back into himmelblaud while systemd was still launching himmelblaud.service or himmelblaud-tasks.service.
- NSS and PAM now detect Himmelblau service activation through SYSTEMD_ACTIVATION_UNIT and return immediately instead of attempting daemon socket communication during service startup.
- This improves boot and service recovery behavior on systems where Himmelblau is present in nsswitch.conf or the PAM stack.
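The guard described in the Reliability items, sketched as an added example (not Himmelblau's own code). It assumes SYSTEMD_ACTIVATION_UNIT carries the name of the unit being started and that "return immediately" maps to an unavailable status; `Lookup`, `starting_himmelblau`, `initgroups` and the `ask_daemon` closure are hypothetical names.

```rust
use std::env;

/// Units named in the release notes; a lookup must never wait on them.
const HIMMELBLAU_UNITS: [&str; 2] = ["himmelblaud.service", "himmelblaud-tasks.service"];

/// Simplified stand-in for an NSS status (assumption, not glibc's type).
#[derive(Debug, PartialEq)]
enum Lookup {
    Groups(Vec<u32>),
    Unavailable,
}

/// True when the activation unit is one of the Himmelblau services.
/// Assumption: the variable's value is the unit name being started.
fn starting_himmelblau(activation_unit: Option<&str>) -> bool {
    activation_unit.map_or(false, |u| HIMMELBLAU_UNITS.contains(&u))
}

/// initgroups-style lookup that checks the guard before any daemon I/O.
/// `ask_daemon` stands in for the socket round trip to himmelblaud.
fn initgroups<F>(user: &str, activation_unit: Option<&str>, ask_daemon: F) -> Lookup
where
    F: FnOnce(&str) -> Option<Vec<u32>>,
{
    if starting_himmelblau(activation_unit) {
        // The daemon is still being launched: waiting on its socket here is
        // the deadlock. Report unavailable so other sources can answer.
        return Lookup::Unavailable;
    }
    match ask_daemon(user) {
        Some(gids) => Lookup::Groups(gids),
        None => Lookup::Unavailable,
    }
}

fn main() {
    let unit = env::var("SYSTEMD_ACTIVATION_UNIT").ok();
    // Constructed sample data: a fake daemon answering with two GIDs.
    let result = initgroups("alice@example.com", unit.as_deref(), |_| Some(vec![5001, 5002]));
    println!("{:?}", result);
}
```

The check runs before any socket call, so a lookup made while either unit is starting never blocks on the daemon that systemd is still launching.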
PAM and Authentication Integration
- Adjusted PAM package installation behavior so automatic PAM configuration is only applied during the initial install, avoiding resets of administrator-managed PAM, authselect, or pam-config state during upgrades.
- Improved RPM post-install handling for authselect, pam-config, and fallback aad-tool configure-pam flows so only one successful configuration path is applied.
- Preserved existing GDM keyring token handling so graphical logins can continue passing the authenticated secret to the keyring where applicable.
SELinux
- Updated SELinux policy to allow unconfined_service_t to search himmelblaud_t directories.
- This resolves access denials for unconfined services that need to interact with Himmelblau-managed runtime paths.
Packaging / Build / CI
- Bumped the workspace and package versions from 3.1.2 to 3.1.3.
- Updated RPM packaging scripts for safer PAM configuration behavior on install versus upgrade.
Documentation
- No documentation changes were included in this release.
Full Changelog: 3.1.2...3.1.3