Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

sssd-krb5-common-2.9.5-1.2 RPM for s390x

From OpenSuSE Ports Tumbleweed for s390x

Name: sssd-krb5-common Distribution: openSUSE:Factory:zSystems
Version: 2.9.5 Vendor: openSUSE
Release: 1.2 Build date: Thu May 16 14:13:02 2024
Group: System/Daemons Build host: reproducible
Size: 327080 Source RPM: sssd-2.9.5-1.2.src.rpm
Packager: https://bugs.opensuse.org
Url: https://github.com/SSSD/sssd
Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
Provides helper processes that the LDAP and Kerberos back ends can
use for Kerberos user or host authentication.

Provides

Requires

License

GPL-3.0-or-later

Changelog

* Thu May 16 2024 Jan Engelhardt <jengelh@inai.de>
  - Update to release 2.9.5
    * Added failover_primary_timout configuration option. This can
      be used to configure how often SSSD tries to reconnect to a
      primary server after a successful connection to a backup
      server. This was previously hardcoded to 31 seconds which is
      kept as the default value.
* Fri Mar 08 2024 pgajdos@suse.com
  - remove dependency on /usr/bin/python3 using
    %python3_fix_shebang_path macro, [bsc#1212476]
* Fri Jan 12 2024 Jan Engelhardt <jengelh@inai.de>
  - Update to release 2.9.4
    * Fixes a crash when PAM passkey processing incorrectly handles
      non-passkey data.
    * Fixed group membership handling when members are coming from
      different forest domains and using ldap token groups is
      prohibited.
    * Files provider was erroneously taking into consideration
      ``local_auth_policy`` config option, thus breaking smartcard
      authentication of local user in setups that did not explicitly
      specify this option. This is now fixed.
* Tue Nov 21 2023 Samuel Cabrero <scabrero@suse.de>
  - Adapt spec file for SLE 15 SP6/Leap 15.6; (jsc#PED-6714);
    * Remove package sssd-common, merged into sssd
    * Continue building deprecated files provider and infopipe
      responder
    * Disable selinux and semanage
    * Provide rcsssd shortcut
* Fri Nov 17 2023 Samuel Cabrero <scabrero@suse.de>
  - Fix spec file for Leap
* Fri Nov 17 2023 Samuel Cabrero <scabrero@suse.de>
  - /usr/etc migration, restore /etc/sssd/sssd.conf.rpmsave after
    update (bsc#1216865)
  - Do not install the KRB5 IDP plugin, it is useless without the
    OIDC child
  - Drop no longer valid --without-secrets configure switch
* Mon Nov 13 2023 Jan Engelhardt <jengelh@inai.de>
  - Update to release 2.9.3
    * The proxy provider is now able to handle certificate mapping
      and matching rules and users handled by the proxy provider can
      be configured for local Smartcard authentication. Besides the
      mapping rule local Smartcard authentication should be enabled
      with the `local_auth_policy` option in the backend and with
      `pam_cert_auth` in the PAM responder.
* Thu Nov 02 2023 Jan Engelhardt <jengelh@inai.de>
  - Offer the sssd.conf template as %doc (for examples, do actually
    see the "Examples" section of the sssd.conf(5) manpage)
* Tue Oct 31 2023 Samuel Cabrero <scabrero@suse.de>
  - Update dependencies to require the same subpackages version and
    release
  - Fix /usr/etc migration fragment in wrong "%pre kcm" instead of
    "%pre"
  - Move sss_analyze to sssd-tools package
* Tue Oct 31 2023 Jan Engelhardt <jengelh@inai.de>
  - Default config is unworkable, just stop installing it altogether
    [boo#1216739]
* Thu Sep 07 2023 Jan Engelhardt <jengelh@inai.de>
  - Update to release 2.9.2
    * sssctl cert-show and cert-show cert-eval-rule can now be run as
      non-root user.
    * New option local_auth_policy is added to control which offline
      authentication methods will be enabled by SSSD.
    * Fix sssd entering failed state under heavy load by adding
      watchdog to monitor sbus_call_DBus_Hello_send(); (bsc#1213283);
      Drop SLE patch 0001-sssd-watchdog.patch
* Fri Jun 23 2023 Jan Engelhardt <jengelh@inai.de>
  - Update to relese 2.9.1
    * A regression was fixed that prevented autofs lookups to
      function correctly when cache_first is set to True.
    * A regression where SSSD failed to properly watch for changes
      in ``/etc/resolv.conf`` when it was a symbolic link or was a
      relative path, was fixed.
    * ldap password policy: return failure if there are no grace logins
      left; (bsc#1214434); Drop SLE patch
      0006-ldap-return-failure-if-there-are-no-grace-logins-lef.patch
* Fri May 05 2023 Jan Engelhardt <jengelh@inai.de>
  - Update to release 2.9
    * The sss_simpleifp library is deprecated (and for openSUSE,
      already removed)
    * The "Files provider" (i.e. id_provider = files) is deprecated
      (and for openSUSE, already removed)
    * SSSD will no longer warn about changed defaults when using
      ldap_schema = rfc2307 and default autofs mapping.
    * New passkey functionality, which will allow the use of FIDO2
      compliant devices to authenticate a centrally managed user
      locally.
    * Add support for ldapi:// URLs to allow connections to local
      LDAP servers.
    * NSS IDMAP has two new methods: getsidbyusername and
      getsidbygroupname.
* Thu Jan 26 2023 Callum Farmer <gmbr3@opensuse.org>
  - Move dbus-1 system.d file to /usr (bsc#1207586)
* Tue Jan 03 2023 Stefan Schubert <schubi@suse.com>
  - Migration of PAM settings to /usr/lib/pam.d.
* Wed Dec 21 2022 Jan Engelhardt <jengelh@inai.de>
  - Take systemd units off the restart list that have
    RefuseManualStart=yes [boo#1206592]
  - Add symvers.patch [boo#1206592] [bsc#1182058] [bsc#1196166]
* Sun Dec 11 2022 Jan Engelhardt <jengelh@inai.de>
  - Update to release 2.8.2
    * New mapping template for serial number, subject key id, SID,
      certificate hashes and DN components are added to
      libsss_certmap.
* Fri Nov 04 2022 Jan Engelhardt <jengelh@inai.de>
  - Update to release 2.8.1
    * A regression when running sss_cache when no SSSD domain is
      enabled would produce a syslog critical message was fixed.
* Fri Oct 07 2022 Jan Engelhardt <jengelh@inai.de>
  - Update to release 2.8.0
    * Introduced the dbus function
      org.freedesktop.sssd.infopipe.Users.ListByAttr(attr, value,
      limit) listing upto limit users matching the filter
      attr=value.
    * sssctl is now able to create, list and delete indexes on the
      local caches. Indexes are useful for the new D-Bus
      ListByAttr() function.
    * sssctl is now able to read and set each component's debug
      level independently.
    * A number of new configuration options are available,
      cf. https://sssd.io/release-notes/sssd-2.8.0.html .
    * Fix sdap_access_host No matching host rule found;
      (bsc#1202559); Drop SLE patch
      0001-Fix-sdap_access_host-No-matching-host-rule-found.patch
    * Accept krb5 1.20 for building the PAC plugin; Drop SLE patch
      0004-BUILD-Accept-krb5-1.20-for-building-the-PAC-plugin.patch
* Thu Sep 01 2022 Stefan Schubert <schubi@suse.com>
  - Migration to /usr/etc: Saving user changed configuration files
    in /etc and restoring them while an RPM update.
* Fri Aug 26 2022 Jan Engelhardt <jengelh@inai.de>
  - Update to release 2.7.4
    * Lock-free client support will be only built if libc provides
      pthread_key_create() and pthread_once(). For glibc this means
      version 2.34+.
* Mon Jul 04 2022 Jan Engelhardt <jengelh@inai.de>
  - Update to release 2.7.3
    * All SSSD client libraries (nss, pam, etc) won't serialize
      requests anymore by default, i.e. requests from multiple
      threads can be executed in parallel. Old behavior
      (serialization) can be enabled by setting environment
      variable "SSS_LOCKFREE" to "NO".
* Tue Jun 21 2022 Stefan Schubert <schubi@localhost>
  - Removed %config flag for files in /usr directory.
* Tue Jun 21 2022 Stefan Schubert <schubi@suse.com>
  - Moved logrotate files from user-specific directory /etc/logrotate.d
    to vendor-specific directory /usr/etc/logrotate.d.
* Wed Jun 15 2022 Samuel Cabrero <scabrero@suse.de>
  - Use pam rpm macros to avoid hardcoding the directory names;
    (bsc#1191047);
  - Do not take ownership of %_pam_confdir directory, it is owned by
    pam package
* Mon Jun 13 2022 Jan Engelhardt <jengelh@inai.de>
  - Update to release 2.7.2
    * A sssd-2.7.1 regression preventing successful authentication of
      IPA users was fixed.
    * Default value of pac_check changed to check_upn,
      check_upn_dns_info_ex (for AD and IPA provider).
* Thu Jun 02 2022 Jan Engelhardt <jengelh@inai.de>
  - Update to release 2.7.1
    * SSSD can now handle multi-valued RDNs if a unique name must
      be determined with the help of the RDN.
    * A regression in pam_sss_gss module causing a failure if
      KRB5CCNAME environment variable was not set was fixed.
    * New option `implicit_pac_responder` to control if the PAC
      responder is started for the IPA and AD providers; the
      default is true.
    * New option `krb5_check_pac` to control the PAC validation
      behavior.
    * Multiple `crl_file` arguments can be used in the
      `certificate_verification` option.
* Mon May 16 2022 Jan Engelhardt <jengelh@inai.de>
  - Enable subid_sss
* Thu Apr 14 2022 Jan Engelhardt <jengelh@inai.de>
  - Update to release 2.7.0
    * Better default for IPA/AD re_expression. Tunning for group
      names containing '@' is no longer needed.
    * A new debug level is added to show statistical and
      performance data.
    * Added support for anonymous PKINIT to get FAST credentials.
    * SSSD now correctly falls back to UPN search if the user was
      not found even with `cache_first = true`.
    * Add 'ldap_ignore_unreadable_references' parameter to skip
      unreadable objects referenced by 'member' attributte;
      (bsc#1190775); (gh#SSSD/sssd#4893); Drop SLE patch
      0001-ldap-ignore-unreadable-references.patch
* Mon Feb 21 2022 Callum Farmer <gmbr3@opensuse.org>
  - Enable selinux support
  - Update Supplements to new format
* Wed Feb 09 2022 Samuel Cabrero <scabrero@suse.de>
  - Remove caches only when performing a package downgrade. The sssd
    daemon takes care of upgrading the database format when necessary
    (bsc#1195552)
* Tue Jan 25 2022 Jan Engelhardt <jengelh@inai.de>
  - Update to release 2.6.3
    * A regression introduced in sssd-2.6.2 in the IPA provider
      that prevented users from login was fixed. Access control
      always denied access because the selinux_child returned an
      unexpected reply.
    * A critical regression that prevented authentication of users
      via AD and IPA providers was fixed. LDAP port was reused for
      Kerberos communication and this provider would send
      incomprehensible information to this port.
    * When authenticating AD users, backtrace was triggered even
      though everything was working correctly. This was caused by a
      search in the global catalog. Servers from the global catalog
      are filtered out of the list before writing the KDC info
      file. With this fix, SSSD does not attempt to write to the
      KDC info file when performing a GC lookup.
* Mon Jan 17 2022 Jan Engelhardt <jengelh@inai.de>
  - Upgrade LDB_DIR shell variable to %ldbdir macro.
* Tue Jan 11 2022 Samuel Cabrero <scabrero@suse.de>
  - Remove libsmbclient-devel BuildRequires in favor of
    pkgconfig(smbclient)
* Thu Dec 23 2021 Jan Engelhardt <jengelh@inai.de>
  - Update to release 2.6.2
    * Quick log out and log in did not correctly refresh user's
      initgroups in no_session PAM schema due to lingering systemd
      processes.
* Tue Nov 23 2021 Johannes Segitz <jsegitz@suse.com>
  - Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
    * harden_sssd-ifp.service.patch
    * harden_sssd-kcm.service.patch
* Tue Nov 09 2021 Jan Engelhardt <jengelh@inai.de>
  - Update to release 2.6.1
    * New infopipe method FindByValidCertificate().
    * The default value of the "ssh_hash_known_hosts" setting was
      changed to false for the sake of consistency with OpenSSH
      that does not hash host names by default.
* Fri Oct 15 2021 Jan Engelhardt <jengelh@inai.de>
  - Update to release 2.6.0
    * Support of legacy json format for ccaches was dropped.
    * Support of long time deprecated secrets responder was dropped.
    * Support of long time deprecated local provider was dropped.
    * The sssctl command was vulnerable to shell command injection
      via the logs-fetch and cache-expire subcommands,
      which was fixed; (CVE-2021-3621); (bsc#1189492); Drop SLE patch
      0002-TOOLS-replace-system-with-execvp-to-avoid-execution-.patch
    * Basic support of user's 'subuid and subgid ranges' for IPA
      provider and corresponding plugin for shadow-utils were added.
* Mon Jul 12 2021 Jan Engelhardt <jengelh@inai.de>
  - Update to release 2.5.2; (jsc#SLE-17763);
    * originalADgidNumber attribute in the SSSD cache is now indexed.
    * Add new config option fallback_to_nss.
* Tue Jun 08 2021 Jan Engelhardt <jengelh@inai.de>
  - Update to release 2.5.1
    * auto_private_groups option can be set centrally through ID
      range setting in IPA (see ipa idrange commands family). This
      feature requires SSSD update on both client and server. This
      feature also requires freeipa 4.9.4 and newer.
    * Fix getsidbyname issues with IPA users with a user-private-group.
    * Default value of ldap_sudo_random_offset changed to 0
      (disabled). This makes sure that sudo rules are available as
      soon as possible after SSSD start in default configuration.
* Mon May 10 2021 Jan Engelhardt <jengelh@inai.de>
  - Update to release 2.5.0
    * Added support for automatic renewal of renewable TGTs that
      are stored in KCM ccache. This can be enabled by setting
      tgt_renewal = true. See the sssd-kcm man page for more
      details. This feature requires MIT Kerberos
      krb5-1.19-0.beta2.3 or higher.
    * Backround sudo periodic tasks (smart and full refresh) periods are
      now extended by a random offset to spread the load on the server in
      environments with many clients.
    * Completing a sudo full refresh now postpones the smart refresh by
      ldap_sudo_smart_refresh_interval value. This ensure that the smart
      refresh is not run too soon after a successful full refresh.
    * If debug_backtrace_enabled is set to true then on any error all prior
      debug messages (to some limit) are printed even if debug_level is set
      to low value.
    * Besides trusted domains known by the forest root, trusted domains known
      by the local domain are used as well.
    * New configuration option offline_timeout_random_offset to control random
      factor in backend probing interval when SSSD is in offline mode.
    * ad_gpo_implicit_deny is now respected even if there are no
      applicable GPOs present.
    * During the IPA subdomains request a failure in reading a single specific
      configuration option is not considered fatal and the request will
      continue.
    * Unknown IPA id-range types are not considered as an error
* Tue Apr 06 2021 Samuel Cabrero <scabrero@suse.de>
  - Move sssctl command from sssd to sssd-tools package; (bsc#1184289);
* Thu Apr 01 2021 jeffm@suse.com
  - Add missing /var/lib/sss/pubconf/krb5.include.d directory (bsc#1184285).
* Tue Feb 23 2021 Aurelien Aptel <aaptel@suse.com>
  - Make cifs-idmap plugin (cifs_idmap_sss.so) use update-alternatives
    mechanism to be able to switch between cifs-utils and sssd;
    (bsc#1182682).
* Fri Feb 19 2021 Jan Engelhardt <jengelh@inai.de>
  - Update to release 2.4.2
    * Default value of "user" config option was fixed into
      accordance with man page, i.e. default is "root".
    * pam_sss_gss now support authentication indicators to further
      harden the authentication.
* Fri Feb 12 2021 Dominique Leuenberger <dimstar@opensuse.org>
  - Pass --with-pid-path=%{_rundir} to configure: adjust rundir
    according the distro settings, i.e. /run on modern systems.
    Eliminates a systemd warning like this one in the journal:
      Feb 12 12:33:32 zeus systemd[1]: /usr/lib/systemd/system/sssd.service:13:
      PIDFile= references a path below legacy directory /var/run/,
      updating /var/run/sssd.pid → /run/sssd.pid; please update the unit file accordingly.
* Fri Feb 05 2021 Jan Engelhardt <jengelh@inai.de>
  - Update to release 2.4.1
    * New PAM module pam_sss_gss for authentication using GSSAPI.
    * case_sensitive=Preserving can now be set for trusted domains
      with AD and IPA providers.
    * krb5_use_subdomain_realm=True can now be used when sub-domain
      user principal names have upnSuffixes which are not known in
      the parent domain. SSSD will try to send the Kerberos request
      directly to a KDC of the sub-domain.
    * SYSLOG_IDENTIFIER was renamed to SSSD_PRG_NAME in journald
      output, to avoid issues with PID parsing in rsyslog
      (BSD-style forwarder) output.
    * Added pam_gssapi_check_upn to enforce authentication only
      with principal that can be associated with target user.
    * Added pam_gssapi_services to list PAM services that can
      authenticate using GSSAPI.
    * Create timestamp attribute in cache objects if missing;
      (bsc#1182637);

Files

/usr/lib64/sssd
/usr/lib64/sssd/libsss_krb5_common.so
/usr/libexec/sssd
/usr/libexec/sssd/krb5_child
/usr/libexec/sssd/ldap_child


Generated by rpm2html 1.8.1

Fabrice Bellet, Tue Jul 9 12:37:36 2024