I decided to test new sssd/KCM and this is what I get:

- ssh from non sssd/krb machine to new sssd machine, entered password
~ $ klist
Ticket cache: KCM:1001
Default principal: jo...@infinera.com

Valid starting     Expires            Service principal
10/05/21 16:47:32  11/05/21 02:47:32  krbtgt/infinera....@infinera.com
        renew until 17/05/21 16:47:32
~ $ ksu
ksu: Ccache function not supported: not implemented while selecting the best principal

I also have mit-krb5 master installed.

Did I miss something?
 
On Mon, 2021-05-10 at 15:49 +0200, Pavel Březina wrote:
> # SSSD 2.5.0
> 
> The SSSD team is proud to announce the release of version 2.5.0 of the
> System Security Services Daemon. The tarball can be downloaded from:
>      
> https://github.com/SSSD/sssd/releases/tag/2.5.0
> 
> See the full release notes at:
>      
> https://sssd.io/release-notes/sssd-2.5.0.html
> 
> RPM packages will be made available for Fedora shortly.
> 
> ## Feedback
> 
> Please provide comments, bugs and other feedback via the sssd-devel
> or sssd-users mailing lists:
>      
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
>      
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
> 
> ## Highlights
> 
> ### General information
> 
> * `secrets` support is deprecated and will be removed in one of the next 
> versions of SSSD.
> * `local-provider` is deprecated and will be removed in one of the next 
> versions of SSSD.
> * SSSD's implementation of `libwbclient` was removed as incompatible 
> with modern version of Samba.
> * This release deprecates `pcre1` support. This support will be removed 
> completely in following releases.
> * A home directory from a dedicated user override, either local or 
> centrally managed by IPA, will have a higher precedence than the 
> `override_homedir` option.
> * `debug-to-files`, `debug-to-stderr` command line and undocumented 
> `debug_to_files` config options were removed.
> 
> ### New features
> 
> * Added support for automatic renewal of renewable TGTs that are stored 
> in KCM ccache. This can be enabled by setting `tgt_renewal = true`. See 
> the sssd-kcm man page for more details. This feature requires MIT 
> Kerberos krb5-1.19-0.beta2.3 or higher.
> * Background sudo periodic tasks (smart and full refresh) periods are now 
> extended by a random offset to spread the load on the server in 
> environments with many clients. The random offset can be changed with 
> `ldap_sudo_random_offset`.
> * Completing a sudo full refresh now postpones the smart refresh by 
> `ldap_sudo_smart_refresh_interval` value. This ensures that the smart 
> refresh is not run too soon after a successful full refresh.
> * If `debug_backtrace_enabled` is set to `true` then on any error all 
> prior debug messages (to some limit) are printed even if `debug_level` 
> is set to low value (for details see `man sssd.conf`: 
> `debug_backtrace_enabled` description).
> * Besides trusted domains known by the forest root, trusted domains 
> known by the local domain are used as well.
> * New configuration option `offline_timeout_random_offset` to control 
> random factor in backend probing interval when SSSD is in offline mode.
> 
> ### Important fixes
> 
> * `ad_gpo_implicit_deny` is now respected even if there are no 
> applicable GPOs present
> * During the IPA subdomains request a failure in reading a single 
> specific configuration option is not considered fatal and the request 
> will continue
> * unknown IPA id-range types are not considered as an error
> * SSSD spec file `%postun` no longer tries to restart services that 
> cannot be restarted directly, to stop producing systemd warnings
> 
> ### Configuration changes
> 
> * Added `tgt_renewal`, `tgt_renewal_inherit`, and `krb5_*` KCM options 
> to enable, and tune behavior of new KCM renewal feature.
> * Added `ldap_sudo_random_offset` (default to `30`) to add a random 
> offset to background sudo periodic tasks (smart and full refresh).
> * Introduced new option `debug_backtrace_enabled` to control debug 
> backtrace.
> * Added `offline_timeout_random_offset` configuration option to control 
> maximum size of random offset added to offline timeout SSSD backend 
> probing interval.
> * Long time deprecated and undocumented `debug_to_files` option was removed.

_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
