# SSSD 2.12.0
The SSSD team is announcing the release of version 2.12.0 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/2.12.0
See the full release notes at:
https://sssd.io/release-notes/sssd-2.12.0.html
RPM packages will be made available for Fedora shortly.
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
# SSSD 2.12.0 Release Notes
## Highlights
### General information
* At startup SSSD already creates a Kerberos configuration snippet,
typically in `/var/lib/sss/pubconf/krb5.include.d/localauth_plugin`, if
the AD or IPA providers are used. This enables SSSD's localauth plugin.
Starting with this release the an2ln plugin is disabled in the
configuration snippet as well. If this file or its content is included
in the Kerberos configuration, it fixes CVE-2025-11561.
* The previously deprecated `--with-extended-enumeration-support`
`./configure` option was removed.
* SSSD now allows using machine credentials from a trusted AD domain or
Kerberos realm if no suitable domain-local credentials are available.
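The fix described above only takes effect when the Kerberos configuration actually pulls the snippet in. The following check is an added example, not part of the release notes or of SSSD itself: it reports whether a `krb5.conf` includes the snippet (by `includedir` of its directory or by a direct `include`, following `include` chains) and whether the snippet on disk references an2ln. The default paths are the ones named above; any other paths are arguments you supply.

```shell
#!/bin/sh
# Added check (not from the SSSD release notes): does a krb5.conf actually pull
# in SSSD's localauth snippet? The 2.12.0 an2ln change only matters if it does.
# SNIPPET_DEFAULT is the typical path named in the notes; override via $2.
SNIPPET_DEFAULT=/var/lib/sss/pubconf/krb5.include.d/localauth_plugin

# krb5_includes_snippet CONF SNIPPET [DEPTH]
# Returns 0 if CONF, or a file it pulls in via "include", carries an "includedir"
# for the snippet's directory or an "include" of the snippet itself; else 1.
krb5_includes_snippet() {
    conf=$1; snippet=$2; depth=${3:-0}
    dir=$(dirname "$snippet")
    [ -r "$conf" ] && [ "$depth" -lt 8 ] || return 1   # unreadable, or include loop
    # Drop comments (# or ;) and leading blanks, then look at include directives.
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' "$conf" |
    while read -r kw arg rest; do
        case $kw in
            includedir)
                [ "${arg%/}" = "${dir%/}" ] && { echo hit; break; } ;;
            include)
                if [ "$arg" = "$snippet" ]; then echo hit; break
                elif krb5_includes_snippet "$arg" "$snippet" $((depth + 1)); then
                    echo hit; break
                fi ;;
        esac
    done | grep -q hit
}

# snippet_mentions_an2ln SNIPPET: 0 if the snippet references the an2ln plugin
# (what 2.12.0 writes there), 1 if absent or unreadable (likely an older snippet).
snippet_mentions_an2ln() {
    [ -r "$1" ] && grep -q 'an2ln' "$1"
}

conf=${1:-/etc/krb5.conf}; snippet=${2:-$SNIPPET_DEFAULT}
if krb5_includes_snippet "$conf" "$snippet"; then
    echo "$conf includes $snippet"
else
    echo "$conf does NOT include $snippet: SSSD localauth settings are not in effect"
fi
if snippet_mentions_an2ln "$snippet"; then
    echo "snippet references an2ln (2.12.0-style snippet)"
else
    echo "snippet does not reference an2ln (older SSSD, or file missing)"
fi
```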
### New features
* SSSD now supports authentication mechanism selection through PAM using
a JSON-based protocol. This feature enables passwordless authentication
mechanisms in GUI login environments that support the protocol. The
feature will be supported by GNOME Display Manager (GDM) starting with
GNOME 50. While currently optimized for GNOME, the JSON protocol design
allows for future support in other display managers. authselect is the
recommended approach and will handle the necessary PAM stack
modifications automatically starting with version 1.7 through the new
option `with-switchable-auth`, which provides a new PAM service called
`switchable-auth`. Manual PAM configuration is also possible. For more
technical details and implementation specifications, see the design
documentation: https://sssd.io/design-pages/passwordless_gdm.html
### Packaging changes
* This update makes it possible not to grant CAP_SETUID and CAP_SETGID
to the `krb5_child` binary when storing the acquired TGT after user
authentication is not required. Taking into account that it is already
possible to avoid using CAP_DAC_READ_SEARCH if the keytab is readable by
the SSSD service user, and that `selinux_child` isn't always required,
this allows building a setup with a completely privilege-less SSSD to
serve certain use cases. In particular, this might be used to build a
container running SSSD on OCP with a restricted profile.
* A new configure option `--with-ldb-modules-path=PATH` specifies the
LDB modules path at build time.
* The `--with-allow-remote-domain-local-groups` `./configure` option was
removed.
### Configuration changes
* An option `ipa_enable_dns_sites`, that never worked due to missing
server side implementation, was removed.
* A new option `pam_json_services` is now available to enable JSON
protocol to communicate the available authentication mechanisms.
* The default value of the `session_provider` option was changed to
`none` (i.e. disabled) regardless of which `id_provider` is used.
Previously `session_provider` was enabled by default for the
`id_provider = ipa` case. The primary tool it was intended to support,
"Fleet Commander," has become obsolete.
* The option `ipa_subid_ranges_search_base` was deprecated in favor of
`ldap_subid_ranges_search_base`.
* Support of previously deprecated `ad_allow_remote_domain_local_groups`
config option was removed completely.
* `ipa_dyndns_update`, `ipa_dyndns_ttl`, and `ipa_dyndns_iface` legacy
options were removed.
* A new option, `dyndns_address`, has been introduced to specify network
addresses that are allowed or excluded from dynamic DNS updates. The
`dyndns_iface` option has been extended to support the exclusion of
network interfaces.
--
_______________________________________________
sssd-users mailing list