The cifs.idmap(8) userspace helper relies on a plugin to handle the
ID mapping. This package contains the ID mapping plugin that will use
sssd.
In SUSE systems, only one such plugin can be installed at a time
(either the one from sssd, or from cifs-utils).
Without the plugin, file objects in a mounted share have UID/GID of
the original mounting process.
Provides
Requires
License
GPL-3.0-or-later AND LGPL-3.0-or-later
Changelog
* Thu Jul 31 2025 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.11.1
* Fixed AD users in external groups not being cleared once the
cache expires.
* Fixed `cache_credentials=true` not having any effect.
* Fixed socket activation not having an effect for sssd_pam.
* Fri Jul 18 2025 Jan Engelhardt <jengelh@inai.de>
- Add logrotate.patch [boo#1246537]
* Wed Jun 11 2025 Samuel Cabrero <scabrero@suse.de>
- Install file in krb5.conf.d to include sssd krb5 config snippets;
(bsc#1244325);
* Thu Jun 05 2025 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.11
* The deprecated tool `sss_ssh_knownhostsproxy` was finally
removed.
* Support for `id_provider = files` was removed.
* SSSD doesn't create any more missing path components of
DIR:/FILE: ccache types while acquiring user's TGT.
* New generic id and auth provider for Identity Providers (IdPs)
for Keycloak/EntraID. [Not enabled in openSUSE for now.]
* Tue Mar 11 2025 Jan Engelhardt <jengelh@inai.de>
- Run mkdir/rm with verbose mode for the build log
* Thu Jan 30 2025 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.10.2
* If the ssh responder is not running, sss_ssh_knownhosts will
not fail (but it will not return the keys).
* SSSD is now capable of handling multiple services associated
with the same port.
* sssd_pam, being a privileged binary, now clears the
environment and does not allow configuration of the
PR_SET_DUMPABLE flag as a precaution.
* Wed Jan 22 2025 Dominique Leuenberger <dimstar@opensuse.org>
- Drop build dependency on ncsd, which has been deprecated
(boo#1239262).
* Tue Jan 21 2025 Samuel Cabrero <scabrero@suse.de>
- Migrate away from update-alternatives, replaced by package
conflicts; (bsc#1235789); (bsc#1216739);
* Tue Dec 10 2024 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.10.1
* SSSD does not create anymore missing path components of
DIR:/FILE: ccache types while acquiring user's TGT. The
parent directory of requested ccache directory must exist and
the user trying to log in must have rwx access to this
directory. This matches behavior of /usr/bin/kinit.
* The option default_domain_suffix is deprecated.
- Delete 0001-Configuration-make-sure-etc-sssd-and-everything.patch,
0001-INI-relax-config-files-checks.patch,
0001-INI-stop-using-libini_config-for-access-check.patch,
0001-sssd-always-print-path-when-config-object-is-rejecte.patch
(merged)
- Add 0001-TOOL-Fix-build-parameter-name-omitted.patch
* Tue Oct 15 2024 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.10.0
* The ``sssctl cache-upgrade`` command was removed. SSSD
performs automatic upgrades at startup when needed.
* Support of ``enumeration`` feature (i.e. ability to list all
users/groups using ``getent passwd/group`` without argument)
for AD/IPA providers is deprecated and might be removed in
further releases.
* The new tool ``sss_ssh_knownhosts`` can be used with ssh's
``KnownHostsCommand`` configuration option to retrieve the
host's public keys from a remote server (FreeIPA, LDAP,
etc.). It replaces ```sss_ssh_knownhostsproxy``.
* The default value for ``ldap_id_use_start_tls`` changed from
false to true for improved security.
* https://github.com/SSSD/sssd/releases/tag/2.10.0
- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch,
0001-INI-stop-using-libini_config-for-access-check.patch,
0001-INI-relax-config-files-checks.patch,
0001-Configuration-make-sure-etc-sssd-and-everything.patch
- Fix socket activation of responders
- Daemon runs now as unprivileged user 'sssd'
* Tue Oct 01 2024 Jan Engelhardt <jengelh@inai.de>
- Update filelists involving memberof.so and idmap/sss.so to
avoid gobbling up one file into multiple sssd subpackages.
(Between samba-4.20 and 4.21, %ldbdir changes from
/usr/lib64/ldb2/modules/ldb to /usr/lib64/samba/ldb, so now
`%_libdir/samba` is a bit too broad.)
* Wed Jul 17 2024 Samuel Cabrero <scabrero@suse.de>
- Fix spec file for openSUSE ALP and SUSE SLFO, where the
python3_fix_shebang_path RPM macro is not available
* Thu Jul 11 2024 Samuel Cabrero <scabrero@suse.de>
- Revert the change dropping the default configuration file. If
/usr/etc exists will be installed there, otherwise in /etc.
(bsc#1226157);
* Thu May 16 2024 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.9.5
* Added failover_primary_timout configuration option. This can
be used to configure how often SSSD tries to reconnect to a
primary server after a successful connection to a backup
server. This was previously hardcoded to 31 seconds which is
kept as the default value.
* Fri Mar 08 2024 pgajdos@suse.com
- remove dependency on /usr/bin/python3 using
%python3_fix_shebang_path macro, [bsc#1212476]
* Fri Jan 12 2024 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.9.4
* Fixes a crash when PAM passkey processing incorrectly handles
non-passkey data.
* Fixed group membership handling when members are coming from
different forest domains and using ldap token groups is
prohibited.
* Files provider was erroneously taking into consideration
``local_auth_policy`` config option, thus breaking smartcard
authentication of local user in setups that did not explicitly
specify this option. This is now fixed.
* Tue Nov 21 2023 Samuel Cabrero <scabrero@suse.de>
- Adapt spec file for SLE 15 SP6/Leap 15.6; (jsc#PED-6714);
* Remove package sssd-common, merged into sssd
* Continue building deprecated files provider and infopipe
responder
* Disable selinux and semanage
* Provide rcsssd shortcut
* Fri Nov 17 2023 Samuel Cabrero <scabrero@suse.de>
- Fix spec file for Leap
* Fri Nov 17 2023 Samuel Cabrero <scabrero@suse.de>
- /usr/etc migration, restore /etc/sssd/sssd.conf.rpmsave after
update (bsc#1216865)
- Do not install the KRB5 IDP plugin, it is useless without the
OIDC child
- Drop no longer valid --without-secrets configure switch
* Mon Nov 13 2023 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.9.3
* The proxy provider is now able to handle certificate mapping
and matching rules and users handled by the proxy provider can
be configured for local Smartcard authentication. Besides the
mapping rule local Smartcard authentication should be enabled
with the `local_auth_policy` option in the backend and with
`pam_cert_auth` in the PAM responder.
* Thu Nov 02 2023 Jan Engelhardt <jengelh@inai.de>
- Offer the sssd.conf template as %doc (for examples, do actually
see the "Examples" section of the sssd.conf(5) manpage)
* Tue Oct 31 2023 Samuel Cabrero <scabrero@suse.de>
- Update dependencies to require the same subpackages version and
release
- Fix /usr/etc migration fragment in wrong "%pre kcm" instead of
"%pre"
- Move sss_analyze to sssd-tools package
* Tue Oct 31 2023 Jan Engelhardt <jengelh@inai.de>
- Default config is unworkable, just stop installing it altogether
[boo#1216739]
* Thu Sep 07 2023 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.9.2
* sssctl cert-show and cert-show cert-eval-rule can now be run as
non-root user.
* New option local_auth_policy is added to control which offline
authentication methods will be enabled by SSSD.
* Fix sssd entering failed state under heavy load by adding
watchdog to monitor sbus_call_DBus_Hello_send(); (bsc#1213283);
Drop SLE patch 0001-sssd-watchdog.patch
* Fri Jun 23 2023 Jan Engelhardt <jengelh@inai.de>
- Update to relese 2.9.1
* A regression was fixed that prevented autofs lookups to
function correctly when cache_first is set to True.
* A regression where SSSD failed to properly watch for changes
in ``/etc/resolv.conf`` when it was a symbolic link or was a
relative path, was fixed.
* ldap password policy: return failure if there are no grace logins
left; (bsc#1214434); Drop SLE patch
0006-ldap-return-failure-if-there-are-no-grace-logins-lef.patch
* Fri May 05 2023 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.9
* The sss_simpleifp library is deprecated (and for openSUSE,
already removed)
* The "Files provider" (i.e. id_provider = files) is deprecated
(and for openSUSE, already removed)
* SSSD will no longer warn about changed defaults when using
ldap_schema = rfc2307 and default autofs mapping.
* New passkey functionality, which will allow the use of FIDO2
compliant devices to authenticate a centrally managed user
locally.
* Add support for ldapi:// URLs to allow connections to local
LDAP servers.
* NSS IDMAP has two new methods: getsidbyusername and
getsidbygroupname.
* Thu Jan 26 2023 Callum Farmer <gmbr3@opensuse.org>
- Move dbus-1 system.d file to /usr (bsc#1207586)
* Tue Jan 03 2023 Stefan Schubert <schubi@suse.com>
- Migration of PAM settings to /usr/lib/pam.d.
* Wed Dec 21 2022 Jan Engelhardt <jengelh@inai.de>
- Take systemd units off the restart list that have
RefuseManualStart=yes [boo#1206592]
- Add symvers.patch [boo#1206592] [bsc#1182058] [bsc#1196166]
* Sun Dec 11 2022 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.8.2
* New mapping template for serial number, subject key id, SID,
certificate hashes and DN components are added to
libsss_certmap.
* Fri Nov 04 2022 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.8.1
* A regression when running sss_cache when no SSSD domain is
enabled would produce a syslog critical message was fixed.
* Fri Oct 07 2022 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.8.0
* Introduced the dbus function
org.freedesktop.sssd.infopipe.Users.ListByAttr(attr, value,
limit) listing upto limit users matching the filter
attr=value.
* sssctl is now able to create, list and delete indexes on the
local caches. Indexes are useful for the new D-Bus
ListByAttr() function.
* sssctl is now able to read and set each component's debug
level independently.
* A number of new configuration options are available,
cf. https://sssd.io/release-notes/sssd-2.8.0.html .
* Fix sdap_access_host No matching host rule found;
(bsc#1202559); Drop SLE patch
0001-Fix-sdap_access_host-No-matching-host-rule-found.patch
* Accept krb5 1.20 for building the PAC plugin; Drop SLE patch
0004-BUILD-Accept-krb5-1.20-for-building-the-PAC-plugin.patch
* Thu Sep 01 2022 Stefan Schubert <schubi@suse.com>
- Migration to /usr/etc: Saving user changed configuration files
in /etc and restoring them while an RPM update.
* Fri Aug 26 2022 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.7.4
* Lock-free client support will be only built if libc provides
pthread_key_create() and pthread_once(). For glibc this means
version 2.34+.
* Mon Jul 04 2022 Jan Engelhardt <jengelh@inai.de>
- Update to release 2.7.3
* All SSSD client libraries (nss, pam, etc) won't serialize
requests anymore by default, i.e. requests from multiple
threads can be executed in parallel. Old behavior
(serialization) can be enabled by setting environment
variable "SSS_LOCKFREE" to "NO".
* Tue Jun 21 2022 Stefan Schubert <schubi@localhost>
- Removed %config flag for files in /usr d