Resolves: RHEL-18395 - latest sssd breaks logging in via XDMCP for LDAP/Kerberos users
Resolves: RHEL-17498 - New sssd.conf seems not to be backwards compatible (wrt SmartCard auth of local users using 'files provider') [rhel-9]
Resolves: RHEL-21079 - SSSD GPO lacks group resolution on hosts [rhel-9]
Resolves: RHEL-19211 - Excessive logging to sssd_nss and sssd_be in multi-domain AD forest [rhel-9]
Resolves: RHEL-14427 - Expected cn in RDN, got uid
Resolves: RHEL-12229 - HANA validation on RHEL 9.2 issue possibly related to libc/nss_sss behaviour
Resolves: RHEL-3925 - SSSD goes offline when, while reading a single user, misses a required attribute (i.e. SID)
Resolves: RHEL-2319 - Passkey authentication for centrally managed users
Resolves: RHEL-4146 - Incorrect handling of reverse IPv6 update results in update failure
Resolves: RHEL-4971 - sssd-kcm does not appear to expire Kerberos tickets (RFE: sssd_kcm should have the option to automatically delete the expired tickets)
Resolves: rhbz#2196816 - [RHEL9] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed'
Resolves: rhbz#2162552 - sssd client caches old data after removing netgroup member on IDM
Resolves: rhbz#2189542 - [sssd] RHEL 9.3 Tier 0 Localization
Resolves: rhbz#2133854 - [RHEL9] In some cases when `sdap_add_incomplete_groups()` is called with `ignore_group_members = true`, groups should be treated as complete
Resolves: rhbz#1765354 - [RFE] - Show password expiration warning when IdM users login with SSH keys
Resolves: rhbz#1765354 - [RFE] - Show password expiration warning when IdM users login with SSH keys
Resolves: rhbz#1913839 - filter_groups doesn't filter GID from 'id' output: AD + 'ldap_id_mapping = True' corner case
Resolves: rhbz#2100789 - [Improvement] sssctl config-check command does not show an error when we don't have id_provider in the domain section
Resolves: rhbz#2152177 - [RFE] Add support for ldapi:// URLs
Resolves: rhbz#2164852 - man page entry should make clear that a nested group needs a name
Resolves: rhbz#2166627 - Improvement: sss_client: add 'getsidbyusername()' and 'getsidbygroupname()' and corresponding python bindings
Resolves: rhbz#2166943 - kinit switches KCM away from the newly issued ticket
Resolves: rhbz#2167728 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed)
Resolves: rhbz#1608496 - sssd failing to register dynamic DNS addresses against an AD server due to unnecessary DNS search
Resolves: rhbz#2110091 - SSSD doesn't handle changes in 'resolv.conf' properly (when started right before network service)
Resolves: rhbz#2136791 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level.
Resolves: rhbz#2139684 - [sssd] RHEL 9.2 Tier 0 Localization
Resolves: rhbz#2139837 - Analyzer: Optimize and remove duplicate messages in verbose list
Resolves: rhbz#2142794 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged
Resolves: rhbz#2144893 - changing password with ldap_password_policy = shadow does not take effect immediately
Resolves: rhbz#2148737 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around
The "Prepare results.yml in STI format" task in sssd-tasks.yml was set
to run after the pytest task. If pytest failed, the results were not
properly prepared and caused processing issues with the log results.
Moving the task to under always section.
Related: rhbz#2127510
Resolves: rhbz#1507035 - [RFE] SSSD does not support to change the user’s password when option ldap_pwd_policy equals to shadow in sssd.conf file
Resolves: rhbz#1766490 - Use negative cache better and domain checks for lookup by SIDs
Resolves: rhbz#1964121 - RFE: Add an option to sssd config to convert home directories to lowercase (or add a new template for the 'override_homedir' option)
Resolves: rhbz#2074307 - reduce debug level in case well_known_sid_to_name() fails
Resolves: rhbz#2096031 - SSSD: sdap_handle_id_collision_for_incomplete_groups debug message missing a new line
Resolves: rhbz#2103325 - Supported AD group types should be explained in the docs
Resolves: rhbz#2111388 - authenticating against external IdP services okta (native app) with OAuth client secret failed
Resolves: rhbz#2115171 - SSSD: duplicate dns_resolver_* option in man sssd.conf
Resolves: rhbz#2127492 - sssd timezone issues sudonotafter
Resolves: rhbz#2128840 - [RFE] provide dbus method to find users by attr
Resolves: rhbz#2128883 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict)
Resolves: rhbz#2136791 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level.
Resolves: rhbz#2139837 - Analyzer: Optimize and remove duplicate messages in verbose list
Resolves: rhbz#2119373 - sssctl analyze --logdir option requires sssd to be configured
Resolves: rhbz#2120657 - Incorrect request ID tracking from responder to backend
Resolves: rhbz#2109451 - virsh command will hang after the host run several auto test cases
Resolves: rhbz#2098654 - cache_req_data_set_hybrid_lookup: cache_req_data should never be NULL
Resolves: rhbz#2106685 - [regression] sssctl analyze fails to parse PAM related sssd logs
Resolves: rhbz#1936551 - [Improvement] Provide user feedback when login fails due to blocked PIN
Resolves: rhbz#1978119 - [Improvement] avoid interlocking among threads that use `libsss_nss_idmap` API (or other sss_client libs)
Resolves: rhbz#2062665 - [sssd] RHEL 9.1 Tier 0 Localization
Resolves: rhbz#1893192 - sdap_nested_group_deref_direct_process() triggers internal watchdog for large data sets
Resolves: rhbz#1927553 - [Improvement] add SSSD support for more than one CRL PEM file name with parameters certificate_verification and crl_file
Resolves: rhbz#2089216 - pam_sss_gss ceased to work after upgrade to 8.6
Resolves: rhbz#2090776 - Add idp authentication indicator in man page of sssd.conf
Resolves: rhbz#1927195 - sssd runs out of proxy child slots and doesn't clear the counter for Active requests
Resolves: rhbz#2073095 - Harden kerberos ticket validation
Resolves: rhbz#2082455 - 'getent hosts' not return hosts if they have more than one CN in LDAP
Resolves: rhbz#2087581 - Regression "Missing internal domain data." when setting ad_domain to incorrect
Resolves: rhbz#2072640 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop
Resolves: rhbz#2070189 - sssd error triggers backtrace : [write_krb5info_file_from_fo_server] (0x0020): [RID#73501] There is no server that can be written into kdc info file.
Resolves: rhbz#2070138 - SSSD authenticating to LDAP with obfuscated password produces Invalid authtoken type message causing sssd_be to go offline (cross inter_ference of different provider plugins options)
Resolves: rhbz#2065693 - [RHEL9] Ship new sub-package called sssd-idp into sssd
Resolves: rhbz#2065098 - Use right sdap_domain in ad_domain_info_send
Resolves: rhbz#2062716 - [Improvement] Add user and group version of sss_nss_getorigbyname()
Resolves: rhbz#2061795 - Unable to lookup AD user if the AD group contains '@' symbol
Resolves: rhbz#2056482 - [RFE] Add sssd internal krb5 plugin for authentication against external IdP via OAuth2
Resolves: rhbz#1937895 - SSSD update prompts for smartcard pin twice - After update to 7.9
Resolves: rhbz#1925559 - [RFE] Implement time logging for the LDAP queries and warning of high queries time
Resolves: rhbz#1915564 - sssd does not enforce smartcard auth for kde screen locker
Resolves: rhbz#1859751 - [RFE] Allow SSSD to use anonymous pkinit for FAST
Resolves: rhbz#1749279 - 2FA prompting setting ineffective
Resolves: rhbz#1661055 - sssd fails GPO-based access if AD have setup with Japanese language
Resolves: rhbz#1245367 - [RFE] Implement memory cache for SID requests to improve performance
Resolves: rhbz#2017390 - [sssd] RHEL 9.0 GA Tier 0 Localization
Resolves: rhbz#2013263 - [RHEL9] Add ability to parse child log files
Resolves: rhbz#2013262 - [RHEL9] Add tevent chain ID logic into responders
Resolves: rhbz#1992432 - Add client certificate validation D-Bus API
Resolves: rhbz#1940517 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs
Resolves: rhbz#1966201 - sssd: incorrect checks on length values during packet decoding in unpack_authtok()
Resolves: rhbz#977803 - incorrect checks of `strto*()` string to number convertion functions
Resolves: rhbz#1992432 - Add client certificate validation D-Bus API
Resolves: rhbz#1992973 - Lookup with fully-qualified name does not work with 'cache_first = True'
Resolves: rhbz#1996151 - Add support for CKM_RSA_PKCS in smart card authentication.
Resolves: rhbz#1998459 - 2.5.x based SSSD adds more AD domains than it should based on the configuration file (not trusted and from a different forest)
Resolves: rhbz#2000476 - disabled root ad domain causes subdomains to be marked offline
Resolves: rhbz#2014249 - Consistency in defaults between OpenSSH and SSSD
Resolves: rhbz#2029419 - 'exclude_groups' option provided in SSSD for session recording (tlog) doesn't work as expected
Resolves: rhbz#1954686
epel 9 is not availabe yet. epel 8 was removed from the rhel9 compose,
so added task in playbook to add epel 8 repo.
Pacakge python3-virtualenv is removed from rhel9. Removed it from list
of packages to install
Resolves: rhbz#1938876 - review of important potential issues detected by static analyzers in sssd-2.4.1-1.el9
Resolves: rhbz#1942277 - Wrong default debug level of sssd tools
Alexey Tikhonov
jvavra
Scott Poore
Mohan Boddu
Steeve Goveas
DistroBaker
Troy Dawson