Resolves: RHEL-18395 - latest sssd breaks logging in via XDMCP for LDAP/Kerberos users
Resolves: RHEL-17498 - New sssd.conf seems not to be backwards compatible (wrt SmartCard auth of local users using 'files provider') [rhel-9]
Resolves: RHEL-21079 - SSSD GPO lacks group resolution on hosts [rhel-9]
Resolves: RHEL-19211 - Excessive logging to sssd_nss and sssd_be in multi-domain AD forest [rhel-9]
Resolves: RHEL-14427 - Expected cn in RDN, got uid
Resolves: RHEL-12229 - HANA validation on RHEL 9.2 issue possibly related to libc/nss_sss behaviour
Resolves: RHEL-3925 - SSSD goes offline when, while reading a single user, misses a required attribute (i.e. SID)
Resolves: RHEL-2319 - Passkey authentication for centrally managed users
Resolves: RHEL-4146 - Incorrect handling of reverse IPv6 update results in update failure
Resolves: RHEL-4971 - sssd-kcm does not appear to expire Kerberos tickets (RFE: sssd_kcm should have the option to automatically delete the expired tickets)
Resolves: rhbz#2196816 - [RHEL9] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed'
Resolves: rhbz#2162552 - sssd client caches old data after removing netgroup member on IDM
Resolves: rhbz#2189542 - [sssd] RHEL 9.3 Tier 0 Localization
Resolves: rhbz#2133854 - [RHEL9] In some cases when `sdap_add_incomplete_groups()` is called with `ignore_group_members = true`, groups should be treated as complete
Resolves: rhbz#1765354 - [RFE] - Show password expiration warning when IdM users login with SSH keys
Resolves: rhbz#1765354 - [RFE] - Show password expiration warning when IdM users login with SSH keys
Resolves: rhbz#1913839 - filter_groups doesn't filter GID from 'id' output: AD + 'ldap_id_mapping = True' corner case
Resolves: rhbz#2100789 - [Improvement] sssctl config-check command does not show an error when we don't have id_provider in the domain section
Resolves: rhbz#2152177 - [RFE] Add support for ldapi:// URLs
Resolves: rhbz#2164852 - man page entry should make clear that a nested group needs a name
Resolves: rhbz#2166627 - Improvement: sss_client: add 'getsidbyusername()' and 'getsidbygroupname()' and corresponding python bindings
Resolves: rhbz#2166943 - kinit switches KCM away from the newly issued ticket
Resolves: rhbz#2167728 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed)
Resolves: rhbz#1608496 - sssd failing to register dynamic DNS addresses against an AD server due to unnecessary DNS search
Resolves: rhbz#2110091 - SSSD doesn't handle changes in 'resolv.conf' properly (when started right before network service)
Resolves: rhbz#2136791 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level.
Resolves: rhbz#2139684 - [sssd] RHEL 9.2 Tier 0 Localization
Resolves: rhbz#2139837 - Analyzer: Optimize and remove duplicate messages in verbose list
Resolves: rhbz#2142794 - SSSD: `sssctl analyze` command shouldn't require 'root' privileged
Resolves: rhbz#2144893 - changing password with ldap_password_policy = shadow does not take effect immediately
Resolves: rhbz#2148737 - UPN check cannot be disabled explicitly but requires krb5_validate = false' as a work-around
Resolves: rhbz#1507035 - [RFE] SSSD does not support to change the user’s password when option ldap_pwd_policy equals to shadow in sssd.conf file
Resolves: rhbz#1766490 - Use negative cache better and domain checks for lookup by SIDs
Resolves: rhbz#1964121 - RFE: Add an option to sssd config to convert home directories to lowercase (or add a new template for the 'override_homedir' option)
Resolves: rhbz#2074307 - reduce debug level in case well_known_sid_to_name() fails
Resolves: rhbz#2096031 - SSSD: sdap_handle_id_collision_for_incomplete_groups debug message missing a new line
Resolves: rhbz#2103325 - Supported AD group types should be explained in the docs
Resolves: rhbz#2111388 - authenticating against external IdP services okta (native app) with OAuth client secret failed
Resolves: rhbz#2115171 - SSSD: duplicate dns_resolver_* option in man sssd.conf
Resolves: rhbz#2127492 - sssd timezone issues sudonotafter
Resolves: rhbz#2128840 - [RFE] provide dbus method to find users by attr
Resolves: rhbz#2128883 - Cannot SSH with AD user to ipa-client (`krb5_validate` and `pac_check` settings conflict)
Resolves: rhbz#2136791 - Lower the severity of the log message for SSSD so that it is not shown at the default debug level.
Resolves: rhbz#2139837 - Analyzer: Optimize and remove duplicate messages in verbose list
Resolves: rhbz#1936551 - [Improvement] Provide user feedback when login fails due to blocked PIN
Resolves: rhbz#1978119 - [Improvement] avoid interlocking among threads that use `libsss_nss_idmap` API (or other sss_client libs)
Resolves: rhbz#2062665 - [sssd] RHEL 9.1 Tier 0 Localization
Resolves: rhbz#1893192 - sdap_nested_group_deref_direct_process() triggers internal watchdog for large data sets
Resolves: rhbz#1927553 - [Improvement] add SSSD support for more than one CRL PEM file name with parameters certificate_verification and crl_file
Resolves: rhbz#2089216 - pam_sss_gss ceased to work after upgrade to 8.6
Resolves: rhbz#2090776 - Add idp authentication indicator in man page of sssd.conf
Resolves: rhbz#1927195 - sssd runs out of proxy child slots and doesn't clear the counter for Active requests
Resolves: rhbz#2073095 - Harden kerberos ticket validation
Resolves: rhbz#2082455 - 'getent hosts' not return hosts if they have more than one CN in LDAP
Resolves: rhbz#2087581 - Regression "Missing internal domain data." when setting ad_domain to incorrect
Resolves: rhbz#2072640 - sssd_nss exiting (due to missing 'sssd' local user) making SSSD service to restart in a loop
Resolves: rhbz#2070189 - sssd error triggers backtrace : [write_krb5info_file_from_fo_server] (0x0020): [RID#73501] There is no server that can be written into kdc info file.
Resolves: rhbz#2070138 - SSSD authenticating to LDAP with obfuscated password produces Invalid authtoken type message causing sssd_be to go offline (cross inter_ference of different provider plugins options)
Resolves: rhbz#2065693 - [RHEL9] Ship new sub-package called sssd-idp into sssd
Resolves: rhbz#2065098 - Use right sdap_domain in ad_domain_info_send
Resolves: rhbz#2062716 - [Improvement] Add user and group version of sss_nss_getorigbyname()
Resolves: rhbz#2061795 - Unable to lookup AD user if the AD group contains '@' symbol
Resolves: rhbz#2056482 - [RFE] Add sssd internal krb5 plugin for authentication against external IdP via OAuth2
Resolves: rhbz#1937895 - SSSD update prompts for smartcard pin twice - After update to 7.9
Resolves: rhbz#1925559 - [RFE] Implement time logging for the LDAP queries and warning of high queries time
Resolves: rhbz#1915564 - sssd does not enforce smartcard auth for kde screen locker
Resolves: rhbz#1859751 - [RFE] Allow SSSD to use anonymous pkinit for FAST
Resolves: rhbz#1749279 - 2FA prompting setting ineffective
Resolves: rhbz#1661055 - sssd fails GPO-based access if AD have setup with Japanese language
Resolves: rhbz#1245367 - [RFE] Implement memory cache for SID requests to improve performance
Resolves: rhbz#2017390 - [sssd] RHEL 9.0 GA Tier 0 Localization
Resolves: rhbz#2013263 - [RHEL9] Add ability to parse child log files
Resolves: rhbz#2013262 - [RHEL9] Add tevent chain ID logic into responders
Resolves: rhbz#1992432 - Add client certificate validation D-Bus API
Resolves: rhbz#1940517 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs
Resolves: rhbz#1966201 - sssd: incorrect checks on length values during packet decoding in unpack_authtok()
Resolves: rhbz#977803 - incorrect checks of `strto*()` string to number convertion functions
Resolves: rhbz#1992432 - Add client certificate validation D-Bus API
Resolves: rhbz#1992973 - Lookup with fully-qualified name does not work with 'cache_first = True'
Resolves: rhbz#1996151 - Add support for CKM_RSA_PKCS in smart card authentication.
Resolves: rhbz#1998459 - 2.5.x based SSSD adds more AD domains than it should based on the configuration file (not trusted and from a different forest)
Resolves: rhbz#2000476 - disabled root ad domain causes subdomains to be marked offline
Resolves: rhbz#2014249 - Consistency in defaults between OpenSSH and SSSD
Resolves: rhbz#2029419 - 'exclude_groups' option provided in SSSD for session recording (tlog) doesn't work as expected
Resolves: rhbz#1938876 - review of important potential issues detected by static analyzers in sssd-2.4.1-1.el9
Resolves: rhbz#1942277 - Wrong default debug level of sssd tools