Hi,
I was reviewing an Ubuntu merge of sssd 2.7.1 and saw that the new
sssd-idp package links with MIT kerberos libkrad0. libkrad-dev in
Debian has this notice in its description[1]:
```
This package includes development headers for libkrad0, the MIT
Kerberos RADIUS library. You should not use this RADIUS library in
packages unrelated to MIT Kerberos.
```
It looks like that was added as a result of dealing with Debian bug
#735323[2], which is what introduced the libkrad-dev package in
Debian.
Currently in Ubuntu (and likely Debian, I haven't checked) libkrad0
has only krb5 itself as a reverse dependency[3], and this change will
make sssd a new rdep.
Is that notice in libkrad-dev's package description still current, and
external projects shouldn't link with libkrad0? What's the reasoning?
Or is that no longer relevant?
I'm CCing package maintainers who might not be subscribed to
sssd-devel, please include them in any replies if you can.
1. https://salsa.debian.org/debian/krb5/-/blob/master/debian/control#L471
2. https://www.debian.org/Bugs/#735323
3. https://people.canonical.com/~ubuntu-archive/germinate-output/ubuntu.jammy/…
# SSSD 2.7.2
The SSSD team is announcing the release of version 2.7.2 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/2.7.2
See the full release notes at:
https://sssd.io/release-notes/sssd-2.7.2.html
*This is a hot fix release* which fixes a serious regression that
prevented IPA users from logging in.
This fix is already included in Fedora packages.
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
## Highlights
### Important fixes
* A serious regression introduced in `sssd-2.7.1` that prevented
successful authentication of IPA users was fixed.
### Configuration changes
* Default value of `pac_check` changed to `check_upn,
check_upn_dns_info_ex` (for AD and IPA provider).
>The SSSD team is proud to announce the release of version 2.7.0 of the
>System Security Services Daemon. The tarball can be downloaded from:
> https://github.com/SSSD/sssd/releases/tag/2.7.1
New key and no word on it?
```
$ gpg --list-keys | grep -A3 -B3 pb
pub rsa2048/0xAFFE75DDE8508E12 2020-05-11 [SC]
Key fingerprint = 1A41 DC67 505F 89A3 3082 8B66 AFFE 75DD E850 8E12
uid [ unknown] Pavel Březina <pbrezina(a)redhat.com>
sub rsa2048/0xD8286B7F47C317E5 2020-05-11 [E]
$ gpg --verify *asc
gpg: assuming signed data in 'sssd-2.7.1.tar.gz'
gpg: Signature made Thu 02 Jun 2022 01:19:12 PM CEST
gpg: using RSA key C13CD07FFB2DB1408E457A3CD3D21B2910CF6759
gpg: Can't check signature: No public key
$ gpg --recv-keys C13CD07FFB2DB1408E457A3CD3D21B2910CF6759
gpg: key 0xD3D21B2910CF6759: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1
```
[keyserver hkps://keys.openpgp.org]
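
The session above stops at "No public key", so the signature is neither confirmed nor refuted. As an added example (not part of the original message and not SSSD project code), this shell function classifies `gpg --status-fd` output against a fingerprint the reader has confirmed out of band; the function names, result labels and sample status lines are assumptions constructed here, and the thread does not establish which key is the project's.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies gpg --status-fd output
# against one pinned fingerprint obtained out of band. Intended use:
#   gpg --status-fd 1 --verify sssd-2.7.1.tar.gz.asc sssd-2.7.1.tar.gz \
#       2>/dev/null | classify_sig "$PINNED_FPR"
classify_sig() {
    # Normalise "1A41 DC67 ..." style input to bare upper-case hex.
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    result=no-signature
    while read -r tag kw a1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            BADSIG)
                result=bad-signature
                break ;;
            EXPSIG|EXPKEYSIG|REVKEYSIG)
                # Treat expired or revoked signatures and keys as failures.
                result=expired-or-revoked
                break ;;
            NO_PUBKEY)
                if [ "$result" = no-signature ]; then result=unknown-key; fi ;;
            VALIDSIG)
                # a1 is the signing (sub)key; the last field is the primary key.
                primary=${rest##* }
                if [ "$a1" = "$pinned" ] || [ "$primary" = "$pinned" ]; then
                    result=pinned-key
                else
                    result=unpinned-key
                fi ;;
        esac
    done
    printf '%s\n' "$result"
}

# Constructed status lines modelled on the session above (key not in keyring).
sample_no_pubkey() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] ERRSIG D3D21B2910CF6759 1 8 00 1654168752 9 C13CD07FFB2DB1408E457A3CD3D21B2910CF6759' \
        '[GNUPG:] NO_PUBKEY D3D21B2910CF6759'
}

# Constructed status lines for the same signature once the key is available.
sample_validsig() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG D3D21B2910CF6759 [constructed user ID]' \
        '[GNUPG:] VALIDSIG C13CD07FFB2DB1408E457A3CD3D21B2910CF6759 2022-06-02 1654168752 0 4 0 1 8 00 C13CD07FFB2DB1408E457A3CD3D21B2910CF6759'
}
```

Only `pinned-key` should let an automated build proceed; `unknown-key` and `unpinned-key` both mean the signer has not been tied to a fingerprint you trust.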
# SSSD 2.7.1
The SSSD team is proud to announce the release of version 2.7.0 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/2.7.1
See the full release notes at:
https://sssd.io/release-notes/sssd-2.7.1.html
RPM packages will be made available for Fedora shortly.
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
## Highlights
### General information
* SSSD can now handle multi-valued RDNs if a unique name must be
determined with the help of the RDN.
### Important fixes
* A regression in `pam_sss_gss` module causing a failure if `KRB5CCNAME`
environment variable was not set was fixed.
### Packaging changes
* `sssd-ipa` doesn't require `sssd-idp` anymore
### Configuration changes
* New option `implicit_pac_responder` to control if the PAC responder is
started for the IPA and AD providers, default is `true`.
* New option `krb5_check_pac` to control the PAC validation behavior.
* Multiple `crl_file` arguments can be used in the
`certificate_verification` option.