# SSSD 2.10.0-beta1
The SSSD team is announcing the release of version 2.10.0-beta1 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/2.10.0-beta1
See the full release notes at:
https://sssd.io/release-notes/sssd-2.10.0-beta1.html
RPM packages will be made available for Fedora shortly.
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-develhttps://lists.fedorahosted.org/mailman/listinfo/sssd-users
# SSSD 2.10-beta1 Release Notes
## Highlights
### General information
* **IMPORTANT note for downstream maintainers!**
This release features significant improvements of "running with less
privileges (under unprivileged service user)" feature. There is still
a `./configure` option `--with-sssd-user=` available that allows
downstream package maintainers to choose if support of non-root service
user should be built. In case such support is built, a preferred way to
configure service user is simply by starting SSSD under this user; for
example, using `User=/Group=` options of systemd sssd.service file.
Upstream defaults are to build `--with-sssd-user=sssd` and to install
systemd service with `User=/Group=sssd`. In this case, only several
helper processes - `ldap_child`, `krb5_child` and `selinux_child` - are
executed with elevated capabilities (that are now granted using fine
grained file capabilities instead of SUID bit). All other SSSD
components run without any capabilities. In this scenario it's still
possible to re-configure SSSD to run under `root` (if needed for some
reason): besides changing `User/Group=` options, some other tweaks of
systemd service files are required.
A legacy method to configure a service user - sssd.conf `user` option
- is now deprecated and its support isn’t built by default. It can be
enabled using `--with-conf-service-user-support` `./configure` option if
needed (for example, due to backward compatibility requirements of
stable releases).
Further, no matter if SSSD is built `--with-sssd-user=sssd` or
`--with-sssd-user=root`, when it's configured to run under `root` (in
both cases) it still runs without capabilities, the same way as when
it's configured to run under `sssd` user. The only difference is from
the DAC perspective.
Important note: owner of `/etc/sssd/sssd.conf` file (and snippets)
should match the user configured to start SSSD service. Upstream spec
file changes ownership of existing `sssd.conf` to `sssd` during package
installation for seamless upgrades.
Additionally, this release fixes a large number of issues with
"socket activation of responders" feature, making it operable
out-of-the-box when the package is built `--with-sssd-user=sssd`. Please
take a note, that user configured to run main sssd.service and socket
activated responders (if used) should match (i.e. if sssd.service is
re-configured from upstream defaults to `root` then responders services
also should be re-configured).
Downstream package maintainers are advised to carefully inspect
changes in `contrib/sssd.spec.in`, `src/sysv/systemd/*` and
`./configure` options that this release brings!
* sssctl `cache-upgrade` command was removed. SSSD performs automatic
upgrades at startup when needed.
* Support of `enumeration` feature (i.e. ability to list all
users/groups using `getent passwd/group` without argument) for AD/IPA
providers is deprecated and might be removed in further releases. Those
who are interested to keep using it awhile should configure its build
explicitly using `--with-extended-enumeration-support` ./configure option.
### New features
* The new tool `sss_ssh_knownhosts` can be used with ssh's
KnownHostsCommand configuration option to retrieve the host's public
keys from a remote server (FreeIPA, LDAP, etc.). This new tool, which is
more reliable, replaces `sss_ssh_knownhostsproxy`. Please consider
switching to using the new tool as the old one will be removed.
### Packaging changes
* Building SSSD now unconditionally requires availability of `ucred`/
`SO_PEERCRED` to enforce certain security checks at runtime (see `man 7
unix` for details).
* SSSD now requires `libini` not older than v1.3
* Explicit `--with-semanage` ./configure switch was removed, going
forward `--with-selinux` includes this.
### Configuration changes
* Default `ldap_id_use_start_tls` value changed from `false` to `true`
for improved security.
* Added a `ldap_use_ppolicy` option for backends with broken ppolicy
extension handling.
* Obsolete `config_file_version` option was removed.