I decided to test new sssd/KCM and this is what I get:
- ssh from non sssd/krb machine to new sssd machine, entered password
~ $ klist
Ticket cache: KCM:1001
Default principal: jocke@INFINERA.COM
Valid starting Expires Service principal
10/05/21 16:47:32 11/05/21 02:47:32 krbtgt/INFINERA.COM@INFINERA.COM
renew until 17/05/21 16:47:32
~ $ ksu
ksu: Ccache function not supported: not implemented while selecting the best principal
I also have mit-krb5 master installed.
Did I miss something?
On Mon, 2021-05-10 at 15:49 +0200, Pavel Březina wrote:
# SSSD 2.5.0
The SSSD team is proud to announce the release of version 2.5.0 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/2.5.0
See the full release notes at:
https://sssd.io/release-notes/sssd-2.5.0.html
RPM packages will be made available for Fedora shortly.
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
## Highlights
### General information
* `secrets` support is deprecated and will be removed in one of the next
versions of SSSD.
* `local-provider` is deprecated and will be removed in one of the next
versions of SSSD.
* SSSD's implementation of `libwbclient` was removed as incompatible
with modern versions of Samba.
* This release deprecates `pcre1` support. This support will be removed
completely in following releases.
* A home directory from a dedicated user override, either local or
centrally managed by IPA, will have a higher precedence than the
`override_homedir` option.
* `debug-to-files`, `debug-to-stderr` command line and undocumented
`debug_to_files` config options were removed.
### New features
* Added support for automatic renewal of renewable TGTs that are stored
in KCM ccache. This can be enabled by setting `tgt_renewal = true`. See
the sssd-kcm man page for more details. This feature requires MIT
Kerberos krb5-1.19-0.beta2.3 or higher.
* Background sudo periodic tasks (smart and full refresh) periods are now
extended by a random offset to spread the load on the server in
environments with many clients. The random offset can be changed with
`ldap_sudo_random_offset`.
* Completing a sudo full refresh now postpones the smart refresh by
`ldap_sudo_smart_refresh_interval` value. This ensures that the smart
refresh is not run too soon after a successful full refresh.
* If `debug_backtrace_enabled` is set to `true` then on any error all
prior debug messages (to some limit) are printed even if `debug_level`
is set to low value (for details see `man sssd.conf`:
`debug_backtrace_enabled` description).
* Besides trusted domains known by the forest root, trusted domains
known by the local domain are used as well.
* New configuration option `offline_timeout_random_offset` to control
random factor in backend probing interval when SSSD is in offline mode.
### Important fixes
* `ad_gpo_implicit_deny` is now respected even if there are no
applicable GPOs present
* During the IPA subdomains request a failure in reading a single
specific configuration option is not considered fatal and the request
will continue
* unknown IPA id-range types are not considered as an error
* SSSD spec file `%postun` no longer tries to restart services that can
not be restarted directly to stop producing systemd warnings
### Configuration changes
* Added `tgt_renewal`, `tgt_renewal_inherit`, and `krb5_*` KCM options
to enable, and tune behavior of new KCM renewal feature.
* Added `ldap_sudo_random_offset` (default to `30`) to add a random
offset to background sudo periodic tasks (smart and full refresh).
* Introduced new option `debug_backtrace_enabled` to control debug
backtrace.
* Added `offline_timeout_random_offset` configuration option to control
maximum size of random offset added to offline timeout SSSD backend
probing interval.
* Long time deprecated and undocumented `debug_to_files` option was removed.
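A pre-upgrade check for the configuration changes listed in the announcement above, as an added example that is not part of the original thread or SSSD's own code: it scans an `sssd.conf` for the removed `debug_to_files` option and the deprecated local provider and secrets service, and reports whether KCM TGT renewal is enabled. The sample configuration and the function name are constructed for illustration; placing `tgt_renewal` in the `[kcm]` section follows the sssd-kcm man page.

```python
import configparser

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF = """\
[sssd]
services = nss, pam, sudo, secrets
domains = local_users, example.test

[domain/local_users]
id_provider = local

[domain/example.test]
id_provider = ldap
debug_to_files = true

[kcm]
tgt_renewal = false
"""


def audit_sssd_conf(text):
    """Return (section, message) findings for items the 2.5.0 notes flag."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        opts = cp[section]
        # Removed in 2.5.0: the undocumented debug_to_files option.
        if "debug_to_files" in opts:
            findings.append((section, "debug_to_files was removed in 2.5.0"))
        # Deprecated: the local provider.
        provider = opts.get("id_provider", "").strip().lower()
        if section.startswith("domain/") and provider == "local":
            findings.append((section, "local provider is deprecated"))
        # Deprecated: the secrets responder, as a service or its own section.
        services = [s.strip() for s in opts.get("services", "").split(",")]
        if section == "secrets" or (section == "sssd" and "secrets" in services):
            findings.append((section, "secrets support is deprecated"))
    # New in 2.5.0: automatic renewal of renewable TGTs held in the KCM ccache.
    renewal = cp.get("kcm", "tgt_renewal", fallback="false").strip().lower()
    if renewal != "true":
        findings.append(("kcm", "tgt_renewal is not enabled"))
    return findings


if __name__ == "__main__":
    for section, message in audit_sssd_conf(SAMPLE_CONF):
        print(f"[{section}] {message}")
```
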