# SSSD 2.9.8

The SSSD team is announcing the release of version 2.9.8 of the System Security Services Daemon. The tarball can be downloaded from: https://github.com/SSSD/sssd/releases/tag/2.9.8

See the full release notes at: https://sssd.io/release-notes/sssd-2.9.8.html

While we plan to maintain this branch providing critical bug fixes upstream, we don't commit to regular releases off this branch going forward. We recommend switching to the latest upstream release 2.12.0.

## Feedback

Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users

# SSSD 2.9.8 Release Notes

## Highlights

### General information

* After startup SSSD already creates a Kerberos configuration snippet typically in /var/lib/sss/pubconf/krb5.include.d/localauth_plugin if the AD or IPA providers are used. This enables SSSD's localauth plugin. Starting with this release the an2ln plugin is disabled in the configuration snippet as well. If this file or its content are included in the Kerberos configuration it will fix CVE-2025-11561.

### Configuration changes

* An option `ipa_enable_dns_sites`, that never worked due to missing server side implementation, was removed. * The default value of session_provider option was changed to none (i.e. disabled) no matter what id_provider used. Previously session_provider was enabled by default for id_provider = ipa case. The primary tool it was intended to support, “Fleet Commander,” has become obsolete. * The option `ipa_subid_ranges_search_base` was deprecated in favor of `ldap_subid_ranges_search_base`.