# SSSD 2.9.7
The SSSD team is announcing the release of version 2.9.7 of the System
Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/2.9.7
Note that this is the latest release of the 2.9.x LTM branch.
See the full release notes at:
https://sssd.io/release-notes/sssd-2.9.7.html
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel or
sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
# SSSD 2.9.7 Release Notes
## Highlights
### General information
* When both IPv4 and IPv6 address families are resolvable, but the
primary one is blocked by a firewall, SSSD attempts to connect to the server
over the secondary family.
### New features
* The SSSD IPA provider now supports IPA subdomains, not only Active
Directory ones. This subdomain support is the groundwork for the
IPA-IPA Trust feature, which becomes fully usable in a later FreeIPA
release. Trusted domain configuration options are described in the
'sssd-ipa' man page.
### Important fixes
* 'sssd_kcm' memory leak was fixed.
### Configuration changes
* The new 'ldap_read_rootdse' option specifies how SSSD reads the
RootDSE from the LDAP server. Allowed values are "anonymous",
"authenticated" and "never".
* Until now the dyndns_iface option accepted only "*" for all interfaces
or exact interface names. With this update it is also possible to use
shell wildcard patterns (e.g. eth*, eth[01], ...).
Hi Everyone,
I’m working on a system that authenticates users through both Active Directory (AD) and LDAP, and I’m looking for suggestions to improve the current setup.
Current Setup:
- AD is used solely for authentication.
- LDAP manages local users (e.g., temporary users) and assigns additional groups to both AD and LDAP users. These groups control access to shared folders for teammates.
The Challenge:
- I need to append groups from LDAP to users authenticated through AD.
- To achieve this, I’ve created "no-login" accounts in LDAP for each AD user, mapping their UID/GID to match.
- However, I haven’t found a way to fully rely on SSSD for this task.
Current Workaround:
- I’m using nslcd alongside SSSD and forcing nsswitch.conf to prioritize LDAP group lookups before SSSD and local files. My current nsswitch.conf looks like this:
```
passwd: sss files
group: ldap sss files systemd
netgroup: ldap sss files
automount: ldap sss files
services: ldap sss files
```
SSSD Configuration:
Here’s my current sssd.conf setup:
```
[sssd]
services = nss, pam
config_file_version = 2
domains = ad.domain, ldap.domain
# Prevent user login with fully_qualified_name
re_expression = (?P<name>^[^@]+$)
debug_level = 9

[domain/ad.domain]
ad_server = adserver.example.com
ad_domain = ad.example.com
auth_provider = ad
id_provider = ad
access_provider = simple
simple_allow_groups = allow_login_group
realmd_tags = manages-system joined-with-adcli
krb5_realm = AD.EXAMPLE.COM
krb5_store_password_if_offline = True
# To generate private groups for each user
auto_private_groups = True
ignore_group_members = True
use_fully_qualified_names = False
default_shell = /bin/bash
fallback_homedir = /home/%u
cache_credentials = True

[domain/ldap.domain]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldapserver
ldap_search_base = dc=example,dc=com
cache_credentials = True
ldap_tls_cacert = /path/to/ca.pem
ldap_tls_cert = /path/to/ldap.pem
ldap_tls_key = /path/to/ldap.key
ldap_tls_reqcert = demand
default_shell = /bin/bash
fallback_homedir = /home/%u
```
What I’m Looking For:
Is there a better way to append LDAP groups to AD-authenticated users so that I can eliminate nslcd entirely and rely solely on SSSD? Any advice or suggestions on how to achieve this would be greatly appreciated!
Thank you in advance for your help!
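The setup described in the post above merges one name space from two sources (AD users via sssd, shadow accounts and groups via nslcd), so the access a user ends up with depends on the UID/GID values in the two directories agreeing. The following audit is an added example in Python, not code from the original post, from SSSD or from nslcd. It parses passwd and group lines in the format `getent` prints, one set per source (assumed to be collected with `getent -s sss passwd` and `getent -s ldap passwd`, and likewise for groups), and reports the inconsistencies that matter in a merged setup: a name with different UIDs or primary GIDs in the two sources, a UID shared by different names, LDAP group members that resolve nowhere, and an LDAP group GID colliding with an sssd group GID (such as an auto_private_groups group). All sample lines are constructed.

```python
"""Audit for a host that merges sssd (AD) users with nslcd (LDAP) shadow accounts."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int


@dataclass(frozen=True)
class GroupEntry:
    name: str
    gid: int
    members: FrozenSet[str]


def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    """Parse name:passwd:uid:gid:gecos:home:shell lines, keyed by name."""
    entries: Dict[str, PasswdEntry] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries[fields[0]] = PasswdEntry(fields[0], int(fields[2]), int(fields[3]))
    return entries


def parse_group(text: str) -> Dict[str, GroupEntry]:
    """Parse name:passwd:gid:member,member lines, keyed by name."""
    groups: Dict[str, GroupEntry] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed group line: {line!r}")
        members = frozenset(m for m in fields[3].split(",") if m)
        groups[fields[0]] = GroupEntry(fields[0], int(fields[2]), members)
    return groups


def audit_merge(sss_passwd: Dict[str, PasswdEntry], ldap_passwd: Dict[str, PasswdEntry],
                sss_group: Dict[str, GroupEntry], ldap_group: Dict[str, GroupEntry]) -> List[str]:
    """Return human-readable findings; an empty list means the two sources agree."""
    findings: List[str] = []

    # 1. A name present in both sources must carry the same UID and primary GID,
    #    otherwise file ownership depends on which NSS source answered first.
    for name, ad in sss_passwd.items():
        shadow = ldap_passwd.get(name)
        if shadow is None:
            continue
        if shadow.uid != ad.uid:
            findings.append(f"uid mismatch for {name}: sss={ad.uid} ldap={shadow.uid}")
        if shadow.gid != ad.gid:
            findings.append(f"gid mismatch for {name}: sss={ad.gid} ldap={shadow.gid}")

    # 2. One UID must not belong to different names across the two sources.
    names_by_uid: Dict[int, Set[str]] = {}
    for table in (sss_passwd, ldap_passwd):
        for entry in table.values():
            names_by_uid.setdefault(entry.uid, set()).add(entry.name)
    for uid, names in sorted(names_by_uid.items()):
        if len(names) > 1:
            findings.append(f"uid {uid} shared by different names: {sorted(names)}")

    # 3. Every LDAP group member should resolve to a user in at least one source.
    known = set(sss_passwd) | set(ldap_passwd)
    for group in ldap_group.values():
        for member in sorted(group.members - known):
            findings.append(f"group {group.name}: member {member} is not a known user")

    # 4. An LDAP group GID must not collide with a differently named sssd group.
    sss_gids = {g.gid: g.name for g in sss_group.values()}
    for group in ldap_group.values():
        other = sss_gids.get(group.gid)
        if other is not None and other != group.name:
            findings.append(f"gid {group.gid} used by ldap group {group.name} and sss group {other}")
    return findings


# Constructed sample output of the two sources; names and IDs are made up.
SSS_PASSWD = """\
alice:*:10001:10001:Alice:/home/alice:/bin/bash
bob:*:10002:10002:Bob:/home/bob:/bin/bash
"""
LDAP_PASSWD = """\
alice:x:10001:10001:Alice (AD shadow):/nonexistent:/usr/sbin/nologin
bob:x:10003:10002:Bob (AD shadow):/nonexistent:/usr/sbin/nologin
temp1:x:10002:20001:Temporary user:/home/temp1:/bin/bash
"""
SSS_GROUP = """\
alice:*:10001:
bob:*:10002:
allow_login_group:*:10500:alice,bob
"""
LDAP_GROUP = """\
projectx:x:30001:alice,bob,temp1,carol
shared-docs:x:10002:alice
"""


def run_example() -> List[str]:
    return audit_merge(parse_passwd(SSS_PASSWD), parse_passwd(LDAP_PASSWD),
                       parse_group(SSS_GROUP), parse_group(LDAP_GROUP))


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

On the constructed data the audit reports four problems: bob's shadow account has a different UID than his AD account, temp1 reuses bob's AD UID, the projectx group names a member that exists nowhere, and the shared-docs group reuses the GID of bob's private group. Each of these would silently change who can reach a shared folder.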
Hello,
We want to switch from winbind to sssd. We have been using winbind for many years and have a configuration that does not seem to be compatible with sssd, at least I have not been able to find one.
We use several Windows Active Directory servers. When we started using winbind, there were relatively few Linux hosts. Most of our clients and servers had a Windows operating system.
We decided to go with rid backends at that time. It works very well. Here are the settings from /etc/samba/smb.conf:
```
# UID & GID Mapping with RID
idmap config DOMAIN1:backend = rid
idmap config DOMAIN1:range = 100000-349999
idmap config DOMAIN1:base_rid = 0
idmap config DOMAIN2:backend = rid
idmap config DOMAIN2:range = 350000-599999
idmap config DOMAIN2:base_rid = 0
idmap config *:backend = tdb
idmap config *:range = 600000-849999
```
Now we would like to obtain the IDs of the users and groups in order to have a very low impact on the productive systems.
We have found the appropriate setting for our primary domain (DOMAIN1). However, we have not yet found a way to implement this for our trusted domain (DOMAIN2).
Here are the settings from /etc/sssd/sssd.conf:
```
[sssd]
domains = example1.com
default_domain_suffix = example1.com
config_file_version = 2
services = nss, pam

[domain/example1.com]
access_provider = ad
id_provider = ad
krb5_realm = EXAMPLE1.COM
krb5_store_password_if_offline = True
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/.krb5cc_%U
full_name_format = %1$s
default_shell = /bin/bash
cache_credentials = True
realmd_tags = manages-system joined-with-adcli
fallback_homedir = /home/DOMAIN1/%u
override_homedir = /home/DOMAIN1/%u
ad_domain = example1.com
use_fully_qualified_names = True
ldap_id_mapping = True
ldap_schema = ad
ldap_idmap_default_domain = example1.com
ldap_idmap_range_min = 100000
ldap_idmap_range_max = 349999
```
I hope you have a solution for me.
Regards
Ralf
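The post above depends on the IDs that sssd derives from a SID matching the ones winbind's rid backend has been handing out, since file ownership on the existing systems is tied to those numbers. The following is an added example in Python, not code from Samba, SSSD or the original post, that models both arithmetic mappings so the ranges quoted from smb.conf and sssd.conf can be compared for the same SIDs before switching. The modelled formulas are assumptions stated here and in the comments: for the winbind rid backend, ID = RID - base_rid + range_low, valid only inside the configured range; for sssd, the domain named in ldap_idmap_default_domain gets the first slice, which starts at ldap_idmap_range_min and is ldap_idmap_range_size IDs wide (200000 by default), and inside it ID = ldap_idmap_range_min + RID. Only that first slice is modelled; secondary slices are not. The SIDs are made up, the ranges are the ones from the post.

```python
"""SID-to-ID arithmetic: winbind 'rid' backend versus sssd ldap_id_mapping (first slice)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A domain SID with a trailing RID, e.g. S-1-5-21-<a>-<b>-<c>-<rid>
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_from_sid(sid: str) -> int:
    """Return the RID (last sub-authority) of a domain SID."""
    match = SID_RE.match(sid)
    if match is None:
        raise ValueError(f"not a domain SID with a RID: {sid!r}")
    return int(match.group(1))


@dataclass(frozen=True)
class WinbindRidRange:
    """One 'idmap config DOM:backend = rid' range from smb.conf."""
    low: int
    high: int
    base_rid: int = 0

    def map_sid(self, sid: str) -> Optional[int]:
        # Assumed rid-backend formula: ID = RID - base_rid + range_low
        uid = rid_from_sid(sid) - self.base_rid + self.low
        return uid if self.low <= uid <= self.high else None


@dataclass(frozen=True)
class SssdDefaultDomainRange:
    """ldap_idmap_range_min/max/size as applied to ldap_idmap_default_domain."""
    range_min: int
    range_max: int
    range_size: int = 200000  # sssd default for ldap_idmap_range_size

    def first_slice(self) -> Tuple[int, int]:
        """Inclusive ID bounds of the first slice (assumed to belong to the default domain)."""
        return self.range_min, min(self.range_min + self.range_size - 1, self.range_max)

    def map_sid(self, sid: str) -> Optional[int]:
        # Assumed first-slice formula: ID = range_min + RID; None if it falls outside the slice
        low, high = self.first_slice()
        uid = low + rid_from_sid(sid)
        return uid if uid <= high else None


def compare_mappings(sids: List[str], winbind: WinbindRidRange,
                     sssd: SssdDefaultDomainRange) -> List[Tuple[str, Optional[int], Optional[int]]]:
    """Return (sid, winbind_id, sssd_id) per SID; rows whose IDs differ need attention."""
    return [(sid, winbind.map_sid(sid), sssd.map_sid(sid)) for sid in sids]


def sssd_range_matching(winbind: WinbindRidRange) -> Optional[SssdDefaultDomainRange]:
    """sssd settings that reproduce a winbind rid range for the default domain.
    Only base_rid = 0 can be reproduced, because the modelled sssd formula has no
    RID offset; the single slice is sized to cover the whole winbind range."""
    if winbind.base_rid != 0:
        return None
    return SssdDefaultDomainRange(winbind.low, winbind.high, winbind.high - winbind.low + 1)


# Ranges quoted in the post for DOMAIN1; the SIDs below are constructed.
DOMAIN1_WINBIND = WinbindRidRange(low=100000, high=349999, base_rid=0)
DOMAIN1_SSSD = SssdDefaultDomainRange(range_min=100000, range_max=349999)
SAMPLE_SIDS = [
    "S-1-5-21-1111-2222-3333-1105",    # ordinary account, RID 1105
    "S-1-5-21-1111-2222-3333-210000",  # high RID: inside the winbind range, past sssd's default slice
]

if __name__ == "__main__":
    for sid, wb, ss in compare_mappings(SAMPLE_SIDS, DOMAIN1_WINBIND, DOMAIN1_SSSD):
        print(f"{sid}: winbind={wb} sssd={ss} {'OK' if wb == ss else 'DIFFERS'}")
    fixed = sssd_range_matching(DOMAIN1_WINBIND)
    print(f"one-slice sssd settings: min={fixed.range_min} max={fixed.range_max} size={fixed.range_size}")
```

With the posted values both tools agree for low RIDs (RID 1105 maps to 101105 on both sides), but the default 200000-ID slice only covers RIDs below 200000, while the winbind range is 250000 IDs wide; `sssd_range_matching` shows the slice size that would cover the same span. The model says nothing about a second, trusted domain, which is the part the post reports as unsolved.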