# SSSD 2.5.0
The SSSD team is proud to announce the release of version 2.5.0 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/2.5.0
See the full release notes at:
https://sssd.io/release-notes/sssd-2.5.0.html
RPM packages will be made available for Fedora shortly.
## Feedback
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
## Highlights
### General information
* `secrets` support is deprecated and will be removed in one of the next
versions of SSSD.
* `local-provider` is deprecated and will be removed in one of the next
versions of SSSD.
* SSSD's implementation of `libwbclient` was removed as incompatible
with modern version of Samba.
* This release deprecates `pcre1` support. This support will be removed
completely in following releases.
* A home directory from a dedicated user override, either local or
centrally managed by IPA, will have a higher precedence than the
`override_homedir` option.
* `debug-to-files`, `debug-to-stderr` command line and undocumented
`debug_to_files` config options were removed.
### New features
* Added support for automatic renewal of renewable TGTs that are stored
in KCM ccache. This can be enabled by setting `tgt_renewal = true`. See
the sssd-kcm man page for more details. This feature requires MIT
Kerberos krb5-1.19-0.beta2.3 or higher.
* Backround sudo periodic tasks (smart and full refresh) periods are now
extended by a random offset to spread the load on the server in
environments with many clients. The random offset can be changed with
`ldap_sudo_random_offset`.
* Completing a sudo full refresh now postpones the smart refresh by
`ldap_sudo_smart_refresh_interval` value. This ensure that the smart
refresh is not run too soon after a successful full refresh.
* If `debug_backtrace_enabled` is set to `true` then on any error all
prior debug messages (to some limit) are printed even if `debug_level`
is set to low value (for details see `man sssd.conf`:
`debug_backtrace_enabled` description).
* Besides trusted domains known by the forest root, trusted domains
known by the local domain are used as well.
* New configuration option `offline_timeout_random_offset` to control
random factor in backend probing interval when SSSD is in offline mode.
### Important fixes
* `ad_gpo_implicit_deny` is now respected even if there are no
applicable GPOs present
* During the IPA subdomains request a failure in reading a single
specific configuration option is not considered fatal and the request
will continue
* unknown IPA id-range types are not considered as an error
* SSSD spec file `%postun` no longer tries to restart services that can
not be restarted directly to stop produce systemd warnings
### Configuration changes
* Added `tgt_renewal`, `tgt_renewal_inherit`, and `krb5_*` KCM options
to enable, and tune behavior of new KCM renewal feature.
* Added `ldap_sudo_random_offset` (default to `30`) to add a random
offset to backround sudo periodic tasks (smart and full refresh).
* Introduced new option 'debug_backtrace_enabled' to control debug
backtrace.
* Added `offline_timeout_random_offset` configuration option to control
maximum size of random offset added to offline timeout SSSD backend
probing interval.
* Long time deprecated and undocumented `debug_to_files` option was removed.