Update Info

SUSE-PackageHub-16.0-729


Recommended update for sssd


Type: recommended
Severity: important
Issued: 2026-05-11
Description:
This update for sssd fixes the following issues:

- With the 2.10 update sssd runs as an unprivileged user, which is not possible in certain scenarios.
  This update reverts to running as root with minimum privileges (bsc#1259436);
- Let krb5 child tolerate missing capabilities;
- Add support for UsrEtc (bsc#1257643);
- The default configuration file is now installed in /usr/etc/sssd/sssd.conf.
  It can be completely overridden by manually creating the system-specific config file
  /etc/sssd/sssd.conf, or partially overridden by creating config snippets in the
  /etc/sssd/conf.d/ directory. Check the sssd.conf manpage for more details.
- Fix ldap_child process started by the backend process ending in defunct state.
- Create the secrets directory for the KCM service (bsc#1259253);
- Make sure previously rotated logs are chown-ed as well (bsc#1259475);
- Use %pre scriptlet instead of %pretrans to migrate from sssd-common (bsc#1257509);
- Update to release 2.10.2 (jsc#PED-12449):
    * If the ssh responder is not running, sss_ssh_knownhosts will not fail.
    * SSSD is now capable of handling multiple services associated with the same port.
    * sssd_pam, being a privileged binary, now clears the environment and
      does not allow configuration of the PR_SET_DUMPABLE flag as a precaution.
- Changes from sssd 2.10.1:
    * SSSD no longer creates missing path components of DIR:/FILE:
      ccache types while acquiring the user's TGT.
    * The option default_domain_suffix is deprecated.
- Changes from sssd 2.10.0:
    * The ``sssctl cache-upgrade`` command was removed.
      SSSD performs automatic upgrades at startup when needed.
    * Support of ``enumeration`` feature for AD/IPA providers is deprecated and
      might be removed in further releases.
    * The new tool ``sss_ssh_knownhosts`` can be used with ssh's ``KnownHostsCommand`` configuration option
      to retrieve the host's public keys from a remote server. It replaces ``sss_ssh_knownhostsproxy``.
    * The default value for ``ldap_id_use_start_tls`` changed from false to true for improved security.
- Fix socket activation of responders
- Daemon runs now as unprivileged user 'sssd'
- Fix sssctl config-check exit code when the conf.d snippets directory does not exist (bsc#1230348);
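
A post-update check for the configuration layering and option changes listed above, as an added example (not part of the advisory or of sssd itself): it resolves which files make up the configuration and reports an explicit `ldap_id_use_start_tls = false` or a deprecated option together with the file that set it. The function names and the `root` parameter are hypothetical; the snippet ordering rule is an assumption taken from the sssd.conf manpage.

```python
import configparser
from pathlib import Path

# Options the changelog above marks as deprecated. "enumerate" is the
# sssd.conf option behind the "enumeration" feature.
DEPRECATED = {"default_domain_suffix", "enumerate"}

def config_files(root="/"):
    """Files that make up the configuration, lowest priority first."""
    root = Path(root)
    local = root / "etc/sssd/sssd.conf"
    vendor = root / "usr/etc/sssd/sssd.conf"
    # A local sssd.conf completely replaces the vendor default.
    base = local if local.is_file() else vendor
    files = [base] if base.is_file() else []
    snippets = root / "etc/sssd/conf.d"
    if snippets.is_dir():
        # Assumption (sssd.conf manpage): only *.conf files not starting
        # with '.', read in name order, later files take priority.
        files += sorted(p for p in snippets.glob("*.conf")
                        if p.is_file() and not p.name.startswith("."))
    return files

def audit(root="/"):
    """Return (section, option, value, source_file) findings."""
    effective = {}  # (section, option) -> (value, file that set it last)
    for path in config_files(root):
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read(path)
        for section in cp.sections():
            for opt, val in cp.items(section):
                effective[(section, opt)] = (val.strip(), str(path))
    findings = []
    for (section, opt), (val, src) in sorted(effective.items()):
        explicit_off = opt == "ldap_id_use_start_tls" and val.lower() == "false"
        deprecated = opt in DEPRECATED and val.lower() != "false"
        if explicit_off or deprecated:
            findings.append((section, opt, val, src))
    return findings

if __name__ == "__main__":
    for section, opt, val, src in audit("/"):
        print(f"{src}: [{section}] {opt} = {val}")
```

Reading /etc/sssd/sssd.conf normally requires root; files the process cannot open are skipped silently by `ConfigParser.read`, so run the check with sufficient privileges.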


              

Packages


  • sssd-2.10.2-160000.1.1