sssd: Update to version 2.9.2-1

Message ID 20230920204419.415768-1-adolf.belka@ipfire.org
State Accepted
Commit 3cf4b6275e3c396f3b0bce23b873fe99fc603cd1
Series sssd: Update to version 2.9.2-1

Commit Message

Adolf Belka Sept. 20, 2023, 8:44 p.m. UTC
- IPFire-3.x
- Update from version 2.8.2-2 to 2.9.2-1
- version 2.8.2-2 was failing to build.
- Initially version 2.9.2-1 failed with the same error messages.
   /usr/lib/sssd/sss_analyze [INVALID-INTERPRETER]
   There were also the following two messages in the log
   "/usr/lib/sssd/sss_analyze: Found command python ((null))
    /usr/lib/sssd/sss_analyze: Could not find path for command python"
  Based on the above error I checked sss_analyze and found the following first line
   "#!/usr/bin/env python" but the python program in IPFire is called python3
  Added the sed line to change python to python3 and the build then was successful.
- Changelog
    2.9.2
	Highlights
		SSSD 2.9 branch is now in long-term maintenance (LTM) phase.
	General information
	    libkrb5-1.21 can now be used to build PAC plugin.
	    sssctl cert-show and cert-show cert-eval-rule can now be run as non-root
	     user.
	Important fixes
	    SSSD no longer crashes if PIN is introduced but the tactile trigger
	     isn’t pressed during passkey authentication.
	    SSSD can now recover if memory-cache files under /var/lib/sss/mc were
	     truncated while SSSD is running.
	    Chaining of identical D-Bus requests that run in parallel to avoid
	     multiple backend queries works again.
	Configuration changes
	    New option local_auth_policy is added to control which offline
	     authentication methods will be enabled by SSSD. This option is relevant
	     for authentication methods which have online, and offline capability
	     such as passkey, and smartcard authentication. The default value match
	     sets the offline methods to their corresponding online value. This
	     enables offline authentication when online kerberos pre-authentication
	     such as PKINIT, or passkey is supported by the backend, note that
	     online methods will still be attempted first. Option value only can be
	     used to disable online authentication entirely, or the value
	     enable:method to explicitly enable specific authentication methods,
	     e.g. enable:passkey.
	Tickets Fixed
	    #5198 - monatomically should have been monotonically
	    #6733 - New covscan errors in ‘passkey’ code
	    #6802 - sss_certmap_test fail in v2.9.1 on Arch Linux
	    #6803 - [sssd] SSSD enters failed state after heavy load in the system
	    #6889 - Crash in pam_passkey_auth_done
	    #6911 - SBUS chaining is broken for getAccountInfo and other internal
	            D-Bus calls
    2.9.1
	New features
	    Passkey: added option to write key mapping data to file.
	Important fixes
	    A regression was fixed that prevented autofs lookups from functioning
	     correctly when cache_first is set to True. Since this was set as a
	     new default value in sssd-2.9.0, it is considered a regression.
	    A regression where SSSD failed to properly watch for changes in
	     ‘/etc/resolv.conf’ when it was a symbolic link or was a relative path,
	     was fixed.
	Tickets Fixed
	    #6442 - PAC errors when no PAC configured
	    #6652 - IPA: previously cached netgroup member is not remove correctly
		    after it is removed from ipa
	    #6659 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988
		    error 4 in libc-2.28.so[7f16b5e72000+1bc000]
	    #6718 - file_watch-tests fail in v2.9.0 on Arch Linux
	    #6720 - [sssd] User lookup on IPA client fails with ‘s2n get_fqlist
		    request failed’
	    #6739 - autofs mounts: Access to non-existent file very slow since 2.9.0
	    #6744 - sssd-be tends to run out of system resources, hitting the
		    maximum number of open files
	    #6766 - [RHEL8] sssd : AD user login problem when modify
		    ldap_user_name= name and restricted by GPO Policy
	    #6768 - [RHEL8] sssd attempts LDAP password modify extended op after
		    BIND failure
    2.9.0
	General information
	    sss_simpleifp library is deprecated and might be removed in further
	     releases. Those who are interested to keep using it awhile should
	     configure its build explicitly using --with-libsifp ./configure option.
	    “Files provider” (i.e. id_provider = files) is deprecated and might be
	     removed in further releases. Those who are interested to keep using it
	     awhile should configure its build explicitly using
	     --with-files-provider ./configure option. Or consider using
	     “Proxy provider” with proxy_lib_name = files instead.
	    Previously deprecated --enable-files-domain configure option, which was
	     used to manage default value of the enable_files_domain config option,
	     is now removed.
	    Long time unused ‘--enable-all-experimental-features’ configure option
	     was removed.
	    SSSD will no longer warn about changed defaults when using
	     ldap_schema = rfc2307 and default autofs mapping. This warning was
	     introduced in 1.14 to loudly warn about different default values.
	New features
	    New passkey functionality, which will allow the use of FIDO2 compliant
	     devices to authenticate a centrally managed user locally. Moreover, in
	     the case of a FreeIPA user, it can also issue a Kerberos ticket
	     automatically with upcoming FreeIPA version 4.11.
	    Add support for ldapi:// URLs to allow connections to local LDAP servers
	    NSS IDMAP has two new methods: getsidbyusername and getsidbygroupname
	Note: support for passkey is in its initial phase and the authentication
	      policy will be adjusted in future versions.
	Packaging changes for passkey
	    Include passkey subpackage and dependency for libfido2.
	Configuration changes for passkey
	    New options to enable and tune passkey behavior: pam_passkey_auth,
	     ldap_user_passkey, passkey_verification, passkey_child_timeout,
	     interactive, interactive_prompt, touch and touch_prompt.
	    --with-passkey is a new configuration option to enable building passkey
	     authentication.
	Important fixes
	    A regression where running sss_cache when no SSSD domain is enabled
	     would produce a syslog critical message was fixed.
	Configuration changes
	    Default value of cache_first option was changed to true in case SSSD
	     is built without files provider.
	    ipa_access_order parameter introduced. It behaves much like
	     ldap_access_order but affects IPA domains (id_provider = ipa) and
	     accepts limited values. Please see sssd-ipa(5) for more information.
	Tickets Fixed
	    #5390 - sssd failing to register dynamic DNS addresses against an AD
		    server due to unnecessary DNS search
	    #6383 - sssd is not waiting for network-online.target
	    #6403 - Add new Active Directory related certificate mapping templates
	    #6404 - [RFE] Add digest mapping feature from pam_pkcs11 in SSSD
	    #6451 - UPN check cannot be disabled explicitly but requires
		    krb5_validate = false’ as a work-around
	    #6479 - Smart Card auth does not work with p11_uri
		    (with-smartcard-required)
	    #5080 - [RFE] - Show password expiration warning when IdM users login
		    with SSH keys
	    #5390 - sssd failing to register dynamic DNS addresses against an AD
		    server due to unnecessary DNS search
	    #6228 - Enable passkey authentication in a centralized environment
	    #6324 - coredump occurs when I restart sssd-ifp.service with
		    sssd.service is inactive
	    #6357 - KCM erroneously changes primary cache when renewing credentials
	    #6360 - [D-Bus] ListByName() returns several times the same entry
	    #6361 - [D-Bus] ListByName() fails when not using wildcards
	    #6383 - sssd is not waiting for network-online.target
	    #6387 - Fatal errors in log during Anaconda installation:
		    “CRIT sss_cache:No domains configured, fatal error!”
	    #6398 - [D-Bus] Groups.ListByName() and Groups.ListByDomainAndName()
		    not working
	    #6403 - Add new Active Directory related certificate mapping templates
	    #6404 - [RFE] Add digest mapping feature from pam_pkcs11 in SSSD
	    #6451 - UPN check cannot be disabled explicitly but requires
		    krb5_validate = false’ as a work-around
	    #6465 - SBUS:A core dump occurs when dbus_server_get_address()
	    #6477 - changing password with ldap_password_policy = shadow does not
		    take effect immediately
	    #6479 - Smart Card auth does not work with p11_uri
		    (with-smartcard-required)
	    #6487 - implicit declaration of function fgetpwent in test_negcache_2.c
	    #6505 - SSS_CLIENT: general library destructor should cancel
		    thread-at-exit destructors
	    #6531 - FAST/OTP with Anonymous PKINIT - oddly requires a keytab to
		    exist (can be a bogus keytab)
	    #6544 - AD: Nested group processing can fail or return invalid members
		    (security issue)
	    #6548 - sssd-ipa
	    #6551 - passkey_child cannot be used to register passkey due to too
		    strict permissions
	    #6558 - enabling passkey authentication breaks idp support
	    #6565 - Improvement: sss_client: add ‘getsidbyusername()’ and
		    ‘getsidbygroupname()’ and corresponding python bindings
	    #6588 - Integration Tests:The sssd_hosts module is missing in release
		    tarball
	    #6592 - pid wrapping caused sss_cli_check_socket to close the file
		    descriptor opened by the process
	    #6600 - [sssd] Auth fails if client cannot speak to forest root domain
		    (ldap_sasl_interactive_bind_s failed)
	    #6610 - BUILD: Clear compilation alarms.
	    #6612 - MIT Kerberos confusion over password expiry
	    #6617 - filter_groups doesn’t filter GID from ‘id’ output: AD +
		    ‘ldap_id_mapping = True’ corner case
	    #6626 - Unable to lookup AD user from child domain
		    (or “make filtering of the domains more configurable”)
	    #6635 - sss allows extraneous @ characters prefixed to username

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 sssd/sssd.nm | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
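
The shebang failure described in the commit message, as an added example that is not part of the patch or the IPFire tree: shell functions that report scripts whose `#!/usr/bin/env` interpreter is not on PATH, and that compare the substitution used in the patch with a form limited to an exact first line. The function names and the temporary sample scripts are constructed for illustration; `sed -i` is used as in the patch (GNU sed).

```shell
#!/bin/sh
# Added example, not from the IPFire tree. Function names and the sample
# scripts are constructed; sed -i is used as in the patch (GNU sed).

# Print the command named on a "#!/usr/bin/env CMD" first line, if any.
env_interpreter() {
    sed -n '1s|^#!/usr/bin/env[[:space:]][[:space:]]*\([^[:space:]][^[:space:]]*\).*|\1|p' "$1"
}

# Succeed when the script has no env shebang or its interpreter is on PATH.
shebang_ok() {
    interp=$(env_interpreter "$1")
    if [ -z "$interp" ]; then
        return 0
    fi
    command -v "$interp" >/dev/null 2>&1
}

# The substitution from the patch: matches anywhere, on any line.
rewrite_unanchored() {
    sed -i 's|#!/usr/bin/env python|#!/usr/bin/env python3|g' "$1"
}

# Anchored form: line 1 only, and only when that line is exactly "python".
rewrite_anchored() {
    sed -i '1s|^#!/usr/bin/env python$|#!/usr/bin/env python3|' "$1"
}

# Return the first line of a file.
first_line() {
    sed -n '1p' "$1"
}

# Walk a staging tree and list scripts whose env interpreter is missing.
report_bad_shebangs() {
    find "$1" -type f | sort | while IFS= read -r f; do
        shebang_ok "$f" || printf '%s: no "%s" on PATH\n' "$f" "$(env_interpreter "$f")"
    done
}

demo() {
    tmp=$(mktemp -d) || return 1
    # First line the commit message reports for sss_analyze.
    printf '#!/usr/bin/env python\nprint("x")\n' > "$tmp/old"
    # Hypothetical later upstream form that already names python3.
    printf '#!/usr/bin/env python3\nprint("x")\n' > "$tmp/new"
    cp "$tmp/new" "$tmp/new2"
    rewrite_unanchored "$tmp/new"
    echo "unanchored on python3: $(first_line "$tmp/new")"
    rewrite_anchored "$tmp/new2"
    echo "anchored on python3:   $(first_line "$tmp/new2")"
    rewrite_anchored "$tmp/old"
    echo "anchored on python:    $(first_line "$tmp/old")"
    report_bad_shebangs "$tmp"
    rm -rf "$tmp"
}
demo
```
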
  

Comments

Adolf Belka Sept. 21, 2023, 9:17 a.m. UTC | #1
Hi All,

I see that the x86_64 build of sssd is failing due to lack of
libldb-devel and the aarch64 due to lack of libtalloc-devel.

Both are listed in the requires section. On my local build system I 
initially had the same message about libldb-devel but I then cleared my 
cache and rebuilt sssd, which forced building of all the other packages 
and then sssd built without any problems.

This might be the problem we had occasionally over the weekend where the 
pakfire build took the wrong version or didn't build all the 
dependencies correctly.

I am currently working on samba and that is requiring newer versions of 
libtalloc and libldb and a few others so when I have that working and 
submitted those dependencies will be newer. Maybe that will also help 
with sssd.

Regards,

Adolf.


  
Michael Tremer Sept. 21, 2023, 5:05 p.m. UTC | #2
Hello Adolf,

Yes, this used to be a problem because of a compiler bug in GCC.

This afternoon I asked Stefan to have a look at this since he has resolved this before, but it looks like updating the packages does the job as well.

I merged your patchset, tested it and it works. So I pushed it just now and hopefully a couple more packages should build as they are waiting for a working version of libtalloc, etc.

Best,
-Michael

  

Patch

diff --git a/sssd/sssd.nm b/sssd/sssd.nm
index 90d804469..5f3a4ecd4 100644
--- a/sssd/sssd.nm
+++ b/sssd/sssd.nm
@@ -4,8 +4,8 @@ 
 ###############################################################################
 
 name       = sssd
-version    = 2.8.2
-release    = 2
+version    = 2.9.2
+release    = 1
 
 groups     = System/Tools
 url        = https://github.com/SSSD/sssd
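
Review bot: the version line jumps from 2.8.2 to 2.9.2 with no other change to the build in this patch (the diffstat covers only this hunk and the sed line), while the 2.9.0 notes in the commit message list build-time switches: --with-passkey with a libfido2 dependency, --with-files-provider and --with-libsifp. It would help to state in the commit message whether passkey and the files provider are meant to stay off for IPFire, since the same notes say cache_first defaults to true when SSSD is built without the files provider.
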
@@ -95,6 +95,9 @@  build
 
 		# Drop /var/run
 		rm -rvf %{BUILDROOT}%{localstatedir}/run
+		
+		# Change python to python3 in sss_analyze file
+		sed -i 's|#!/usr/bin/env python|#!/usr/bin/env python3|g' %{BUILDROOT}/usr/lib/sssd/sss_analyze
 	end
 end
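
Review bot: the sed expression on the last added line is not anchored, so once upstream ships `#!/usr/bin/env python3` in sss_analyze this rule would turn it into `python33`, and the g flag lets it touch any line of the file rather than only the interpreter line. Restricting it to line 1 and to an exact match, for example `1s|^#!/usr/bin/env python$|#!/usr/bin/env python3|`, keeps it safe to leave in place across updates. The first added line also consists only of tabs; an empty line would avoid the trailing whitespace.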