SUSE-RU-2026:0640-1: moderate: Recommended update for sssd

SLE-UPDATES null at suse.de
Wed Feb 25 20:30:38 UTC 2026 


# Recommended update for sssd

Announcement ID: SUSE-RU-2026:0640-1  
Release Date: 2026-02-25T15:40:40Z  
Rating: moderate  
References:

  * bsc#1212476
  * bsc#1257509
  * jsc#PED-12449
  * jsc#PED-13811

  
Affected Products:

  * Basesystem Module 15-SP7
  * SUSE Linux Enterprise Desktop 15 SP7
  * SUSE Linux Enterprise Real Time 15 SP7
  * SUSE Linux Enterprise Server 15 SP7
  * SUSE Linux Enterprise Server for SAP Applications 15 SP7

  
  
An update that contains two features and has two fixes can now be installed.

## Description:

This update for sssd fixes the following issues:

  * Use %pre scriptlet instead of %pretrans to migrate from sssd-common
    (bsc#1257509)
  * Update to release 2.10.2 (jsc#PED-12449):
    * If the ssh responder is not running, sss_ssh_knownhosts will not fail
    * SSSD is now capable of handling multiple services associated with the same port.
    * sssd_pam, being a privileged binary, now clears the environment and does not allow configuration of the PR_SET_DUMPABLE flag as a precaution.
  * Changes from sssd 2.10.1:
    * SSSD does not create anymore missing path components of DIR:/FILE: ccache types while acquiring user's TGT. The parent directory of requested ccache directory must exist and the user trying to log in must have rwx access to this directory. This matches behavior of /usr/bin/kinit.
    * The option default_domain_suffix is deprecated.
  * Changes from sssd 2.10.0:
    * The `sssctl cache-upgrade` command was removed. SSSD performs automatic upgrades at startup when needed.
    * Support of `enumeration` feature for AD/IPA providers is deprecated and might be removed in further releases.
    * The new tool `sss_ssh_knownhosts` can be used with ssh's `KnownHostsCommand` configuration option to retrieve the host's public keys from a remote server. It replaces ``sss_ssh_knownhostsproxy`.
    * The default value for `ldap_id_use_start_tls` changed from false to true for improved security.
  * Fix socket activation of responders
  * Daemon runs now as unprivileged user 'sssd'
  * Fix build parameter name omitted
  * Update filelists involving memberof.so and idmap/sss.so to avoid gobbling up
    one file into multiple sssd subpackages.
  * Fix spec file for openSUSE ALP and SUSE SLFO, where the
    python3_fix_shebang_path RPM macro is not available
  * remove dependency on /usr/bin/python3 using %python3_fix_shebang_path macro
    (bsc#1212476)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * Basesystem Module 15-SP7  
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-640=1

## Package List:

  * Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64)
    * sssd-2.10.2-150700.9.17.1
    * libsss_nss_idmap0-debuginfo-2.10.2-150700.9.17.1
    * libsss_idmap0-2.10.2-150700.9.17.1
    * sssd-krb5-2.10.2-150700.9.17.1
    * sssd-tools-2.10.2-150700.9.17.1
    * libsss_certmap-devel-2.10.2-150700.9.17.1
    * libsss_nss_idmap0-2.10.2-150700.9.17.1
    * sssd-ad-debuginfo-2.10.2-150700.9.17.1
    * libipa_hbac-devel-2.10.2-150700.9.17.1
    * sssd-winbind-idmap-debuginfo-2.10.2-150700.9.17.1
    * sssd-ipa-2.10.2-150700.9.17.1
    * sssd-proxy-debuginfo-2.10.2-150700.9.17.1
    * sssd-krb5-common-debuginfo-2.10.2-150700.9.17.1
    * libsss_simpleifp-devel-2.10.2-150700.9.17.1
    * libsss_idmap-devel-2.10.2-150700.9.17.1
    * sssd-debugsource-2.10.2-150700.9.17.1
    * sssd-ipa-debuginfo-2.10.2-150700.9.17.1
    * sssd-krb5-debuginfo-2.10.2-150700.9.17.1
    * python3-sssd-config-2.10.2-150700.9.17.1
    * sssd-tools-debuginfo-2.10.2-150700.9.17.1
    * libsss_idmap0-debuginfo-2.10.2-150700.9.17.1
    * sssd-kcm-2.10.2-150700.9.17.1
    * sssd-kcm-debuginfo-2.10.2-150700.9.17.1
    * sssd-ldap-2.10.2-150700.9.17.1
    * sssd-dbus-debuginfo-2.10.2-150700.9.17.1
    * libsss_simpleifp0-debuginfo-2.10.2-150700.9.17.1
    * sssd-dbus-2.10.2-150700.9.17.1
    * sssd-winbind-idmap-2.10.2-150700.9.17.1
    * sssd-ad-2.10.2-150700.9.17.1
    * sssd-proxy-2.10.2-150700.9.17.1
    * sssd-debuginfo-2.10.2-150700.9.17.1
    * libsss_certmap0-debuginfo-2.10.2-150700.9.17.1
    * sssd-krb5-common-2.10.2-150700.9.17.1
    * python3-sssd-config-debuginfo-2.10.2-150700.9.17.1
    * libipa_hbac0-debuginfo-2.10.2-150700.9.17.1
    * libsss_simpleifp0-2.10.2-150700.9.17.1
    * libipa_hbac0-2.10.2-150700.9.17.1
    * libsss_nss_idmap-devel-2.10.2-150700.9.17.1
    * libsss_certmap0-2.10.2-150700.9.17.1
    * sssd-ldap-debuginfo-2.10.2-150700.9.17.1
  * Basesystem Module 15-SP7 (x86_64)
    * sssd-32bit-debuginfo-2.10.2-150700.9.17.1
    * sssd-32bit-2.10.2-150700.9.17.1

## References:

  * https://bugzilla.suse.com/show_bug.cgi?id=1212476
  * https://bugzilla.suse.com/show_bug.cgi?id=1257509
  * https://jira.suse.com/browse/PED-12449
  * https://jira.suse.com/browse/PED-13811

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20260225/b74d2171/attachment.htm>

More information about the sle-updates mailing list