The FreeIPA team is proud to announce version FreeIPA v3.0.1.

It can be downloaded from http://www.freeipa.org/page/Downloads.

A build will be submitted to updates-testing for Fedora 18 soon.

Highlights in 3.0.1#

  • Change the way we calculate what services IPA is managing so that startup/shutdown with systemd works.

  • Resolve external members from trusted domain via Global Catalog.

  • Improvements to ipa-client-automount.

  • Man page and command help improvements.

  • Added option to configure DNS forwarding by zone.

Upgrading#

An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.

Please note, that the referential integrity extension requires an extended set of indexes to be configured. RPM update for an IPA server with a excessive number of hosts, SUDO or HBAC entries may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 is supported. Upgrading from previous versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded, you will have to re-enroll the client or manually upload the keys.

Feedback#

Please provide comments, bugs and other feedback via the freeipa-devel mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel

Detailed Changelog since 3.0.0#

Alexander Bokovoy (4):

  • Remove bogus check for smbpasswd

  • Warn about DNA plugin configuration when working with local ID ranges

  • Resolve external members from trusted domain via Global Catalog

  • Clarify trust-add help regarding multiple runs against the same domain

Jakub Hrozek (1):

  • ipa-client-automount: Add the autofs service if it doesn’t exist yet

Jan Cholasta (1):

  • Reword description of the –passsync option of ipa-replica-manage.

John Dennis (1):

  • log dogtag errors

Martin Kosek (9):

  • Create reverse zone in unattended mode

  • Add fallback for httpd restarts on sysV platforms

  • Report ipa-upgradeconfig errors during RPM upgrade

  • Avoid uninstalling dependencies during package lifetime

  • Remove servertrls and clientctrls options from rename_s

  • Use common encoding in modlist generation

  • Process relative nameserver DNS record correctly

  • Do not require resolvable nameserver in DNS install

  • Disable global forwarding per-zone

Nikolai Kondrashov (1):

  • Add uninstall command hints to ipa-*-install

Petr Viktorin (3):

  • ipautil.run: Log the command line before running the command

  • ipa-replica-install: Use configured IPA DNS servers in forward/reverse resolution check

  • Make sure the CA is running when starting services

Petr Vobornik (2):

  • Simpler instructions to generate certificate

  • Fixed incorrect link to browser config after session expiration

Rob Crittenden (11):

  • Use TLS for CA replication

  • Don’t configure a reverse zone if not desired in interactive installer.

  • Fix requesting certificates that contain subject altnames.

  • Improve error messages in ipa-replica-manage.

  • Close connection after each request, avoid NSS shutdown problem.

  • The SECURE_NFS value needs to be lower-case yes on SysV systems.

  • After unininstall see if certmonger is still tracking any of our certs.

  • Wait for the directory server to come up when updating the agent certificate.

  • Set MLS/MCS for user_u context to what will be on remote systems.

  • Handle the case where there are no replicas with list-ruv

  • Become IPA 3.0.1

Simo Sorce (6):

  • Add support for using AES fo cross-realm TGTs

  • Preserve original service_name in services

  • Save service name on service startup

  • Get list of service from LDAP only at startup

  • Revert “Save service name on service startup”

  • Save service name on service startup/shutdown

Sumit Bose (4):

  • Fix various issues found by Coverity

  • extdom: handle INP_POSIX_UID and INP_POSIX_GID requests

  • Restart httpd if ipa-server-trust-ad is installed or updated

  • ipa-adtrust-install: allow to reset te NetBIOS domain name

Tomas Babej (4):

  • Forbid overlapping primary and secondary rid ranges

  • Refactoring of default.conf man page

  • Make service naming in ipa-server-install consistent

  • IPA Server check in ipa-replica-manage