The FreeIPA team is proud to announce version FreeIPA v3.0.2.
It can be downloaded from http://www.freeipa.org/page/Downloads.
Highlights in 3.0.2#
WebUI: Change of default value of type of new group back to POSIX.
Lookup the user SID in external group as well.
Include sssd-managed domain/realm mapping file managed in krb5.conf.
Fix potential security error in cookie handling in ipa client tool, CVE-2012-5631.
Upgrading#
An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.
Please note, that the referential integrity extension requires an extended set of indexes to be configured. RPM update for an IPA server with a excessive number of hosts, SUDO or HBAC entries may require several minutes to finish.
If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded.
Downgrading a server once upgraded is not supported.
Upgrading from 2.2.0 is supported. Upgrading from previous versions is not supported and has not been tested.
An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded, you will have to re-enroll the client or manually upload the keys.
Feedback#
Please provide comments, bugs and other feedback via the freeipa-devel mailing list: http://www.redhat.com/mailman/listinfo/freeipa-devel
Detailed Changelog since 3.0.1#
Alexander Bokovoy (3):
ipasam: better Kerberos error handling in ipasam
trusts: replace use of python-crypto by m2crypto
Propagate kinit errors with trust account
Jakub Hrozek (4):
Make enabling the autofs service more robust
ipachangeconf: allow specifying non-default delimeter for options
Specify includedir in krb5.conf on new installs
Add the includedir to krb5.conf on upgrades
John Dennis (1):
Compliant client side session cookie behavior
Lubomir Rintel (1):
Drop unused readline import
Martin Kosek (5):
Prepare spec file for Fedora 18
Filter suffix in replication management tools
Change network configuration file
Improve ipa-replica-prepare error message
Fix sshd feature check
Petr Viktorin (2):
Provide explicit user name for Dogtag installation scripts
Add Lubomir Rintel to Contributors.txt
Petr Vobornik (4):
WebUI: Change of default value of type of new group back to POSIX
Editable sshkey, mac address field after upgrade
Better licensing information of 3rd party code
Better error message for login of users from other realms
Rob Crittenden (5):
Honor the kdb options disabling KDC writes in ipa_lockout plugin
Only update the list of running services in the installer or ipactl.
Set min for selinux-policy to 3.11.1-60
Reorder XML-RPC initialization in ipa-join to avoid segfault.
Become IPA 3.0.2
Simo Sorce (1):
MS-PAC: Special case NFS services
Sumit Bose (3):
Lookup the user SID in external group as well
Restart sssd after authconfig update
Do not recommend how to configure DNS in error message
Tomas Babej (1):
Add detection for users from trusted/invalid realms