Ctrl+K

Highlights in 4.2.4

The FreeIPA team would like to announce FreeIPA v4.2.4 bug fixing release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 23.

Highlights in 4.2.4#

FreeIPA 4.2.4 is a bugfix release to improve upgrade experience from FreeIPA 4.1 for Fedora 23.

Bug fixes#

  • Fixed issue in installation of server with external CA where second step of installation “forgot” options from previous step which could lead, e.g., to DNS server not being installed. #5556

  • Fixed issue in ipa-adtrust-install when a dash character was used in NetBIOS name

  • Fixed issue with migration from old self-sign IPA(e.g. CentOS 6) and upgrading it to a server with CA #5611, #5598, #5602, #5595, #5636, #4492, #5506

  • Fixed issue with bind not starting after update due to wrong file permissions. #5520

  • Fixed issue in installation of server without CA when certmonger was not running. #5519

  • Fixed issue in upgrade of NIS maps. #5507

  • Fixed issue in handling of empty cookies. It prevented users from log in to Web UI using forms-based authentication. #5709

  • Fixed issue with installation of KRA on a replica. #5346

  • Fixed issue with DNSSEC key purging not being handled properly #5334

  • Fixed issue in replica installation after update of master from previous version where certificate profiles and CA ACL were not properly added. #5269

  • Fixed issue in installation of replica with external CA, when multiple certificates with the same nickname were provided. #5117

  • Fixed issue after upgrade of sidgen and extdom plugins which prevented from generation of Security Identifiers(SIDs). As a result, all AD trust created after the upgrade did not work while advertising that the trust was established correctly. #5665

  • Fixed issue with starting FreeIPA after upgrade which happened when FreeIPA server was turned off. #5655

  • Fixed internal error during an upgrade from FreeIPA 4.0 to 4.2 which prevented the upgrade process from upgrading forward zones properly. #5472

  • Fixed issue with missing “System: Read Replication Agreements” ACI on new replicas. #5631

  • Fixed issue on Web UI password reset page where user was not notified when he entered invalid password #5567

Enhancements#

  • ipa-replica-prepare and ipa-replica-install no longer fails if PTR record is not resolvable #5686

Upgrading#

Upgrade instructions are available on Upgrade page.

Feedback#

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

Detailed Changelog since 4.2.3#

Abhijeet Kasurde (2)#

  • Fixed small typo in stage-user documentation

  • Fixed login error message box in LoginScreen page

Alexander Bokovoy (1)#

  • slapi-nis: update configuration to allow external members of IPA groups

Christian Heimes (1)#

  • Require Dogtag 10.2.6-13 to fix KRA uninstall

David Kupka (5)#

  • ipa-cacert-renew: Fix connection to ldap.

  • ipa-otptoken-import: Fix connection to ldap.

  • test: Temporarily increase timeout in vault test.

  • installer: Propagate option values from components instead of copying them.

  • installer: Fix logic of reading option values from cache.

Fraser Tweedale (5)#

  • TLS and Dogtag HTTPS request logging improvements

  • Avoid race condition caused by profile delete and recreate

  • Do not erroneously reinit NSS in Dogtag interface

  • Add profiles and default CA ACL on migration

  • Do not decode HTTP reason phrase from Dogtag

Gabe Alford (2)#

  • Incomplete ports for IPA AD Trust

  • Check if IPA is configured before attempting a winsync migration

Jan Cholasta (9)#

  • install: fix command line option validation

  • install: export KRA agent PEM file in ipa-kra-install

  • cert renewal: make renewal of ipaCert atomic

  • client install: do not corrupt OpenSSH config with Match sections

  • ipalib: assume version 2.0 when skip_version_check is enabled

  • cert renewal: import all external CA certs on IPA CA cert renewal

  • CA install: explicitly set dogtag_version to 10

  • replica install: validate DS and HTTP server certificates

  • certdb: never use the -r option of certutil

Lenka Doudova (2)#

  • Adding descriptive IDs to stageuser tests

  • Tests: Fix tests for (stage)user plugin

Martin Babinsky (13)#

  • fix error reporting when installer option is supplied with invalid choice

  • suppress errors arising from adding existing LDAP entries during KRA install

  • update idrange tests to reflect disabled modification of local ID ranges

  • disconnect ldap2 backend after adding default CA ACL profiles

  • do not disconnect when using existing connection to check default CA ACLs

  • fix error message assertion in negative forced client reenrollment tests

  • prevent crash of CA-less server upgrade due to absent certmonger

  • use FFI call to rpmvercmp function for version comparison

  • fix standalone installation of externally signed CA on IPA master

  • always start certmonger during IPA server configuration upgrade

  • upgrade: unconditional import of certificate profiles into LDAP

  • CI tests: use old schema when testing hostmask-based sudo rules

  • use LDAPS during standalone CA/KRA subsystem deployment

Martin Bašti (27)#

  • fix caching in get_ipa_config

  • upgrade: fix migration of old dns forward zones

  • Fix upgrade of forwardzones when zone is in realmdomains

  • ipa-getkeytab: do not return error when translations cannot be loaded

  • KRA: do not stop certmonger during standalone uninstall

  • ipa-kra-install: allow to install first KRA on replica

  • Modify error message to install first instance of KRA

  • Fix version comparison

  • DNS: fix file permissions

  • Explicitly call chmod on newly created directories

  • Fix: replace mkdir with chmod

  • FIX: ipa_kdb_principals: add missing break statement

  • Allow to used mixed case for sysrestore

  • Upgrade: Fix upgrade of NIS Server configuration

  • Tests: DNS replace 192.0.2.0/24 with 198.18.0.0/15 range

  • make lint: use config file and plugin for pylint

  • Disable new pylint checks

  • upgrade: fix config of sidgen and extdom plugins

  • trusts: use ipaNTTrustPartner attribute to detect trust entries

  • Warn user if trust is broken

  • fix upgrade: wait for proper DS socket after DS restart

  • Pylint: add missing attributes of errors to definitions

  • fix permission: Read Replication Agreements

  • Make PTR records check optional for IPA installation

  • Fix connections to DS during installation

  • pylint: supress false positive no-member errors

  • Fix broken trust warnings

Milan Kubik (1)#

  • Applied tier0 and tier1 marks on unit tests and xmlrpc tests

Milan Kubík (1)#

  • ipatests: Fix missed module import in ipaserver tests

Petr Voborník (3)#

  • advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins

  • cookie parser: do not fail on cookie with empty value

  • fix incorrect name of ipa-winsync-migrate command in help

Petr Špaček (12)#

  • Makefile: disable parallel build

  • DNSSEC: Improve error reporting from ipa-ods-exporter

  • DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP

  • DNSSEC: Make sure that current key state in LDAP matches key state in BIND

  • DNSSEC: remove obsolete TODO note

  • DNSSEC: add debug mode to ldapkeydb.py

  • DNSSEC: logging improvements in ipa-ods-exporter

  • DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP

  • DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP

  • DNSSEC: ipa-ods-exporter: add ldap-cleanup command

  • DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal

  • DNSSEC: Log debug messages at log level DEBUG

Simo Sorce (2)#

  • Return default TL_DATA is krbExtraData is missing

  • Insure the admin_conn is disconnected on stop

Sumit Bose (4)#

  • ipasam: fix wrong usage of talloc_new()

  • ipasam: use more restrictive search filter for group lookup

  • ipasam: fix a use-after-free issue

  • ipa-kdb: map_groups() consider all results

Tomáš Babej (4)#

  • tests: Fix incorrect uninstall method invocation

  • tests: Add hostmask detection for sudo rules validating on hostmask

  • ipa-adtrust-install: Allow dash in the NETBIOS name

  • spec: Bump required sssd version to 1.13.3-5

Contents