Jump to: navigation, search

Releases/4.4.1

Release date Released 2016-09-01

The FreeIPA team would like to announce FreeIPA v4.4.1 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 24 will be available in the official COPR repository.

Highlights in 4.4.1

Enhancements

  • Kerberos KDC now takes Authentication Indicators into account when issuing service tickets. This allows, for example, to require two-factor authenticated Kerberos credentials prior to obtaining tickets to a VPN service.
  • FreeIPA Certificate Authority now is able to create subordinate CAs to issue certificates with a specific scope
  • Web UI and API end-points now can be configured to log-in with client certificates and smart cards. Additional configuration details are described in the External Authentication design page.
  • Web UI now suggests to have redundancy in Certificate Authority topology
  • Custom FreeIPA plugins can now be built without modifying core FreeIPA code
  • When establishing trust to an Active Directory forest, FreeIPA now is capable on automatically resolving DNS namespace conflicts with another Active Directory forest.

Known Issues

  • Interactive CLI input for dnsrecord-* commands does not work properly for multipart records (#6203).
  • ipa-ca-install fails on replica when master is CA-less (#6226).
  • Lightweight sub-CA certs are not tracked by certmonger after `ipa-replica-install` (#6019).
  • Certificate revocation in service-del and host-del isn't aware of Sub CAs and causes command to fail when Sub CA cert is used (#6221).

Bug fixes

FreeIPA 4.4.1 is a stabilization release for the features delivered as a part of 4.4.0. There are more than 140 bug-fixes which details can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

Resolved tickets

  • #3864 Adjust Kerberos Principal Aliases implementation
  • #4291 CA not start during ipa server install in pure IPv6 env
  • #433 [RFE] TGS authorization decisions in KDC based on Authentication Indicator
  • #4559 [RFE] Support lightweight sub-CAs
  • #4710 "ipa-server-install: Cannot handle double hyphen ""--"" in hostname"
  • #4831 ipa-client-install should check if fedora-domainname.service is available before calling it
  • #4970 Server certificate profile should always include a Subject Alternate name for the host
  • #5281 3 unnecessary search operations for each user in user-find
  • #5696 Add conflicts with bind-chroot to spec.
  • #5738 Tree-root domains in a trusted AD forest aren't marked as reachable via the forest root
  • #5750 Stop using sys.exit() from modules
  • #5764 [RFE] Web UI: allow Smart Card authentication
  • #5828 [RFE] [webui] warn admin if there is only one IPA server with CA
  • #5864 [RFE] Create a plugins directory that users can use to place custom FreeIPA modifications
  • #5881 URI details missing and OCSP-URI details are incorrectly displayed when certificate generated using IPA on RHEL 7.2up2
  • #5932 IPA Error 911: RefererError has verbatim 'br/' in the message
  • #5934 "Move ""ipa"" command to freeipa-client package"
  • #5956 ocsp responer url should aways contain ipa-ca hostname instead of master hostnames.
  • #5976 replica-promotion: is possible to set invalid IPA domain
  • #5984 CLI is not using session cookies for communication with IPA API
  • #6002 Default CA can be used without an ACL
  • #6012 Multiple issues while uninstalling ipa-server
  • #6013 ipa-cacert-manage --help and man differ
  • #6015 IPA server uninstall doesn't remove Custodia keys
  • #6016 ipa-ca-install on replica tries to connect to master:8443
  • #6020 Server uninstall does not stop tracking lightweight sub-CA with certmonger
  • #6021 External trust with root domain is transitive
  • #6022 cert-show command does not display Subject Alternative Names
  • #6024 'test_user_plugin' and UserTracker do not handle test cases renaming users
  • #6026 ipa commands not showing expected error messages
  • #6027 ipa-nis-manage config.get_dn missing
  • #6028 Renaming a user removes all of his principal aliases
  • #6030 Heap corruption in ipapwd plugin
  • #6032 ipa-server-certinstall couldnt unlock private key file
  • #6033 ipa-compat-manage command failed, exception: NotImplementedError: config.get_dn()
  • #6034 ipa migrate-ds command fails for IPA in RHEL 7.3
  • #6035 ipa unknown command vault-add
  • #6036 'kinit -E' does not work for IPA user
  • #6037 Traceback on adding default automember group and hostgroup set
  • #6043 host-find should not print SSH keys by default, only SSH fingerprints
  • #6044 ipa-advise: object of type 'type' has no len()
  • #6046 ipa-replica-install suggests about non-existent --force-ntpd option
  • #6047 Commands vault-* cause internal error (KeyError: 'ipavaultsalt')
  • #6048 performance regression in CLI help
  • #6050 The host add dialog is not properly closed when the 4304 error occured
  • #6052 Delete action in user details facet has specific name
  • #6053 Menu items has different names
  • #6054 Some facet doesn't have breadcrumb any more
  • #6055 Full name is not displayed when adding an user into User Group
  • #6056 custodia.conf and server.keys file is world-readable.
  • #6058 ipa-replica-manage man page example output differs actual command output
  • #6059 ipa trust-add with raw option gives internal error.
  • #6060 host-del updatedns options complains about missing ptr record for host
  • #6061 ipa trustconfig-show throws internal error.
  • #6062 DNS forwarder check is too strict: unable to add sub-domain to already-broken domain
  • #6064 Create tests for the new certificates WebUI
  • #6069 Fix the help for ipa otp and other topics
  • #6071 ipa-server-install fails in container because of hostnamectl set-hostname
  • #6072 traceback message seen in ipaserver-uninstall.log file.
  • #6076 Mulitple domain Active Directory Trust conflict
  • #6078 """ipa radiusproxy-add"" command needs to prompt to enter secret key"
  • #6081 ipa otptoken-add --type=totp gives internal error
  • #6082 com.redhat.idm.trust-fetch-domains helper crashes due to bad API initialization
  • #6083 Replica install fails with old IPA master
  • #6085 Minor errors in comments
  • #6086 CA replica install logs to wrong log file
  • #6089 Vault commands are available in CLI even when the server does not support them
  • #6093 [Tests] External trust
  • #6094 [Tests] Support of UPN for trusted domains
  • #6095 ipa command stuck forever on higher versioned client with lower versioned server
  • #6097 Incorrect instantiation of MidairCollision exception in the framework
  • #6098 cert-find is slow when there is a lot of certificates
  • #6099 Validation of kerberos enterprise principal alias fails if the trusted domain entry doesn't have ipantadditionalsuffixes attribute
  • #6100 on large deployment user-add in 4.4 is much slower than in 4.2
  • #6101 Migrating users doesn't update krbCanonicalName
  • #6111 AVC on dirsrv config caused by IPA installer
  • #6116 Increase length of passwords generated by installer
  • #6117 ipa-server-install command fails to install IPA server.
  • #6120 "ipa-adtrust-install: when running with --netbios-name="""", the NetBIOS name is changed without notification"
  • #6129 ipa-client-install join fail with traceback against RHEL-6.8 ipa-server
  • #6130 ipa-replica-install --domain=<IPA primary domain> option does not work
  • #6134 "Command ""ipa-replica-prepare"" not allowed to create line replication topology"
  • #6138 UPN-based search for AD users does not match an entry in slapi-nis map cache
  • #6142 Provide test implementation kerberos principal alias RFEs
  • #6146 caacl: error when instantiating rules with service principals
  • #6149 Tests: authentication indicator tests fail after removal of has_keytab attribute from results of update command
  • #6150 `cert-find` crashes on invalid certificate data
  • #6151 cert-find should also show CA of the certificates
  • #6154 ipa vault-mod no longer allows defining salt
  • #6157 ipa hbactest produces error about cannot concatenate 'str' and 'bool' objects
  • #6158 SYSTEMD_SYSTEM_HTTPD_D_DIR points to wrong directory
  • #6159 ipa vault container owner cannot add vault
  • #6160 ipa vault-retrieve internal error when using the wrong public key
  • #6161 Add jslint into Makefile
  • #6164 ipa-replica-install --help usage line suggests the replica file is needed
  • #6165 ipa-backup is not keeping the /etc/tmpfiles.d/dirsrv-<instance>.conf
  • #6166 Subsequent external CA installation fails
  • #6167 Incorrect domainlevel info in tests
  • #6168 Middle replica uninstallation in line topology works without '--ignore-topology-disconnect'
  • #6171 caacl-add-service: incorrect error message when service does not exists
  • #6173 Freeipa cannot be build on fedora 25
  • #6174 ipa otptoken-add bytes object has no attribute confirm
  • #6175 Topology graph: ca and domain adders shows question marks instead of plus icon
  • #6177 ca-less test are broken - invalid usage of ipautil.run
  • #6182 Incomplete output returned for command ipa vault-add
  • #6185 Fix messages tests in ipa.test_ipalib
  • #6186 Fix registry test ipa.test_ipalib.test_plugable.test_Registry
  • #6187 Regression found by test: ipa.test_ipalib.test_parameters.test_create_param
  • #6188 Regressions found by test_frontend: ipa.test_ipalib.test_frontend
  • #6189 Regression found by test: ipa.test_ipalib.test_output.test_Output.test_repr
  • #6191 Regressions found by: ipa.test_ipalib.test_plugable
  • #6192 Regression found by test: ipa.test_ipalib.test_rpc.test_xmlclient.test_forward
  • #6194 Regression found by test: ipa.test_ipaserver.test_ldap.test_ldap.test_Backend
  • #6197 Broken test ipa.test_xmlrpc.test_kerberos_principal_aliases.TestKerberosAliasExceptions.test_enterprise_principal_overlap_with_AD_realm
  • #6198 Regression found by test: ipa.test_xmlrpc.test_old_permission_plugin.test_old_permission
  • #6199 Received ACIError instead of DuplicatedError in stageuser_tests
  • #6200 ipa otptoken-add with empty `key` cause internal error
  • #6204 thin client ignores locale change
  • #6205 The ipa-server-upgrade command failed when named-pkcs11 does not happen to run during dnf upgrade
  • #6206 Upgrade leaves BIND running even if it was not running before the upgrade
  • #6207 ipa-ca-install fails on replica when IPA server is converted from CA-less to CA-full
  • #6213 Incorrect test for DNSForwardPolicyConflictWithEmptyZone warning in test_xmlrpc/test_dns_plugin
  • #6215 Missing or malformed docstrings in ipalib/messages.py
  • #6217 Server assumes latest version of command instead of version 1 for old / 3rd party clients
  • #6224 Failing tests in test_ipalib.test_parameters
  • #6232 Insufficient privileges check in certificate revocation (CVE-2016-5404)
  • #6233 man page for ipa-replica-manage has a typo in -c flag
  • #6234 improve error message in ipa migrate-ds: mention ipa config-mod --enable-migration=TRUE
  • #6235 AD Global Catalog port is missing from in list of ports required for AD trusts
  • #6236 config-mod --usersearch does not accept attribute names with uppercase characters
  • #6240 Tests: Host and service trackers don't recognize 'ipakrboktoauthasdelegate' attribute
  • #6241 Tests: ID views tests don't recognize 'ipakrboktoauthasdelegate' attribute
  • #6242 Tests: ID views tests don't recognize 'krbcanonicalname' attribute
  • #6244 build: add python-libsss_nss_idmap and python-sss to BuildRequires
  • #6246 Duplicate declaration of variables in ipatests/test_xmlrpc/test_idviews_plugin
  • #6247 ipa otptoken-add --type=hotp --key creates wrong OTP
  • #6248 ipa server-del fails with Python stack trace
  • #6251 Require httpd >= 2.4.6-31
  • #6254 kinit_admin raises an exception if server uninstallation is called from test teardown with server not installed
  • #6255 Hostname backup fails if there is no temporary ipatests folder during execution
  • #6258 Tests: invalid test case for adding bad certificate to a service
  • #6259 --ignore-last-of-role has no effect
  • #6265 test catches 2 non-merged one-way segments instead of one merged
  • #6269 cert-find --all does not show information about revocation
  • #6276 Tests: test_xmlrpc/test_trust_plugin tests fail due to missing attributes
  • #6277 When establishing external two-way trust, forest root Administrator account is used to fetch domain info
  • #6284 Tests: avoid skipping tests because of missing files when running as outoftree
  • #3103 GSSAPI error causes failures for child domain user logins across IPA - AD trust

Detailed changelog since 4.4.0

Abhijeet Kasurde (4)

  • Minor fix in ipa-replica-manage MAN page
  • Corrected minor spell check in AD Trust information doc messages
  • Removed unwanted line break from RefererError Dialog message
  • Handled empty hostname in server-del command

Alexander Bokovoy (9)

  • service: add flag to allow S4U2Self
  • support schema files from third-party plugins
  • ipaserver/dcerpc: reformat to make the code closer to pep8
  • trust: automatically resolve DNS trust conflicts for triangle trusts
  • trust: make sure external trust topology is correctly rendered
  • trust: make sure ID range is created for the child domain even if it exists
  • ipa-kdb: simplify trusted domain parent search
  • support multiple uid values in schema compatibility tree
  • freeipa.spec.in: move ipa CLI utility to freeipa-client

Ben Lipton (3)

  • Fix several small typos
  • Use existing HostKey config to test sshd
  • Silence sshd messages during install

Christian Heimes (5)

  • Correct path to HTTPD's systemd service directory
  • RedHatCAService should wait for local Dogtag instance
  • Remove Custodia server keys from LDAP
  • Secure permissions of Custodia server.keys
  • Require httpd 2.4.6-31 with mod_proxy Unix socket support

David Kupka (21)

  • schema: Fix subtopic -> topic mapping
  • help: Add dnsserver commands to help topic 'dns'
  • vault: Catch correct exception in decrypt
  • schema: Speed up schema cache
  • frontend: Change doc, summary, topic and NO_CLI to class properties
  • schema: Introduce schema cache format
  • schema: Generate bits for help load them on request
  • help: Do not create instances to get information about commands and topics
  • compat: Save server's API version in for pre-schema servers
  • schema cache: Do not reset ServerInfo dirty flag
  • schema cache: Do not read fingerprint and format from cache
  • Access data for help separately
  • frontent: Add summary class property to CommandOverride
  • schema cache: Read server info only once
  • schema cache: Store API schema cache in memory
  • client: Do not create instance just to check isinstance
  • schema cache: Read schema instead of rewriting it when SchemaUpToDate
  • schema check: Check current client language against cached one
  • compat: Fix ping command call
  • schema cache: Fallback to 'en_us' when locale is not available
  • otptoken, permission: Convert custom type parameters on server

Florence Blanc-Renaud (4)

  • Show full error message for selinuxusermap-add-hostgroup
  • server uninstall fails to remove krb principals
  • Fix session cookies
  • Fix ipa hbactest output

Fraser Tweedale (11)

  • uninstall: untrack lightweight CA certs
  • caacl: expand plugin documentation
  • spec: require Dogtag >= 10.3.3-3
  • Create server and host certs with DNS altname
  • caacl: fix regression in rule instantiation
  • cert-revoke: fix permission check bypass (CVE-2016-5404)
  • Move GeneralName parsing code to ipalib.x509
  • x509: fix SAN directoryName parsing
  • x509: use NSS enums and OIDs to identify SAN types
  • x509: include otherName DER value in GeneralNameInfo
  • cert-show: show subject alternative names

Ganna Kaihorodova (2)

  • Fix conflict between "got" and "expected" values
  • Fix for integration tests replication layouts

Jan Cholasta (19)

  • frontend: copy command arguments to output params on client
  • Revert "Enable vault-* commands on client"
  • client: fix hiding of commands which lack server support
  • compat: fix ping call
  • install: fix external CA cert validation
  • vault: add missing salt option to vault_mod
  • Revert "spec: add conflict with bind-chroot to freeipa-server-dns"
  • parameters: move the `confirm` kwarg to Param
  • client: add missing output params to client-side commands
  • cert: speed up cert-find
  • cert: do not crash on invalid data in cert-find
  • server install: do not prompt for cert file PIN repeatedly
  • tests: fix test_ipalib.test_frontend.test_Object
  • custodia: include known CA certs in the PKCS#12 file for Dogtag
  • cert: add missing param values to cert-find output
  • cert: include CA name in cert command output
  • rpcserver: assume version 1 for unversioned command calls
  • custodia: force reconnect before retrieving CA certs from LDAP
  • rpcserver: fix crash in XML-RPC system commands

Lenka Doudova (26)

  • Tests: Tracker class for services
  • Tests: Authentication indicators xmlrpc tests
  • Tests: Authentication indicators integration tests
  • Tests: External trust
  • Tests: Support of UPN for trusted domains
  • Tests: Improve handling of rename operation by user tracker
  • Tests: IPA user can kinit using enterprise principal with IPA domain
  • Tests: Removing manipulation with /etc/hosts file from integration tests
  • Tests: Remove has_keytab from list of expected keys of update command
  • Tests: Add data attribute to messages
  • Tests: test_ipalib/test_output fails due to change of Output behaviour
  • Fix malformed or missing docstrings in ipalib/messages
  • Tests: Fix failing tests in test_ipalib/test_parameters
  • Tests: Fix failing tests in test_ipalib/test_frontend
  • Tests: ID views tests do not recognize ipakrboktoauthasdelegate sttribute
  • Tests: Duplicate declaration on variables in ID views tests
  • Tests: ID views tests do not recognize krbcanonicalname attribute
  • Tests: Host tracker does not recognize 'ipakrboktoauthasdelegate' attribute
  • Tests: Service tracker and tests don't recognize 'ipakrboktoauthasdelegate' attribute
  • Tests: Failing test_ipalib/test_rpc
  • Tests: Failing test_ipaserver/test_ldap test
  • Tests: Failing tests in test_ipalib/test_plugable
  • Raise error when running ipa-adtrust-install with empty netbios--name
  • Tests: Random issuer certificate can be added to a service
  • Tests: Add missing attributes to test_xmlrpc/test_trust tests
  • Tests: Avoid skipping tests due to missing files

Lukáš Slebodník (4)

  • ipa_pwd_extop: Fix warning declaration shadows previous local
  • ipa-pwd-extop: Fix warning assignment discards ‘const’ qualifier from pointer
  • ipa-kdb: Allow to build with samba 4.5
  • ipa-kdb: Fix unit test after packaging changes in krb5

Martin Babinsky (20)

  • Fix incorrect check for principal type when evaluating CA ACLs
  • ipa-nis-manage: Use server API to retrieve plugin status
  • ipa-compat-manage: use server API to retrieve plugin status
  • ipa-advise: correct handling of plugin namespace iteration
  • vault-add: set the default vault type on the client side if none was given
  • Preserve user principal aliases during rename operation
  • messages: specify message type for ResultFormattingError
  • DNS install: Ensure that DNS servers container exists
  • Use server API in com.redhat.idm.trust-fetch-domains oddjob helper
  • allow 'value' output param in commands without primary key
  • allow multiple dashes in the components of server hostname
  • expose `--secret` option in radiusproxy-* commands
  • prevent search for RADIUS proxy servers by secret
  • trust-add: handle `--all/--raw` options properly
  • baseldap: Fix MidairCollision instantiation during entry modification
  • Create indexes for krbCanonicalName attribute
  • harden the check for trust namespace overlap in new principals
  • re-set canonical principal name on migrated users
  • add python-libsss_nss_idmap and python-sss to BuildRequires
  • do not use trusted forest name to construct domain admin principal

Martin Bašti (18)

  • Enable vault-* commands on client
  • host-find: do not show SSH key by default
  • CI: DNS locations
  • Host-del: fix behavior of --updatedns and PTR records
  • DNS Locations: fix update-system-records unpacking error
  • Use copy when replacing files to keep SELinux context
  • CI tests: improve log collecting
  • CI tests: fix SSSD log collecting
  • idrange: fix unassigned global variable
  • Do not initialize API in ipa-client-automount uninstall
  • Increase default length of auto generated passwords
  • ipa-backup: backup /etc/tmpfiles.d/dirsrv-<instance>.conf
  • Fix: container owner should be able to add vault
  • Remove forgotten print from DN.__str__ implementation
  • Raise DuplicatedEnrty error when user exists in delete_container
  • Update translations
  • Print to debug output answer from CA
  • Revert "Enable LDAPS in replica promotion"

Milan Kubík (12)

  • ipatests: Tracker implementation for Sub CA feature
  • ipatests: Extend CAACL suite to cover Sub CA members
  • ipatests: Test Sub CA with CAACL and certificate profile
  • ipatests: remove ipacertbase option from test CSR configuration
  • ipatests: Add tracker class for kerberos principal aliases
  • ipatests: Extend the MockLDAP utility class
  • ipatests: Provide a context manager for mocking a trust in RPC tests
  • ipatests: Move trust mock helper functions to a separate module
  • ipapython: Extend kinit_password to support principal canonicalization
  • ipatests: Allow change_principal context manager to use canonicalization
  • ipatests: Add kerberos principal alias tests
  • ipatests: Fix wrong fixture in kerberos principal alias test

Oleg Fayans (7)

  • Test for incorrect client domain
  • Fixed import error
  • Fixed incorrect return code assert
  • Fixed incorrect domainlevel determination in tests
  • Fixed incorrect sequence of method calls in tasks.py
  • Added a sleep interval after domainlevel raise in tests
  • Disabled raiseonerr in kinit call during topology level check

Pavel Vomacka (12)

  • Close host adder dialog before showing 4304 dialog
  • Remove navigation using breadcrumb menus
  • Fix test_navigation tests
  • Fix test which checks removing of user
  • Set default delete action name to 'delete'
  • Remove full name from adding user to user group dialog
  • Add function which check whether the field is empty
  • Add jslint into Makefile
  • Fix unicode characters in ca and domain adders
  • Add warning about only one existing CA server
  • Set servers list as default facet in topology facet group
  • Add 'trusted to auth as user' checkbox

Peter Lacko (1)

  • Test URIs in certificate.

Petr Voborník (2)

  • unite log file name of ipa-ca-install
  • ca-less tests: fix getting cert in pem format from nssdb

Petr Špaček (15)

  • client-install: log exceptions from certmonger.request_cert
  • replica-install: Fix --domain
  • Fix ipa-replica-prepare's error message about missing local CA instance
  • client: RPM require initscripts to get *-domainname.service
  • server-install: Fix --hostname option to always override api.env values
  • install: Call hostnamectl set-hostname only if --hostname option is used
  • DNS server upgrade: do not fail when DNS server did not respond
  • server upgrade: do not start BIND if it was not running before the upgrade
  • DNS: allow to add forward zone to already broken sub-domain
  • adtrust-install: Mention AD GC port 3286 in list of required ports.
  • config-mod: normalize attribute names for --usersearch/--groupsearch
  • migrate-ds: Mention --enable-migration in error message about migration mode
  • Fix man page ipa-replica-manage: remove duplicate -c option from --no-lookup
  • Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin
  • Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin

Simo Sorce (4)

  • Simplify date manipulation in pwd plugin
  • Regenerate asn1 code
  • Additional coverity fixes.
  • Fix CA ACL Check on SubjectAltNames

Stanislav Laznicka (7)

  • Removed unused method parameter from migrate-ds
  • Improvements for the ipa-cacert-manage man and help
  • Removed objectclass from LDAP*ReverseMember based tests
  • Don't show --force-ntpd option in replica install
  • Remove sys.exit from install modules and scripts
  • Fail on topology disconnect/last role removal
  • Don't ignore --ignore-last-of-role for last CA

Sumit Bose (1)

  • kdb: check for local realm in enterprise principals

Thierry Bordaz (2)

  • Heap corruption in ipapwd plugin
  • ipa-pwd-extop memory leak during passord update

Tiboris (1)

  • Added new authentication method

Tomas Krizek (5)

  • Update ipa-replica-install documentation
  • Fix ipa-caalc-add-service error message
  • Validate key in otptoken-add
  • Fix ipa-server-install in pure IPv6 environment
  • Enable LDAPS in replica promotion

gkaihoro (1)

  • Test for caacl-add-service

tester (4)

  • Add possibility to choose parent element by css
  • TEST: managing user certificates
  • TEST: managing host certificates
  • TEST: managing service certificates