Ctrl+K

Highlights in 4.4.1

The FreeIPA team would like to announce FreeIPA v4.4.1 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 24 will be available in the official COPR repository.

Highlights in 4.4.1#

Enhancements#

  • Kerberos KDC now takes Authentication Indicators into account when issuing service tickets. This allows, for example, to require two-factor authenticated Kerberos credentials prior to obtaining tickets to a VPN service.

  • FreeIPA Certificate Authority now is able to create subordinate CAs to issue certificates with a specific scope

  • Web UI and API end-points now can be configured to log-in with client certificates and smart cards. Additional configuration details are described in the External Authentication design page.

  • Web UI now suggests to have redundancy in Certificate Authority topology

  • Custom FreeIPA plugins can now be built without modifying core FreeIPA code

  • When establishing trust to an Active Directory forest, FreeIPA now is capable on automatically resolving DNS namespace conflicts with another Active Directory forest.

Known Issues#

  • Interactive CLI input for dnsrecord-* commands does not work properly for multipart records (#6203).

  • ipa-ca-install fails on replica when master is CA-less (#6226).

  • Lightweight sub-CA certs are not tracked by certmonger after `ipa-replica-install` (#6019).

  • Certificate revocation in service-del and host-del isn’t aware of Sub CAs and causes command to fail when Sub CA cert is used (#6221).

Bug fixes#

FreeIPA 4.4.1 is a stabilization release for the features delivered as a part of 4.4.0. There are more than 140 bug-fixes which details can be seen in the list of resolved tickets below.

Upgrading#

Upgrade instructions are available on Upgrade page.

Feedback#

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

Resolved tickets#

  • #3864 Adjust Kerberos Principal Aliases implementation

  • #4291 CA not start during ipa server install in pure IPv6 env

  • #433 [RFE] TGS authorization decisions in KDC based on Authentication Indicator

  • #4559 [RFE] Support lightweight sub-CAs

  • #4710 “ipa-server-install: Cannot handle double hyphen “”–”” in hostname”

  • #4831 ipa-client-install should check if fedora-domainname.service is available before calling it

  • #4970 Server certificate profile should always include a Subject Alternate name for the host

  • [https://fedorahosted.org/freeipa/ticket/5281, #5281] 3 unnecessary search operations for each user in user-find

  • #5696 Add conflicts with bind-chroot to spec.

  • #5738 Tree-root domains in a trusted AD forest aren’t marked as reachable via the forest root

  • #5750 Stop using sys.exit() from modules

  • #5764 [RFE] Web UI: allow Smart Card authentication

  • #5828 [RFE] [webui] warn admin if there is only one IPA server with CA

  • #5864 [RFE] Create a plugins directory that users can use to place custom FreeIPA modifications

  • #5881 URI details missing and OCSP-URI details are incorrectly displayed when certificate generated using IPA on RHEL 7.2up2

  • #5932 IPA Error 911: RefererError has verbatim ‘br/’ in the message

  • #5934 “Move “”ipa”” command to freeipa-client package”

  • #5956 ocsp responer url should aways contain ipa-ca hostname instead of master hostnames.

  • #5976 replica-promotion: is possible to set invalid IPA domain

  • #5984 CLI is not using session cookies for communication with IPA API

  • #6002 Default CA can be used without an ACL

  • #6012 Multiple issues while uninstalling ipa-server

  • #6013 ipa-cacert-manage –help and man differ

  • #6015 IPA server uninstall doesn’t remove Custodia keys

  • #6016 ipa-ca-install on replica tries to connect to master:8443

  • #6020 Server uninstall does not stop tracking lightweight sub-CA with certmonger

  • #6021 External trust with root domain is transitive

  • #6022 cert-show command does not display Subject Alternative Names

  • #6024 ‘test_user_plugin’ and UserTracker do not handle test cases renaming users

  • #6026 ipa commands not showing expected error messages

  • #6027 ipa-nis-manage config.get_dn missing

  • #6028 Renaming a user removes all of his principal aliases

  • #6030 Heap corruption in ipapwd plugin

  • #6032 ipa-server-certinstall couldnt unlock private key file

  • #6033 ipa-compat-manage command failed, exception: NotImplementedError: config.get_dn()

  • #6034 ipa migrate-ds command fails for IPA in RHEL 7.3

  • #6035 ipa unknown command vault-add

  • #6036 ‘kinit -E’ does not work for IPA user

  • #6037 Traceback on adding default automember group and hostgroup set

  • #6043 host-find should not print SSH keys by default, only SSH fingerprints

  • #6044 ipa-advise: object of type ‘type’ has no len()

  • #6046 ipa-replica-install suggests about non-existent –force-ntpd option

  • #6047 Commands vault-* cause internal error (KeyError: ‘ipavaultsalt’)

  • #6048 performance regression in CLI help

  • #6050 The host add dialog is not properly closed when the 4304 error occured

  • #6052 Delete action in user details facet has specific name

  • #6053 Menu items has different names

  • #6054 Some facet doesn’t have breadcrumb any more

  • #6055 Full name is not displayed when adding an user into User Group

  • #6056 custodia.conf and server.keys file is world-readable.

  • #6058 ipa-replica-manage man page example output differs actual command output

  • #6059 ipa trust-add with raw option gives internal error.

  • #6060 host-del updatedns options complains about missing ptr record for host

  • #6061 ipa trustconfig-show throws internal error.

  • #6062 DNS forwarder check is too strict: unable to add sub-domain to already-broken domain

  • #6064 Create tests for the new certificates WebUI

  • #6069 Fix the help for ipa otp and other topics

  • #6071 ipa-server-install fails in container because of hostnamectl set-hostname

  • #6072 traceback message seen in ipaserver-uninstall.log file.

  • #6076 Mulitple domain Active Directory Trust conflict

  • #6078 “””ipa radiusproxy-add”” command needs to prompt to enter secret key”

  • #6081 ipa otptoken-add –type=totp gives internal error

  • #6082 com.redhat.idm.trust-fetch-domains helper crashes due to bad API initialization

  • #6083 Replica install fails with old IPA master

  • #6085 Minor errors in comments

  • #6086 CA replica install logs to wrong log file

  • #6089 Vault commands are available in CLI even when the server does not support them

  • #6093 [Tests] External trust

  • #6094 [Tests] Support of UPN for trusted domains

  • #6095 ipa command stuck forever on higher versioned client with lower versioned server

  • #6097 Incorrect instantiation of MidairCollision exception in the framework

  • #6098 cert-find is slow when there is a lot of certificates

  • #6099 Validation of kerberos enterprise principal alias fails if the trusted domain entry doesn’t have ipantadditionalsuffixes attribute

  • #6100 on large deployment user-add in 4.4 is much slower than in 4.2

  • #6101 Migrating users doesn’t update krbCanonicalName

  • #6111 AVC on dirsrv config caused by IPA installer

  • #6116 Increase length of passwords generated by installer

  • #6117 ipa-server-install command fails to install IPA server.

  • #6120 “ipa-adtrust-install: when running with –netbios-name=””””, the NetBIOS name is changed without notification”

  • #6129 ipa-client-install join fail with traceback against RHEL-6.8 ipa-server

  • #6130 ipa-replica-install –domain= option does not work

  • #6134 “Command “”ipa-replica-prepare”” not allowed to create line replication topology”

  • #6138 UPN-based search for AD users does not match an entry in slapi-nis map cache

  • #6142 Provide test implementation kerberos principal alias RFEs

  • #6146 caacl: error when instantiating rules with service principals

  • #6149 Tests: authentication indicator tests fail after removal of has_keytab attribute from results of update command

  • #6150 `cert-find` crashes on invalid certificate data

  • #6151 cert-find should also show CA of the certificates

  • #6154 ipa vault-mod no longer allows defining salt

  • #6157 ipa hbactest produces error about cannot concatenate ‘str’ and ‘bool’ objects

  • #6158 SYSTEMD_SYSTEM_HTTPD_D_DIR points to wrong directory

  • #6159 ipa vault container owner cannot add vault

  • #6160 ipa vault-retrieve internal error when using the wrong public key

  • #6161 Add jslint into Makefile

  • #6164 ipa-replica-install –help usage line suggests the replica file is needed

  • #6165 ipa-backup is not keeping the /etc/tmpfiles.d/dirsrv-.conf

  • #6166 Subsequent external CA installation fails

  • #6167 Incorrect domainlevel info in tests

  • #6168 Middle replica uninstallation in line topology works without ‘–ignore-topology-disconnect’

  • #6171 caacl-add-service: incorrect error message when service does not exists

  • #6173 Freeipa cannot be build on fedora 25

  • #6174 ipa otptoken-add bytes object has no attribute confirm

  • #6175 Topology graph: ca and domain adders shows question marks instead of plus icon

  • #6177 ca-less test are broken - invalid usage of ipautil.run

  • #6182 Incomplete output returned for command ipa vault-add

  • #6185 Fix messages tests in ipa.test_ipalib

  • #6186 Fix registry test ipa.test_ipalib.test_plugable.test_Registry

  • #6187 Regression found by test: ipa.test_ipalib.test_parameters.test_create_param

  • #6188 Regressions found by test_frontend: ipa.test_ipalib.test_frontend

  • #6189 Regression found by test: ipa.test_ipalib.test_output.test_Output.test_repr

  • #6191 Regressions found by: ipa.test_ipalib.test_plugable

  • #6192 Regression found by test: ipa.test_ipalib.test_rpc.test_xmlclient.test_forward

  • #6194 Regression found by test: ipa.test_ipaserver.test_ldap.test_ldap.test_Backend

  • #6197 Broken test ipa.test_xmlrpc.test_kerberos_principal_aliases.TestKerberosAliasExceptions.test_enterprise_principal_overlap_with_AD_realm

  • #6198 Regression found by test: ipa.test_xmlrpc.test_old_permission_plugin.test_old_permission

  • #6199 Received ACIError instead of DuplicatedError in stageuser_tests

  • #6200 ipa otptoken-add with empty `key` cause internal error

  • #6204 thin client ignores locale change

  • #6205 The ipa-server-upgrade command failed when named-pkcs11 does not happen to run during dnf upgrade

  • #6206 Upgrade leaves BIND running even if it was not running before the upgrade

  • #6207 ipa-ca-install fails on replica when IPA server is converted from CA-less to CA-full

  • #6213 Incorrect test for DNSForwardPolicyConflictWithEmptyZone warning in test_xmlrpc/test_dns_plugin

  • #6215 Missing or malformed docstrings in ipalib/messages.py

  • #6217 Server assumes latest version of command instead of version 1 for old / 3rd party clients

  • #6224 Failing tests in test_ipalib.test_parameters

  • #6232 Insufficient privileges check in certificate revocation (CVE-2016-5404)

  • #6233 man page for ipa-replica-manage has a typo in -c flag

  • #6234 improve error message in ipa migrate-ds: mention ipa config-mod –enable-migration=TRUE

  • #6235 AD Global Catalog port is missing from in list of ports required for AD trusts

  • #6236 config-mod –usersearch does not accept attribute names with uppercase characters

  • #6240 Tests: Host and service trackers don’t recognize ‘ipakrboktoauthasdelegate’ attribute

  • #6241 Tests: ID views tests don’t recognize ‘ipakrboktoauthasdelegate’ attribute

  • #6242 Tests: ID views tests don’t recognize ‘krbcanonicalname’ attribute

  • #6244 build: add python-libsss_nss_idmap and python-sss to BuildRequires

  • #6246 Duplicate declaration of variables in ipatests/test_xmlrpc/test_idviews_plugin

  • #6247 ipa otptoken-add –type=hotp –key creates wrong OTP

  • #6248 ipa server-del fails with Python stack trace

  • #6251 Require httpd >= 2.4.6-31

  • #6254 kinit_admin raises an exception if server uninstallation is called from test teardown with server not installed

  • #6255 Hostname backup fails if there is no temporary ipatests folder during execution

  • #6258 Tests: invalid test case for adding bad certificate to a service

  • #6259 –ignore-last-of-role has no effect

  • #6265 test catches 2 non-merged one-way segments instead of one merged

  • #6269 cert-find –all does not show information about revocation

  • #6276 Tests: test_xmlrpc/test_trust_plugin tests fail due to missing attributes

  • #6277 When establishing external two-way trust, forest root Administrator account is used to fetch domain info

  • #6284 Tests: avoid skipping tests because of missing files when running as outoftree

  • #3103 GSSAPI error causes failures for child domain user logins across IPA - AD trust

Detailed changelog since 4.4.0#

Abhijeet Kasurde (4)#

  • Minor fix in ipa-replica-manage MAN page

  • Corrected minor spell check in AD Trust information doc messages

  • Removed unwanted line break from RefererError Dialog message

  • Handled empty hostname in server-del command

Alexander Bokovoy (9)#

  • service: add flag to allow S4U2Self

  • support schema files from third-party plugins

  • ipaserver/dcerpc: reformat to make the code closer to pep8

  • trust: automatically resolve DNS trust conflicts for triangle trusts

  • trust: make sure external trust topology is correctly rendered

  • trust: make sure ID range is created for the child domain even if it exists

  • ipa-kdb: simplify trusted domain parent search

  • support multiple uid values in schema compatibility tree

  • freeipa.spec.in: move ipa CLI utility to freeipa-client

Ben Lipton (3)#

  • Fix several small typos

  • Use existing HostKey config to test sshd

  • Silence sshd messages during install

Christian Heimes (5)#

  • Correct path to HTTPD’s systemd service directory

  • RedHatCAService should wait for local Dogtag instance

  • Remove Custodia server keys from LDAP

  • Secure permissions of Custodia server.keys

  • Require httpd 2.4.6-31 with mod_proxy Unix socket support

David Kupka (21)#

  • schema: Fix subtopic -> topic mapping

  • help: Add dnsserver commands to help topic ‘dns’

  • vault: Catch correct exception in decrypt

  • schema: Speed up schema cache

  • frontend: Change doc, summary, topic and NO_CLI to class properties

  • schema: Introduce schema cache format

  • schema: Generate bits for help load them on request

  • help: Do not create instances to get information about commands and topics

  • compat: Save server’s API version in for pre-schema servers

  • schema cache: Do not reset ServerInfo dirty flag

  • schema cache: Do not read fingerprint and format from cache

  • Access data for help separately

  • frontent: Add summary class property to CommandOverride

  • schema cache: Read server info only once

  • schema cache: Store API schema cache in memory

  • client: Do not create instance just to check isinstance

  • schema cache: Read schema instead of rewriting it when SchemaUpToDate

  • schema check: Check current client language against cached one

  • compat: Fix ping command call

  • schema cache: Fallback to ‘en_us’ when locale is not available

  • otptoken, permission: Convert custom type parameters on server

Florence Blanc-Renaud (4)#

  • Show full error message for selinuxusermap-add-hostgroup

  • server uninstall fails to remove krb principals

  • Fix session cookies

  • Fix ipa hbactest output

Fraser Tweedale (11)#

  • uninstall: untrack lightweight CA certs

  • caacl: expand plugin documentation

  • spec: require Dogtag >= 10.3.3-3

  • Create server and host certs with DNS altname

  • caacl: fix regression in rule instantiation

  • cert-revoke: fix permission check bypass (CVE-2016-5404)

  • Move GeneralName parsing code to ipalib.x509

  • x509: fix SAN directoryName parsing

  • x509: use NSS enums and OIDs to identify SAN types

  • x509: include otherName DER value in GeneralNameInfo

  • cert-show: show subject alternative names

Ganna Kaihorodova (2)#

  • Fix conflict between “got” and “expected” values

  • Fix for integration tests replication layouts

Jan Cholasta (19)#

  • frontend: copy command arguments to output params on client

  • Revert “Enable vault-* commands on client”

  • client: fix hiding of commands which lack server support

  • compat: fix ping call

  • install: fix external CA cert validation

  • vault: add missing salt option to vault_mod

  • Revert “spec: add conflict with bind-chroot to freeipa-server-dns”

  • parameters: move the `confirm` kwarg to Param

  • client: add missing output params to client-side commands

  • cert: speed up cert-find

  • cert: do not crash on invalid data in cert-find

  • server install: do not prompt for cert file PIN repeatedly

  • tests: fix test_ipalib.test_frontend.test_Object

  • custodia: include known CA certs in the PKCS#12 file for Dogtag

  • cert: add missing param values to cert-find output

  • cert: include CA name in cert command output

  • rpcserver: assume version 1 for unversioned command calls

  • custodia: force reconnect before retrieving CA certs from LDAP

  • rpcserver: fix crash in XML-RPC system commands

Lenka Doudova (26)#

  • Tests: Tracker class for services

  • Tests: Authentication indicators xmlrpc tests

  • Tests: Authentication indicators integration tests

  • Tests: External trust

  • Tests: Support of UPN for trusted domains

  • Tests: Improve handling of rename operation by user tracker

  • Tests: IPA user can kinit using enterprise principal with IPA domain

  • Tests: Removing manipulation with /etc/hosts file from integration tests

  • Tests: Remove has_keytab from list of expected keys of update command

  • Tests: Add data attribute to messages

  • Tests: test_ipalib/test_output fails due to change of Output behaviour

  • Fix malformed or missing docstrings in ipalib/messages

  • Tests: Fix failing tests in test_ipalib/test_parameters

  • Tests: Fix failing tests in test_ipalib/test_frontend

  • Tests: ID views tests do not recognize ipakrboktoauthasdelegate sttribute

  • Tests: Duplicate declaration on variables in ID views tests

  • Tests: ID views tests do not recognize krbcanonicalname attribute

  • Tests: Host tracker does not recognize ‘ipakrboktoauthasdelegate’ attribute

  • Tests: Service tracker and tests don’t recognize ‘ipakrboktoauthasdelegate’ attribute

  • Tests: Failing test_ipalib/test_rpc

  • Tests: Failing test_ipaserver/test_ldap test

  • Tests: Failing tests in test_ipalib/test_plugable

  • Raise error when running ipa-adtrust-install with empty netbios–name

  • Tests: Random issuer certificate can be added to a service

  • Tests: Add missing attributes to test_xmlrpc/test_trust tests

  • Tests: Avoid skipping tests due to missing files

Lukáš Slebodník (4)#

  • ipa_pwd_extop: Fix warning declaration shadows previous local

  • ipa-pwd-extop: Fix warning assignment discards ‘const’ qualifier from pointer

  • ipa-kdb: Allow to build with samba 4.5

  • ipa-kdb: Fix unit test after packaging changes in krb5

Martin Babinsky (20)#

  • Fix incorrect check for principal type when evaluating CA ACLs

  • ipa-nis-manage: Use server API to retrieve plugin status

  • ipa-compat-manage: use server API to retrieve plugin status

  • ipa-advise: correct handling of plugin namespace iteration

  • vault-add: set the default vault type on the client side if none was given

  • Preserve user principal aliases during rename operation

  • messages: specify message type for ResultFormattingError

  • DNS install: Ensure that DNS servers container exists

  • Use server API in com.redhat.idm.trust-fetch-domains oddjob helper

  • allow ‘value’ output param in commands without primary key

  • allow multiple dashes in the components of server hostname

  • expose `–secret` option in radiusproxy-* commands

  • prevent search for RADIUS proxy servers by secret

  • trust-add: handle `–all/–raw` options properly

  • baseldap: Fix MidairCollision instantiation during entry modification

  • Create indexes for krbCanonicalName attribute

  • harden the check for trust namespace overlap in new principals

  • re-set canonical principal name on migrated users

  • add python-libsss_nss_idmap and python-sss to BuildRequires

  • do not use trusted forest name to construct domain admin principal

Martin Bašti (18)#

  • Enable vault-* commands on client

  • host-find: do not show SSH key by default

  • CI: DNS locations

  • Host-del: fix behavior of –updatedns and PTR records

  • DNS Locations: fix update-system-records unpacking error

  • Use copy when replacing files to keep SELinux context

  • CI tests: improve log collecting

  • CI tests: fix SSSD log collecting

  • idrange: fix unassigned global variable

  • Do not initialize API in ipa-client-automount uninstall

  • Increase default length of auto generated passwords

  • ipa-backup: backup /etc/tmpfiles.d/dirsrv-.conf

  • Fix: container owner should be able to add vault

  • Remove forgotten print from DN.__str__ implementation

  • Raise DuplicatedEnrty error when user exists in delete_container

  • Update translations

  • Print to debug output answer from CA

  • Revert “Enable LDAPS in replica promotion”

Milan Kubík (12)#

  • ipatests: Tracker implementation for Sub CA feature

  • ipatests: Extend CAACL suite to cover Sub CA members

  • ipatests: Test Sub CA with CAACL and certificate profile

  • ipatests: remove ipacertbase option from test CSR configuration

  • ipatests: Add tracker class for kerberos principal aliases

  • ipatests: Extend the MockLDAP utility class

  • ipatests: Provide a context manager for mocking a trust in RPC tests

  • ipatests: Move trust mock helper functions to a separate module

  • ipapython: Extend kinit_password to support principal canonicalization

  • ipatests: Allow change_principal context manager to use canonicalization

  • ipatests: Add kerberos principal alias tests

  • ipatests: Fix wrong fixture in kerberos principal alias test

Oleg Fayans (7)#

  • Test for incorrect client domain

  • Fixed import error

  • Fixed incorrect return code assert

  • Fixed incorrect domainlevel determination in tests

  • Fixed incorrect sequence of method calls in tasks.py

  • Added a sleep interval after domainlevel raise in tests

  • Disabled raiseonerr in kinit call during topology level check

Pavel Vomacka (12)#

  • Close host adder dialog before showing 4304 dialog

  • Remove navigation using breadcrumb menus

  • Fix test_navigation tests

  • Fix test which checks removing of user

  • Set default delete action name to ‘delete’

  • Remove full name from adding user to user group dialog

  • Add function which check whether the field is empty

  • Add jslint into Makefile

  • Fix unicode characters in ca and domain adders

  • Add warning about only one existing CA server

  • Set servers list as default facet in topology facet group

  • Add ‘trusted to auth as user’ checkbox

Peter Lacko (1)#

  • Test URIs in certificate.

Petr Voborník (2)#

  • unite log file name of ipa-ca-install

  • ca-less tests: fix getting cert in pem format from nssdb

Petr Špaček (15)#

  • client-install: log exceptions from certmonger.request_cert

  • replica-install: Fix –domain

  • Fix ipa-replica-prepare’s error message about missing local CA instance

  • client: RPM require initscripts to get *-domainname.service

  • server-install: Fix –hostname option to always override api.env values

  • install: Call hostnamectl set-hostname only if –hostname option is used

  • DNS server upgrade: do not fail when DNS server did not respond

  • server upgrade: do not start BIND if it was not running before the upgrade

  • DNS: allow to add forward zone to already broken sub-domain

  • adtrust-install: Mention AD GC port 3286 in list of required ports.

  • config-mod: normalize attribute names for –usersearch/–groupsearch

  • migrate-ds: Mention –enable-migration in error message about migration mode

  • Fix man page ipa-replica-manage: remove duplicate -c option from –no-lookup

  • Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin

  • Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin

Simo Sorce (4)#

  • Simplify date manipulation in pwd plugin

  • Regenerate asn1 code

  • Additional coverity fixes.

  • Fix CA ACL Check on SubjectAltNames

Stanislav Laznicka (7)#

  • Removed unused method parameter from migrate-ds

  • Improvements for the ipa-cacert-manage man and help

  • Removed objectclass from LDAP*ReverseMember based tests

  • Don’t show –force-ntpd option in replica install

  • Remove sys.exit from install modules and scripts

  • Fail on topology disconnect/last role removal

  • Don’t ignore –ignore-last-of-role for last CA

Sumit Bose (1)#

  • kdb: check for local realm in enterprise principals

Thierry Bordaz (2)#

  • Heap corruption in ipapwd plugin

  • ipa-pwd-extop memory leak during passord update

Tiboris (1)#

  • Added new authentication method

Tomas Krizek (5)#

  • Update ipa-replica-install documentation

  • Fix ipa-caalc-add-service error message

  • Validate key in otptoken-add

  • Fix ipa-server-install in pure IPv6 environment

  • Enable LDAPS in replica promotion

gkaihoro (1)#

  • Test for caacl-add-service

tester (4)#

  • Add possibility to choose parent element by css

  • TEST: managing user certificates

  • TEST: managing host certificates

  • TEST: managing service certificates

Contents