Released 2021-03-31

The FreeIPA team would like to announce the FreeIPA 4.9.3 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.9.3

Bug fixes

FreeIPA 4.9.3 is a stabilization release for the features delivered as part of the 4.9.0 version series.

There are more than 30 bug fixes since the FreeIPA 4.9.2 release. Details of the bug fixes can be seen in the list of resolved tickets below.


Upgrade instructions are available on the Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on Freenode.

Resolved tickets

  • #7885 (rhbz#1690191) RFE: wrapper for Dogtag cert-fix command
  • #8155 Enhance error message for adding non-posix groups with a GID
  • #8244 The help for the --otp flag in "ipa passwd" could be clearer
  • #8423 Multiple permitopen in SSH-key
  • #8496 [Tracker] Multiple nightly test failures in test_dnssec, test_backup_and_restore and test_dns_locations
  • #8506 (rhbz#1930038) Nightly failure in ipa-server-install --uninstall: org.freedesktop.DBus.Error.NoReply
  • #8530 (rhbz#1859185) Running ipa-server-install fails on machine where libsss_sudo is not installed
  • #8550 (rhbz#1902173) Uninstallation of server with KRA displays error but proceeds successfully (unable to access security domain)
  • #8553 Random failure in test_backup_and_restore.py::TestBackupRoles::test_rolecheck_Trust
  • #8565 Remove duplication in pkispawn exception output
  • #8600 ipa-cert-fix unable to fix certs not named 'Server-cert'
  • #8605 (rhbz#1903250) backtrace using ipa-replica-manage
  • #8636 (rhbz#1923900) Samba on IdM member failure
  • #8654 DNSSEC key synchronization issues
  • #8669 Reduce difference between upstream and downstream releases
  • #8681 krb5kdc dumped core
  • #8695 Nightly failure in test_dnssec.py::TestInstallDNSSECFirst::test_resolvconf (fed33)
  • #8703 DNS resolvers issues in IPA tests
  • #8705 server installation fails against 389-ds
  • #8715 (rhbz#1924707) Establishing trust with AD domain using shared secret fails in FIPS mode
  • #8718 (rhbz#1928854) ipa-server-install ignores --zonemgr parameter
  • #8720 New pylint failures reported for inconsistent-return-statements
  • #8721 (rhbz#1779984) The ipa-cert-fix command failed. [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/27-renewed.crt'
  • #8725 Nightly test failure in test_cert
  • #8728 Random nightly test failure in test_commands.py::TestIPACommand::test_ssh_key_connection
  • #8735 ccache-sweeper removes valid ccaches
  • #8737 [ipatests] `test_source_ipahealthcheck_ipa_host_check_ipahostkeytab` fails against krb5 1.19.1
  • #8743 (rhbz#1922781) Inconsistent nsaccountlock field type in api response
  • #8747 Nightly failure in test_sssd.py::TestSSSDWithAdTrust::test_is_user_filtered
  • #8753 Adopt redhat ipaplatform to RHEL 9/ELN and RHEL 7/8 split
  • #8759 RFE: Extend logging to include execution time
  • #8768 rpmlint should be optional for fastcheck, devcheck and lint make targets
  • #8772 pylint 2.7.0-2.7.2 introduces new warnings
  • #8779 Nightly test failure (updates-testing) in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_riplugincheck
  • #8780 RFE: Reduce number of LDAP operations during sudorule-mod
  • #8781 test_ipaserver/test_jsplugins.py::test_jsplugins::test_jsplugins fails in server-less environments

Detailed changelog since 4.9.2

Armando Neto (1)

  • ipatests: Update gating to Fedora 33

Alexander Bokovoy (10)

  • Become FreeIPA 4.9.3
  • Update list of contributors
  • Update ipa.pot translations file
  • freeipa.spec: synchronize with Fedora for 389-ds and PKI versions #8705
  • ipa-kdb: mark test functions as static
  • ipa-kdb: reformat ipa_kdb_certauth
  • ipa-kdb: add missing prototypes
  • ipa-kdb: fix compiler warnings
  • ipa-kdb: do not use OpenLDAP functions with NULL LDAP context #8681
  • Back to git commits

Antonio Torres (11)

  • sudorule: reduce number of LDAP searches during modification #8780
  • ipa passwd: make help for `--otp` option clearer #8244
  • ipatests: add test for multiple permitopen entries in SSH keys
  • Allow multiple permitopen/permitlisten in SSH keys #8423
  • ipatests: add test for group creation with GID and nonposix option
  • Enhance error message when adding non-posix group with a GID #8155
  • ipatests: expect boolean type for nsaccountlock in user module #8743
  • Return nsaccountlock in user-add as boolean #8743
  • Extend logging to include execution time #8759
  • ipatests: check that zonemgr is set correctly during server install #8718
  • ipaserver: don't ignore zonemgr option on install #8718

Alexander Scheel (1)

  • Handle multiple AJP adapters during upgrade

François Cami (10)

  • ipatests: check for the "no sudo present" string absence #8530
  • ipa-client-install: output a warning if sudo is not present (2) #8530
  • ipa-csreplica-manage, ipa-replica-manage: refactor #8605
  • ipalib/util.py: add print_replication_status
  • ipa-replica-manage: handle missing attributes #8605
  • ipa-replica-manage: always display nsds5replicalastinitstatus #8605
  • freeipa.spec: client: depend on libsss_sudo and sudo #8530
  • ipa-client-install: output a warning if sudo is not present #8530
  • ipatests: tasks: handle uninstalling packages with nodeps
  • ipatests: add TestInstallWithoutSudo #8530

Florence Blanc-Renaud (11)

  • ipatests: update expected message #8779
  • Adapt redhat ipaplatform to RHEL9/ELN #8753
  • ipatests: fix TestInstalDNSSECFirst::test_resolvconf logic #8695
  • ipatests: re-add test_dnssec.py::TestInstallDNSSECFirst in gating #8496
  • ipatests: filter_users belongs to nss section #8747
  • dnssec: concurrency issue when disabling old replica key #8654
  • dnssec: fix ipa-ods-exporter crash when master key missing #8654
  • ipatests: use whole date when calling journalctl --since #8728
  • freeipa.spec: bump the required version of 389ds #8496
  • ipatests: Update PRCI templates for ipa-4-9
  • pylint: fix inconsistent-return-statements #8720

Fraser Tweedale (1)

  • ipa-cert-fix: improve handling of 'pki-server cert-fix' failure #8721

Jan Pazdziora (1)

  • Avoid comparing 'max' with 'max\n'.

Kaleemullah Siddiqui (1)

  • ipatests: error message check in uninstall log for KRA #8550

Mohammad Rizwan (7)

  • ipatests: Don't rely on certmonger's assigned request id #8725
  • ipatests: Enable certbot test on rhel
  • ipatests: introduce wait_for_replication in test_rolecheck_Trust #8553
  • ipatests: update nightly definition for ipa_cert_fix suite
  • ipatests: Test if ipa-cert-fix renews expired certs with kra installed #7885
  • Move fixture outside the class and add setup_kra capability
  • ipatests: Test if ipa-cert-fix renews expired certs #7885

Rob Crittenden (11)

  • Increase timeout for TestIpaHealthCheck to 5400s #8506
  • Uninstall without starting the CA in cert expiration test #8506
  • ipatests: Test secure_ajp_connector works with multiple connectors
  • Allow overriding is_newer_tomcat_version()
  • Don't renew non-IPA issued certs in ipa-cert-fix #8600
  • Set pki-core dependency to 10.3.3 for pki-server cert-fix bug
  • ipatests: test third-party 389-ds cert with ipa-cert-fix #8600
  • ipa-cert-fix: Don't hardcode the NSS certificate nickname #8600
  • Remove a remaining file used with csrgen #8669
  • Don't double-report any errors from pki-spawn failures #8565
  • Suppress error message if the CRL directory doesn't exist #8565

Stanislav Levin (16)

  • ipatests: Skip test_jsplugins in server less environments #8781
  • Azure: Run Lint task as separate job #8772
  • pylint: Fix several warnings #8772
  • Azure: Don't install pypi's docker
  • Azure: Disable AppArmor profile for chrony
  • Azure: Warn about Host's AVC and SECCOMP
  • Azure: Collect Host's systemd journal
  • Azure: Run chronyd in Docker
  • Azure: Template docs build
  • Azure: Show disk usage
  • Azure: Make it possible to pass additional Pytest args
  • Azure: Run rpmlint on Fedora #8768
  • configure: Make rpmlint optional #8768
  • ipatests: Fix expectation about GSS error in test for healthcheck #8737
  • cleanup: Drop never used path for httpd's ccache
  • ccache_sweeper: Add gssproxy service #8735

Sergey Orlov (16)

  • ipatests: log command spawned by pexpect
  • ipatests: allocate pseudo-terminal only for specific command
  • ipatests: update prci definitions for test_http_kdc_proxy
  • ipatests: add test for kdcproxy handling reply split to several TCP packets
  • ipatests: return result of kinit_as_user, pass raiseonerr parameter
  • ipatests: use proper template for TestMaskInstall
  • ipatests: do not configure nameserver when installing client and replica #8703
  • ipatests: always try to create A records for hosts in IPA domain #8703
  • ipatests: mock resolver factory #8703
  • ipatests: disable systemd-resolved cache #8703
  • ipatests: do not manually modify /etc/resolv.conf in tests #8703
  • ipatests: setup resolvers during replica and client installations #8703
  • ipatests: add utility for managing domain name resolvers #8703
  • ipatests: collect config files for NetworkManager and systemd-resolved #8703
  • ipatests: test Samba mount with NTLM authentication #8636
  • ipatests: skip tests for AD trust with shared secret in FIPS mode #8715

Sudhir Menon (1)

  • ipatests: Test to check sosreport collects healthcheck.log file

Troy Dawson (1)

  • platform-python only on RHEL8

Thorsten Scherf (2)

  • Update 10-ssh-key-management.rst
  • Fix lgtm file classification