Releases/4.9.6

The FreeIPA team would like to announce FreeIPA 4.9.6 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
Contents
Highlights in 4.9.6
- 8402: [RFE] ipa-client-install forces nsupdate to bind with gssapi
- Invoke nsupdate without authentication if the GSS-TSIG attempt fails at install time ; configure SSSD to use nsupdate without GSS-TSIG in this case.
Enhancements
Known Issues
- FreeIPA 4.9.4 contains a new LDAP caching layer that might incorrectly return data in certain cases. This is known to affect ansible-freeipa operations with automember rules. FreeIPA 4.9.6 addresses this issue.
Bug fixes
FreeIPA 4.9.6 is a stabilization release for the features delivered as a part of 4.9.0 version series.
There are more than 10 bug-fixes since FreeIPA 4.9.5 release. Details of the bug-fixes can be seen in the list of resolved tickets below.
Upgrading
Upgrade instructions are available on Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.
Resolved tickets
- #7752 ipa client throws http.client.ResponseNotReady error
- #8402 (rhbz#1854557) [RFE] ipa-client-install forces nsupdate to bind with gssapi
- #8532 (rhbz#1886837) Revise PKINIT upgrade code
- #8726 Provide a better error message with updatedns and FQDN Is not provided
- #8754 (rhbz#1919384) Certificate Serial Number issue
- #8817 Running ipa-server-certinstall with v1 certificate fails with Attempted "__iter__" operation on ASN.1 schema object
- #8880 (rhbz#1973023) CA_less ipa-server-install fails if CA cert subject contains non ascii chars
- #8882 Directly integrate custodia
- #8884 (rhbz#1967325) API returns the misleading error "Insufficient Access" if run as non-admin
- #8885 (rhbz#1975139) Upgrade error: Add failure missing required attribute "objectclass"
- #8889 [tests] healthcheck 0.9
- #8897 (rhbz#1976286) ansible-freeipa automember test fails with `automember_add_condition: testgroup: 'objectclass'` due to ldap cache
- #8898 plugin `plugins` doesn't work
Detailed changelog since 4.9.5
Alexander Bokovoy (2)
Antonio Torres (3)
- ipatests: test host update using shortname commit #8726, #8884
- host: try to resolve FQDN before command execution commit #8726, #8884
- Allow PKINIT to be enabled when updating from a pre-PKINIT IPA CA server commit #8532
Christian Heimes (7)
- Also drop Custodia client and forwarder commit #8882
- Add Custodia tests commit
- Remove more unused Custodia code commit #8882
- Fix Custodia pylint issues commit #8882
- Fix Custodia imports commit #8882
- Remove unused Custodia modules commit #8882
- Add Custodia 0.6.0 to ipaserver package commit #8882
François Cami (3)
- ipa-client-install: update sssd.conf if nsupdate requires -g commit #8402
- ipa-client-install: invoke nsupdate twice (GSS-TSIG, plain) commit #8402
- ipa-client-install: remove fsync in do_nsupdate() commit #8402
Florence Blanc-Renaud (2)
- ipatests: use non-ascii chars in CA-less install commit #8880
- CA-less install: non-ASCII chars in CA cert subject commit #8880
Rob Crittenden (3)
- Return a copy of cached entries, only with requested attributes commit #8897
- Use get_replication_plugin_name in LDAP updater commit #8885
- When loading certificates verify that it is X.509 v3 commit #8817
Stanislav Levin (4)
- ipatests: Add tests for `env` plugin commit
- ipatests: Add tests for `plugins` plugin commit #8898
- plugins: Don't treat keys of api as bytes commit #8898
- ipatests: healthcheck: Update IPAHostKeytab assumptions commit #8889