Release date: 2021-08-19

The FreeIPA team would like to announce the FreeIPA 4.9.7 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.9.7

  • #3226 [RFE] ipa sudorule-add-user should accept more types of characters
  • #8402 [RFE] ipa-client-install forces nsupdate to bind with gssapi: invoke nsupdate without authentication if the GSS-TSIG attempt fails at install time, and configure SSSD to use nsupdate without GSS-TSIG in this case.
  • #8528 Use separate logs for AD Trust and DNS installer: ipa-adtrust-install and ipa-dns-install now log their activity into separate log files.
  • #8655 Allow to establish trust to Active Directory in FIPS mode: when IPA is deployed in FIPS mode, it is now possible to establish a trust to an Active Directory forest.

  • FreeIPA now provides centrally-managed allocation of ID sub-ranges for users and groups, for use in podman and runc.
  • ipa-getkeytab now has an option to discover servers using DNS SRV.
  • ipa-client-install now gracefully switches to using no authentication when updating its own DNS record if GSS-TSIG fails. It also configures SSSD to do the same.

Known Issues

  • ipa-server-install --auto-reverse does not create a reverse DNS zone even when needed on systems using systemd-resolved.

Bug fixes

FreeIPA 4.9.7 is a stabilization release for the features delivered as part of the 4.9 version series.

There are more than 50 bug fixes, the details of which can be seen in the list of resolved tickets below.

Upgrade instructions are available on the Upgrade page.

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on libera.chat.

Resolved tickets

  • #3226 [RFE] ipa sudorule-add-user should accept more types of characters
  • #6587 ipa-otpd: systemctl reports "degraded" for "is-system-running" after today's CentOS updates
  • #7814 fix automountlocation-tofiles output
  • #8206 Add checks to prevent assigning authentication indicators to internal IPA services
  • #8227 dnszone-add: ignores given SOA serial
  • #8245 ipa-kra-install should exit if ca_host is overridden.
  • #8257 ipa-certupdate sets temporary ccache in the wrong place
  • #8361 Add support for managing subuids and subgids in FreeIPA
  • #8397 Cannot remove First master server with KRA after the server hard disk failed (destructed)
  • #8402 [RFE] ipa-client-install forces nsupdate to bind with gssapi
  • #8415 Ignore case when evaluating attributes and objectclasses in config plugin
  • #8452 update samba configuration on IPA master to explicitly use 'server role' setting
  • #8478 Do SRV discovery in ipa-getkeytab if -s and -H aren't provided
  • #8501 Unify how FreeIPA gets FQDN of current host
  • #8519 Fedora container platform is incomplete
  • #8524 Deploy & manage the ACME service topology wide from a single system
  • #8528 Use separate logs for AD Trust and DNS installer
  • #8584 ACME communication with dogtag REST endpoints should be using the cookie it creates
  • #8647 Incorrect DNSKEY created when DNSSEC enabled for zone
  • #8655 Allow to establish trust to Active Directory in FIPS mode
  • #8676 [Tracker] Multiple nightly test failure in test_integration/test_ntp_options/TestNTPoptions
  • #8795 Remove dependency from tests on ipaserver package/modules
  • #8810 Nightly test failure (rawhide/f34) in test_ipahealthcheck.py::TestIpaHealthCheck: missing AAAA record for ipa-ca
  • #8832 ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4
  • #8864 azure: dnf sometimes fails
  • #8889 [tests] healthcheck 0.9
  • #8890 Nightly test failure (rawhide) in test_ipa_cert_fix.py::TestIpaCertFix::test_missing_startup
  • #8891 FreeIPA server in debug mode fails to run because time.perf_counter_ns is Python 3.7+
  • #8892 [RFE] When IPA system is healthy, ipa-healthcheck --failures-only should display proper message instead of empty list
  • #8905 Package python3-ipatests (from CRB repo) Requires python3-coverage
  • #8906 support for SHA384withRSA signing algo missing
  • #8909 Unable to set ipaUserAuthType with stageuser-add
  • #8911 Nightly test failure in pki-fedora/test_webui_cert.
  • #8913 [man page] contradiction in ipa-server-upgrade command's man page and usage
  • #8918 Nightly failure in test_external_ca.py::TestSelfExternalSelf::test_switch_back_to_self_signed
  • #8919 Nightly test failure in test_webui/test_range.py::test_range::test_crud
  • #8920 ipa-healthcheck reports RIPluginCheck CRITICAL error for DSRILE0002
  • #8923 Trust controller role should pull sssd-winbind-idmap package
  • #8925 ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL
  • #8926 Nightly test failure (rawhide) in test_smb
  • #8929 Nightly test failure in test_integration/test_acme.py/TestACMERenew/test_renew - kinit admin: Password change failed while getting initial credentials
  • #8930 IdM should call into Dogtag to dynamically update the security domain info
  • #8931 flake8 report for tasks.py
  • #8934 ipa-advise unconditionally uses modutil to load opensc module
  • #8935 [tracker] Update boxes for PR-CI nightly runs
  • #8936 ipa-server install failure without DNS
  • #8937 Multiple issues in tasks' install/uninstall helpers
  • #8938 Remove python3-pexpect as dependency for ipatests pkg
  • #8939 Add index for sudoorder
  • #8942 TestAJPSecretUpgrade tests fail on system without pkiuser
  • #8944 TestIpaAdTrustInstall::test_ipa_user_s4u2self_pac failed at create_active_user
  • #8949 Test for RFE ipa-healthcheck should verify owner/perms for important logs in "/var/log" in the ipahealthcheck.ipa.files source
  • #8956 Nightly failure in test_caless.py::TestIPACommands::test_invoke_upgrader

Detailed changelog since 4.9.6

Armando Neto (1)

  • ipatests: bump prci boxes + move gating to f34 commit #8935

Alexander Bokovoy (2)

  • rhel platform: add a named crypto-policy support commit #8925
  • Back to git snapshots commit

Anuja More (5)

  • ipatests: Test unsecure nsupdate. commit #8402
  • ipatests: Refactor test_check_otpd_after_idle_timeout commit #6587
  • ipatests: skip test_basesearch_compat_tree on fedora. commit
  • ipatests: Test ldapsearch with base scope works with compat tree. commit
  • ipatests: Test for OTP when the LDAP connection timed out. commit #6587

Antonio Torres (6)

  • ipatests: expect SOA serial option deprecation warning commit #8227
  • dnszone: deprecate option for setting SOA serial commit #8227
  • ipatests: test if KRA install fails when ca_host is overridden commit #8245
  • ipa-kra-install: exit if ca_host is overridden commit #8245
  • ipatests: ensure auth indicators can't be added to internal IPA services commit #8206
  • Add checks to prevent adding auth indicators to internal IPA services commit #8206

Christian Heimes (8)

  • Fix string check in uninstall helper commit #8937
  • Fix ldapupdate.get_sub_dict() for missing named user commit #8936
  • Test DNA plugin configuration commit
  • Fix oid of ipaUserDefaultSubordinateId commit
  • Fix ipa-server-upgrade commit
  • Use 389-DS' dnaInterval setting to assign intervals commit
  • Redesign subid feature commit
  • Add basic support for subordinate user/group ids commit #8361

Chris Kelley (2)

  • Parse cert chain as JSON not XML commit
  • Parse getStatus as JSON not XML commit

François Cami (13)

  • Update list of contributors commit
  • ipatests: use krb5_trace in TestIpaAdTrustInstall commit #8944
  • freeipa.spec.in: remove python3-pexpect from Requires commit #8938
  • gating.yaml: Fix TestInstallMaster timeout commit
  • Azure: temporarily disable problematic tests, #2 commit #8864
  • Azure: temporarily disable problematic tests, #1 commit #8864
  • tasks.py: fix flake8-reported issues commit #8931
  • test_acme: make password renewal more robust commit #8929
  • test_acme: refactor with tasks commit
  • ipatests: smbclient "-k" => "--use-kerberos=desired" commit #8926
  • rpcserver.py: perf_counter_ns is Python 3.7+ commit #8891
  • ipatests: smoke test for server debug mode. commit #8891
  • paths: add IPA_SERVER_CONF commit #8891

Florence Blanc-Renaud (12)

  • webui tests: fix algo for finding available idrange commit #8919
  • Index: Fix definition for memberOf commit #8920
  • spec file: Trust controller role should pull sssd-winbind-idmap package commit #8923
  • webui tests: close notification when revoking cert commit #8911
  • pr-ci definitions: add subid-related jobs commit #8361
  • ipatests: use whole date when calling journalctl --since commit #8918
  • Server install: do not use unchecked ip addr for ipa-ca record commit #8810
  • man page: update ipa-server-upgrade.1 commit #8913
  • augeas: bump version for rhel9 commit #8676
  • XMLRPC test: add a test for stageuser-add --user-auth-type commit #8909
  • stageuser: add ipauserauthtypeclass when required commit #8909
  • Remove unneeded dependency on python-coverage commit #8905

Michal Polovka (3)

  • ipatests: test_ipahealthcheck: Verify permissions for /var/log/ files commit #8949
  • ipatests: test_installation: move tracking_reqs dependency to ipalib constants ipaserver: krainstance: utilize moved tracking_reqs dependency commit #8795
  • ipatests: test_ipahealthcheck: print a message if a system is healthy commit #8892

Mohammad Rizwan (2)

  • ipatests: Look for warning into stderr instead of stdout commit #8890
  • ipatests: Test ipa-cert-fix warns when startup directive is missing from CS.cfg commit #8890

Rob Crittenden (21)

  • Only call add_agent_to_security_domain_admins() when CA is installed commit #8956
  • ipatests: Verify that securitydomain is updated on server-del commit #8930
  • Clean up the PKI securitydomain when removing a server commit #8930
  • pr-ci definitions: add custom plugin-related jobs commit #8415
  • ipatests: add suite for testing custom plugins commit #8415
  • Don't assume that plugin attributes and objectclasses are lowercase commit #8415
  • Add index for sudoorder commit #8939
  • ipatests: verify that getcert output includes the issued date commit
  • ipa-advise: Define the domain used when looking up ipa-ca commit #8934
  • ipa-advise: if p11-kit provides opensc, don't add to NSS db commit #8934
  • ipatests: test ipa-getkeytab server option commit #8478
  • ipa-getkeytab: fix compiler warnings commit #8478
  • ipa-getkeytab: add option to discover servers using DNS SRV commit #8478
  • Provide more information in ipa-certupdate on ccache failure commit #8257
  • Fix automountlocation-tofiles expected output in xmlrpc test commit #7814
  • ipatests: Add test for ipa automountlocation-tofiles commit #7814
  • Display all orphaned keys in automountlocation-tofiles commit #7814
  • ipatests: test removing last KRA when it is not running commit #8397
  • Use new method in check to prevent removal of last KRA commit #8397
  • Fall back to krbprincipalname when validating host auth indicators commit #8206
  • Add SHA384withRSA as a certificate signing algorithm commit #8906

Stanislav Levin (1)

  • ipatests: Fix TestAJPSecretUpgrade tests on systems without pkiuser commit #8942

Serhii Tsymbaliuk (1)

  • WebUI: Improve subordinate ids user workflow commit #8361

Sudhir Menon (1)

  • ipatests: Fix for test_source_ipahealthcheck_ipa_host_check_ipahostkeytab commit #8889