

Release date: 2013-10-04

The FreeIPA team is proud to announce FreeIPA v3.3.2!

It can be downloaded from http://www.freeipa.org/page/Downloads. Fedora 19 builds are already on their way to the updates-testing repo.

Highlights in 3.3.2


  • Multiple domains from a trusted Active Directory forest are now supported
  • Warnings are issued when the installed FreeIPA realm differs from the main domain, as this setup prevents configuring AD trusts
  • PKCS#12 files with an empty password are allowed in install tools

Bug fixes

  • ipa-replica-manage no longer returns RUV error when removing a replica
  • ipa-replica-install no longer crashes when being run against a master with older Directory Server
  • When creating AD trust, report supported enctypes based on Kerberos realm configuration
  • ... and numerous other small fixes

Test improvements

  • New tests for forced client re-enrollment feature
  • Integration tests no longer require python-paramiko and can run on top of bare SSH connection
  • Numerous small fixes in beakerlib integration

Supporting Multiple Domains from Trusted Active Directory Forest

Previously only the root level domain of a trusted AD forest was supported. Now all domains of the trusted AD forest can access resources in a FreeIPA domain. FreeIPA admins are now able to refresh the list of domains from a trusted AD forest and selectively enable and disable specific domains from accessing resources in the FreeIPA domain.

The following commands were added to the FreeIPA CLI:

  • ipa trust-fetch-domains <trust>
    • Refresh the list of domains from a trusted AD forest. By default, all found domains belonging to the forest will be allowed to access IPA resources.
  • ipa trustdomain-find <trust> [domain]
    • List domains of the trusted AD forest, displaying their attributes. When a domain is specified in addition to the trust name, only information about that domain is shown.
  • ipa trustdomain-disable <trust> <domain>
    • Disable access from <domain> of the <trust> to IPA resources.
  • ipa trustdomain-enable <trust> <domain>
    • Enable access from <domain> of the <trust> to IPA resources.
  • ipa trustdomain-del <trust> <domain>
    • Remove information about <domain> of the <trust> from IPA's view of the trusted AD forest. Users from <domain> will not be able to access IPA resources.

The following IPA commands were extended:

  • ipa trust-add <trust>
    • When a trust to an AD forest is established, the list of domains of the forest will be fetched and identity ranges for them will be created automatically. If POSIX attributes are managed by the AD forest, a single identity range for the trusted forest's root level domain will be re-used.
    • When a trust to an AD forest is established, the list of domains associated with IPA is provided to the DC of the forest root level domain. This information is used to enable name suffix routing for systems belonging to the IPA domain. As a result, if IPA master servers don't belong to the IPA DNS domain namespace, they will be able to access resources in the trusted AD forest.

FreeIPA 3.3.2 requires SSSD 1.11.1 because of the integrated support for non-root level forest domains.
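Because every domain found by trust-fetch-domains is allowed by default, an admin who wants only approved child domains to reach IPA resources has to disable the rest. The following is an added example, not FreeIPA project code: it turns trustdomain-find output plus an allowlist file into the enable/disable commands to run. The "Domain name:" output format, the function names and the sample domains are assumptions.

```shell
#!/bin/sh
# Added example (not FreeIPA project code): plan trustdomain changes from an allowlist.
# Assumption: `ipa trustdomain-find <trust>` prints one "Domain name: <fqdn>"
# line per domain; adjust the sed pattern if your version's output differs.

# plan_trustdomain_changes TRUST ALLOWLIST_FILE   (find output on stdin)
# Prints the ipa commands to run; it executes nothing itself.
plan_trustdomain_changes() {
    ptc_trust=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    ptc_allow=$2
    # DNS names are case-insensitive, so compare everything in lower case.
    sed -n 's/^[[:space:]]*Domain name:[[:space:]]*//p' |
    tr '[:upper:]' '[:lower:]' | sort -u |
    while read -r ptc_dom; do
        case $ptc_dom in
            ''|*[!a-z0-9.-]*)   # not a DNS name: never place it in a command
                echo "# skipped unexpected value in find output"; continue ;;
        esac
        # The forest root shares the trust's name; it is managed via the trust itself.
        [ "$ptc_dom" = "$ptc_trust" ] && continue
        if grep -qixF -e "$ptc_dom" "$ptc_allow"; then
            echo "ipa trustdomain-enable $ptc_trust $ptc_dom"
        else
            echo "ipa trustdomain-disable $ptc_trust $ptc_dom"
        fi
    done
}

# Constructed sample of `ipa trustdomain-find ad.example.test` output.
SAMPLE_FIND_OUTPUT='  Domain name: ad.example.test
  Domain NetBIOS name: AD
  Domain name: emea.ad.example.test
  Domain NetBIOS name: EMEA
  Domain name: LAB.ad.example.test
  Domain NetBIOS name: LAB'

# Run the planner on the sample with an allowlist approving one child domain.
demo_plan() {
    demo_allow=$(mktemp)
    printf '%s\n' '# approved child domains' 'emea.ad.example.test' > "$demo_allow"
    printf '%s\n' "$SAMPLE_FIND_OUTPUT" |
        plan_trustdomain_changes ad.example.test "$demo_allow"
    rm -f "$demo_allow"
}
demo_plan
```

On a real server, pipe `ipa trustdomain-find <trust>` into plan_trustdomain_changes after each `ipa trust-fetch-domains <trust>` and review the printed commands before running them.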


FreeIPA servers with CA installed prior to version 3.1

A manual upgrade procedure is required for FreeIPA servers installed with a version prior to 3.1. Please see http://www.freeipa.org/page/Howto/Dogtag9ToDogtag10Migration for details.

Other FreeIPA servers and clients

An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.

Please note that if you are doing the upgrade in a special environment (e.g. FedUp) which does not allow running the LDAP server during the upgrade process, the upgrade scripts need to be run manually after the first boot:

  1. ipa-upgradeconfig
  2. ipa-ldap-updater --upgrade

Also note that the performance improvements require an extended set of indexes to be configured. An RPM update for an IPA server with an excessive number of users may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks, not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 and later versions is supported. Upgrading from previous versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded; you will have to re-enroll the client or manually upload the keys.


Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.

Detailed Changelog since 3.3.1

Alexander Bokovoy (11):

  • ipa-sam: do not modify objectclass when trust object already created
  • ipa-sam: do not leak LDAPMessage on ipa-sam initialization
  • ipa-sam: report supported enctypes based on Kerberos realm configuration
  • ipaserver/dcerpc.py: populate forest trust information using realmdomains
  • trusts: support subdomains in a forest
  • frontend: report arguments errors with better detail
  • ipaserver/dcerpc: remove use of trust account authentication
  • trust: integrate subdomains support into trust-add
  • ipasam: for subdomains pick up defaults for missing values
  • KDC: implement transition check for trusted domains
  • ipa-kdb: Handle parent-child relationship for subdomains

Ana Krivokapic (5):

  • Add integration tests for forced client re-enrollment
  • Create DS user and group during ipa-restore
  • Add warning when uninstalling active replica
  • Do not crash if DS is down during server uninstall
  • Follow tmpfiles.d packaging guidelines

Jan Cholasta (3):

  • Fix nsslapdPlugin object class after initial replication.
  • Read passwords from stdin when importing PKCS#12 files with pk12util.
  • Allow PKCS#12 files with empty password in install tools.

Martin Kosek (5):

  • Use FQDN when creating MSDCS SRV records
  • Do not set DNS discovery domain in server mode
  • Require new SSSD to pull required AD subdomain fixes
  • Remove faulty DNS memberOf Task
  • Become IPA 3.3.2

Nathaniel McCallum (1):

  • Ensure credentials structure is initialized

Petr Spacek (1):

  • Add timestamps to named debug logs in /var/named/data/named.run

Petr Viktorin (15):

  • Remove __all__ specifications in ipaclient and ipaserver.install
  • Make make-lint compatible with Pylint 1.0
  • test_integration.host: Move transport-related functionality to a new module
  • test_integration: Add OpenSSHTransport, used if paramiko is not available
  • ipatests.test_integration.test_caless: Fix mkdir_recursive call
  • ipatests.beakerlib_plugin: Warn instead of failing when some logs are missing
  • ipatests.order_plugin: Exclude test generators from the order
  • ipatests.beakerlib_plugin: Add argument of generated tests to test captions
  • ipatests.test_cmdline.test_help: Re-raise unexpected exceptions on failure
  • Add tests for installing with empty PKCS#12 password
  • Update translations from Transifex
  • ipa-client-install: Use direct RPC instead of api.Command
  • ipa-client-install: Verify RPC connection with a ping
  • Do not fail upgrade if the global anonymous read ACI is not found
  • ipapython.nsslib: Name arguments to NSPRError

Petr Vobornik (5):

  • Fix RUV search scope in ipa-replica-manage
  • Fix redirection on deletion of last dns record entry
  • Allow edit of ipakrbokasdelegate in Web UI when attrlevelrights are unknown
  • Fix enablement of automount map type selector
  • ipatests.test_integration.host: Add logging to ldap_connect()

Simo Sorce (1):

  • Add Delegation Info to MS-PAC

Sumit Bose (1):

  • CLDAP: do not read IPA domain from hostname

Tomas Babej (3):

  • Use getent admin@domain for nss check in ipa-client-install
  • Do not add trust to AD in case of IPA realm-domain mismatch
  • Warn user about realm-domain mismatch in install scripts