Jump to: navigation, search


Release date Released 2013-11-01

The FreeIPA team is proud to announce FreeIPA v3.3.3!

It can be downloaded from http://www.freeipa.org/page/Downloads. Fedora 19 and Fedora 20 builds are already on their way to updates-testing repo.

Highlights in 3.3.3


  • New ipa-advise plugins for configuring legacy clients via nss-pam-ldapd
  • New ipa-advise plugins for configuring legacy clients via nss_ldap
  • FreeIPA server can now co-exist with mod_ssl serving other non-443 ports

Bug fixes

  • ipa-replica-install no longer crashes when being installed with a CA support
  • winsync reinitialization no longer prints error
  • Samba configuration added by ipa-adtrust-install is now properly removed
  • Administrative password changes (e.g. by Directory Manager) now respect maximum password life as defined in password policy
  • nsds5ReplicaStripAttrs is now properly set on replication agreements, avoiding potential replication issues
  • ... and numerous other small fixes

Test improvements

  • New integration test for external CA installation
  • New integration tests for AD Trust legacy clients feature
  • Numerous small fixes in test framework and beaker integration

Deprecated functionality

  • DNS can no longer be configured with --no-serial-autoincrement option. Serial autoincrement is a requirement for several DNS main features, including zone transfers and future DNSSEC support
  • LanMan hash is no longer supported or generated. LanMan hash has several security weaknesses allowing attacker to crack it in a reasonable time. As such, the LanMan hash was already not allowed in a default configuration and had to be explicitly enabled.


An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.

Upgrading old FreeIPA servers with CA
Upgrades of FreeIPA servers with CA installed prior to 3.1 requires manual migration procedure

Please note that if you are doing the upgrade in special environment (e.g. FedUp) which does not allow running the LDAP server during upgrade process, upgrade scripts need to be run manually after the first boot:

  1. ipa-upgradeconfig
  2. ipa-ldap-updater --upgrade

Also note that the performance improvements require an extended set of indexes to be configured. RPM update for an IPA server with a excessive number of users may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks, not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 and later versions is supported. Upgrading from previous versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded, you will have to re-enroll the client or manually upload the keys.


Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

Detailed Changelog since 3.3.2

Ana Krivokapic (4):

  • Add ipa-advise plugins for nss-pam-ldapd legacy clients
  • Do not roll back failed client installation on server
  • Make sure nsds5ReplicaStripAttrs is set on agreements
  • Add test for external CA installation

Jakub Hrozek (1):

  • trusts: combine filters with AND to make sure only the intended domain matches

Jan Cholasta (1):

  • Track DS certificate with certmonger on replicas.

Martin Kosek (14):

  • Do not allow '%' in DM password
  • Remove --no-serial-autoincrement
  • PKI installation on replica failing due to missing proxy conf
  • Use consistent realm name in cainstance and dsinstance
  • Winsync re-initialize should not run memberOf fixup task
  • Installer should always wait until CA starts up
  • Administrative password change does not respect password policy
  • Do not add kadmin/changepw ACIs on new installs
  • Make set_directive and get_directive more strict
  • Remove mod_ssl conflict
  • Add nsswitch.conf to FILES section of ipa-client-install man page
  • Remove ipa-pwd-extop and ipa-enrollment duplicate error strings
  • Remove deprecated AllowLMhash config
  • Become IPA 3.3.3

Petr Viktorin (6):

  • test_caless.TestCertInstall: Fix 'test_no_ds_password' test case
  • Use new CLI options in certinstall tests
  • test_simple_replication: Fix waiting for replication
  • freeipa.spec: Fix changelog dates
  • Tests: mkdir_recursive: Don't fail when top-level directory doesn't exist
  • beakerlib plugin: Don't try to submit logs if they are missing

Petr Vobornik (1):

  • Fix password expiration notification

Sumit Bose (3):

  • Use the right attribute with ipapwd_entry_checks for MagicRegen
  • Remove AllowLMhash from the allowed IPA config strings
  • Remove generation and handling of LM hashes

Tomas Babej (23):

  • trusts: Do not create ranges for subdomains in case of POSIX trust
  • ipa-upgradeconfig: Remove backed up smb.conf
  • ipa-adtrust-install: Add warning that we will break existing samba configuration
  • adtrustinstance: Properly handle uninstall of AD trust instance
  • adtrustinstance: Move attribute definitions from setup to init method
  • ipatests: Extend the order plugin to properly handle inheritance
  • Get the created range type in case of re-establishing trust
  • ipatests: Add Active Directory support to configuration
  • ipatests: Extend domain object with 'ad' role support and WinHosts
  • ipatests: Extend IntegrationTest with multiple AD domain support
  • ipatests: Create util module for ipatests
  • ipatests: Add WinHost class
  • ipatests: Add AD-integration related tasks
  • ipatests: Add AD integration test case
  • trusts: Fix typo in error message for realm-domain mismatch
  • advice: Add legacy client configuration script using nss-ldap
  • ipatests: Extend clear_sssd_cache to support non-systemd platforms
  • ipatests: Restore SELinux context after restoring files from backup
  • ipatests: Do not use /usr/bin hardcoded paths
  • ipatests: Add support for extra roles referenced by a keyword
  • ipatests: Use command -v instead of which in legacy client advice
  • ipatests: Add integration tests for legacy clients
  • ipatests: test_trust: use domain name instead of realm for user lookups