Jump to: navigation, search


Release date Released 2014-01-28

The FreeIPA team is proud to announce FreeIPA v3.3.4!

It can be downloaded from http://www.freeipa.org/page/Downloads. Fedora 19 and Fedora 20 builds are already on their way to updates-testing repo.

Highlights in 3.3.4


  • New Web UI for trusted domain subdomain management
  • trustdomain-find now shows status (enabled/disabled) of trusted domain subdomains
  • group-show command now shows external user's name instead of raw SID
  • FreeIPA is now built with hardening enabled (PIE, RELRO)
  • Added support for kernel keyring CCACHEs

Bug fixes

  • ipa-server-install no longer crashes when freeipa-server-trust-ad package is not installed on the system
  • ipa-replica-manage no longer crashes when winsync agreement is being created
  • CLDAP plugin now correctly handles long hostnames and does not create invalid NetBIOS name
  • FreeIPA now builds on PPC and s390 platforms
  • PKI subsystem certificate renewal no longer crash on FreeIPA replicas
  • hbac-test command works for external users again
  • sudoOrder attribute is now present in ou=sudoers LDAP tree
  • trust-fetch-domains command now creates ID ranges for child domains
  • Trust can be now re-established even when it contains subdomains
  • Default Kerberos password policy reference (krbpwdpolicyreference) is no longer added to new user's entry. The default policy is now rather hard coded in the Kerberos backend to achieve the same behavior for both standard FreeIPA users and winsync users
  • dnsrecord-mod no longer produces API version warning
  • ... and numerous other small fixes

Test improvements

  • Support external names for hosts
  • Various small fixes related to legacy client feature testing

Interface changes

  • trust-resolve command was hidden from CLI as internal, given that group-show command now shows external user's name instead of raw SID


An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.

Upgrading old FreeIPA servers with CA
Upgrades of FreeIPA servers with CA installed prior to 3.1 requires manual migration procedure

Please note that if you are doing the upgrade in special environment (e.g. FedUp) which does not allow running the LDAP server during upgrade process, upgrade scripts need to be run manually after the first boot:

  1. ipa-upgradeconfig
  2. ipa-ldap-updater --upgrade

Also note that the performance improvements require an extended set of indexes to be configured. RPM update for an IPA server with a excessive number of users may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks, not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 and later versions is supported. Upgrading from previous versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded, you will have to re-enroll the client or manually upload the keys.


Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

Detailed Changelog since 3.3.3

Alexander Bokovoy (10)

  • Guard import of adtrustinstance for case without trusts
  • Map NT_STATUS_INVALID_PARAMETER to most likely error cause: clock skew
  • subdomains: Use AD admin credentials when trust is being established
  • trust: fix get_dn() to distinguish creating and re-adding trusts
  • trust-fetch-domains: create ranges for new child domains
  • trustdomain-find: report status of the (sub)domain
  • ipaserver/install/installutils: clean up properly after yield
  • group-show: resolve external members of the groups
  • ipa-adtrust-install: configure host netbios name by default
  • ipasam: delete trusted child domains before removing the trust

Ana Krivokapic (1)

  • Fix regression which prevents creating a winsync agreement

Jan Cholasta (9)

  • Remove mod_ssl port workaround.
  • Use hardening flags for ipa-optd.
  • Own /usr/share/ipa/ui/js/ in the spec file.
  • Prevent garbage from readline on standard output of dogtag-ipa-retrieve-agent.
  • PKI service restart after CA renewal failed
  • Fix ipa-client-automount uninstall when fstore is empty.
  • Do not start the service in stopped_service if it was not running before.
  • Increase service startup timeout default.
  • Fix ntpd config on clients.

Krzysztof Klimonda (1)

  • Fix -Wformat-security warnings

Martin Basti (1)

  • Added warning if cert '/etc/ipa/ca.crt' exists

Martin Kosek (12)

  • Server does not detect different server and IPA domain
  • Allow kernel keyring CCACHE when supported
  • Increase Java stack size on PPC platforms
  • Increase Java stack size on s390 platforms
  • Revert restart scripts file permissions change
  • hbactest does not work for external users
  • sudoOrder missing in sudoers
  • Add missing example to sudorule
  • Remove missing VERSION warning in dnsrecord-mod
  • Hide trust-resolve command
  • ntpconf: remove redundant comment
  • Become IPA 3.3.4

Petr Viktorin (5)

  • Revert "Remove mod_ssl port workaround."
  • test_integration: Support external names for hosts
  • test_integration: Log external hostname in Host.ldap_connect
  • test_webui: Allow False values in configuration for no_ca, no_dns, has_trusts
  • cli.print_attribute: Convert values to strings

Petr Vobornik (4)

  • Fix license in some Web UI files
  • Increase stack size for Web UI builder
  • Remove SID resolve call from Web UI
  • Trust domains Web UI

Rob Crittenden (1)

  • Change the way we determine if the host has a password set.

Simo Sorce (3)

  • Fix license tag in python setup files
  • Harmonize policy discovery to kdb driver
  • Stop adding a default password policy reference

Sumit Bose (3)

  • CLDAP: do not prepend \\
  • CLDAP: generate NetBIOS name like ipa-adtrust-install does
  • CLDAP: add unit tests for make_netbios_name

Tomas Babej (6)

  • trusts: Do not pass base-id to the subdomain ranges
  • trusts: Always stop and disable smb service on uninstall
  • ipa-client-install: Always pass hostname to the ipa-join
  • ipa-cldap: Cut NetBIOS name after 15 characters
  • ipatests: Remove sudo calls from tasks
  • ipatests: Check for legacy_client attribute presence if unapplying fixes