The FreeIPA team would like to announce FreeIPA v4.2.2 security release!

It can be downloaded from The builds are available for Fedora 23 and rawhide. Builds for Fedora 22 are available in the official COPR repository.

Highlights in 4.2.2#

FreeIPA 4.2.0 introduced Key Archival Agent (KRA) support. This release fixes CVE-2015-5284. The CVE affects IPA servers where ipa-kra-install was run. Read manual instructions if your system was affected.

Bug fixes#

  • CVE-2015-5284: ipa-kra-install included certificate and private key in world readable file.

  • Firefox configuration steps were adjusted to new extension signing policy.

  • ipa-restore does not overwrite files with local users/groups

  • ipa-restore now works with KRA installed

  • Fixed an integer underflow bug in libotp which prevented from syncing TOTP tokens under certain circumstances.

  • winsync-migrate properly handles collisions in the names of external group

  • Fixed regression where installation of CA failed on CA-less server #5288.

  • Vault operations now works on a replica without KRA installed (assuming that at least one replica has KRA installed). #5302


  • Improved performance of search in Web UI’s dialog for adding e.g. users to e.g. sudo rules.

  • Modified vault access control and added commands for managing vault containers. #5250

  • Added support for generating client referrals for trusted domain principals. Note that bug has to be fixed in MIT Kerberos packages to allow client referrals from FreeIPA KDC to be processed.


Upgrade instructions are available on Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list ( or #freeipa channel on Freenode.

Detailed Changelog since 4.2.1#

Abhijeet Kasurde (1)#

  • Updated number of legacy permission in ipatests

Alexander Bokovoy (1)#

  • client referral support for trusted domain principals

Christian Heimes (1)#

  • Handle timeout error in ipa-httpd-kdcproxy

Gabe Alford (4)#

  • Add Chromium configuration note to ssbrowser

  • Standardize minvalue for ipasearchrecordlimit and ipasesarchsizelimit for unlimited minvalue

  • dnssec option missing in ipa-dns-install man page

  • Update FreeIPA package description

Jan Cholasta (16)#

  • config: allow user/host attributes with tagging options

  • baseldap: make subtree deletion optional in LDAPDelete

  • vault: set owner to current user on container creation

  • vault: update access control

  • vault: add permissions and administrator privilege

  • install: support KRA update

  • install: Support overriding knobs in subclasses

  • install: Add common base class for server and replica install

  • install: Move unattended option to the general help section

  • install: create kdcproxy user during server install

  • platform: add option to create home directory when adding user

  • install: fix kdcproxy user home directory

  • install: fix ipa-server-install fail on missing –forwarder

  • install: fix KRA agent PEM file permissions

  • install: always export KRA agent PEM file

  • vault: select a server with KRA for vault operations

Martin Babinsky (5)#

  • load RA backend plugins during standalone CA install on CA-less IPA master

  • destroy httpd ccache after stopping the service

  • ipa-server-install: mark master_password Knob as deprecated

  • re-kinit after ipa-restore in backup/restore CI tests

  • do not overwrite files with local users/groups when restoring authconfig

Martin Bašti (11)#

  • FIX vault tests

  • Server Upgrade: backup CS.cfg when dogtag is turned off

  • IPA Restore: allows to specify files that should be removed

  • DNSSEC: improve CI test

  • DNSSEC CI: test master migration

  • backup CI: test DNS/DNSSEC after backup and restore

  • Limit max age of replication changelog

  • Server Upgrade: addifnew should not create entry

  • CI: backup and restore with KRA

  • Replica inst. fix: do not require -r, -a, -p options in unattended mode

  • Fix import get_reverse_zone_default in tasks

Milan Kubík (4)#

  • ipatests: Add Certprofile tracker class implementation

  • ipatests: Add basic tests for certificate profile plugin

  • ipatests: configure Network Manager not to manage resolv.conf

  • Include ipatests/test_xmlrpc/data directory into distribution.

Nathaniel McCallum (1)#

  • Fix an integer underflow bug in libotp

Oleg Fayans (1)#

  • Added a proper workaround for dnssec test failures in Beaker environment

Petr Voborník (4)#

  • vault: add vault container commands

  • webui: use manual Firefox configuration for Firefox >= 40

  • webui: improve performance of search in association dialog

  • Become IPA 4.2.2

Petr Špaček (1)#

  • Avoid ipa-dnskeysync-replica & ipa-ods-exporter crashes caused by exceeding LDAP limits

Timo Aaltonen (2)#

  • paths: Add GENERATE_RNDC_KEY.

  • httpinstance: Replace a hardcoded path to password.conf with HTTPD_PASSWORD_CONF

Tomáš Babej (4)#

  • winsync: Add inetUser objectclass to the passsync sysaccount

  • ipa-backup: Add mechanism to store empty directory structure

  • winsync-migrate: Convert entity names to posix friendly strings

  • winsync-migrate: Properly handle collisions in the names of external groups