

Release date: 2016-03-18

The FreeIPA team would like to announce the FreeIPA v4.2.4 bug-fixing release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 23.

Highlights in 4.2.4

FreeIPA 4.2.4 is a bugfix release that improves the upgrade experience from FreeIPA 4.1 on Fedora 23.

Bug fixes

  • Fixed an issue in the installation of a server with an external CA where the second step of the installation "forgot" options from the previous step, which could lead, e.g., to the DNS server not being installed. #5556
  • Fixed an issue in ipa-adtrust-install when a dash character was used in the NetBIOS name.
  • Fixed issues with migration from an old self-signed IPA (e.g. CentOS 6) and upgrading it to a server with a CA. #5611, #5598, #5602, #5595, #5636, #4492, #5506
  • Fixed an issue with bind not starting after an update due to wrong file permissions. #5520
  • Fixed an issue in the installation of a server without a CA when certmonger was not running. #5519
  • Fixed an issue in the upgrade of NIS maps. #5507
  • Fixed an issue in the handling of empty cookies. It prevented users from logging in to the Web UI using forms-based authentication. #5709
  • Fixed an issue with the installation of KRA on a replica. #5346
  • Fixed an issue with DNSSEC key purging not being handled properly. #5334
  • Fixed an issue in replica installation after an update of the master from a previous version, where certificate profiles and the CA ACL were not properly added. #5269
  • Fixed an issue in the installation of a replica with an external CA when multiple certificates with the same nickname were provided. #5117
  • Fixed an issue after the upgrade of the sidgen and extdom plugins which prevented the generation of Security Identifiers (SIDs). As a result, all AD trusts created after the upgrade did not work, while being advertised as established correctly. #5665
  • Fixed an issue with starting FreeIPA after an upgrade, which happened when the FreeIPA server was turned off. #5655
  • Fixed an internal error during an upgrade from FreeIPA 4.0 to 4.2 which prevented the upgrade process from upgrading forward zones properly. #5472
  • Fixed an issue with the missing "System: Read Replication Agreements" ACI on new replicas. #5631
  • Fixed an issue on the Web UI password reset page where the user was not notified when they entered an invalid password. #5567
  • ipa-replica-prepare and ipa-replica-install no longer fail if the PTR record is not resolvable. #5686


Upgrade instructions are available on the Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.

Detailed Changelog since 4.2.3

Abhijeet Kasurde (2)

  • Fixed small typo in stage-user documentation
  • Fixed login error message box in LoginScreen page

Alexander Bokovoy (1)

  • slapi-nis: update configuration to allow external members of IPA groups

Christian Heimes (1)

  • Require Dogtag 10.2.6-13 to fix KRA uninstall

David Kupka (5)

  • ipa-cacert-renew: Fix connection to ldap.
  • ipa-otptoken-import: Fix connection to ldap.
  • test: Temporarily increase timeout in vault test.
  • installer: Propagate option values from components instead of copying them.
  • installer: Fix logic of reading option values from cache.

Fraser Tweedale (5)

  • TLS and Dogtag HTTPS request logging improvements
  • Avoid race condition caused by profile delete and recreate
  • Do not erroneously reinit NSS in Dogtag interface
  • Add profiles and default CA ACL on migration
  • Do not decode HTTP reason phrase from Dogtag

Gabe Alford (2)

  • Incomplete ports for IPA AD Trust
  • Check if IPA is configured before attempting a winsync migration

Jan Cholasta (9)

  • install: fix command line option validation
  • install: export KRA agent PEM file in ipa-kra-install
  • cert renewal: make renewal of ipaCert atomic
  • client install: do not corrupt OpenSSH config with Match sections
  • ipalib: assume version 2.0 when skip_version_check is enabled
  • cert renewal: import all external CA certs on IPA CA cert renewal
  • CA install: explicitly set dogtag_version to 10
  • replica install: validate DS and HTTP server certificates
  • certdb: never use the -r option of certutil

Lenka Doudova (2)

  • Adding descriptive IDs to stageuser tests
  • Tests: Fix tests for (stage)user plugin

Martin Babinsky (13)

  • fix error reporting when installer option is supplied with invalid choice
  • suppress errors arising from adding existing LDAP entries during KRA install
  • update idrange tests to reflect disabled modification of local ID ranges
  • disconnect ldap2 backend after adding default CA ACL profiles
  • do not disconnect when using existing connection to check default CA ACLs
  • fix error message assertion in negative forced client reenrollment tests
  • prevent crash of CA-less server upgrade due to absent certmonger
  • use FFI call to rpmvercmp function for version comparison
  • fix standalone installation of externally signed CA on IPA master
  • always start certmonger during IPA server configuration upgrade
  • upgrade: unconditional import of certificate profiles into LDAP
  • CI tests: use old schema when testing hostmask-based sudo rules
  • use LDAPS during standalone CA/KRA subsystem deployment

Martin Bašti (27)

  • fix caching in get_ipa_config
  • upgrade: fix migration of old dns forward zones
  • Fix upgrade of forwardzones when zone is in realmdomains
  • ipa-getkeytab: do not return error when translations cannot be loaded
  • KRA: do not stop certmonger during standalone uninstall
  • ipa-kra-install: allow to install first KRA on replica
  • Modify error message to install first instance of KRA
  • Fix version comparison
  • DNS: fix file permissions
  • Explicitly call chmod on newly created directories
  • Fix: replace mkdir with chmod
  • FIX: ipa_kdb_principals: add missing break statement
  • Allow to use mixed case for sysrestore
  • Upgrade: Fix upgrade of NIS Server configuration
  • Tests: DNS replace with range
  • make lint: use config file and plugin for pylint
  • Disable new pylint checks
  • upgrade: fix config of sidgen and extdom plugins
  • trusts: use ipaNTTrustPartner attribute to detect trust entries
  • Warn user if trust is broken
  • fix upgrade: wait for proper DS socket after DS restart
  • Pylint: add missing attributes of errors to definitions
  • fix permission: Read Replication Agreements
  • Make PTR records check optional for IPA installation
  • Fix connections to DS during installation
  • pylint: suppress false positive no-member errors
  • Fix broken trust warnings

Milan Kubik (1)

  • Applied tier0 and tier1 marks on unit tests and xmlrpc tests

Milan Kubík (1)

  • ipatests: Fix missed module import in ipaserver tests

Petr Voborník (3)

  • advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins
  • cookie parser: do not fail on cookie with empty value
  • fix incorrect name of ipa-winsync-migrate command in help

Petr Špaček (12)

  • Makefile: disable parallel build
  • DNSSEC: Improve error reporting from ipa-ods-exporter
  • DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
  • DNSSEC: Make sure that current key state in LDAP matches key state in BIND
  • DNSSEC: remove obsolete TODO note
  • DNSSEC: add debug mode to ldapkeydb.py
  • DNSSEC: logging improvements in ipa-ods-exporter
  • DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
  • DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
  • DNSSEC: ipa-ods-exporter: add ldap-cleanup command
  • DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
  • DNSSEC: Log debug messages at log level DEBUG

Simo Sorce (2)

  • Return default TL_DATA if krbExtraData is missing
  • Ensure the admin_conn is disconnected on stop

Sumit Bose (4)

  • ipasam: fix wrong usage of talloc_new()
  • ipasam: use more restrictive search filter for group lookup
  • ipasam: fix a use-after-free issue
  • ipa-kdb: map_groups() consider all results

Tomáš Babej (4)

  • tests: Fix incorrect uninstall method invocation
  • tests: Add hostmask detection for sudo rules validating on hostmask
  • ipa-adtrust-install: Allow dash in the NETBIOS name
  • spec: Bump required sssd version to 1.13.3-5