The FreeIPA team would like to announce the FreeIPA v4.2.4 bug-fix release!
It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 23.
Highlights in 4.2.4
FreeIPA 4.2.4 is a bugfix release to improve the upgrade experience from FreeIPA 4.1 for Fedora 23.
Bug fixes
Fixed issue in installation of server with external CA where second step of installation “forgot” options from previous step which could lead, e.g., to DNS server not being installed. #5556
Fixed issue in ipa-adtrust-install when a dash character was used in NetBIOS name
Fixed issue with migration from an old self-signed IPA (e.g. CentOS 6) and upgrading it to a server with CA. #5611, #5598, #5602, #5595, #5636, #4492, #5506
Fixed issue with bind not starting after update due to wrong file permissions. #5520
Fixed issue in installation of server without CA when certmonger was not running. #5519
Fixed issue in upgrade of NIS maps. #5507
Fixed issue in handling of empty cookies. It prevented users from logging in to the Web UI using forms-based authentication. #5709
Fixed issue with installation of KRA on a replica. #5346
Fixed issue with DNSSEC key purging not being handled properly #5334
Fixed issue in replica installation after update of master from previous version where certificate profiles and CA ACL were not properly added. #5269
Fixed issue in installation of replica with external CA, when multiple certificates with the same nickname were provided. #5117
Fixed issue after upgrade of sidgen and extdom plugins which prevented generation of Security Identifiers (SIDs). As a result, all AD trusts created after the upgrade did not work while advertising that the trust was established correctly. #5665
Fixed issue with starting FreeIPA after upgrade which happened when FreeIPA server was turned off. #5655
Fixed internal error during an upgrade from FreeIPA 4.0 to 4.2 which prevented the upgrade process from upgrading forward zones properly. #5472
Fixed issue with missing “System: Read Replication Agreements” ACI on new replicas. #5631
Fixed issue on the Web UI password reset page where the user was not notified when an invalid password was entered. #5567
Enhancements
ipa-replica-prepare and ipa-replica-install no longer fail if the PTR record is not resolvable. #5686
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.
Detailed Changelog since 4.2.3
Abhijeet Kasurde (2)
Fixed small typo in stage-user documentation
Fixed login error message box in LoginScreen page
Alexander Bokovoy (1)
slapi-nis: update configuration to allow external members of IPA groups
Christian Heimes (1)
Require Dogtag 10.2.6-13 to fix KRA uninstall
David Kupka (5)
ipa-cacert-renew: Fix connection to ldap.
ipa-otptoken-import: Fix connection to ldap.
test: Temporarily increase timeout in vault test.
installer: Propagate option values from components instead of copying them.
installer: Fix logic of reading option values from cache.
Fraser Tweedale (5)
TLS and Dogtag HTTPS request logging improvements
Avoid race condition caused by profile delete and recreate
Do not erroneously reinit NSS in Dogtag interface
Add profiles and default CA ACL on migration
Do not decode HTTP reason phrase from Dogtag
Gabe Alford (2)
Incomplete ports for IPA AD Trust
Check if IPA is configured before attempting a winsync migration
Jan Cholasta (9)
install: fix command line option validation
install: export KRA agent PEM file in ipa-kra-install
cert renewal: make renewal of ipaCert atomic
client install: do not corrupt OpenSSH config with Match sections
ipalib: assume version 2.0 when skip_version_check is enabled
cert renewal: import all external CA certs on IPA CA cert renewal
CA install: explicitly set dogtag_version to 10
replica install: validate DS and HTTP server certificates
certdb: never use the -r option of certutil
Lenka Doudova (2)
Adding descriptive IDs to stageuser tests
Tests: Fix tests for (stage)user plugin
Martin Babinsky (13)
fix error reporting when installer option is supplied with invalid choice
suppress errors arising from adding existing LDAP entries during KRA install
update idrange tests to reflect disabled modification of local ID ranges
disconnect ldap2 backend after adding default CA ACL profiles
do not disconnect when using existing connection to check default CA ACLs
fix error message assertion in negative forced client reenrollment tests
prevent crash of CA-less server upgrade due to absent certmonger
use FFI call to rpmvercmp function for version comparison
fix standalone installation of externally signed CA on IPA master
always start certmonger during IPA server configuration upgrade
upgrade: unconditional import of certificate profiles into LDAP
CI tests: use old schema when testing hostmask-based sudo rules
use LDAPS during standalone CA/KRA subsystem deployment
Martin Bašti (27)
fix caching in get_ipa_config
upgrade: fix migration of old dns forward zones
Fix upgrade of forwardzones when zone is in realmdomains
ipa-getkeytab: do not return error when translations cannot be loaded
KRA: do not stop certmonger during standalone uninstall
ipa-kra-install: allow to install first KRA on replica
Modify error message to install first instance of KRA
Fix version comparison
DNS: fix file permissions
Explicitly call chmod on newly created directories
Fix: replace mkdir with chmod
FIX: ipa_kdb_principals: add missing break statement
Allow to used mixed case for sysrestore
Upgrade: Fix upgrade of NIS Server configuration
Tests: DNS replace 192.0.2.0/24 with 198.18.0.0/15 range
make lint: use config file and plugin for pylint
Disable new pylint checks
upgrade: fix config of sidgen and extdom plugins
trusts: use ipaNTTrustPartner attribute to detect trust entries
Warn user if trust is broken
fix upgrade: wait for proper DS socket after DS restart
Pylint: add missing attributes of errors to definitions
fix permission: Read Replication Agreements
Make PTR records check optional for IPA installation
Fix connections to DS during installation
pylint: supress false positive no-member errors
Fix broken trust warnings
Milan Kubik (1)
Applied tier0 and tier1 marks on unit tests and xmlrpc tests
Milan Kubík (1)
ipatests: Fix missed module import in ipaserver tests
Petr Voborník (3)
advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins
cookie parser: do not fail on cookie with empty value
fix incorrect name of ipa-winsync-migrate command in help
Petr Špaček (12)
Makefile: disable parallel build
DNSSEC: Improve error reporting from ipa-ods-exporter
DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
DNSSEC: Make sure that current key state in LDAP matches key state in BIND
DNSSEC: remove obsolete TODO note
DNSSEC: add debug mode to ldapkeydb.py
DNSSEC: logging improvements in ipa-ods-exporter
DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
DNSSEC: ipa-ods-exporter: add ldap-cleanup command
DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
DNSSEC: Log debug messages at log level DEBUG
Simo Sorce (2)
Return default TL_DATA is krbExtraData is missing
Insure the admin_conn is disconnected on stop
Sumit Bose (4)
ipasam: fix wrong usage of talloc_new()
ipasam: use more restrictive search filter for group lookup
ipasam: fix a use-after-free issue
ipa-kdb: map_groups() consider all results
Tomáš Babej (4)
tests: Fix incorrect uninstall method invocation
tests: Add hostmask detection for sudo rules validating on hostmask
ipa-adtrust-install: Allow dash in the NETBIOS name
spec: Bump required sssd version to 1.13.3-5