Releases/4.3.1

The FreeIPA team would like to announce FreeIPA v4.3.1 bug fixing release!
It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 24 and rawhide. Builds for Fedora 23 are available in the official COPR repository. Experimental builds for CentOS 7 are available in the official FreeIPA CentOS7 COPR repository
Contents
- 1 Highlights in 4.3.1
- 2 Upgrading
- 3 Feedback
- 4 Detailed Changelog since 4.3.0
- 4.1 Abhijeet Kasurde (1)
- 4.2 Alexander Bokovoy (1)
- 4.3 Christian Heimes (3)
- 4.4 David Kupka (19)
- 4.5 Filip Skola (3)
- 4.6 Fraser Tweedale (1)
- 4.7 Jan Cholasta (13)
- 4.8 Ludwig Krispenz (1)
- 4.9 Lukáš Slebodník (1)
- 4.10 Martin Babinsky (21)
- 4.11 Martin Bašti (36)
- 4.12 Michael Simacek (1)
- 4.13 Milan Kubík (6)
- 4.14 Oleg Fayans (17)
- 4.15 Pavel Vomacka (4)
- 4.16 Petr Viktorin (23)
- 4.17 Petr Voborník (11)
- 4.18 Petr Špaček (15)
- 4.19 Simo Sorce (6)
- 4.20 Stanislav Laznicka (4)
- 4.21 Sumit Bose (1)
- 4.22 Thierry Bordaz (2)
- 4.23 Timo Aaltonen (6)
- 4.24 Tomáš Babej (4)
Highlights in 4.3.1
Enhancements
- FreeIPA Apache instance has an update mod_nss cipher suite to only allow secure ciphers #5589
- Directory Server is configured with "default" cipher suite instead of "+all" #5684
- topology graph user experience was improved. Graph is enlarged to fill all available space. It can be moved and zoomed so that it handles bigger topologies better. #5502, #5649, #5647
- MS-PAC extension was made optional for users #2579, currently without UI #5752
- added option to disable preauth for service principal names. Configurable via ipaconfigstring value "KDC:Disable Default Preauth for SPNs" in server config. #3860
- improved behavior of DNA plugin in complex FreeIPA environments where replicas are not all interconnected so that directory server is able to lookup ranges on other servers once a range is exhausted #4026
- 3des and rc4 enctypes are no longer used on new installations of FreeIPA server #4740
- `ipa-replica-manage clean-dangling-ruv` subcommand was added to help with cases with dandling RUVs, especially the ones related to CA suffix #5411
- deprecated keytab_set extended operation was removed from ipasam module #5495
- an option was added to Web UI to allow to specify GID number in user adder dialog
- improved warning message on uninstallation of replica notifying that admin might be removing the last CA, KRA or DNSSec master #5544
- FreeIPA python packages were made independent on architecture(noarch) #5596
- AD users are now shown as members of IPA groups when external group is added to IPA group #4403
Bug fixes
- fixed bug where `ipa-cacert-manage install` failed on intermediate CA certs #5612
- fixed bug where ipa-server-install didn't stop on error and subsequently reported incorrect root cause #2539
- fixed bug where ipa-ca-install hang on creating a temporary CA admin during replica promotion #5412
- fixed issue with vault-archive command sometimes not working #5538
- fixed regression in Web UI where required indicator '*' was missing on Global Password Policy page, priority field #5553
- fixed regression in reverse zone creation/handling on domain level 0 in ipa-replica-prepare by adding --auto-reverse and --allow-zone-overlap options #5563
- fixed bug where DNS zone overlap check caused failure of ipa-dns-install #5564
- fixed upgrade bug which prevents installation of replicas from masters updated to 4.3.0 #5575
- fixed rare bug in connection handling which can cause a crash of KDC #5577
- fixed regression in updating DNS entries in `ipa-csreplica-manage del` #5583
- fixed not displaying suffixes in IPA servers table in Web UI #5609
- fixed deadlock in directory server between slapi-nis/memberof when a topology segment was added/removed #5637
- fixed issue where ipa-adtrust-install sometimes created incorrect SRV records #5663
Upgrading
Upgrade instructions are available on Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.
Detailed Changelog since 4.3.0
Abhijeet Kasurde (1)
- Fixed login error message box in LoginScreen page
Alexander Bokovoy (1)
- slapi-nis: update configuration to allow external members of IPA groups
Christian Heimes (3)
- Require Dogtag 10.2.6-13 to fix KRA uninstall
- Modernize mod_nss's cipher suites
- Move user/group constants for PKI and DS into ipaplatform
David Kupka (19)
- installer: Propagate option values from components instead of copying them.
- installer: Fix logic of reading option values from cache.
- ipa-dns-install: Do not check for zone overlap when DNS installed.
- ipa-replica-prepare: Add '--auto-reverse' and '--allow-zone-overlap' options
- installer: Change reverse zones question to better reflect reality.
- Fix: Use unattended parameter instead of options.unattended
- CI: Add '2-connected' topology generator.
- CI: Add simple replication test in 2-connected topology.
- CI: Add test for 2-connected topology generator.
- CI: Fix pep8 errors in 2-connected topology generator
- CI: add empty topology test for 2-connected topology generator
- CI: Add double circle topology.
- CI: Add replication test utilizing double-circle topology.
- CI: Add test for double-circle topology generator.
- CI: Make double circle topology python3 compatible
- upgrade: Match whole pre/post command not just basename.
- dsinstance: add start_tracking_certificates method
- httpinstance: add start_tracking_certificates method
- Look up HTTPD_USER's UID and GID during installation.
Filip Skola (3)
- Refactor test_user_plugin, use UserTracker for tests
- Refactor test_replace
- Refactor test_attr
Fraser Tweedale (1)
- Do not decode HTTP reason phrase from Dogtag
Jan Cholasta (13)
- ipalib: assume version 2.0 when skip_version_check is enabled
- ipapython: remove default_encoding_utf8
- ipapython: port p11helper C code to Python
- ipapython: use python-cryptography instead of libcrypto in p11helper
- spec file: package python-ipalib as noarch
- cert renewal: import all external CA certs on IPA CA cert renewal
- replica install: validate DS and HTTP server certificates
- replica promotion: fix AVC denials in remote connection check
- test_ipagetkeytab: fix missing import
- cacert install: fix trust chain validation
- client: stop using /etc/pki/nssdb
- certdb: never use the -r option of certutil
- daemons: remove unused erroneous _ipap11helper import
Ludwig Krispenz (1)
- prevent moving of topology entries out of managed scope by modrdn operations
Lukáš Slebodník (1)
- IPA-SAM: Fix build with samba 4.4
Martin Babinsky (21)
- raise more descriptive Backend connection-related exceptions
- prevent crash of CA-less server upgrade due to absent certmonger
- use FFI call to rpmvercmp function for version comparison
- tests for package version comparison
- fix Py3 incompatible exception instantiation in replica install code
- ipa-csreplica-manage: remove extraneous ldap2 connection
- IPA upgrade: move replication ACIs to the mapping tree entry
- uninstallation: more robust check for master removal from topology
- correctly set LDAP bind related attributes when setting up replication
- disable RA plugins when promoting a replica from CA-less master
- fix standalone installation of externally signed CA on IPA master
- reset ldap.conf to point to newly installer replica after promotion
- always start certmonger during IPA server configuration upgrade
- upgrade: unconditional import of certificate profiles into LDAP
- CI tests: use old schema when testing hostmask-based sudo rules
- use LDAPS during standalone CA/KRA subsystem deployment
- test_cert_plugin: use only first part of the hostname to construct short name
- only search for Kerberos SRV records when autodiscovery was requested
- spec: add conflict with bind-chroot to freeipa-server-dns
- spec: require python-cryptography newer than 0.9
- otptoken-add: improve the robustness of QR code printing
Martin Bašti (36)
- Fix DNS tests: dns-resolve returns warning
- Fix version comparison
- Fix: replace mkdir with chmod
- Allow to used mixed case for sysrestore
- Upgrade: Fix upgrade of NIS Server configuration
- DNSSEC test: fix adding zones with --skip-overlap-check
- DNSSEC CI: add missing ldns-utils dependency
- CI test: fix regression in task.install_kra
- Warn about potential loss of CA, KRA, DNSSEC during uninstall
- Fix: uninstall does not stop named-pkcs11 and ipa-ods-exporter
- Exclude o=ipaca subtree from Retro Changelog (syncrepl)
- Fix DNSSEC test: add glue record
- DNSSEC CI: fix zone delegations
- make lint: use config file and plugin for pylint
- Disable new pylint checks
- Py3: do not use dict.iteritems()
- upgrade: fix config of sidgen and extdom plugins
- trusts: use ipaNTTrustPartner attribute to detect trust entries
- Warn user if trust is broken
- fix upgrade: wait for proper DS socket after DS restart
- Revert "test: Temporarily increase timeout in vault test."
- Pylint: add missing attributes of errors to definitions
- fix permission: Read Replication Agreements
- Make PTR records check optional for IPA installation
- Fix connections to DS during installation
- pylint: supress false positive no-member errors
- CI: allow customized DS install test to work with domain levels
- fix suspicious except statements
- Configure 389ds with "default" cipher suite
- krb5conf: use 'true' instead of 'yes' for forwardable option
- stageuser-activate: Normalize manager value
- Remove redundant parameters from CS.cfg in dogtaginstance
- Fix broken trust warnings
- spec: Add missing dependencies to python*-ipalib package
- SPEC: do not run upgrade when ipa server is not installed
- Fix stageuser-activate - managers test
Michael Simacek (1)
- Fix bytes/string handling in rpc
Milan Kubík (6)
- ipatests: Roll back the forwarder config after a test case
- ipatests: Fix configuration problems in dns tests
- ipatests: Make the A record for hosts in topology conditional
- ipatests: fix the install of external ca
- ipatests: Add missing certificate profile fixture
- ipatests: extend permission plugin test with new expected output
Oleg Fayans (17)
- CI tests: Enabled automatic creation of reverse zone during master installation
- CI tests: Added domain realm as a parameter to master installation in integration tests
- Fixed install_ca and install_kra under domain level 0
- fixed an issue with master installation not creating reverse zone
- Enabled recreation of test directory in apply_common_fixes function
- Updated connect/disconnect replica to work with both domainlevels
- Removed --ip-address option from replica installation
- Removed messing around with resolv.conf
- Integration tests for replica promotion feature
- Enabled setting domain level explicitly in test class
- Removed a constantly failing call to prepare_host
- Made apply_common_fixes call at replica installation independent on domain_level
- Workaround for ticket 5627
- Added copyright info to replica promotion tests
- rewrite a misprocessed teardown_method method as a custom decorator
- Reverted changes in mh fixture causing some tests to fail
- Fixed a bug with prepare_host failing upon existing ipatests folder
Pavel Vomacka (4)
- Add pan and zoom functionality to the topology graph
- Nodes stay fixed after initial animation.
- Add field for group id in user add dialog
- Resize topology graph canvas according to window size
Petr Viktorin (23)
- Use explicit truncating division
- Don't index exceptions directly
- Use print_function future definition wherever print() is used
- Alias "unicode" to "str" under Python 3
- Avoid builtins that were removed in Python 3
- dnsutil: Rename __nonzero__ to __bool__
- Remove deprecated contrib/RHEL4
- make-lint: Allow running pylint --py3k to detect Python3 issues
- Split ipa-client/ into ipaclient/ (Python library) and client/ (C, scripts)
- test_parameters: Ignore specific error message
- ipaldap, ldapupdate: Encoding fixes for Python 3
- ipautil.run, kernel_keyring: Encoding fixes for Python 3
- tests: Use absolute imports
- ipautil: Use mode 'w+' in write_tmp_file
- test_util: str/bytes check fixes for Python 3
- p11helper: Port to Python 3
- cli: Don't encode/decode for stdin/stdout on Python 3
- Package python3-ipaclient
- migration.py: Remove stray get_ipa_basedn import
- Move get_ipa_basedn from ipautil to ipadiscovery
- ipadiscovery: Decode to unicode in ipacheckldap(), get_ipa_basedn()
- ipapython.sysrestore: Use str methods instead of functions from the string module
- ipalib.x809: Accept bytes for make_pem
Petr Voborník (11)
- webui: add examples to network address validator error message
- webui: pwpolicy cospriority field was marked as required
- spec: do not require arch specific ipalib package from noarch packages
- webui: dislay server suffixes in server search page
- stop installer when setup-ds.pl fail
- webui: remove moot error from webui build
- webui: use API call ca_is_enabled instead of enable_ra env variable.
- advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins
- cookie parser: do not fail on cookie with empty value
- fix incorrect name of ipa-winsync-migrate command in help
- Become IPA 4.3.1
Petr Špaček (15)
- DNSSEC: Improve error reporting from ipa-ods-exporter
- DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
- DNSSEC: Make sure that current key state in LDAP matches key state in BIND
- DNSSEC: remove obsolete TODO note
- DNSSEC: add debug mode to ldapkeydb.py
- DNSSEC: logging improvements in ipa-ods-exporter
- DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
- DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
- DNSSEC: ipa-ods-exporter: add ldap-cleanup command
- DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
- DNSSEC: Log debug messages at log level DEBUG
- Fix --auto-reverse option in --unattended mode.
- Fix dns_is_enabled() API command to throw exceptions as appropriate
- Fix DNS zone overlap check to allow ipa-replica-install to work
- Fix ipa-adtrust-install to always generate SRV records with FQDNs
Simo Sorce (6)
- Use only AES enctypes by default
- Always verify we have a valid ldap context.
- Improve keytab code to select the right principal.
- Convert ipa-sam to use the new getkeytab control
- Allow admins to disable preauth for SPNs.
- Allow to specify Kerberos authz data type per user
Stanislav Laznicka (4)
- Listing and cleaning RUV extended for CA suffix
- Automatically detect and remove dangling RUVs
- Cosmetic changes to the code
- Fixes minor issues
Sumit Bose (1)
- ipa-kdb: map_groups() consider all results
Thierry Bordaz (2)
- configure DNA plugin shared config entries to allow connection with GSSAPI
- DS deadlock when memberof scopes topology plugin updates
Timo Aaltonen (6)
- Use HTTPD_USER in dogtaginstance.py
- Move freeipa certmonger helpers to libexecdir.
- ipa_restore: Import only FQDN from ipalib.constants
- ipaplatform: Move remaining user/group constants to ipaplatform.constants.
- Use ODS_USER/ODS_GROUP in opendnssec_conf.template
- Fix kdc.conf.template to use ipaplatform.paths.
Tomáš Babej (4)
- py3: Remove py3 incompatible exception handling
- ipa-adtrust-install: Allow dash in the NETBIOS name
- spec: Bump required sssd version to 1.13.3-5
- adtrustinstance: Make sure smb.conf exists