Release date: 2016-09-01

The FreeIPA team would like to announce the FreeIPA v4.4.1 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 24 will be available in the official COPR repository.

Highlights in 4.4.1


  • The Kerberos KDC now takes Authentication Indicators into account when issuing service tickets. This makes it possible, for example, to require two-factor-authenticated Kerberos credentials before a ticket for a VPN service is issued.
  • The FreeIPA Certificate Authority can now create subordinate CAs that issue certificates with a specific scope.
  • The Web UI and API endpoints can now be configured for login with client certificates and smart cards. Additional configuration details are described in the External Authentication design page.
  • The Web UI now recommends redundancy in the Certificate Authority topology.
  • Custom FreeIPA plugins can now be built without modifying core FreeIPA code.
  • When establishing a trust to an Active Directory forest, FreeIPA can now automatically resolve DNS namespace conflicts with another Active Directory forest.

Known Issues

  • Interactive CLI input for dnsrecord-* commands does not work properly for multipart records (#6203).
  • ipa-ca-install fails on replica when master is CA-less (#6226).
  • Lightweight sub-CA certs are not tracked by certmonger after `ipa-replica-install` (#6019).
  • Certificate revocation in service-del and host-del isn't aware of Sub CAs and causes the command to fail when a Sub CA cert is used (#6221).

Bug fixes

FreeIPA 4.4.1 is a stabilization release for the features delivered as part of 4.4.0. It contains more than 140 bug fixes; their details can be seen in the list of resolved tickets below.


Upgrade instructions are available on the Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

Resolved tickets

  • #3864 Adjust Kerberos Principal Aliases implementation
  • #4291 CA not start during ipa server install in pure IPv6 env
  • #433 [RFE] TGS authorization decisions in KDC based on Authentication Indicator
  • #4559 [RFE] Support lightweight sub-CAs
  • #4710 ipa-server-install: Cannot handle double hyphen "--" in hostname
  • #4831 ipa-client-install should check if fedora-domainname.service is available before calling it
  • #4970 Server certificate profile should always include a Subject Alternate name for the host
  • #5281 3 unnecessary search operations for each user in user-find
  • #5696 Add conflicts with bind-chroot to spec.
  • #5738 Tree-root domains in a trusted AD forest aren't marked as reachable via the forest root
  • #5750 Stop using sys.exit() from modules
  • #5764 [RFE] Web UI: allow Smart Card authentication
  • #5828 [RFE] [webui] warn admin if there is only one IPA server with CA
  • #5864 [RFE] Create a plugins directory that users can use to place custom FreeIPA modifications
  • #5881 URI details missing and OCSP-URI details are incorrectly displayed when certificate generated using IPA on RHEL 7.2up2
  • #5932 IPA Error 911: RefererError has verbatim 'br/' in the message
  • #5934 Move "ipa" command to freeipa-client package
  • #5956 ocsp responder url should always contain ipa-ca hostname instead of master hostnames.
  • #5976 replica-promotion: it is possible to set invalid IPA domain
  • #5984 CLI is not using session cookies for communication with IPA API
  • #6002 Default CA can be used without an ACL
  • #6012 Multiple issues while uninstalling ipa-server
  • #6013 ipa-cacert-manage --help and man differ
  • #6015 IPA server uninstall doesn't remove Custodia keys
  • #6016 ipa-ca-install on replica tries to connect to master:8443
  • #6020 Server uninstall does not stop tracking lightweight sub-CA with certmonger
  • #6021 External trust with root domain is transitive
  • #6022 cert-show command does not display Subject Alternative Names
  • #6024 'test_user_plugin' and UserTracker do not handle test cases renaming users
  • #6026 ipa commands not showing expected error messages
  • #6027 ipa-nis-manage config.get_dn missing
  • #6028 Renaming a user removes all of his principal aliases
  • #6030 Heap corruption in ipapwd plugin
  • #6032 ipa-server-certinstall couldn't unlock private key file
  • #6033 ipa-compat-manage command failed, exception: NotImplementedError: config.get_dn()
  • #6034 ipa migrate-ds command fails for IPA in RHEL 7.3
  • #6035 ipa unknown command vault-add
  • #6036 'kinit -E' does not work for IPA user
  • #6037 Traceback on adding default automember group and hostgroup set
  • #6043 host-find should not print SSH keys by default, only SSH fingerprints
  • #6044 ipa-advise: object of type 'type' has no len()
  • #6046 ipa-replica-install suggests about non-existent --force-ntpd option
  • #6047 Commands vault-* cause internal error (KeyError: 'ipavaultsalt')
  • #6048 performance regression in CLI help
  • #6050 The host add dialog is not properly closed when the 4304 error occurred
  • #6052 Delete action in user details facet has specific name
  • #6053 Menu items have different names
  • #6054 Some facet doesn't have breadcrumb any more
  • #6055 Full name is not displayed when adding an user into User Group
  • #6056 custodia.conf and server.keys files are world-readable.
  • #6058 ipa-replica-manage man page example output differs from actual command output
  • #6059 ipa trust-add with raw option gives internal error.
  • #6060 host-del updatedns options complains about missing ptr record for host
  • #6061 ipa trustconfig-show throws internal error.
  • #6062 DNS forwarder check is too strict: unable to add sub-domain to already-broken domain
  • #6064 Create tests for the new certificates WebUI
  • #6069 Fix the help for ipa otp and other topics
  • #6071 ipa-server-install fails in container because of hostnamectl set-hostname
  • #6072 traceback message seen in ipaserver-uninstall.log file.
  • #6076 Multiple domain Active Directory Trust conflict
  • #6078 "ipa radiusproxy-add" command needs to prompt to enter secret key
  • #6081 ipa otptoken-add --type=totp gives internal error
  • #6082 com.redhat.idm.trust-fetch-domains helper crashes due to bad API initialization
  • #6083 Replica install fails with old IPA master
  • #6085 Minor errors in comments
  • #6086 CA replica install logs to wrong log file
  • #6089 Vault commands are available in CLI even when the server does not support them
  • #6093 [Tests] External trust
  • #6094 [Tests] Support of UPN for trusted domains
  • #6095 ipa command stuck forever on higher versioned client with lower versioned server
  • #6097 Incorrect instantiation of MidairCollision exception in the framework
  • #6098 cert-find is slow when there is a lot of certificates
  • #6099 Validation of kerberos enterprise principal alias fails if the trusted domain entry doesn't have ipantadditionalsuffixes attribute
  • #6100 on large deployment user-add in 4.4 is much slower than in 4.2
  • #6101 Migrating users doesn't update krbCanonicalName
  • #6111 AVC on dirsrv config caused by IPA installer
  • #6116 Increase length of passwords generated by installer
  • #6117 ipa-server-install command fails to install IPA server.
  • #6120 ipa-adtrust-install: when running with --netbios-name="", the NetBIOS name is changed without notification
  • #6129 ipa-client-install join fail with traceback against RHEL-6.8 ipa-server
  • #6130 ipa-replica-install --domain=<IPA primary domain> option does not work
  • #6134 Command "ipa-replica-prepare" not allowed to create line replication topology
  • #6138 UPN-based search for AD users does not match an entry in slapi-nis map cache
  • #6142 Provide test implementation kerberos principal alias RFEs
  • #6146 caacl: error when instantiating rules with service principals
  • #6149 Tests: authentication indicator tests fail after removal of has_keytab attribute from results of update command
  • #6150 `cert-find` crashes on invalid certificate data
  • #6151 cert-find should also show CA of the certificates
  • #6154 ipa vault-mod no longer allows defining salt
  • #6157 ipa hbactest produces error about cannot concatenate 'str' and 'bool' objects
  • #6158 SYSTEMD_SYSTEM_HTTPD_D_DIR points to wrong directory
  • #6159 ipa vault container owner cannot add vault
  • #6160 ipa vault-retrieve internal error when using the wrong public key
  • #6161 Add jslint into Makefile
  • #6164 ipa-replica-install --help usage line suggests the replica file is needed
  • #6165 ipa-backup is not keeping the /etc/tmpfiles.d/dirsrv-<instance>.conf
  • #6166 Subsequent external CA installation fails
  • #6167 Incorrect domainlevel info in tests
  • #6168 Middle replica uninstallation in line topology works without '--ignore-topology-disconnect'
  • #6171 caacl-add-service: incorrect error message when service does not exist
  • #6173 FreeIPA cannot be built on Fedora 25
  • #6174 ipa otptoken-add bytes object has no attribute confirm
  • #6175 Topology graph: ca and domain adders show question marks instead of plus icon
  • #6177 ca-less tests are broken - invalid usage of ipautil.run
  • #6182 Incomplete output returned for command ipa vault-add
  • #6185 Fix messages tests in ipa.test_ipalib
  • #6186 Fix registry test ipa.test_ipalib.test_plugable.test_Registry
  • #6187 Regression found by test: ipa.test_ipalib.test_parameters.test_create_param
  • #6188 Regressions found by test_frontend: ipa.test_ipalib.test_frontend
  • #6189 Regression found by test: ipa.test_ipalib.test_output.test_Output.test_repr
  • #6191 Regressions found by: ipa.test_ipalib.test_plugable
  • #6192 Regression found by test: ipa.test_ipalib.test_rpc.test_xmlclient.test_forward
  • #6194 Regression found by test: ipa.test_ipaserver.test_ldap.test_ldap.test_Backend
  • #6197 Broken test ipa.test_xmlrpc.test_kerberos_principal_aliases.TestKerberosAliasExceptions.test_enterprise_principal_overlap_with_AD_realm
  • #6198 Regression found by test: ipa.test_xmlrpc.test_old_permission_plugin.test_old_permission
  • #6199 Received ACIError instead of DuplicatedError in stageuser_tests
  • #6200 ipa otptoken-add with empty `key` cause internal error
  • #6204 thin client ignores locale change
  • #6205 The ipa-server-upgrade command failed when named-pkcs11 does not happen to run during dnf upgrade
  • #6206 Upgrade leaves BIND running even if it was not running before the upgrade
  • #6207 ipa-ca-install fails on replica when IPA server is converted from CA-less to CA-full
  • #6213 Incorrect test for DNSForwardPolicyConflictWithEmptyZone warning in test_xmlrpc/test_dns_plugin
  • #6215 Missing or malformed docstrings in ipalib/messages.py
  • #6217 Server assumes latest version of command instead of version 1 for old / 3rd party clients
  • #6224 Failing tests in test_ipalib.test_parameters
  • #6232 Insufficient privileges check in certificate revocation (CVE-2016-5404)
  • #6233 man page for ipa-replica-manage has a typo in -c flag
  • #6234 improve error message in ipa migrate-ds: mention ipa config-mod --enable-migration=TRUE
  • #6235 AD Global Catalog port is missing from the list of ports required for AD trusts
  • #6236 config-mod --usersearch does not accept attribute names with uppercase characters
  • #6240 Tests: Host and service trackers don't recognize 'ipakrboktoauthasdelegate' attribute
  • #6241 Tests: ID views tests don't recognize 'ipakrboktoauthasdelegate' attribute
  • #6242 Tests: ID views tests don't recognize 'krbcanonicalname' attribute
  • #6244 build: add python-libsss_nss_idmap and python-sss to BuildRequires
  • #6246 Duplicate declaration of variables in ipatests/test_xmlrpc/test_idviews_plugin
  • #6247 ipa otptoken-add --type=hotp --key creates wrong OTP
  • #6248 ipa server-del fails with Python stack trace
  • #6251 Require httpd >= 2.4.6-31
  • #6254 kinit_admin raises an exception if server uninstallation is called from test teardown with server not installed
  • #6255 Hostname backup fails if there is no temporary ipatests folder during execution
  • #6258 Tests: invalid test case for adding bad certificate to a service
  • #6259 --ignore-last-of-role has no effect
  • #6265 test catches 2 non-merged one-way segments instead of one merged
  • #6269 cert-find --all does not show information about revocation
  • #6276 Tests: test_xmlrpc/test_trust_plugin tests fail due to missing attributes
  • #6277 When establishing external two-way trust, forest root Administrator account is used to fetch domain info
  • #6284 Tests: avoid skipping tests because of missing files when running as outoftree
  • #3103 GSSAPI error causes failures for child domain user logins across IPA - AD trust

Detailed changelog since 4.4.0

Abhijeet Kasurde (4)

  • Minor fix in ipa-replica-manage MAN page
  • Corrected minor spell check in AD Trust information doc messages
  • Removed unwanted line break from RefererError Dialog message
  • Handled empty hostname in server-del command

Alexander Bokovoy (9)

  • service: add flag to allow S4U2Self
  • support schema files from third-party plugins
  • ipaserver/dcerpc: reformat to make the code closer to pep8
  • trust: automatically resolve DNS trust conflicts for triangle trusts
  • trust: make sure external trust topology is correctly rendered
  • trust: make sure ID range is created for the child domain even if it exists
  • ipa-kdb: simplify trusted domain parent search
  • support multiple uid values in schema compatibility tree
  • freeipa.spec.in: move ipa CLI utility to freeipa-client

Ben Lipton (3)

  • Fix several small typos
  • Use existing HostKey config to test sshd
  • Silence sshd messages during install

Christian Heimes (5)

  • Correct path to HTTPD's systemd service directory
  • RedHatCAService should wait for local Dogtag instance
  • Remove Custodia server keys from LDAP
  • Secure permissions of Custodia server.keys
  • Require httpd 2.4.6-31 with mod_proxy Unix socket support

David Kupka (21)

  • schema: Fix subtopic -> topic mapping
  • help: Add dnsserver commands to help topic 'dns'
  • vault: Catch correct exception in decrypt
  • schema: Speed up schema cache
  • frontend: Change doc, summary, topic and NO_CLI to class properties
  • schema: Introduce schema cache format
  • schema: Generate bits for help load them on request
  • help: Do not create instances to get information about commands and topics
  • compat: Save server's API version for pre-schema servers
  • schema cache: Do not reset ServerInfo dirty flag
  • schema cache: Do not read fingerprint and format from cache
  • Access data for help separately
  • frontend: Add summary class property to CommandOverride
  • schema cache: Read server info only once
  • schema cache: Store API schema cache in memory
  • client: Do not create instance just to check isinstance
  • schema cache: Read schema instead of rewriting it when SchemaUpToDate
  • schema check: Check current client language against cached one
  • compat: Fix ping command call
  • schema cache: Fallback to 'en_us' when locale is not available
  • otptoken, permission: Convert custom type parameters on server

Florence Blanc-Renaud (4)

  • Show full error message for selinuxusermap-add-hostgroup
  • server uninstall fails to remove krb principals
  • Fix session cookies
  • Fix ipa hbactest output

Fraser Tweedale (11)

  • uninstall: untrack lightweight CA certs
  • caacl: expand plugin documentation
  • spec: require Dogtag >= 10.3.3-3
  • Create server and host certs with DNS altname
  • caacl: fix regression in rule instantiation
  • cert-revoke: fix permission check bypass (CVE-2016-5404)
  • Move GeneralName parsing code to ipalib.x509
  • x509: fix SAN directoryName parsing
  • x509: use NSS enums and OIDs to identify SAN types
  • x509: include otherName DER value in GeneralNameInfo
  • cert-show: show subject alternative names

Ganna Kaihorodova (2)

  • Fix conflict between "got" and "expected" values
  • Fix for integration tests replication layouts

Jan Cholasta (19)

  • frontend: copy command arguments to output params on client
  • Revert "Enable vault-* commands on client"
  • client: fix hiding of commands which lack server support
  • compat: fix ping call
  • install: fix external CA cert validation
  • vault: add missing salt option to vault_mod
  • Revert "spec: add conflict with bind-chroot to freeipa-server-dns"
  • parameters: move the `confirm` kwarg to Param
  • client: add missing output params to client-side commands
  • cert: speed up cert-find
  • cert: do not crash on invalid data in cert-find
  • server install: do not prompt for cert file PIN repeatedly
  • tests: fix test_ipalib.test_frontend.test_Object
  • custodia: include known CA certs in the PKCS#12 file for Dogtag
  • cert: add missing param values to cert-find output
  • cert: include CA name in cert command output
  • rpcserver: assume version 1 for unversioned command calls
  • custodia: force reconnect before retrieving CA certs from LDAP
  • rpcserver: fix crash in XML-RPC system commands

Lenka Doudova (26)

  • Tests: Tracker class for services
  • Tests: Authentication indicators xmlrpc tests
  • Tests: Authentication indicators integration tests
  • Tests: External trust
  • Tests: Support of UPN for trusted domains
  • Tests: Improve handling of rename operation by user tracker
  • Tests: IPA user can kinit using enterprise principal with IPA domain
  • Tests: Removing manipulation with /etc/hosts file from integration tests
  • Tests: Remove has_keytab from list of expected keys of update command
  • Tests: Add data attribute to messages
  • Tests: test_ipalib/test_output fails due to change of Output behaviour
  • Fix malformed or missing docstrings in ipalib/messages
  • Tests: Fix failing tests in test_ipalib/test_parameters
  • Tests: Fix failing tests in test_ipalib/test_frontend
  • Tests: ID views tests do not recognize ipakrboktoauthasdelegate attribute
  • Tests: Duplicate declaration on variables in ID views tests
  • Tests: ID views tests do not recognize krbcanonicalname attribute
  • Tests: Host tracker does not recognize 'ipakrboktoauthasdelegate' attribute
  • Tests: Service tracker and tests don't recognize 'ipakrboktoauthasdelegate' attribute
  • Tests: Failing test_ipalib/test_rpc
  • Tests: Failing test_ipaserver/test_ldap test
  • Tests: Failing tests in test_ipalib/test_plugable
  • Raise error when running ipa-adtrust-install with empty netbios-name
  • Tests: Random issuer certificate can be added to a service
  • Tests: Add missing attributes to test_xmlrpc/test_trust tests
  • Tests: Avoid skipping tests due to missing files

Lukáš Slebodník (4)

  • ipa_pwd_extop: Fix warning declaration shadows previous local
  • ipa-pwd-extop: Fix warning assignment discards ‘const’ qualifier from pointer
  • ipa-kdb: Allow to build with samba 4.5
  • ipa-kdb: Fix unit test after packaging changes in krb5

Martin Babinsky (20)

  • Fix incorrect check for principal type when evaluating CA ACLs
  • ipa-nis-manage: Use server API to retrieve plugin status
  • ipa-compat-manage: use server API to retrieve plugin status
  • ipa-advise: correct handling of plugin namespace iteration
  • vault-add: set the default vault type on the client side if none was given
  • Preserve user principal aliases during rename operation
  • messages: specify message type for ResultFormattingError
  • DNS install: Ensure that DNS servers container exists
  • Use server API in com.redhat.idm.trust-fetch-domains oddjob helper
  • allow 'value' output param in commands without primary key
  • allow multiple dashes in the components of server hostname
  • expose `--secret` option in radiusproxy-* commands
  • prevent search for RADIUS proxy servers by secret
  • trust-add: handle `--all/--raw` options properly
  • baseldap: Fix MidairCollision instantiation during entry modification
  • Create indexes for krbCanonicalName attribute
  • harden the check for trust namespace overlap in new principals
  • re-set canonical principal name on migrated users
  • add python-libsss_nss_idmap and python-sss to BuildRequires
  • do not use trusted forest name to construct domain admin principal

Martin Bašti (18)

  • Enable vault-* commands on client
  • host-find: do not show SSH key by default
  • CI: DNS locations
  • Host-del: fix behavior of --updatedns and PTR records
  • DNS Locations: fix update-system-records unpacking error
  • Use copy when replacing files to keep SELinux context
  • CI tests: improve log collecting
  • CI tests: fix SSSD log collecting
  • idrange: fix unassigned global variable
  • Do not initialize API in ipa-client-automount uninstall
  • Increase default length of auto generated passwords
  • ipa-backup: backup /etc/tmpfiles.d/dirsrv-<instance>.conf
  • Fix: container owner should be able to add vault
  • Remove forgotten print from DN.__str__ implementation
  • Raise DuplicatedEnrty error when user exists in delete_container
  • Update translations
  • Print to debug output answer from CA
  • Revert "Enable LDAPS in replica promotion"

Milan Kubík (12)

  • ipatests: Tracker implementation for Sub CA feature
  • ipatests: Extend CAACL suite to cover Sub CA members
  • ipatests: Test Sub CA with CAACL and certificate profile
  • ipatests: remove ipacertbase option from test CSR configuration
  • ipatests: Add tracker class for kerberos principal aliases
  • ipatests: Extend the MockLDAP utility class
  • ipatests: Provide a context manager for mocking a trust in RPC tests
  • ipatests: Move trust mock helper functions to a separate module
  • ipapython: Extend kinit_password to support principal canonicalization
  • ipatests: Allow change_principal context manager to use canonicalization
  • ipatests: Add kerberos principal alias tests
  • ipatests: Fix wrong fixture in kerberos principal alias test

Oleg Fayans (7)

  • Test for incorrect client domain
  • Fixed import error
  • Fixed incorrect return code assert
  • Fixed incorrect domainlevel determination in tests
  • Fixed incorrect sequence of method calls in tasks.py
  • Added a sleep interval after domainlevel raise in tests
  • Disabled raiseonerr in kinit call during topology level check

Pavel Vomacka (12)

  • Close host adder dialog before showing 4304 dialog
  • Remove navigation using breadcrumb menus
  • Fix test_navigation tests
  • Fix test which checks removing of user
  • Set default delete action name to 'delete'
  • Remove full name from adding user to user group dialog
  • Add function which check whether the field is empty
  • Add jslint into Makefile
  • Fix unicode characters in ca and domain adders
  • Add warning about only one existing CA server
  • Set servers list as default facet in topology facet group
  • Add 'trusted to auth as user' checkbox

Peter Lacko (1)

  • Test URIs in certificate.

Petr Voborník (2)

  • unite log file name of ipa-ca-install
  • ca-less tests: fix getting cert in pem format from nssdb

Petr Špaček (15)

  • client-install: log exceptions from certmonger.request_cert
  • replica-install: Fix --domain
  • Fix ipa-replica-prepare's error message about missing local CA instance
  • client: RPM require initscripts to get *-domainname.service
  • server-install: Fix --hostname option to always override api.env values
  • install: Call hostnamectl set-hostname only if --hostname option is used
  • DNS server upgrade: do not fail when DNS server did not respond
  • server upgrade: do not start BIND if it was not running before the upgrade
  • DNS: allow to add forward zone to already broken sub-domain
  • adtrust-install: Mention AD GC port 3286 in list of required ports.
  • config-mod: normalize attribute names for --usersearch/--groupsearch
  • migrate-ds: Mention --enable-migration in error message about migration mode
  • Fix man page ipa-replica-manage: remove duplicate -c option from --no-lookup
  • Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin
  • Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin

Simo Sorce (4)

  • Simplify date manipulation in pwd plugin
  • Regenerate asn1 code
  • Additional coverity fixes.
  • Fix CA ACL Check on SubjectAltNames

Stanislav Laznicka (7)

  • Removed unused method parameter from migrate-ds
  • Improvements for the ipa-cacert-manage man and help
  • Removed objectclass from LDAP*ReverseMember based tests
  • Don't show --force-ntpd option in replica install
  • Remove sys.exit from install modules and scripts
  • Fail on topology disconnect/last role removal
  • Don't ignore --ignore-last-of-role for last CA

Sumit Bose (1)

  • kdb: check for local realm in enterprise principals

Thierry Bordaz (2)

  • Heap corruption in ipapwd plugin
  • ipa-pwd-extop memory leak during password update

Tiboris (1)

  • Added new authentication method

Tomas Krizek (5)

  • Update ipa-replica-install documentation
  • Fix ipa-caalc-add-service error message
  • Validate key in otptoken-add
  • Fix ipa-server-install in pure IPv6 environment
  • Enable LDAPS in replica promotion

gkaihoro (1)

  • Test for caacl-add-service

tester (4)

  • Add possibility to choose parent element by css
  • TEST: managing user certificates
  • TEST: managing host certificates
  • TEST: managing service certificates