The FreeIPA team would like to announce the FreeIPA v4.4.1 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 24 will be available in the official COPR repository.
Highlights in 4.4.1
Enhancements
The Kerberos KDC now takes Authentication Indicators into account when issuing service tickets. This allows, for example, requiring two-factor-authenticated Kerberos credentials before tickets to a VPN service are issued.
The FreeIPA Certificate Authority can now create subordinate CAs to issue certificates with a specific scope.
The Web UI and API endpoints can now be configured to accept logins with client certificates and smart cards. Additional configuration details are described in the External Authentication design page.
The Web UI now recommends redundancy in the Certificate Authority topology.
Custom FreeIPA plugins can now be built without modifying core FreeIPA code.
When establishing a trust to an Active Directory forest, FreeIPA can now automatically resolve DNS namespace conflicts with another Active Directory forest.
Known Issues
Interactive CLI input for dnsrecord-* commands does not work properly for multipart records (#6203).
ipa-ca-install fails on a replica when the master is CA-less (#6226).
Lightweight sub-CA certs are not tracked by certmonger after `ipa-replica-install` (#6019).
Certificate revocation in service-del and host-del is not aware of Sub CAs and causes the command to fail when a Sub CA cert is used (#6221).
Bug fixes
FreeIPA 4.4.1 is a stabilization release for the features delivered as part of 4.4.0. It contains more than 140 bug fixes; their details can be seen in the list of resolved tickets below.
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bug reports and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.
Resolved tickets
#3864 Adjust Kerberos Principal Aliases implementation
#4291 CA does not start during ipa server install in pure IPv6 env
#433 [RFE] TGS authorization decisions in KDC based on Authentication Indicator
#4559 [RFE] Support lightweight sub-CAs
#4710 ipa-server-install: Cannot handle double hyphen "--" in hostname
#4831 ipa-client-install should check if fedora-domainname.service is available before calling it
#4970 Server certificate profile should always include a Subject Alternate name for the host
#5281 3 unnecessary search operations for each user in user-find
#5696 Add conflicts with bind-chroot to spec.
#5738 Tree-root domains in a trusted AD forest aren’t marked as reachable via the forest root
#5750 Stop using sys.exit() from modules
#5764 [RFE] Web UI: allow Smart Card authentication
#5828 [RFE] [webui] warn admin if there is only one IPA server with CA
#5864 [RFE] Create a plugins directory that users can use to place custom FreeIPA modifications
#5881 URI details missing and OCSP-URI details are incorrectly displayed when certificate generated using IPA on RHEL 7.2up2
#5932 IPA Error 911: RefererError has verbatim ‘br/’ in the message
#5934 Move "ipa" command to freeipa-client package
#5956 OCSP responder URL should always contain ipa-ca hostname instead of master hostnames.
#5976 replica-promotion: it is possible to set invalid IPA domain
#5984 CLI is not using session cookies for communication with IPA API
#6002 Default CA can be used without an ACL
#6012 Multiple issues while uninstalling ipa-server
#6013 ipa-cacert-manage --help and man differ
#6015 IPA server uninstall doesn’t remove Custodia keys
#6016 ipa-ca-install on replica tries to connect to master:8443
#6020 Server uninstall does not stop tracking lightweight sub-CA with certmonger
#6021 External trust with root domain is transitive
#6022 cert-show command does not display Subject Alternative Names
#6024 ‘test_user_plugin’ and UserTracker do not handle test cases renaming users
#6026 ipa commands not showing expected error messages
#6027 ipa-nis-manage config.get_dn missing
#6028 Renaming a user removes all of his principal aliases
#6030 Heap corruption in ipapwd plugin
#6032 ipa-server-certinstall couldn't unlock private key file
#6033 ipa-compat-manage command failed, exception: NotImplementedError: config.get_dn()
#6034 ipa migrate-ds command fails for IPA in RHEL 7.3
#6035 ipa unknown command vault-add
#6036 ‘kinit -E’ does not work for IPA user
#6037 Traceback on adding default automember group and hostgroup set
#6043 host-find should not print SSH keys by default, only SSH fingerprints
#6044 ipa-advise: object of type ‘type’ has no len()
#6046 ipa-replica-install suggests about non-existent --force-ntpd option
#6047 Commands vault-* cause internal error (KeyError: ‘ipavaultsalt’)
#6048 performance regression in CLI help
#6050 The host add dialog is not properly closed when the 4304 error occurred
#6052 Delete action in user details facet has specific name
#6053 Menu items have different names
#6054 Some facet doesn’t have breadcrumb any more
#6055 Full name is not displayed when adding a user into User Group
#6056 custodia.conf and server.keys file is world-readable.
#6058 ipa-replica-manage man page example output differs from actual command output
#6059 ipa trust-add with raw option gives internal error.
#6060 host-del updatedns options complains about missing ptr record for host
#6061 ipa trustconfig-show throws internal error.
#6062 DNS forwarder check is too strict: unable to add sub-domain to already-broken domain
#6064 Create tests for the new certificates WebUI
#6069 Fix the help for ipa otp and other topics
#6071 ipa-server-install fails in container because of hostnamectl set-hostname
#6072 traceback message seen in ipaserver-uninstall.log file.
#6076 Multiple domain Active Directory Trust conflict
#6078 "ipa radiusproxy-add" command needs to prompt to enter secret key
#6081 ipa otptoken-add --type=totp gives internal error
#6082 com.redhat.idm.trust-fetch-domains helper crashes due to bad API initialization
#6083 Replica install fails with old IPA master
#6085 Minor errors in comments
#6086 CA replica install logs to wrong log file
#6089 Vault commands are available in CLI even when the server does not support them
#6093 [Tests] External trust
#6094 [Tests] Support of UPN for trusted domains
#6095 ipa command stuck forever on higher versioned client with lower versioned server
#6097 Incorrect instantiation of MidairCollision exception in the framework
#6098 cert-find is slow when there is a lot of certificates
#6099 Validation of kerberos enterprise principal alias fails if the trusted domain entry doesn’t have ipantadditionalsuffixes attribute
#6100 on large deployment user-add in 4.4 is much slower than in 4.2
#6101 Migrating users doesn’t update krbCanonicalName
#6111 AVC on dirsrv config caused by IPA installer
#6116 Increase length of passwords generated by installer
#6117 ipa-server-install command fails to install IPA server.
#6120 ipa-adtrust-install: when running with --netbios-name="", the NetBIOS name is changed without notification
#6129 ipa-client-install join fails with traceback against RHEL-6.8 ipa-server
#6130 ipa-replica-install --domain= option does not work
#6134 Command "ipa-replica-prepare" not allowed to create line replication topology
#6138 UPN-based search for AD users does not match an entry in slapi-nis map cache
#6142 Provide test implementation kerberos principal alias RFEs
#6146 caacl: error when instantiating rules with service principals
#6149 Tests: authentication indicator tests fail after removal of has_keytab attribute from results of update command
#6150 `cert-find` crashes on invalid certificate data
#6151 cert-find should also show CA of the certificates
#6154 ipa vault-mod no longer allows defining salt
#6157 ipa hbactest produces error about cannot concatenate ‘str’ and ‘bool’ objects
#6158 SYSTEMD_SYSTEM_HTTPD_D_DIR points to wrong directory
#6159 ipa vault container owner cannot add vault
#6160 ipa vault-retrieve internal error when using the wrong public key
#6161 Add jslint into Makefile
#6164 ipa-replica-install --help usage line suggests the replica file is needed
#6165 ipa-backup is not keeping the /etc/tmpfiles.d/dirsrv-.conf
#6166 Subsequent external CA installation fails
#6167 Incorrect domainlevel info in tests
#6168 Middle replica uninstallation in line topology works without '--ignore-topology-disconnect'
#6171 caacl-add-service: incorrect error message when service does not exist
#6173 FreeIPA cannot be built on Fedora 25
#6174 ipa otptoken-add bytes object has no attribute confirm
#6175 Topology graph: ca and domain adders shows question marks instead of plus icon
#6177 ca-less tests are broken - invalid usage of ipautil.run
#6182 Incomplete output returned for command ipa vault-add
#6185 Fix messages tests in ipa.test_ipalib
#6186 Fix registry test ipa.test_ipalib.test_plugable.test_Registry
#6187 Regression found by test: ipa.test_ipalib.test_parameters.test_create_param
#6188 Regressions found by test_frontend: ipa.test_ipalib.test_frontend
#6189 Regression found by test: ipa.test_ipalib.test_output.test_Output.test_repr
#6191 Regressions found by: ipa.test_ipalib.test_plugable
#6192 Regression found by test: ipa.test_ipalib.test_rpc.test_xmlclient.test_forward
#6194 Regression found by test: ipa.test_ipaserver.test_ldap.test_ldap.test_Backend
#6197 Broken test ipa.test_xmlrpc.test_kerberos_principal_aliases.TestKerberosAliasExceptions.test_enterprise_principal_overlap_with_AD_realm
#6198 Regression found by test: ipa.test_xmlrpc.test_old_permission_plugin.test_old_permission
#6199 Received ACIError instead of DuplicatedError in stageuser_tests
#6200 ipa otptoken-add with empty `key` causes internal error
#6204 thin client ignores locale change
#6205 The ipa-server-upgrade command failed when named-pkcs11 does not happen to run during dnf upgrade
#6206 Upgrade leaves BIND running even if it was not running before the upgrade
#6207 ipa-ca-install fails on replica when IPA server is converted from CA-less to CA-full
#6213 Incorrect test for DNSForwardPolicyConflictWithEmptyZone warning in test_xmlrpc/test_dns_plugin
#6215 Missing or malformed docstrings in ipalib/messages.py
#6217 Server assumes latest version of command instead of version 1 for old / 3rd party clients
#6224 Failing tests in test_ipalib.test_parameters
#6232 Insufficient privileges check in certificate revocation (CVE-2016-5404)
#6233 man page for ipa-replica-manage has a typo in -c flag
#6234 improve error message in ipa migrate-ds: mention ipa config-mod --enable-migration=TRUE
#6235 AD Global Catalog port is missing from the list of ports required for AD trusts
#6236 config-mod --usersearch does not accept attribute names with uppercase characters
#6240 Tests: Host and service trackers don’t recognize ‘ipakrboktoauthasdelegate’ attribute
#6241 Tests: ID views tests don’t recognize ‘ipakrboktoauthasdelegate’ attribute
#6242 Tests: ID views tests don’t recognize ‘krbcanonicalname’ attribute
#6244 build: add python-libsss_nss_idmap and python-sss to BuildRequires
#6246 Duplicate declaration of variables in ipatests/test_xmlrpc/test_idviews_plugin
#6247 ipa otptoken-add --type=hotp --key creates wrong OTP
#6248 ipa server-del fails with Python stack trace
#6251 Require httpd >= 2.4.6-31
#6254 kinit_admin raises an exception if server uninstallation is called from test teardown with server not installed
#6255 Hostname backup fails if there is no temporary ipatests folder during execution
#6258 Tests: invalid test case for adding bad certificate to a service
#6259 --ignore-last-of-role has no effect
#6265 test catches 2 non-merged one-way segments instead of one merged
#6269 cert-find --all does not show information about revocation
#6276 Tests: test_xmlrpc/test_trust_plugin tests fail due to missing attributes
#6277 When establishing external two-way trust, forest root Administrator account is used to fetch domain info
#6284 Tests: avoid skipping tests because of missing files when running as outoftree
#3103 GSSAPI error causes failures for child domain user logins across IPA - AD trust
Detailed changelog since 4.4.0
Abhijeet Kasurde (4)
Minor fix in ipa-replica-manage MAN page
Corrected minor spell check in AD Trust information doc messages
Removed unwanted line break from RefererError Dialog message
Handled empty hostname in server-del command
Alexander Bokovoy (9)
service: add flag to allow S4U2Self
support schema files from third-party plugins
ipaserver/dcerpc: reformat to make the code closer to pep8
trust: automatically resolve DNS trust conflicts for triangle trusts
trust: make sure external trust topology is correctly rendered
trust: make sure ID range is created for the child domain even if it exists
ipa-kdb: simplify trusted domain parent search
support multiple uid values in schema compatibility tree
freeipa.spec.in: move ipa CLI utility to freeipa-client
Ben Lipton (3)
Fix several small typos
Use existing HostKey config to test sshd
Silence sshd messages during install
Christian Heimes (5)
Correct path to HTTPD’s systemd service directory
RedHatCAService should wait for local Dogtag instance
Remove Custodia server keys from LDAP
Secure permissions of Custodia server.keys
Require httpd 2.4.6-31 with mod_proxy Unix socket support
David Kupka (21)
schema: Fix subtopic -> topic mapping
help: Add dnsserver commands to help topic ‘dns’
vault: Catch correct exception in decrypt
schema: Speed up schema cache
frontend: Change doc, summary, topic and NO_CLI to class properties
schema: Introduce schema cache format
schema: Generate bits for help load them on request
help: Do not create instances to get information about commands and topics
compat: Save server’s API version for pre-schema servers
schema cache: Do not reset ServerInfo dirty flag
schema cache: Do not read fingerprint and format from cache
Access data for help separately
frontend: Add summary class property to CommandOverride
schema cache: Read server info only once
schema cache: Store API schema cache in memory
client: Do not create instance just to check isinstance
schema cache: Read schema instead of rewriting it when SchemaUpToDate
schema check: Check current client language against cached one
compat: Fix ping command call
schema cache: Fallback to ‘en_us’ when locale is not available
otptoken, permission: Convert custom type parameters on server
Florence Blanc-Renaud (4)
Show full error message for selinuxusermap-add-hostgroup
server uninstall fails to remove krb principals
Fix session cookies
Fix ipa hbactest output
Fraser Tweedale (11)
uninstall: untrack lightweight CA certs
caacl: expand plugin documentation
spec: require Dogtag >= 10.3.3-3
Create server and host certs with DNS altname
caacl: fix regression in rule instantiation
cert-revoke: fix permission check bypass (CVE-2016-5404)
Move GeneralName parsing code to ipalib.x509
x509: fix SAN directoryName parsing
x509: use NSS enums and OIDs to identify SAN types
x509: include otherName DER value in GeneralNameInfo
cert-show: show subject alternative names
Ganna Kaihorodova (2)
Fix conflict between “got” and “expected” values
Fix for integration tests replication layouts
Jan Cholasta (19)
frontend: copy command arguments to output params on client
Revert “Enable vault-* commands on client”
client: fix hiding of commands which lack server support
compat: fix ping call
install: fix external CA cert validation
vault: add missing salt option to vault_mod
Revert “spec: add conflict with bind-chroot to freeipa-server-dns”
parameters: move the `confirm` kwarg to Param
client: add missing output params to client-side commands
cert: speed up cert-find
cert: do not crash on invalid data in cert-find
server install: do not prompt for cert file PIN repeatedly
tests: fix test_ipalib.test_frontend.test_Object
custodia: include known CA certs in the PKCS#12 file for Dogtag
cert: add missing param values to cert-find output
cert: include CA name in cert command output
rpcserver: assume version 1 for unversioned command calls
custodia: force reconnect before retrieving CA certs from LDAP
rpcserver: fix crash in XML-RPC system commands
Lenka Doudova (26)
Tests: Tracker class for services
Tests: Authentication indicators xmlrpc tests
Tests: Authentication indicators integration tests
Tests: External trust
Tests: Support of UPN for trusted domains
Tests: Improve handling of rename operation by user tracker
Tests: IPA user can kinit using enterprise principal with IPA domain
Tests: Removing manipulation with /etc/hosts file from integration tests
Tests: Remove has_keytab from list of expected keys of update command
Tests: Add data attribute to messages
Tests: test_ipalib/test_output fails due to change of Output behaviour
Fix malformed or missing docstrings in ipalib/messages
Tests: Fix failing tests in test_ipalib/test_parameters
Tests: Fix failing tests in test_ipalib/test_frontend
Tests: ID views tests do not recognize ipakrboktoauthasdelegate attribute
Tests: Duplicate declaration on variables in ID views tests
Tests: ID views tests do not recognize krbcanonicalname attribute
Tests: Host tracker does not recognize ‘ipakrboktoauthasdelegate’ attribute
Tests: Service tracker and tests don’t recognize ‘ipakrboktoauthasdelegate’ attribute
Tests: Failing test_ipalib/test_rpc
Tests: Failing test_ipaserver/test_ldap test
Tests: Failing tests in test_ipalib/test_plugable
Raise error when running ipa-adtrust-install with empty netbios-name
Tests: Random issuer certificate can be added to a service
Tests: Add missing attributes to test_xmlrpc/test_trust tests
Tests: Avoid skipping tests due to missing files
Lukáš Slebodník (4)
ipa_pwd_extop: Fix warning declaration shadows previous local
ipa-pwd-extop: Fix warning assignment discards ‘const’ qualifier from pointer
ipa-kdb: Allow to build with samba 4.5
ipa-kdb: Fix unit test after packaging changes in krb5
Martin Babinsky (20)
Fix incorrect check for principal type when evaluating CA ACLs
ipa-nis-manage: Use server API to retrieve plugin status
ipa-compat-manage: use server API to retrieve plugin status
ipa-advise: correct handling of plugin namespace iteration
vault-add: set the default vault type on the client side if none was given
Preserve user principal aliases during rename operation
messages: specify message type for ResultFormattingError
DNS install: Ensure that DNS servers container exists
Use server API in com.redhat.idm.trust-fetch-domains oddjob helper
allow ‘value’ output param in commands without primary key
allow multiple dashes in the components of server hostname
expose `--secret` option in radiusproxy-* commands
prevent search for RADIUS proxy servers by secret
trust-add: handle `--all/--raw` options properly
baseldap: Fix MidairCollision instantiation during entry modification
Create indexes for krbCanonicalName attribute
harden the check for trust namespace overlap in new principals
re-set canonical principal name on migrated users
add python-libsss_nss_idmap and python-sss to BuildRequires
do not use trusted forest name to construct domain admin principal
Martin Bašti (18)
Enable vault-* commands on client
host-find: do not show SSH key by default
CI: DNS locations
Host-del: fix behavior of --updatedns and PTR records
DNS Locations: fix update-system-records unpacking error
Use copy when replacing files to keep SELinux context
CI tests: improve log collecting
CI tests: fix SSSD log collecting
idrange: fix unassigned global variable
Do not initialize API in ipa-client-automount uninstall
Increase default length of auto generated passwords
ipa-backup: backup /etc/tmpfiles.d/dirsrv-.conf
Fix: container owner should be able to add vault
Remove forgotten print from DN.__str__ implementation
Raise DuplicatedEntry error when user exists in delete_container
Update translations
Print to debug output answer from CA
Revert “Enable LDAPS in replica promotion”
Milan Kubík (12)
ipatests: Tracker implementation for Sub CA feature
ipatests: Extend CAACL suite to cover Sub CA members
ipatests: Test Sub CA with CAACL and certificate profile
ipatests: remove ipacertbase option from test CSR configuration
ipatests: Add tracker class for kerberos principal aliases
ipatests: Extend the MockLDAP utility class
ipatests: Provide a context manager for mocking a trust in RPC tests
ipatests: Move trust mock helper functions to a separate module
ipapython: Extend kinit_password to support principal canonicalization
ipatests: Allow change_principal context manager to use canonicalization
ipatests: Add kerberos principal alias tests
ipatests: Fix wrong fixture in kerberos principal alias test
Oleg Fayans (7)
Test for incorrect client domain
Fixed import error
Fixed incorrect return code assert
Fixed incorrect domainlevel determination in tests
Fixed incorrect sequence of method calls in tasks.py
Added a sleep interval after domainlevel raise in tests
Disabled raiseonerr in kinit call during topology level check
Pavel Vomacka (12)
Close host adder dialog before showing 4304 dialog
Remove navigation using breadcrumb menus
Fix test_navigation tests
Fix test which checks removing of user
Set default delete action name to ‘delete’
Remove full name from adding user to user group dialog
Add function which checks whether the field is empty
Add jslint into Makefile
Fix unicode characters in ca and domain adders
Add warning about only one existing CA server
Set servers list as default facet in topology facet group
Add ‘trusted to auth as user’ checkbox
Peter Lacko (1)
Test URIs in certificate.
Petr Voborník (2)
unite log file name of ipa-ca-install
ca-less tests: fix getting cert in pem format from nssdb
Petr Špaček (15)
client-install: log exceptions from certmonger.request_cert
replica-install: Fix --domain
Fix ipa-replica-prepare’s error message about missing local CA instance
client: RPM require initscripts to get *-domainname.service
server-install: Fix --hostname option to always override api.env values
install: Call hostnamectl set-hostname only if --hostname option is used
DNS server upgrade: do not fail when DNS server did not respond
server upgrade: do not start BIND if it was not running before the upgrade
DNS: allow to add forward zone to already broken sub-domain
adtrust-install: Mention AD GC port 3286 in list of required ports.
config-mod: normalize attribute names for --usersearch/--groupsearch
migrate-ds: Mention --enable-migration in error message about migration mode
Fix man page ipa-replica-manage: remove duplicate -c option from --no-lookup
Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin
Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin
Simo Sorce (4)
Simplify date manipulation in pwd plugin
Regenerate asn1 code
Additional coverity fixes.
Fix CA ACL Check on SubjectAltNames
Stanislav Laznicka (7)
Removed unused method parameter from migrate-ds
Improvements for the ipa-cacert-manage man and help
Removed objectclass from LDAP*ReverseMember based tests
Don’t show --force-ntpd option in replica install
Remove sys.exit from install modules and scripts
Fail on topology disconnect/last role removal
Don’t ignore --ignore-last-of-role for last CA
Sumit Bose (1)
kdb: check for local realm in enterprise principals
Thierry Bordaz (2)
Heap corruption in ipapwd plugin
ipa-pwd-extop memory leak during password update
Tiboris (1)
Added new authentication method
Tomas Krizek (5)
Update ipa-replica-install documentation
Fix ipa-caalc-add-service error message
Validate key in otptoken-add
Fix ipa-server-install in pure IPv6 environment
Enable LDAPS in replica promotion
gkaihoro (1)
Test for caacl-add-service
tester (4)
Add possibility to choose parent element by css
TEST: managing user certificates
TEST: managing host certificates
TEST: managing service certificates