The FreeIPA team would like to announce the FreeIPA 4.4.3 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 24 will be available in the official COPR repository.
Highlights in 4.4.3
Enhancements
Chinese translations have been added to FreeIPA (state here)
Known Issues
Fedora 25
SELinux denials on the ipa-otpd service prevent installation of a FreeIPA master/replica.
Workaround: before installation, execute the following command as root:
chcon system_u:object_r:ipa_otpd_exec_t:s0 /usr/libexec/ipa/ipa-otpd
Bug fixes
FreeIPA 4.4.3 is a stabilization release for the features delivered as a part of 4.4.0. There are more than 20 bug fixes, details of which can be seen in the list of resolved tickets below.
CVE-2016-9575 Insufficient permission check in certprofile-mod
CVE-2016-7030 DoS attack against kerberized services by abusing password policy
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.
Resolved tickets
#6005 Create an automated test for Certs in idoverrides feature
#6022 cert-show command does not display Subject Alternative Names
#6088 test_installation.py tests involving KRA installation on replicas fail in domain level 0
#6263 ipa-server-certinstall does not update all certificate stores and doesn’t set proper trust permissions
#6269 cert-find --all does not show information about revocation
#6347 Tests: provide trust test coverage for tree root domains
#6369 [tracker] raise 389 requires when “Total init may fail if the pushed schema is rejected” is part of update
#6393 Make httpd publish CA certificate on Domain Level 1
#6395 Backport partial fix for #6292
#6396 Cleanup AD trust information after tests
#6397 WebUI: Services are not displayed correctly after upgrade
#6400 Add file_exists method as a member of transport object
#6401 Revert expected returncode in replica_promotion test
#6410 Tests: Verify that cert commands show CA without --all
#6412 Create tests for certs in idoverrides feature
#6417 Skip topology disconnect/last of role checks when uninstalling single domain level 1 master
#6419 cert-show default output does not show validity
#6435 Fix zanata.xml config to skip testing ipa.pot file
#6445 Traceback seen in error_log when trustdomain-del is run
#6451 Automate managed replication topology 4.4 features
#6480 Update man page for ipa-adtrust-install by removing --no-msdcs option
#6481 Create a test for instantiating rules with service principals
#6503 IPA upgrade of replica without DNS fails during restart of named-pkcs11
#6508 ipa-ca-install on promoted replica hangs on creating a temporary CA admin
#6518 Can not install IPA server when hostname is not DNS resolvable
#6532 replica installation incorrectly sets nsds5replicabinddngroup/nsds5replicabinddngroupcheckinterval on IPA 3.x instance
#6534 topology should not include A<->B segment “both” and B->A “left right” at the same time.
#6539 ipa vault operations are not possible with an older server
#6546 Delete option shouldn’t be available for hosts applied to view.
#6551 Upgrade Samba configuration to not include keytab prefix
Detailed changelog since 4.4.2
Alexander Bokovoy (3)
David Kupka (3)
Florence Blanc-Renaud (1)
Fraser Tweedale (2)
Jan Cholasta (2)
Lenka Doudova (9)
Document make_delete_command method in UserTracker cgit #6485
Tests: Providing trust tests with tree root domain cgit #6347
Tests: Verify that validity info is present in cert-show and cert-find command cgit #6419
Add file_exists method as a member of transport object cgit #6400
Tests: Provide AD cleanup for legacy client tests cgit #6396
Tests: Fix failing test_ipalib/test_parameters cgit #6292, #6395
Tests: Verify that cert commands show CA without --all cgit #6410
Ludwig Krispenz (1)
Martin Babinsky (7)
add missing attribute to ipaca replica during CA topology update cgit #6508
Revert “upgrade: add replica bind DN group check interval to CA topology config” cgit #6508
gracefully handle setting replica bind dn group on old masters cgit #6532
bindinstance: use data in named.conf to determine configuration status cgit #6503
replication: ensure bind DN group check interval is set on replica config cgit #6508
upgrade: add replica bind DN group check interval to CA topology config cgit #6508
server-del: fix incorrect check for one IPA master cgit #6417
Martin Basti (5)
Oleg Fayans (8)
tests: Added basic tests for certs in idoverrides cgit #6412
Test for installing rules with service principals cgit #6481
Test: integration tests for certs in idoverrides feature cgit #6005
Added interface to certutil cgit
Automated ipa-replica-manage del tests cgit
Reverted the assertion for replica uninstall returncode cgit #6401