

Release date: 2016-12-16

The FreeIPA team would like to announce the FreeIPA 4.4.3 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 24 will be available in the official COPR repository.

Highlights in 4.4.3


  • Chinese translations have been added to FreeIPA (state here)

Known Issues

Fedora 25

Bug fixes

FreeIPA 4.4.3 is a stabilization release for the features delivered as part of 4.4.0. There are more than 20 bug fixes, details of which can be seen in the list of resolved tickets below.

  • CVE-2016-9575 Insufficient permission check in certprofile-mod
  • CVE-2016-7030 DoS attack against kerberized services by abusing password policy


Upgrade instructions are available on the Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or the #freeipa channel on Freenode.

Resolved tickets

  • #6005 Create an automated test for Certs in idoverrides feature
  • #6022 cert-show command does not display Subject Alternative Names
  • #6088 test_installation.py tests involving KRA installation on replicas fail in domain level 0
  • #6263 ipa-server-certinstall does not update all certificate stores and doesn't set proper trust permissions
  • #6269 cert-find --all does not show information about revocation
  • #6347 Tests: provide trust test coverage for tree root domains
  • #6369 [tracker] raise 389 requires when "Total init may fail if the pushed schema is rejected" is part of update
  • #6393 Make httpd publish CA certificate on Domain Level 1
  • #6395 Backport partial fix for #6292
  • #6396 Cleanup AD trust information after tests
  • #6397 WebUI: Services are not displayed correctly after upgrade
  • #6400 Add file_exists method as a member of transport object
  • #6401 Revert expected returncode in replica_promotion test
  • #6410 Tests: Verify that cert commands show CA without --all
  • #6412 Create tests for certs in idoverrides feature
  • #6417 Skip topology disconnect/last of role checks when uninstalling single domain level 1 master
  • #6419 cert-show default output does not show validity
  • #6435 Fix zanata.xml config to skip testing ipa.pot file
  • #6445 Traceback seen in error_log when trustdomain-del is run
  • #6451 Automate managed replication topology 4.4 features
  • #6480 Update man page for ipa-adtrust-install by removing --no-msdcs option
  • #6481 Create a test for instantiating rules with service principals
  • #6503 IPA upgrade of replica without DNS fails during restart of named-pkcs11
  • #6508 ipa-ca-install on promoted replica hangs on creating a temporary CA admin
  • #6518 Can not install IPA server when hostname is not DNS resolvable
  • #6532 replica installation incorrectly sets nsds5replicabinddngroup/nsds5replicabinddngroupcheckinterval on IPA 3.x instance
  • #6534 topology should not include A<->B segment "both" and B->A "left right" at the same time.
  • #6539 ipa vault operations are not possible with an older server
  • #6546 Delete option shouldn't be available for hosts applied to view.
  • #6551 Upgrade Samba configuration to not include keytab prefix

Detailed changelog since 4.4.2

Alexander Bokovoy (3)

  • ipa-kdb: search for password policies globally cgit #6561
  • adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf cgit #6551
  • trustdomain-del: fix the way how subdomain is searched cgit #6445

David Kupka (3)

  • tests: Expect krbpwdpolicyreference in result of {host,service}-{find,show} --all cgit #6561
  • password policy: Add explicit default password policy for hosts and services cgit #6561
  • ipaclient.plugins: Use api_version from internally called commands cgit #6539

Florence Blanc-Renaud (1)

  • Add cert checks in ipa-server-certinstall cgit #6263

Fraser Tweedale (2)

  • certprofile-mod: correctly authorise config update cgit #6560
  • cert-show: show validity in default output cgit #6419

Jan Cholasta (2)

  • spec file: bump minimal required version of 389-ds-base cgit #6369
  • cert: add revocation reason back to cert-find output cgit #6269

Lenka Doudova (9)

  • Document make_delete_command method in UserTracker cgit #6485
  • Tests: Providing trust tests with tree root domain cgit #6347
  • Tests: Verify that validity info is present in cert-show and cert-find command cgit #6419
  • Add file_exists method as a member of transport object cgit #6400
  • Tests: Provide AD cleanup for legacy client tests cgit #6396
  • Tests: Provide AD cleanup for trust tests cgit #6396
  • Tests: Fix integration sudo test cgit #6378
  • Tests: Fix failing test_ipalib/test_parameters cgit #6292, #6395
  • Tests: Verify that cert commands show CA without --all cgit #6410

Ludwig Krispenz (1)

  • Check for conflict entries before raising domain level cgit #6534

Martin Babinsky (7)

  • add missing attribute to ipaca replica during CA topology update cgit #6508
  • Revert "upgrade: add replica bind DN group check interval to CA topology config" cgit #6508
  • gracefully handle setting replica bind dn group on old masters cgit #6532
  • bindinstance: use data in named.conf to determine configuration status cgit #6503
  • replication: ensure bind DN group check interval is set on replica config cgit #6508
  • upgrade: add replica bind DN group check interval to CA topology config cgit #6508
  • server-del: fix incorrect check for one IPA master cgit #6417

Martin Basti (5)

  • freeipa-4.4.3: update translations cgit
  • Zanata: exclude testing ipa.pot file cgit #6435
  • CI: Disable KRA install tests on DL0 cgit #6088
  • CI: use --setup-kra with replica installation cgit #6088
  • CI: extend replication layouts tests with KRA cgit #6088

Oleg Fayans (8)

  • tests: Added basic tests for certs in idoverrides cgit #6412
  • Created idview tracker cgit #6412
  • Test for installing rules with service principals cgit #6481
  • Test: integration tests for certs in idoverrides feature cgit #6005
  • Added interface to certutil cgit
  • Automated ipa-replica-manage del tests cgit
  • tests: Automated clean-ruv subcommand tests cgit #6451
  • Reverted the assertion for replica uninstall returncode cgit #6401

Petr Spacek (2)

  • Accept server host names resolvable only using /etc/hosts cgit #6518
  • Update man page for ipa-adtrust-install by removing --no-msdcs option cgit #6480

Pavel Vomacka (2)

  • WebUI: Hide incorrectly shown buttons on hosts tab in ID Views cgit #6546
  • WebUI: services without canonical name are shown correctly cgit #6397

Stanislav Laznicka (2)

  • Fix missing file that fails DL1 replica installation cgit #6393
  • Make httpd publish its CA certificate on DL1 cgit #6393