The FreeIPA team would like to announce the FreeIPA 4.4.3 release!

It can be downloaded from Builds for Fedora 24 will be available in the official COPR repository.

Highlights in 4.4.3


  • Chinese translations have been added to FreeIPA (state here)

Known Issues

Fedora 25

Bug fixes

FreeIPA 4.4.3 is a stabilization release for the features delivered as a part of 4.4.0. There are more than 20 bug fixes, details of which can be seen in the list of resolved tickets below.

  • CVE-2016-9575 Insufficient permission check in certprofile-mod

  • CVE-2016-7030 DoS attack against kerberized services by abusing password policy


Upgrade instructions are available on the Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list or the #freeipa channel on Freenode.

Resolved tickets

  • #6005 Create an automated test for Certs in idoverrides feature

  • #6022 cert-show command does not display Subject Alternative Names

  • #6088 tests involving KRA installation on replicas fail in domain level 0

  • #6263 ipa-server-certinstall does not update all certificate stores and doesn’t set proper trust permissions

  • #6269 cert-find --all does not show information about revocation

  • #6347 Tests: provide trust test coverage for tree root domains

  • #6369 [tracker] raise 389 requires when “Total init may fail if the pushed schema is rejected” is part of update

  • #6393 Make httpd publish CA certificate on Domain Level 1

  • #6395 Backport partial fix for #6292

  • #6396 Cleanup AD trust information after tests

  • #6397 WebUI: Services are not displayed correctly after upgrade

  • #6400 Add file_exists method as a member of transport object

  • #6401 Revert expected returncode in replica_promotion test

  • #6410 Tests: Verify that cert commands show CA without --all

  • #6412 Create tests for certs in idoverrides feature

  • #6417 Skip topology disconnect/last of role checks when uninstalling single domain level 1 master

  • #6419 cert-show default output does not show validity

  • #6435 Fix zanata.xml config to skip testing ipa.pot file

  • #6445 Traceback seen in error_log when trustdomain-del is run

  • #6451 Automate managed replication topology 4.4 features

  • #6480 Update man page for ipa-adtrust-install by removing --no-msdcs option

  • #6481 Create a test for instantiating rules with service principals

  • #6503 IPA upgrade of replica without DNS fails during restart of named-pkcs11

  • #6508 ipa-ca-install on promoted replica hangs on creating a temporary CA admin

  • #6518 Can not install IPA server when hostname is not DNS resolvable

  • #6532 replica installation incorrectly sets nsds5replicabinddngroup/nsds5replicabinddngroupcheckinterval on IPA 3.x instance

  • #6534 topology should not include A<->B segment “both” and B->A “left right” at the same time.

  • #6539 ipa vault operations are not possible with an older server

  • #6546 Delete option shouldn’t be available for hosts applied to view.

  • #6551 Upgrade Samba configuration to not include keytab prefix

Detailed changelog since 4.4.2

Alexander Bokovoy (3)

  • ipa-kdb: search for password policies globally cgit #6561

  • adtrust: remove FILE: prefix from ‘dedicated keytab file’ in smb.conf cgit #6551

  • trustdomain-del: fix the way how subdomain is searched cgit #6445

David Kupka (3)

  • tests: Expect krbpwdpolicyreference in result of {host,service}-{find,show} --all cgit #6561

  • password policy: Add explicit default password policy for hosts and services cgit #6561

  • ipaclient.plugins: Use api_version from internally called commands cgit #6539

Florence Blanc-Renaud (1)

  • Add cert checks in ipa-server-certinstall cgit #6263

Fraser Tweedale (2)

  • certprofile-mod: correctly authorise config update cgit #6560

  • cert-show: show validity in default output cgit #6419

Jan Cholasta (2)

  • spec file: bump minimal required version of 389-ds-base cgit #6369

  • cert: add revocation reason back to cert-find output cgit #6269

Lenka Doudova (9)

  • Document make_delete_command method in UserTracker cgit #6485

  • Tests: Providing trust tests with tree root domain cgit #6347

  • Tests: Verify that validity info is present in cert-show and cert-find command cgit #6419

  • Add file_exists method as a member of transport object cgit #6400

  • Tests: Provide AD cleanup for legacy client tests cgit #6396

  • Tests: Provide AD cleanup for trust tests cgit #6396

  • Tests: Fix integration sudo test cgit #6378

  • Tests: Fix failing test_ipalib/test_parameters cgit #6292, #6395

  • Tests: Verify that cert commands show CA without --all cgit #6410

Ludwig Krispenz (1)

  • Check for conflict entries before raising domain level cgit #6534

Martin Babinsky (7)

  • add missing attribute to ipaca replica during CA topology update cgit #6508

  • Revert “upgrade: add replica bind DN group check interval to CA topology config” cgit #6508

  • gracefully handle setting replica bind dn group on old masters cgit #6532

  • bindinstance: use data in named.conf to determine configuration status cgit #6503

  • replication: ensure bind DN group check interval is set on replica config cgit #6508

  • upgrade: add replica bind DN group check interval to CA topology config cgit #6508

  • server-del: fix incorrect check for one IPA master cgit #6417

Martin Basti (5)

  • freeipa-4.4.3: update translations cgit

  • Zanata: exclude testing ipa.pot file cgit #6435

  • CI: Disable KRA install tests on DL0 cgit #6088

  • CI: use --setup-kra with replica installation cgit #6088

  • CI: extend replication layouts tests with KRA cgit #6088

Oleg Fayans (8)

  • tests: Added basic tests for certs in idoverrides cgit #6412

  • Created idview tracker cgit #6412

  • Test for installing rules with service principals cgit #6481

  • Test: integration tests for certs in idoverrides feature cgit #6005

  • Added interface to certutil cgit

  • Automated ipa-replica-manage del tests cgit

  • tests: Automated clean-ruv subcommand tests cgit #6451

  • Reverted the assertion for replica uninstall returncode cgit #6401

Petr Spacek (2)

  • Accept server host names resolvable only using /etc/hosts cgit #6518

  • Update man page for ipa-adtrust-install by removing --no-msdcs option cgit #6480

Pavel Vomacka (2)

  • WebUI: Hide incorrectly shown buttons on hosts tab in ID Views cgit #6546

  • WebUI: services without canonical name are shown correctly cgit #6397

Stanislav Laznicka (2)

  • Fix missing file that fails DL1 replica installation cgit #6393

  • Make httpd publish its CA certificate on DL1 cgit #6393