The FreeIPA team would like to announce the FreeIPA 4.6.6 release!
It can be downloaded from http://www.freeipa.org/page/Downloads.
Highlights in 4.6.6
Enhancements
6077: [RFE] Support One-Way Trust authenticated by trust secret
With this enhancement, Identity Management (IdM) supports establishing a one-way forest trust to Active Directory (AD) that is authenticated by a shared secret created on the Windows AD domain controller (DC). Previous IdM versions did not contain the features that allowed AD DCs to contact an IdM DC in this scenario. As a result, IdM now supports establishing a one-way forest trust authenticated by a shared secret from both the Active Directory side and the IdM side.
7206: [RFE] Provide an option to include FQDN in IDM topology graph
The IdM Web UI can now display the fully qualified domain name (FQDN) of the nodes in its topology graph. As a result, the graph can distinguish nodes that share a short hostname but sit in different DNS domains.
7658: [RFE] sysadm_r should be included in default SELinux user map order
The default SELinux user map order now includes sysadm_r. This parameter defines the list of SELinux users that SELinux user map rules are allowed to assign; a rule cannot assign a SELinux user that is absent from the list. As a result, IdM users can now be mapped to the SELinux role sysadm_r with the default configuration.
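As an added illustration (not code from the FreeIPA project or from this announcement), the following Python shows the shape of that setting: the map order is a '$'-separated list of SELinux users with MLS ranges, and a SELinux user map rule may only assign a user that is well-formed and present in the list, so a bare role name such as sysadm_r is rejected. The example value and the helper names are my own; the real default on a server is reported by `ipa config-show` and changed with `ipa config-mod --ipaselinuxusermaporder=...`.

```python
import re

# Constructed example of the "SELinux user map order" setting (the
# ipaselinuxusermaporder attribute on the IdM config entry).  Entries are
# SELinux users with an MLS range, separated by '$'.  This is an illustration
# that includes a sysadm_u entry, not a copy of any particular server's value;
# check yours with `ipa config-show`.
EXAMPLE_MAP_ORDER = (
    "guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023"
    "$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023"
)

# One MLS level: a sensitivity plus optional categories (c0.c1023 or c0,c5).
_LEVEL = r"s[0-9]+(?::c[0-9]+(?:\.c[0-9]+)?(?:,c[0-9]+(?:\.c[0-9]+)?)*)?"
# A SELinux user identity followed by an MLS range "low" or "low-high".
_SELINUX_USER_RE = re.compile(rf"^[a-z_][a-z0-9_]*:{_LEVEL}(?:-{_LEVEL})?$")


def parse_map_order(order: str) -> list:
    """Split the '$'-separated order into its SELinux user entries."""
    return [entry for entry in order.split("$") if entry]


def is_valid_selinux_user(candidate: str) -> bool:
    """True if candidate has the user:MLS-range shape, e.g. sysadm_u:s0-s0:c0.c1023."""
    return _SELINUX_USER_RE.match(candidate) is not None


def can_map_to(order: str, candidate: str) -> bool:
    """True if a user map rule may assign `candidate`: it must be well-formed
    and appear in the configured order.  A role name such as 'sysadm_r' fails
    the format check because the list holds SELinux users, not roles."""
    if not is_valid_selinux_user(candidate):
        return False
    return candidate in parse_map_order(order)


def add_to_map_order(order: str, entry: str) -> str:
    """Return a new order string with `entry` appended, the value an admin
    would hand to `ipa config-mod --ipaselinuxusermaporder=...` on a server
    whose default lacks it.  Malformed entries raise; duplicates are skipped."""
    if not is_valid_selinux_user(entry):
        raise ValueError(f"not a SELinux user with MLS range: {entry!r}")
    entries = parse_map_order(order)
    if entry not in entries:
        entries.append(entry)
    return "$".join(entries)


if __name__ == "__main__":
    for cand in ("sysadm_u:s0-s0:c0.c1023", "sysadm_r", "root_u:s0"):
        print(f"{cand:28} mappable={can_map_to(EXAMPLE_MAP_ORDER, cand)}")
```

The format check mirrors the rule that the order lists SELinux users with their MLS range; in the reference policy the sysadm_u user is what carries the sysadm_r role, which is why the list entry is sysadm_u rather than the role name used in the ticket title.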
7716: [RFE] remove “last init status” from ipa-replica-manage list if it’s None.
In verbose mode, the command ipa-replica-manage list displays additional details, such as the status and timestamp of the last initialization and of the last update. When no initialization has occurred on the server, the command no longer displays the labels ‘last init status: None’ and ‘last init ended: 1970-01-01 00:00:00+00:00’, which were confusing (the timestamp was simply the Unix epoch standing in for a missing value).
Known Issues
Bug fixes
FreeIPA 4.6.6 is a stabilization release for the features delivered as part of 4.6.0. It contains more than 50 bug fixes; details can be found in the list of resolved tickets below.
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.
Resolved tickets
4812 Switch nsslapd-unhashed-pw-switch to nolog
6077 [RFE] Support One-Way Trust authenticated by trust secret
6250 Replica uninstallation does not remove the topology segment on master
6627 WebUI: Enable pagination
6951 Update samba config file and use sss idmap module
7139 Traceback is seen when modification is done for user from ID Views - Default Trust View Tab.
7206 [RFE] Provide an option to include FQDN in IDM topology graph
7239 Using --auto-reverse and --allow-zone-overlap does not skip zone overlap check
7304 double ca acl provoke console error.
7366 RFE: ipa client should setup openldap for GSSAPI
7598 ipa-client-install: autodiscovery must refuse single label domains
7647 Error message should be more useful while ipa-backup fails for insufficient space
7649 error shown when options are added to an existing sudo rule
7651 ipa-replica-install --setup-kra broken on DL1
7658 [RFE] sysadm_r should be included in default SELinux user map order
7667 When setting up mod_ssl, define range of the TLS protocols within the system-wide crypto policy
7705 Support Samba 4.9
7708 Create a warning that SSSD needs restart after idrange-mod
7716 [RFE] remove “last init status” from ipa-replica-manage list if it’s None.
7744 ipa-replica-install picks wrong replica for CA initial replication
7783 use non-symlink (aliases) NFS unit names
7805 [NFS] test kerberized NFS
7835 Cert revocation for services and hosts is inefficient
7843 [WebUI] Use generated certificates and CSR for testing
7844 testcase test_change_sysaccount_password_issue7561 fails with some test configurations
7857 Create tests for ipa-winsync-migrate
7874 testcase test_commands.py::TestIPACommand::test_ssh_key_connection fails with some test configurations
7876 Fail replica install
7884 Coverity: New defect found in ipa-4.6.5
7885 RFE: wrapper for Dogtag cert-fix command
7886 ipa-replica-manage force-sync --from keeps prompting “No status yet”
7889 test_integration/test_trust.py need improvement
7892 Implement hidden / unadvertised IPA replicas
7895 ipa trust-fetch-domains, server parameter ignored
7896 ipa-server-upgrade fails with ConversionError: invalid ‘cn’: must be Unicode text
7897 ipa-kra-install failing with invalid ‘role_servrole’: must be Unicode text error
7901 IPA Web UI is slow to display user details page.
7903 d-bus interface signature failure for oddjobd helper trust-fetch-domains
7918 ipa-client-automount needs option to specify domain
7922 Command ipa console is broken
7926 cert renewal is failing when ipa ca cert is renewed from self-signed > external ca > self-sign
7927 Wrong logic in ipactl restart leads to start instead of restart pki-tomcatd
7928 cn=cacert could show expired certificate
7929 ERROR: invalid ‘PKINIT enabled server’: all masters must have IPA master role enabled
7931 test_integration/test_server_del.py fails due to inability to use command line option --ignore-topology-disconnect
7932 FreeIPA queries rely on missing attribute altsecurityidentities
7933 FreeIPA must index certmap attributes.
7934 ipa-server-common expected file permissions in package don’t match runtime permissions
7939 Upgrade failure when ipa-server-upgrade is being run on a system with no trust established but trust configured
7959 ipa-client-install fails to add SSH public keys that are missing a whitespace as the last character
7963 x509.Name -> ipapython.dn.DN does not handle multi-valued RDNs
7970 test failure in test_backup_and_restore.py::TestBackupAndRestore
7976 Issue with adding multiple RHEL 7 IPA replica to RHEL 6 IPA master
7982 Cannot modify TTL with ipa dnsrecord-mod --ttl alone on command line
7983 Staged user is not being recognized if the user entry doesn’t have an objectClass “posixaccount”
7988 test_nfs.py: errors when running ipa-client-automount
7992 ipa upgrade fails with trust entry already exists
7995 Removing TLSv1.0, TLSv1.1 from nss.conf
8000 [ipa-4-6] Restrict cipher lists used by openssl connections
Detailed changelog since 4.6.5
Armando Neto (2)
tox: force pytest version to the 4.6.4
Bump template version
Alexander Bokovoy (22)
translations: update from Zanata for IPA 4.6
certmaprule: add negative test for altSecurityIdentities
certmap rules: altSecurityIdentities should only be used for trusted domains
Create indexes for altSecurityIdentities and ipaCertmapData attributes
Add altSecurityIdentities attribute from MS-WSPP schema definition
trust-fetch-domains: make sure we use right KDC when --server is specified
adtrust upgrade: fix wrong primary principal name, part 2
adtrust upgrade: fix wrong primary principal name
upgrade: adtrust - catch empty result when retrieving list of trusts
Enforce SMBLoris attack protection in default Samba configuration
Set idmap config for Samba to follow IPA ranges and use SSSD
Bypass D-BUS interface definition deficiencies for trust-fetch-domains
net groupmap: force using empty config when mapping Guests
adtrust: define Guests mapping after creating cifs/ principal
oddjob: allow to pass options to trust-fetch-domains
upgrade: add trust upgrade to actual upgrade code
upgrade: upgrade existing trust agreements to new layout
trusts: add support for one-way shared secret trust
trust: allow trust agents to read POSIX identities of trust
Add design page for one-way trust to AD with shared secret
Support Samba 4.9
domainlevel-get: fix various issues when running as non-admin
amitkuma (1)
RFE: ipa client should setup openldap for GSSAPI
Anuja More (1)
ipatests: POSIX attributes are no longer overwritten or missing
Christian Heimes (24)
Use only TLS 1.2 by default
Refactor tasks to include is_selinux_enabled()
Forbid imports of ipaserver and install packages
Don’t import ipaserver in conf.py
Replace imports from ipaserver
Delay import of SSSDConfig
Consider configured servers as valid
Adapt cert-find performance workaround for users
Don’t fail if config-show does not return servers
Add design draft
Test replica installation from hidden replica
Synchronize hidden state from IPA master role
Don’t allow to hide last server for a role
More test fixes
Improve config-show to show hidden servers
Consider hidden servers as role provider
Implement server-state --state=enabled/hidden
Simplify and improve tests
Add hidden replica feature
Replace hard-coded paths with path constants
Consolidate container_masters queries
Use api.env.container_masters
Unify and simplify LDAP service discovery
replica install: acknowledge ca_host override
François Cami (11)
ipatests: add proper timeouts to nfs.py
ipa-client-automount: fix ‘--idmap-domain DNS’ logic
ipatests: add tests for the new NFSv4 domain option of ipa-client-automount
ipa-client-automount: add knob to configure NFSv4 Domain (idmapd.conf)
nfs.py: fix user creation
Hidden replica documentation: fix typo
ipa-backup: better error message if ENOSPC
ipatests: add nfs tests
ipatests: add a test for ipa-client-automount
ipatests: Exercise hidden replica feature
Add sysadm_r to default SELinux user map order
Florence Blanc-Renaud (25)
Update the ciphers list
DL0 replica install: fix nsDS5ReplicaBindDN config
mod_nss: stop using NSSProtocols TLS 1.0 and 1.1
ipatests: fix ipatests/test_xmlrpc/test_dns_plugin.py
XMLRPC tests: add new test for ipa dnsrecord-mod $ZONE $RECORD --ttl
dnsrecord-mod: allow to modify ttl without passing the record
ipatests: add a test for stageuser-find with non-posix account
stageuser-find: fix search with non-posix user
ipatests: fix test_backup_and_restore.py::TestBackupAndRestore
ipatests: add integration test for ipa-replica-manage list
ipa-replica-manage: remove “last init status” if it’s None.
NSSDatabase: fix get_trust_chain
ipatests: CA renewal must refresh cn=CAcert
CA: set ipaconfigstring:compatCA in cn=DOMAIN IPA CA
ipatests: add integration test checking the files mode
Fix expected file permissions for ghost files
ipactl restart: fix wrong logic when checking service list
tests: correctly place xfail for test_integration/test_installation.py
ipa-client-install: autodiscovery must refuse single-label domains
tests: fix test_user_permissions.py::TestInstallClientNoAdmin
PRCI: add nightly definition for ipa-4-6 branch
ipa-setup-kra: fix python2 parameter
ipa-server-upgrade: fix add_systemd_user_hbac
ipa-replica-manage: fix force-sync
Coverity: fix issue in ipa_extdom_extop.c
Fraser Tweedale (11)
dn: sort AVAs when converting from x509.Name
ipa-cert-fix: fix spurious renewal master change
ipa-cert-fix: handle ‘pki-server cert-fix’ failure
dn: handle multi-valued RDNs in Name conversion
ipa-cert-fix: use customary exit statuses
ipa-cert-fix: add man page
Add ipa-cert-fix tool
constants: add ca_renewal container
cainstance: add function to determine ca_renewal nickname
Extract ca_renewal cert update subroutine
Add uniqueness constraint on CA ACL name
Justin Stephenson (1)
Skip zone overlap check with auto-reverse
Mohammad Rizwan Yusuf (1)
Test if ipactl restart restarts the pki-tomcatd
Petr Vobornik (1)
Fix order of commands in test for removing topology segments
Rob Crittenden (6)
When reading SSH pub key don’t assume last character is newline
Convert members into types in sudorule-*-option
Remove tests which install KRA on replica w/o KRA on master
Fix uninstallation test, use different method to stop dirsrv
Extend CALessBase::installer_server to accept extra_args
VERSION.m4: Set back to git snapshot
Sergey Orlov (17)
ipatests: new test for trust with partially unreachable AD topology
ipatests: new tests for establishing one-way AD trust with shared secret
ipatests: fix replica uninstallation in test_integration/test_server_del.py
ipatests: make encoding to base64 compatible with python2
ipatests: new tests for ipa-winsync-migrate utility
ipa console: catch proper exception when history file cannot be opened
ipatests: coerce tmpdir to string
ipatests: fix host name for ssh connection from controller to master
ipatests: fix ldap server url
ipatests: refactor test_trust.py
ipatests: adapt test_trust.py for changes in multihost fixture
ipatests: allow AD hosts to be placed in separate domain config objects
ipatests: fix expectations of `ipa trust-find` output for trust with root domain
ipatests: in test_trust.py fix parent class
ipatests: disable bind dns validation when preparing to establish AD trust
ipatests: in test_trust.py fix parameters in invocation of tasks.configure_dns_for_trust
Revert “Tests: Remove DNS configuration from trust tests”
Serhii Tsymbaliuk (5)
WebUI: Fix automount maps pagination
WebUI: Fix ‘user not found’ traceback on user ID override details page
Fix test_arbitrary_certificates for Web UI
Web UI tests: Get rid of *_cert_path and *_csr_path config variables
Web UI (topology graph): Show FQDN for nodes if they have no common DNS zone
Thierry Bordaz (1)
Switch nsslapd-unhashed-pw-switch to nolog
Oleg Kozlov (1)
Show a notification that sssd needs restarting after idrange-mo