The FreeIPA team would like to announce FreeIPA 4.6.6 release!

It can be downloaded from http://www.freeipa.org/page/Downloads.

Highlights in 4.6.6#

Enhancements#

  • 6077: [RFE] Support One-Way Trust authenticated by trust secret

With this enhancement, Identity Management (IdM) supports establishing a one-way forest trust to Active Directory (AD) authenticated by a shared secret from the Windows AD domain controller (DC). Previous IdM versions did not contain the features that allowed AD DCs to contact an IdM DC in the mentioned scenario. As a result, IdM now supports establishing a one-way forest trust using a shared secret from both Active Directory and from IdM.


  • 7206: [RFE] Provide an option to include FQDN in IDM topology graph

IdM WebUI is now able to display the fully qualified domain name (FQDN) of the nodes in its Topology Graph. As a result, the topology graph is able to distinguish nodes with the same short hostname but within different domains.


  • 7658: [RFE] sysadm_r should be included in default SELinux user map order

The default SELinux user map order now includes sysadm_r. This parameter defines the list of SELinux users available for mapping. As a result, IdM now allows to map users to the SELinux role sysadm_r.


  • 7716: [RFE] remove “last init status” from ipa-replica-manage list if it’s None.

In verbose mode, the command ipa-replica-manage list displays additional details such as the status and timestamp of the last initialization or the last update. When no initialization occurred on the server, the command doesn’t display any more the labels ‘last init status: None’ and ‘last init ended: 1970-01-01 00:00:00+00:00’ which were confusing.


Known Issues#

Bug fixes#

FreeIPA 4.6.6 is a stabilization release for the features delivered as a part of 4.6.0. There are more than 50 bug-fixes details of which can be seen in the list of resolved tickets below.

Upgrading#

Upgrade instructions are available on Upgrade page.

Feedback#

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.

Resolved tickets#

  • 4812 Switch nsslapd-unhashed-pw-switch to nolog

  • 6077 [RFE] Support One-Way Trust authenticated by trust secret

  • 6250 Replica uninstallation does not remove the topology segment on master

  • 6627 WebUI: Enable pagination

  • 6951 Update samba config file and use sss idmap module

  • 7139 Traceback is seen when modification is done for user from ID Views - Default Trust View Tab.

  • 7206 [RFE] Provide an option to include FQDN in IDM topology graph

  • 7239 Using –auto-reverse and –allow-zone-overlap does not skip zone overlap check

  • 7304 double ca acl provoke console error.

  • 7366 RFE: ipa client should setup openldap for GSSAPI

  • 7598 ipa-client-install: autodiscovery must refuse single label domains

  • 7647 Error message should be more useful while ipa-backup fails for insufficient space

  • 7649 error shown when options are added to an existing sudo rule

  • 7651 ipa-replica-install –setup-kra broken on DL1

  • 7658 [RFE] sysadm_r should be included in default SELinux user map order

  • 7667 When setting up mod_ssl, define range o f the TLS protocols within the system-wide crypto policy

  • 7705 Support Samba 4.9

  • 7708 Create a warning that SSSD needs restart after idrange-mod

  • 7716 [RFE] remove “last init status” from ipa-replica-manage list if it’s None.

  • 7744 ipa-replica-install picks wrong replica for CA initial replication

  • 7783 use non-symlink (aliases) NFS unit names

  • 7805 [NFS] test kerberized NFS

  • 7835 Cert revokation for services and hosts is inefficient

  • 7843 [WebUI] Use generated certificates and CSR for testing

  • 7844 testcase test_change_sysaccount_password_issue7561 fails with some test configurations

  • 7857 Create tests for ipa-winsync-migrate

  • 7874 testcase test_commands.py::TestIPACommand::test_ssh_key_connection fails with some test configurations

  • 7876 Fail replica install

  • 7884 Coverity: New defect found in ipa-4.6.5

  • 7885 RFE: wrapper for Dogtag cert-fix command

  • 7886 ipa-replica-manage force-sync –from keeps prompting “No status yet”

  • 7889 test_integration/test_trust.py need improvement

  • 7892 Implement hidden / unadvertised IPA replicas

  • 7895 ipa trust fetch-domains, server parameter ignored

  • 7896 ipa-server-upgrade fails with ConversionError: invalid ‘cn’: must be Unicode text

  • 7897 ipa-kra-install failing with invalid ‘role_servrole’: must be Unicode text error

  • 7901 IPA Web UI is slow to display user details page.

  • 7903 d-bus interface signature failure for oddjobd helper trust-fetch-domains

  • 7918 ipa-client-automount needs option to specify domain

  • 7922 Command ipa conole is broken

  • 7926 cert renewal is failing when ipa ca cert is renewed from self-signed > external ca > self-sign

  • 7927 Wrong logic in ipactl restart leads to start instead of restart pki-tomcatd

  • 7928 cn=cacert could show expired certificate

  • 7929 ERROR: invalid ‘PKINIT enabled server’: all masters must have IPA master role enabled

  • 7931 test_integration/test_server_del.py fails due to inability to use command line option –ignore-topology-diconnect

  • 7932 FreeIPA queries rely on missing attribute altsecurityidentities

  • 7933 FreeIPA must index certmap attributes.

  • 7934 ipa-server-common expected file permissions in package don’t match runtime permissions

  • 7939 Upgrade failure when ipa-server-upgrade is being run on a system with no trust established but trust configured

  • 7959 ipa-client-install fails to add SSH public keys that are missing a whitespace as the last character

  • 7963 x509.Name -> ipapython.dn.DN does not handle multi-valued RDNs

  • 7970 test failure in test_backup_and_restore.py::TestBackupAndRestore

  • 7976 Issue with adding multiple RHEL 7 IPA replica to RHEL 6 IPA master

  • 7982 Cannot modify TTL with ipa dnsrecord-mod –ttl alone on command line

  • 7983 Staged user is not being recognized if the user entry doesn’t have an objectClass “posixaccount”

  • 7988 test_nfs.py: errors when running ipa-client-automount

  • 7992 ipa upgrade fails with trust entry already exists

  • 7995 Removing TLSv1.0, TLSv1.1 from nss.conf

  • 8000 [ipa-4-6] Restrict cipher lists used by openssl connections

Detailed changelog since 4.6.5#

Armando Neto (2)#

  • tox: force pytest version to the 4.6.4

  • Bump template version

Alexander Bokovoy (22)#

  • translations: update from Zanata for IPA 4.6

  • certmaprule: add negative test for altSecurityIdentities

  • certmap rules: altSecurityIdentities should only be used for trusted domains

  • Create indexes for altSecurityIdentities and ipaCertmapData attributes

  • Add altSecurityIdentities attribute from MS-WSPP schema definition

  • trust-fetch-domains: make sure we use right KDC when –server is specified

  • adtrust upgrade: fix wrong primary principal name, part 2

  • adtrust upgrade: fix wrong primary principal name

  • upgrade: adtrust - catch empty result when retrieving list of trusts

  • Enforce SMBLoris attack protection in default Samba configuration

  • Set idmap config for Samba to follow IPA ranges and use SSSD

  • Bypass D-BUS interface definition deficiences for trust-fetch-domains

  • net groupmap: force using empty config when mapping Guests

  • adtrust: define Guests mapping after creating cifs/ principal

  • oddjob: allow to pass options to trust-fetch-domains

  • upgrade: add trust upgrade to actual upgrade code

  • upgrade: upgrade existing trust agreements to new layout

  • trusts: add support for one-way shared secret trust

  • trust: allow trust agents to read POSIX identities of trust

  • Add design page for one-way trust to AD with shared secret

  • Support Samba 4.9

  • domainlevel-get: fix various issues when running as non-admin

amitkuma (1)#

  • RFE: ipa client should setup openldap for GSSAPI

Anuja More (1)#

  • ipatests: POSIX attributes are no longer overwritten or missing

Christian Heimes (24)#

  • Use only TLS 1.2 by default

  • Refactor tasks to include is_selinux_enabled()

  • Forbid imports of ipaserver and install packages

  • Don’t import ipaserver in conf.py

  • Replace imports from ipaserver

  • Delay import of SSSDConfig

  • Consider configured servers as valid

  • Adapt cert-find performance workaround for users

  • Don’t fail if config-show does not return servers

  • Add design draft

  • Test replica installation from hidden replica

  • Synchronize hidden state from IPA master role

  • Don’t allow to hide last server for a role

  • More test fixes

  • Improve config-show to show hidden servers

  • Consider hidden servers as role provider

  • Implement server-state –state=enabled/hidden

  • Simplify and improve tests

  • Add hidden replica feature

  • Replace hard-coded paths with path constants

  • Consolidate container_masters queries

  • Use api.env.container_masters

  • Unify and simplify LDAP service discovery

  • replica install: acknowledge ca_host override

François Cami (11)#

  • ipatests: add proper timeouts to nfs.py

  • ipa-client-automount: fix ‘–idmap-domain DNS’ logic

  • ipatests: add tests for the new NFSv4 domain option of ipa-client-automount

  • ipa-client-automount: add knob to configure NFSv4 Domain (idmapd.conf)

  • nfs.py: fix user creation

  • Hidden replica documentation: fix typo

  • ipa-backup: better error message if ENOSPC

  • ipatests: add nfs tests

  • ipatests: add a test for ipa-client-automount

  • ipatests: Exercise hidden replica feature

  • Add sysadm_r to default SELinux user map order

Florence Blanc-Renaud (25)#

  • Update the ciphers list

  • DL0 replica install: fix nsDS5ReplicaBindDN config

  • mod_nss: stop using NSSProtocols TLS 1.0 and 1.1

  • ipatests: fix ipatests/test_xmlrpc/test_dns_plugin.py

  • XMLRPC tests: add new test for ipa dsnrecord-mod $ZONE $RECORD –ttl

  • dnsrecord-mod: allow to modify ttl without passing the record

  • ipatests: add a test for stageuser-find with non-posix account

  • stageuser-find: fix search with non-posix user

  • ipatests: fix test_backup_and_restore.py::TestBackupAndRestore

  • ipatests: add integration test for ipa-replica-manage list

  • ipa-replica-manage: remove “last init status” if it’s None.

  • NSSDatabase: fix get_trust_chain

  • ipatests: CA renewal must refresh cn=CAcert

  • CA: set ipaconfigstring:compatCA in cn=DOMAIN IPA CA

  • ipatests: add integration test checking the files mode

  • Fix expected file permissions for ghost files

  • ipactl restart: fix wrong logic when checking service list

  • tests: correctly place xfail for test_integration/test_installation.py

  • ipa-client-install: autodiscovery must refuse single-label domains

  • tests: fix test_user_permissions.py::TestInstallClientNoAdmin

  • PRCI: add nightly definition for ipa-4-6 branch

  • ipa-setup-kra: fix python2 parameter

  • ipa-server-upgrade: fix add_systemd_user_hbac

  • ipa-replica-manage: fix force-sync

  • Coverity: fix issue in ipa_extdom_extop.c

Fraser Tweedale (11)#

  • dn: sort AVAs when converting from x509.Name

  • ipa-cert-fix: fix spurious renewal master change

  • ipa-cert-fix: handle ‘pki-server cert-fix’ failure

  • dn: handle multi-valued RDNs in Name conversion

  • ipa-cert-fix: use customary exit statuses

  • ipa-cert-fix: add man page

  • Add ipa-cert-fix tool

  • constants: add ca_renewal container

  • cainstance: add function to determine ca_renewal nickname

  • Extract ca_renewal cert update subroutine

  • Add uniqueness constraint on CA ACL name

Justin Stephenson (1)#

  • Skip zone overlap check with auto-reverse

Mohammad Rizwan Yusuf (1)#

  • Test if ipactl restart restarts the pki-tomcatd

Petr Vobornik (1)#

  • Fix order of commands in test for removing topology segments

Rob Crittenden (6)#

  • When reading SSH pub key don’t assume last character is newline

  • Convert members into types in sudorule-*-option

  • Remove tests which install KRA on replica w/o KRA on master

  • Fix uninstallation test, use different method to stop dirsrv

  • Extend CALessBase::installer_server to accept extra_args

  • VERSION.m4: Set back to git snapshot

Sergey Orlov (17)#

  • ipatests: new test for trust with partially unreachable AD topology

  • ipatests: new tests for establishing one-way AD trust with shared secret

  • ipatests: fix replica uninstallation in test_integration/test_server_del.py

  • ipatests: make encoding to base64 compatible with python2

  • ipatests: new tests for ipa-winsync-migrate utility

  • ipa console: catch proper exception when history file can not be open

  • ipatests: coerce tmpdir to string

  • ipatests: fix host name for ssh connection from controller to master

  • ipatests: fix ldap server url

  • ipatests: refactor test_trust.py

  • ipatests: adapt test_trust.py for changes in multihost fixture

  • ipatests: allow AD hosts to be placed in separate domain config objects

  • ipatests: fix expectations of `ipa trust-find` output for trust with root domain

  • ipatests: in test_trust.py fix parent class

  • ipatests: disable bind dns validation when preparing to establish AD trust

  • ipatests: in test_trust.py fix prameters in invocation of tasks.configure_dns_for_trust

  • Revert “Tests: Remove DNS configuration from trust tests”

Serhii Tsymbaliuk (5)#

  • WebUI: Fix automount maps pagination

  • WebUI: Fix ‘user not found’ traceback on user ID override details page

  • Fix test_arbitrary_certificates for Web UI

  • Web UI tests: Get rid of *_cert_path and *_csr_path config variables

  • Web UI (topology graph): Show FQDN for nodes if they have no common DNS zone

Thierry Bordaz (1)#

  • Switch nsslapd-unhashed-pw-switch to nolog

Oleg Kozlov (1)#

  • Show a notification that sssd needs restarting after idrange-mo