The FreeIPA team would like to announce the FreeIPA 4.6.8 release!

It can be downloaded from http://www.freeipa.org/page/Downloads.

Highlights in 4.6.8#

  • 5662: ID Views: do not allow custom Views for the masters

    Custom ID views cannot be applied to IPA masters. A check was added to both the IPA CLI and the Web UI that rejects applying a custom ID view to a master, avoiding confusion and unintended side effects.


  • 6783: [RFE] Host-group names command rename

    Host groups can now be renamed with the IPA CLI: 'ipa hostgroup-mod group-name --rename new-name'. Protected host groups ('ipaservers') cannot be renamed.


  • 7181: ipa-replica-prepare fails for 2nd replica when passwordHistory is enabled

    The FreeIPA password policy plugin in 389-ds was extended to exempt non-Kerberos LDAP objects from Kerberos password policy checks when their password is changed by the Directory Manager or a password synchronization manager. Among others, this issue affected the integrated CA administrator account when deploying more than one replica in some cases.


  • 8236: Enforce a check to prevent adding objects from IPA as external members of external groups

    The 'ipa group-add-member' command accepted any user or group for the '--external' option. A stricter check was added to verify that a user or group to be added as an external member does not come from the IPA domain.


  • 8239: Actualize Bootstrap version

    The Bootstrap JavaScript framework used by the FreeIPA Web UI was updated to version 3.4.1.
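The SID-based test behind the '--external' restriction from ticket 8236, as an added example. This is not FreeIPA's own implementation: it assumes the name passed to 'ipa group-add-member --external' has already been resolved to a SID through the trust, and then refuses anything whose domain part is the IPA domain's own SID or an untrusted domain. The IPA domain SID, the trusted-domain set and the candidate SIDs are all constructed for the example.

```python
import re

# Added example for the --external member check (ticket 8236).  This is not
# FreeIPA's own implementation: it shows the SID-based test a server can apply
# once the name given to 'ipa group-add-member --external' has been resolved
# to a SID.  All SIDs below are constructed for the example.

# SID of the IPA domain itself (constructed; in a real deployment this comes
# from the IPA domain's trust configuration).
IPA_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Domain SIDs of established AD trusts (constructed).
TRUSTED_DOMAIN_SIDS = {"S-1-5-21-4444444444-5555555555-6666666666"}

_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Split a textual SID into (identifier authority, [sub-authorities])."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError("malformed SID: %r" % (sid,))
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    return authority, subs


def domain_sid_of(sid):
    """Return the domain part of an account SID (everything but the RID).

    Only NT-authority domain SIDs (S-1-5-21-a-b-c-RID) denote accounts from a
    domain; well-known SIDs such as S-1-1-0 or S-1-5-32-544 are rejected.
    """
    authority, subs = parse_sid(sid)
    if authority != 5 or len(subs) < 5 or subs[0] != 21:
        raise ValueError("not a domain account SID: %r" % (sid,))
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs[:-1]))


def check_external_member(candidate_sid, ipa_domain_sid, trusted_domain_sids):
    """Decide whether `candidate_sid` may be added as an external member.

    Returns (allowed, reason).  The order matters: an IPA-domain SID is
    refused before the trust check so the caller can tell a local object
    apart from an unknown domain.
    """
    try:
        domain = domain_sid_of(candidate_sid)
    except ValueError as exc:
        return False, str(exc)
    if domain == ipa_domain_sid:
        return False, ("%s belongs to the IPA domain; add it as a regular "
                       "member, not with --external" % candidate_sid)
    if domain not in trusted_domain_sids:
        return False, "%s is not from a trusted domain" % domain
    return True, "ok"


# Constructed candidates, as they might be resolved from the names a caller
# passes to 'ipa group-add-member --external'.
CANDIDATES = [
    "S-1-5-21-4444444444-5555555555-6666666666-1105",  # AD user: allowed
    "S-1-5-21-1111111111-2222222222-3333333333-1001",  # IPA user: refused
    "S-1-5-21-7777777777-8888888888-9999999999-512",   # unknown domain
    "S-1-5-32-544",                                    # BUILTIN Administrators
    "S-1-1-0",                                         # Everyone
    "not-a-sid",
]


def audit_candidates(candidates=CANDIDATES):
    """Run the check over a list of SIDs; returns [(sid, allowed, reason)]."""
    return [(sid,) + check_external_member(sid, IPA_DOMAIN_SID, TRUSTED_DOMAIN_SIDS)
            for sid in candidates]


if __name__ == "__main__":
    for sid, allowed, reason in audit_candidates():
        print("%-48s %s  %s" % (sid, "ALLOW " if allowed else "REFUSE", reason))
```

A check like this belongs on the server side of the command, not only in the CLI or Web UI, so that an older client or a direct API call gets the same refusal.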


Enhancements#

Known Issues#

Bug fixes#

FreeIPA 4.6.8 is a stabilization release for the features delivered as a part of 4.6 version series.

There are more than 50 bug fixes; details can be seen in the list of resolved tickets below.

Upgrading#

Upgrade instructions are available on the Upgrade page.

Feedback#

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.

Resolved tickets#

  • #4972 (rhbz#1206690) check for existence of private group is done even if UPG definition is disabled

  • #5662 (rhbz#1404770) ID Views: do not allow custom Views for the masters

  • #6210 (rhbz#1364139, rhbz#1751951) When master’s IP address does not resolve to its name, ipa-replica-install fails

  • #6783 (rhbz#1430365) [RFE] Host-group names command rename

  • #6951 (rhbz#1449133) Update samba config file and use sss idmap module

  • #7181 (rhbz#1545755) ipa-replica-prepare fails for 2nd replica when passwordHistory is enabled

  • #7307 (rhbz#1518939) RFE: Extend IPA to support unadvertised replicas

  • #7470 TestBasicADTrust.test_ipauser_authentication is failing with error “Confidentiality required”

  • #7566 (rhbz#1591824) Installation of replica against a specific master

  • #7597 (rhbz#1583950) IPA: IDM drops all custom attributes when moving account from preserved to stage

  • #7600 (rhbz#1585020) Enable compat tree to provide information about AD users and groups on trust agents

  • #7725 (rhbz#1636765) ipa-restore set wrong file permissions and ownership for /var/log/dirsrv/slapd- directory

  • #7795 (rhbz#1795890) ipa-pkinit-manage enable fails on replica if it doesn’t host the CA

  • #7804 (rhbz#1777811) `ipa otptoken-sync` fails with stack trace

  • #7807 (rhbz#1752005) Detect container installation to avoid Kernel keyring

  • #7870 (rhbz#1680039) [certmonger][upgrade] “Failed to get request: bus, object_path and dbus_interface must not be None.”

  • #7893 ipasam needs changes for Samba 4.10

  • #7895 (rhbz#1686302) ipa trust fetch-domains, server parameter ignored

  • #7964 GSSAPI failure causing LWCA key replication failure on f30

  • #7995 (rhbz#1711172) Removing TLSv1.0, TLSv1.1 from nss.conf

  • #8001 Need default authentication indicators for SPAKE, PKINIT and encrypted challenge preauth

  • #8017 (rhbz#1817927) host-add --password logs cleartext userpassword to Apache error log

  • #8026 Update pr-ci definitions with master_3client topology

  • #8029 (rhbz#1749788) ipa host-find --pkey-only includes SSH keys in output

  • #8044 (rhbz#1717008) Extdom plugin should not return LDAP_NO_SUCH_OBJECT if there are timeout or other errors

  • #8058 (rhbz#1745108) ipa-4-6: ipa-client-install should not refuse single-label domains

  • #8067 (rhbz#1750700) add default access control configuration to trusted domain objects

  • #8070 Test failure in test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion::()::test_hidden_replica_install

  • #8077 New pylint 2.4.0 errors

  • #8082 (rhbz#1756432) Default client configuration breaks ssh in FIPS mode.

  • #8084 (rhbz#1758406) KRA authentication fails when IPA CA has custom Subject DN

  • #8086 (rhbz#1756568) ipa-server-certinstall man page does not match built-in help.

  • #8099 (rhbz#1762317) ipa-backup command is failing on rhel-7.8

  • #8102 Pylint 2.4.3 + Astroid 2.3.2 errors

  • #8113 (rhbz#1755535) ipa-advise on a RHEL7 IdM server is not able to generate a configuration script for a RHEL8 IdM client

  • #8115 Nightly test failure in fedora-30/test_smb and fedora-29/test_smb

  • #8120 (rhbz#1769791) Invisible part of notification area in Web UI intercepts clicks of some page elements

  • #8126 Nightly test failure in fedora-27/test_ca_custom_sdn

  • #8131 (rhbz#1777920) covscan memory leaks report

  • #8138 (rhbz#1780548) Man page ipa-cacert-manage does not display correctly on RHEL

  • #8148 (rhbz#1782587) add “systemctl restart sssd” to warning message when adding trust agents to replicas

  • #8152 ipatests: Enhance install_replica() method with promote option for ipa-4-6

  • #8164 (rhbz#1788907) Renewed certs are not picked up by IPA CAs

  • #8170 Nightly test failure in fedora-rawhide/test_backup_and_restore_TestBackupReinstallRestoreWithDNS

  • #8176 External CA is tracked for renewals and replaced with a self-signed certificate

  • #8193 (rhbz#1801791) Re-order 50-externalmembers.update to be after 80-schema_compat.update

  • #8213 Test failure in Travis CI: missing IPv6 loopback interface

  • #8219 ipatests: unify editing of sssd.conf

  • #8220 Pylint for python2 complains about import from ipaplatform

  • #8221 (rhbz#1812169) Secure AJP connector between Dogtag and Apache proxy

  • #8236 (rhbz#1809835) Enforce a check to prevent adding objects from IPA as external members of external groups

  • #8238 Nightly test failure in fedora-27/test_sssd

  • #8239 Actualize Bootstrap version

  • #8242 (rhbz#1788718) ipa-server-install incorrectly setting slew mode (-x) when setting up ntpd

Detailed changelog since 4.6.7#

Armando Neto (2)#

  • Travis: Enable IPv6 support for Docker commit #8213

  • prci: Update box used in branch ipa-4-6 commit

Alexander Bokovoy (24)#

  • Return to development snapshots commit

  • Become FreeIPA 4.6.8 commit

  • Update list of contributors commit

  • Allow rename of a host group commit #6783

  • Add ‘api’ and ‘aci’ targets to make commit

  • ipa-pwd-extop: don’t check password policy for non-Kerberos account set by DM or a passsync manager commit #7181

  • ipa-pwd-extop: use SLAPI_BIND_TARGET_SDN commit #7181

  • ipatests: test sysaccount password change with a password policy applied commit #7181

  • ipatests: allow changing sysaccount passwords as cn=Directory Manager commit #7181

  • Fix indentation levels commit

  • Prevent adding IPA objects as external members of external groups commit #8236

  • Secure AJP connector between Dogtag and Apache proxy commit #8221

  • Tighten permissions on PKI proxy configuration commit #8221

  • install/updates: move external members past schema compat update commit #8193

  • covscan: free ucs2-encoded password copy when generating NTLM hash commit #8131

  • covscan: free encryption types in case there is an error commit #8131

  • Become FreeIPA 4.6.7 commit

  • Do not run trust upgrade code if master lacks Samba bindings commit #8001

  • adtrust: add default read_keys permission for TDO objects commit #8067

  • add default access control when migrating trust objects commit #8067

  • ipasam: use SID formatting calls to libsss_idmap commit #7893

  • Use unicode strings for Python 2 version commit #6951

  • ipa-extdom-extop: test timed out getgrgid_r commit #8044

  • Revert back to git snapshots commit

Anuja More (13)#

  • Mark test to skip sssd-1.16.3 [sssd/issue/4073] commit

  • ipatests: User and group with same name should not break reading AD user data. commit

  • Mark xfail for tests using sssd-1.16.3 commit

  • ipatests: Added test when 2FA prompting configurations is set. commit

  • Mark xfail for sssd-version 1.16.3 commit

  • ipatests: SSSD should fetch external groups without any limit. commit

  • Add sssd.py in nightly ipa-4-6.yaml commit

  • ipatests: Add test for ipa-extdom-extop plugin should allow @ in group name commit

  • Mark xfail for test_is_user_filtered commit

  • ipatests: filter_users should be applied correctly. commit

  • Mark xfail for test_sss_ssh_authorizedkeys() commit

  • ipatests: ‘sss_ssh_authorizedkeys user’ should return ssh key commit

  • Extdom plugin should not return error (32)/’No such object’ commit #8044

Christian Heimes (7)#

François Cami (2)#

  • adtrust.py: mention restarting sssd when adding trust agents commit #8148

  • prci_definitions: add master_3client topology commit #8026

Florence Blanc-Renaud (28)#

  • ipatests: fix group-add-member in test_sssd commit #8238

  • ipatests: fix KeyError in test_sssd commit #8238

  • xmlrpc tests: add a test for idview-apply on a master commit #5662

  • idviews: prevent applying to a master commit #5662

  • ipa-adtrust-install: remote command fails if ipa-server-trust-ad pkg missing commit #7600

  • ipatests: add test for ipa-adtrust-install --add-agents commit #7600

  • ipa-adtrust-install: run remote configuration for new agents commit #7600

  • Privilege: add a helper checking if a principal has a given privilege commit #7600

  • ipatests: fix TestSubCAkeyReplication commit

  • ipatests: fix modify_sssd_conf() commit

  • test: add non-reg test checking pkinit after server install commit #7795

  • pkinit setup: fix regression on master install commit #7795

  • ipatests: add integration test for pkinit enable on replica commit #7795

  • pkinit enable: use local dogtag only if host has CA commit #7795

  • ipatests: fix backup and restore commit #8170

  • ipa-cacert-manage man page: fix indentation commit #8138

  • trust upgrade: ensure that host is member of adtrust agents commit

  • ipatests: fix test_ca_custom_sdn commit #8126

  • smartcard: make the ipa-advise script compatible with authselect/authconfig commit #8113

  • ipa-backup: fix python2 issue with os.mkdir commit #8099

  • ipa-server-certinstall manpage: add missing options commit #8086

  • ipatests: fix test_replica_promotion.py::TestHiddenReplicaPromotion commit #8070

  • ipatests: add XMLRPC test for user-add when UPG plugin is disabled commit #4972

  • ipa user_add: do not check group if UPG is disabled commit #4972

  • replica install: enforce --server arg commit #7566

  • check for single-label domains only during server install commit #8058

  • xmlrpc test: add test for preserved > stage user commit #7597

  • user-stage: transfer all attributes from preserved to stage user commit #7597

Fraser Tweedale (8)#

  • Do not renew externally-signed CA as self-signed commit #8176

  • test_integration: add tests for custom CA subject DN commit #8084

  • upgrade: fix ipakra people entry ‘description’ attribute commit #8084

  • krainstance: set correct issuer DN in uid=ipakra entry commit #8084

  • Bump krb5 min version commit

  • CustodiaClient: fix IPASecStore config on ipa-4-7 commit #7964

  • CustodiaClient: use ldapi when ldap_uri not specified commit #7964

  • Handle missing LWCA certificate or chain commit #7964

Gaurav Talreja (1)#

  • Normalize test definitions titles commit

Ganna Kaihorodova (1)#

  • TestBasicADTrust.test_ipauser_authentication commit #7470

Jayesh Garg (2)#

  • Test if ipactl starts services stopped by systemctl commit

  • Test for ipa-ca-install on replica commit

Kaleemullah Siddiqui (1)#

  • Tests for autounmembership feature commit

Mohammad Rizwan Yusuf (7)#

  • ipatests: Test if slew mode is not set while configuring ntpd commit #8242

  • Test if schema-compat-entry-attribute is set commit #8193

  • Test if schema-compat-entry-attribute is set commit #8193

  • Add promote option to install_replica() method commit #8152

  • Add test to nightly.yaml commit

  • Installation of replica against a specific server commit #7566

  • Check file ownership and permission for dirsrv log instance commit #7725

ndehadra (1)#

  • Hidden Replica: Add a test for Automatic CRL configuration commit #7307

Rob Crittenden (11)#

  • Don’t configure ntpd with -x commit #8242

  • Test that pwpolicy only applied on Kerberos entries commit

  • Add ability to change a user password as the Directory Manager commit

  • Don’t save password history on non-Kerberos accounts commit

  • Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit commit #8164

  • CVE-2019-10195: Don’t log passwords embedded in commands in calls using batch commit

  • ipa-restore: Restore ownership and perms on 389-ds log directory commit #7725

  • Report if a certmonger CA is missing commit #7870

  • Don’t log host passwords when they are set/modified commit #8017

  • Disable deprecated-lambda check in adtrust upgrade code commit

  • Don’t return SSH keys with ipa host-find --pkey-only commit #8029

Robbie Harwood (3)#

  • Fix NULL pointer dereference in maybe_require_preauth() commit

  • Log INFO message when LDAP connection fails on startup commit

  • Fix segfault in ipadb_parse_ldap_entry() commit

Sumit Bose (2)#

  • ipa_sam: remove dependency to talloc_strackframe.h commit

  • extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT commit #8044

Stanislav Levin (2)#

Sergey Orlov (24)#

  • ipatests: remove test_ordering commit

  • ipatests: add test_trust suite to nightly runs commit

  • ipatests: add workaround for unfixed sssd bug in Fedora 27 commit

  • ipatests: use less strict check for error message commit

  • ipatests: provide AD admin password when trying to establish trust commit #7895

  • ipatests: remove workaround for pylint error no-name-in-module commit #8220

  • ipatests: temporary disable pylint check no-name-in-module commit #8220

  • ipatests: remove invalid parameter from sssd.conf commit #8219

  • ipatests: use remote_sssd_config to modify sssd.conf commit #8219

  • ipatests: replace utility for editing sssd.conf commit #8219

  • ipatests: update docstring to reflect changes in FileBackup.restore() commit

  • ipatests: refactor FileBackup helper commit #8115

  • ipatests: fix collection of tests from test_trust suite commit

  • Add convenient template for temp commits commit

  • ipatests: add test_winsyncmigrate suite to nightly runs commit

  • ipatests: fix compatibility with python2 (import ConfigParser) commit

  • ipatests: add new utilities for file management commit

  • ipatests: add utility functions related to using and managing user accounts commit

  • ipatests: add check that ipa-adtrust-install generates sane smb.conf commit #6951

  • ipatests: add test to check that only TLS 1.2 is enabled in Apache commit #7995

  • ipatests: modify run_command to allow specify successful return codes commit

  • ipatests: in DNS zone file add A record for name server commit

  • ipatests: strip newline character when getting name of temp file commit

  • ipatests: fix DNS forwarders setup for AD trust tests with non-root domains commit

Sumedh Sidhaye (2)#

  • Added a test to check if ipa host-find --pkey-only does not return SSH public key commit #8029

  • Test: Test to check whether ssh from ipa client to ipa master is successful after adding ldap_deref_threshold=0 in sssd.conf commit

Simo Sorce (1)#

  • Make sure to have storage space for tag commit

Serhii Tsymbaliuk (2)#

  • WebUI: Fix notification area layout commit #8120

  • Web UI: Upgrade Bootstrap version 3.3.7 -> 3.4.1 commit #8239

Tibor Dudlák (1)#

  • Add container environment check to replicainstall commit #6210

Tomas Halman (4)#

  • extdom: add extdom protocol documentation commit

  • extdom: use sss_nss_*_timeout calls commit

  • extdom: plugin doesn’t use timeout in blocking call commit

  • extdom: plugin doesn’t allow @ in group name commit