The FreeIPA team would like to announce the FreeIPA 4.6.8 release!
It can be downloaded from http://www.freeipa.org/page/Downloads.
Highlights in 4.6.8
5662: ID Views: do not allow custom Views for the masters
Custom ID views cannot be applied to IPA masters. A check was added to both the IPA CLI and the Web UI to prevent applying custom ID views to masters, avoiding confusion and unintended side effects.
6783: [RFE] Host-group names command rename
Host groups can now be renamed with the IPA CLI: ‘ipa hostgroup-mod group-name --rename new-name’. Protected host groups (‘ipaservers’) cannot be renamed.
7181: ipa-replica-prepare fails for 2nd replica when passwordHistory is enabled
The FreeIPA password policy plugin in 389-ds was extended to exempt non-Kerberos LDAP objects from Kerberos policy checks during password changes performed by the Directory Manager or a password synchronization manager. Among others, this issue affected the integrated CA administrator account during deployment of more than one replica in some cases.
8236: Enforce a check to prevent adding objects from IPA as external members of external groups
The ‘ipa group-add-member’ command allowed any user or group to be specified for the ‘--external’ option. A stricter check was added to verify that a group or user to be added as an external member does not come from the IPA domain.
8239: Actualize Bootstrap version
The Bootstrap JavaScript framework used by the FreeIPA web UI was updated to version 3.4.1.
Enhancements
Known Issues
Bug fixes
FreeIPA 4.6.8 is a stabilization release for the features delivered as part of the 4.6 version series.
There are more than 50 bug fixes; details can be seen in the list of resolved tickets below.
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.
Resolved tickets
#4972 (rhbz#1206690) check for existence of private group is done even if UPG definition is disabled
#5662 (rhbz#1404770) ID Views: do not allow custom Views for the masters
#6210 (rhbz#1364139, rhbz#1751951) When master’s IP address does not resolve to its name, ipa-replica-install fails
#6783 (rhbz#1430365) [RFE] Host-group names command rename
#6951 (rhbz#1449133) Update samba config file and use sss idmap module
#7181 (rhbz#1545755) ipa-replica-prepare fails for 2nd replica when passwordHistory is enabled
#7307 (rhbz#1518939) RFE: Extend IPA to support unadvertised replicas
#7470 TestBasicADTrust.test_ipauser_authentication is failing with error “Confidentiality required”
#7566 (rhbz#1591824) Installation of replica against a specific master
#7597 (rhbz#1583950) IPA: IDM drops all custom attributes when moving account from preserved to stage
#7600 (rhbz#1585020) Enable compat tree to provide information about AD users and groups on trust agents
#7725 (rhbz#1636765) ipa-restore set wrong file permissions and ownership for /var/log/dirsrv/slapd- directory
#7795 (rhbz#1795890) ipa-pkinit-manage enable fails on replica if it doesn’t host the CA
#7804 (rhbz#1777811) `ipa otptoken-sync` fails with stack trace
#7807 (rhbz#1752005) Detect container installation to avoid Kernel keyring
#7870 (rhbz#1680039) [certmonger][upgrade] “Failed to get request: bus, object_path and dbus_interface must not be None.”
#7893 ipasam needs changes for Samba 4.10
#7895 (rhbz#1686302) ipa trust fetch-domains, server parameter ignored
#7964 GSSAPI failure causing LWCA key replication failure on f30
#7995 (rhbz#1711172) Removing TLSv1.0, TLSv1.1 from nss.conf
#8001 Need default authentication indicators for SPAKE, PKINIT and encrypted challenge preauth
#8017 (rhbz#1817927) host-add --password logs cleartext userpassword to Apache error log
#8026 Update pr-ci definitions with master_3client topology
#8029 (rhbz#1749788) ipa host-find --pkey-only includes SSH keys in output
#8044 (rhbz#1717008) Extdom plugin should not return LDAP_NO_SUCH_OBJECT if there are timeout or other errors
#8058 (rhbz#1745108) ipa-4-6: ipa-client-install should not refuse single-label domains
#8067 (rhbz#1750700) add default access control configuration to trusted domain objects
#8070 Test failure in test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion::()::test_hidden_replica_install
#8077 New pylint 2.4.0 errors
#8082 (rhbz#1756432) Default client configuration breaks ssh in FIPS mode.
#8084 (rhbz#1758406) KRA authentication fails when IPA CA has custom Subject DN
#8086 (rhbz#1756568) ipa-server-certinstall man page does not match built-in help.
#8099 (rhbz#1762317) ipa-backup command is failing on rhel-7.8
#8102 Pylint 2.4.3 + Astroid 2.3.2 errors
#8113 (rhbz#1755535) ipa-advise on a RHEL7 IdM server is not able to generate a configuration script for a RHEL8 IdM client
#8115 Nightly test failure in fedora-30/test_smb and fedora-29/test_smb
#8120 (rhbz#1769791) Invisible part of notification area in Web UI intercepts clicks of some page elements
#8126 Nightly test failure in fedora-27/test_ca_custom_sdn
#8131 (rhbz#1777920) covscan memory leaks report
#8138 (rhbz#1780548) Man page ipa-cacert-manage does not display correctly on RHEL
#8148 (rhbz#1782587) add “systemctl restart sssd” to warning message when adding trust agents to replicas
#8152 ipatests: Enhance install_replica() method with promote option for ipa-4-6
#8164 (rhbz#1788907) Renewed certs are not picked up by IPA CAs
#8170 Nightly test failure in fedora-rawhide/test_backup_and_restore_TestBackupReinstallRestoreWithDNS
#8176 External CA is tracked for renewals and replaced with a self-signed certificate
#8193 (rhbz#1801791) Re-order 50-externalmembers.update to be after 80-schema_compat.update
#8213 Test failure in Travis CI: missing IPv6 loopback interface
#8219 ipatests: unify editing of sssd.conf
#8220 Pylint for python2 complains about import from ipaplatform
#8221 (rhbz#1812169) Secure AJP connector between Dogtag and Apache proxy
#8236 (rhbz#1809835) Enforce a check to prevent adding objects from IPA as external members of external groups
#8238 Nightly test failure in fedora-27/test_sssd
#8239 Actualize Bootstrap version
#8242 (rhbz#1788718) ipa-server-install incorrectly setting slew mode (-x) when setting up ntpd
Detailed changelog since 4.6.7
Armando Neto (2)
Alexander Bokovoy (24)
Return to development snapshots commit
Become FreeIPA 4.6.8 commit
Update list of contributors commit
Add ‘api’ and ‘aci’ targets to make commit
ipa-pwd-extop: don’t check password policy for non-Kerberos account set by DM or a passsync manager commit #7181
ipatests: test sysaccount password change with a password policy applied commit #7181
ipatests: allow changing sysaccount passwords as cn=Directory Manager commit #7181
Fix indentation levels commit
Prevent adding IPA objects as external members of external groups commit #8236
Secure AJP connector between Dogtag and Apache proxy commit #8221
install/updates: move external members past schema compat update commit #8193
covscan: free ucs2-encoded password copy when generating NTLM hash commit #8131
covscan: free encryption types in case there is an error commit #8131
Become FreeIPA 4.6.7 commit
Do not run trust upgrade code if master lacks Samba bindings commit #8001
adtrust: add default read_keys permission for TDO objects commit #8067
add default access control when migrating trust objects commit #8067
ipasam: use SID formatting calls to libsss_idmap commit #7893
Revert back to git snapshots commit
Anuja More (13)
Mark test to skip sssd-1.16.3 [sssd/issue/4073] commit
ipatests: User and group with same name should not break reading AD user data. commit
Mark xfail for tests using sssd-1.16.3 commit
ipatests: Added test when 2FA prompting configurations is set. commit
Mark xfail for sssd-version 1.16.3 commit
ipatests: SSSD should fetch external groups without any limit. commit
Add sssd.py in nightly ipa-4-6.yaml commit
ipatests: Add test for ipa-extdom-extop plugin should allow @ in group name commit
Mark xfail for test_is_user_filtered commit
ipatests: filter_users should be applied correctly. commit
Mark xfail for test_sss_ssh_authorizedkeys() commit
ipatests: ‘sss_ssh_authorizedkeys user’ should return ssh key commit
Extdom plugin should not return error (32)/’No such object’ commit #8044
Christian Heimes (7)
François Cami (2)
Florence Blanc-Renaud (28)
xmlrpc tests: add a test for idview-apply on a master commit #5662
ipa-adtrust-install: remote command fails if ipa-server-trust-ad pkg missing commit #7600
ipatests: add test for ipa-adtrust-install --add-agents commit #7600
ipa-adtrust-install: run remote configuration for new agents commit #7600
Privilege: add a helper checking if a principal has a given privilege commit #7600
ipatests: fix TestSubCAkeyReplication commit
ipatests: fix modify_sssd_conf() commit
test: add non-reg test checking pkinit after server install commit #7795
ipatests: add integration test for pkinit enable on replica commit #7795
pkinit enable: use local dogtag only if host has CA commit #7795
trust upgrade: ensure that host is member of adtrust agents commit
smartcard: make the ipa-advise script compatible with authselect/authconfig commit #8113
ipa-server-certinstall manpage: add missing options commit #8086
ipatests: fix test_replica_promotion.py::TestHiddenReplicaPromotion commit #8070
ipatests: add XMLRPC test for user-add when UPG plugin is disabled commit #4972
ipa user_add: do not check group if UPG is disabled commit #4972
check for single-label domains only during server install commit #8058
xmlrpc test: add test for preserved > stage user commit #7597
user-stage: transfer all attributes from preserved to stage user commit #7597
Fraser Tweedale (8)
Do not renew externally-signed CA as self-signed commit #8176
test_integration: add tests for custom CA subject DN commit #8084
upgrade: fix ipakra people entry ‘description’ attribute commit #8084
krainstance: set correct issuer DN in uid=ipakra entry commit #8084
Bump krb5 min version commit
CustodiaClient: fix IPASecStore config on ipa-4-7 commit #7964
CustodiaClient: use ldapi when ldap_uri not specified commit #7964
Gaurav Talreja (1)
Normalize test definitions titles commit
Ganna Kaihorodova (1)
Jayesh Garg (2)
Kaleemullah Siddiqui (1)
Tests for autounmembership feature commit
Mohammad Rizwan Yusuf (7)
ndehadra (1)
Rob Crittenden (11)
Test that pwpolicy only applied on Kerberos entries commit
Add ability to change a user password as the Directory Manager commit
Don’t save password history on non-Kerberos accounts commit
Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit commit #8164
CVE-2019-10195: Don’t log passwords embedded in commands in calls using batch commit
ipa-restore: Restore ownership and perms on 389-ds log directory commit #7725
Don’t log host passwords when they are set/modified commit #8017
Disable deprecated-lambda check in adtrust upgrade code commit
Don’t return SSH keys with ipa host-find --pkey-only commit #8029
Robbie Harwood (3)
Sumit Bose (2)
Stanislav Levin (2)
Sergey Orlov (24)
ipatests: remove test_ordering commit
ipatests: add test_trust suite to nightly runs commit
ipatests: add workaround for unfixed sssd bug in Fedora 27 commit
ipatests: use less strict check for error message commit
ipatests: provide AD admin password when trying to establish trust commit #7895
ipatests: remove workaround for pylint error no-name-in-module commit #8220
ipatests: temporary disable pylint check no-name-in-module commit #8220
ipatests: remove invalid parameter from sssd.conf commit #8219
ipatests: use remote_sssd_config to modify sssd.conf commit #8219
ipatests: replace utility for editing sssd.conf commit #8219
ipatests: update docstring to reflect changes in FileBackup.restore() commit
ipatests: fix collection of tests from test_trust suite commit
Add convenient template for temp commits commit
ipatests: add test_winsyncmigrate suite to nightly runs commit
ipatests: fix compatibility with python2 (import ConfigParser) commit
ipatests: add new utilities for file management commit
ipatests: add utility functions related to using and managing user accounts commit
ipatests: add check that ipa-adtrust-install generates sane smb.conf commit #6951
ipatests: add test to check that only TLS 1.2 is enabled in Apache commit #7995
ipatests: modify run_command to allow specify successful return codes commit
ipatests: in DNS zone file add A record for name server commit
ipatests: strip newline character when getting name of temp file commit
ipatests: fix DNS forwarders setup for AD trust tests with non-root domains commit
Sumedh Sidhaye (2)
Simo Sorce (1)
Make sure to have storage space for tag commit