
Releases/4.6.90.pre2

Release date: 2018-05-15

The FreeIPA team would like to announce FreeIPA 4.6.90.pre2 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 28 and rawhide will be available in the Fedora repositories.

Highlights in 4.6.90.pre2

The major new features of this release are:

  • Switch from using mod_nss for the Apache TLS engine to using mod_ssl. Upgrading will move the certificates and keys from /etc/httpd/alias to /var/lib/ipa/certs/.
  • Switch time client and server from ntp to chrony.
  • Switch from using authconfig to authselect to configure the PAM stack.
  • Kerberos clients can now use SPAKE, which is based on elliptic curve cryptography, to strengthen their handshake with a FreeIPA KDC. See IETF draft draft-ietf-kitten-krb-spake-preauth-05 and the relevant portions of krb5.conf(5) and kdc.conf(5) for details. SPAKE is enabled by default for new IPA servers and clients.
  • Thanks to our translation volunteers, FreeIPA 4.6.90.pre2 sees a major update for Chinese, French, Russian, and Ukrainian languages.

Known Issues

Bug fixes

FreeIPA 4.6.90.pre2 is a preview release for the features delivered as a part of 4.7.0.

There are more than 70 bug fixes, details of which can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bug reports and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on Freenode.


Resolved tickets

  • 7530 external CA replica installation fails with CA_UNREACHABLE
  • 7529 AVC denials and errors for IPA server installed on Fedora28
  • 7524 ipa-client-install fails because of missing file /usr/share/ipa/freeipa.template
  • 7523 external CA installation: step two reports self-signed configuration
  • 7520 ipa certmap-match throwing "ipa: ERROR: an internal error has occurred"
  • 7519 Adding SSH keys for AD users as I created overrides
  • 7518 Improve Custodia client and key distribution handling
  • 7515 ipa-advise config-server-for-smart-card-auth refers to nss.conf despite the migration to ssl.conf
  • 7514 Allow to create Kerberos services without a corresponding host object
  • 7513 Allow Kerberos services to be members of IPA groups
  • 7512 Missing dependency for freeipa-client: python3-augeas
  • 7510 validate_selinuxuser does not allow a period in selinux user identifier
  • 7508 Trust tests for Posix support are failing with Assertion Error None on Windows Server 2016
  • 7507 ui_tests: extend test_user suite
  • 7505 WebUI tests: Extend netgroup tests
  • 7503 multiple occurrences of profileId in certprofile causes incorrect behaviour
  • 7499 Integration tests dns_location in regards of check NTP records failing
  • 7498 [F28] CA replica fails with could not find certificate named "caSigningCert cert-pki-ca"
  • 7496 csrgen fails if subject base contains lower-case attribute names
  • 7490 installutils.set_directive doesn't handle debian ssl.conf properly
  • 7489 Test test_caless_TestCertInstall is failing in nightly
  • 7488 Set nsds5ReplicaReleaseTimeout on all replicas and databases
  • 7486 Allow hosts to delete their own services
  • 7485 Extending webui user group test
  • 7484 Load ipaclient.csrgen on demand to speed up CLI
  • 7478 [F28] ipa-backup fails with "Failed to execute authconfig command"
  • 7474 ipa-server-install --uninstall on replica fails with "NoOptionError: No option 'ldap_uri' in section: 'global'"
  • 7473 ERROR: No valid Negotiate header in server response
  • 7470 TestBasicADTrust.test_ipauser_authentication is failing with error "Confidentiality required"
  • 7469 ipa-replica-prepare fail with "stat: path should be string, bytes, os.PathLike or integer, not NoneType"
  • 7468 test_host.py::test_host::test_crud is failing in nightly tests
  • 7466 [F28] Replica installs fails with CA_REJECTED caused by ACIError
  • 7463 test_webui: add user life-cycles tests
  • 7461 Hardening of topology plugin to prevent erronous deletion of a replica agreement
  • 7459 [RFE] replica-install: warn when only one CA exists in topology
  • 7458 ui_tests: extend test_hostgroup.py suite
  • 7456 ipa otptoken-add should use LDAP Whoami call
  • 7454 Upgrade from F27 to F28 produces an error while updating ipa.conf.template
  • 7450 "This entry already exists" error when upgrading on IPA 4.5
  • 7442 Replication agreement status incorrectly checked
  • 7441 ui_tests: extend test_service.py suite
  • 7436 ipa: Please log something after restarting the KDC
  • 7427 User Administrator doesn't have enough privileges to edit homeDirectory attribute
  • 7426 DogtagInstance.backup_config creates backup with wrong owner
  • 7425 ipa-server-install with different IP fails on /usr/sbin/pkispawn -s CA
  • 7424 Improve Realm Domains doc text
  • 7421 Store HTTPD private keys encrypted
  • 7415 CA installer need to check availability of port 8080
  • 7410 ipa-replica-install --add-agents option doesn't install trust-agent on replica
  • 7377 Investigate and define plan of authconfig replacement in FreeIPA
  • 7376 clear sssd cache when uninstalling client
  • 7366 RFE: ipa client should setup openldap for GSSAPI
  • 7330 ipa-server-install --uninstall does not return error code on error
  • 7183 /etc/gssproxy/10-ipa.conf not removed on uninstall
  • 7095 [tracker] please rotate & compress /var/lib/pki/pki-tomcat/logs/ca/debug
  • 7041 [ipa-replica-install] - KDC has no support for encryption type - reoccurence in multireplica scenario
  • 7024 freeipa depends on ntp
  • 6884 ipa group-del gives ipa: ERROR: Insufficient access: but still deletes group
  • 6843 ipa-backup does not create log file at /var/log/
  • 5776 webui: some data disappear from user details page after the save action is performed
  • 5673 contrib/nssciphersuite/nssciphersuite.py raising error in tests
  • 4853 Utilize system-wide crypto-policies

Detailed changelog since 4.6.90.pre1

Alexander Bokovoy (13)

  • group: allow services as members of groups
  • service: allow creating services without a host to manage them
  • group-del: add a warning to logs when password policy could not be removed
  • idoverrideuser-add: allow adding ssh key in web ui
  • ACL: Allow hosts to remove services they manage
  • install: validate AD trust-related options in installers
  • replication: support error messages from 389-ds 1.3.5 or later
  • upgrade: treat duplicate entry when updating as not an error
  • Allow anonymous access to parentID attribute
  • upgrade: Run configuration upgrade under empty ccache collection
  • use LDAP Whoami command when creating an OTP token
  • Update template directory with new variables when upgrading ipa.conf.template
  • Processing of server roles should ignore errors.EmptyResult

Alexey Slaykovsky (1)

  • Make tox tests to generate results in JUnit XML

amitkuma (5)

  • RFE: ipa client should setup openldap for GSSAPI
  • Correcting detect typo in server.m4
  • Correction of management spelling.
  • clear sssd cache when uninstalling client
  • clear sssd cache when uninstalling client

Anuja More (2)

  • Adding test-cases for ipa-cacert-manage
  • Adding test-cases for ipa-cacert-manage

Christian Heimes (32)

  • Revert "Validate the Directory Manager password"
  • Create missing /etc/httpd/alias for ipasession.key
  • Only run subset of external CA tests
  • Require Dogtag 10.6.1
  • Require nss with fix for nickname bug
  • ipa-client package needs sssd-tool
  • Make ipatests' create_external_ca a script
  • Load certificate files as binary data
  • Remove contrib/nssciphersuite
  • Compatibility with pytest 3.4
  • Use shutil to copy file
  • Use single Custodia instance in installers
  • Add augeas dependency to client package
  • Create users in server-common pre hook
  • Require 389-ds-base >= 1.4.0.8-1
  • CA replica PKCS12 workaround for SQL NSSDB
  • Add nsds5ReplicaReleaseTimeout to replica config
  • Fix Python dependencies
  • Remove os.chdir() from test_ipap11helper
  • certdb: Move chdir into subprocess call
  • Provide ldap_uri in Custodia uninstaller
  • Defer import of ipaclient.csrgen
  • Require more recent glibc on F27
  • Load librpm on demand for IPAVersion
  • Fix installer CA port check for port 8080
  • Temporarily disable authconfig backup and restore
  • Cleanup and remove more files on uninstall
  • Fix compatibility with latest pytest
  • More cleanup after uninstall
  • Require Dogtag PKI >= 10.6
  • Keep owner when backing up CA.cfg
  • Pylint 1.8.3 fixes

Felipe Barreto (10)

  • Fixing tests on TestReplicaManageDel
  • Fixing TestCASpecificRUVs::test_replica_uninstall_deletes_ruvs
  • Fixing TestBackupAndRestore::test_full_backup_and_restore_with_removed_users
  • Adding GSSPROXY_CONF to be backed up on ipa-backup
  • Reverting commit 6b145bf3e696e6d40b74055ccdf8d14da7828a09
  • Fix TestSubCAkeyReplication providing the right path to pki log
  • temp commit: adding test to PR CI run
  • Adding right parameters to install IPA in TestInstallMasterReservedIPasForwarder
  • Changing Django's CoC to reflect FreeIPA CoC
  • Adding Django's Code of Conduct

Florence Blanc-Renaud (8)

  • authselect migration: use stable interface to query current config
  • authselect test: skip test if authselect is not available
  • ipa-advise: adapt config-client-for-smart-card-auth to authselect
  • Revert commit d705320ec136abc2fcf524f2b63a76d3fc0ba97a
  • New tests for authselect migration
  • Migration from authconfig to authselect
  • ipa-advise config-server-for-smart-card-auth: use mod-ssl
  • ipa-replica-install: make sure that certmonger picks the right master

Fraser Tweedale (12)

  • install: fix reported external CA configuration
  • csrgen: fix when attribute shortname is lower case
  • csrgen: drive-by docstring
  • csrgen: support initialising OpenSSL adaptor with key object
  • py3: fix csrgen error handling
  • certprofile: add tests for config profileId scenarios
  • certprofile: reject config with multiple profileIds
  • Fix upgrade (update_replica_config) in single master mode
  • Add commentary about PKI admin password
  • Fix upgrade when named.conf does not exist
  • replica-install: warn when there is only one CA in topology
  • install: configure dogtag status request timeout

Ganna Kaihorodova (5)

  • Fix trust tests for Posix Support
  • Fix for integration tests dns_locations
  • Fix in IPA's multihost fixture
  • TestBasicADTrust.test_ipauser_authentication
  • Fix for test TestInstallMasterReservedIPasForwarder

Takeshi MIZUTA (1)

  • Fix some typos in man page

Michal Reznik (18)

  • ui_tests: introduce new test_misc cases file
  • ui_driver: extension and modifications related to test_user
  • ui_tests: extend test_user suite
  • test_web_ui: extend ui_driver methods
  • test_webui: add user life-cycles tests
  • ui_tests: run ipa-get/rmkeytab command on UI host
  • ui_tests: select_combobox() fixes
  • ui_tests: test cancel and delete without button
  • ui_tests: make associations cancelable
  • ui_tests: add function to run cmd on UI host
  • ui_tests: add funcs to add/remove users public SSH key
  • ui_tests: add assert_field_required()
  • ui_tests: add assert_notification()
  • ui_tests: add more test cases
  • ui_tests: add more test cases to test_certification
  • ui_tests: add_service() support func in test_service
  • ui_tests: add_host() support func in test_service
  • ui_tests: change get_http_pkey() function

Varun Mylaraiah (3)

  • WebUI tests: Extend netgroup tests with more scenarios
  • Fixed improper clean-up in test_host::test_kerberos_flags added closing the notification in kerberos flags
  • WebUI tests: Extend user group tests with more scenarios

Pavel Picka (1)

  • WebUI Hostgroups tests cases added

Petr Vobornik (4)

  • webui: refresh complex pages after modification
  • Fix order of commands in test for removing topology segments
  • webui tests: fix test_host:test_crud failure
  • realm domains: improve doc text

Rob Crittenden (16)

  • Fix certificate retrieval in ipa-replica-prepare for DL0
  • Disable message about log in ipa-backup if IPA is not configured
  • Use a regex in installutils.get_directive instead of line splitting
  • Handle whitespace, add separator to regex in set_directive_lines
  • Validate the Directory Manager password before starting restore
  • Log service start/stop/restart message
  • Update project metadata in ipasetup.py.in
  • Allow dot as a valid character in an selinux identity name
  • Remove xfail from CALes test test_http_intermediate_ca
  • Some PKCS#12 errors are reported with full path names
  • ipa-server-certinstall failing, unknown option realm
  • Revert run_pk12util part of 807a5cbe7cc52690336c5095ec6aeeb0a4e8483c
  • Break out of teardown in test_replica_promotion.py if no config
  • Remove the Continuous installer class, it is unused
  • Return a value if exceptions are raised in server uninstall
  • VERSION.m4: Set back to git snapshot

Robbie Harwood (2)

  • Move krb5 snippet into freeipa-client-common
  • Enable SPAKE support using krb5.conf.d snippet

Stanislav Laznicka (11)

  • Allow user administrator to change user homedir
  • mod_ssl: add SSLVerifyDepth for external CA installs
  • Add absolute_import to test_authselect
  • Fix typo in ipa-getkeytab --help
  • Add absolute_import future imports
  • replica-install: pass --ip-address to client install
  • ipa_backup: Backup the password to HTTPD priv key
  • Fix upgrading of FreeIPA HTTPD
  • Remove py35 env from tox testing
  • Encrypt httpd key stored on disk
  • Dogtag configs: rename deprecated options

Thierry Bordaz (1)

  • Hardening of topology plugin to prevent erronous deletion of a replica agreement

Tibor Dudlák (14)

  • Use temporary pid file for chronyd -q task
  • Fix format string passed to pytest-multihost
  • Configure chrony with pool when server not set
  • Add enabling chrony daemon when not configured
  • Remove unnecessary option --force-chrony
  • Remove NTP server role while upgrading
  • Removes NTP server role from servroles and description
  • Update man pages for FreeIPA client, replica and server install
  • Adding method to ipa-server-upgrade to cleanup ntpd
  • Add --ntp-pool option to installers
  • FreeIPA server is time synchronization client only
  • Replace ntpd with chronyd in installation
  • Add dependency and paths for chrony
  • Removes ntp from dependencies and behave as there is always -N option