Ctrl+K

Highlights in 4.6.90.pre2

The FreeIPA team would like to announce FreeIPA 4.6.90.pre2 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 28 and rawhide will be available in the Fedora repositories.

Highlights in 4.6.90.pre2#

The major new features of this release are:

  • Switch from using mod_nss for the Apache TLS engine to using mod_ssl. Upgrading will move the certificates and keys from /etc/httpd/alias to /var/lib/ipa/certs/.

  • Switch time client and server from ntp to chrony.

  • Switch from using authconfig to authselect to configure the PAM stack.

  • Kerberos clients can now use SPAKE to strengthen their handshake with a FreeIPA KDC based on elliptic curve cryptography. See IETF draft draft-ietf-kitten-krb-spake-preauth-05 and relevant portions of krb5.conf(5) and kdc.conf(5) for details. SPAKE is enabled for new IPA servers and clients by default.

  • Thanks to our translation volunteers, FreeIPA 4.6.90.pre2 sees a major update for Chinese, French, Russian, and Ukrainian languages.

Known Issues#

Bug fixes#

FreeIPA 4.6.90.pre2 is a preview release for the features delivered as a part of 4.7.0.

There are more than 70 bug-fixes details of which can be seen ina the list of resolved tickets below.

Upgrading#

Upgrade instructions are available on Upgrade page.

Feedback#

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.

Resolved tickets#

  • 7530 external CA replica installation fails with CA_UNREACHABLE

  • 7529 AVC denials and errors for IPA server installed on Fedora28

  • 7524 ipa-client-install fails because of missing file /usr/share/ipa/freeipa.template

  • 7523 external CA installation: step two reports self-signed configuration

  • 7520 ipa certmap-match throwing “ipa: ERROR: an internal error has occurred”

  • 7519 Adding SSH keys for AD users as I created overrides

  • 7518 Improve Custodia client and key distribution handling

  • 7515 ipa-advise config-server-for-smart-card-auth refers to nss.conf despite the migration to ssl.conf

  • 7514 Allow to create Kerberos services without a corresponding host object

  • 7513 Allow Kerberos services to be members of IPA groups

  • 7512 Missing dependency for freeipa-client: python3-augeas

  • 7510 validate_selinuxuser does not allow a period in selinux user identifier

  • 7508 Trust tests for Posix support are failing with Assertion Error None on Windows Server 2016

  • 7507 ui_tests: extend test_user suite

  • 7505 WebUI tests: Extend netgroup tests

  • 7503 multiple occurrences of profileId in certprofile causes incorrect behaviour

  • 7499 Integration tests dns_location in regards of check NTP records failing

  • 7498 [F28] CA replica fails with could not find certificate named “caSigningCert cert-pki-ca”

  • 7496 csrgen fails if subject base contains lower-case attribute names

  • 7490 installutils.set_directive doesn’t handle debian ssl.conf properly

  • 7489 Test test_caless_TestCertInstall is failing in nightly

  • 7488 Set nsds5ReplicaReleaseTimeout on all replicas and databases

  • 7486 Allow hosts to delete their own services

  • 7485 Extending webui user group test

  • 7484 Load ipaclient.csrgen on demand to speed up CLI

  • 7478 [F28] ipa-backup fails with “Failed to execute authconfig command”

  • 7474 ipa-server-install –uninstall on replica fails with “NoOptionError: No option ‘ldap_uri’ in section: ‘global’”

  • 7473 ERROR: No valid Negotiate header in server response

  • 7470 TestBasicADTrust.test_ipauser_authentication is failing with error “Confidentiality required”

  • 7469 ipa-replica-prepare fail with “stat: path should be string, bytes, os.PathLike or integer, not NoneType”

  • 7468 test_host.py::test_host::test_crud is failing in nightly tests

  • 7466 [F28] Replica installs fails with CA_REJECTED caused by ACIError

  • 7463 test_webui: add user life-cycles tests

  • 7461 Hardening of topology plugin to prevent erronous deletion of a replica agreement

  • 7459 [RFE] replica-install: warn when only one CA exists in topology

  • 7458 ui_tests: extend test_hostgroup.py suite

  • 7456 ipa otptoken-add should use LDAP Whoami call

  • 7454 Upgrade from F27 to F28 produces an error while updating ipa.conf.template

  • 7450 “This entry already exists” error when upgrading on IPA 4.5

  • 7442 Replication agreement status incorrectly checked

  • 7441 ui_tests: extend test_service.py suite

  • 7436 ipa: Please log something after restarting the KDC

  • 7427 User Administrator doesn’t have enough privileges to edit homeDirectory attribute

  • 7426 DogtagInstance.backup_config creates backup with wrong owner

  • 7425 ipa-server-install with different IP fails on /usr/sbin/pkispawn -s CA

  • 7424 Improve Realm Domains doc text

  • 7421 Store HTTPD private keys encrypted

  • 7415 CA installer need to check availability of port 8080

  • 7410 ipa-replica-install –add-agents option doesn’t install trust-agent on replica

  • 7377 Investigate and define plan of authconfig replacement in FreeIPA

  • 7376 clear sssd cache when uninstalling client

  • 7366 RFE: ipa client should setup openldap for GSSAPI

  • 7330 ipa-server-install –uninstall does not return error code on error

  • 7183 /etc/gssproxy/10-ipa.conf not removed on uninstall

  • 7095 [tracker] please rotate & compress /var/lib/pki/pki-tomcat/logs/ca/debug

  • 7041 [ipa-replica-install] - KDC has no support for encryption type - reoccurence in multireplica scenario

  • 7024 freeipa depends on ntp

  • 6884 ipa group-del gives ipa: ERROR: Insufficient access: but still deletes group

  • 6843 ipa-backup does not create log file at /var/log/

  • 5776 webui: some data disappear from user details page after the save action is performed

  • 5673 contrib/nssciphersuite/nssciphersuite.py raising error in tests

  • 4853 Utilize system-wide crypto-policies

Detailed changelog since 4.6.90.pre1#

Alexander Bokovoy (13)#

  • group: allow services as members of groups

  • service: allow creating services without a host to manage them

  • group-del: add a warning to logs when password policy could not be removed

  • idoverrideuser-add: allow adding ssh key in web ui

  • ACL: Allow hosts to remove services they manage

  • install: validate AD trust-related options in installers

  • replication: support error messages from 389-ds 1.3.5 or later

  • upgrade: treat duplicate entry when updating as not an error

  • Allow anonymous access to parentID attribute

  • upgrade: Run configuration upgrade under empty ccache collection

  • use LDAP Whoami command when creating an OTP token

  • Update template directory with new variables when upgrading ipa.conf.template

  • Processing of server roles should ignore errors.EmptyResult

Alexey Slaykovsky (1)#

  • Make tox tests to generate results in JUnit XML

amitkuma (5)#

  • RFE: ipa client should setup openldap for GSSAPI

  • Correcting detect typo in server.m4

  • Correction of management spelling.

  • clear sssd cache when uninstalling client

  • clear sssd cache when uninstalling client

Anuja More (2)#

  • Adding test-cases for ipa-cacert-manage

  • Adding test-cases for ipa-cacert-manage

Christian Heimes (32)#

  • Revert “Validate the Directory Manager password”

  • Create missing /etc/httpd/alias for ipasession.key

  • Only run subset of external CA tests

  • Require Dogtag 10.6.1

  • Require nss with fix for nickname bug

  • ipa-client package needs sssd-tool

  • Make ipatests’ create_external_ca a script

  • Load certificate files as binary data

  • Remove contrib/nssciphersuite

  • Compatibility with pytest 3.4

  • Use shutil to copy file

  • Use single Custodia instance in installers

  • Add augeas dependency to client package

  • Create users in server-common pre hook

  • Require 389-ds-base >= 1.4.0.8-1

  • CA replica PKCS12 workaround for SQL NSSDB

  • Add nsds5ReplicaReleaseTimeout to replica config

  • Fix Python dependencies

  • Remove os.chdir() from test_ipap11helper

  • certdb: Move chdir into subprocess call

  • Provide ldap_uri in Custodia uninstaller

  • Defer import of ipaclient.csrgen

  • Require more recent glibc on F27

  • Load librpm on demand for IPAVersion

  • Fix installer CA port check for port 8080

  • Temporarily disable authconfig backup and restore

  • Cleanup and remove more files on uninstall

  • Fix compatibility with latest pytest

  • More cleanup after uninstall

  • Require Dogtag PKI >= 10.6

  • Keep owner when backing up CA.cfg

  • Pylint 1.8.3 fixes

Felipe Barreto (10)#

  • Fixing tests on TestReplicaManageDel

  • Fixing TestCASpecificRUVs::test_replica_uninstall_deletes_ruvs

  • Fixing TestBackupAndRestore::test_full_backup_and_restore_with_removed_users

  • Adding GSSPROXY_CONF to be backed up on ipa-backup

  • Reverting commit 6b145bf3e696e6d40b74055ccdf8d14da7828a09

  • Fix TestSubCAkeyReplication providing the right path to pki log

  • temp commit: adding test to PR CI run

  • Adding right parameters to install IPA in TestInstallMasterReservedIPasForwarder

  • Changing Django’s CoC to reflect FreeIPA CoC

  • Adding Django’s Code of Conduct

Florence Blanc-Renaud (8)#

  • authselect migration: use stable interface to query current config

  • authselect test: skip test if authselect is not available

  • ipa-advise: adapt config-client-for-smart-card-auth to authselect

  • Revert commit d705320ec136abc2fcf524f2b63a76d3fc0ba97a

  • New tests for authselect migration

  • Migration from authconfig to authselect

  • ipa-advise config-server-for-smart-card-auth: use mod-ssl

  • ipa-replica-install: make sure that certmonger picks the right master

Fraser Tweedale (12)#

  • install: fix reported external CA configuration

  • csrgen: fix when attribute shortname is lower case

  • csrgen: drive-by docstring

  • csrgen: support initialising OpenSSL adaptor with key object

  • py3: fix csrgen error handling

  • certprofile: add tests for config profileId scenarios

  • certprofile: reject config with multiple profileIds

  • Fix upgrade (update_replica_config) in single master mode

  • Add commentary about PKI admin password

  • Fix upgrade when named.conf does not exist

  • replica-install: warn when there is only one CA in topology

  • install: configure dogtag status request timeout

Ganna Kaihorodova (5)#

  • Fix trust tests for Posix Support

  • Fix for integration tests dns_locations

  • Fix in IPA’s multihost fixture

  • TestBasicADTrust.test_ipauser_authentication

  • Fix for test TestInstallMasterReservedIPasForwarder

Takeshi MIZUTA (1)#

  • Fix some typos in man page

Michal Reznik (18)#

  • ui_tests: introduce new test_misc cases file

  • ui_driver: extension and modifications related to test_user

  • ui_tests: extend test_user suite

  • test_web_ui: extend ui_driver methods

  • test_webui: add user life-cycles tests

  • ui_tests: run ipa-get/rmkeytab command on UI host

  • ui_tests: select_combobox() fixes

  • ui_tests: test cancel and delete without button

  • ui_tests: make associations cancelable

  • ui_tests: add function to run cmd on UI host

  • ui_tests: add funcs to add/remove users public SSH key

  • ui_tests: add assert_field_required()

  • ui_tests: add assert_notification()

  • ui_tests: add more test cases

  • ui_tests: add more test cases to test_certification

  • ui_tests: add_service() support func in test_service

  • ui_tests: add_host() support func in test_service

  • ui_tests: change get_http_pkey() function

Varun Mylaraiah (3)#

  • WebUI tests: Extend netgroup tests with more scenarios

  • Fixed improper clean-up in test_host::test_kerberos_flags added closing the notification in kerberos flags

  • WebUI tests: Extend user group tests with more scenarios

Pavel Picka (1)#

  • WebUI Hostgroups tests cases added

Petr Vobornik (4)#

  • webui: refresh complex pages after modification

  • Fix order of commands in test for removing topology segments

  • webui tests: fix test_host:test_crud failure

  • realm domains: improve doc text

Rob Crittenden (16)#

  • Fix certificate retrieval in ipa-replica-prepare for DL0

  • Disable message about log in ipa-backup if IPA is not configured

  • Use a regex in installutils.get_directive instead of line splitting

  • Handle whitespace, add separator to regex in set_directive_lines

  • Validate the Directory Manager password before starting restore

  • Log service start/stop/restart message

  • Update project metadata in ipasetup.py.in

  • Allow dot as a valid character in an selinux identity name

  • Remove xfail from CALes test test_http_intermediate_ca

  • Some PKCS#12 errors are reported with full path names

  • ipa-server-certinstall failing, unknown option realm

  • Revert run_pk12util part of 807a5cbe7cc52690336c5095ec6aeeb0a4e8483c

  • Break out of teardown in test_replica_promotion.py if no config

  • Remove the Continuous installer class, it is unused

  • Return a value if exceptions are raised in server uninstall

  • VERSION.m4: Set back to git snapshot

Robbie Harwood (2)#

  • Move krb5 snippet into freeipa-client-common

  • Enable SPAKE support using krb5.conf.d snippet

Stanislav Laznicka (11)#

  • Allow user administrator to change user homedir

  • mod_ssl: add SSLVerifyDepth for external CA installs

  • Add absolute_import to test_authselect

  • Fix typo in ipa-getkeytab –help

  • Add absolute_import future imports

  • replica-install: pass –ip-address to client install

  • ipa_backup: Backup the password to HTTPD priv key

  • Fix upgrading of FreeIPA HTTPD

  • Remove py35 env from tox testing

  • Encrypt httpd key stored on disk

  • Dogtag configs: rename deprecated options

Thierry Bordaz (1)#

  • Hardening of topology plugin to prevent erronous deletion of a replica agreement

Tibor Dudlák (14)#

  • Use temporary pid file for chronyd -q task

  • Fix format string passed to pytest-multihost

  • Configure chrony with pool when server not set

  • Add enabling chrony daemon when not configured

  • Remove unnecessary option –force-chrony

  • Remove NTP server role while upgrading

  • Removes NTP server role from servroles and description

  • Update man pages for FreeIPA client, replica and server install

  • Adding method to ipa-server-upgrade to cleanup ntpd

  • Add –ntp-pool option to installers

  • FreeIPA server is time synchronization client only

  • Replace ntpd with chronyd in installation

  • Add dependency and paths for chrony

  • Removes ntp from dependencies and behave as there is always -N option

Contents