The FreeIPA team would like to announce the FreeIPA 4.7.2 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 29 and Fedora 28 will be available in the official COPR repository and also published to Fedora 28 and Fedora 29 updates.

Highlights in 4.7.2

Bugfixes to make FreeIPA 4.7 work well on Fedora 29 and RHEL 8.0 beta.

Known Issues

Bug fixes

FreeIPA 4.7.2 is a stabilization release for the features delivered as part of the 4.7 release series.

There are more than 10 bug fixes, details of which can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on Freenode.

Resolved tickets

  • 7779 Update PR-CI definitions to use Fedora 29

  • 7776 authselect 1.0.2 fails on unknown feature

  • 7772 pylint 2.2.0 violations

  • 7769 Installer does not detect that kadmin port 749/UDP is blocked

  • 7767 make fasttest errors because of missing python3-lib389

  • 7758 pylint-2.1.1 errors on Fedora 29

  • 7754 Replace archaic term messagebus with dbus

  • 7753 CID 323644: logically dead code in ipaserver.install.adtrust.py

  • 7741 Smart card advise script uses hard-coded Python interpreter

  • 7729 Bad output on failed client installation rollback

  • 7728 RFE: Validation and better error messages when novajoin fails because of SSL errors

  • 7723 NTP options fails on ipa replica

  • 7671 Remove --no-sssd and --noac options

  • 7658 [RFE] sysadm_r should be included in default SELinux user map order

  • 7651 ipa-replica-install --setup-kra broken on DL1

  • 7408 ipa-replica-install command should display proper message on the console.

  • 5378 Incorrect error message at wrong password from private key file

Detailed changelog since 4.7.1

Alexander Bokovoy (6)

  • Become IPA 4.7.2

  • ipa-kdb: reduce LDAP operations timeout to 30 seconds

  • ipa-4-7: merge translations from zanata

  • ipaserver.install.adtrust: fix CID 323644

  • net groupmap: force using empty config when mapping Guests

  • adtrust: define Guests mapping after creating cifs/ principal

Adam Williamson (1)

  • Fix authselect invocations to work with 1.0.2

Christian Heimes (35)

  • Update temp commit template to F29

  • Increase debugging for blocked port 749 and 464

  • Address misc pylint issues in CLI scripts

  • pylint: also verify scripts

  • pylint: Fix duplicate-string-formatting-argument

  • pylint 2.2: Fix unnecessary pass statement

  • PR-CI: Restart rpcbind when it blocks kadmin port

  • Fix pytest deprecation warning

  • certdb: validate server cert signature

  • Require pylint 2.1.1-2

  • Silence comparison-with-itself in tests

  • Fix raising-format-tuple

  • Fix various dict related pylint warnings

  • Fix Module ‘pytest’ has no ‘config’ member

  • Fix useless-import-alias

  • Fix comparison-with-callable

  • Address consider-using-in

  • Ignore consider-using-enumerate for now

  • Address inconsistent-return-statements

  • Address pylint violations in lite-server

  • Ignore W504 code style like in travis config

  • Fix test_cli_fsencoding on Python 3.7, take 2

  • Replace messagebus with modern name dbus

  • Copy-paste error in permissions plugin, CID 323649

  • Allow ipaapi user to access SSSD’s info pipe

  • Fix test_cli_fsencoding on Python 3.7

  • ipapwd_pre_mod: NULL ptr deref

  • ipadb_mspac_get_trusted_domains: NULL ptr deref

  • has_krbprincipalkey: avoid double free

  • Require Dogtag 10.6.7-3

  • Use tasks.install_master() in external_ca tests

  • Keep Dogtag’s client db in external CA step 1

  • Replace hard-coded interpreter with sys.executable

  • Don’t abuse strncpy() length limitation

  • Fix ipadb_multires resource handling

François Cami (3)

  • Add a “Find enabled services” ACI in 20-aci.update so that all users can find IPA servers and services. ACI suggested by Christian Heimes.

  • Add a shared-vault-retrieve test

  • Add sysadm_r to default SELinux user map order

Florence Blanc-Renaud (19)

  • ipatests: add upgrade test for double-encoded cacert

  • ipa upgrade: handle double-encoded certificates

  • ipatests: add xmlrpc test for user|host-find --certificate

  • ipaldap.py: fix method creating a ldap filter for IPACertificate

  • ipatests: fix test_replica_uninstall_deletes_ruvs

  • ipatests: add test for ipa-replica-install options

  • ipa-replica-install: password and admin-password options mutually exclusive

  • freeipa.spec.in: add BuildRequires for python3-lib389

  • ipatests: add integration test for “Read radius servers” perm

  • radiusproxy: add permission for reading radius proxy servers

  • tests: add xmlrpc test for ipa user-add --radius-username

  • ipa user-add: add optional objectclass for radius-username

  • ipatest: add functional test for ipa-backup

  • ipa-backup: restart services before compressing the backup

  • ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad

  • ipatests: fix path in expected error message

  • Bump requires 389-ds-base

  • ipa tests: CA less

  • certdb: provide meaningful err msg for wrong PIN

Francisco Trivino (2)

  • PR-CI: Move to Fedora 29 template, version 0.2.0

  • prci_definitions: update vagrant memory topology requirements

Fraser Tweedale (6)

  • certdb: validate certificate signatures

  • Print correct subject on CA cert verification failure

  • certdb: ensure non-empty Subject Key Identifier

  • ipaldap: avoid invalid modlist when attribute encoding differs

  • rpc: always read response

  • Restore KRA clone installation integration test

Varun Mylaraiah (1)

Petr Vobornik (1)

  • ipa-advise: update url of cacerdir_rehash tool

Rob Crittenden (10)

  • Add support for multiple certificates/formats to ipa-cacert-manage

  • Add tests for ipa-cacert-manage install

  • Enable replica install info logging to match ipa-server-install

  • Demote log message in custodia _wait_keys to debug

  • Pass a list of values into add_master_dns_records

  • Collect the client and server uninstall logs in tests

  • Fix misleading errors during client install rollback

  • Remove the authselect profile warning if sssd was not configured.

  • Handle NTP configuration in a replica server installation

  • Enable LDAP debug output in client to display TLS errors in join

Stanislav Levin (1)

  • Move ipa’s systemd tmpfiles from /var/run to /run

Sergey Orlov (2)

  • ipatests: add test for ipa-restore in multi-master configuration

  • ipatests: add test for ipa-advise for enabling sudo for admins group

sudharsanomprakash (1)

  • Don’t use deprecated Apache Access options.

Thomas Woerner (5)

  • Fix resource leak in daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c ipa_cldap_netlogon

  • Fix resource leak in client/config.c get_config_entry

  • Update annobin to fix continuous-integration/travis-ci/pr issues

  • Find orphan automember rules

  • ipaclient: Remove --no-sssd and --no-ac options