Ctrl+K

Highlights in 4.8.0

The FreeIPA team would like to announce FreeIPA 4.8.0 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 30 will be available in the official COPR repository.

Highlights in 4.8.0#

Enhancements#

FreeIPA 4.8.0 is a major release. Below is the list of noticeable changes between FreeIPA 4.7 and 4.8.0:

  • Removal or deprecation of weak ciphers

Following a general effort to harden FreeIPA deployments, FreeIPA 4.8.0 removes default support for weak ciphers. 3DES and RC4 ciphers are not accessible for use in Kerberos anymore, and, in addition, Camelia ciphers are not accessible when FreeIPA is deployed in FIPS mode. The only permitted ciphers are the AES family (called aes, which is the combination of: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128).

DES, RC4, and Camellia are not permitted in FIPS mode by the underlying system crypto libraries. While 3DES is permitted, the KDF used for it in Kerberos V protocol is not, and Microsoft doesn’t implement 3DES anyway.

  • 3999: [RFE] Fix and Document how to set up Samba File Server with IPA

FreeIPA 4.8.0 introduces a tool to configure Samba file server on IPA client. The tool, “ipa-client-samba” performs Samba configuration and creates all required services on IPA side. Both the client side and the server side (IPA master) require FreeIPA 4.8.0 due to multiple changes introduced. Please see domain controller and domain member design documents for more details.

  • 4440: Add support for bounce_url to /ipa/ui/reset_password.html

The /ipa/ui/reset_password.html page accepts url parameter to provide the user with a back link after successful password reset, to support resets initiated by external web applications. Additional parameter delay automatically redirects back after the specified number of seconds has elapsed.

  • 4491: Use lib389 to install 389-ds instead of setup-ds.pl

FreeIPA now utilizes Python-based installer of 389-ds directory server

  • 4580: FreeIPA’s LDAP server requires SASL security strength factor of >= 56

Original FreeIPA 4.7.90.pre1 set FreeIPA LDAP server default configuration to require SASL security strength factor higher than 56 bit. However, this change caused “realmd” and other enrollment tools to fail as they expected to be able to retrieve certain information from FreeIPA LDAP server unauthenticated. The change for the server configuration was backed off. We intend to revisit this hardnening later in FreeIPA 4.8 series.

  • 5608: Tech preview: add Dogtag configuration extensions

FreeIPA team started rewrite of the Certificate Authority configuration to make possible passing additional options when configuring Dogtag. This is required to allow use of hardware secure (HSM) modules within FreeIPA CA but also to allow tuning CA defaults. HSM configuration is not yet fully available due to a number of open issues in Dogtag itself.

  • 5803: Add utility to promote CA replica to CRL master

New utility was added to promote a CA replica to be the CRL master. Design page provides more details and use examples.

  • 6077: Support One-Way Trust authenticated by trust secret

Samba integration was updated to allow establishing trust to Active Directory from Windows side using a Trust wizard. This allows to establish a one-way trust authenticated by a shared trust secret. Additionally, it allows to establish a trust with Samba AD DC 4.7 or later, initiated from Samba AD DC side.

  • 6790: Allow creating IPA CA with 3084-bit key.

CA key size default is raised to 3072 instead of 2048 because it’s the recommended size by NIST. An extensibility feature added with ticket 5608 allows increasing the CA key size further buta 4096-bit key is considerably slower. The change only affects new deployments. There is no way to upgrade existing CA infrastructure other than issuing a new CA key and re-issuing new certificates to all existing users of the old root CA. In addition, lightweight sub-CAs are currently hard-coded to 2048 bit key size. All relevant public root CAs in the CA/B forum use 2048-bit RSA keys and SHA-256 PKCS#1 v1.5 signatures.

  • 7193: Warn or adjust umask if it is too restrictive to break installation

FreeIPA deployment now enforces own umask settings that are known to work at install time at hardened sites which follow some of STIG recommendations.

  • 7200: ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not

The command ipa-pkinit-manage enable|disable is reporting success even though the PKINIT cert is not re-issued. The command triggers the request of a new certificate (signed by IPA CA when state=enable, selfsigned when disabled), but as the cert file is still present, certmonger does not create a new request and the existing certificate is kept.

The fix consists in deleting the cert and key file before calling certmonger to request a new cert.

  • 7206: Provide an option to include FQDN in IDM topology graph

In the replication topology graph visualization, it is now possible to see a fully qualified name of the server. This change helps to reduce confusion when managing complex multi-datacenter topologies.

  • 7365: make kdcproxy errors in httpd error log less annoying in case AD KDCs are not reachable

Log level for technical messages of a KDC proxy was reduced to keep logs clean.

  • 7451: Allow issuing certificates with IP addresses in subjectAltName

FreeIPA now allows issuing certificates with IP addresses in the subject alternative name (SAN), if all of the following are true:

    • One of the DNS names in the SAN resolves to the IP address (possibly through a CNAME).

    • All of the DNS entries in the resolution chain are managed by this IPA instance.

    • The IP address has a (correct) reverse DNS entry that is managed by this IPA instance

  • 7568: FreeIPA no longer supports Python 2

Removed Python 2 related code and configuration from spec file, autoconf and CI infrastructure. From now on, FreeIPA 4.8 requires at least Python 3.6. Python 2 packages like python2-ipaserver or python2-ipaclient are no longer available. PR-CI, lint, and tox aren’t testing Python 2 compatibility anymore.

  • 7632: Allow IPA Services to Start After the IPA Backup Has Completed

ipa-backup gathers all the files needed for the backup, then compresses the file and finally restarts the IPA services. When the backup is a large file, the compression may take time and widen the unavailabity window. This fix restarts the services as soon as all the required files are gathered, and compresses after services are restarted.

  • 7619, 7640, 7641: UI migration, password reset and configuration pages support translations

Static pages in FreeIPA web UI now allow translated content

  • 7658: sysadm_r should be included in default SELinux user map order

sysadm_r is a standard SELinux user role included in Red Hat Enterprise Linux.

  • 7667: Use only TLS 1.2 by default

TLS 1.3 is causing some trouble with client cert authentication. Conditional client cert authentication requires post-handshake authentication extension on TLS 1.3. The new feature is not fully implemented yet. TLS 1.0 and 1.1 are no longer state of the art and now disabled by default. TLS 1.2 works everywhere and supports perfect forward secrecy mode (PFS).

  • 7689: Domain Level 0 is no longer supported

Code to support operation on Domain Level 0 is removed. In order to upgrade to FreeIPA 4.8.0 via replication, an existing deployment must first be brought up to Domain Level 1.

  • 7716: [RFE] remove “last init status” from ipa-replica-manage list if it’s None.

If a supplier or consumer of LDAP replication data has never done a total update, its status is not shown anymore in “ipa-replica-manage list” output

  • 7747: Support interactive prompt for NTP options for FreeIPA

FreeIPA now asks user for NTP source server or pool address in interactive mode if there is no server nor pool specified and autodiscovery has not found any NTP source in DNS records.

  • 7892: hidden / unadvertised IPA replica

A hidden replica is an IPA master server that is not advertised to clients or other masters. Hidden replicas have all services running and available, but none of the services has any DNS SRV records or enabled LDAP server roles. This makes hidden replicas invisible for service discovery. Design document provides more details on use cases and management of hidden replicas.

  • PyPI packages have fewer dependencies

The official PyPI packages ipalib, ipapython, ipaplatform, and ipaclient no longer depend on the binary extensions netifaces and python-ldap by default.

Known Issues#

Bug fixes#

FreeIPA 4.8.0 is a first stable release in 4.8 series.

There are more than 50 bug-fixes since 4.7.90pre1 pre-release. Details of the bug-fixes can be seen in the list of resolved tickets below. Changes for 4.7.90pre1 can be found at 4.7.90.pre1 release page

Upgrading#

Upgrade instructions are available on Upgrade page.

Feedback#

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.

Resolved tickets#

  • #2018 Change hostname length limit to 64

  • #3999 [RFE] Fix and Document how to set up Samba File Server with IPA

  • #4812 Switch nsslapd-unhashed-pw-switch to nolog

  • #5062 [WebUI] Unlock option is enabled for all user.

  • #6077 [RFE] Support One-Way Trust authenticated by trust secret

  • #6627 WebUI: Enable pagination

  • #7139 Traceback is seen when modification is done for user from ID Views - Default Trust View Tab.

  • #7647 Error message should be more useful while ipa-backup fails for insufficient space

  • #7667 When setting up mod_ssl, define range of the TLS protocols within the system-wide crypto policy

  • #7716 [RFE] remove “last init status” from ipa-replica-manage list if it’s None.

  • #7761 External CA renewal accepts issuer key < 2048-bit

  • #7836 print appropriate message when uninstalling non-existent IPA client

  • #7885 RFE: wrapper for Dogtag cert-fix command

  • #7895 ipa trust fetch-domains, server parameter ignored

  • #7917 Occasional ‘whoami.data is undefined’ error in FreeIPA web UI

  • #7918 ipa-client-automount needs option to specify domain

  • #7926 cert renewal is failing when ipa ca cert is renewed from self-signed > external ca > self-sign

  • #7927 Wrong logic in ipactl restart leads to start instead of restart pki-tomcatd

  • #7928 cn=cacert could show expired certificate

  • #7930 Interactive promt for NTP options after install check.

  • #7934 ipa-server-common expected file permissions in package don’t match runtime permissions

  • #7937 `build_requestinfo` crashes in OpenSSL1.1.0+ enviroments

  • #7939 Upgrade failure when ipa-server-upgrade is being run on a system with no trust established but trust configured

  • #7940 ipatests.test_integration.test_legacy_clients failure

  • #7941 ipapython/dn_ctypes.py: libldap_r shared library missing

  • #7942 WebUI test for automount is broken

  • #7943 [FIPS] Use PKCS#8 instead of weaker traditional OpenSSL private key format

  • #7948 [FIPS] Use 3DES for certificate encryption when creating a PKCS#12

  • #7951 IPA i18n_messages call does not obey translations requests

  • #7952 ipa-backup file logging does not work

  • #7953 ipa-pwd-extop: do not remove MagicRegen mod, replace it

  • #7956 Ipatests don’t honor TMPDIR, TEMP or TMP environment variables

  • #7959 ipa-client-install fails to add SSH public keys that are missing a whitespace as the last character

  • #7960 tests are failing to create secure LDAP connection in some test configurations

  • #7962 Different pycodestyle results: Travis vs Azure

  • #7963 x509.Name -> ipapython.dn.DN does not handle multi-valued RDNs

  • #7964 GSSAPI failure causing LWCA key replication failure on f30

  • #7965 Stop using 389-ds legacy tools for backup and restore

  • #7969 test failure in test_caless.py::TestServerInstall

  • #7970 test failure in test_backup_and_restore.py::TestBackupAndRestore

  • #7972 automember rebuild sometimes appears to return before the rebuild is complete

  • #7974 Nightly test failure in ipatests.test_integration.test_user_permissions.TestUserPermissions

  • #7977 tox 3.8.0+ fails on `make wheel_bundle`

  • #7978 Missing configuration point for the default shell of user/admin

  • #7981 Pytest4.x warnings

  • #7982 Cannot modify TTL with ipa dnsrecord-mod –ttl alone on command line

  • #7983 Staged user is not being recognized if the user entry doesn’t have an objectClass “posixaccount”

  • #7984 make sure ‘make fastlint’ processes Python .in files

  • #7986 Increase debugging level of certmonger

  • #7988 test_nfs.py: errors when running ipa-client-automount

  • #7990 Assumptions about systemd name of `named`

  • #7992 ipa upgrade fails with trust entry already exists

  • #7996 `test_selinuxusermap_plugin` fails against not default SELinux settings

  • #7998 Use system-wide crypto policy in TLS client

  • #7999 download errors in dnf in Azure pipelines

Detailed changelog since 4.7.90pre1#

Alexander Bokovoy (35)#

  • Become IPA 4.8.0 commit

  • translations: update from Zanata Spanish and Ukrainian translations commit

  • Set up CI with Azure Pipelines commit

  • prci: add test_integration/test_smb to the gating set commit #3999

  • ipa-client-samba: a tool to configure Samba domain member on IPA client commit #3999

  • ipaserver.plugins.service: add service-add-smb to set up an SMB service commit #3999

  • adtrust: update Samba domain controller keytab with host keys commit #3999

  • kdb: support SMB services on IPA domain members commit #3999

  • ipasam: add handling of machine accounts commit #3999

  • ipasam: add lookup of an account by SID commit #3999

  • ipapython.ipautil.run: allow skipping stdout/stderr logging commit #3999

  • ipaserver.install.installutils: move commonly used utils to ipapython.ipautil commit #3999

  • adtrust: add design document for Samba domain member on IPA client commit #3999

  • trust-fetch-domains: make sure we use right KDC when –server is specified commit #7895

  • adtrust upgrade: fix wrong primary principal name, part 2 commit #7992

  • adtrust upgrade: fix wrong primary principal name commit #7992

  • azure tests: make sure /etc/docker folder exists commit

  • ipa-pwd-extop: do not remove MagicRegen mod, replace it commit #7953

  • test_ipagetkeytab: test retrieval of explicit encryption types commit #7953

  • Keytab retrieval: allow requesting arcfour-hmac for SMB services commit

  • test_ipagetkeytab: factor out DM password reader commit #7953

  • test_ipagetkeytab: allow testing LDAP connection beyond bind operation commit #7953

  • ldap2.can_read: fix py3 compatibility commit #7953

  • LDAPCreate: allow callers to override objectclasses commit #7953

  • Azure Pipelines: run fast linter in case of a pull request build commit

  • Azure Pipelines: simplify test job definitions commit

  • ipa-run-tests: add support of globs for test targets and ignores commit

  • i18n_messages: get back a locale needed for testing commit #7951

  • test_legacy_clients: fix class inheritance commit #7940

  • fix selenium imports in automount web UI test commit #7942

  • azure-run-tests: handle single unexpanded parameter too commit

  • Use nodejs 1.10 to avoid current issues with nodejs 1.11 in Fedora 30 commit

  • upgrade: adtrust - catch empty result when retrieving list of trusts commit #7939

  • Revert “Require a minimum SASL security factor of 56” commit

  • Turn master branch back after pre-release tagging commit

Armando Neto (4)#

  • prci: fix nightly_master test definitions commit

  • prci: bump ci-master-f30 template commit

  • Add Fedora 30 test definitions and bump template version commit

  • Bump PR-CI template version commit

Anuja More (1)#

  • ipatests: POSIX attributes are no longer overwritten or missing commit

Adam Williamson (1)#

  • Correct default fontawesome path (broken by da2cf1c5) commit

Christian Heimes (14)#

  • Use system-wide crypto policy for TLS ciphers commit #7998

  • Use only TLS 1.2 by default commit #7667

  • Increase default debug level of certmonger commit #7986

  • Replace PYTHONSHEBANG with valid shebang commit #7984

  • Fix CustodiaClient ccache handling commit #7964

  • Bump release number to 4.7.91 commit

  • Forbid imports of ipaserver and install packages commit

  • integration plugins import ldif commit

  • Don’t import ipaserver in conf.py commit

  • Replace imports from ipaserver commit

  • Delay import of SSSDConfig commit

  • Use PKCS#8 instead of traditional privkey format commit #7943

  • Load libldap_r-*.so.2 commit #7941

  • Import urllib submodules commit

François Cami (14)#

  • Make dnf more robust and faster commit #7999

  • Makefile.am: add .in files to fastlint target commit #7984

  • Introduce minimal ipa-client-automount.in and ipactl.in commit #7984

  • ipa_client_automount.py and ipactl.py: fix codestyle commit #7984

  • Move ipa-client-automount.in and ipactl into modules commit #7984

  • test_nfs.py: change pr-ci configuration to run on master_2repl_1client commit

  • ipatests: add proper timeouts to nfs.py commit

  • ipa-client-automount: fix ‘–idmap-domain DNS’ logic commit #7988

  • nfs.py: fix user creation commit

  • Hidden replica documentation: fix typo commit

  • ipa_backup.py: replace /var/lib/ipa/backup with paths.IPA_BACKUP_DIR commit

  • ipa-backup: better error message if ENOSPC commit #7647

  • ipatests: add tests for the new NFSv4 domain option of ipa-client-automount commit #7918

  • ipa-client-automount: add knob to configure NFSv4 Domain (idmapd.conf) commit #7918

Florence Blanc-Renaud (14)#

  • ipatests: fix ipatests/test_xmlrpc/test_dns_plugin.py commit #7982

  • XMLRPC tests: add new test for ipa dsnrecord-mod $ZONE $RECORD –ttl commit #7982

  • dnsrecord-mod: allow to modify ttl without passing the record commit #7982

  • ipatests: add a test for stageuser-find with non-posix account commit #7983

  • stageuser-find: fix search with non-posix user commit #7983

  • ipatests: fix TestUserPermissions::test_selinux_user_optimized commit #7974

  • ipatests: fix test_backup_and_restore.py::TestBackupAndRestore commit #7970

  • ipatests: fix test_caless.py commit #7969

  • ipatests: add integration test for ipa-replica-manage list commit #7716

  • NSSDatabase: fix get_trust_chain commit #7926

  • ipatests: CA renewal must refresh cn=CAcert commit #7928

  • CA: set ipaconfigstring:compatCA in cn=DOMAIN IPA CA commit #7928

  • ipatests: add integration test checking the files mode commit #7934

  • Fix expected file permissions for ghost files commit #7934

Fraser Tweedale (15)#

  • Handle missing LWCA certificate or chain commit #7964

  • dn: sort AVAs when converting from x509.Name commit #7963

  • .gitignore: add ipa-cert-fix program commit

  • avoid realm_to_serverid deprecation warning commit #7885

  • ipa-cert-fix: fix spurious renewal master change commit #7885

  • ipa-cert-fix: handle ‘pki-server cert-fix’ failure commit #7885

  • require Dogtag 10.7.0-1 commit #7885

  • ipa-cert-fix: use customary exit statuses commit #7885

  • ipa-cert-fix: add man page commit #7885

  • Add ipa-cert-fix tool commit #7885

  • constants: add ca_renewal container commit #7885

  • cainstance: add function to determine ca_renewal nickname commit #7885

  • Extract ca_renewal cert update subroutine commit #7885

  • add test for external CA key size sanity check commit #7761

  • dn: handle multi-valued RDNs in Name conversion commit #7963

German Parente (1)#

  • ipa-replica-manage: remove “last init status” if it’s None. commit #7716

Kaleemullah Siddiqui (2)#

  • Tests for autounmembership feature commit

  • Order of master and replica corrected in logger.info commit

Mohammad Rizwan Yusuf (1)#

  • Test if ipactl restart restarts the pki-tomcatd commit #7927

Rob Crittenden (14)#

  • Add test_smb to night Fedora 30 test suite commit

  • Remove DES3 and RC4 enctypes from Kerberos commit

  • Don’t configure disabled krb5 enctypes in FIPS mode commit

  • For Fedora and RHEL use system-wide crypto policy for mod_ssl commit #7667

  • Log the raised message when DNS check_zone_overlap fails commit

  • admintool: don’t display log file on errors unless logging is setup commit #7952

  • tests: Wait for automember rebuild –no-wait tasks to finish commit #7972

  • Fix expected return code in tests when server is uninstalled commit #7836

  • Return 0 on uninstall when on_master for case of not installed commit #7836

  • Drop list of return values to be ignored in AdminTool commit #7836

  • When reading SSH pub key don’t assume last character is newline commit #7959

  • Stop using 389-ds legacy backup and restoration utilities commit #7965

  • Add knob to limit hostname length commit #2018

  • Use AES-128-CBC for PKCS#12 encryption when creating files (FIPS) commit #7948

Stanislav Levin (12)#

  • Make use of single configuration point for SELinux commit #7996

  • Fix a typo in `replace` rule of 50-ipaconfig.update commit #7996

  • Exit on fail in azure multiline script commit

  • Make use of `named` well-known service commit #7990

  • Make use of the single configuration point for the default shells commit #7978

  • Fix Pytest4.x warning about `message` commit #7981

  • Fix Pytest4.1+ warnings about pytest.config commit #7981

  • Resolve tox substitutions to absolute paths commit #7977

  • Make `pycodestyle` results identical commit #7962

  • Respect TMPDIR, TEMP or TMP environment variables during testing commit #7956

  • Fix `build_requestinfo` in LibreSSL environments commit #7937

  • Fix `build_requestinfo` in OpenSSL1.1.0+ environments commit #7937

Sergey Orlov (2)#

  • ipatests: allow to relax security of LDAP connection from controller to IPA host commit #7960

  • ipatests: new tests for establishing one-way AD trust with shared secret commit #6077

Serhii Tsymbaliuk (4)#

  • WebUI: Fix automount maps pagination commit #6627

  • WebUI: Disable ‘Unlock’ action for users with no password commit #5062

  • WebUI: Fix ‘user not found’ traceback on user ID override details page commit #7139

  • Fix occasional ‘whoami.data is undefined’ error in FreeIPA web UI commit #7917

Thierry Bordaz (1)#

  • Switch nsslapd-unhashed-pw-switch to nolog commit #4812

Tibor Dudlák (4)#

  • Add SMB attributes for users commit #3999

  • Remove unreachable code commit

  • ipatests: Add Unattended option to external ca task commit #7930

  • Moving prompt for NTP options to install_check commit #7930

Contents