The FreeIPA team would like to announce the FreeIPA 4.8.0 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 30 will be available in the official COPR repository.
Highlights in 4.8.0
Enhancements
FreeIPA 4.8.0 is a major release. Below is the list of noticeable changes between FreeIPA 4.7 and 4.8.0:
Removal or deprecation of weak ciphers
Following a general effort to harden FreeIPA deployments, FreeIPA 4.8.0 removes default support for weak ciphers. 3DES and RC4 ciphers are no longer available for use in Kerberos, and, in addition, Camellia ciphers are not available when FreeIPA is deployed in FIPS mode. The only permitted ciphers are the AES family (called aes, which is the combination of aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128).
DES, RC4, and Camellia are not permitted in FIPS mode by the underlying system crypto libraries. While 3DES is permitted, the KDF used for it in the Kerberos V protocol is not, and Microsoft does not implement 3DES anyway.
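As an added example (not FreeIPA's own code), the Python script below parses a constructed listing in the format of "klist -ke" and flags keytab entries whose encryption type falls outside the set this release permits. It treats Camellia as blocked only in FIPS mode, which is this example's reading of the text above; 3DES, RC4 and DES are flagged everywhere.

```python
import re

# Enctypes that remain available in FreeIPA 4.8.0 (the "aes" family named above).
AES_ENCTYPES = {
    "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha1-96",
    "aes256-cts-hmac-sha384-192",
    "aes128-cts-hmac-sha256-128",
}
# Assumption for this example: Camellia is blocked only in FIPS mode.
CAMELLIA_ENCTYPES = {"camellia128-cts-cmac", "camellia256-cts-cmac"}

# One keytab entry line as printed by klist -ke: "<kvno> <principal> (<enctype>)"
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


def weak_keytab_entries(klist_output, fips=False):
    """Return (principal, enctype) for every keytab entry whose enctype is
    no longer permitted; header and separator lines are skipped."""
    allowed = set(AES_ENCTYPES)
    if not fips:
        allowed |= CAMELLIA_ENCTYPES
    flagged = []
    for line in klist_output.splitlines():
        match = KLIST_LINE.match(line)
        if not match:
            continue  # "Keytab name:", "KVNO Principal" and the dashed rule
        _kvno, principal, enctype = match.groups()
        if enctype not in allowed:
            flagged.append((principal, enctype))
    return flagged


# Constructed sample in klist -ke format; not captured from a real system.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ipa.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 host/ipa.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   2 host/ipa.example.test@EXAMPLE.TEST (camellia256-cts-cmac)
   1 host/ipa.example.test@EXAMPLE.TEST (des3-cbc-sha1)
   1 host/ipa.example.test@EXAMPLE.TEST (arcfour-hmac)
"""

if __name__ == "__main__":
    for fips in (False, True):
        print("FIPS mode:", fips)
        for principal, enctype in weak_keytab_entries(SAMPLE_KLIST, fips=fips):
            print("  %s: %s is no longer permitted" % (principal, enctype))
```

On a real host the input would be the output of "klist -ke /etc/krb5.keytab" (or a service keytab); entries flagged here are keys that a 4.8.0 KDC will no longer serve and that should be re-keyed.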
3999: [RFE] Fix and Document how to set up Samba File Server with IPA
FreeIPA 4.8.0 introduces a tool to configure a Samba file server on an IPA client. The tool, “ipa-client-samba”, performs the Samba configuration and creates all required services on the IPA side. Both the client side and the server side (IPA master) require FreeIPA 4.8.0 due to the multiple changes introduced. Please see the domain controller and domain member design documents for more details.
4440: Add support for bounce_url to /ipa/ui/reset_password.html
The /ipa/ui/reset_password.html page accepts a url parameter to provide the user with a back link after a successful password reset, to support resets initiated by external web applications. An additional parameter, delay, automatically redirects back after the specified number of seconds has elapsed.
4491: Use lib389 to install 389-ds instead of setup-ds.pl
FreeIPA now uses the Python-based installer (lib389) for the 389-ds directory server.
4580: FreeIPA’s LDAP server requires SASL security strength factor of >= 56
The original FreeIPA 4.7.90.pre1 set the FreeIPA LDAP server default configuration to require a SASL security strength factor higher than 56 bits. However, this change caused “realmd” and other enrollment tools to fail, as they expected to be able to retrieve certain information from the FreeIPA LDAP server unauthenticated. The change to the server configuration was backed out. We intend to revisit this hardening later in the FreeIPA 4.8 series.
5608: Tech preview: add Dogtag configuration extensions
The FreeIPA team has started a rewrite of the Certificate Authority configuration to make it possible to pass additional options when configuring Dogtag. This is required to allow the use of hardware security modules (HSMs) within the FreeIPA CA, but also to allow tuning of CA defaults. HSM configuration is not yet fully available due to a number of open issues in Dogtag itself.
5803: Add utility to promote CA replica to CRL master
A new utility was added to promote a CA replica to be the CRL master. The design page provides more details and usage examples.
6077: Support One-Way Trust authenticated by trust secret
Samba integration was updated to allow establishing a trust to Active Directory from the Windows side using the Trust wizard. This allows establishing a one-way trust authenticated by a shared trust secret. Additionally, it allows establishing a trust with Samba AD DC 4.7 or later, initiated from the Samba AD DC side.
6790: Allow creating IPA CA with 3084-bit key.
The default CA key size is raised from 2048 to 3072 bits because that is the size recommended by NIST. An extensibility feature added with ticket 5608 allows increasing the CA key size further, but a 4096-bit key is considerably slower. The change only affects new deployments. There is no way to upgrade an existing CA infrastructure other than issuing a new CA key and re-issuing new certificates to all existing users of the old root CA. In addition, lightweight sub-CAs are currently hard-coded to a 2048-bit key size. All relevant public root CAs in the CA/B Forum use 2048-bit RSA keys and SHA-256 PKCS#1 v1.5 signatures.
7193: Warn or adjust umask if it is too restrictive to break installation
FreeIPA deployment now enforces its own umask settings, which are known to work at install time at hardened sites that follow some of the STIG recommendations.
7200: ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not
The command ipa-pkinit-manage enable|disable reported success even though the PKINIT certificate was not re-issued. The command triggers the request of a new certificate (signed by the IPA CA when state=enable, self-signed when disabled), but because the certificate file was still present, certmonger did not create a new request and the existing certificate was kept.
The fix deletes the certificate and key files before calling certmonger to request a new certificate.
7206: Provide an option to include FQDN in IDM topology graph
In the replication topology graph visualization, it is now possible to see a fully qualified name of the server. This change helps to reduce confusion when managing complex multi-datacenter topologies.
7365: make kdcproxy errors in httpd error log less annoying in case AD KDCs are not reachable
The log level for technical messages from the KDC proxy was reduced to keep logs clean.
7451: Allow issuing certificates with IP addresses in subjectAltName
FreeIPA now allows issuing certificates with IP addresses in the subject alternative name (SAN), if all of the following are true:
One of the DNS names in the SAN resolves to the IP address (possibly through a CNAME).
All of the DNS entries in the resolution chain are managed by this IPA instance.
The IP address has a (correct) reverse DNS entry that is managed by this IPA instance.
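The three conditions above, as an added example that is not FreeIPA's own validation code: the Python function below checks a requested IP address SAN against constructed DNS data, where a name-to-record map and a set of managed zone names stand in for the IPA DNS backend. It treats the reverse entry as correct when it points at the SAN name or at a name on that name's CNAME chain; that reading of "correct" is an assumption made here.

```python
import ipaddress


def _is_managed(name, managed_zones):
    """True if `name` lies in a zone this IPA instance manages (assumed data)."""
    return any(name == zone or name.endswith("." + zone) for zone in managed_zones)


def _resolve_chain(name, records, managed_zones):
    """Follow CNAMEs from `name` to an A/AAAA record.

    Returns (address, chain) on success, where chain lists every name visited,
    or (None, reason) if a name is unmanaged, missing, or the chain loops."""
    chain = []
    while True:
        if name in chain:
            return None, "CNAME loop at %s" % name
        chain.append(name)
        if not _is_managed(name, managed_zones):
            return None, "%s is not managed by this IPA instance" % name
        record = records.get(name)
        if record is None:
            return None, "%s has no DNS record" % name
        rtype, value = record
        if rtype == "CNAME":
            name = value
            continue
        if rtype in ("A", "AAAA"):
            return value, chain
        return None, "%s has unsupported record type %s" % (name, rtype)


def ip_san_allowed(dns_names, ip, records, managed_zones):
    """Apply the three conditions for an IP address SAN. Returns (allowed, reason)."""
    ip = ipaddress.ip_address(ip)
    chain = None
    # Conditions 1 and 2: some SAN DNS name resolves to the IP, entirely via managed zones.
    for san_name in dns_names:
        address, info = _resolve_chain(san_name, records, managed_zones)
        if address is not None and ipaddress.ip_address(address) == ip:
            chain = info
            break
    if chain is None:
        return False, "no SAN DNS name resolves to %s through managed zones" % ip
    # Condition 3: a managed reverse entry exists and points back at the chain.
    ptr_name = ip.reverse_pointer
    if not _is_managed(ptr_name, managed_zones):
        return False, "reverse zone for %s is not managed by this IPA instance" % ip
    ptr = records.get(ptr_name)
    if ptr is None or ptr[0] != "PTR":
        return False, "%s has no reverse DNS entry" % ip
    if ptr[1] not in chain:
        return False, "reverse entry %s does not match %s" % (ptr[1], " -> ".join(chain))
    return True, "ok"


# Constructed DNS data standing in for the IPA DNS backend (not from a real deployment).
RECORDS = {
    "www.example.test": ("CNAME", "web.example.test"),
    "web.example.test": ("A", "192.0.2.10"),
    "10.2.0.192.in-addr.arpa": ("PTR", "web.example.test"),
    "alias.example.test": ("CNAME", "host.other.test"),   # chain leaves managed zones
    "host.other.test": ("A", "192.0.2.20"),
    "20.2.0.192.in-addr.arpa": ("PTR", "host.other.test"),
    "noptr.example.test": ("A", "192.0.2.30"),            # no reverse entry
    "mismatch.example.test": ("A", "192.0.2.40"),
    "40.2.0.192.in-addr.arpa": ("PTR", "someone-else.example.test"),
}
MANAGED_ZONES = {"example.test", "2.0.192.in-addr.arpa"}

if __name__ == "__main__":
    for names, ip in [
        (["www.example.test"], "192.0.2.10"),
        (["alias.example.test"], "192.0.2.20"),
        (["noptr.example.test"], "192.0.2.30"),
        (["mismatch.example.test"], "192.0.2.40"),
    ]:
        allowed, reason = ip_san_allowed(names, ip, RECORDS, MANAGED_ZONES)
        print("%s for %s: %s (%s)" % (ip, ", ".join(names), allowed, reason))
```

Only the first sample request passes: the others fail on an unmanaged name in the CNAME chain, a missing reverse entry, and a reverse entry that points elsewhere, which are the three ways a request can violate the conditions listed above.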
7568: FreeIPA no longer supports Python 2
Python 2 related code and configuration were removed from the spec file, autoconf and the CI infrastructure. From now on, FreeIPA 4.8 requires at least Python 3.6. Python 2 packages like python2-ipaserver or python2-ipaclient are no longer available. PR-CI, lint, and tox no longer test Python 2 compatibility.
7632: Allow IPA Services to Start After the IPA Backup Has Completed
ipa-backup gathers all the files needed for the backup, then compresses them and finally restarts the IPA services. When the backup is large, the compression may take time and widen the unavailability window. This fix restarts the services as soon as all the required files are gathered, and compresses them after the services are restarted.
7619, 7640, 7641: UI migration, password reset and configuration pages support translations
Static pages in the FreeIPA web UI now allow translated content.
7658: sysadm_r should be included in default SELinux user map order
sysadm_r is a standard SELinux user role included in Red Hat Enterprise Linux.
7667: Use only TLS 1.2 by default
TLS 1.3 is causing some trouble with client certificate authentication: conditional client certificate authentication requires the post-handshake authentication extension on TLS 1.3, and this new feature is not fully implemented yet. TLS 1.0 and 1.1 are no longer state of the art and are now disabled by default. TLS 1.2 works everywhere and supports perfect forward secrecy (PFS).
7689: Domain Level 0 is no longer supported
Code to support operation on Domain Level 0 is removed. In order to upgrade to FreeIPA 4.8.0 via replication, an existing deployment must first be brought up to Domain Level 1.
7716: [RFE] remove “last init status” from ipa-replica-manage list if it’s None.
If a supplier or consumer of LDAP replication data has never done a total update, its status is no longer shown in the “ipa-replica-manage list” output.
7747: Support interactive prompt for NTP options for FreeIPA
FreeIPA now asks the user for an NTP source server or pool address in interactive mode if neither a server nor a pool is specified and autodiscovery has not found any NTP source in DNS records.
7892: hidden / unadvertised IPA replica
A hidden replica is an IPA master server that is not advertised to clients or other masters. Hidden replicas have all services running and available, but none of the services has any DNS SRV records or enabled LDAP server roles. This makes hidden replicas invisible to service discovery. The design document provides more details on use cases and management of hidden replicas.
PyPI packages have fewer dependencies
The official PyPI packages ipalib, ipapython, ipaplatform, and ipaclient no longer depend on the binary extensions netifaces and python-ldap by default.
Known Issues
Bug fixes
FreeIPA 4.8.0 is the first stable release in the 4.8 series.
There are more than 50 bug fixes since the 4.7.90.pre1 pre-release. Details of the bug fixes can be seen in the list of resolved tickets below. Changes for 4.7.90.pre1 can be found on the 4.7.90.pre1 release page.
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on Freenode.
Resolved tickets
#2018 Change hostname length limit to 64
#3999 [RFE] Fix and Document how to set up Samba File Server with IPA
#4812 Switch nsslapd-unhashed-pw-switch to nolog
#5062 [WebUI] Unlock option is enabled for all user.
#6077 [RFE] Support One-Way Trust authenticated by trust secret
#6627 WebUI: Enable pagination
#7139 Traceback is seen when modification is done for user from ID Views - Default Trust View Tab.
#7647 Error message should be more useful while ipa-backup fails for insufficient space
#7667 When setting up mod_ssl, define range of the TLS protocols within the system-wide crypto policy
#7716 [RFE] remove “last init status” from ipa-replica-manage list if it’s None.
#7761 External CA renewal accepts issuer key < 2048-bit
#7836 print appropriate message when uninstalling non-existent IPA client
#7885 RFE: wrapper for Dogtag cert-fix command
#7895 ipa trust fetch-domains, server parameter ignored
#7917 Occasional ‘whoami.data is undefined’ error in FreeIPA web UI
#7918 ipa-client-automount needs option to specify domain
#7926 cert renewal is failing when ipa ca cert is renewed from self-signed > external ca > self-sign
#7927 Wrong logic in ipactl restart leads to start instead of restart pki-tomcatd
#7928 cn=cacert could show expired certificate
#7930 Interactive prompt for NTP options after install check.
#7934 ipa-server-common expected file permissions in package don’t match runtime permissions
#7937 `build_requestinfo` crashes in OpenSSL1.1.0+ environments
#7939 Upgrade failure when ipa-server-upgrade is being run on a system with no trust established but trust configured
#7940 ipatests.test_integration.test_legacy_clients failure
#7941 ipapython/dn_ctypes.py: libldap_r shared library missing
#7942 WebUI test for automount is broken
#7943 [FIPS] Use PKCS#8 instead of weaker traditional OpenSSL private key format
#7948 [FIPS] Use 3DES for certificate encryption when creating a PKCS#12
#7951 IPA i18n_messages call does not obey translations requests
#7952 ipa-backup file logging does not work
#7953 ipa-pwd-extop: do not remove MagicRegen mod, replace it
#7956 Ipatests don’t honor TMPDIR, TEMP or TMP environment variables
#7959 ipa-client-install fails to add SSH public keys that are missing a whitespace as the last character
#7960 tests are failing to create secure LDAP connection in some test configurations
#7962 Different pycodestyle results: Travis vs Azure
#7963 x509.Name -> ipapython.dn.DN does not handle multi-valued RDNs
#7964 GSSAPI failure causing LWCA key replication failure on f30
#7965 Stop using 389-ds legacy tools for backup and restore
#7969 test failure in test_caless.py::TestServerInstall
#7970 test failure in test_backup_and_restore.py::TestBackupAndRestore
#7972 automember rebuild sometimes appears to return before the rebuild is complete
#7974 Nightly test failure in ipatests.test_integration.test_user_permissions.TestUserPermissions
#7977 tox 3.8.0+ fails on `make wheel_bundle`
#7978 Missing configuration point for the default shell of user/admin
#7981 Pytest4.x warnings
#7982 Cannot modify TTL with ipa dnsrecord-mod --ttl alone on command line
#7983 Staged user is not being recognized if the user entry doesn’t have an objectClass “posixaccount”
#7984 make sure ‘make fastlint’ processes Python .in files
#7986 Increase debugging level of certmonger
#7988 test_nfs.py: errors when running ipa-client-automount
#7990 Assumptions about systemd name of `named`
#7992 ipa upgrade fails with trust entry already exists
#7996 `test_selinuxusermap_plugin` fails against not default SELinux settings
#7998 Use system-wide crypto policy in TLS client
#7999 download errors in dnf in Azure pipelines
Detailed changelog since 4.7.90.pre1
Alexander Bokovoy (35)
Become IPA 4.8.0
translations: update from Zanata Spanish and Ukrainian translations
Set up CI with Azure Pipelines
prci: add test_integration/test_smb to the gating set #3999
ipa-client-samba: a tool to configure Samba domain member on IPA client #3999
ipaserver.plugins.service: add service-add-smb to set up an SMB service #3999
adtrust: update Samba domain controller keytab with host keys #3999
kdb: support SMB services on IPA domain members #3999
ipapython.ipautil.run: allow skipping stdout/stderr logging #3999
ipaserver.install.installutils: move commonly used utils to ipapython.ipautil #3999
adtrust: add design document for Samba domain member on IPA client #3999
trust-fetch-domains: make sure we use right KDC when --server is specified #7895
adtrust upgrade: fix wrong primary principal name, part 2 #7992
adtrust upgrade: fix wrong primary principal name #7992
azure tests: make sure /etc/docker folder exists
ipa-pwd-extop: do not remove MagicRegen mod, replace it #7953
test_ipagetkeytab: test retrieval of explicit encryption types #7953
Keytab retrieval: allow requesting arcfour-hmac for SMB services
test_ipagetkeytab: factor out DM password reader #7953
test_ipagetkeytab: allow testing LDAP connection beyond bind operation #7953
LDAPCreate: allow callers to override objectclasses #7953
Azure Pipelines: run fast linter in case of a pull request build
Azure Pipelines: simplify test job definitions
ipa-run-tests: add support of globs for test targets and ignores
i18n_messages: get back a locale needed for testing #7951
azure-run-tests: handle single unexpanded parameter too
Use nodejs 1.10 to avoid current issues with nodejs 1.11 in Fedora 30
upgrade: adtrust - catch empty result when retrieving list of trusts #7939
Revert “Require a minimum SASL security factor of 56”
Turn master branch back after pre-release tagging
Armando Neto (4)
Anuja More (1)
ipatests: POSIX attributes are no longer overwritten or missing
Adam Williamson (1)
Correct default fontawesome path (broken by da2cf1c5)
Christian Heimes (14)
Bump release number to 4.7.91
Forbid imports of ipaserver and install packages
integration plugins import ldif
Don’t import ipaserver in conf.py
Replace imports from ipaserver
Delay import of SSSDConfig
Use PKCS#8 instead of traditional privkey format #7943
Import urllib submodules
François Cami (14)
Introduce minimal ipa-client-automount.in and ipactl.in #7984
ipa_client_automount.py and ipactl.py: fix codestyle #7984
Move ipa-client-automount.in and ipactl into modules #7984
test_nfs.py: change pr-ci configuration to run on master_2repl_1client
ipatests: add proper timeouts to nfs.py
ipa-client-automount: fix ‘--idmap-domain DNS’ logic #7988
nfs.py: fix user creation
Hidden replica documentation: fix typo
ipa_backup.py: replace /var/lib/ipa/backup with paths.IPA_BACKUP_DIR
ipatests: add tests for the new NFSv4 domain option of ipa-client-automount #7918
ipa-client-automount: add knob to configure NFSv4 Domain (idmapd.conf) #7918
Florence Blanc-Renaud (14)
ipatests: fix ipatests/test_xmlrpc/test_dns_plugin.py #7982
XMLRPC tests: add new test for ipa dnsrecord-mod $ZONE $RECORD --ttl #7982
dnsrecord-mod: allow to modify ttl without passing the record #7982
ipatests: add a test for stageuser-find with non-posix account #7983
ipatests: fix TestUserPermissions::test_selinux_user_optimized #7974
ipatests: fix test_backup_and_restore.py::TestBackupAndRestore #7970
ipatests: add integration test for ipa-replica-manage list #7716
CA: set ipaconfigstring:compatCA in cn=DOMAIN IPA CA #7928
ipatests: add integration test checking the files mode #7934
Fraser Tweedale (15)
.gitignore: add ipa-cert-fix program
ipa-cert-fix: fix spurious renewal master change #7885
ipa-cert-fix: handle ‘pki-server cert-fix’ failure #7885
cainstance: add function to determine ca_renewal nickname #7885
dn: handle multi-valued RDNs in Name conversion #7963
German Parente (1)
Kaleemullah Siddiqui (2)
Mohammad Rizwan Yusuf (1)
Rob Crittenden (14)
Add test_smb to nightly Fedora 30 test suite
Remove DES3 and RC4 enctypes from Kerberos
Don’t configure disabled krb5 enctypes in FIPS mode
For Fedora and RHEL use system-wide crypto policy for mod_ssl #7667
Log the raised message when DNS check_zone_overlap fails
admintool: don’t display log file on errors unless logging is setup #7952
tests: Wait for automember rebuild --no-wait tasks to finish #7972
Fix expected return code in tests when server is uninstalled #7836
Return 0 on uninstall when on_master for case of not installed #7836
Drop list of return values to be ignored in AdminTool #7836
When reading SSH pub key don’t assume last character is newline #7959
Stop using 389-ds legacy backup and restoration utilities #7965
Use AES-128-CBC for PKCS#12 encryption when creating files (FIPS) #7948
Stanislav Levin (12)
Make use of single configuration point for SELinux #7996
Fix a typo in `replace` rule of 50-ipaconfig.update #7996
Exit on fail in azure multiline script
Make use of the single configuration point for the default shells #7978
Respect TMPDIR, TEMP or TMP environment variables during testing #7956
Fix `build_requestinfo` in LibreSSL environments #7937
Fix `build_requestinfo` in OpenSSL1.1.0+ environments #7937