The FreeIPA team would like to announce the FreeIPA 4.8.10 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.8.10

  • 8275: Support systemd-resolved

    FreeIPA DNS servers now detect systemd-resolved and configure it to pass queries through to the IPA DNS server itself.


  • 8404: Detect and fail if not enough memory is available for installation

    FreeIPA server now requires at least 1.2 GiB RAM for installation to prevent performance degradation.


  • 8488: SELinux blocks custodia key replication / retrieval for sub-CAs

    SELinux: Make sure ipa_custodia_t has the necessary rights; add dedicated policy rules for ipa-pki-retrieve-key.


  • 8490: It is not possible to edit KDC database when the FreeIPA server is running

    The kadmin.local command ‘getprincs’ is now supported.


  • 8503: pkispawn logs files are empty

    On recent versions of Dogtag PKI, pkispawn does not create logs by default, making debugging failed IPA installs impossible. Invoke pkispawn with --debug to revert to the previous behavior.


  • 8507: [WebUI] Backport jQuery patches from newer versions of the library (e.g. 3.5.0)

    Support reproducible builds for the jQuery library.


Enhancements

Known Issues

Bug fixes

FreeIPA 4.8.10 is a stabilization release for the features delivered as part of the 4.8.10 version series.

There are more than 20 bug fixes, details of which can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on Freenode.

Resolved tickets

  • #5914 (rhbz#1298288) invalid setting of DS lock table size

  • #6115 (rhbz#1357495) ipa command provides stack trace when provided with single hyphen commands

  • #7125 (rhbz#1480102) ipa-server-upgrade fails with “This entry already exists”

  • #8204 (rhbz#1810148) ipa-server-certinstall -> certmonger add_subject template-subject dbus ‘unable to set arguments’ a{sv}

  • #8248 httpd ccaches created during server upgrade aren’t cleaned up on uninstall/install

  • #8275 (rhbz#1880628) Support systemd-resolved

  • #8344 Nightly test failure in test_smb.py::TestSMB::test_smb_service_s4u2self

  • #8383 Test with dnspython 2.0

  • #8404 Detect and fail if not enough memory is available for installation

  • #8443 ipa delegation-add can add permissions and attributes several times

  • #8446 ipa dnszone-add ignores --name-from-ip option if name is given

  • #8458 auto-upgrade will never happen for existing installations

  • #8468 [pylint] new warnings on dev branch

  • #8472 [tracker] Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA

  • #8473 Nightly test failure in all webui tests: Invalid or corrupt jarfile /opt/selenium.jar

  • #8474 Mozilla’s NSS without DBM

  • #8475 Azure: tox task and virtualenv 20+

  • #8481 Nightly test failure in rawhide in tasks.configure_dns_for_trust

  • #8488 (rhbz#1868432) SELinux blocks custodia key replication / retrieval for sub-CAs

  • #8490 (rhbz#1875001) It is not possible to edit KDC database when the FreeIPA server is running

  • #8491 Unindexed searches in FreeIPA git master

  • #8494 Azure Pipelines are broken due to docker compose tool upgrade

  • #8503 (rhbz#1879604) pkispawn logs files are empty

  • #8505 Nightly failure (fedora31) in test_integration/test_smb.py::TestSMB::test_smb_service_s4u2self

  • #8507 [WebUI] Backport jQuery patches from newer versions of the library (e.g. 3.5.0)

  • #8511 The selinux subpackage does not have a requirement to match the server install

  • #8512 Import of psutil can trigger SELinux violation

  • #8513 (rhbz#1868432) SELinux module fails to load: Re-declaration of type node_t

  • #8515 (rhbz#1882340) nsslapd-db-locks patching no longer works

Detailed changelog since 4.8.9

Armando Neto (3)

  • ipatests: Add nightly definitions for enforcing mode commit

  • ipatests: Bump PR-CI templates commit #8473

  • ipatests: Bump PR-CI templates commit

Alexander Bokovoy (6)

  • Become IPA 4.8.10 commit

  • Specify memory limits as strings for docker compose commit #8494

  • ipa-kdb: test kadmin.local getprincs command commit #8490

  • ipa-kdb: support getprincs request in kadmin.local commit #8490

  • test_smb: make sure both smbserver and smbclient use IPA master for DNS commit #8344

  • Return to git snapshots commit

Christian Heimes (11)

  • Fix nsslapd-db-lock tuning of BDB backend commit #5914, #8515

  • Create systemd-resolved configuration on update commit

  • Configure systemd-resolved to use IPA’s BIND commit #8275

  • Use new API for auto-forwarders commit #8275

  • Configure NetworkManager to use systemd-resolved commit #8275

  • Add helpers for resolve1 and nameservers commit #8275

  • Delay import of psutil to avoid AVC commit #8512

  • Make git a build requirement commit

  • Duplicate CA CRT: ignore expected cert commit #7125

  • Add krbPrincipalName pres index correctly commit #8491

  • Only restart DS when duplicate cacrt was found commit #7125

François Cami (12)

  • SELinux: do not double-define node_t and pki_tomcat_cert_t commit #8513

  • SELinux Policy: Allow tomcat_t to read kerberos keytabs commit #8488

  • SELinux Policy: make interfaces for kernel modules non-optional commit #8488

  • SELinux Policy: flag ipa_pki_retrieve_key_exec_t as domain_type commit #8488

  • SELinux Policy: ipa_custodia_pki_tomcat_exec_t => ipa_custodia_pki_tomcat_t commit #8488

  • SELinux Policy: ipa_pki_retrieve_key_exec_t => ipa_pki_retrieve_key_t commit #8488

  • SELinux Policy: let custodia_t map custodia_tmp_t commit #8488

  • SELinux: Add dedicated policy for ipa-pki-retrieve-key commit #8488

  • ipatests: enhance TestSubCAkeyReplication commit #8488

  • dogtaginstance.py: add --debug to pkispawn commit #8503

  • ipatests: check that pkispawn log is not empty commit #8503

  • SELinux Policy: let custodia replicate keys commit #8488

Florence Blanc-Renaud (4)

  • test_smb: skip test_smb_service_s4u2self for fed31 commit #8505

  • dnsforwardzone-add: support dnspython 2.0 commit #8481

  • ipatests: add missing healthcheck test in PRCI nightlies commit

  • ipatests: run test_ipahealthcheck.py::TestIpaHealthCheck separately commit #8472

Mohammad Rizwan (3)

  • PEP8 fixes commit

  • ipatests: add --skip-overlap-check option to prepare_reverse_zone() commit

  • ipatests: Add PTR record for IP SAN commit

Rob Crittenden (19)

  • Test that ccaches are cleaned up during installation commit #8248

  • Clean up entire /run/ipa/ccaches directory not just files commit #8248

  • Reduce the memory requirement from 1.6 to 1.2 GB commit #8404

  • Require a matching server package for the selinux subpackage commit #8511

  • Add index for more trust-related attributes commit #8491

  • ipatests: Add test for ACI attribute and permission uniqueness commit #8443

  • Use ACI class set_permissions() method to set permissions commit #8443

  • De-duplicate ACI attributes and permissions commit #8443

  • ipatests: Add tests for checking available memory commit #8404

  • Require at least 1.6Gb of available RAM to install the server commit #8404

  • ipatests: test that a zone name and name-from-ip will be rejected commit #8446

  • Don’t allow both a zone name and --name-from-ip to be provided commit #8446

  • Set the certmonger subject with a string, not an object commit #8204

  • ipatests: test ipa_server_certinstall with an IPA-issued cert commit #8204

  • ipatests: Add test for is_ipa_configured commit #8458

  • Use is_ipa_configured from ipalib.facts commit #8458

  • Fall back to old server installation detection when needed commit #8458

  • cli: When parsing options require name/value pairs commit #6115

  • ipatests: Add option/arg parsing tests for the cli commit #6115

Stanislav Levin (13)

  • dns: Make use of `resolve_address` of a current resolver instead of the global one commit

  • dnspython: Add compatibility shim commit #8383

  • tox: Don’t expand symlinks commit #8475

  • Azure: Increase verbosity for Tox task commit

  • deps: Require `nss-tools` for make’s fasttest target commit

  • nss: Raise exception earlier on unsupported DB type commit #8474

  • Azure: base: Collect both install and uninstall logs commit

  • Azure: Drop dependency on UsePythonVersion task commit

  • Azure: Add Rawhide definitions commit

  • pylint: Ignore `raise-missing-from` commit #8468

  • pylint: Ignore `super-with-arguments` commit #8468

  • pylint: Fix warning W0612(unused-variable) commit #8468

  • pylint: Teach pylint about more RRs types commit #8468

Sergey Orlov (2)

  • ipatests: simplify fixture commit

  • ipatests: refactor test for login using cifs alias principal commit

Sumedh Sidhaye (1)

Serhii Tsymbaliuk (1)

  • WebUI: Fix jQuery DOM manipulation issues commit #8507

Sudhir Menon (1)

  • ipatests: Install healthcheck pkg for TestIpaHealthCheckWithADtrust commit

Zdenek Pytela (1)

  • Add ipa_pki_retrieve_key_exec() interface commit #8488