The FreeIPA team would like to announce FreeIPA 4.8.2 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 31 will be available in the official COPR repository.
Highlights in 4.8.2#
5608: [RFE] Add Dogtag configuration extensions
Dogtag CA allows to specify additional options in the configuration file used to deploy CA. FreeIPA installers can now pass through an overlay configuration file to fine-tune the CA.
7971: [RFE] Include hint for replication_wait_timeout if timeout fails
In case replica set up times out, suggest increasing replication_wait_timeout option before running the replica installation.
Enhancements#
8001 Need default authentication indicators for SPAKE, PKINIT and encrypted challenge preauth
When Kerberos authentication is performed with the help of SPAKE or PKINIT pre-authentication methods, add authentication indicator to resulting tickets. This allows filtering access to resources by a wider variety of pre-authentication methods.
8110 Enable AES SHA 256 and 384 Kerberos enctypes
Allow use of AES SHA 256 and 384 Kerberos encryption types by default for new Kerberos principals.
8111 [FIPS] Don’t add camellia KRB5 encsalttypes in FIPS mode
Expose only encryption types allowed in FIPS mode when creating a master in FIPS mode.
8020 support AES in LWCA key replication
Sub-CA key replication between CA replicas now can use AES encryption to wrap the secrets.
8044 Extdom plugin should not return LDAP_NO_SUCH_OBJECT if there are timeout or other errors
An LDAP control used by SSSD for retrieval of information about AD users and groups was extended to properly differentiate lack of information and its unavailability.
Known Issues#
Bug fixes#
FreeIPA 4.8.2 is a stabilization release for the features delivered as a part of 4.8.0 series. There are more than 40 bug-fixes details of which can be seen in the list of resolved tickets below.
Upgrading#
Upgrade instructions are available on Upgrade page.
Feedback#
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.
Resolved tickets#
2018 Change hostname length limit to 64
3999 [RFE] Fix and Document how to set up Samba File Server with IPA
4972 check for existence of private group is done even if UPG definition is disabled
5062 [WebUI] Unlock option is enabled for all user.
5608 [RFE] Add Dogtag configuration extensions
5879 Attempt to fix capitalization fails with ipa: ERROR: Type or value exists:
6210 When master’s IP address does not resolve to its name, ipa-replica-install fails
6843 ipa-backup does not create log file at /var/log/
7307 RFE: Extend IPA to support unadvertised replicas
7522 Disable cert publishing in dogtag
7566 Installation of replica against a specific master
7725 ipa-restore set wrong file permissions and ownership for /var/log/dirsrv/slapd- directory
7870 [certmonger][upgrade] “Failed to get request: bus, object_path and dbus_interface must not be None.”
7961 [WebUI] Identity Manager WebUI requires you to save changes after changing specifications before making other change
7971 [RFE] Include hint for replication_wait_timeout if timeout fails
7987 Python shebang: Use isolated mode
7995 Removing TLSv1.0, TLSv1.1 from nss.conf
8001 Need default authentication indicators for SPAKE, PKINIT and encrypted challenge preauth
8017 host-add –password logs cleartext userpassword to Apache error log
8020 support AES in LWCA key replication
8031 HBAC Test Validation error when running the HBAC test the second time round via the IPA Web GUI
8034 Existing p11-kit config file is not restored on uninstall
8038 ipa-client-automount –uninstall is not restoring nsswitch.conf
8044 Extdom plugin should not return LDAP_NO_SUCH_OBJECT if there are timeout or other errors
8048 Travis-CI sometimes fails at dnf
8052 test failure in test_integration/test_sudo.py::TestSudo::()::test_domain_resolution_order on fedora29
8053 [WebUI] Fix login screen loading issue in test_loginscreen
8054 ipa-client-install calls “authselect select sssd –force” at uninstall time before restoring user-nsswitch.conf
8055 Test for PG6843: ipa-backup does not create log file at /var/log is failing
8056 BuildRequires is not compatible with %{_libdir}
8057 Running ipa-server-install produces SyntaxWarning: “is not” with a literal. Did you mean “!=”?
8062 Re-add configure_nsswitch_database, configure_nsswitch, … to ipaclient.install
8066 Don’t use -t option to klist in adtrust code when timestamp is not needed
8067 add default access control configuration to trusted domain objects
8070 Test failure in test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion::()::test_hidden_replica_install
8073 Backup/restore does not restore /etc/pkcs11/modules/softhsm2.module
8075 Don’t create log file for helper scripts
8077 New pylint 2.4.0 errors
8079 [Security] By default, DNS recursion is open, breaking best practices
8084 KRA authentication fails when IPA CA has custom Subject DN
8086 ipa-server-certinstall man page does not match built-in help.
8099 ipa-backup command is failing on rhel-7.8
8102 Pylint 2.4.3 + Astroid 2.3.2 errors
8105 getcert with -F option returns before cacert file is created
8110 Enable AES SHA 256 and 384 Kerberos enctypes
8111 [FIPS] Don’t add camellia KRB5 encsalttypes in FIPS mode
8113 ipa-advise on a RHEL7 IdM server is not able to generate a configuration script for a RHEL8 IdM client
8114 [RFE] Delegate group membership management
8115 Nightly test failure in fedora-30/test_smb and fedora-29/test_smb
Detailed changelog since 4.8.1#
Armando Neto (4)#
prci: bump template version
prci: increase timeout argument for test_sssd.py
prci: increase timeout for jobs that required AD
prci: Update box used in branch ipa-4-8
Alexander Bokovoy (9)#
Become FreeIPA 4.8.2
Update list of contributors
Update translations
Add local helpers to handle unixid structure
adtrust: add default read_keys permission for TDO objects
add default access control when migrating trust objects
adtrust: avoid using timestamp in klist output
Mark failing test as xfail for use of python-dns make_ds method
ipa-extdom-extop: test timed out getgrgid_r
Alexandre Mulatinho (1)#
ipa-scripts: fix all ipa command line scripts to operate with -I
Anuja More (1)#
Extdom plugin should not return error (32)/’No such object’
Christian Heimes (12)#
Add tests for member management
Add group membership management
Skip commented lines after substitution
Block camellia in krbenctypes update in FIPS
Don’t install a preexec_fn by default
Don’t create log files from help scripts
Fix ca_initialize_hsm_state
Add new env vars to pylint plugin
Fix wrong use of identity operation
Enable literal-comparison linter again
Replace %{_libdir} macro in BuildRequires
Store HSM token and state
Cédric Jeanneret (1)#
Prevents DNS Amplification Attack and allow to customize named
Changmin Teng (5)#
Add design document
Modify webUI to adhere to new IPA server API
Implement user pre-authentication control with kdcpolicy plugin
Extend the list of supported pre-auth mechanisms in IPA server API
Add new authentication indicators in kdc.conf.template
François Cami (8)#
ipatests: temporarily remove test_smb from gating
ipa_client_automount.py: fix typo (idmap.conf => idmapd.conf)
ipapython/ipachangeconf.py: change “is not 0” for “!= 0”
travis-ci: make dnf invocations more resilient
authconfig.py: restore user-nsswitch.conf at uninstall time
ipatests: remove xfail in TestIpaClientAutomountFileRestore
ipa-client-automount: always restore nsswitch.conf at uninstall time
ipatests: check that ipa-client-automount restores nsswitch.conf at uninstall time
Florence Blanc-Renaud (11)#
smartcard: make the ipa-advise script compatible with authselect/authconfig
ipa-backup: fix python2 issue with os.mkdir
ipa-server-certinstall manpage: add missing options
ipatests: fix test_replica_promotion.py::TestHiddenReplicaPromotion
ipatests: add XMLRPC test for user-add when UPG plugin is disabled
ipa user_add: do not check group if UPG is disabled
replica install: enforce –server arg
ipatests: ensure that backup/restore restores pkcs 11 modules config file
ipa-backup: backup the PKCS module config files setup by IPA
config plugin: replace ‘is 0’ with ‘== 0’
ipatests: fix wrong xfail in test_domain_resolution_order
Francisco Trivino (1)#
prci: increase gating tasks priority
Fraser Tweedale (7)#
test_integration: add tests for custom CA subject DN
upgrade: fix ipakra people entry ‘description’ attribute
krainstance: set correct issuer DN in uid=ipakra entry
Bump Dogtag min version to 10.7.3
ipa-pki-retrieve-key: request AES encryption (with fallback)
NSSWrappedCertDB: accept optional symmetric algorithm
IPASecStore: support extra key arguments
Michal Polovka (3)#
ipatests: add tests for ipa host-add with non-default maxhostnamelength
ipatests: fix topology for TestIpaNotConfigured in PR-CI nightly definitions
ipatests: Test for ipa-backup with ipa not configured
Mohammad Rizwan Yusuf (3)#
Add test to nightly yamls.
Installation of replica against a specific server
Check file ownership and permission for dirsrv log instance
ndehadra (1)#
Hidden Replica: Add a test for Automatic CRL configuration
Spencer E. Olson (1)#
Fixes debian path for IPA_CUSTODIA_HANDLER
Rob Crittenden (16)#
Conditionally restart certmonger after client installation
Add conditional restart (try-restart) capability to services
Enable AES SHA 256 and 384-bit enctypes in Kerberos
Add missing timeout option to logging statement
Log dogtag auth timeout in install, provide hint to increase it
Log the replication wait timeout for debugging purposes
Replace replication_wait_timeout with certmonger_wait_timeout
Disable dogtag cert publishing
ipa-restore: Restore ownership and perms on 389-ds log directory
Report if a certmonger CA is missing
Re-order tasks.restore_pkcs11_modules() to run earlier
Don’t log host passwords when they are set/modified
Skip lock and fork in ipa-server-guard on unsupported ops
Defer initializing the API in dogtag-ipa-ca-renew-agent-submit
Use tasks to configure automount nsswitch settings
Move ipachangeconf from ipaclient.install to ipapython
Robbie Harwood (7)#
Provide modern example enctypes in ipa-getkeytab(1)
Fix segfault in ipadb_parse_ldap_entry()
Add a skeleton kdcpolicy plugin
Move certauth configuration into a server krb5.conf template
Enable krb5 snippet updates on client update
Fix NULL pointer dereference in maybe_require_preauth()
Log INFO message when LDAP connection fails on startup
Rafael Guterres Jeffman (1)#
Fixes pylint errors introduced by version 2.4.0.
Rafael Guterres Jeffman (6)#
Removed unnecessary imports after code review.
Removes several pylint warnings.
Removed unnecessary imports after code review.
Removes several pylint warnings.
Removes rpmlint warning on freeipa.spec.
Re-add function façades removed by commit 2da9088.
Sumit Bose (1)#
extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT
Stanislav Levin (5)#
Fix errors found by Pylint-2.4.3
Install language packs for tests
Restore running of ‘test_ipaserver’ tests on Azure
Setup DNS for AP Docker container
Fixed errors newly exposed by pylint 2.4.0
Sergey Orlov (14)#
ipatests: enable test_smb.py in gating.yaml
ipatests: replace ad hoc backup with FileBackup helper
ipatests: refactor FileBackup helper
ipatests: in DNS zone file add A record for name server
ipatests: strip newline character when getting name of temp file
ipatests: add test to check that only TLS 1.2 is enabled in Apache
ipatests: fix DNS forwarders setup for AD trust tests with non-root domains
ipatests: add tests for cached_auth_timeout in sssd.conf
ipatests: refactoring: use library function to check if selinux is enabled
ipatests: add new utilities for file management
ipatests: refactor and extend tests for IPA-Samba integration
ipatests: modify run_command to allow specify successful return codes
ipatests: add utility functions related to using and managing user accounts
ipatests: allow to pass additional options for clients installation
Serhii Tsymbaliuk (4)#
WebUI: Fix new test initialization on “HBAC Test” page
WebUI: Fix changing category on HBAC/Sudo/etc Rule pages
WebUI: Make ‘Unlock’ option is available only on locked user page
WebUI tests: Fix login screen loading issue
Sudhir Menon (1)#
Added testcase to check capitalization fix while running ipa user-mod
Tibor Dudlák (1)#
Add container environment check to replicainstall
Tomas Halman (4)#
extdom: add extdom protocol documentation
extdom: use sss_nss_*_timeout calls
extdom: plugin doesn’t use timeout in blocking call
extdom: plugin doesn’t allow @ in group name