The FreeIPA team would like to announce FreeIPA 4.8.2 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 31 will be available in the official COPR repository.

Highlights in 4.8.2#

  • 5608: [RFE] Add Dogtag configuration extensions

Dogtag CA accepts additional options in the configuration file used to deploy the CA. FreeIPA installers can now pass through an overlay configuration file to fine-tune the CA deployment.


  • 7971: [RFE] Include hint for replication_wait_timeout if timeout fails

If replica setup times out, the installer now logs the timeout value and suggests increasing the replication_wait_timeout option before re-running the replica installation.


Enhancements#

  • 8001 Need default authentication indicators for SPAKE, PKINIT and encrypted challenge preauth

When Kerberos authentication is performed with SPAKE, PKINIT or encrypted challenge pre-authentication, the KDC now adds an authentication indicator to the resulting tickets. Services can then restrict access based on a wider variety of pre-authentication methods.
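As an added illustration for this page (not FreeIPA code), the following Python models how a KDC applies authentication indicators: the mechanism used during the AS exchange determines which indicator, if any, is stamped into the TGT, and a service principal that requires indicators (MIT krb5's require_auth string attribute, which FreeIPA manages via `ipa service-mod --auth-ind`) accepts a ticket only if it carries at least one of them. The option names `spake_preauth_indicator`, `encrypted_challenge_indicator` and `pkinit_indicator` are MIT krb5's; the kdc.conf snippet, the indicator values `hardened` and `pkinit`, the service principals and the requests are constructed assumptions for the example.

```python
"""Model of KDC authentication-indicator enforcement (added example, not
FreeIPA code).  Indicator values, principals and requests are constructed."""
import re

# Constructed kdc.conf-style snippet.  The indicator values are assumptions
# about what FreeIPA's template assigns; the option names are MIT krb5's.
CONSTRUCTED_KDC_CONF = """
[kdcdefaults]
 kdc_ports = 88
 spake_preauth_indicator = hardened
 encrypted_challenge_indicator = hardened
[realms]
 EXAMPLE.TEST = {
  pkinit_indicator = pkinit
 }
"""

# kdc.conf option -> pre-authentication mechanism it applies to
INDICATOR_KNOBS = {
    "spake_preauth_indicator": "spake",
    "encrypted_challenge_indicator": "encrypted_challenge",
    "pkinit_indicator": "pkinit",
}


def parse_indicator_map(conf_text):
    """Return {mechanism: [indicators]} from the *_indicator settings.
    A mechanism with no setting (plain encrypted-timestamp password preauth)
    stamps no indicator into the ticket at all."""
    mapping = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(\S+)\s*$", line)
        if not m or m.group(1) not in INDICATOR_KNOBS:
            continue
        mapping.setdefault(INDICATOR_KNOBS[m.group(1)], []).append(m.group(2))
    return mapping


def tgt_indicators(mechanism, indicator_map):
    """Indicators carried by a TGT obtained with the given preauth mechanism."""
    return frozenset(indicator_map.get(mechanism, []))


def service_permits(required, ticket_indicators):
    """require_auth semantics: a service with no requirement accepts any
    ticket; otherwise the ticket must carry at least one required indicator."""
    if not required:
        return True
    return bool(set(required) & set(ticket_indicators))


def evaluate_tgs_requests(requests, services, indicator_map):
    """requests: iterable of (client, preauth mechanism, service principal).
    Returns {(client, service): allowed}."""
    return {
        (client, service): service_permits(
            services[service], tgt_indicators(mech, indicator_map))
        for client, mech, service in requests
    }


# Constructed service principals with their --auth-ind style requirements.
CONSTRUCTED_SERVICES = {
    "HTTP/vault.example.test": ["pkinit"],
    "HTTP/wiki.example.test": ["pkinit", "hardened"],
    "cifs/files.example.test": [],
}

# Constructed TGS requests: (client, how the TGT was obtained, target service)
CONSTRUCTED_REQUESTS = [
    ("alice", "pkinit", "HTTP/vault.example.test"),               # smart card: ok
    ("bob", "spake", "HTTP/vault.example.test"),                  # hardened != pkinit: deny
    ("bob", "spake", "HTTP/wiki.example.test"),                   # hardened accepted: ok
    ("carol", "encrypted_timestamp", "HTTP/wiki.example.test"),   # no indicator: deny
    ("carol", "encrypted_timestamp", "cifs/files.example.test"),  # no requirement: ok
]

if __name__ == "__main__":
    imap = parse_indicator_map(CONSTRUCTED_KDC_CONF)
    results = evaluate_tgs_requests(CONSTRUCTED_REQUESTS, CONSTRUCTED_SERVICES, imap)
    for (client, service), allowed in results.items():
        print(f"{client:6} -> {service:26} {'ALLOW' if allowed else 'DENY'}")
```

The point the model makes explicit is that a password-only login (encrypted timestamp) yields a ticket with no indicators, so any service carrying a requirement rejects it, while services with no requirement are unaffected; the new SPAKE and encrypted challenge indicators let a service accept those mechanisms without having to accept plain password authentication.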


  • 8110 Enable AES SHA 256 and 384 Kerberos enctypes

Allow the AES-SHA2 Kerberos encryption types (aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192, RFC 8009) by default for new Kerberos principals.


  • 8111 [FIPS] Don’t add camellia KRB5 encsalttypes in FIPS mode

When a master is created in FIPS mode, advertise only the encryption types permitted in FIPS mode; the Camellia enctypes are no longer added.


  • 8020 support AES in LWCA key replication

Sub-CA (lightweight CA) key replication between CA replicas can now use AES to wrap the transported key material, with a fallback for peers that do not support it.


  • 8044 Extdom plugin should not return LDAP_NO_SUCH_OBJECT if there are timeout or other errors

The LDAP extended operation (extdom) used by SSSD to retrieve information about AD users and groups was extended to properly distinguish a missing object (no such user or group) from a lookup that failed because of a timeout or another error, so failures are no longer reported as LDAP_NO_SUCH_OBJECT.


Known Issues#

Bug fixes#

FreeIPA 4.8.2 is a stabilization release for the features delivered as part of the 4.8.0 series. It contains more than 40 bug fixes; details can be found in the list of resolved tickets below.

Upgrading#

Upgrade instructions are available on Upgrade page.

Feedback#

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.

Resolved tickets#

  • 2018 Change hostname length limit to 64

  • 3999 [RFE] Fix and Document how to set up Samba File Server with IPA

  • 4972 check for existence of private group is done even if UPG definition is disabled

  • 5062 [WebUI] Unlock option is enabled for all user.

  • 5608 [RFE] Add Dogtag configuration extensions

  • 5879 Attempt to fix capitalization fails with ipa: ERROR: Type or value exists:

  • 6210 When master’s IP address does not resolve to its name, ipa-replica-install fails

  • 6843 ipa-backup does not create log file at /var/log/

  • 7307 RFE: Extend IPA to support unadvertised replicas

  • 7522 Disable cert publishing in dogtag

  • 7566 Installation of replica against a specific master

  • 7725 ipa-restore set wrong file permissions and ownership for /var/log/dirsrv/slapd- directory

  • 7870 [certmonger][upgrade] “Failed to get request: bus, object_path and dbus_interface must not be None.”

  • 7961 [WebUI] Identity Manager WebUI requires you to save changes after changing specifications before making other change

  • 7971 [RFE] Include hint for replication_wait_timeout if timeout fails

  • 7987 Python shebang: Use isolated mode

  • 7995 Removing TLSv1.0, TLSv1.1 from nss.conf

  • 8001 Need default authentication indicators for SPAKE, PKINIT and encrypted challenge preauth

  • 8017 host-add --password logs cleartext userpassword to Apache error log

  • 8020 support AES in LWCA key replication

  • 8031 HBAC Test Validation error when running the HBAC test the second time round via the IPA Web GUI

  • 8034 Existing p11-kit config file is not restored on uninstall

  • 8038 ipa-client-automount --uninstall is not restoring nsswitch.conf

  • 8044 Extdom plugin should not return LDAP_NO_SUCH_OBJECT if there are timeout or other errors

  • 8048 Travis-CI sometimes fails at dnf

  • 8052 test failure in test_integration/test_sudo.py::TestSudo::()::test_domain_resolution_order on fedora29

  • 8053 [WebUI] Fix login screen loading issue in test_loginscreen

  • 8054 ipa-client-install calls “authselect select sssd --force” at uninstall time before restoring user-nsswitch.conf

  • 8055 Test for PG6843: ipa-backup does not create log file at /var/log is failing

  • 8056 BuildRequires is not compatible with %{_libdir}

  • 8057 Running ipa-server-install produces SyntaxWarning: “is not” with a literal. Did you mean “!=”?

  • 8062 Re-add configure_nsswitch_database, configure_nsswitch, … to ipaclient.install

  • 8066 Don’t use -t option to klist in adtrust code when timestamp is not needed

  • 8067 add default access control configuration to trusted domain objects

  • 8070 Test failure in test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion::()::test_hidden_replica_install

  • 8073 Backup/restore does not restore /etc/pkcs11/modules/softhsm2.module

  • 8075 Don’t create log file for helper scripts

  • 8077 New pylint 2.4.0 errors

  • 8079 [Security] By default, DNS recursion is open, breaking best practices

  • 8084 KRA authentication fails when IPA CA has custom Subject DN

  • 8086 ipa-server-certinstall man page does not match built-in help.

  • 8099 ipa-backup command is failing on rhel-7.8

  • 8102 Pylint 2.4.3 + Astroid 2.3.2 errors

  • 8105 getcert with -F option returns before cacert file is created

  • 8110 Enable AES SHA 256 and 384 Kerberos enctypes

  • 8111 [FIPS] Don’t add camellia KRB5 encsalttypes in FIPS mode

  • 8113 ipa-advise on a RHEL7 IdM server is not able to generate a configuration script for a RHEL8 IdM client

  • 8114 [RFE] Delegate group membership management

  • 8115 Nightly test failure in fedora-30/test_smb and fedora-29/test_smb

Detailed changelog since 4.8.1#

Armando Neto (4)#

  • prci: bump template version

  • prci: increase timeout argument for test_sssd.py

  • prci: increase timeout for jobs that required AD

  • prci: Update box used in branch ipa-4-8

Alexander Bokovoy (9)#

  • Become FreeIPA 4.8.2

  • Update list of contributors

  • Update translations

  • Add local helpers to handle unixid structure

  • adtrust: add default read_keys permission for TDO objects

  • add default access control when migrating trust objects

  • adtrust: avoid using timestamp in klist output

  • Mark failing test as xfail for use of python-dns make_ds method

  • ipa-extdom-extop: test timed out getgrgid_r

Alexandre Mulatinho (1)#

  • ipa-scripts: fix all ipa command line scripts to operate with -I

Anuja More (1)#

  • Extdom plugin should not return error (32)/’No such object’

Christian Heimes (12)#

  • Add tests for member management

  • Add group membership management

  • Skip commented lines after substitution

  • Block camellia in krbenctypes update in FIPS

  • Don’t install a preexec_fn by default

  • Don’t create log files from help scripts

  • Fix ca_initialize_hsm_state

  • Add new env vars to pylint plugin

  • Fix wrong use of identity operation

  • Enable literal-comparison linter again

  • Replace %{_libdir} macro in BuildRequires

  • Store HSM token and state

Cédric Jeanneret (1)#

  • Prevents DNS amplification attacks and allows customizing named

Changmin Teng (5)#

  • Add design document

  • Modify webUI to adhere to new IPA server API

  • Implement user pre-authentication control with kdcpolicy plugin

  • Extend the list of supported pre-auth mechanisms in IPA server API

  • Add new authentication indicators in kdc.conf.template

François Cami (8)#

  • ipatests: temporarily remove test_smb from gating

  • ipa_client_automount.py: fix typo (idmap.conf => idmapd.conf)

  • ipapython/ipachangeconf.py: change “is not 0” for “!= 0”

  • travis-ci: make dnf invocations more resilient

  • authconfig.py: restore user-nsswitch.conf at uninstall time

  • ipatests: remove xfail in TestIpaClientAutomountFileRestore

  • ipa-client-automount: always restore nsswitch.conf at uninstall time

  • ipatests: check that ipa-client-automount restores nsswitch.conf at uninstall time

Florence Blanc-Renaud (11)#

  • smartcard: make the ipa-advise script compatible with authselect/authconfig

  • ipa-backup: fix python2 issue with os.mkdir

  • ipa-server-certinstall manpage: add missing options

  • ipatests: fix test_replica_promotion.py::TestHiddenReplicaPromotion

  • ipatests: add XMLRPC test for user-add when UPG plugin is disabled

  • ipa user_add: do not check group if UPG is disabled

  • replica install: enforce --server arg

  • ipatests: ensure that backup/restore restores pkcs 11 modules config file

  • ipa-backup: backup the PKCS module config files setup by IPA

  • config plugin: replace ‘is 0’ with ‘== 0’

  • ipatests: fix wrong xfail in test_domain_resolution_order

Francisco Trivino (1)#

  • prci: increase gating tasks priority

Fraser Tweedale (7)#

  • test_integration: add tests for custom CA subject DN

  • upgrade: fix ipakra people entry ‘description’ attribute

  • krainstance: set correct issuer DN in uid=ipakra entry

  • Bump Dogtag min version to 10.7.3

  • ipa-pki-retrieve-key: request AES encryption (with fallback)

  • NSSWrappedCertDB: accept optional symmetric algorithm

  • IPASecStore: support extra key arguments

Michal Polovka (3)#

  • ipatests: add tests for ipa host-add with non-default maxhostnamelength

  • ipatests: fix topology for TestIpaNotConfigured in PR-CI nightly definitions

  • ipatests: Test for ipa-backup with ipa not configured

Mohammad Rizwan Yusuf (3)#

  • Add test to nightly yamls.

  • Installation of replica against a specific server

  • Check file ownership and permission for dirsrv log instance

ndehadra (1)#

  • Hidden Replica: Add a test for Automatic CRL configuration

Spencer E. Olson (1)#

  • Fixes Debian path for IPA_CUSTODIA_HANDLER

Rob Crittenden (16)#

  • Conditionally restart certmonger after client installation

  • Add conditional restart (try-restart) capability to services

  • Enable AES SHA 256 and 384-bit enctypes in Kerberos

  • Add missing timeout option to logging statement

  • Log dogtag auth timeout in install, provide hint to increase it

  • Log the replication wait timeout for debugging purposes

  • Replace replication_wait_timeout with certmonger_wait_timeout

  • Disable dogtag cert publishing

  • ipa-restore: Restore ownership and perms on 389-ds log directory

  • Report if a certmonger CA is missing

  • Re-order tasks.restore_pkcs11_modules() to run earlier

  • Don’t log host passwords when they are set/modified

  • Skip lock and fork in ipa-server-guard on unsupported ops

  • Defer initializing the API in dogtag-ipa-ca-renew-agent-submit

  • Use tasks to configure automount nsswitch settings

  • Move ipachangeconf from ipaclient.install to ipapython

Robbie Harwood (7)#

  • Provide modern example enctypes in ipa-getkeytab(1)

  • Fix segfault in ipadb_parse_ldap_entry()

  • Add a skeleton kdcpolicy plugin

  • Move certauth configuration into a server krb5.conf template

  • Enable krb5 snippet updates on client update

  • Fix NULL pointer dereference in maybe_require_preauth()

  • Log INFO message when LDAP connection fails on startup

Rafael Guterres Jeffman (1)#

  • Fixes pylint errors introduced by version 2.4.0.

Rafael Guterres Jeffman (6)#

  • Removed unnecessary imports after code review.

  • Removes several pylint warnings.

  • Removed unnecessary imports after code review.

  • Removes several pylint warnings.

  • Removes rpmlint warning on freeipa.spec.

  • Re-add function façades removed by commit 2da9088.

Sumit Bose (1)#

  • extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT

Stanislav Levin (5)#

  • Fix errors found by Pylint-2.4.3

  • Install language packs for tests

  • Restore running of ‘test_ipaserver’ tests on Azure

  • Setup DNS for AP Docker container

  • Fixed errors newly exposed by pylint 2.4.0

Sergey Orlov (14)#

  • ipatests: enable test_smb.py in gating.yaml

  • ipatests: replace ad hoc backup with FileBackup helper

  • ipatests: refactor FileBackup helper

  • ipatests: in DNS zone file add A record for name server

  • ipatests: strip newline character when getting name of temp file

  • ipatests: add test to check that only TLS 1.2 is enabled in Apache

  • ipatests: fix DNS forwarders setup for AD trust tests with non-root domains

  • ipatests: add tests for cached_auth_timeout in sssd.conf

  • ipatests: refactoring: use library function to check if selinux is enabled

  • ipatests: add new utilities for file management

  • ipatests: refactor and extend tests for IPA-Samba integration

  • ipatests: modify run_command to allow specifying successful return codes

  • ipatests: add utility functions related to using and managing user accounts

  • ipatests: allow passing additional options for client installation

Serhii Tsymbaliuk (4)#

  • WebUI: Fix new test initialization on “HBAC Test” page

  • WebUI: Fix changing category on HBAC/Sudo/etc Rule pages

  • WebUI: Make ‘Unlock’ option available only on locked user page

  • WebUI tests: Fix login screen loading issue

Sudhir Menon (1)#

  • Added testcase to check capitalization fix while running ipa user-mod

Tibor Dudlák (1)#

  • Add container environment check to replicainstall

Tomas Halman (4)#

  • extdom: add extdom protocol documentation

  • extdom: use sss_nss_*_timeout calls

  • extdom: plugin doesn’t use timeout in blocking call

  • extdom: plugin doesn’t allow @ in group name