The FreeIPA team would like to announce the FreeIPA 4.8.5 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 30 to 32 will be available soon.

Highlights in 4.8.5

  • #8214 openDNSSEC 2.1 support

  • #8221 AJP connector protection for Dogtag/FreeIPA communication, mitigating CVE-2020-1938. Fedora and RHEL do not force an encrypted AJP connector by default with Tomcat 9.0.31, but FreeIPA 4.8.5 converts to the encrypted AJP channel on upgrade and at new deployments. Use of AJP is already limited to localhost connections with the integrated CA.

  • Default authentication indicators are now documented in the FreeIPA workshop (freeipa/freeipa-workshop)

  • #6891 FreeIPA SELinux policy is now part of the upstream packaging and replaces distribution-wide policies.

  • New internal mechanism to promote Trust Agents in ipa-adtrust-install, to allow configuring schema compatibility plugin on remote replicas.

  • #8124 New “ipa-cacert-manage delete” command to allow pruning a CA certificate from the LDAP store
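The AJP highlight above describes the two properties a defender wants to confirm on a Dogtag instance after the upgrade: the AJP connector is bound to loopback and requires a shared secret, which is what closes the CVE-2020-1938 exposure. The following audit script is an added example, not FreeIPA or Dogtag code. It assumes the Tomcat server.xml attribute names introduced in Tomcat 9.0.31 (`address`, `secret`, `secretRequired`, with `requiredSecret` as the pre-9.0.31 spelling) and a Dogtag configuration path of /etc/pki/pki-tomcat/server.xml; both are assumptions, not facts from the release notes, and the two embedded server.xml fragments are constructed samples.

```python
"""Audit a Tomcat server.xml for AJP connectors lacking CVE-2020-1938 mitigations.

Added example, not FreeIPA or Dogtag code. Assumptions (not from the release notes):
the Dogtag Tomcat instance keeps its configuration at DEFAULT_PATH and the AJP
connector uses the Tomcat 9.0.31+ attributes ``address``, ``secret`` and
``secretRequired`` (``requiredSecret`` on older releases).
"""
import sys
import xml.etree.ElementTree as ET

DEFAULT_PATH = "/etc/pki/pki-tomcat/server.xml"  # assumed Dogtag location
LOOPBACK = {"127.0.0.1", "::1", "[::1]", "localhost"}

# Constructed sample: the kind of connector shipped before the hardening.
WEAK_SAMPLE = """<Server><Service name="Catalina">
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" secretRequired="false"/>
</Service></Server>"""

# Constructed sample: loopback-only connector with a shared secret (placeholder value).
HARDENED_SAMPLE = """<Server><Service name="Catalina">
<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443"
           secret="EXAMPLE-SECRET-REPLACE-ME"/>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"/>
</Service></Server>"""


def audit_ajp_connectors(xml_text):
    """Return [(port, findings)] for every AJP connector in the document.

    An empty findings list means the connector is bound to a loopback address
    and has a shared secret that Tomcat will enforce.
    """
    root = ET.fromstring(xml_text)
    results = []
    for conn in root.iter("Connector"):
        if "AJP" not in conn.get("protocol", "").upper():
            continue  # HTTP/HTTPS connectors are out of scope for this check
        findings = []
        port = conn.get("port", "?")
        # Tomcat 9.0.31+ defaults to loopback when address is absent, but older
        # releases bind every interface, so insist on an explicit loopback address.
        address = conn.get("address")
        if address not in LOOPBACK:
            findings.append("not bound to loopback (address=%r)" % address)
        secret = conn.get("secret") or conn.get("requiredSecret")
        if not secret:
            findings.append("no shared secret configured")
        # secretRequired defaults to true on 9.0.31+; an explicit false disables the check.
        if conn.get("secretRequired", "true").lower() != "true":
            findings.append("secretRequired=false")
        results.append((port, findings))
    return results


def is_mitigated(xml_text):
    """True when every AJP connector passes (no AJP connector also counts as safe)."""
    return all(not findings for _, findings in audit_ajp_connectors(xml_text))


def main(argv):
    # With a path argument, audit that file; otherwise demonstrate on the samples.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            samples = [(argv[1], fh.read())]
    else:
        samples = [("weak sample", WEAK_SAMPLE), ("hardened sample", HARDENED_SAMPLE)]
    worst = 0
    for label, text in samples:
        for port, findings in audit_ajp_connectors(text):
            status = "OK" if not findings else "; ".join(findings)
            print("%s: AJP connector on port %s: %s" % (label, port, status))
            worst = max(worst, 1 if findings else 0)
    return worst


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the weak and hardened samples side by side, or pass a server.xml path to audit a real instance; a non-zero exit status means at least one AJP connector still needs attention.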

Enhancements

  • Backup / restore tools now check whether packages for various optional IPA master features are installed before a restore

  • IPA CLI commands for DNS operations display additional attributes and handle optional parameters when a record is removed

  • Additional checks for external CA certificate properties during installation

  • Minor content improvements in the output of the ipa-client-samba tool

  • Preliminary support for building with MIT Kerberos 1.18

  • Increased test coverage in upstream test suite

  • Ability to test multi-host scenarios in upstream CI using Azure Pipelines

Known Issues

Bug fixes

FreeIPA 4.8.5 is a stabilization release for the features delivered as part of the 4.8.0 release series.

There are more than 50 bug fixes; their details can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.

Resolved tickets

  • #6891 Move FreeIPA SELinux policy from system policy to project policy

  • #7522 Disable cert publishing in dogtag

  • #7537 PR-CI: external_ca tests are hitting timeout

  • #7600 Enable compat tree to provide information about AD users and groups on trust agents

  • #7630 ipa-restore should check that optional feature packages are installed before restoring a backup using a feature

  • #7744 ipa-replica-install picks wrong replica for CA initial replication

  • #7830 FreeIPA installation fails with 389-DS 1.4.0.20-1

  • #7856 Nightly test failure in test_uninstallation.py::TestUninstallBase::()::test_failed_uninstall

  • #7861 Make IPADiscovery available in PyPI packages

  • #7909 Wrong evaluation of replication update status

  • #7917 Occasional ‘whoami.data is undefined’ error in FreeIPA web UI

  • #7938 ‘ipa dnszone-show/find’ should display “Dynamic Update” and “Bind update policy” by default

  • #7941 ipapython/dn_ctypes.py: libldap_r shared library missing

  • #7942 WebUI test for automount is broken

  • #7948 [FIPS] Use 3DES for certificate encryption when creating a PKCS#12

  • #7953 ipa-pwd-extop: do not remove MagicRegen mod, replace it

  • #7965 Stop using 389-ds legacy tools for backup and restore

  • #7974 Nightly test failure in ipatests.test_integration.test_user_permissions.TestUserPermissions

  • #7984 make sure ‘make fastlint’ processes Python .in files

  • #7987 Python shebang: Use isolated mode

  • #7989 Pytest4.2+ errors

  • #7990 Assumptions about systemd name of `named`

  • #7998 Use system-wide crypto policy in TLS client

  • #8001 Need default authentication indicators for SPAKE, PKINIT and encrypted challenge preauth

  • #8004 RHEL 8 uses nis-domainname instead of rhel-domainname

  • #8029 ipa host-find --pkey-only includes SSH keys in output

  • #8079 [Security] By default, DNS recursion is open, breaking best practices

  • #8098 Host principals lack ACI to look up DNS objects in LDAP

  • #8105 getcert with -F option returns before cacert file is created

  • #8110 Enable AES SHA 256 and 384 Kerberos enctypes

  • #8116 Pylint parallel execution with custom plugin

  • #8124 Add option to ipa-cacert-manage to delete certificates

  • #8135 When Service weight is set as 0 for server in IPA location “IPA Error 903: InternalError” is displayed

  • #8142 check Not Before / Not After in externally signed CA sanity check

  • #8149 SIDs of AD domains do not display in ipa-client-samba installer

  • #8150 IPA Server install fail

  • #8151 test_commands timing-out

  • #8153 Kerberos ticket policy reset does not reset per-indicator policies

  • #8157 Nightly test failure in fedora-rawhide/test_webui_network

  • #8163 “Internal Server Error” reported for minor issues implies IPA is broken [IdmHackfest2019]

  • #8164 Renewed certs are not picked up by IPA CAs

  • #8169 Nightly test failure in fedora-rawhide/test_webui_policy

  • #8170 Nightly test failure in fedora-rawhide/test_backup_and_restore_TestBackupReinstallRestoreWithDNS

  • #8173 Broken -k argument parsing in ipa-run-tests 4.8.4-1 package

  • #8176 External CA is tracked for renewals and replaced with a self-signed certificate

  • #8179 Tests broken with python version < 3.7 (module ‘re’ has no attribute ‘Pattern’)

  • #8190 ipa-client-automount fails after repeated installation/uninstallation

  • #8192 ipa-adtrust-install does not list service records for manual addition to DNS zone

  • #8193 Re-order 50-externalmembers.update to be after 80-schema_compat.update

  • #8196 API: dnsrecord_del failure with empty list aaaarecord

  • #8200 ipa krb5kdc db: krb5kdc coredump

  • #8201 update ssbrowser.html

  • #8202 Azure: add support for multi-container tests

  • #8214 Support for opendnssec 2.1.6

  • #8219 ipatests: unify editing of sssd.conf

  • #8221 Secure AJP connector between Dogtag and Apache proxy

  • #8226 ipa-restore does not restart httpd

Detailed changelog since 4.8.4

Armando Neto (4)

  • prci: update fedora used for testing ipa-4-8 commit

  • prci: Bump template version commit

  • ipatests: Skip test_sss_ssh_authorizedkeys method commit #8151

  • ipatests: Improve test_commands reliability commit

Alexander Bokovoy (11)

  • Become FreeIPA 4.8.5 commit

  • Add new contributors to the list commit

  • Add more contributor emails to the mailmap commit

  • Secure AJP connector between Dogtag and Apache proxy commit #8221

  • Tighten permissions on PKI proxy configuration commit #8221

  • Azure Pipelines: re-enable nodejs:12 stream for Fedora 31+ commit

  • kdb: make sure audit_as_req callback signature change is preserved commit #8200

  • adtrust: print DNS records for external DNS case after role is enabled commit #8192

  • Update Azure Pipelines to use Fedora 31 commit

  • install/updates: move external members past schema compat update commit #8193

  • Reset per-indicator Kerberos policy commit #8153

Anuja More (11)

  • Mark test to skip sssd-2.2.2 commit

  • ipatests: User and group with same name should not break reading AD user data. commit

  • ipatests: Added test when 2FA prompting configurations is set. commit

  • ipatests: SSSD should fetch external groups without any limit. commit

  • ipatests: Add test for ipa-extdom-extop plugin should allow @ in group name commit

  • Update topology for test_integration/test_sssd.py commit

  • After mounting “Unspecified GSS failure” should not be in logs. commit

  • Add xmlrpc test with input validation check for kerberos ticket policy. commit

  • Fix fedora version for xfail for sssd test commit

  • Add integration test for otp kerberos ticket policy. commit #8001

  • ipatests: filter_users should be applied correctly. commit

Christian Heimes (7)

  • Allow hosts to read DNS records for IP SAN commit #8098

  • Cleanup SELinux policy commit #6891

  • Integrate SELinux policy into build system commit

  • dnsrecord: Treat empty list arguments correctly commit #8196

  • Remove dependency on custodia package commit

  • Make assert_error compatible with Python 3.6 commit #8179

  • Print LDAP diagnostic messages on error commit

Dinesh Prasanth M K (1)

  • Adding auto COPR builds commit

François Cami (5)

  • ipa-restore: restart services at the end commit #8226

  • ipatests: make sure ipa-client-automount reverts sssd.conf commit #8190

  • ipa-client-automount: call save_domain() for each change commit #8190

  • ipatests: expect “Dynamic Update” and “Bind update policy” in default dnszone* output commit #7938

  • ipaserver/plugins/dns.py: add “Dynamic Update” and “Bind update policy” to default dnszone* output commit #7938

Florence Blanc-Renaud (16)

  • opendnssec2.1 support: move all ods tasks to specific file commit #8214

  • DnsSecMaster migration: move the call to zonelist export later commit #8214

  • Support OpenDNSSEC 2.1: new ods-signer protocol commit #8214

  • With opendnssec 2, read the zone list from file commit #8214

  • Remove the from opendnssec conf commit #8214

  • Support opendnssec 2.1.6 commit #8214

  • selinux policy: add the right context for org.freeipa.server.trust-enable-agent commit #7600

  • ipa-adtrust-install: remote command fails if ipa-server-trust-ad pkg missing commit #7600

  • ipatests: fix TestSubCAkeyReplication commit

  • ipatests: add test for ipa-adtrust-install --add-agents commit #7600

  • ipa-adtrust-install: run remote configuration for new agents commit #7600

  • Privilege: add a helper checking if a principal has a given privilege commit #7600

  • Part2: Don’t fully qualify the FQDN in ssbrowser.html for Chrome commit #8201

  • ipatests: fix modify_sssd_conf() commit

  • ipatests: fix backup and restore commit #8170

  • AD user without override receive InternalServerError with API commit #8163

Fraser Tweedale (4)

  • Do not renew externally-signed CA as self-signed commit #8176

  • ipatests: add test for certinstall with notBefore in the future commit #8142

  • Fix test regressions caused by certificate validation changes commit #8142

  • ipatests: assert_error: allow regexp match commit #8142

Gaurav Talreja (1)

  • Normalize test definitions titles commit

Isaac Boukris (2)

  • Fix legacy S4U2Proxy in DAL v8 support commit

  • Fix DAL v8 support commit

Jayesh (3)

  • Test for ipa-ca-install on replica commit

  • Test ipa-getkeytab quiet mode, encryptions commit

  • Test if ipactl starts services stopped by systemctl commit

Kaleemullah Siddiqui (1)

  • Tests for backup-restore when pkg required is missing commit #7630

Mohammad Rizwan Yusuf (6)

  • Test if getcert creates cacert file with -F option commit #8105

  • Move wait_for_request() method to tasks.py commit

  • Test if server installer lock Bind9 recursion commit #8079

  • Add certmonger wait_for_request that uses run_command commit

  • Test if certmonger reads the token in HSM commit

  • Test AES SHA 256 and 384 Kerberos enctypes enabled commit #8110

Rob Crittenden (7)

  • Move execution of ipa-healthcheck to a separate function commit

  • Fix div-by-zero when svc weight is 0 for all masters in location commit #8135

  • Don’t fully qualify the FQDN in ssbrowser.html for Chrome commit #8201

  • Add tests for ipa-cacert-manage delete command commit #8124

  • ipa-certupdate removes all CA certs from db before adding new ones commit #8124

  • Add delete option to ipa-cacert-manage to remove CA certificates commit #8124

  • Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit commit #8164

Robbie Harwood (6)

  • Drop support for DAL version 5.0 commit

  • Support DAL version 8.0 commit

  • Handle the removal of KRB5_KDB_FLAG_ALIAS_OK commit

  • Fix several leaks in ipadb_find_principal commit

  • Use separate variable for client fetch in kdcpolicy commit

  • Make the coding style explicit commit

Stanislav Levin (24)

  • spec: Take the ownership over ‘/usr/libexec/ipa/custodia’ commit

  • Azure: Report elapsed time commit

  • Azure: Rebalance tests commit

  • Azure: Skip tests requiring external DNS commit

  • Azure: Free Docker resources after usage commit

  • Azure: Preliminary check for provided limits commit

  • Azure: Sync Gating definitions to current PR-CI commit

  • pylint: Run Pylint over Azure Python scripts commit #8202

  • Azure: Add support for testing multi IPA environments commit #8202

  • Azure: Don’t collect twice systemd_journal.log commit #8202

  • yamllint: Lint all the YAML files commit #8202

  • Azure: Make it possible to configure distro-specific stuff commit #8202

  • Azure: Allow to run integration tests commit #8202

  • Azure: Allow SSH for Docker environments commit #8202

  • Azure: Allow to not provide tests to be ignored commit #8202

  • ipatests: Allow zero-length arguments commit #8173

  • lint: Make Pylint-2.4 happy again commit #8116

  • pylint: Clean up comment commit #8116

  • pylint: Synchronize pylint plugin to ipatests code commit #8116

  • pylint: Teach Pylint how to handle request.context commit #8116

  • ipatests: Properly kill gpg-agent commit #7989

  • pytest: Warn about unittest/nose/xunit tests commit #7989

  • pytest: Migrate unittest/nose to Pytest fixtures commit #7989

  • pytest: Migrate xunit-style setups to Pytest fixtures commit #7989

Sergey Orlov (9)

  • ipatests: add test for SSSD updating expired cache items commit

  • ipatests: provide docstrings instead of improperly placed comments commit

  • ipatests: remove invalid parameter from sssd.conf commit #8219

  • ipatests: use remote_sssd_config to modify sssd.conf commit #8219

  • ipatests: replace utility for editing sssd.conf commit #8219

  • ipatests: update docstring to reflect changes in FileBackup.restore() commit

  • ipatests: add test_trust suite to nightly runs commit

  • ipatests: add check for output contents of ipa-client-samba commit #8149

  • ipatests: add test_winsyncmigrate suite to nightly runs commit

Sumedh Sidhaye (1)

  • Added a test to check if ipa host-find --pkey-only does not return SSH public key commit #8029

Serhii Tsymbaliuk (2)

  • WebUI tests: Fix broken reference to parent facet in table record check commit #8157

  • WebUI tests: Fix ‘Button is not displayed’ exception commit #8169

sumenon (3)

  • ipatests: check that ipa-healthcheck warns if no dna range is set commit

  • Nightly definition for ipa-healthcheck tool commit

  • Tier-1 test for ipa-healthcheck tool commit

Thomas Woerner (2)

  • ipaserver/plugins/hbacrule: Add HBAC to memberservice_hbacsvc* labels commit

  • DNS install check: Fix overlapping DNS zone from the master itself commit #8150

Vit Mojzis (3)

  • selinux: Remove obsolete memcached access commit

  • selinux: move BUILD_SELINUX_POLICY definition commit

  • Add freeipa-selinux subpackage commit