The FreeIPA team would like to announce the FreeIPA 4.8.9 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
Highlights in 4.8.9
5011: [RFE] Forward CA requests to dogtag or helper by GSSAPI
7137: [RFE]: Able to browse different links from IPA web gui in new tabs
8129: Tests: Replace paramiko with OpenSSH
Paramiko is not compatible with FIPS mode, therefore convert most tests to using ssh directly. The only non-converted test is the 2-prompt OTP test because sshpass does not support 2-prompt password authentication (https://pagure.io/freeipa/issue/8431).
8151: test_commands timing-out
Re-enable test_sss_ssh_authorizedkeys; add -v to ssh in order to get debug information if this test fails or stalls again. The test was run 16 times without a failure before re-enabling it.
8189: NIghtly test failure in test_integration/test_nfs.py::TestIpaClientAutomountFileRestore::test_nsswitch_backup_restore_sssd
Previously, ipa-client-installation saved the pre-install state using the “authselect current” command, and the uninstallation reverted to the same authselect state. In cases where the system was installed using authconfig instead of authselect, the uninstallation was unable to revert to the same state and picked the “sssd” authselect profile instead. Now, the client installation relies on the backup functionality of authselect and is able to revert to the exact pre-install state.
8304: [fed32] client-install does not properly set ChallengeResponseAuthentication yes in sshd conf
ipa-client-installation now writes the sshd configuration to the drop-in directory /etc/ssh/sshd_config.d/, in the 04-ipa.conf snippet, thus ensuring that the setting “ChallengeResponseAuthentication yes” takes precedence.
8335: [WebUI] manage IPA resources as a user from a trusted Active Directory domain
When users from trusted Active Directory domains have permissions to manage IPA resources, they can do so through a Web UI management console.
8374: EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in freeipa-client-epn
EPN did not ship any configuration file. This was an oversight, but the tool itself would work fine as it had sane defaults; moreover, the man page for the configuration file was present.
8391: Remove dnf workaround from test_epn.y
The new PR-CI images are cleaner and do not need the *epn* packages to be uninstalled/reinstalled.
8401: Create platform definitions for freeipa-container
ipaplatform now provides container platform flavors for freeipa/freeipa-container
8432: test failure in test_commands.py::TestIPACommand::test_login_wrong_password: AssertionError
Sometimes test_login_wrong_password fails because the log window the string message is searched in is too narrow. Broaden the window by looking at the past 10 seconds.
8444: EPN: enhance input validation
Various input validation checks were added to EPN.
8445: EPN: ‘[Errno 111] Connection refused’ when the SMTP is down
EPN now displays a proper message if the configured SMTP server cannot be contacted.
8449: EPN: enhance CLI option tests
EPN: enhance existing tests for --dry-run, --from-nbdays and --to-nbdays.
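For ticket 8304 above, the following added example (not FreeIPA or OpenSSH code) models why a 04-ipa.conf drop-in takes precedence: sshd keeps the first value it reads for a keyword, and Include globs expand in lexical order. The function names, the 50-distro.conf file and all file contents are constructed for illustration, and the parser is a simplified model of sshd_config.

```python
import glob
import os
import tempfile


def effective_value(config_path, keyword, base_dir="/etc/ssh"):
    """Return (value, file) for the first global occurrence of keyword.

    Simplified model of sshd_config: the first value seen wins, Include
    globs expand in lexical order, and lines after Match are conditional.
    """
    with open(config_path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.replace("=", " ", 1).split(None, 1)
            key = parts[0].lower()
            arg = parts[1].strip() if len(parts) > 1 else ""
            if key == "match":
                break  # rest of this file is conditional, not global
            if key == "include":
                for pattern in arg.split():
                    pattern = os.path.join(base_dir, pattern)  # absolute stays as-is
                    for path in sorted(glob.glob(pattern)):
                        found = effective_value(path, keyword, base_dir)
                        if found:
                            return found
            elif key == keyword.lower():
                return arg, os.path.basename(config_path)
    return None


def demo():
    """Resolve the setting in a constructed layout, Include first vs. last."""
    no = "ChallengeResponseAuthentication no\n"
    inc = "Include sshd_config.d/*.conf\n"
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "sshd_config.d"))
        files = {  # constructed sample content, not from a real host
            "sshd_config.d/04-ipa.conf": "ChallengeResponseAuthentication yes\n",
            "sshd_config.d/50-distro.conf": no,
            "include_first": inc + no,
            "include_last": no + inc,
        }
        for name, text in files.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(text)
        return [effective_value(os.path.join(root, n), "challengeresponseauthentication", root)
                for n in ("include_first", "include_last")]
```

The second result shows the caveat: the drop-in only wins when the Include line precedes any setting of the same keyword in the main file. On a live host, `sshd -T` reports the value sshd actually uses.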
Enhancements
Known Issues
Bug fixes
FreeIPA 4.8.9 is a stabilization release for the features delivered as a part of 4.8 version series.
There are more than 50 bug fixes, details of which can be seen in the list of resolved tickets below.
Upgrading
Upgrade instructions are available on Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.
Resolved tickets
#5011 (rhbz#1527185) [RFE] Forward CA requests to dogtag or helper by GSSAPI
#5628 webui: Unclear(UX) purpose of OTP field in password reset form on login
#7137 (rhbz#1484088) [RFE]: Able to browse different links from IPA web gui in new tabs
#8129 Tests: Replace paramiko with OpenSSH
#8151 test_commands timing-out
#8189 (rhbz#1810179) NIghtly test failure in test_integration/test_nfs.py::TestIpaClientAutomountFileRestore::test_nsswitch_backup_restore_sssd
#8300 Replace uglify-js with python3-rjsmin
#8304 [fed32] client-install does not properly set ChallengeResponseAuthentication yes in sshd conf
#8326 CVE-2020-10747
#8335 [WebUI] manage IPA resources as a user from a trusted Active Directory domain
#8336 [WebUI] “User attributes for SMB services” section always shown
#8364 Nightly test failure while establishing trust: Cannot find specified domain or server name
#8366 CA-less replica deployment fails with --setup-ca
#8367 IPA-EPN fails to build in ONLY_CLIENT mode
#8368 (rhbz#1846349) cannot issue certs with multiple IP addresses corresponding to different hosts
#8369 cert_find returns “CA not configured” in CA-less install
#8370 ipa-join does not set nshardwareplatform and nsosversion
#8371 Nightly test failure [testing_master_testing] in test_integration/test_idviews.py::TestCertsInIDOverrides
#8372 (rhbz#1849914) FreeIPA - Utilize 256-bit AJP connector passwords
#8374 (rhbz#1847999) EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in freeipa-client-epn
#8377 Nightly test failure (timeout) in test_caless_TestReplicaInstall
#8379 Nightly test failure [testing_master_pki] while installing CA replica
#8381 Nightly test failure in test_webui/test_loginscreen.py::TestLoginScreen::test_login_view
#8384 Provide reliable way to know if a server installation is complete
#8388 Make help() on plugins more useful
#8391 Remove dnf workaround from test_epn.y
#8395 selinux don’t audit rules deny fetching trust topology
#8396 [WebUI] Font type of “Enabled” column in user search facet wrong
#8399 certmonger attempts to add LWCA tracking requests on non-CA server.
#8400 sshd template file is installed in a wrong (server) location while used by the client side
#8401 Create platform definitions for freeipa-container
#8403 Add option to add ipaapi user as an allowed uid for ifp in /etc/sssd/sssd.conf when running ipa-replica-install
#8407 Support changelog integrated into main database
#8412 (rhbz#1857157) AVC: httpd cannot connect to ipa-custodia.sock
#8413 Nightly test failure in test_integration/test_replica_promotion.py::TestUnprivilegedUserPermissions::test_sssd_config_allows_ipaapi_access_to_ifp
#8414 Nightly test failure in test_integration/test_replica_promotion.py::TestReplicaPromotionLevel1::test_sssd_config_allows_ipaapi_access_to_ifp
#8416 [WebUI] Error while adding user ID overrides to group
#8419 Azure is reporting a slew of new no-member lint errors
#8425 Nightly test failure in test_cert.test_cert.TestInstallMasterClient (certmonger timeout)
#8428 [ipatests] fails due to new python-cryptography 3.0
#8429 Add fips-mode-setup to ipaplatform.paths
#8432 test failure in test_commands.py::TestIPACommand::test_login_wrong_password: AssertionError
#8435 [ipatests] failures due to new Pytest6.0 (pypi part)
#8437 unit tests for ipa-extdom-extop are failing in Fedora 33
#8439 Nightly test failure in test_integration/test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring
#8440 (rhbz#1863616) CA-less install does not set required permissions on KDC certificate
#8441 (rhbz#1870202) File permissions of /etc/ipa/ca.crt differ between CA-ful and CA-less
#8442 [pylint] warnings/errors against pylint 2.5.3
#8444 (rhbz#1866291) EPN: enhance input validation
#8445 (rhbz#1863079) EPN: ‘[Errno 111] Connection refused’ when the SMTP is down
#8447 Nightly test failure in test_integration/test_ipahealthcheck/TestIpaHealthCheckWithoutDNS
#8449 (rhbz#1866291) EPN: enhance CLI option tests
#8456 Need new aci’s for the new replication changelog entries
#8459 [upgrade] handle missing openssh-clients
#8461 [ALTLinux] server uninstall error on missing /var/lib/samba
#8463 Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring
#8464 Increase replication changelog trimming interval
Detailed changelog since 4.8.8
Armando Neto (4)
Alexander Bokovoy (10)
Become FreeIPA 4.8.9 commit
ipa-4-8: Add new contributors commit
ipa-4-8: update po/ipa.pot commit
Add alternative email to the mailmap for myself commit
extdom-extop: refactor tests to use unshare+chroot to override nss_files configuration commit #8437
selinux: support running ipa-custodia with PrivateTmp=yes commit #8395
selinux: allow oddjobd to set up ipa_helper_t context for execution commit #8395
Get back to git snapshots commit
Become FreeIPA 4.8.8 commit
VERSION: back to git snapshots commit
Anuja More (5)
ipatests: cleanup in test_subdomain_lookup_with_certmaprule_containing_dn commit
ipatests: xfail test with older versions of sssd commit
ipatests : Test to verify override_gid works with subdomain. commit
ipatests: xfail test with older versions of sssd commit
ipatests: Test that trusted AD users should not lose their AD domains. commit
Alexander Scheel (3)
Peter Keresztes Schmidt (7)
WebUI: Unify adapter property definition for state evaluators commit #8336
WebUI: Make object_class_evaluator evaluator compatible with batch responses commit #8336
Populate nshardwareplatform and nsosversion during join operation commit #8370
WebUI: Fix rendering of boolean_status_formatter commit #8396
Unify spelling of “One-Time Password” commit
WebUI: reword OTP info message displayed during PW reset commit #5628
WebUI: move OTP to be the last field in the PW reset form commit #5628
Christian Heimes (17)
François Cami (28)
ipatests: test_epn: add test_EPN_connection_refused commit #8445
IPA-EPN: fix configuration file typo commit
IPA-EPN: Use a helper to retrieve LDAP attributes from an entry commit
ipatests: test_epn: test_EPN_nbdays enhancements commit #8449
ipatests: test_otp: convert test_2fa_enable_single_prompt to run_ssh_cmd commit #8129
ipatests: ui_driver: convert run_cmd_on_ui_host to tasks.py::run_ssh_cmd commit #8129
ipatests: test_commands: test_login_wrong_password: Paramiko=>OpenSSH commit #8129
ipatests: test_commands: test_ssh_from_controller: Paramiko=>OpenSSH commit #8129
ipatests: test_commands: test_ssh_from_controller: refactor commit #8129
ipatests: test_user_permissions: test_selinux_user_optimized Paramiko=>OpenSSH commit #8129
ipatests: test_commands: test_ssh_key_connection: Paramiko=>OpenSSH commit #8129
ipatests: test_commands: test_login_wrong_password: look farther in time commit #8432
ipatests: re-enable test_sss_ssh_authorizedkeys commit #8151
ipatests: xfail TestIpaClientAutomountFileRestore’s final test commit #8189
ipatests: remove dnf workaround from test_epn.py commit #8391
ipatests: display SSSD kdcinfo in test_adtrust_install.py commit
ipatests: increase test_caless_TestReplicaInstall timeout commit #8377
ipatests: ipa_epn: uninstall/reinstall ipa-client-epn commit #8374
ipatests: check that EPN’s configuration file is installed. commit #8374
man pages: fix epn.conf.5 and ipa-epn.1 formatting commit
.mailmap: add fcami commit
Florence Blanc-Renaud (20)
ipatests: remove xfail from test_dnssec commit
ipatests: fix TestIpaHealthCheckWithoutDNS failure commit #8447
ipatests: fix test_ipahealthcheck.py::TestIpaHealthCheck commit #8439
ipatests: increase test_trust timeout commit
ipatests: check KDC cert permissions in CA less install commit #8440
CAless installation: set the perms on KDC cert file commit #8440
ipa-client-install: use the authselect backup during uninstall commit #8189
Bump requires for selinux-policy commit
ipatests: fix the method adding ifp to sssd.conf commit #8371
Unify spelling of “One-Time Password” (take 2) commit #5628, #8381
ipa-client-install: use sshd drop-in configuration commit #8304
ipatests: add a test for ipa-replica-install --setup-ca --http-cert-file commit #8366
ipa-replica-install: --setup-ca and *-cert-file are mutually exclusive commit #8366
ipatests: fix the disable_dnssec_validation method commit #8364
Fraser Tweedale (5)
Jeremy Frasier (2)
Kaleemullah Siddiqui (1)
Tests for fake_mname parameter setup commit
Michal Polovka (2)
Mark Reynolds (3)
Mohammad Rizwan (3)
Petr Voborník (2)
Rob Crittenden (23)
ipatests: stop the CA during healthcheck expiration test commit #8463
IPA-EPN: Test that EPN can be install, uninstalled and re-installed commit
Added negative test case for --list-sources option commit
ipatests: CLI validation of ipa-healthcheck command commit
IPA-EPN: Test that users without givenname and/or mail are handled commit
Update check_client_configuration to use new client fact commit #8384
Don’t use the has_files() to know if client/server is configured commit #8384
Create a common place to retrieve facts about an IPA installation commit #8384
Simplify determining if IPA client configuration is complete commit #8384
Simplify determining if an IPA server installation is complete commit #8384
ipatests: Check permissions of /etc/ipa/ca.crt new installations commit #8441
Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations commit #8441
ipatests: Test healthcheck revocation checker commit
ipatests: Use healthcheck namespacing in stopped server test commit
ipatests: lib389 is now providing healthchecks, update naming commit
ipatests: Add healthcheck test for FileSystemSpaceCheck commit
ipatests: verify that all services can be detected by healthcheck commit
ipatests: Test that healthcheck detects and reports expiration commit
ipatests: Test cases for healthcheck File checker(s) commit
Replace SSLCertVerificationError with CertificateError for py36 commit
Add fips-mode-setup to ipaplatform.paths to determine FIPS status commit #8429
Stanislav Levin (9)
spec: Move ipa-cldap plugin out to freeipa-server-trust-ad package commit
uninstall: Don’t fail on missing /var/lib/samba commit #8461
rpm-spec: Don’t fail on missing /etc/ssh/ssh_config commit #8459
ipatests: Skip keyring tests on containerized platforms commit
Azure: Switch to dockerhub provider commit
ipatests: Add compatibility against python-cryptography 3.0 commit #8428
ipatests: Don’t turn Pytest IPA deprecation warnings into errors commit #8435
Sergey Orlov (1)
Fix password file permission commit
Serhii Tsymbaliuk (5)
WebUI tests: Add test case to cover user ID override feature commit #8416
WebUI: Fix error “unknown command ‘idoverrideuser_add_member’” commit #8416
WebUI tests: Change navigation tests to find menu items using data-name instead of href commit #7137
WebUI: Fix issue with opening links in new tab/window commit #7137
WebUI: Fix “IPA Error 3007: RequirmentError” while adding idoverrideuser association commit #8335
sumenon (9)
Modified YAML files to include healthcheck externalCA tests commit
ipatests: Tests for ipahealthcheck tool with IPA external commit
ipatests: Test IPACertNSSTrust check when trust attributes is modified for specific cert commit
ipatests: Test to check IPACAChainExpirationCheck when IPA cacrt is renamed commit
ipatests: Increase timeout value in test_getcert_list_profile_using_subca commit
ipatests: Test for ipa-nis-manage CLI tool. commit
ipatests: Tests to check profile is displayed for getcert request. commit
Modified YAML to include healthcheck IPA-AD trust scenario commit
ipatests: Tests to check ipahealthcheck tool with IPA-AD trust scenario commit
Zdenek Pytela (1)
Allow ipa-adtrust-install restart sssd and dirsrv services commit