The FreeIPA team would like to announce FreeIPA 4.9.1 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
Highlights in 4.9.1
3226: [RFE] ipa sudorule-add-user should accept more types of characters
IPA now supports adding users and groups from trusted Active Directory domains to SUDO rules, including as runAsUser/runAsGroup values, without an intermediate non-POSIX group membership.
7599: Leading / trailing white spaces in password are disallowed
Leading and trailing whitespace is now allowed in passwords set through IPA commands; it was already allowed via Kerberos and LDAP.
7676: ipa-client-install changes system wide ssh configuration
The ProxyCommand wrapper is skipped in the SSH configuration when the user's shell is /sbin/nologin, so that automated tools operate as expected.
8528: Use separate logs for AD Trust and DNS installer
ipa-adtrust-install and ipa-dns-install commands now log their activity into separate log files.
8618: ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg
The ipa-cert-fix tool now handles situations where a CSR is missing from Dogtag's CA/KRA CS.cfg configuration files; the configuration file is updated with the CSR tracked by Certmonger.
8634: Install of CA fails on CentOS 8 Stream with pki-core 10.9
IPA will not deploy the ACME service if the Dogtag PKI version is known not to provide a complete service. Complete ACME support requires Dogtag 10.10.0 or later.
8635: Memory availability detection does not work with cgroupsv2 environment
Containerized environments on Linux with cgroup v2 are now recognized and supported.
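The cgroup v2 fix above matters because the two cgroup generations report a memory limit in different ways: cgroup v1 exposes memory.limit_in_bytes and signals "no limit" with a huge number, while cgroup v2 exposes memory.max and signals "no limit" with the literal string max. A checker that only knows v1 finds no file on a v2 host and either fails or falls back to the host's MemTotal, which is wrong inside a memory-limited container. The following is an added example, not FreeIPA's own installer code; the file paths are the usual systemd mount points and the unlimited threshold for v1 is an assumption.

```python
"""
Added example (not FreeIPA code): compute the memory actually available to a
process by capping MemTotal with whichever cgroup limit is present,
handling both cgroup v1 and cgroup v2.
"""
import re
from typing import Optional

# cgroup v2 exposes a single "memory.max" file; the literal string "max" means no limit.
CGROUP_V2_MEMORY_MAX = "/sys/fs/cgroup/memory.max"
# cgroup v1 exposes "memory.limit_in_bytes"; "no limit" is reported as a very
# large number rather than a keyword.
CGROUP_V1_MEMORY_LIMIT = "/sys/fs/cgroup/memory/memory.limit_in_bytes"

# Assumption: any v1 value at or above this is the kernel's "no limit" sentinel,
# not a real limit an administrator configured.
V1_UNLIMITED_THRESHOLD = 2 ** 62


def parse_meminfo_total_kib(meminfo_text: str) -> int:
    """Return MemTotal in KiB from /proc/meminfo-style text."""
    m = re.search(r"^MemTotal:\s+(\d+)\s+kB$", meminfo_text, re.MULTILINE)
    if not m:
        raise ValueError("MemTotal not found in meminfo text")
    return int(m.group(1))


def parse_cgroup_limit(raw: Optional[str], version: int) -> Optional[int]:
    """
    Translate the raw contents of a cgroup memory limit file into bytes.
    Returns None when the file is absent or the cgroup imposes no limit.
    """
    if raw is None:
        return None
    value = raw.strip()
    if version == 2:
        return None if value == "max" else int(value)
    if version == 1:
        limit = int(value)
        return None if limit >= V1_UNLIMITED_THRESHOLD else limit
    raise ValueError(f"unsupported cgroup version {version}")


def available_memory_bytes(meminfo_text: str, v2_raw: Optional[str],
                           v1_raw: Optional[str]) -> int:
    """
    Effective memory for the process: host MemTotal capped by the first
    cgroup limit found. cgroup v2 is consulted first because a v2 host may
    still mount a v1 compatibility hierarchy.
    """
    total = parse_meminfo_total_kib(meminfo_text) * 1024
    for raw, version in ((v2_raw, 2), (v1_raw, 1)):
        limit = parse_cgroup_limit(raw, version)
        if limit is not None:
            return min(total, limit)
    return total


def _read(path: str) -> Optional[str]:
    """Read a file, returning None if it does not exist (e.g. wrong cgroup version)."""
    try:
        with open(path, encoding="ascii") as f:
            return f.read()
    except OSError:
        return None


def detect_on_this_host() -> int:
    """Run the detection against the real files on the current Linux host."""
    return available_memory_bytes(_read("/proc/meminfo") or "MemTotal: 0 kB",
                                  _read(CGROUP_V2_MEMORY_MAX),
                                  _read(CGROUP_V1_MEMORY_LIMIT))


# Constructed sample input (not captured from a real system): a 16 GB host.
SAMPLE_MEMINFO = "MemTotal:       16384000 kB\nMemFree:         1024000 kB\n"

if __name__ == "__main__":
    print("v2, 2 GiB limit:", available_memory_bytes(SAMPLE_MEMINFO, "2147483648\n", None))
    print("v2, unlimited:  ", available_memory_bytes(SAMPLE_MEMINFO, "max\n", None))
    print("v1, 1 GiB limit:", available_memory_bytes(SAMPLE_MEMINFO, None, "1073741824\n"))
```

The ordering in available_memory_bytes is the design point: checking memory.max first means a container on a cgroup v2 host is recognized even when a legacy v1 hierarchy is also mounted, and treating "max" as "no limit" rather than as a parse error is what keeps the check from failing on an unrestricted v2 host.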
8644: ipa-certupdate drops profile from the caSigningCert tracking
The ipa-certupdate tool now honors the CA profile specified in the certificate request it tries to update.
8646: permission-mod attrs, includedattrs and excludedattrs issues
Managed permission commands now properly roll back changes if a generated ACI has incorrect syntax.
8655: Allow to establish trust to Active Directory in FIPS mode
When IPA is deployed in FIPS mode, it is now possible to establish a trust to an Active Directory forest.
8659: ipa-kdb: provide correct logon time in MS-PAC from authentication time
Trust to Active Directory support was improved to be more compatible with AD DC queries: groups are looked up via LSA RPCs, user principal name lookups are allowed, and PAC record generation is more complete.
Enhancements
Known Issues
Bug fixes
FreeIPA 4.9.1 is a stabilization release for the features delivered as a part of 4.9 version series.
There are more than 30 bug fixes since the FreeIPA 4.9.1 release. Details of the bug fixes can be seen in the list of resolved tickets below.
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.
Resolved tickets
#3226 (rhbz#871208) [RFE] ipa sudorule-add-user should accept more types of characters
#7599 (rhbz#1593745) Leading / trailing white spaces in password are disallowed
#7676 (rhbz#1544379) ipa-client-install changes system wide ssh configuration
#8501 Unify how FreeIPA gets FQDN of current host
#8508 Nightly failure (ipa-4-8/master, enforcing mode) in ipa trust-add
#8519 Fedora container platform is incomplete
#8524 (rhbz#1851835) Deploy & manage the ACME service topology wide from a single system
#8528 Use separate logs for AD Trust and DNS installer
#8576 (rhbz#1728015) ipasam: derive parent domain for subdomains automatically
#8584 ACME communication with dogtag REST endpoints should be using the cookie it creates
#8589 (rhbz#1812871) Intermittent IdM Client Registration Failures
#8596 (rhbz#1895197) improve IPA PKI subsystem detection by other means than a directory presence, use pki-server subsystem-find
#8602 Nightly failure in test_acme.py::TestACME::test_certbot_certonly_standalone: An unexpected error occurred:
#8614 Remove ca.crt from the system-wide store on uninstall
#8618 (rhbz#1780782) ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg
#8631 Nightly failure (389ds master branch) in test_commands.py::TestIPACommand::test_ipa_nis_manage_enable_incorrect_password
#8634 (rhbz#1913089) Install of CA fails on CentOS 8 Stream with pki-core 10.9
#8635 Memory availability detection does not work with cgroupsv2 environment
#8644 (rhbz#1912845) ipa-certupdate drops profile from the caSigningCert tracking
#8646 permission-mod attrs, includedattrs and excludedattrs issues
#8650 Updated dnspython-2.1.0 causes a test failure
#8653 Nightly test failure in test_integration/test_upgrade.py::TestUpgrade::()::test_kra_detection
#8655 (rhbz#1860129) Allow to establish trust to Active Directory in FIPS mode
#8656 Use client keytab for 389ds
#8658 Value stored to ‘krberr’ is never read in ipa-rmkeytab.c
#8659 ipa-kdb: provide correct logon time in MS-PAC from authentication time
#8660 ipasam: implement PASSDB getgrnam call
#8661 ipasam: allow search of users by user principal name (UPN)
#8662 Nightly test failure (rawhide) in test_ipahealthcheck.py::TestIpaHealthCheckFileCheck::test_ipa_filecheck_bad_owner
#8664 Nightly test failure (fed33, rawhide) in ipa trust-add --external=True
#8668 (rhbz#1915471) Nightly failure in (f33+updates-testing) test_trust.py::TestTrust::test_ipa_commands_run_as_aduser
#8670 Nightly failure (fed33) in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_encryption
#8674 test_ipahealthcheck divides KiB by 1000
#8678 Nightly failure (master) in test_trust.py::TestTrust::test_establish_forest_trust_with_shared_secret
#8682 [ipatests] TestIPACommand.test_login_wrong_password time to time fails
Detailed changelog since 4.9.1
Armando Neto (1)
ipatests: Update PR-CI definitions for ipa-4-9 commit
Alexander Bokovoy (30)
Become FreeIPA 4.9.1 commit
Force-update translation po/uk.po commit
Force-update translation po/ipa.pot commit
Force-update translation po/hu.po commit
Force-update translation po/de.po commit
Update contributors list commit
baseldap: allow rejecting unknown objects instead of adding to an external attr commit #3226
ipatests: when talking to AD DCs, use FQDN credentials commit #8678
test_trust: add tests for using AD users and groups in SUDO rules commit #3226
ipatests: fix test_sudorule_plugin’s wrong argument use commit #3226
sudorule runAs: allow to add users and groups from trusted domains directly commit #3226
sudorule-add-user: allow to reference users and groups from trusted domains directly commit #3226
idviews: add extended validator for users from trusted domains commit #3226
baseldap: when adding external objects, differentiate between them and failures commit #3226
baseldap: refactor validator support in add_external_pre_callback commit #3226
Add design document for using AD users/groups in SUDO rules commit #3226
use a constant instead of /var/lib/sss/keytabs commit
trust-fetch-domains: use custom krb5.conf overlay for all trust operations commit #8655, #8664
ipaserver/dcerpc: store forest topology as a blob in ipasam commit #8576
ipasam: derive parent domain for subdomains automatically commit #8576
ipasam: allow search of users by user principal name (UPN) commit #8661
ipa-kdb: provide correct logon time in MS-PAC from authentication time commit #8659
ipaserver/dcerpc.py: enforce SMB encryption on LSA pipe if available commit #8655
ipaserver/dcerpc.py: use Kerberos authentication for discovery commit #8655
ipaserver/dcerpc: use Samba-provided trust helper to establish trust commit #8655
ipatests: fix race condition in finalizer of encrypted backup test commit
ipaplatform: add constant for systemd-run binary commit
Get back to git snapshots commit
Antonio Torres (2)
Antonio Torres Moríñigo (2)
Christian Heimes (1)
François Cami (1)
Florence Blanc-Renaud (12)
ipatests: fix discrepancies in nightly defs commit
ipatests: fix expected output for ipahealthcheck.ipa.files commit #8662
ipatests: fix healthcheck test for ipahealthcheck.ds.encryption commit #8670
ipatests: fix expected errmsg in TestTrust::test_ipa_commands_run_as_aduser commit #8668
ipatest: fix test_upgrade.py::TestUpgrade::()::test_kra_detection commit #8596, #8653
ipatests: add test_ipa_cert_fix to the nightly definitions commit #8618
ipa-cert-fix: do not fail when CSR is missing from CS.cfg commit #8618
ipatests: clear initgroups cache in clear_sssd_cache commit
ipatests: fix expected error message in test_commands commit #8631
JoeDrane (1)
Update ipa_sam.c commit
Rob Crittenden (16)
ipatests: test the cgroup v2 memory restrictions commit #8635
Add support for cgroup v2 to the installer memory checker commit #8635
ipa-rmkeytab: Check return value of krb5_kt_(start|end)_seq_get commit #8658
ipa-rmkeytab: convert numeric return values to #defines commit #8658
ipa_pwd: Remove unnecessary conditional commit
ipa_kdb: Fix memory leak commit
ipa-kdb: Fix logic to prevent NULL pointer dereference commit
ipa-kdb: Change mspac base RID logic from OR to AND commit
Add missing break statement to password quality switch commit
Revert “Remove test for minimum ACME support and rely on package deps” commit #8634
ipatests: See if nologin supports -c before asserting message commit #7676
ipatests: test that modifying a permission attrs handles failure commit #8646
Remove virtual attributes before rolling back a permission commit #8646
ipatests: test that no errors are reported after ipa-certupdate commit #8644
Don’t change the CA profile when modifying request in ipa_certupdate commit #8644