The FreeIPA team would like to announce FreeIPA 4.9.2 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Bug fixes

FreeIPA 4.9.2 is a stabilization release for the features delivered as a part of 4.9 version series.

There are more than 20 bug-fixes since FreeIPA 4.9.1 release. Details of the bug-fixes can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.

Resolved tickets

• #6739 Cannot login to replica’s WebUI

• #8404 Detect and fail if not enough memory is available for installation

• #8452 update samba configuration on IPA master to explicitly use ‘server role’ setting

• #8506 Nightly failure in ipa-server-install –uninstall: org.freedesktop.DBus.Error.NoReply

• #8533 Nightly failure in ipa-replica-install configuring renewals: DBusException: org.freedesktop.DBus.Error.NoReply

• #8550 (rhbz#1902173) Uninstallation of server with KRA diplays error but proceeds successfully (unable to access security domain)

• #8554 (rhbz#1891056) ipa-kdb: support subordinate/superior UPN suffixes

• #8588 The ‘ipactl status’ command exit code does not fail on a partial error

• #8630 (rhbz#1909876) Do not resolve user/group UID/GID in the service constructors

• #8636 (rhbz#1923900) Samba on IdM member failure

• #8647 (rhbz#1912556) Incorrect DNSKEY created when DNSSEC enabled for zone

• #8658 (rhbz#1924501) Value stored to ‘krberr’ is never read in ipa-rmkeytab.c

• #8669 Reduce difference between upstream and downstream releases

• #8675 Update failed: NSS is built without support of the legacy database(DBM)

• #8683 [ipatests] `test_ipa_dns_systemrecords_check` and `test_ipa_healthcheck_no_errors` fail in Azure Pipelines

• #8685 KDC cert has no SAN DNSname

• #8686 (rhbz#1922955) Resubmitting KDC cert fails with internal server error

• #8689 Add centos platform module

• #8690 Add a tool to control interactive programs on remote hosts in IPA tests

• #8699 (rhbz#1926699) avc denial for gpg-agent with systemd-run

• #8704 (rhbz#1926910) ipa cert-remove-hold returns an incorrect error message

• #8712 Support new baseURL config option for ACME

Detailed changelog since 4.9.1

Alexander Bokovoy (14)

• Back to git commits commit

• Become IPA 4.9.2 commit

• po: refresh translations to remove outdated strings commit

• po: update translations template commit

• test_installutils: run gpg-agent under a specific SELinux context commit #8699

• Force-update translation after FreeIPA to IPA change: po/fr.po commit

• Force-update translation after FreeIPA to IPA change: po/es.po commit

• Force-update translation po/id.po commit

• Force-update translation po/fr.po commit

• Force-update translation po/es.po commit

• Force-update translation po/de.po commit

• client: synchronize ignored return codes with ipa-rmkeytab commit #8658

• ipa-sam: return NetBIOS domain name instead of DNS one commit #8636

• Back to git commits commit

Antonio Torres (4)

• ipatests: test addition of invalid sudo command commit

• sudocmd: ensure command doesn’t contain trailing dot before adding it commit

• WebUI: change FreeIPA naming to IPA in About dialog commit #8669

• Update samba configuration on IPA master to explicitly use ‘server role’ setting commit #8452

Christian Heimes (4)

• configure: ipaplatform falls back to ID_LIKE commit #8689

• Don’t install csrgen extra dependencies commit #8669

• Ensure that KDC cert has SAN DNS entry commit #8685

• Fix cert_request for KDC cert commit #6739, #8686

Florence Blanc-Renaud (8)

• ipatests: update expected error message commit #8704

• xmlrpc tests: add a test for cert-remove-hold commit #8704

• cert plugin: propagate the error for non-existent cert commit #8704

• ipatests: ipactl status now exits with 3 when a service is stopped commit #8588

• ipatests: fix ipahealthcheck fixture _modify_permission commit

• OpenDNSSEC: fix timezone in key creation date commit

• ipatests: add a test for ZSK/KSK keytype in DNSKEY record commit #8647

• dnssec: fix the key type with OpenDNSSEC 2.1 commit #8647

Mohammad Rizwan (1)

• ipatests: Test if server setup without dns uninstall properly commit #8630

Rob Crittenden (20)

• Remove the option stop_certmonger from stop_tracking_* commit #8506, #8533

• Add some logging around initial ACME deployment commit #8712

• Add versions to the ACME config templates and update on upgrade commit #8712

• Set the ACME baseURL in order to pin a client to a single IPA server commit #8712

• Add RHEL 9 UI branding patch reference commit #8669

• Force-update translation after FreeIPA to IPA change: po/ipa.pot commit

• Remove references to rjsmin in UI compile.sh commit #8669

• Remove support for csrgen commit #8669

• Change FreeIPA references to IPA and Identity Management commit #8669

• ipatests: Handle non-zero return code in test_ipactl_scenario_check commit #8550

• Add exit status to the ipactl man page commit #8550

• Ensure IPA is running (ideally) before uninstalling the KRA commit #8550

• ipactl: support script status 3, program is not running commit #8588

• Use the new API introduced in PKI 10.8 commit

• Change CA profile migration message from info to debug commit

• Only build the UI with uglifyjs on RHEL 8 commit #8669

• Provide more detailed logging around memory detection commit #8404

• ipatests: Update NSSDatabase DBM test on non-DBM-capable installs commit #8675

• Ignore database errors when trying to extract ipaCert on upgrade commit #8675

• Report the NSS database directory if it cannot be opened commit #8675

Stanislav Levin (3)

• rpm-spec: Require crypto-policies-scripts commit

• ipatests: Handle AAAA records in test_ipa_dns_systemrecords_check commit #8683

• Azure: Populate containers with self-AAAA records commit #8683

Sergey Orlov (5)

• ipatests: use pexpect to control inetractive session of ipa-adtrust-install commit #8690

• ipatests: use pexpect to invoke ktutil commit #8690

• ipatests: add a tests-oriented wrapper for pexpect module commit #8690

• ipatests: rewrite test for requests routing to subordinate suffixes commit #8554

• fix collecting log files which are symlinks commit

Thorsten Scherf (1)

• man: fix ipa-client-samba.1 typos commit