Ctrl+K

Highlights in 4.9.3

The FreeIPA team would like to announce FreeIPA 4.9.3 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.9.3#

Bug fixes#

FreeIPA 4.9.3 is a stabilization release for the features delivered as a part of 4.9.0 version series.

There are more than 30 bug-fixes since FreeIPA 4.9.2 release. Details of the bug-fixes can be seen in the list of resolved tickets below.

Upgrading#

Upgrade instructions are available on Upgrade page.

Feedback#

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.

Resolved tickets#

  • #7885 (rhbz#1690191) RFE: wrapper for Dogtag cert-fix command

  • #8155 Enhance error message for adding non-posix groups with a GID

  • #8244 The help for the –otp flag in “ipa passwd” could be clearer

  • #8423 Multiple permitopen in SSH-key

  • #8496 [Tracker] Multiple nightly test failures in test_dnssec, test_backup_and_restore and test_dns_locations

  • #8506 (rhbz#1930038) Nightly failure in ipa-server-install –uninstall: org.freedesktop.DBus.Error.NoReply

  • #8530 (rhbz#1859185) Running ipa-server-install fails on machine where libsss_sudo is not installed

  • #8550 (rhbz#1902173) Uninstallation of server with KRA diplays error but proceeds successfully (unable to access security domain)

  • #8553 Random failure in test_backup_and_restore.py::TestBackupRoles::test_rolecheck_Trust

  • #8565 Remove duplication in pkispawn exception output

  • #8600 ipa-cert-fix unable to fix certs no named ‘Server-cert’

  • #8605 (rhbz#1903250) backtrace using ipa-replica-manage

  • #8636 (rhbz#1923900) Samba on IdM member failure

  • #8654 DNSSEC key synchronization issues

  • #8669 Reduce difference between upstream and downstream releases

  • #8681 krb5kdc dumped core

  • #8695 Nightly failure in test_dnssec.py::TestInstallDNSSECFirst::test_resolvconf (fed33)

  • #8703 DNS resolvers issues in IPA tests

  • #8705 server installation fails against 389-ds 1.4.3.19

  • #8715 (rhbz#1924707) Establishing trust with AD domain using shared secret fails in FIPS mode

  • #8718 (rhbz#1928854) ipa-server-install ignores –zonemgr parameter

  • #8720 New pylint failures reported for inconsistent-return-statements

  • #8721 (rhbz#1779984) The ipa-cert-fix command failed. [Errno 2] No such file or directory: ‘/etc/pki/pki-tomcat/certs/27-renewed.crt’

  • #8725 Nightly test failure in test_cert

  • #8728 Random nightly test failure in test_commands.py::TestIPACommand::test_ssh_key_connection

  • #8735 ccache-sweeper removes valid ccaches

  • #8737 [ipatests] `test_source_ipahealthcheck_ipa_host_check_ipahostkeytab` fails against krb5 1.19.1

  • #8743 (rhbz#1922781) Inconsistent nsaccountlock field type in api response

  • #8747 Nightly failure in test_sssd.py::TestSSSDWithAdTrust::test_is_user_filtered

  • #8753 Adopt redhat ipaplatform to RHEL 9/ELN and RHEL 7/8 split

  • #8759 RFE: Extend logging to include execution time

  • #8768 rpmlint should be optional for fastcheck, devcheck and lint make targets

  • #8772 pylint 2.7.0-2.7.2 introduces new warnings

  • #8779 Nightly test failure (updates-testing) in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_riplugincheck

  • #8780 RFE: Reduce number of LDAP operations during sudorule-mod

  • #8781 test_ipaserver/test_jsplugins.py::test_jsplugins::test_jsplugins fails in server-less environments

Detailed changelog since 4.9.2#

Armando Neto (1)#

  • ipatests: Update gating to Fedora 33 commit

Alexander Bokovoy (10)#

  • Become FreeIPA 4.9.3 commit

  • Update list of contributors commit

  • Update ipa.pot translations file commit

  • freeipa.spec: synchronize with Fedora for 389-ds and PKI versions commit #8705

  • ipa-kdb: mark test functions as static commit

  • ipa-kdb: reformat ipa_kdb_certauth commit

  • ipa-kdb: add missing prototypes commit

  • ipa-kdb: fix compiler warnings commit

  • ipa-kdb: do not use OpenLDAP functions with NULL LDAP context commit #8681

  • Back to git commits commit

Antonio Torres (11)#

  • sudorule: reduce number of LDAP searches during modification commit #8780

  • ipa passwd: make help for `–otp` option clearer commit #8244

  • ipatests: add test for multiple permitopen entries in SSH keys commit

  • Allow multiple permitopen/permitlisten in SSH keys commit #8423

  • ipatests: add test for group creation with GID and nonposix option commit

  • Enhance error message when adding non-posix group with a GID commit #8155

  • ipatests: expect boolean type for nsaccountlock in user module commit #8743

  • Return nsaccountlock in user-add as boolean commit #8743

  • Extend logging to include execution time commit #8759

  • ipatests: check that zonemgr is set correctly during server install commit #8718

  • ipaserver: don’t ignore zonemgr option on install commit #8718

Alexander Scheel (1)#

  • Handle multiple AJP adapters during upgrade commit

François Cami (10)#

  • ipatests: check for the “no sudo present” string absence commit #8530

  • ipa-client-install: output a warning if sudo is not present (2) commit #8530

  • ipa-csreplica-manage, ipa-replica-manage: refactor commit #8605

  • ipalib/util.py: add print_replication_status commit

  • ipa-replica-manage: handle missing attributes commit #8605

  • ipa-replica-manage: always display nsds5replicalastinitstatus commit #8605

  • freeipa.spec: client: depend on libsss_sudo and sudo commit #8530

  • ipa-client-install: output a warning if sudo is not present commit #8530

  • ipatests: tasks: handle uninstalling packages with nodeps commit

  • ipatests: add TestInstallWithoutSudo commit #8530

Florence Blanc-Renaud (11)#

  • ipatests: update expected message commit #8779

  • Adapt redhat ipaplatform to RHEL9/ELN commit #8753

  • ipatests: fix TestInstalDNSSECFirst::test_resolvconf logic commit #8695

  • ipatests: re-add test_dnssec.py::TestInstallDNSSECFirst in gating commit #8496

  • ipatests: filter_users belongs to nss section commit #8747

  • dnssec: concurrency issue when disabling old replica key commit #8654

  • dnssec: fix ipa-ods-exporter crash when master key missing commit #8654

  • ipatests: use whole date when calling journalctl –since commit #8728

  • freeipa.spec: bump the required version of 389ds commit #8496

  • ipatests: Update PRCI templates for ipa-4-9 commit

  • pylint: fix inconsistent-return-statements commit #8720

Fraser Tweedale (1)#

  • ipa-cert-fix: improve handling of ‘pki-server cert-fix’ failure commit #8721

Jan Pazdziora (1)#

  • Avoid comparing ‘max’ with ‘maxn’. commit

Kaleemullah Siddiqui (1)#

  • ipatests: error message check in uninstall log for KRA commit #8550

Mohammad Rizwan (7)#

  • ipatests: Don’t rely on certmonger’s assigned request id commit #8725

  • ipatests: Enable certbot test on rhel commit

  • ipatests: introduce wait_for_replication in test_rolecheck_Trust commit #8553

  • ipatests: update nightly definition for ipa_cert_fix suite commit

  • ipatests: Test if ipa-cert-fix renews expired certs with kra installed commit #7885

  • Move fixture outside the class and add setup_kra capability commit

  • ipatests: Test if ipa-cert-fix renews expired certs commit #7885

Rob Crittenden (11)#

  • Increase timeout for TestIpaHealthCheck to 5400s commit #8506

  • Uninstall without starting the CA in cert expiration test commit #8506

  • ipatests: Test secure_ajp_connector works with multiple connectors commit

  • Allow overriding is_newer_tomcat_version() commit

  • Don’t renew non-IPA issued certs in ipa-cert-fix commit #8600

  • Set pki-core dependency to 10.3.3 for pki-server cert-fix bug commit

  • ipatests: test third-party 389-ds cert with ipa-cert-fix commit #8600

  • ipa-cert-fix: Don’t hardcode the NSS certificate nickname commit #8600

  • Remove a remaining file used with csrgen commit #8669

  • Don’t double-report any errors from pki-spawn failures commit #8565

  • Suppress error message if the CRL directory doesn’t exist commit #8565

Stanislav Levin (16)#

  • ipatests: Skip test_jsplugins in server less environments commit #8781

  • Azure: Run Lint task as separate job commit #8772

  • pylint: Fix several warnings commit #8772

  • Azure: Don’t install pypi’s docker commit

  • Azure: Disable AppArmor profile for chrony commit

  • Azure: Warn about Host’s AVC and SECCOMP commit

  • Azure: Collect Host’s systemd journal commit

  • Azure: Run chronyd in Docker commit

  • Azure: Template docs build commit

  • Azure: Show disk usage commit

  • Azure: Make it possible to pass additional Pytest args commit

  • Azure: Run rpmlint on Fedora commit #8768

  • configure: Make rpmlint optional commit #8768

  • ipatests: Fix expectation about GSS error in test for healthcheck commit #8737

  • cleanup: Drop never used path for httpd’s ccache commit

  • ccache_sweeper: Add gssproxy service commit #8735

Sergey Orlov (16)#

  • ipatests: log command spawned by pexpect commit

  • ipatests: allocate pseudo-terminal only for specific command commit

  • ipatests: update prci definitions for test_http_kdc_proxy commit

  • ipatests: add test for kdcproxy handling reply split to several TCP packets commit

  • ipatests: return result of kinit_as_user, pass raiseonerr parameter commit

  • ipatests: use proper template for TestMaskInstall commit

  • ipatests: do not configure nameserver when installing client and replica commit #8703

  • ipatests: always try to create A records for hosts in IPA domain commit #8703

  • ipatests: mock resolver factory commit #8703

  • ipatests: disable systemd-resolved cache commit #8703

  • ipatests: do not manually modify /etc/resolv.conf in tests commit #8703

  • ipatests: setup resolvers during replica and client installations commit #8703

  • ipatests: add utility for managing domain name resolvers commit #8703

  • ipatests: collect config files for NetworkManager and systemd-resolved commit #8703

  • ipatests: test Samba mount with NTLM authentication commit #8636

  • ipatests: skip tests for AD trust with shared secret in FIPS mode commit #8715

Sudhir Menon (1)#

  • ipatests: Test to check sosreport collects healthcheck.log file commit

Troy Dawson (1)#

  • platform-python only on RHEL8 commit

Thorsten Scherf (2)#

  • Update 10-ssh-key-management.rst commit

  • Fix lgtm file classification commit

Contents