The FreeIPA team would like to announce FreeIPA 4.9.4 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.9.4

• 2575: [RFE] Installer wizard should prompt for DNS

  The prompting during the server installation was enhanced to ask whether user wants to install the DNS component.

---

• 8807: [RFE] IPA to allow setting a new range type.

  A new option was added to define how private groups represented in ID ranges of trusted Active Directory domains. More details can be found in the design document: https://freeipa.readthedocs.io/en/latest/designs/adtrust/auto-private-groups.html

Enhancements

Known Issues

Bug fixes

FreeIPA 4.9.4 is a stabilization release for the features delivered as a part of 4.9.0 version series.

There are more than 40 bug-fixes since FreeIPA 4.9.3 release. Details of the bug-fixes can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.

Resolved tickets

• #2575 (rhbz#952756) [RFE] Installer wizard should prompt for DNS

• #2692 (rhbz#817071) ipa-server-install ignores –hostname

• #4011 (rhbz#1026434) ipa-server-install crashes when AD subpackage is not installed

• #4166 (rhbz#1059135) Backup CS.cfg before modifying it

• #4751 (rhbz#1851835) Implement ACME certificate enrolment

• #6587 ipa-otpd: systemctl reports “degraded” for “is-system-running” after todays CentOS updates

• #7397 ipa host-add –ip-address… returns Internal error when forward-policy=none is defined

• #7835 (rhbz#1658280) Cert revocation for services and hosts is inefficient

• #8203 (rhbz#1835853) User page on WebUi only has half the information in CA-less install

• #8361 Add support for managing subuids and subgids in FreeIPA

• #8534 Nightly test failure in test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion::test_hidden_replica_promote

• #8582 Nightly test failure in test_replica_promotion.py::TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica - ClonesConnectivyAndDataCheck

• #8632 [CA-less] user fails to login via WebUI in case of `–no-pkinit`

• #8641 Random failure in test_webui/test_user.py::TestLifeCycles::test_life_cycles

• #8676 (rhbz#1955440) [Tracker] Multiple nightly test failure in test_integration/test_ntp_options/TestNTPoptions

• #8738 (rhbz#1934991) ACME fails to generate a cert on migrated RHEL8.4 server

• #8767 (rhbz#1943151) ipa-server-install displays debug output when –debug output is not specified.

• #8784 RFE: Reduce number of LDAP operations during hbacrule-del

• #8785 Nightly test failure in test_integration/test_commands.py/TestIPACommand/test_proxycommand_invalid_shell

• #8787 Add pkey_only to the service_find calls in the host plugin

• #8792 Random nightly test failure in test_replica_promotion.py::TestRenewalMaster::test_automatic_renewal_master_transfer_ondelete

• #8793 [Tracker] Nightly failure (rawhide/f34) in test_dnssec.py::TestInstallDNSSECFirst::test_chain_of_trust

• #8794 (rhbz#1948034) Failure to deploy FreeIPA domain controller in Rawhide with systemd-resolved 248-1.fc35

• #8797 Cache the value of ca_is_enabled in the request context

• #8798 (rhbz#1953656) RFE: Cache LDAP data within a request

• #8799 Remove DS problematic code

• #8801 user-mod requires two searches for a user entry

• #8802 IPA test failing with long serial numbers

• #8807 (rhbz#1688267) [RFE] IPA to allow setting a new range type.

• #8809 RFE: A tool to collect and analyze etimes from IPA logs

• #8814 Use Dogtag’s CryptographyCryptoProvider instead of NSSCryptoProvider for KRAClient()

• #8818 new pylint 2.8 and astroid 2.5.5

• #8830 [azure] performance instability

• #8831 update_dna_shared_config may not update all entries

• #8832 (rhbz#1957768) ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4

• #8837 Add support of ‘ipaautoprivategroups’ LDAP attribute on ‘ID ranges’ page

• #8844 [Tracker] Nightly test failure (sssd 2.5.0-1) in test_smb and test_sudo

• #8847 [F34] JS linter

• #8848 F32 is going to be EOL

• #8851 pkispawn: use loopback IP address instead of localhost4/localhost6 for AJP

• #8856 (rhbz#1951511) Allow specifying permanent logging settings for BIND

• #8872 FreeIPA 4.9.3 Web UI reports “Internal Server Error” on Fedora 34 Server after reboot

• #8873 Missing credential cache can raise 500 when authenticating instead of 401

• #8874 (rhbz#1962570) depend on system-logos-ipa instead of redhat-logos-ipa

Detailed changelog since 4.9.3

Armando Neto (1)

• ipatests: Bump PR-CI templates to Fedora 34 commit

Alexander Bokovoy (37)

• Become FreeIPA 4.9.4 commit

• po/uk.po: Update translations to FreeIPA ipa-4-9 state commit

• po/ru.po: Update translations to FreeIPA ipa-4-9 state commit

• po/ipa.pot: Update translations to FreeIPA ipa-4-9 state commit

• po/es.po: Update translations to FreeIPA ipa-4-9 state commit

• Depend on system-logos-ipa on RHEL/CentOS Stream commit #8874

• service: enforce keytab user when retrieving the keytab commit #8872

• po/zh_CN.po: Update translations to FreeIPA ipa-4-9 state commit

• po/tr.po: Update translations to FreeIPA ipa-4-9 state commit

• po/tg.po: Update translations to FreeIPA ipa-4-9 state commit

• po/sk.po: Update translations to FreeIPA ipa-4-9 state commit

• po/ru.po: Update translations to FreeIPA ipa-4-9 state commit

• po/pt_BR.po: Update translations to FreeIPA ipa-4-9 state commit

• po/pt.po: Update translations to FreeIPA ipa-4-9 state commit

• po/pa.po: Update translations to FreeIPA ipa-4-9 state commit

• po/nl.po: Update translations to FreeIPA ipa-4-9 state commit

• po/mr.po: Update translations to FreeIPA ipa-4-9 state commit

• po/kn.po: Update translations to FreeIPA ipa-4-9 state commit

• po/ja.po: Update translations to FreeIPA ipa-4-9 state commit

• po/ipa.pot: Update translations to FreeIPA ipa-4-9 state commit

• po/id.po: Update translations to FreeIPA ipa-4-9 state commit

• po/hu.po: Update translations to FreeIPA ipa-4-9 state commit

• po/hi.po: Update translations to FreeIPA ipa-4-9 state commit

• po/fr.po: Update translations to FreeIPA ipa-4-9 state commit

• po/eu.po: Update translations to FreeIPA ipa-4-9 state commit

• po/es.po: Update translations to FreeIPA ipa-4-9 state commit

• po/en_GB.po: Update translations to FreeIPA ipa-4-9 state commit

• po/de.po: Update translations to FreeIPA ipa-4-9 state commit

• po/cs.po: Update translations to FreeIPA ipa-4-9 state commit

• po/ca.po: Update translations to FreeIPA ipa-4-9 state commit

• po/bn_IN.po: Update translations to FreeIPA ipa-4-9 state commit

• ds: Support renaming of a replication plugin in 389-ds commit #8799

• Update IRC links to point to Libera.chat commit

• freeipa.spec: do not use jsl for linting on Fedora 34+ commit #8847

• ipa-otpd: handle LDAP timeout in a better way commit #6587

• ipaserver/install/dns: handle SERVFAIL when checking reverse zone commit #8794

• Back to git snapshots commit

Antonio Torres (1)

• hbacrule: reduce number of LDAP searches during deletion commit #8784

Carl George (1)

• Also use uglifyjs on CentOS Stream 8 commit

Christian Heimes (7)

• Move constants, document timeout loop commit

• Fix update_dna_shared_config to wait for both entries commit #8831

• Constrain pylint to supported versions commit #8818

• Add max/min safe integer commit #8361, #8802

• Use PyCA crypto provider for KRAClient commit #8814

• Improve wsgi app loading commit

• Better mod_wsgi configuration commit

François Cami (7)

• ipatests: mark test_ipahealthcheck_hidden_replica as expected failure commit #8534, #8582

• ipatests: hidden replica: misc fixes commit #8534

• ipatests: hidden replica: use dns_update_system_records commit #8534

• ipatests: use wait_for_replication for hidden replica checks commit #8534

• ipatests: hiddenreplica: use wait_for_ipa_to_start after restore commit #8534

• ipatests: tasks.py: add dns_update_system_records commit #8534

• ipatests: tasks.py: add wait_for_ipa_to_start commit #8534

Florence Blanc-Renaud (12)

• pkispawn: override AJP connector address commit #8851

• Spec file: bump augeas-libs version commit #8676

• xmlrpc tests: add test for idrange auto-private-groups option commit #8807

• Trust: add auto private groups option commit #8807

• LDAP schema: new attribute ipaautoprivategroups commit #8807

• Design doc for idrange option “auto-private-groups” commit #8807

• ipatests: check that the output of sudo -V is not displayed commit #8767

• client install: do not capture sudo -V stdout commit #8767

• Bumps openssl requires commit #8632

• ipatests: TestIpaHealthCheck now needs 1 client commit

• ipatests: call server-del before replica uninstall commit #8792

• ipatests: collect PKI config files and NSSDB commit

MIZUTA Takeshi (8)

• Add –keyfile option to ipa-otptoken-import.1 commit

• Add argument for –entry option in ipa-managed-entries.1 commit

• Remove -s option from ipa-ldap-updater usage commit

• Add argument for –schema-file option in ipa-ldap-updater.1 commit

• Add arguments to the description of OPTIONS in ipa-winsync-migrate.1 commit

• Fix the option to match in the ipa-client-automount usage and man-page commit

• Add -d option to match in the ipa-client-samba usage and man-page commit

• man: fix typos in ipa-epn.1 commit

Michal Polovka (3)

• ipatests: test_installation: add install test scenarios commit #2575, #2692, #4011, #4166

• WebUI: Handle assertion if multiple notifications are present commit #8641

• WebUI: test_user: test if user is enabled by default commit #8203

Mohammad Rizwan (1)

• ipatests: Test if ACME renews the issued cert with cerbot commit #4751

Rob Crittenden (15)

• Catch ValueError when trying to retrieve existing credentials commit #8873

• ipatests: kinit on server for test_proxycommand_invalid_shell commit #8785

• Add ability to search on certificate revocation status commit #7835

• Load dogtag RA plugin in installers so profiles can be loaded commit #8738

• Parse the debugging cache log to determine the read savings commit #8798

• Add a unit test for the LDAP cache layer commit #8798

• Add LDAP cache options to the default.conf man page commit #8798

• Implement simple LDAP cache layer commit #8798

• Unify installer context to be ‘installer’ commit #8798

• Call the LDAPClient layer when modifying values commit #8798

• Only attempt to upgrade ACME configuration files if deployed commit #8832

• Parse Apache log etime and display average per command commit #8809

• Retrieve the user objectclasses when checking for existence commit #8801

• Cache the value of ca_is_enabled in the request context commit #8797

• Add pkey_only to the service_find calls in host del and disable commit #8787

Stanislav Levin (27)

• ipatests: Fetch sudo rules without time offset commit #8844

• azure: Make it possible to adjust Docker resources per test env commit

• azure: coredump: Wait for systemd fully booted commit

• azure: Re-balance tests envs commit

• azure: Warn about extra and missing gating tests compared to PR-CI commit

• ipatests: dnssec: Add alternative approach for checking chain of trust commit #8793

• azure: Collect installed packages commit

• ipatests: Suppress list trust or certificates commit

• ipatests: Ignore warnings on failed to read files on tarring commit

• pytest: Show extra summary information for all except passed tests commit

• dns: get_reverse_zone: Ignore resolver’s timeout commit #7397

• dnsutil: Improvements for IPA DNS Resolver commit

• ipatests: Handle network-isolated mode commit

• azure: Run Base and XMLRPC tests is isolated network commit

• ipatests: Setup and collect BIND logs commit

• BIND: Setup logging commit #8856

• azure: Warn about memory issues commit

• azure: Add workaround for PhantomJS against OpenSSL 1.1.1 commit

• ipatests: Update expectations for test_detect_container commit

• azure: Mask systemd-resolved commit

• azure: Remove no longer needed repo commit

• azure: Wait for systemd booted commit

• azure: Enforce multi-user.target as default systemd’s target commit

• azure: Collect systemd boot log commit

• azure: bump F32->F34 commit #8848

• pkispawn: Make timeout consistent with IPA’s startup_timeout commit #8830

• pylint: Adapt to new Pylint 2.8 commit #8818

Sergey Orlov (1)

• ipatests: increase timeout for test_commands up to 1.5 hours commit

Serhii Tsymbaliuk (2)

• WebUI tests: Add test for ‘ipaautoprivategroups’ field on ‘ID Ranges’ page commit #8837

• WebUI: Add support of ‘ipaautoprivategroups’ LDAP attribute on ‘ID Ranges’ page commit #8837

Sudhir Menon (1)

• ipatests: Test to check ipa-healthcheck tool displays warning when run on ipa-client commit