The FreeIPA team would like to announce FreeIPA 4.9.4 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
Highlights in 4.9.4#
2575: [RFE] Installer wizard should prompt for DNS
The prompting during the server installation was enhanced to ask whether user wants to install the DNS component.
8807: [RFE] IPA to allow setting a new range type.
A new option was added to define how private groups represented in ID ranges of trusted Active Directory domains. More details can be found in the design document: https://freeipa.readthedocs.io/en/latest/designs/adtrust/auto-private-groups.html
Enhancements#
Known Issues#
Bug fixes#
FreeIPA 4.9.4 is a stabilization release for the features delivered as a part of 4.9.0 version series.
There are more than 40 bug-fixes since FreeIPA 4.9.3 release. Details of the bug-fixes can be seen in the list of resolved tickets below.
Upgrading#
Upgrade instructions are available on Upgrade page.
Feedback#
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.
Resolved tickets#
#2575 (rhbz#952756) [RFE] Installer wizard should prompt for DNS
#2692 (rhbz#817071) ipa-server-install ignores –hostname
#4011 (rhbz#1026434) ipa-server-install crashes when AD subpackage is not installed
#4166 (rhbz#1059135) Backup CS.cfg before modifying it
#4751 (rhbz#1851835) Implement ACME certificate enrolment
#6587 ipa-otpd: systemctl reports “degraded” for “is-system-running” after todays CentOS updates
#7397 ipa host-add –ip-address… returns Internal error when forward-policy=none is defined
#7835 (rhbz#1658280) Cert revocation for services and hosts is inefficient
#8203 (rhbz#1835853) User page on WebUi only has half the information in CA-less install
#8361 Add support for managing subuids and subgids in FreeIPA
#8534 Nightly test failure in test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion::test_hidden_replica_promote
#8582 Nightly test failure in test_replica_promotion.py::TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica - ClonesConnectivyAndDataCheck
#8632 [CA-less] user fails to login via WebUI in case of `–no-pkinit`
#8641 Random failure in test_webui/test_user.py::TestLifeCycles::test_life_cycles
#8676 (rhbz#1955440) [Tracker] Multiple nightly test failure in test_integration/test_ntp_options/TestNTPoptions
#8738 (rhbz#1934991) ACME fails to generate a cert on migrated RHEL8.4 server
#8767 (rhbz#1943151) ipa-server-install displays debug output when –debug output is not specified.
#8784 RFE: Reduce number of LDAP operations during hbacrule-del
#8785 Nightly test failure in test_integration/test_commands.py/TestIPACommand/test_proxycommand_invalid_shell
#8787 Add pkey_only to the service_find calls in the host plugin
#8792 Random nightly test failure in test_replica_promotion.py::TestRenewalMaster::test_automatic_renewal_master_transfer_ondelete
#8793 [Tracker] Nightly failure (rawhide/f34) in test_dnssec.py::TestInstallDNSSECFirst::test_chain_of_trust
#8794 (rhbz#1948034) Failure to deploy FreeIPA domain controller in Rawhide with systemd-resolved 248-1.fc35
#8797 Cache the value of ca_is_enabled in the request context
#8798 (rhbz#1953656) RFE: Cache LDAP data within a request
#8799 Remove DS problematic code
#8801 user-mod requires two searches for a user entry
#8802 IPA test failing with long serial numbers
#8807 (rhbz#1688267) [RFE] IPA to allow setting a new range type.
#8809 RFE: A tool to collect and analyze etimes from IPA logs
#8814 Use Dogtag’s CryptographyCryptoProvider instead of NSSCryptoProvider for KRAClient()
#8818 new pylint 2.8 and astroid 2.5.5
#8830 [azure] performance instability
#8831 update_dna_shared_config may not update all entries
#8832 (rhbz#1957768) ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4
#8837 Add support of ‘ipaautoprivategroups’ LDAP attribute on ‘ID ranges’ page
#8844 [Tracker] Nightly test failure (sssd 2.5.0-1) in test_smb and test_sudo
#8847 [F34] JS linter
#8848 F32 is going to be EOL
#8851 pkispawn: use loopback IP address instead of localhost4/localhost6 for AJP
#8856 (rhbz#1951511) Allow specifying permanent logging settings for BIND
#8872 FreeIPA 4.9.3 Web UI reports “Internal Server Error” on Fedora 34 Server after reboot
#8873 Missing credential cache can raise 500 when authenticating instead of 401
#8874 (rhbz#1962570) depend on system-logos-ipa instead of redhat-logos-ipa
Detailed changelog since 4.9.3#
Armando Neto (1)#
ipatests: Bump PR-CI templates to Fedora 34 commit
Alexander Bokovoy (37)#
Become FreeIPA 4.9.4 commit
po/uk.po: Update translations to FreeIPA ipa-4-9 state commit
po/ru.po: Update translations to FreeIPA ipa-4-9 state commit
po/ipa.pot: Update translations to FreeIPA ipa-4-9 state commit
po/es.po: Update translations to FreeIPA ipa-4-9 state commit
Depend on system-logos-ipa on RHEL/CentOS Stream commit #8874
service: enforce keytab user when retrieving the keytab commit #8872
po/zh_CN.po: Update translations to FreeIPA ipa-4-9 state commit
po/tr.po: Update translations to FreeIPA ipa-4-9 state commit
po/tg.po: Update translations to FreeIPA ipa-4-9 state commit
po/sk.po: Update translations to FreeIPA ipa-4-9 state commit
po/ru.po: Update translations to FreeIPA ipa-4-9 state commit
po/pt_BR.po: Update translations to FreeIPA ipa-4-9 state commit
po/pt.po: Update translations to FreeIPA ipa-4-9 state commit
po/pa.po: Update translations to FreeIPA ipa-4-9 state commit
po/nl.po: Update translations to FreeIPA ipa-4-9 state commit
po/mr.po: Update translations to FreeIPA ipa-4-9 state commit
po/kn.po: Update translations to FreeIPA ipa-4-9 state commit
po/ja.po: Update translations to FreeIPA ipa-4-9 state commit
po/ipa.pot: Update translations to FreeIPA ipa-4-9 state commit
po/id.po: Update translations to FreeIPA ipa-4-9 state commit
po/hu.po: Update translations to FreeIPA ipa-4-9 state commit
po/hi.po: Update translations to FreeIPA ipa-4-9 state commit
po/fr.po: Update translations to FreeIPA ipa-4-9 state commit
po/eu.po: Update translations to FreeIPA ipa-4-9 state commit
po/es.po: Update translations to FreeIPA ipa-4-9 state commit
po/en_GB.po: Update translations to FreeIPA ipa-4-9 state commit
po/de.po: Update translations to FreeIPA ipa-4-9 state commit
po/cs.po: Update translations to FreeIPA ipa-4-9 state commit
po/ca.po: Update translations to FreeIPA ipa-4-9 state commit
po/bn_IN.po: Update translations to FreeIPA ipa-4-9 state commit
ds: Support renaming of a replication plugin in 389-ds commit #8799
Update IRC links to point to Libera.chat commit
freeipa.spec: do not use jsl for linting on Fedora 34+ commit #8847
ipaserver/install/dns: handle SERVFAIL when checking reverse zone commit #8794
Back to git snapshots commit
Antonio Torres (1)#
Carl George (1)#
Also use uglifyjs on CentOS Stream 8 commit
Christian Heimes (7)#
François Cami (7)#
ipatests: mark test_ipahealthcheck_hidden_replica as expected failure commit #8534, #8582
ipatests: hidden replica: use dns_update_system_records commit #8534
ipatests: use wait_for_replication for hidden replica checks commit #8534
ipatests: hiddenreplica: use wait_for_ipa_to_start after restore commit #8534
ipatests: tasks.py: add dns_update_system_records commit #8534
Florence Blanc-Renaud (12)#
xmlrpc tests: add test for idrange auto-private-groups option commit #8807
LDAP schema: new attribute ipaautoprivategroups commit #8807
Design doc for idrange option “auto-private-groups” commit #8807
ipatests: check that the output of sudo -V is not displayed commit #8767
ipatests: TestIpaHealthCheck now needs 1 client commit
ipatests: call server-del before replica uninstall commit #8792
ipatests: collect PKI config files and NSSDB commit
MIZUTA Takeshi (8)#
Add –keyfile option to ipa-otptoken-import.1 commit
Add argument for –entry option in ipa-managed-entries.1 commit
Remove -s option from ipa-ldap-updater usage commit
Add argument for –schema-file option in ipa-ldap-updater.1 commit
Add arguments to the description of OPTIONS in ipa-winsync-migrate.1 commit
Fix the option to match in the ipa-client-automount usage and man-page commit
Add -d option to match in the ipa-client-samba usage and man-page commit
man: fix typos in ipa-epn.1 commit
Michal Polovka (3)#
Mohammad Rizwan (1)#
Rob Crittenden (15)#
Catch ValueError when trying to retrieve existing credentials commit #8873
ipatests: kinit on server for test_proxycommand_invalid_shell commit #8785
Add ability to search on certificate revocation status commit #7835
Load dogtag RA plugin in installers so profiles can be loaded commit #8738
Parse the debugging cache log to determine the read savings commit #8798
Add LDAP cache options to the default.conf man page commit #8798
Call the LDAPClient layer when modifying values commit #8798
Only attempt to upgrade ACME configuration files if deployed commit #8832
Parse Apache log etime and display average per command commit #8809
Retrieve the user objectclasses when checking for existence commit #8801
Cache the value of ca_is_enabled in the request context commit #8797
Add pkey_only to the service_find calls in host del and disable commit #8787
Stanislav Levin (27)#
azure: Make it possible to adjust Docker resources per test env commit
azure: coredump: Wait for systemd fully booted commit
azure: Re-balance tests envs commit
azure: Warn about extra and missing gating tests compared to PR-CI commit
ipatests: dnssec: Add alternative approach for checking chain of trust commit #8793
azure: Collect installed packages commit
ipatests: Suppress list trust or certificates commit
ipatests: Ignore warnings on failed to read files on tarring commit
pytest: Show extra summary information for all except passed tests commit
dns: get_reverse_zone: Ignore resolver’s timeout commit #7397
dnsutil: Improvements for IPA DNS Resolver commit
ipatests: Handle network-isolated mode commit
azure: Run Base and XMLRPC tests is isolated network commit
ipatests: Setup and collect BIND logs commit
azure: Warn about memory issues commit
azure: Add workaround for PhantomJS against OpenSSL 1.1.1 commit
ipatests: Update expectations for test_detect_container commit
azure: Mask systemd-resolved commit
azure: Remove no longer needed repo commit
azure: Wait for systemd booted commit
azure: Enforce multi-user.target as default systemd’s target commit
azure: Collect systemd boot log commit
pkispawn: Make timeout consistent with IPA’s startup_timeout commit #8830
Sergey Orlov (1)#
ipatests: increase timeout for test_commands up to 1.5 hours commit
Serhii Tsymbaliuk (2)#
Sudhir Menon (1)#
ipatests: Test to check ipa-healthcheck tool displays warning when run on ipa-client commit