The FreeIPA team would like to announce FreeIPA 4.9.7 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.9.7

  • 3226: [RFE] ipa sudorule-add-user should accept more types of characters

  • 8402: [RFE] ipa-client-install forces nsupdate to bind with gssapi: Invoke nsupdate without authentication if the GSS-TSIG attempt fails at install time; configure SSSD to use nsupdate without GSS-TSIG in this case.

  • 8528: Use separate logs for AD Trust and DNS installer: ipa-adtrust-install and ipa-dns-install commands now log their activity into separate log files.

  • 8655: Allow establishing trust to Active Directory in FIPS mode: When IPA is deployed in FIPS mode, it is now possible to establish trust to an Active Directory forest.

Enhancements

  • FreeIPA now provides centrally managed allocation of ID sub-ranges (subordinate user and group IDs) for users and groups, for use with podman and runc.

  • ipa-getkeytab now has an option to discover servers using DNS SRV.

  • ipa-client-install now gracefully falls back to an unauthenticated update of its own DNS record if GSS-TSIG fails. It also configures SSSD to do the same.

Known Issues

  • ipa-server-install --auto-reverse does not create a reverse DNS zone even when needed on systems using systemd-resolved.

Bug fixes

FreeIPA 4.9.7 is a stabilization release for the features delivered as part of the 4.9 version series.

There are more than 50 bug fixes; details can be found in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on libera.chat.

Resolved tickets

  • #3226 [RFE] ipa sudorule-add-user should accept more types of characters

  • #6587 ipa-otpd: systemctl reports "degraded" for "is-system-running" after today's CentOS updates

  • #7814 fix automountlocation-tofiles output

  • #8206 Add checks to prevent assigning authentication indicators to internal IPA services

  • #8227 dnszone-add: ignores given SOA serial

  • #8245 ipa-kra-install should exit if ca_host is overridden.

  • #8257 ipa-certupdate sets temporary ccache in the wrong place

  • #8361 Add support for managing subuids and subgids in FreeIPA

  • #8397 Cannot remove First master server with KRA after the server hard disk failed (destructed)

  • #8402 [RFE] ipa-client-install forces nsupdate to bind with gssapi

  • #8415 Ignore case when evaluating attributes and objectclasses in config plugin

  • #8452 update samba configuration on IPA master to explicitly use ‘server role’ setting

  • #8478 Do SRV discovery in ipa-getkeytab if -s and -H aren’t provided

  • #8501 Unify how FreeIPA gets FQDN of current host

  • #8519 Fedora container platform is incomplete

  • #8524 Deploy & manage the ACME service topology wide from a single system

  • #8528 Use separate logs for AD Trust and DNS installer

  • #8584 ACME communication with dogtag REST endpoints should be using the cookie it creates

  • #8647 Incorrect DNSKEY created when DNSSEC enabled for zone

  • #8655 Allow to establish trust to Active Directory in FIPS mode

  • #8676 [Tracker] Multiple nightly test failure in test_integration/test_ntp_options/TestNTPoptions

  • #8795 Remove dependency from tests on ipaserver package/modules

  • #8810 Nightly test failure (rawhide/f34) in test_ipahealthcheck.py::TestIpaHealthCheck: missing AAAA record for ipa-ca

  • #8832 ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4

  • #8864 azure: dnf sometimes fails

  • #8889 [tests] healthcheck 0.9

  • #8890 Nightly test failure (rawhide) in test_ipa_cert_fix.py::TestIpaCertFix::test_missing_startup

  • #8891 FreeIPA server in debug mode fails to run because time.perf_counter_ns is Python 3.7+

  • #8892 [RFE] When IPA system is healthy, ipa-healthcheck --failures-only should display proper message instead of empty list

  • #8905 Package python3-ipatests (from CRB repo) Requires python3-coverage

  • #8906 support for SHA384withRSA signing algo missing

  • #8909 Unable to set ipaUserAuthType with stageuser-add

  • #8911 Nightly test failure in pki-fedora/test_webui_cert.

  • #8913 [man page] contradiction in ipa-server-upgrade command’s man page and usage

  • #8918 Nightly failure in test_external_ca.py::TestSelfExternalSelf::test_switch_back_to_self_signed

  • #8919 Nightly test failure in test_webui/test_range.py::test_range::test_crud

  • #8920 ipa-healthcheck reports RIPluginCheck CRITICAL error for DSRILE0002

  • #8923 Trust controller role should pull sssd-winbind-idmap package

  • #8925 ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL

  • #8926 Nightly test failure (rawhide) in test_smb

  • #8929 Nightly test failure in test_integration//test_acme.py/TestACMERenew/test_renew - kinit admin: Password change failed while getting initial credentials

  • #8930 IdM should call into Dogtag to dynamically update the security domain info

  • #8931 flake8 report for tasks.py

  • #8934 ipa-advise unconditionally uses modutil to load opensc module

  • #8935 [tracker] Update boxes for PR-CI nightly runs

  • #8936 ipa-server install failure without DNS

  • #8937 Multiple issues in tasks’s install/uninstall helpers

  • #8938 Remove python3-pexpect as dependency for ipatests pkg

  • #8939 Add index for sudoorder

  • #8942 TestAJPSecretUpgrade tests fail on system without pkiuser

  • #8944 TestIpaAdTrustInstall::test_ipa_user_s4u2self_pac failed at create_active_user

  • #8949 Test for RFE ipa-healthcheck should verify owner/perms for important logs in “/var/log” in the ipahealthcheck.ipa.files source

  • #8956 Nightly failure in test_caless.py::TestIPACommands::test_invoke_upgrader

Detailed changelog since 4.9.6

Armando Neto (1)

  • ipatests: bump prci boxes + move gating to f34 commit #8935

Alexander Bokovoy (2)

  • rhel platform: add a named crypto-policy support commit #8925

  • Back to git snapshots commit

Anuja More (5)

  • ipatests: Test unsecure nsupdate. commit #8402

  • ipatests: Refactor test_check_otpd_after_idle_timeout commit #6587

  • ipatests: skip test_basesearch_compat_tree on fedora. commit

  • ipatests: Test ldapsearch with base scope works with compat tree. commit

  • ipatests: Test for OTP when the LDAP connection timed out. commit #6587

Antonio Torres (6)

  • ipatests: expect SOA serial option deprecation warning commit #8227

  • dnszone: deprecate option for setting SOA serial commit #8227

  • ipatests: test if KRA install fails when ca_host is overridden commit #8245

  • ipa-kra-install: exit if ca_host is overridden commit #8245

  • ipatests: ensure auth indicators can’t be added to internal IPA services commit #8206

  • Add checks to prevent adding auth indicators to internal IPA services commit #8206

Christian Heimes (8)

  • Fix string check in uninstall helper commit #8937

  • Fix ldapupdate.get_sub_dict() for missing named user commit #8936

  • Test DNA plugin configuration commit

  • Fix oid of ipaUserDefaultSubordinateId commit

  • Fix ipa-server-upgrade commit

  • Use 389-DS’ dnaInterval setting to assign intervals commit

  • Redesign subid feature commit

  • Add basic support for subordinate user/group ids commit #8361

Chris Kelley (2)

  • Parse cert chain as JSON not XML commit

  • Parse getStatus as JSON not XML commit

François Cami (13)

  • Update list of contributors commit

  • ipatests: use krb5_trace in TestIpaAdTrustInstall commit #8944

  • freeipa.spec.in: remove python3-pexpect from Requires commit #8938

  • gating.yaml: Fix TestInstallMaster timeout commit

  • Azure: temporarily disable problematic tests, #2 commit #8864

  • Azure: temporarily disable problematic tests, #1 commit #8864

  • tasks.py: fix flake8-reported issues commit #8931

  • test_acme: make password renewal more robust commit #8929

  • test_acme: refactor with tasks commit

  • ipatests: smbclient "-k" => "--use-kerberos=desired" commit #8926

  • rpcserver.py: perf_counter_ns is Python 3.7+ commit #8891

  • ipatests: smoke test for server debug mode. commit #8891

  • paths: add IPA_SERVER_CONF commit #8891

Florence Blanc-Renaud (12)

  • webui tests: fix algo for finding available idrange commit #8919

  • Index: Fix definition for memberOf commit #8920

  • spec file: Trust controller role should pull sssd-winbind-idmap package commit #8923

  • webui tests: close notification when revoking cert commit #8911

  • pr-ci definitions: add subid-related jobs commit #8361

  • ipatests: use whole date when calling journalctl --since commit #8918

  • Server install: do not use unchecked ip addr for ipa-ca record commit #8810

  • man page: update ipa-server-upgrade.1 commit #8913

  • augeas: bump version for rhel9 commit #8676

  • XMLRPC test: add a test for stageuser-add --user-auth-type commit #8909

  • stageuser: add ipauserauthtypeclass when required commit #8909

  • Remove unneeded dependency on python-coverage commit #8905

Michal Polovka (3)

  • ipatests: test_ipahealthcheck: Verify permissions for /var/log/ files commit #8949

  • ipatests: test_installation: move tracking_reqs dependency to ipalib constants ipaserver: krainstance: utilize moved tracking_reqs dependency commit #8795

  • ipatests: test_ipahealthcheck: print a message if a system is healthy commit #8892

Mohammad Rizwan (2)

  • ipatests: Look for warning into stderr instead of stdout commit #8890

  • ipatests: Test ipa-cert-fix warns when startup directive is missing from CS.cfg commit #8890

Rob Crittenden (21)

  • Only call add_agent_to_security_domain_admins() when CA is installed commit #8956

  • ipatests: Verify that securitydomain is updated on server-del commit #8930

  • Clean up the PKI securitydomain when removing a server commit #8930

  • pr-ci definitions: add custom plugin-related jobs commit #8415

  • ipatests: add suite for testing custom plugins commit #8415

  • Don’t assume that plugin attributes and objectclasses are lowercase commit #8415

  • Add index for sudoorder commit #8939

  • ipatests: verify that getcert output includes the issued date commit

  • ipa-advise: Define the domain used when looking up ipa-ca commit #8934

  • ipa-advise: if p11-kit provides opensc, don’t add to NSS db commit #8934

  • ipatests: test ipa-getkeytab server option commit #8478

  • ipa-getkeytab: fix compiler warnings commit #8478

  • ipa-getkeytab: add option to discover servers using DNS SRV commit #8478

  • Provide more information in ipa-certupdate on ccache failure commit #8257

  • Fix automountlocation-tofiles expected output in xmlrpc test commit #7814

  • ipatests: Add test for ipa automountlocation-tofiles commit #7814

  • Display all orphaned keys in automountlocation-tofiles commit #7814

  • ipatests: test removing last KRA when it is not running commit #8397

  • Use new method in check to prevent removal of last KRA commit #8397

  • Fall back to krbprincipalname when validating host auth indicators commit #8206

  • Add SHA384withRSA as a certificate signing algorithm commit #8906

Stanislav Levin (1)

  • ipatests: Fix TestAJPSecretUpgrade tests on systems without pkiuser commit #8942

Serhii Tsymbaliuk (1)

  • WebUI: Improve subordinate ids user workflow commit #8361

Sudhir Menon (1)

  • ipatests: Fix for test_source_ipahealthcheck_ipa_host_check_ipahostkeytab commit #8889