The FreeIPA team would like to announce the FreeIPA 4.9.7 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
Highlights in 4.9.7
3226: [RFE] ipa sudorule-add-user should accept more types of characters
8402: [RFE] ipa-client-install forces nsupdate to bind with gssapi: Invoke nsupdate without authentication if the GSS-TSIG attempt fails at install time; configure SSSD to use nsupdate without GSS-TSIG in this case.
8528: Use separate logs for AD Trust and DNS installer: ipa-adtrust-install and ipa-dns-install commands now log their activity into separate log files.
8655: Allow to establish trust to Active Directory in FIPS mode: When IPA is deployed in FIPS mode, it is now possible to establish trust to an Active Directory forest.
Enhancements
FreeIPA now provides centrally-managed allocation of ID sub-ranges for users and groups, for use in podman and runc.
ipa-getkeytab now has an option to discover servers using DNS SRV.
ipa-client-install now gracefully switches to using no authentication when updating its own DNS record if GSS-TSIG fails. It also configures SSSD to do the same.
Known Issues
ipa-server-install --auto-reverse does not create a reverse DNS zone even when needed on systems using systemd-resolved.
Bug fixes
FreeIPA 4.9.7 is a stabilization release for the features delivered as a part of 4.9 version series.
There are more than 50 bug fixes, details of which can be seen in the list of resolved tickets below.
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on libera.chat.
Resolved tickets
#3226 [RFE] ipa sudorule-add-user should accept more types of characters
#6587 ipa-otpd: systemctl reports “degraded” for “is-system-running” after today’s CentOS updates
#7814 fix automountlocation-tofiles output
#8206 Add checks to prevent assigning authentication indicators to internal IPA services
#8227 dnszone-add: ignores given SOA serial
#8245 ipa-kra-install should exit if ca_host is overridden.
#8257 ipa-certupdate sets temporary ccache in the wrong place
#8361 Add support for managing subuids and subgids in FreeIPA
#8397 Cannot remove First master server with KRA after the server hard disk failed (destructed)
#8402 [RFE] ipa-client-install forces nsupdate to bind with gssapi
#8415 Ignore case when evaluating attributes and objectclasses in config plugin
#8452 update samba configuration on IPA master to explicitly use ‘server role’ setting
#8478 Do SRV discovery in ipa-getkeytab if -s and -H aren’t provided
#8501 Unify how FreeIPA gets FQDN of current host
#8519 Fedora container platform is incomplete
#8524 Deploy & manage the ACME service topology wide from a single system
#8528 Use separate logs for AD Trust and DNS installer
#8584 ACME communication with dogtag REST endpoints should be using the cookie it creates
#8647 Incorrect DNSKEY created when DNSSEC enabled for zone
#8655 Allow to establish trust to Active Directory in FIPS mode
#8676 [Tracker] Multiple nightly test failure in test_integration/test_ntp_options/TestNTPoptions
#8795 Remove dependency from tests on ipaserver package/modules
#8810 Nightly test failure (rawhide/f34) in test_ipahealthcheck.py::TestIpaHealthCheck: missing AAAA record for ipa-ca
#8832 ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4
#8864 azure: dnf sometimes fails
#8889 [tests] healthcheck 0.9
#8890 Nightly test failure (rawhide) in test_ipa_cert_fix.py::TestIpaCertFix::test_missing_startup
#8891 FreeIPA server in debug mode fails to run because time.perf_counter_ns is Python 3.7+
#8892 [RFE] When IPA system is healthy, ipa-healthcheck --failures-only should display proper message instead of empty list
#8905 Package python3-ipatests (from CRB repo) Requires python3-coverage
#8906 support for SHA384withRSA signing algo missing
#8909 Unable to set ipaUserAuthType with stageuser-add
#8911 Nightly test failure in pki-fedora/test_webui_cert.
#8913 [man page] contradiction in ipa-server-upgrade command’s man page and usage
#8918 Nightly failure in test_external_ca.py::TestSelfExternalSelf::test_switch_back_to_self_signed
#8919 Nightly test failure in test_webui/test_range.py::test_range::test_crud
#8920 ipa-healthcheck reports RIPluginCheck CRITICAL error for DSRILE0002
#8923 Trust controller role should pull sssd-winbind-idmap package
#8925 ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL
#8926 Nightly test failure (rawhide) in test_smb
#8929 Nightly test failure in test_integration//test_acme.py/TestACMERenew/test_renew - kinit admin: Password change failed while getting initial credentials
#8930 IdM should call into Dogtag to dynamically update the security domain info
#8931 flake8 report for tasks.py
#8934 ipa-advise unconditionally uses modutil to load opensc module
#8935 [tracker] Update boxes for PR-CI nightly runs
#8936 ipa-server install failure without DNS
#8937 Multiple issues in tasks’s install/uninstall helpers
#8938 Remove python3-pexpect as dependency for ipatests pkg
#8939 Add index for sudoorder
#8942 TestAJPSecretUpgrade tests fail on system without pkiuser
#8944 TestIpaAdTrustInstall::test_ipa_user_s4u2self_pac failed at create_active_user
#8949 Test for RFE ipa-healthcheck should verify owner/perms for important logs in “/var/log” in the ipahealthcheck.ipa.files source
#8956 Nightly failure in test_caless.py::TestIPACommands::test_invoke_upgrader
Detailed changelog since 4.9.6
Armando Neto (1)
Alexander Bokovoy (2)
Anuja More (5)
Antonio Torres (6)
ipatests: expect SOA serial option deprecation warning commit #8227
dnszone: deprecate option for setting SOA serial commit #8227
ipatests: test if KRA install fails when ca_host is overridden commit #8245
ipatests: ensure auth indicators can’t be added to internal IPA services commit #8206
Add checks to prevent adding auth indicators to internal IPA services commit #8206
Christian Heimes (8)
Fix ldapupdate.get_sub_dict() for missing named user commit #8936
Test DNA plugin configuration commit
Fix oid of ipaUserDefaultSubordinateId commit
Fix ipa-server-upgrade commit
Use 389-DS’ dnaInterval setting to assign intervals commit
Redesign subid feature commit
Add basic support for subordinate user/group ids commit #8361
Chris Kelley (2)
François Cami (13)
Update list of contributors commit
ipatests: use krb5_trace in TestIpaAdTrustInstall commit #8944
freeipa.spec.in: remove python3-pexpect from Requires commit #8938
gating.yaml: Fix TestInstallMaster timeout commit
Azure: temporarily disable problematic tests, #2 commit #8864
Azure: temporarily disable problematic tests, #1 commit #8864
test_acme: refactor with tasks commit
ipatests: smbclient “-k” => “--use-kerberos=desired” commit #8926
Florence Blanc-Renaud (12)
webui tests: fix algo for finding available idrange commit #8919
spec file: Trust controller role should pull sssd-winbind-idmap package commit #8923
webui tests: close notification when revoking cert commit #8911
ipatests: use whole date when calling journalctl --since commit #8918
Server install: do not use unchecked ip addr for ipa-ca record commit #8810
XMLRPC test: add a test for stageuser-add --user-auth-type commit #8909
stageuser: add ipauserauthtypeclass when required commit #8909
Michal Polovka (3)
ipatests: test_ipahealthcheck: Verify permissions for /var/log/ files commit #8949
ipatests: test_installation: move tracking_reqs dependency to ipalib constants ipaserver: krainstance: utilize moved tracking_reqs dependency commit #8795
ipatests: test_ipahealthcheck: print a message if a system is healthy commit #8892
Mohammad Rizwan (2)
Rob Crittenden (21)
Only call add_agent_to_security_domain_admins() when CA is installed commit #8956
ipatests: Verify that securitydomain is updated on server-del commit #8930
Clean up the PKI securitydomain when removing a server commit #8930
pr-ci definitions: add custom plugin-related jobs commit #8415
Don’t assume that plugin attributes and objectclasses are lowercase commit #8415
ipatests: verify that getcert output includes the issued date commit
ipa-advise: Define the domain used when looking up ipa-ca commit #8934
ipa-advise: if p11-kit provides opensc, don’t add to NSS db commit #8934
ipa-getkeytab: add option to discover servers using DNS SRV commit #8478
Provide more information in ipa-certupdate on ccache failure commit #8257
Fix automountlocation-tofiles expected output in xmlrpc test commit #7814
ipatests: Add test for ipa automountlocation-tofiles commit #7814
Display all orphaned keys in automountlocation-tofiles commit #7814
ipatests: test removing last KRA when it is not running commit #8397
Use new method in check to prevent removal of last KRA commit #8397
Fall back to krbprincipalname when validating host auth indicators commit #8206
Add SHA384withRSA as a certificate signing algorithm commit #8906