The FreeIPA team would like to announce FreeIPA 4.9.8 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
Highlights in 4.9.8#
8397: Cannot remove First master server with KRA after the server hard disk failed ( destructed)
The search for servers holding the KRA role was limited to the hostname being deleted, so the check wrongly concluded that the last KRA was being removed and refused to delete the server. The search is no longer restricted by hostname, so a broken master with a KRA can be removed while other KRAs remain.
8492: RFE: Include the server schema version in communication with the client
IPA clients cache a copy of the server command schema, with a TTL of one hour by default. During plugin development, command options, labels and similar metadata may change, but because they are cached the new values do not appear until the cache expires. This release adds a client-side configuration option, schema_ttl, that controls how long the schema is cached; a value of 0 disables the cache, so every invocation fetches the schema from the server again. Tuning this is not recommended in production.
8962: Info about searchrecordslimit set search limit to 10,000 after upgrade
The default server-side search size limit is raised to 100,000 entries (the changelog entry for this ticket reads "Increase default limit on LDAP searches to 100k"). The client-side limit, searchrecordslimit in the IPA configuration, remains 100 by default. Raise it with care: every additional entry a client asks for is additional load on the server.
8968: Add URI records for KDC
FreeIPA DNS integration now publishes URI records for dynamic discovery of Kerberos KDCs. This allows clients to discover and use MS-KKDCP proxies automatically. URI records are also Kubernetes-friendly, because Kubernetes does not support SRV records with the same name and different protocols.
8974: RHEL 8.5 IPA Replica setup fails against a RHEL 7.9 IPA server
When a new replica is installed against an older existing server that lacks the sanToCNDefaultImpl capability, the ACME certificate profile cannot be added during replica installation. Running ipa-server-upgrade manually after ipa-replica-install has completed adds the missing profile.
8980: Nightly test failure in pki-fedora/test_integration/test_backup_and_restore
Make Dogtag return XML for ipa cert-find
8986: ipa cert-request replaces user certificate instead of adding
By default IPA caches LDAP entries within a given request. Entries with a userCertificate value are no longer cached, because the attribute may be returned either as userCertificate or as userCertificate;binary, and the two spellings confused the cache so that a cert-request could replace an existing user certificate instead of adding to it. This will be revisited in the future, but for now correctness is favored over speed.
8995: Integrate SID configuration into base IPA installers
New installations of IPA now configure the server to generate SIDs by default. Previously, this setup was executed as part of the ipa-adtrust-install command.
9031: Harden FreeIPA KDC processing of PAC buffers
FreeIPA's KDC now hardens its processing of PAC structures in line with the fixes coordinated with the Samba Team and Microsoft for CVE-2020-25719 and CVE-2021-42287 respectively.
9038: Concerns regarding 'ipa pwpolicy-mod --minlife 24 --maxlife 1'
ipa pwpolicy-mod --minlife $min --maxlife $max accepts $max >= $min, yet the error message said "Maximum password life must be greater than minimum." The error message has been changed so that it states the rule that is actually enforced.
Enhancements#
8492: RFE: Include the server schema version in communication with the client
IPA clients cache a copy of the server command schema, with a TTL of one hour by default. During plugin development, command options, labels and similar metadata may change, but because they are cached the new values do not appear until the cache expires. This release adds a client-side configuration option, schema_ttl, that controls how long the schema is cached; a value of 0 disables the cache, so every invocation fetches the schema from the server again. Tuning this is not recommended in production.
8968: Add URI records for KDC
FreeIPA DNS integration now publishes URI records for dynamic discovery of Kerberos KDCs. This allows clients to discover and use MS-KKDCP proxies automatically. URI records are also Kubernetes-friendly, because Kubernetes does not support SRV records with the same name and different protocols.
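The following is an added example, written for this page and not taken from FreeIPA's DNS plugin or from MIT krb5; it shows how a client consumes the _kerberos URI records described above (here and in the Highlights entry for 8968). It parses RFC 7553 URI records in zone-file presentation, splits the krb5srv:flags:transport:residual targets, skips records it cannot use, and orders candidates by priority and weight. The zone data, host names and the kdcproxy URL are constructed for illustration.

```python
"""Select Kerberos KDCs from DNS URI records carrying krb5srv: targets.

Added example; not FreeIPA or MIT krb5 code. Sample records are constructed.
"""
import re
from dataclasses import dataclass

# RFC 7553 presentation format: owner [TTL] [class] URI priority weight "target"
URI_RR = re.compile(
    r'^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?URI\s+'
    r'(?P<prio>\d+)\s+(?P<weight>\d+)\s+"(?P<target>[^"]*)"\s*$', re.I)

KRB5_TRANSPORTS = {"udp", "tcp", "kkdcp"}


@dataclass(frozen=True)
class KdcCandidate:
    priority: int
    weight: int
    primary: bool      # "M"/"m" flag: record points at a primary KDC
    transport: str     # udp, tcp, or kkdcp (MS-KKDCP proxy over HTTPS)
    residual: str      # host[:port], or the proxy URL for kkdcp


def parse_krb5srv(target):
    """Split 'krb5srv:<flags>:<transport>:<residual>'.

    The residual may itself contain colons (an https:// URL), hence maxsplit=3.
    Raises ValueError for anything a client should not act on.
    """
    parts = target.split(":", 3)
    if len(parts) != 4 or parts[0] != "krb5srv":
        raise ValueError("not a krb5srv target: %r" % target)
    _, flags, transport, residual = parts
    transport = transport.lower()
    if transport not in KRB5_TRANSPORTS or not residual:
        raise ValueError("unsupported transport or empty residual: %r" % target)
    # Policy of this example: a KDC proxy reached over plain http is refused,
    # since the proxied AS/TGS exchange would then be exposed on the wire.
    if transport == "kkdcp" and not residual.lower().startswith("https://"):
        raise ValueError("kkdcp proxy must be an https URL: %r" % target)
    return "m" in flags.lower(), transport, residual


def kdc_candidates(zone_text, realm):
    """Return usable _kerberos URI records for realm, best first
    (lowest priority, then highest weight). Records that fail to parse are
    skipped, which is what a client should do with a record it does not understand."""
    owner = "_kerberos." + realm.lower().rstrip(".")
    found = []
    for line in zone_text.splitlines():
        m = URI_RR.match(line.strip())
        if not m or m.group("name").lower().rstrip(".") != owner:
            continue
        try:
            primary, transport, residual = parse_krb5srv(m.group("target"))
        except ValueError:
            continue
        found.append(KdcCandidate(int(m.group("prio")), int(m.group("weight")),
                                  primary, transport, residual))
    return sorted(found, key=lambda c: (c.priority, -c.weight))


# Constructed zone fragment (not real FreeIPA output): two direct KDC records,
# one valid and one invalid kkdcp proxy, one unknown transport, and a _kpasswd
# record that must be ignored when looking for KDCs.
SAMPLE_ZONE = """
_kerberos.example.test.  3600 IN URI 0 100 "krb5srv:M:tcp:kdc1.example.test."
_kerberos.example.test.  3600 IN URI 0 100 "krb5srv:M:udp:kdc1.example.test."
_kerberos.example.test.  3600 IN URI 10 50  "krb5srv::kkdcp:https://kdcproxy.example.test/KdcProxy"
_kerberos.example.test.  3600 IN URI 10 50  "krb5srv::kkdcp:http://kdcproxy.example.test/KdcProxy"
_kerberos.example.test.  3600 IN URI 20 10  "krb5srv::smtp:bogus.example.test."
_kpasswd.example.test.   3600 IN URI 0 100 "krb5srv:M:tcp:kdc1.example.test."
"""

if __name__ == "__main__":
    for c in kdc_candidates(SAMPLE_ZONE, "EXAMPLE.TEST"):
        print(c)
```

On a real deployment the input to kdc_candidates would be the answer to a query such as dig URI _kerberos.EXAMPLE.TEST against the IPA DNS server; the ordering here is deterministic for readability, whereas a real resolver randomizes among equal-priority records according to their weights.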
8995: Integrate SID configuration into base IPA installers
New installations of IPA now configure the server to generate SIDs by default. Previously, this setup was executed as part of the ipa-adtrust-install command.
9031: Harden FreeIPA KDC processing of PAC buffers
FreeIPA's KDC now hardens its processing of PAC structures in line with the fixes coordinated with the Samba Team and Microsoft for CVE-2020-25719 and CVE-2021-42287 respectively.
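The following is an added illustration of the class of check behind this hardening (listed here and under Highlights as 9031); it is a model written for this page, not ipa-kdb code, and the ipa-kdb commits in the changelog below (validate domain SID in incoming PAC for trusted domains for S4U, honor SID from the host or service entry, PAC_REQUESTER_SID support, enforce SID checks when generating PAC) are the real implementation. It decodes the binary SID layout used in PAC buffers (revision, sub-authority count, 48-bit big-endian identifier authority, 32-bit little-endian sub-authorities) and then requires that the requester SID agrees with the logon info, that a local principal's PAC carries the SID stored on its entry, and that a PAC arriving from a trusted domain names that domain rather than ours. The domain SIDs, RIDs and PAC field names are constructed.

```python
"""Model of SID consistency checks on PAC buffers. Added example, not ipa-kdb."""
import struct

LOCAL_DOMAIN_SID = "S-1-5-21-1111-2222-3333"         # constructed
TRUSTED_DOMAIN_SIDS = {"S-1-5-21-4444-5555-6666"}    # constructed forest trust


def parse_sid(blob):
    """Decode a binary SID into S-1-... form, rejecting inconsistent lengths."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_to_bytes(sid):
    """Encode an S-1-... string into the binary layout parse_sid expects."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("malformed SID string")
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def check_pac(pac, entry_sid, s4u_from_trust):
    """Return (ok, reason).

    pac is a constructed dict standing in for the LOGON_INFO fields
    (logon_domain_sid, user_rid) and the binary REQUESTER_SID buffer.
    entry_sid is the SID stored on the principal's own directory entry, or
    None when the principal is not ours. s4u_from_trust marks an S4U request
    whose PAC was issued by a trusted domain's KDC.
    """
    try:
        requester = parse_sid(pac["requester_sid"])
    except ValueError:
        return False, "malformed requester SID"
    logon_sid = "%s-%d" % (pac["logon_domain_sid"], pac["user_rid"])
    # 1. REQUESTER_SID must describe the same account as LOGON_INFO.
    if requester != logon_sid:
        return False, "requester SID does not match logon info"
    # 2. A local principal's PAC must carry the SID recorded on its entry,
    #    not whatever the request or a previous ticket claimed.
    if not s4u_from_trust:
        if entry_sid is None or requester != entry_sid:
            return False, "PAC SID does not match principal entry"
        return True, "ok"
    # 3. A PAC from a trusted domain must be issued for that domain: it may
    #    never carry our domain SID, nor a domain no trust covers.
    if pac["logon_domain_sid"] == LOCAL_DOMAIN_SID:
        return False, "trusted domain claims our domain SID"
    if pac["logon_domain_sid"] not in TRUSTED_DOMAIN_SIDS:
        return False, "domain SID not covered by any trust"
    return True, "ok"


if __name__ == "__main__":
    admin = {"logon_domain_sid": LOCAL_DOMAIN_SID, "user_rid": 500,
             "requester_sid": sid_to_bytes(LOCAL_DOMAIN_SID + "-500")}
    print(check_pac(admin, LOCAL_DOMAIN_SID + "-500", False))
    print(check_pac(admin, LOCAL_DOMAIN_SID + "-1001", False))
    print(check_pac(admin, None, True))
```

The third call in the usage block is the interesting one: a PAC that arrives over a trust but names the local domain is rejected outright, regardless of whether the RID inside it would map to a real account.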
Known Issues#
8700: ipa-server-install --auto-reverse does not create reverse DNS zone in Fedora 33
Previously, systemd-resolved presented a reverse record for the host's IP address, which made ipa-server-install skip creation of the reverse zone. The issue was fixed in systemd on Fedora 35 and no longer occurs there.
9026: Missing bind-pkcs11-utils causing failures in OpenDNSSec
OpenDNSSec integration now depends on bind-dnssec-utils on all Fedora releases and on RHEL 9 and later, and on those platforms invokes "/usr/sbin/dnssec-keyfromlabel -E pkcs11" instead of "/usr/sbin/dnssec-keyfromlabel-pkcs11".
Bug fixes#
FreeIPA 4.9.8 is a stabilization release for the features delivered as a part of 4.9.0 version series.
There are more than 30 bug fixes since the FreeIPA 4.9.7 release. Details can be found in the list of resolved tickets below.
Upgrading#
Upgrade instructions are available on the Upgrade page.
Feedback#
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on libera.chat.
Resolved tickets#
#7885 (rhbz#1690191) RFE: wrapper for Dogtag cert-fix command
#8353 Sporadic: Nightly test failure in test_adtrust_install.py::TestIpaAdTrustInstall::test_add_agent_not_allowed - kinit: Password has expired while getting initial credentials
#8397 (rhbz#1985069) Cannot remove First master server with KRA after the server hard disk failed ( destructed)
#8492 RFE: Include the server schema version in communication with the client
#8687 (rhbz#1980356) Nightly failure (rawhide/f34) reinstalling samba client: winbindd coredump
#8700 ipa-server-install --auto-reverse does not create reverse DNS zone in Fedora 33
#8755 (rhbz#1921007) ipa-server-install : No such file or directory: ‘/etc/authselect/user-nsswitch.conf’
#8815 Nightly test failure in new test test_ipa_cert_fix.py::TestCertFixReplica
#8846 Nightly test failure in test_webui_policy::test_selinuxusermap::test_undo_refresh_reset_update_cancel
#8932 ipatests: move_date is defined twice
#8953 test_certmonger_ipa_responder_jsonrpc random failure
#8954 Issues in commands of `schema` plugin
#8955 Unstable fingerprints for the same API schema
#8961 [azure] inconsistent results for `Quick code style check` and `Lint` tasks
#8962 (rhbz#1966289) Info about searchrecordslimit set search limit to 10,000 after upgrade
#8965 (rhbz#2000261) extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT
#8966 Invoke pkispawn with --log-file
#8968 Add URI records for KDC
#8972 (rhbz#1998129) AVC denied { read } comm=”ipa-custodia” on aarch64 during installation of ipa-server
#8974 (rhbz#1999142) RHEL 8.5 IPA Replica setup fails against a RHEL 7.9 IPA server
#8975 Nightly test failure in test_integration/test_commands.py/TestIPACommand/test_reset_password_unlock
#8979 Nightly test failure (rawhide) in test_trust.py::TestTrust::test_establish_forest_trust_with_shared_secret
#8980 Nightly test failure in pki-fedora/test_integration/test_backup_and_restore
#8983 [azure] tar sometimes fails on changed in process files
#8984 (rhbz#1999992) ipa migrate-ds command fails to warn when compat plugin is enabled
#8985 [azure] docs build fails with Pygments 2.8.0+
#8986 (rhbz#1999893) ipa cert-request replaces user certificate instead of adding
#8987 Nightly test failure in test_integration/test_trust.py/TestTrust/test_extdom_plugin
#8989 Nightly failure (rawhide) in tasks.run_ssh_cmd
#8995 Integrate SID configuration into base IPA installers
#8999 Nightly failure (rawhide) in test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA::test_ipahealthcheck_ipaopensslchainvalidation
#9000 Nightly failure (rawhide) in test_ipahealthcheck.py::TestIpaHealthCheck::test_sosreport_includes_healthcheck
#9006 Nightly failure in test_commands.py::TestIPACommand::test_cacert_manage
#9008 [azure] clone3 and glibc 2.34 in container
#9009 Nightly failure (rawhide) in webui_tests: yaml.load() now requires Loader
#9011 [azure] pip’s builddir
#9013 [ipatests] test_external_ca.py::TestMultipleExternalCA::test_master_install_ca1 fails
#9026 (rhbz#2020207) Missing bind-pkcs11-utils causing failures in OpenDNSSec
#9029 Nightly webui test failure (rawhide): selenium issue
#9031 Harden FreeIPA KDC processing of PAC buffers
#9036 (rhbz#2009114) Invalid PTR records created when navigated from host details page
#9038 (rhbz#1825010) Concerns regarding 'ipa pwpolicy-mod --minlife 24 --maxlife 1'
#9046 Stacktrace when using ‘ipa server-del’ in non-English locale
Detailed changelog since 4.9.7#
Armando Neto (2)#
Alexander Bokovoy (12)#
freeipa.spec.in: -server subpackage should require samba-client-libs commit #9031
ipa-kdb: validate domain SID in incoming PAC for trusted domains for S4U commit #9031
ipa-kdb: honor SID from the host or service entry commit #9031
ipa-kdb: Use proper account flags for Kerberos principal in PAC commit #9031
ipa-kdb: add PAC_ATTRIBUTES_INFO PAC buffer support commit #9031
ipa-kdb: add support for PAC_REQUESTER_SID buffer commit #9031
ipa-kdb: S4U2Proxy target should use a service name without realm commit #9031
ipa-kdb: use entry DN to compare aliased entries in S4U operations commit #9031
ipa-kdb: enforce SID checks when generating PAC commit #9031
Antonio Torres (4)#
Christian Heimes (1)#
Chris Kelley (1)#
Endi Sukma Dewata (1)#
François Cami (6)#
Florence Blanc-Renaud (27)#
ipatests: remove xfail on f35+ for test_number_of_zones commit #8700
ipatests: mark test_installation_TestInstallWithCA_DNS3 as xfail commit #8700
ipatests: update the expected output of user-add cmd commit #8995
User plugin: do not return the SID on user creation commit #8995
ipatests: backup-reinstall-restore needs to clear sssd cache commit #8995
User lifecycle: ignore SID when moving from preserved to staged commit #8995
ipatests: interactive install prompts for netbios name commit #8995
ipatests: add test ensuring SIDs are generated for new installs commit #8995
adtrust install: define constants for rid bases commit #8995
Installers: configure sid generation in server/replica installer commit #8995
ipatests: Update the subca used in TestIPACommand::test_cacert_manage commit #9006
webui test: close notification after selinux user map update commit #8846
ipatests: update expected error message for openssl verify commit #8999
ipatests: fix expected msg in tasks.run_ssh_cmd commit #8989
ipatests: fix logic waiting for repl in TestIPACommand commit #8975
ipatests: rpcclient now uses --use-kerberos=desired commit #8979
selinux policy: allow custodia to access /proc/cpuinfo commit #8972
Jochen Kellner (1)#
Michal Polovka (1)#
Mohammad Rizwan (4)#
Pavel Březina (1)#
kdb: fix typo in ipa_kdcpolicy_check_as commit
Petr Voborník (2)#
Rob Crittenden (7)#
Don’t limit role-find by hostname when searching for last KRA commit #8397
On redhat-based platforms rely on authselect to enable sudo commit #8755
ipatests: Test that a user can be issued multiple certificates commit #8986
Don’t store entries with a usercertificate in the LDAP cache commit #8986
Increase default limit on LDAP searches to 100k commit #8962
Sumit Bose (1)#
Stanislav Levin (15)#
ipatests: TestMultipleExternalCA: Create tempfiles on remote host commit #9013
seccomp profile: Default to ENOSYS instead of EPERM commit #9008
test_schema_plugin: Add missing tests for command, class and topic commands commit #8954
command_defaults: Don’t crash on nonexistent command commit #8954
schema plugin: Fix commands without metaobject arg commit #8954
ipatests: Log debug messages for locator plugin commit #8353
Sergey Orlov (2)#
Sumedh Sidhaye (1)#
Test to verify if the case of a request for /ca/rest/authority/{id}/cert (or …/chain) commit
Vit Mojzis (1)#
selinux: Fix file context definition for /var/run commit