The FreeIPA team would like to announce the FreeIPA 4.9.9 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
Highlights in 4.9.9
6524: Vault key archival using AES
The vault plugin now uses AES-128-CBC as the default wrapping algorithm for the transport of secrets.
9084: ipa-client-automount --no-sssd broken with authselect 1.3.0
The command ipa-client-automount no longer supports the --no-sssd option. As a consequence, the command always configures the client to use SSSD for automount.
9095: After ipa-restore, a hidden server is not made visible
When a hidden server is restored using ipa-restore, it is now always made visible by marking all its services as enabled instead of hidden.
9106: Nightly failure (rawhide) when calling kinit admin
OpenLDAP 2.6+ removed the -h and -p options from the OpenLDAP command line utilities (ldapadd/ldapmodify/…). FreeIPA now uses only the -H url option to specify the target server and the protocol to use.
9107: Enable ipa-ccache-sweep.timer during server installation
New installations of IPA now enable the ipa-ccache-sweep.timer, which removes expired credential caches from the filesystem.
Bug fixes
FreeIPA 4.9.9 is a stabilization release for the features delivered as part of the 4.9 version series.
There are more than 50 bug fixes since the FreeIPA 4.9.8 release. Details of the bug fixes can be seen in the list of resolved tickets below.
Upgrading
Upgrade instructions are available on the Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on libera.chat.
Resolved tickets
#6524 Vault key archival using AES
#7671 Remove --no-sssd and --noac options
#8001 Need default authentication indicators for SPAKE, PKINIT and encrypted challenge preauth
#8361 Add support for managing subuids and subgids in FreeIPA
#8506 (rhbz#1930038) Nightly failure in ipa-server-install --uninstall: org.freedesktop.DBus.Error.NoReply
#8582 Nightly test failure in test_replica_promotion.py::TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica - ClonesConnectivyAndDataCheck
#8605 (rhbz#1903250) backtrace using ipa-replica-manage
#8807 (rhbz#1688267) [RFE] IPA to allow setting a new range type.
#8865 [Tracker] ipa-replica-install fails on 2nd run (f35+)
#8899 (rhbz#2061957) healthcheck 0.9 warns about permissions of /var/log/ipaupgrade.log
#8906 (rhbz#1731484) support for SHA384withRSA signing algo missing
#8962 (rhbz#1966289) Info about searchrecordslimit set search limit to 10,000 after upgrade
#9004 Can’t use --delattr with a date value
#9009 Nightly failure (rawhide) in webui_tests: yaml.load() now requires Loader
#9014 ‘init/tmpfilesd/ipa.conf.in’ hardcodes apache group
#9024 Nightly failure (updates-testing) in test_fips.py::TestInstallFIPS
#9031 Harden FreeIPA KDC processing of PAC buffers
#9038 (rhbz#1825010) Concerns regarding ‘ipa pwpolicy-mod --minlife 24 --maxlife 1’
#9044 Random nightly failure in test_otp.py::TestOTPToken::test_check_otpd_after_idle_timeout
#9047 Add automation for ipa-replica-conncheck in upstream tests
#9051 Nightly test failure (selinux/updates-testing) in ipa-restore
#9052 Nightly test failure (updates-testing) in test_ipa_cert_fix.py::TestCertFixReplica teardown
#9054 [ipatests] ipa-healthcheck and URI RRs
#9063 (rhbz#2031825) Changing default pac type to ‘nfs:NONE and MS-PAC’ does not display error ‘ipa: ERROR: no modifications to be performed’
#9065 (rhbz#2033342) Can’t log in after ipa user-mod USER --user-auth-type=hardened
#9067 Nightly test failure (rawhide) in test_nfs.py::TestIpaClientAutomountFileRestore::test_nsswitch_backup_restore_sssd
#9068 --desc in automember-default-group-set and automember-default-group-remove
#9069 Nightly test failure (updates-testing) in test_winsyncmigrate.py::TestWinsyncMigrate
#9080 (rhbz#2032701) Build against OpenLDAP 2.6
#9083 Support MIT Kerberos KDB version 9
#9084 ipa-client-automount --no-sssd broken with authselect 1.3.0
#9085 ipa-client-install fails if pre-existing NIS domain contains a “%”
#9087 cifs mounts fails with error: cifs filesystem not supported by the system
#9095 After ipa-restore, a hidden server is not made visible
#9096 Nightly test failure in testing_master_pki: certificate not retrieved on replica
#9099 (rhbz#2049167) KRA GetStatus service blocked by IPA proxy
#9100 (rhbz#2022483) Unable to join RHEL 8.5 Replica to RHEL 7.9 Master for migration purposes
#9101 (rhbz#2032806) Error replacing a replica with CentOS Stream 9
#9103 (rhbz#2048558) ipa-join tests are failing due to changes in expected output
#9106 (rhbz#2050921) Nightly failure (rawhide) when calling kinit admin
#9107 (rhbz#2051575) Enable ipa-ccache-sweep.timer during server installation
#9108 ipatests: remove additional check for failed units.
#9110 (rhbz#2032738) IPA LDAP plugin ipa-cldap memory leak
#9111 Server host name not saved by the script ?
#9117 Pylint 2.12 issues
#9119 (rhbz#2057471) KRB instance: make provision to work with crypto policy without SHA-1 HMAC types
#9123 Random nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring
#9126 allow overriding systemd-tmpfiles program
#9127 (rhbz#2062379) Use new getorigby{user|group}name() calls in extdom plugin
#9129 Remove Python warning about PROTOCOL_SSLv23
#9133 Nightly test failure in test_fips.py::TestInstallFIPS::test_basic
#9134 Nightly test failure (rawhide) while establishing two-way trust
#9137 test_replica_install_after_restore is performing reinit in the wrong direction
#9141 ipatests: fix xfail assertion in auto private group tests
Detailed changelog since 4.9.8
Alexander Bokovoy (20)
ipatests: collect samba logs when setting up trust to AD commit
ipa-sam: retrieve trusted domain account credential from the TDO itself commit #9134
ipa-pwd-extop: allow ipasam to request RC4-HMAC in Kerberos keys for trusted domain objects commit #9134
ipatests: fix check for AD topology being present commit #9133
tests: ensure AD-SUPPORT subpolicy is active in more cases commit #9119
ipalib/util.py: switch to ssl.PROTOCOL_TLS_CLIENT by default commit #9129
test_krbtpolicy: skip SPAKE-related tests in FIPS mode commit #9119
test_otp: do not use paramiko unless it is really needed commit #9119
Kerberos instance: default to AES256-SHA2 for master key encryption commit #9119
freeipa.spec: bump crypto-policies dependency for CentOS 9 Stream commit #9119
KRB instance: make provision to work with crypto policy without SHA-1 HMAC types commit #9119
translations: regenerate translations after changes in help message in sudorule commit #9106
pylint: workaround incorrect pylint detection of a local function commit
OpenLDAP 2.6+: use only -H option to specify LDAP url commit #9106
ipa-kdb: refactor KDB driver to prepare for KDB version 9 commit #9083
ipa-kdb: fix requester SID check according to MS-KILE and MS-SFU updates commit #9031
Anuja More (6)
Antonio Torres (1)
Back to git snapshots commit
Brian Turek (1)
Christian Heimes (1)
Florence Blanc-Renaud (14)
ipatests: fix wrong condition in xfail_context for auto private grp commit #9141
ipatests: Fix a call to run_command with wildcard commit #8506
ipatests: remove certmonger tracking before uninstall commit #9123
ipatests: add missing test in the nightly defs commit
Commit template: use either Fixes or Related commit
ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus commit #8582, #9099
ipatests: fix expected automount config in nsswitch.conf commit #9067
config plugin: add a test ensuring EmptyModlist is returned commit #9063
Config plugin: return EmptyModlist when no change is applied commit #9063
automember default group: remove --desc parameter commit #9068
ipatests: fix TestOTPToken::test_check_otpd_after_idle_timeout commit #9044
Francisco Trivino (3)
Fraser Tweedale (1)
jh23453 (1)
Remove deprecation warning when installing a CA replica commit
Julien Rische (2)
Michal Polovka (2)
Mohammad Rizwan (8)
ipatests: extend find_segment with suffix param commit
ipatests: fix the topologysegment-reinitialize command commit #9137
ipatests: Check maxlife error message where minlife > maxlife specified commit #9038
Test ipa-ccache-sweep.timer enabled by default during installation commit #9107
PEP8 Fixes commit
ipatests: Test empty cert request doesn’t force certmonger to segfault commit
ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica teardown commit #9052
Rob Crittenden (11)
Remove the --no-sssd option from ipa-client-automount commit #7671, #9084
Convert values using _SYNTAX_MAPPING with --delattr commit #9004
ipatests: Give the subCA more time to be loaded by the CA commit #9096
Strip off trailing period of a user-provided FQDN in installer commit #9111
Verify the user-provided hostname in the server installer commit #9111
Set the mode on ipaupgrade.log during RPM %post snippet commit #8899
ipatests: Remove certmonger tracking before uninstall in cert tests commit #8506
Enable the ccache sweep timer during installation commit #9107
Remove ipa-join errors from behind the debug option commit #9103
Don’t always override the port in import_included_profiles commit #9100
Sumit Bose (2)
Stanislav Levin (34)
pylint: Skip false-positive invalid-sequence-index commit #9117
pylint: Fix format-string-without-interpolation commit #9117
pylint: Skip deprecated-method for match_hostname commit #9117
pylint: Skip use-implicit-booleaness-not-comparison commit #9117
pylint: Skip isinstance-second-argument-not-valid-type commit #9117
pylint: Skip unused-private-member for unsupported cases commit #9117
pylint: Skip unused-private-member for property case commit #9117
pylint: Drop never used __remove_lightweight_ca_key_retrieval_custodia commit #9117
pylint: Clean up __convert_to_gssapi_replication commit #9117
ipatests: healthcheck: Sync the expected system RRs commit #9054
Sumedh Sidhaye (3)
Sudhir Menon (1)
ipatests: Test for pki.server.healthcheck.clones.connectivity_and_data commit
Timo Aaltonen (7)
configure: Use HTTPD_GROUP in init/tmpfiles/ipa.conf.in commit #9014
ipaplatform: Modify paths to fips-mode-setup and systemd-tmpfiles commit
ipatests/test_ipaplatform: Skip test_ipa_version on Debian commit
ipaplatform/debian: Fix ntpd service name commit
ipaplatform/debian: Fix named keytab name commit
ipaplatform: Add support for recognizing systemd-timesyncd commit
ipaplatform/debian: Fix HTTPD_ALIAS_DIR, and drop some obsolete paths. commit