

Release date: 2022-04-26

The FreeIPA team would like to announce the FreeIPA 4.9.9 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.9.9

  • 6524: Vault key archival using AES
The vault plugin now uses AES-128-CBC as the default wrapping algorithm for the transport of secrets.

  • 9084: ipa-client-automount --no-sssd broken with authselect 1.3.0
The ipa-client-automount command no longer supports the --no-sssd option. As a consequence, the command always configures the client to use SSSD for automount.

  • 9095: After ipa-restore, a hidden server is not made visible
When a hidden server is restored using ipa-restore, it is now always made visible by marking all its services as enabled instead of hidden.

  • 9106: Nightly failure (rawhide) when calling kinit admin
OpenLDAP 2.6+ removed the -h and -p options from the OpenLDAP command line utilities (ldapadd/ldapmodify/...). FreeIPA now uses only the -H url option to specify the target server and the protocol to use.

  • 9107: Enable ipa-ccache-sweep.timer during server installation
New installations of IPA now enable the ipa-ccache-sweep.timer, which removes expired credential caches from the filesystem.

Bug fixes

FreeIPA 4.9.9 is a stabilization release for the features delivered as part of the 4.9 version series.

There are more than 50 bug fixes since the FreeIPA 4.9.8 release. Details of the bug fixes can be seen in the list of resolved tickets below.


Upgrade instructions are available on the Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on libera.chat.

Resolved tickets

  • #6524 Vault key archival using AES
  • #7671 Remove --no-sssd and --noac options
  • #8001 Need default authentication indicators for SPAKE, PKINIT and encrypted challenge preauth
  • #8361 Add support for managing subuids and subgids in FreeIPA
  • #8506 (rhbz#1930038) Nightly failure in ipa-server-install --uninstall: org.freedesktop.DBus.Error.NoReply
  • #8582 Nightly test failure in test_replica_promotion.py::TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica - ClonesConnectivyAndDataCheck
  • #8605 (rhbz#1903250) backtrace using ipa-replica-manage
  • #8807 (rhbz#1688267) [RFE] IPA to allow setting a new range type.
  • #8865 [Tracker] ipa-replica-install fails on 2nd run (f35+)
  • #8899 (rhbz#2061957) healthcheck 0.9 warns about permissions of /var/log/ipaupgrade.log
  • #8906 (rhbz#1731484) support for SHA384withRSA signing algo missing
  • #8962 (rhbz#1966289) Info about searchrecordslimit set search limit to 10,000 after upgrade
  • #9004 Can't use --delattr with a date value
  • #9009 Nightly failure (rawhide) in webui_tests: yaml.load() now requires Loader
  • #9014 'init/tmpfilesd/ipa.conf.in' hardcodes apache group
  • #9024 Nightly failure (updates-testing) in test_fips.py::TestInstallFIPS
  • #9031 Harden FreeIPA KDC processing of PAC buffers
  • #9038 (rhbz#1825010) Concerns regarding 'ipa pwpolicy-mod --minlife 24 --maxlife 1'
  • #9044 Random nightly failure in test_otp.py::TestOTPToken::test_check_otpd_after_idle_timeout
  • #9047 Add automation for ipa-replica-conncheck in upstream tests
  • #9051 Nightly test failure (selinux/updates-testing) in ipa-restore
  • #9052 Nightly test failure (updates-testing) in test_ipa_cert_fix.py::TestCertFixReplica teardown
  • #9054 [ipatests] ipa-healthcheck and URI RRs
  • #9063 (rhbz#2031825) Changing default pac type to 'nfs:NONE and MS-PAC' doesnot display error 'ipa: ERROR: no modifications to be performed'
  • #9065 (rhbz#2033342) Can't log in after ipa user-mod USER --user-auth-type=hardened
  • #9067 Nightly test failure (rawhide) in test_nfs.py::TestIpaClientAutomountFileRestore::test_nsswitch_backup_restore_sssd
  • #9068 --desc in automember-default-group-set and automember-default-group-remove
  • #9069 Nightly test failure (updates-testing) in test_winsyncmigrate.py::TestWinsyncMigrate
  • #9080 (rhbz#2032701) Build against OpenLDAP 2.6
  • #9083 Support MIT Kerberos KDB version 9
  • #9084 ipa-client-automount --no-sssd broken with authselect 1.3.0
  • #9085 ipa-client-install fails if pre-existing NIS domain contains a "%"
  • #9087 cifs mounts fails with error: cifs filesystem not supported by the system
  • #9095 After ipa-restore, a hidden server is not made visible
  • #9096 Nightly test failure in testing_master_pki: certificate not retrieved on replica
  • #9099 (rhbz#2049167) KRA GetStatus service blocked by IPA proxy
  • #9100 (rhbz#2022483) Unable to join RHEL 8.5 Replica to RHEL 7.9 Master for migration purposes
  • #9101 (rhbz#2032806) Error replacing a replica with CentOS Stream 9
  • #9103 (rhbz#2048558) ipa-join tests are failing due to changes in expected output
  • #9106 (rhbz#2050921) Nightly failure (rawhide) when calling kinit admin
  • #9107 (rhbz#2051575) Enable ipa-ccache-sweep.timer during server installation
  • #9108 ipatests: remove additional check for failed units.
  • #9110 (rhbz#2032738) IPA LDAP plugin ipa-cldap memory leak
  • #9111 Server host name not saved by the script ?
  • #9117 Pylint 2.12 issues
  • #9119 (rhbz#2057471) KRB instance: make provision to work with crypto policy without SHA-1 HMAC types
  • #9123 Random nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring
  • #9126 allow overriding systemd-tmpfiles program
  • #9127 (rhbz#2062379) Use new getorigby{user|group}name() calls in extdom plugin
  • #9129 Remove Python warning about PROTOCOL_SSLv23
  • #9133 Nightly test failure in test_fips.py::TestInstallFIPS::test_basic
  • #9134 Nightly test failure (rawhide) while establishing two-way trust
  • #9137 test_replica_install_after_restore is performing reinit in the wrong direction
  • #9141 ipatests: fix xfail assertion in auto private group tests

Detailed changelog since 4.9.8

Alexander Bokovoy (20)

  • ipatests: collect samba logs when setting up trust to AD commit
  • ipa-sam: retrieve trusted domain account credential from the TDO itself commit #9134
  • ipa-pwd-extop: allow ipasam to request RC4-HMAC in Kerberos keys for trusted domain objects commit #9134
  • ipatests: fix check for AD topology being present commit #9133
  • tests: ensure AD-SUPPORT subpolicy is active in more cases commit #9119
  • ipalib/util.py: switch to ssl.PROTOCOL_TLS_CLIENT by default commit #9129
  • test_krbtpolicy: skip SPAKE-related tests in FIPS mode commit #9119
  • test_otp: do not use paramiko unless it is really needed commit #9119
  • Kerberos instance: default to AES256-SHA2 for master key encryption commit #9119
  • freeipa.spec: bump crypto-policies dependency for CentOS 9 Stream commit #9119
  • ipatests: extend AES keyset to SHA2-based ones commit #9119
  • tests: ensure AD-SUPPORT subpolicy is active commit #9119
  • KRB instance: make provision to work with crypto policy without SHA-1 HMAC types commit #9119
  • translations: regenerate translations after changes in help message in sudorule commit #9106
  • pylint: workaround incorrect pylint detection of a local function commit
  • OpenLDAP 2.6+: use only -H option to specify LDAP url commit #9106
  • ipa-kdb: refactor KDB driver to prepare for KDB version 9 commit #9083
  • Support building against OpenLDAP 2.6+ commit #9080
  • ipa-kdb: fix requester SID check according to MS-KILE and MS-SFU updates commit #9031
  • ipa-kdb: issue PAC_REQUESTER_SID only for TGTs commit #9031

Anuja More (6)

  • Mark xfail test_gidnumber_not_corresponding_existing_group[true,hybrid] commit
  • mark xfail for test_idoverride_with_auto_private_group[hybrid] commit
  • ipatests: Tests for Autoprivate group. commit #8807
  • ipatests: remove additional check for failed units. commit #9108
  • ipatests: webui: Tests for subordinate ids. commit #8361
  • ipatests: Test default value of nsslapd-sizelimit. commit #8962

Antonio Torres (1)

Brian Turek (1)

  • ipalib: Handle percent signs in saved values commit #9085

Christian Heimes (1)

Florence Blanc-Renaud (14)

  • ipatests: fix wrong condition in xfail_context for auto private grp commit #9141
  • ipatests: Fix a call to run_command with wildcard commit #8506
  • ipatests: remove certmonger tracking before uninstall commit #9123
  • ipatests: add missing test in the nightly defs commit
  • Commit template: use either Fixes or Related commit
  • ipatests: update images for f34 and f35 commit #9051, #9069
  • ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus commit #8582, #9099
  • ipatests: fix expected automount config in nsswitch.conf commit #9067
  • ipatests: update images for f34 and f35 commit #9087
  • config plugin: add a test ensuring EmptyModlist is returned commit #9063
  • Config plugin: return EmptyModlist when no change is applied commit #9063
  • automember default group: remove --desc parameter commit #9068
  • ipatests: update images for f34 and f35 commit #8865, #9024
  • ipatests: fix TestOTPToken::test_check_otpd_after_idle_timeout commit #9044

Francisco Trivino (3)

  • Set AES as default for KRA archival wrapping commit #6524
  • ipa_cldap: fix memory leak commit #9110
  • Custodia: use a stronger encryption algo when exporting keys commit #9101

Fraser Tweedale (1)

jh23453 (1)

  • Remove deprecation warning when installing a CA replica commit

Julien Rische (2)

  • ipatests: add case for hardened-only ticket policy commit
  • ipa-kdb: do not remove keys for hardened auth-enabled users commit #8001, #9065

Michal Polovka (2)

  • ipatests: webui: Use safe-loader for loading YAML configuration file commit #9009
  • pr-ci definitions: add web-ui subid-related jobs commit #8361

Mohammad Rizwan (8)

  • ipatests: extend find_segment with suffix param commit
  • ipatests: fix the topologysegment-reinitialize command commit #9137
  • ipatests: Check maxlife error message where minlife > maxlife specified commit #9038
  • Test ipa-ccache-sweep.timer enabled by default during installation commit #9107
  • PEP8 Fixes commit
  • Test cases for ipa-replica-conncheck command commit #9047
  • ipatests: Test empty cert request doesn't force certmonger to segfault commit
  • ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica teardown commit #9052

Rob Crittenden (11)

  • Remove the --no-sssd option from ipa-client-automount commit #7671, #9084
  • Convert values using _SYNTAX_MAPPING with --delattr commit #9004
  • ipatests: Give the subCA more time to be loaded by the CA commit #9096
  • Strip off trailing period of a user-provided FQDN in installer commit #9111
  • Verify the user-provided hostname in the server installer commit #9111
  • ipa-restore: Mark a restored server as enabled commit #9095
  • Set the mode on ipaupgrade.log during RPM %post snipppet commit #8899
  • ipatests: Remove certmonger tracking before uninstall in cert tests commit #8506
  • Enable the ccache sweep timer during installation commit #9107
  • Remove ipa-join errors from behind the debug option commit #9103
  • Don't always override the port in import_included_profiles commit #9100

Sumit Bose (2)

Stanislav Levin (34)

Sumedh Sidhaye (3)

  • Added nightly job definitions commit
  • Added test automation for SHA384withRSA CSR support commit #8906
  • Extend test to see if replica is not shown when running `ipa-replica-manage list -v <FQDN>` commit #8605

Sudhir Menon (1)

  • ipatests: Test for pki.server.healthcheck.clones.connectivity_and_data commit

Timo Aaltonen (7)

  • configure: Use HTTPD_GROUP in init/tmpfiles/ipa.conf.in commit #9014
  • ipaplatform: Modify paths to fips-mode-setup and systemd-tmpfiles commit
  • ipatests/test_ipaplatform: Skip test_ipa_version on Debian commit
  • ipaplatform/debian: Fix ntpd service name commit
  • ipaplatform/debian: Fix named keytab name commit
  • ipaplatform: Add support for recognizing systemd-timesyncd commit
  • ipaplatform/debian: Fix HTTPD_ALIAS_DIR, and drop some obsolete paths. commit