The FreeIPA team would like to announce the FreeIPA 4.9.9 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.9.9

  • 6524: Vault key archival using AES

    The vault plugin now uses AES-128-CBC as the default wrapping algorithm for the transport of secrets.


  • 9084: ipa-client-automount --no-sssd broken with authselect 1.3.0

    The command ipa-client-automount no longer supports the --no-sssd option. As a consequence, the command always configures the client to use SSSD for automount.


  • 9095: After ipa-restore, a hidden server is not made visible

    When a hidden server is restored using ipa-restore, it is now always made visible by marking all its services as enabled instead of hidden.
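Because a restored server now comes back with all of its services enabled rather than hidden, an administrator who relied on the server staying hidden will want to check its role state after ipa-restore. The following shell helper is an added example, not FreeIPA project code: it reads the output of `ipa server-role-find` and reports whether the server is visible (any role enabled) or hidden (all present roles hidden). The sample output below is constructed, and the "Role status:" line format is an assumption about that command's text output.

```shell
#!/bin/sh
# Added example, not FreeIPA project code.
# Assumptions: 'ipa server-role-find' prints one "Role status: <state>" line per
# role, where <state> is enabled, hidden or absent; the sample text is constructed.

# role_status_counts: read server-role-find output on stdin and print
# "enabled=N hidden=M" for the roles present on the server (absent roles are skipped).
role_status_counts() {
    awk '
        /^[[:space:]]*Role status:/ {
            if ($3 == "enabled") e++
            else if ($3 == "hidden") h++
        }
        END { printf "enabled=%d hidden=%d\n", e + 0, h + 0 }
    '
}

# server_visibility: read server-role-find output on stdin and print
# "visible" (at least one role enabled), "hidden" (all present roles hidden)
# or "unknown" (no roles found; exit status 2 so scripts can notice).
server_visibility() {
    counts=$(role_status_counts)
    enabled=${counts#enabled=}; enabled=${enabled%% *}
    hidden=${counts##*hidden=}
    if [ "$enabled" -eq 0 ] && [ "$hidden" -eq 0 ]; then
        echo unknown
        return 2
    fi
    if [ "$enabled" -gt 0 ]; then
        echo visible
    else
        echo hidden
    fi
}

# Constructed sample: a server that is still hidden (one role absent, two hidden).
sample_hidden() {
cat <<'EOF'
----------------------
3 server roles matched
----------------------
  Server name: replica.example.test
  Role name: AD trust agent
  Role status: absent

  Server name: replica.example.test
  Role name: CA server
  Role status: hidden

  Server name: replica.example.test
  Role name: IPA master
  Role status: hidden
----------------------------
Number of entries returned 3
----------------------------
EOF
}

# Constructed sample: the same server after ipa-restore, now fully enabled.
sample_restored() {
    sample_hidden | sed 's/Role status: hidden/Role status: enabled/'
}

# Usage on a real server (not run here):
#   ipa server-role-find --server="$(hostname)" | server_visibility
# To hide the server again after a restore:
#   ipa server-state "$(hostname)" --state=hidden
```

The check is deliberately conservative: a single enabled role is enough to make the server discoverable by clients, so it reports "visible" unless every present role is hidden.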


  • 9106: Nightly failure (rawhide) when calling kinit admin

    OpenLDAP 2.6+ removed -h and -p options from OpenLDAP command line utilities (ldapadd/ldapmodify/…). FreeIPA now uses only -H url option to specify the target server and protocol to use.
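Scripts that still call the OpenLDAP tools with -h HOST -p PORT break against OpenLDAP 2.6+, so the practical step is to build the single -H URI those tools expect. The helper below is an added example, not FreeIPA project code: it turns a scheme, host and optional port into an LDAP URI, bracketing IPv6 literals and percent-encoding the socket path for ldapi:// (the form FreeIPA's own directory server is reached through locally), and translates the legacy -h/-p argument pair into that URI. Hostnames, ports and the socket path are constructed samples, and the REALM in the socket name is a placeholder.

```shell
#!/bin/sh
# Added example, not FreeIPA project code.
# Assumptions: hostnames, ports and the socket path used here are constructed;
# "REALM" in the ldapi socket name is a placeholder for the real IPA realm.

# ldap_uri SCHEME HOST [PORT]
#   SCHEME is ldap, ldaps or ldapi. For ldapi, HOST is the Unix socket path,
#   which must be percent-encoded ('/' -> %2F) inside the URI.
ldap_uri() {
    scheme=$1; host=$2; port=$3
    case "$scheme" in
        ldapi)
            printf 'ldapi://%s\n' "$(printf '%s' "$host" | sed 's|/|%2F|g')"
            return 0 ;;
        ldap)  [ -n "$port" ] || port=389 ;;
        ldaps) [ -n "$port" ] || port=636 ;;
        *) echo "unsupported scheme: $scheme" >&2; return 1 ;;
    esac
    # IPv6 literals must be bracketed in the authority part of a URI.
    case "$host" in
        *:*) host="[$host]" ;;
    esac
    printf '%s://%s:%s\n' "$scheme" "$host" "$port"
}

# legacy_to_uri [-h HOST] [-p PORT] ...
#   Translate the removed -h/-p pair into an ldap:// URI. The old tools only
#   spoke plain LDAP (optionally upgraded with -Z for StartTLS) through -h/-p,
#   so the scheme is always ldap://; keep passing -Z separately if you used it.
legacy_to_uri() {
    host=""; port=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -h) host=$2; shift 2 ;;
            -p) port=$2; shift 2 ;;
            *) shift ;;
        esac
    done
    [ -n "$host" ] || { echo "missing -h HOST" >&2; return 1; }
    ldap_uri ldap "$host" "$port"
}

# Usage on an IPA server (not run here): query the local directory server over
# its ldapi socket with the new -H form instead of -h/-p.
#   ldapsearch -H "$(ldap_uri ldapi /run/slapd-REALM.socket)" -Y EXTERNAL -b '' -s base
```

Migrating with a helper like this keeps the scheme explicit: a script that used -h with -Z becomes `-H ldap://host:389 -Z`, while one that really needs TLS from the first byte must say `ldaps://host:636` rather than rely on a port number alone.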


  • 9107: Enable ipa-ccache-sweep.timer during server installation

    New installations of IPA now enable the ipa-ccache-sweep.timer, which removes expired credential caches from the filesystem.


Bug fixes

FreeIPA 4.9.9 is a stabilization release for the features delivered as a part of 4.9 version series.

There are more than 50 bug fixes since the FreeIPA 4.9.8 release. Details of the bug fixes can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on libera.chat.

Resolved tickets

  • #6524 Vault key archival using AES

  • #7671 Remove --no-sssd and --noac options

  • #8001 Need default authentication indicators for SPAKE, PKINIT and encrypted challenge preauth

  • #8361 Add support for managing subuids and subgids in FreeIPA

  • #8506 (rhbz#1930038) Nightly failure in ipa-server-install --uninstall: org.freedesktop.DBus.Error.NoReply

  • #8582 Nightly test failure in test_replica_promotion.py::TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica - ClonesConnectivyAndDataCheck

  • #8605 (rhbz#1903250) backtrace using ipa-replica-manage

  • #8807 (rhbz#1688267) [RFE] IPA to allow setting a new range type.

  • #8865 [Tracker] ipa-replica-install fails on 2nd run (f35+)

  • #8899 (rhbz#2061957) healthcheck 0.9 warns about permissions of /var/log/ipaupgrade.log

  • #8906 (rhbz#1731484) support for SHA384withRSA signing algo missing

  • #8962 (rhbz#1966289) Info about searchrecordslimit set search limit to 10,000 after upgrade

  • #9004 Can’t use --delattr with a date value

  • #9009 Nightly failure (rawhide) in webui_tests: yaml.load() now requires Loader

  • #9014 ‘init/tmpfilesd/ipa.conf.in’ hardcodes apache group

  • #9024 Nightly failure (updates-testing) in test_fips.py::TestInstallFIPS

  • #9031 Harden FreeIPA KDC processing of PAC buffers

  • #9038 (rhbz#1825010) Concerns regarding ‘ipa pwpolicy-mod --minlife 24 --maxlife 1’

  • #9044 Random nightly failure in test_otp.py::TestOTPToken::test_check_otpd_after_idle_timeout

  • #9047 Add automation for ipa-replica-conncheck in upstream tests

  • #9051 Nightly test failure (selinux/updates-testing) in ipa-restore

  • #9052 Nightly test failure (updates-testing) in test_ipa_cert_fix.py::TestCertFixReplica teardown

  • #9054 [ipatests] ipa-healthcheck and URI RRs

  • #9063 (rhbz#2031825) Changing default pac type to ‘nfs:NONE and MS-PAC’ does not display error ‘ipa: ERROR: no modifications to be performed’

  • #9065 (rhbz#2033342) Can’t log in after ipa user-mod USER --user-auth-type=hardened

  • #9067 Nightly test failure (rawhide) in test_nfs.py::TestIpaClientAutomountFileRestore::test_nsswitch_backup_restore_sssd

  • #9068 --desc in automember-default-group-set and automember-default-group-remove

  • #9069 Nightly test failure (updates-testing) in test_winsyncmigrate.py::TestWinsyncMigrate

  • #9080 (rhbz#2032701) Build against OpenLDAP 2.6

  • #9083 Support MIT Kerberos KDB version 9

  • #9084 ipa-client-automount --no-sssd broken with authselect 1.3.0

  • #9085 ipa-client-install fails if pre-existing NIS domain contains a “%”

  • #9087 cifs mounts fails with error: cifs filesystem not supported by the system

  • #9095 After ipa-restore, a hidden server is not made visible

  • #9096 Nightly test failure in testing_master_pki: certificate not retrieved on replica

  • #9099 (rhbz#2049167) KRA GetStatus service blocked by IPA proxy

  • #9100 (rhbz#2022483) Unable to join RHEL 8.5 Replica to RHEL 7.9 Master for migration purposes

  • #9101 (rhbz#2032806) Error replacing a replica with CentOS Stream 9

  • #9103 (rhbz#2048558) ipa-join tests are failing due to changes in expected output

  • #9106 (rhbz#2050921) Nightly failure (rawhide) when calling kinit admin

  • #9107 (rhbz#2051575) Enable ipa-ccache-sweep.timer during server installation

  • #9108 ipatests: remove additional check for failed units.

  • #9110 (rhbz#2032738) IPA LDAP plugin ipa-cldap memory leak

  • #9111 Server host name not saved by the script?

  • #9117 Pylint 2.12 issues

  • #9119 (rhbz#2057471) KRB instance: make provision to work with crypto policy without SHA-1 HMAC types

  • #9123 Random nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring

  • #9126 allow overriding systemd-tmpfiles program

  • #9127 (rhbz#2062379) Use new getorigby{user|group}name() calls in extdom plugin

  • #9129 Remove Python warning about PROTOCOL_SSLv23

  • #9133 Nightly test failure in test_fips.py::TestInstallFIPS::test_basic

  • #9134 Nightly test failure (rawhide) while establishing two-way trust

  • #9137 test_replica_install_after_restore is performing reinit in the wrong direction

  • #9141 ipatests: fix xfail assertion in auto private group tests

Detailed changelog since 4.9.8

Alexander Bokovoy (20)

  • ipatests: collect samba logs when setting up trust to AD commit

  • ipa-sam: retrieve trusted domain account credential from the TDO itself commit #9134

  • ipa-pwd-extop: allow ipasam to request RC4-HMAC in Kerberos keys for trusted domain objects commit #9134

  • ipatests: fix check for AD topology being present commit #9133

  • tests: ensure AD-SUPPORT subpolicy is active in more cases commit #9119

  • ipalib/util.py: switch to ssl.PROTOCOL_TLS_CLIENT by default commit #9129

  • test_krbtpolicy: skip SPAKE-related tests in FIPS mode commit #9119

  • test_otp: do not use paramiko unless it is really needed commit #9119

  • Kerberos instance: default to AES256-SHA2 for master key encryption commit #9119

  • freeipa.spec: bump crypto-policies dependency for CentOS 9 Stream commit #9119

  • ipatests: extend AES keyset to SHA2-based ones commit #9119

  • tests: ensure AD-SUPPORT subpolicy is active commit #9119

  • KRB instance: make provision to work with crypto policy without SHA-1 HMAC types commit #9119

  • translations: regenerate translations after changes in help message in sudorule commit #9106

  • pylint: workaround incorrect pylint detection of a local function commit

  • OpenLDAP 2.6+: use only -H option to specify LDAP url commit #9106

  • ipa-kdb: refactor KDB driver to prepare for KDB version 9 commit #9083

  • Support building against OpenLDAP 2.6+ commit #9080

  • ipa-kdb: fix requester SID check according to MS-KILE and MS-SFU updates commit #9031

  • ipa-kdb: issue PAC_REQUESTER_SID only for TGTs commit #9031

Anuja More (6)

  • Mark xfail test_gidnumber_not_corresponding_existing_group[true,hybrid] commit

  • mark xfail for test_idoverride_with_auto_private_group[hybrid] commit

  • ipatests: Tests for Autoprivate group. commit #8807

  • ipatests: remove additional check for failed units. commit #9108

  • ipatests: webui: Tests for subordinate ids. commit #8361

  • ipatests: Test default value of nsslapd-sizelimit. commit #8962

Antonio Torres (1)

  • Back to git snapshots commit

Brian Turek (1)

  • ipalib: Handle percent signs in saved values commit #9085

Christian Heimes (1)

Florence Blanc-Renaud (14)

  • ipatests: fix wrong condition in xfail_context for auto private grp commit #9141

  • ipatests: Fix a call to run_command with wildcard commit #8506

  • ipatests: remove certmonger tracking before uninstall commit #9123

  • ipatests: add missing test in the nightly defs commit

  • Commit template: use either Fixes or Related commit

  • ipatests: update images for f34 and f35 commit #9051, #9069

  • ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus commit #8582, #9099

  • ipatests: fix expected automount config in nsswitch.conf commit #9067

  • ipatests: update images for f34 and f35 commit #9087

  • config plugin: add a test ensuring EmptyModlist is returned commit #9063

  • Config plugin: return EmptyModlist when no change is applied commit #9063

  • automember default group: remove --desc parameter commit #9068

  • ipatests: update images for f34 and f35 commit #8865, #9024

  • ipatests: fix TestOTPToken::test_check_otpd_after_idle_timeout commit #9044

Francisco Trivino (3)

  • Set AES as default for KRA archival wrapping commit #6524

  • ipa_cldap: fix memory leak commit #9110

  • Custodia: use a stronger encryption algo when exporting keys commit #9101

Fraser Tweedale (1)

  • allow overriding systemd-tmpfiles program commit #9126

jh23453 (1)

  • Remove deprecation warning when installing a CA replica commit

Julien Rische (2)

  • ipatests: add case for hardened-only ticket policy commit

  • ipa-kdb: do not remove keys for hardened auth-enabled users commit #8001, #9065

Michal Polovka (2)

  • ipatests: webui: Use safe-loader for loading YAML configuration file commit #9009

  • pr-ci definitions: add web-ui subid-related jobs commit #8361

Mohammad Rizwan (8)

  • ipatests: extend find_segment with suffix param commit

  • ipatests: fix the topologysegment-reinitialize command commit #9137

  • ipatests: Check maxlife error message where minlife > maxlife specified commit #9038

  • Test ipa-ccache-sweep.timer enabled by default during installation commit #9107

  • PEP8 Fixes commit

  • Test cases for ipa-replica-conncheck command commit #9047

  • ipatests: Test empty cert request doesn’t force certmonger to segfault commit

  • ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica teardown commit #9052

Rob Crittenden (11)

  • Remove the --no-sssd option from ipa-client-automount commit #7671, #9084

  • Convert values using _SYNTAX_MAPPING with --delattr commit #9004

  • ipatests: Give the subCA more time to be loaded by the CA commit #9096

  • Strip off trailing period of a user-provided FQDN in installer commit #9111

  • Verify the user-provided hostname in the server installer commit #9111

  • ipa-restore: Mark a restored server as enabled commit #9095

  • Set the mode on ipaupgrade.log during RPM %post snippet commit #8899

  • ipatests: Remove certmonger tracking before uninstall in cert tests commit #8506

  • Enable the ccache sweep timer during installation commit #9107

  • Remove ipa-join errors from behind the debug option commit #9103

  • Don’t always override the port in import_included_profiles commit #9100

Sumit Bose (2)

Stanislav Levin (34)

Sumedh Sidhaye (3)

  • Added nightly job definitions commit

  • Added test automation for SHA384withRSA CSR support commit #8906

  • Extend test to see if replica is not shown when running `ipa-replica-manage list -v` commit #8605

Sudhir Menon (1)

  • ipatests: Test for pki.server.healthcheck.clones.connectivity_and_data commit

Timo Aaltonen (7)

  • configure: Use HTTPD_GROUP in init/tmpfiles/ipa.conf.in commit #9014

  • ipaplatform: Modify paths to fips-mode-setup and systemd-tmpfiles commit

  • ipatests/test_ipaplatform: Skip test_ipa_version on Debian commit

  • ipaplatform/debian: Fix ntpd service name commit

  • ipaplatform/debian: Fix named keytab name commit

  • ipaplatform: Add support for recognizing systemd-timesyncd commit

  • ipaplatform/debian: Fix HTTPD_ALIAS_DIR, and drop some obsolete paths. commit