The FreeIPA team would like to announce FreeIPA 4.9.13 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
Highlights in 4.9.13#
9289: Configure server affinity during replica installation
Replica installation process now happens against a chosen server, not only for Kerberos authentication but also for all IPA API and CA requests. This helps to avoid incomplete replicated details when adding a new replica to a complex topology.
9331: Better handling of the command line and web UI cert search and/or list features
cert-find performance was improved dramatically when a large number of certificates are returned by changing the method IPA uses internally to parse results from the CA.
9378: [RFE] Descriptive error message in ipa user-add
The commands `ipa user-add` or `ipa group-add` validate the format of the user/group name and display an error message. In this release, the message is expanded for better clarity.
9402: OTP authentication failure on s390x
Correct endianness issue that affected 2FA tokens use case for IPA server running on a mainframe (S390x architecture).
9422: Interrupt request processing in ipadb_fill_info3() if connection to 389ds is lost
Adjust error handling in MS-PAC processing code under high load. The fix should address krb5kdc crashes in a situation when a connection to LDAP server is severed.
9427: RHEL 8.8 & 9.2 fails to create AD trust with STIG applied
Make sure SSSD enables nss and pam services in all circumstances, even when existing SSSD configuration is present during deployment. In environments hardened with a STIG profile this fixes support for a trust to Active Directory .
9433: ipa user-mod –idp-user-id fails with: attribute “ipaIdpSub” not allowed
Allow to create user accounts with external IdP reference pre-defined.
9448: FreeIPA 4.9 KDB rejects FreeIPA 4.10 KDB-issued evidence ticket in S4U processing
Downstream only: coordinate fixes to MIT Kerberos 1.18 and FreeIPA 4.9 to allow interoperability with MIT Kerberos 1.20 or later which removed AD-SIGNTICKET support. MS-PAC information is required for S4U Kerberos extension to operate but older MIT Kerberos version expect AD-SIGNTICKET buffer as well. With this change tickets issued by FreeIPA using AD-SIGNTICKET-free code are accepted by older FreeIPA KDCs for S4U extensions as long as they contain MS-PAC buffers.
FreeIPA 4.9.13 is a stabilization release for the features delivered as a part of 4.9 version series.
There are more than 30 bug-fixes since FreeIPA 4.9.12 release. Details of the bug-fixes can be seen in the list of resolved tickets below.
Upgrade instructions are available on Upgrade page.
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://email@example.com/) or #freeipa channel on libera.chat.
#8941 Usage of `/usr/bin/env` in Python scripts
#8990 ipa group-mod should fail properly with –posix and –external options
#9003 ipa-server-install not validating hostname != domain
#9086 Have ipa-client-install additionally disable the unscd service if using SSSD
#9124 Nightly test failure in test_smb.py::TestSMB::test_smb_service_s4u2self
#9297 Minimum length parameter in pwpolicy cannot be removed with empty string.
#9317 Distinguish between different location meaning
#9379 Test failure in test_ipa_cert_fix.py::TestCertFixReplica::test_renew_expired_cert_replica
#9383 Random nightly test failure in test_acme.py::TestACMEPrune::test_prune_cert_manual
#9389 Nightly test failure in test_webui_service
#9395 Search for user by krbPrincipalExpiration not returning results
#9396 Renaming user or group with –setattr does not check supported formats
#9397 automountlocation-tofiles is not working after removing indirect automount map.
#9415 Nightly test failure in test_integration/test_installation.py::TestInstallMaster::test_ipactl_scenario_check
#9418 Typo in “Subordinate ID Selfservice User” role
#9431 Covscan issues: deadcode and Use after free
#9448 FreeIPA 4.9 KDB rejects FreeIPA 4.10 KDB-issued evidence ticket in S4U processing
#9449 Squished FreeIPA favicon
Detailed changelog since 4.9.12#
Alexander Bokovoy (4)#
Alexandra Nikandrova (1)#
doc: typo in basic_usage.md commit
Anuja More (1)#
Antonio Torres (1)#
Back to git snapshots commit
Erik Belko (1)#
Florence Blanc-Renaud (19)#
ipatests: fix test_topology commit
user or group name: explain the supported format commit
Francisco Trivino (1)#
Workshop: fix broken Sphinx cross-references. commit
Julien Rische (2)#
Mohammad Rizwan (2)#
Rob Crittenden (14)#
Rafael Guterres Jeffman (1)#
Sudhir Menon (1)#
ipatests: Skip the test failing due to FIPS policy commit