FreeIPA 4.9.13#

The FreeIPA team would like to announce FreeIPA 4.9.13 release!

It can be downloaded from Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.9.13#

  • 9289: Configure server affinity during replica installation

    Replica installation process now happens against a chosen server, not only for Kerberos authentication but also for all IPA API and CA requests. This helps to avoid incomplete replicated details when adding a new replica to a complex topology.

  • 9331: Better handling of the command line and web UI cert search and/or list features

    cert-find performance was improved dramatically when a large number of certificates are returned by changing the method IPA uses internally to parse results from the CA.

  • 9378: [RFE] Descriptive error message in ipa user-add

    The commands `ipa user-add` or `ipa group-add` validate the format of the user/group name and display an error message. In this release, the message is expanded for better clarity.

  • 9402: OTP authentication failure on s390x

    Correct endianness issue that affected 2FA tokens use case for IPA server running on a mainframe (S390x architecture).

  • 9422: Interrupt request processing in ipadb_fill_info3() if connection to 389ds is lost

    Adjust error handling in MS-PAC processing code under high load. The fix should address krb5kdc crashes in a situation when a connection to LDAP server is severed.

  • 9427: RHEL 8.8 & 9.2 fails to create AD trust with STIG applied

    Make sure SSSD enables nss and pam services in all circumstances, even when existing SSSD configuration is present during deployment. In environments hardened with a STIG profile this fixes support for a trust to Active Directory .

  • 9433: ipa user-mod –idp-user-id fails with: attribute “ipaIdpSub” not allowed

    Allow to create user accounts with external IdP reference pre-defined.

  • 9448: FreeIPA 4.9 KDB rejects FreeIPA 4.10 KDB-issued evidence ticket in S4U processing

    Downstream only: coordinate fixes to MIT Kerberos 1.18 and FreeIPA 4.9 to allow interoperability with MIT Kerberos 1.20 or later which removed AD-SIGNTICKET support. MS-PAC information is required for S4U Kerberos extension to operate but older MIT Kerberos version expect AD-SIGNTICKET buffer as well. With this change tickets issued by FreeIPA using AD-SIGNTICKET-free code are accepted by older FreeIPA KDCs for S4U extensions as long as they contain MS-PAC buffers.

Bug fixes#

FreeIPA 4.9.13 is a stabilization release for the features delivered as a part of 4.9 version series.

There are more than 30 bug-fixes since FreeIPA 4.9.12 release. Details of the bug-fixes can be seen in the list of resolved tickets below.


Upgrade instructions are available on Upgrade page.


Please provide comments, bugs and other feedback via the freeipa-users mailing list ( or #freeipa channel on

Resolved tickets#

  • #8878 (rhbz#1821181, rhbz#2229712) Prevent deletion of ‘admin’ account with web UI

  • #8941 Usage of `/usr/bin/env` in Python scripts

  • #8990 ipa group-mod should fail properly with –posix and –external options

  • #9003 ipa-server-install not validating hostname != domain

  • #9086 Have ipa-client-install additionally disable the unscd service if using SSSD

  • #9124 Nightly test failure in

  • #9267 (rhbz#2188567) Unconditionally adding ‘includedir /var/lib/sss/pubconf/krb5.include.d’ to /etc/krb5.conf break Java’s ability to parse krb5.conf

  • #9289 (rhbz#2149344) Configure server affinity during replica installation

  • #9297 Minimum length parameter in pwpolicy cannot be removed with empty string.

  • #9317 Distinguish between different location meaning

  • #9331 (rhbz#2164349) Better handling of the command line and web UI cert search and/or list features

  • #9378 (rhbz#2150217) [RFE] Descriptive error message in ipa user-add

  • #9379 Test failure in

  • #9381 (rhbz#2215336) Race condition in ipa-server-upgrade where pki-tomcat needs dirsrv while it’s stopped

  • #9383 Random nightly test failure in

  • #9385 (rhbz#2216549) Upgrade to 4.9.10-6.0.1 fails: attributes are managed by topology plugin

  • #9389 Nightly test failure in test_webui_service

  • #9395 Search for user by krbPrincipalExpiration not returning results

  • #9396 Renaming user or group with –setattr does not check supported formats

  • #9397 automountlocation-tofiles is not working after removing indirect automount map.

  • #9402 (rhbz#2216872) OTP authentication failure on s390x

  • #9403 (rhbz#2209636) libipa_otp_lasttoken plugin memory leak

  • #9415 Nightly test failure in test_integration/

  • #9416 (rhbz#2224570) Better error description when managing a user with ‘–idp’

  • #9418 Typo in “Subordinate ID Selfservice User” role

  • #9422 (rhbz#2214638, rhbz#2227831, rhbz#2227832) Interrupt request processing in ipadb_fill_info3() if connection to 389ds is lost

  • #9427 (rhbz#2216532) RHEL 8.8 & 9.2 fails to create AD trust with STIG applied

  • #9431 Covscan issues: deadcode and Use after free

  • #9433 (rhbz#2234480) ipa user-mod –idp-user-id fails with: attribute “ipaIdpSub” not allowed

  • #9446 (rhbz#2149344) Nightly test failure for replica installation with –setup-ca

  • #9448 FreeIPA 4.9 KDB rejects FreeIPA 4.10 KDB-issued evidence ticket in S4U processing

  • #9449 Squished FreeIPA favicon

Detailed changelog since 4.9.12#

Alexander Bokovoy (4)#

  • Azure CI: increase memory for forced reenrollment test commit

  • Increase memory usage for Azure CI upgrade test commit

  • support more DateTime attributes in LDAP searches in IPA API commit #9395

  • ipalib/ Add signature_algorithm_parameters commit

Alexandra Nikandrova (1)#

  • doc: typo in commit

Anuja More (1)#

  • ipatests: Check that SSSD_PUBCONF_KRB5_INCLUDE_D_DIR is not included in krb5.conf commit #9267

Antonio Torres (1)#

  • Back to git snapshots commit

Erik Belko (1)#

  • test: add tests for descriptive error message in ipa user-add commit #9378

Florence Blanc-Renaud (19)#

  • ipatests: fix test_ipactl_scenario_check commit #9415

  • Covscan issues: Use after free commit #9431

  • idp: add the ipaidpuser objectclass when needed commit #9433

  • Installer: activate nss and pam services in sssd.conf commit #9427

  • ipatests: fix test_topology commit

  • ipatests: update expected webui msg for admin deletion commit #8878

  • xmlrpc tests: add a test for user plugin with non-existing idp commit #9416

  • User plugin: improve error related to non existing idp commit #9416

  • OTP: fix data type to avoid endianness issue commit #9402

  • Integration tests: add a test to ipa-server-upgrade commit #9385

  • Upgrade: fix replica agreement commit #9385

  • Integration test: add a test for upgrade and PKI drop-in file commit #9381

  • Upgrade: add PKI drop-in file if missing commit #9381

  • xmlrpc tests: add test renaming user or group with setattr commit #9396

  • User and groups: rename with –setattr must check format commit #9396

  • webuitests: close notification which hides Add button commit #9389

  • ipatest: remove xfail from test_smb commit #9124

  • ACME tests: fix issue_and_expire_acme_cert method commit #9383

  • user or group name: explain the supported format commit

Francisco Trivino (1)#

  • Workshop: fix broken Sphinx cross-references. commit

Julien Rische (2)#

  • ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older commit #9448

  • ipa-kdb: fix error handling of is_master_host() commit #9422

Mohammad Rizwan (2)#

  • ipatests: restart ipa services after moving date commit #9379

  • ipatests: enable firewall rule for http service on acme client commit

Rob Crittenden (14)#

  • Allow password policy minlength to be removed like other values commit #9297

  • Don’t assume KRB5CCNAME is in the environment in replica install commit #9446

  • Configure affinity during server installation commit #9289

  • Remove all references to deleted indirect map from parent map commit #9397

  • Prevent the admin user from being deleted commit #8878

  • Fix memory leak in the OTP last token plugin commit #9403

  • Differentiate location meaning between host and server commit #9317

  • Use the python-cryptography parser directly in cert-find commit #9331

  • Revert “cert_find: fix call with –all” commit #9331

  • Revert “Use the OpenSSL certificate parser in cert-find” commit #9331

  • Don’t allow the FQDN to match the domain on server installs commit #9003

  • Don’t allow a group to be converted to POSIX and external commit #8990

  • Replace usage of #!/usr/bin/env python3 with #!/usr/bin/python3 commit #8941

  • Mention in ipa-client-install that nscd is disabled commit #9086

Rafael Guterres Jeffman (1)#

  • Fix typo in “Subordinate ID Selfservice User” role commit #9418

Sudhir Menon (1)#

  • ipatests: Skip the test failing due to FIPS policy commit

Viktor Ashirov (1)#