FreeIPA 4.8.9 release notes

The FreeIPA team would like to announce FreeIPA 4.8.9 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.8.9

5011: [RFE] Forward CA requests to dogtag or helper by GSSAPI

7137: [RFE]: Able to browse different links from IPA web gui in new tabs

8129: Tests: Replace paramiko with OpenSSH

: Paramiko is not compatible with FIPS mode, therefore convert most tests to using ssh directly. The only non-converted test is the 2-prompt OTP test because sshpass does not support 2-prompt password authentication ( https://pagure.io/freeipa/issue/8431 ).

8151: test_commands timing-out

: Re-enable test_sss_ssh_authorizedkeys ; add -v to ssh in order to get debug information if this test fails or stalls again. The test was run 16 times without a failure before re-enabling it.

8189: NIghtly test failure in test_integration/test_nfs.py::TestIpaClientAutomountFileRestore::test_nsswitch_backup_restore_sssd

: Previously, ipa-client-installation saved the pre-install state using "authselect current" command and the uninstallation reverted to the same authselect state. In cases where the system was installed using authconfig instead of authselect, the uninstallation was unable to revert to the same state and picked "sssd"'s authselect profile instead. Now, the client installation relies on the backup functionality of authselect and is able to revert to the exact pre-install state

8304: [fed32] client-install does not properly set ChallengeResponseAuthentication yes in sshd conf

: ipa-client-installation now writes the sshd configuration to the drop-in directory /etc/ssh/sshd_config.d/, in the 04-ipa.conf snippet, thus ensuring that the setting "ChallengeResponseAuthentication yes" take precedence.

8335: [WebUI] manage IPA resources as a user from a trusted Active Directory domain

: When users from trusted Active Directory domains have permissions to manage IPA resources, they can do so through a Web UI management console.

8374: EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in freeipa-client-epn

: EPN did not ship any configuration file. This was an oversight, but the tool itself would work fine as it had sane defaults ; moreover, the man page for the configuration file was present.

8391: Remove dnf workaround from test_epn.y

: The new PR-CI images are cleaner and do not need the *epn* packages to be uninstalled/reinstalled.

8401: Create platform definitions for freeipa-container

: ipaplatform now provides container platform flavors for freeipa/freeipa-container

8432: test failure in test_commands.py::TestIPACommand::test_login_wrong_password: AssertionError

: Sometimes test_login_wrong_password fails because the log window the string message is searched in is too narrow. Broaden the window by looking at the past 10 seconds.

8444: EPN: enhance input validation

: Various input validation checks were added to EPN.

8445: EPN: '[Errno 111] Connection refused' when the SMTP is down

: EPN now displays a proper message if the configured SMTP server cannot be contacted.

8449: EPN: enhance CLI option tests

: EPN: enhance existing tests for --dry-run, --from-nbdays and --to-nbdays.

Enhancements

Known Issues

Bug fixes

FreeIPA 4.8.9 is a stabilization release for the features delivered as a part of 4.8 version series.

There are more than 50 bug-fixes details of which can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.

Resolved tickets

#5011 (rhbz#1527185) [RFE] Forward CA requests to dogtag or helper by GSSAPI
#5628 webui: Unclear(UX) purpose of OTP field in password reset form on login
#7137 (rhbz#1484088) [RFE]: Able to browse different links from IPA web gui in new tabs
#8129 Tests: Replace paramiko with OpenSSH
#8151 test_commands timing-out
#8189 (rhbz#1810179) NIghtly test failure in test_integration/test_nfs.py::TestIpaClientAutomountFileRestore::test_nsswitch_backup_restore_sssd
#8300 Replace uglify-js with python3-rjsmin
#8304 [fed32] client-install does not properly set ChallengeResponseAuthentication yes in sshd conf
#8326 CVE-2020-10747
#8335 [WebUI] manage IPA resources as a user from a trusted Active Directory domain
#8336 [WebUI] "User attributes for SMB services" section always shown
#8364 Nightly test failure while establishing trust: Cannot find specified domain or server name
#8366 CA-less replica deployment fails with --setup-ca
#8367 IPA-EPN fails to build in ONLY_CLIENT mode
#8368 (rhbz#1846349) cannot issue certs with multiple IP addresses corresponding to different hosts
#8369 cert_find returns "CA not configured" in CA-less install
#8370 ipa-join does not set nshardwareplatform and nsosversion
#8371 Nightly test failure [testing_master_testing] in test_integration/test_idviews.py::TestCertsInIDOverrides
#8372 (rhbz#1849914) FreeIPA - Utilize 256-bit AJP connector passwords
#8374 (rhbz#1847999) EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in freeipa-client-epn
#8377 Nightly test failure (timeout) in test_caless_TestReplicaInstall
#8379 Nightly test failure [testing_master_pki] while installing CA replica
#8381 Nightly test failure in test_webui/test_loginscreen.py::TestLoginScreen::test_login_view
#8384 Provide reliable way to know if a server installation is complete
#8388 Make help() on plugins more useful
#8391 Remove dnf workaround from test_epn.y
#8395 selinux don't audit rules deny fetching trust topology
#8396 [WebUI] Font type of "Enabled" column in user search facet wrong
#8399 certmonger attempts to add LWCA tracking requests on non-CA server.
#8400 sshd template file is installed in a wrong (server) location while used by the client side
#8401 Create platform definitions for freeipa-container
#8403 Add option to add ipaapi user as an allowed uid for ifp in /etc/sssd/sssd.conf when running ipa-replica-install
#8407 Support changelog integrated into main database
#8412 (rhbz#1857157) AVC: httpd cannot connect to ipa-custodia.sock
#8413 Nightly test failure in test_integration/test_replica_promotion.py::TestUnprivilegedUserPermissions::test_sssd_config_allows_ipaapi_access_to_ifp
#8414 Nightly test failure in test_integration/test_replica_promotion.py::TestReplicaPromotionLevel1::test_sssd_config_allows_ipaapi_access_to_ifp
#8416 [WebUI] Error while adding user ID overrides to group
#8419 Azure is reporting a slew of new no-member lint errors
#8425 Nightly test failure in test_cert.test_cert.TestInstallMasterClient (certmonger timeout)
#8428 [ipatests] fails due to new python-cryptography 3.0
#8429 Add fips-mode-setup to ipaplatform.paths
#8432 test failure in test_commands.py::TestIPACommand::test_login_wrong_password: AssertionError
#8435 [ipatests] failures due to new Pytest6.0 (pypi part)
#8437 unit tests for ipa-extdom-extop are failing in Fedora 33
#8439 Nightly test failure in test_integration/test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring
#8440 (rhbz#1863616) CA-less install does not set required permissions on KDC certificate
#8441 (rhbz#1870202) File permissions of /etc/ipa/ca.crt differ between CA-ful and CA-less
#8442 [pylint] warnings/errors against pylint 2.5.3
#8444 (rhbz#1866291) EPN: enhance input validation
#8445 (rhbz#1863079) EPN: '[Errno 111] Connection refused' when the SMTP is down
#8447 Nightly test failure in test_integration/test_ipahealthcheck/TestIpaHealthCheckWithoutDNS
#8449 (rhbz#1866291) EPN: enhance CLI option tests
#8456 Need new aci's for the new replication changelog entries
#8459 [upgrade] handle missing openssh-clients
#8461 [ALTLinux] server uninstall error on missing /var/lib/samba
#8463 Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring
#8464 Increase replication changelog trimming interval

Detailed changelog since 4.8.8

Armando Neto (4)

ipatests: bump pr-ci templates commit
ipatests: bump pr-ci templates commit
ipatests: bump prci templates commit
ipatests: bump prci templates commit

Alexander Bokovoy (6)

extdom-extop: refactor tests to use unshare+chroot to override nss_files configuration commit #8437
selinux: support running ipa-custodia with PrivateTmp=yes commit #8395
selinux: allow oddjobd to set up ipa_helper_t context for execution commit #8395
Get back to git snapshots commit
Become FreeIPA 4.8.8 commit
VERSION: back to git snapshots commit

Anuja More (5)

ipatests: cleanup in test_subdomain_lookup_with_certmaprule_containing_dn commit
ipatests: xfail test with older versions of sssd commit
ipatests : Test to verify override_gid works with subdomain. commit
ipatests: xfail test with older versions of sssd commit
ipatests: Test that trusted AD users should not lose their AD domains. commit

Alexander Scheel (3)

Specify cert_paths when calling PKIConnection commit #8379
Configure PKI AJP Secret with 256-bit secret commit #8372
Clarify AJP connector creation process commit

Peter Keresztes Schmidt (7)

WebUI: Unify adapter property definition for state evaluators commit #8336
WebUI: Make object_class_evaluator evaluator compatible with batch responses commit #8336
Populate nshardwareplatform and nsosversion during join operation commit #8370
WebUI: Fix rendering of boolean_status_formatter commit #8396
Unify spelling of "One-Time Password" commit
WebUI: reword OTP info message displayed during PW reset commit #5628
WebUI: move OTP to be the last field in the PW reset form commit #5628

Christian Heimes (17)

Treat container subplatforms like main platform commit #8401
Don't configure authselect in containers commit #8401
Convert ipa-httpd-pwdreader into Python script commit #8401
Explicitly pass keytab to ipa-join commit
Write state dir to smb.conf commit #8401
Add ipaplatform for Fedora and RHEL container commit #8401
Allow to override ipaplatform with env var commit #8401
Teach pylint how dnspython 2.x works commit #8419
Add missing SELinux rule for ipa-custodia.sock commit #8412
Make tab completion in console more useful commit
Add __signature__ to plugins commit #8388
SELinux: Backport dirsrv_systemctl interface commit
RHEL 8.3 has KRB5 1.18 with KDB 8.0 commit
Use old uglifyjs on RHEL 8 commit #8300
Build ipa-selinux package on RHEL 8 commit
Prevent local account takeover commit #8326
Move ipa-epn systemd files and run RPM hooks commit #8367

François Cami (28)

IPA-EPN: enhance input validation commit #8444
ipatests: test_epn: update error messages commit #8449
IPA-EPN: Fix SMTP connection error handling commit #8445
ipatests: test_epn: add test_EPN_connection_refused commit #8445
IPA-EPN: fix configuration file typo commit
IPA-EPN: Use a helper to retrieve LDAP attributes from an entry commit
ipatests: test_epn: test_EPN_nbdays enhancements commit #8449
ipatests: tasks.py: fix ipa-epn invocation commit #8449
ipatests: test_otp: convert test_2fa_enable_single_prompt to run_ssh_cmd commit #8129
ipatests: ui_driver: convert run_cmd_on_ui_host to tasks.py::run_ssh_cmd commit #8129
ipatests: test_commands: test_login_wrong_password: Paramiko=>OpenSSH commit #8129
ipatests: test_commands: test_ssh_from_controller: Paramiko=>OpenSSH commit #8129
ipatests: test_commands: test_ssh_from_controller: refactor commit #8129
ipatests: test_user_permissions: test_selinux_user_optimized Paramiko=>OpenSSH commit #8129
ipatests: test_commands: test_ssh_key_connection: Paramiko=>OpenSSH commit #8129
tasks: add run_ssh_cmd commit #8129
ipatests: test_commands: test_login_wrong_password: look farther in time commit #8432
ipatests: test_sss_ssh_authorizedkeys commit #8151
ipatests: re-enable test_sss_ssh_authorizedkeys commit #8151
ipatests: xfail TestIpaClientAutomountFileRestore's final test commit #8189
ipatests: remove dnf workaround from test_epn.py commit #8391
ipatests: display SSSD kdcinfo in test_adtrust_install.py commit
ipatests: increase test_caless_TestReplicaInstall timeout commit #8377
ipatests: ipa_epn: uninstall/reinstall ipa-client-epn commit #8374
ipatests: check that EPN's configuration file is installed. commit #8374
man pages: fix epn.conf.5 and ipa-epn.1 formatting commit
EPN: ship the configuration file. commit #8374
.mailmap: add fcami commit

Florence Blanc-Renaud (20)

ipatests: remove xfail from test_dnssec commit
ipatests: fix TestIpaHealthCheckWithoutDNS failure commit #8447
ipatests: fix test_ipahealthcheck.py::TestIpaHealthCheck commit #8439
ipatests: increase test_trust timeout commit
ipatests: check KDC cert permissions in CA less install commit #8440
CAless installation: set the perms on KDC cert file commit #8440
ipatests: fix test_authselect commit #8189
ipatests: remove the xfail for test_nfs.py commit #8189
ipa-client-install: use the authselect backup during uninstall commit #8189
ipatests: Fix TestReplicaPromotionLevel1 commit #8414
ipatests: fix TestUnprivilegedUserPermissions commit #8413
sshd template must be part of client package commit #8400
Bump requires for selinux-policy commit
ipatests: fix the method adding ifp to sssd.conf commit #8371
Unify spelling of "One-Time Password" (take 2) commit #5628, #8381
client install: fix broken sshd config commit #8304
ipa-client-install: use sshd drop-in configuration commit #8304
ipatests: add a test for ipa-replica-install --setup-ca --http-cert-file commit #8366
ipa-replica-install: --setup-ca and *-cert-file are mutually exclusive commit #8366
ipatests: fix the disable_dnssec_validation method commit #8364

Fraser Tweedale (5)

certupdate: only add LWCA tracking requests on CA servers commit #8399
cainstance.is_crlgen_enabled: handle missing ipa-pki-proxy.conf commit
Define errors_by_code in ipalib.errors commit #5011
fix iPAddress cert issuance for >1 host/service commit #8368
fix cert-find errors in CA-less deployment commit #8369

Jeremy Frasier (2)

replica: Add tests to ensure the ipaapi user is allowed access to ifp on replicas commit #8403
replica: Ensure the ipaapi user is allowed to access ifp on replicas commit #8403

Kaleemullah Siddiqui (1)

Tests for fake_mname parameter setup commit

Michal Polovka (2)

ipatests: test_epn: test_EPN_config_file: Package name fix commit
ipatests: test_epn: Fix package installation commit

Mark Reynolds (3)

Increase replication changelog trimming to 30 days commit #8464
Issue 8456 - Add new aci's for the new replication changelog entries commit #8456
Issue 8407 - Support changelog integration into main database commit #8407

Mohammad Rizwan (3)

ipatests: Test certmonger rekey command works fine commit
Xfail test for sssd < 2.3.0 commit
ipatests: Test ipa user login with wrong password commit

Petr Voborník (2)

baseuser: fix ipanthomedirectorydrive option name commit
webui: hide user attributes for SMB services section if empty commit #8336

Rob Crittenden (23)

ipatests: stop the CA during healthcheck expiration test commit #8463
Improve performance of ipa-server-guard commit #8425
IPA-EPN: Test that EPN can be install, uninstalled and re-installed commit
Added negative test case for --list-sources option commit
ipatests: CLI validation of ipa-healthcheck command commit
IPA-EPN: Test that users without givenname and/or mail are handled commit
Address legacy pylint issues in sysrestore.py commit #8384
Update check_client_configuration to use new client fact commit #8384
Don't use the has_files() to know if client/server is configured commit #8384
Create a common place to retrieve facts about an IPA installation commit #8384
Simplify determining if IPA client configuration is complete commit #8384
Simplify determining if an IPA server installation is complete commit #8384
ipatests: Check permissions of /etc/ipa/ca.crt new installations commit #8441
Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations commit #8441
ipatests: Test healthcheck revocation checker commit
ipatests: Use healthcheck namespacing in stopped server test commit
ipatests: lib389 is now providing healthchecks, update naming commit
ipatests: Add healthcheck test for FileSystemSpaceCheck commit
ipatests: verify that all services can be detected by healthcheck commit
ipatests: Test that healthcheck detects and reports expiration commit
ipatests: Test cases for healthcheck File checker(s) commit
Replace SSLCertVerificationError with CertificateError for py36 commit
Add fips-mode-setup to ipaplatform.paths to determine FIPS status commit #8429

Stanislav Levin (9)

spec: Move ipa-cldap plugin out to freeipa-server-trust-ad package commit
uninstall: Clean up no longer used flag commit #8461
uninstall: Don't fail on missing /var/lib/samba commit #8461
rpm-spec: Don't fail on missing /etc/ssh/ssh_config commit #8459
ipatests: Skip keyring tests on containerized platforms commit
Azure: Switch to dockerhub provider commit
ipatests: Add compatibility against python-cryptography 3.0 commit #8428
pylint: Fix warning and error commit #8442
ipatests: Don't turn Pytest IPA deprecation warnings into errors commit #8435

Sergey Orlov (1)

Fix password file permission commit

Serhii Tsymbaliuk (5)

WebUI tests: Add test case to cover user ID override feature commit #8416
WebUI: Fix error "unknown command 'idoverrideuser_add_member'" commit #8416
WebUI tests: Change navigation tests to find menu items using data-name instead of href commit #7137
WebUI: Fix issue with opening links in new tab/window commit #7137
WebUI: Fix "IPA Error 3007: RequirmentError" while adding idoverrideuser association commit #8335

sumenon (9)

Modified YAML files to include healthcheck externalCA tests commit
ipatests: Tests for ipahealthcheck tool with IPA external commit
ipatests: Test IPACertNSSTrust check when trust attributes is modified for specific cert commit
ipatests: Test to check IPACAChainExpirationCheck when IPA cacrt is renamed commit
ipatests: Increase timeout value in test_getcert_list_profile_using_subca commit
ipatests: Test for ipa-nis-manage CLI tool. commit
ipatests: Tests to check profile is displayed for getcert request. commit
Modified YAML to include healthcheck IPA-AD trust scenario commit
ipatests: Tests to check ipahealthcheck tool with IPA-AD trust scenario commit

Zdenek Pytela (1)

Allow ipa-adtrust-install restart sssd and dirsrv services commit