FreeIPA 4.9.1 final release notes

The FreeIPA team would like to announce the FreeIPA 4.9.1 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.9.1

  • 3226: [RFE] ipa sudorule-add-user should accept more types of characters
IPA now supports adding users and groups from trusted Active Directory domains to SUDO rules directly, both as rule members and in the runAsUser/runAsGroup properties, without an intermediate non-POSIX group membership.

  • 7599: Leading / trailing white spaces in password are disallowed
Leading and trailing whitespace in passwords set through IPA commands is now allowed; it was already accepted via Kerberos and LDAP.

  • 7676: ipa-client-install changes system wide ssh configuration
The ProxyCommand wrapper in the SSH client configuration is now skipped when the user's shell is configured as /sbin/nologin, so that automated tools operate as expected.

  • 8528: Use separate logs for AD Trust and DNS installer
ipa-adtrust-install and ipa-dns-install commands now log their activity into separate log files.

  • 8618: ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg
The ipa-cert-fix tool now handles situations where a CSR is missing from Dogtag's CA/KRA CS.cfg configuration files: the configuration file is updated with the CSR tracked by Certmonger.

  • 8634: Install of CA fails on CentOS 8 Stream with pki-core 10.9
IPA will not deploy the ACME service if the Dogtag PKI version is known not to provide a complete service. Complete ACME support requires Dogtag 10.10.0 or later.

  • 8635: Memory availability detection does not work with cgroupsv2 environment
Containerized environments on Linux with cgroup v2 are now recognized and supported.

  • 8644: ipa-certupdate drops profile from the caSigningCert tracking
The ipa-certupdate tool now honors the CA profile specified in the certificate request it updates.

  • 8646: permission-mod attrs, includedattrs and excludedattrs issues
Managed permission commands now properly roll back changes if a generated ACI has incorrect syntax.

  • 8655: Allow to establish trust to Active Directory in FIPS mode
When IPA is deployed in FIPS mode, it is now possible to establish trust to an Active Directory forest.

  • 8659: ipa-kdb: provide correct logon time in MS-PAC from authentication time
Trust to Active Directory support was improved to be more compatible with AD DC queries: group lookups via LSA RPCs, user principal name lookups, and more complete PAC record generation.

Enhancements

Known Issues

Bug fixes

FreeIPA 4.9.1 is a stabilization release for the features delivered as a part of 4.9 version series.

There are more than 30 bug fixes since the FreeIPA 4.9.1 release. Details of the bug fixes can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on the Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or the #freeipa channel on Freenode.

Resolved tickets

  • #3226 (rhbz#871208) [RFE] ipa sudorule-add-user should accept more types of characters
  • #7599 (rhbz#1593745) Leading / trailing white spaces in password are disallowed
  • #7676 (rhbz#1544379) ipa-client-install changes system wide ssh configuration
  • #8501 Unify how FreeIPA gets FQDN of current host
  • #8508 Nightly failure (ipa-4-8/master, enforcing mode) in ipa trust-add
  • #8519 Fedora container platform is incomplete
  • #8524 (rhbz#1851835) Deploy & manage the ACME service topology wide from a single system
  • #8528 Use separate logs for AD Trust and DNS installer
  • #8576 (rhbz#1728015) ipasam: derive parent domain for subdomains automatically
  • #8584 ACME communication with dogtag REST endpoints should be using the cookie it creates
  • #8589 (rhbz#1812871) Intermittent IdM Client Registration Failures
  • #8596 (rhbz#1895197) improve IPA PKI susbsystem detection by other means than a directory presence, use pki-server subsystem-find
  • #8602 Nightly failure in test_acme.py::TestACME::test_certbot_certonly_standalone: An unexpected error occurred:
  • #8614 Remove ca.crt from the system-wide store on uninstall
  • #8618 (rhbz#1780782) ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg
  • #8631 Nightly failure (389ds master branch) in test_commands.py::TestIPACommand::test_ipa_nis_manage_enable_incorrect_password
  • #8634 (rhbz#1913089) Install of CA fails on CentOS 8 Stream with pki-core 10.9
  • #8635 Memory availability detection does not work with cgroupsv2 environment
  • #8644 (rhbz#1912845) ipa-certupdate drops profile from the caSigningCert tracking
  • #8646 permission-mod attrs, includedattrs and excludedattrs issues
  • #8650 Updated dnspython-2.1.0 causes a test failure
  • #8653 Nightly test failure in test_integration/test_upgrade.py::TestUpgrade::()::test_kra_detection
  • #8655 (rhbz#1860129) Allow to establish trust to Active Directory in FIPS mode
  • #8656 Use client keytab for 389ds
  • #8658 Value stored to 'krberr' is never read in ipa-rmkeytab.c
  • #8659 ipa-kdb: provide correct logon time in MS-PAC from authentication time
  • #8660 ipasam: implement PASSDB getgrnam call
  • #8661 ipasam: allow search of users by user principal name (UPN)
  • #8662 Nightly test failure (rawhide) in test_ipahealthcheck.py::TestIpaHealthCheckFileCheck::test_ipa_filecheck_bad_owner
  • #8664 Nightly test failure (fed33, rawhide) in ipa trust-add --external=True
  • #8668 (rhbz#1915471) Nightly failure in (f33+updates-testing) test_trust.py::TestTrust::test_ipa_commands_run_as_aduser
  • #8670 Nightly failure (fed33) in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_encryption
  • #8674 test_ipahealthcheck divides KiB by 1000
  • #8678 Nightly failure (master) in test_trust.py::TestTrust::test_establish_forest_trust_with_shared_secret
  • #8682 [ipatests] TestIPACommand.test_login_wrong_password time to time fails

Detailed changelog since 4.9.1

Armando Neto (1)

  • ipatests: Update PR-CI definitions for ipa-4-9 commit

Alexander Bokovoy (30)

  • Become FreeIPA 4.9.1 commit
  • Force-update translation po/uk.po commit
  • Force-update translation po/ipa.pot commit
  • Force-update translation po/hu.po commit
  • Force-update translation po/de.po commit
  • Update contributors list commit
  • baseldap: allow rejecting unknown objects instead of adding to an external attr commit #3226
  • ipatests: when talking to AD DCs, use FQDN credentials commit #8678
  • test_trust: add tests for using AD users and groups in SUDO rules commit #3226
  • ipatests: fix test_sudorule_plugin's wrong argument use commit #3226
  • sudorule runAs: allow to add users and groups from trusted domains directly commit #3226
  • sudorule-add-user: allow to reference users and groups from trusted domains directly commit #3226
  • idviews: add extended validator for users from trusted domains commit #3226
  • baseldap: when adding external objects, differentiate between them and failures commit #3226
  • baseldap: refactor validator support in add_external_pre_callback commit #3226
  • Add design document for using AD users/groups in SUDO rules commit #3226
  • use a constant instead of /var/lib/sss/keytabs commit
  • trust-fetch-domains: use custom krb5.conf overlay for all trust operations commit #8655, #8664
  • ipaserver/dcerpc: store forest topology as a blob in ipasam commit #8576
  • ipasam: derive parent domain for subdomains automatically commit #8576
  • ipasam: free trusted domain context on failure commit #8576
  • ipasam: allow search of users by user principal name (UPN) commit #8661
  • ipasam: implement PASSDB getgrnam call commit #8660
  • ipa-kdb: provide correct logon time in MS-PAC from authentication time commit #8659
  • ipaserver/dcerpc.py: enforce SMB encryption on LSA pipe if available commit #8655
  • ipaserver/dcerpc.py: use Kerberos authentication for discovery commit #8655
  • ipaserver/dcerpc: use Samba-provided trust helper to establish trust commit #8655
  • ipatests: fix race condition in finalizer of encrypted backup test commit
  • ipaplatform: add constant for systemd-run binary commit
  • Get back to git snapshots commit

Antonio Torres (2)

  • Check that IPA cert is added to trust store after server install commit #8614
  • Test that IPA certs are removed on server uninstall commit #8614

Antonio Torres Moríñigo (2)

  • ipatests: test that trailing/leading whitespaces in passwords are allowed commit
  • Allow leading/trailing whitespaces in passwords commit #7599

Christian Heimes (1)

François Cami (1)

  • ipatests: test_ipahealthcheck: fix units commit #8674

Florence Blanc-Renaud (12)

  • ipatests: fix discrepancies in nightly defs commit
  • ipatests: fix expected output for ipahealthcheck.ipa.files commit #8662
  • ipatests: fix healthcheck test for ipahealthcheck.ds.encryption commit #8670
  • ipatests: fix expected errmsg in TestTrust::test_ipa_commands_run_as_aduser commit #8668
  • ipatest: fix test_upgrade.py::TestUpgrade::()::test_kra_detection commit #8596, #8653
  • selinux: modify policy to allow one-way trust commit #8508
  • ipatests: add test_ipa_cert_fix to the nightly definitions commit #8618
  • ipa-cert-fix: do not fail when CSR is missing from CS.cfg commit #8618
  • ipatests: add a test for ipa-cert-fix commit #8618
  • ipatests: clear initgroups cache in clear_sssd_cache commit
  • ipatests: remove test_acme from gating commit #8602
  • ipatests: fix expected error message in test_commands commit #8631

JoeDrane (1)

Rob Crittenden (16)

  • ipatests: test the cgroup v2 memory restrictions commit #8635
  • Add support for cgroup v2 to the installer memory checker commit #8635
  • ipa-rmkeytab: Check return value of krb5_kt_(start|end)_seq_get commit #8658
  • ipa-rmkeytab: convert numeric return values to #defines commit #8658
  • ipa_pwd: Remove unnecessary conditional commit
  • ipa_kdb: Fix memory leak commit
  • ipa-kdb: Fix logic to prevent NULL pointer dereference commit
  • ipa-kdb: Change mspac base RID logic from OR to AND commit
  • Add missing break statement to password quality switch commit
  • Revert "Remove test for minimum ACME support and rely on package deps" commit #8634
  • ipatests: See if nologin supports -c before asserting message commit #7676
  • ipatests: test that modifying a permission attrs handles failure commit #8646
  • Remove virtual attributes before rolling back a permission commit #8646
  • Remove invalid test case for DNS SRV priority commit #8650
  • ipatests: test that no errors are reported after ipa-certupdate commit #8644
  • Don't change the CA profile when modifying request in ipa_certupdate commit #8644

Robbie Harwood (1)

Stanislav Levin (2)

  • ipatests: Don't assume sshd flush its logs immediately commit #8682
  • ipatests: Raise log level of 389-ds replication commit

Sergey Orlov (2)

  • ipatests: use fully qualified name for AD admin when establishing trust commit
  • ipatests: do not set dns_lookup to true commit

Sudhir Menon (2)

  • ipatests: Test for IPATrustControllerPrincipalCheck commit
  • ipatests: ipahealthcheck remove test skipped in pytest run commit