The FreeIPA team would like to announce the FreeIPA 4.9.1 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
Highlights in 4.9.1
Enhancements
- 3226: [RFE] ipa sudorule-add-user should accept more types of characters
  - Users and groups from trusted Active Directory domains can now be referenced directly as the runAsUser/runAsGroup of a SUDO rule, without routing them through an intermediate non-POSIX group membership
  - Users and groups from trusted Active Directory domains can now be added directly to a SUDO rule with ipa sudorule-add-user, again without an intermediate non-POSIX group membership
- 7599: Leading / trailing white spaces in password are disallowed
  - Leading and trailing whitespace in passwords set through IPA commands is now allowed; Kerberos and LDAP already permitted it.
- 7676: ipa-client-install changes system wide ssh configuration
  - The ProxyCommand wrapper in the SSH configuration is skipped when the user's shell is /sbin/nologin, so that automated tools operate as expected
- 8528: Use separate logs for AD Trust and DNS installer
  - ipa-adtrust-install and ipa-dns-install now log their activity into separate log files.
- 8618: ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg
  - ipa-cert-fix now handles the case where a CSR is missing from Dogtag's CA or KRA CS.cfg configuration file: the configuration file is updated with the CSR tracked by Certmonger.
- 8634: Install of CA fails on CentOS 8 Stream with pki-core 10.9
  - IPA will not deploy the ACME service if the installed Dogtag PKI version is known not to provide a complete service. Complete ACME support requires Dogtag 10.10.0 or later.
- 8635: Memory availability detection does not work with cgroupsv2 environment
  - Containerized environments on Linux with cgroup v2 are now recognized and supported by the installer's memory availability check.
- 8644: ipa-certupdate drops profile from the caSigningCert tracking
  - ipa-certupdate now honors the CA profile specified in the certificate request it updates
- 8646: permission-mod attrs, includedattrs and excludedattrs issues
  - Managed permission commands now properly roll back their changes if a generated ACI has incorrect syntax
- 8655: Allow to establish trust to Active Directory in FIPS mode
  - When IPA is deployed in FIPS mode, it is now possible to establish trust to an Active Directory forest.
- 8659: ipa-kdb: provide correct logon time in MS-PAC from authentication time
  - Trust to Active Directory was made more compatible with AD DC queries: groups are looked up via LSA RPCs, user principal name lookups are allowed, and the generated PAC record is more complete, including a logon time taken from the authentication time.
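The cgroup v2 item (8635) above concerns the installer's check that enough memory is really available before it starts deploying 389-ds and Dogtag; a wrong answer inside a container leads to an OOM-killed, half-configured server. As an added illustration of what such a check has to handle, and not FreeIPA's own implementation, the following Python reads the host's MemAvailable and caps it by whichever cgroup limit applies. The file paths, the 1.2 GB threshold, the treatment of the cgroup v1 "near LONG_MAX" value as unlimited, and all sample inputs are assumptions made for this example.

```python
"""Installer-style memory availability check aware of cgroup v1 and v2.

Added example for this release note; not FreeIPA's own code.
"""
from __future__ import annotations

from pathlib import Path
from typing import Optional

# Assumed layout: cgroup v2 unified hierarchy at /sys/fs/cgroup, cgroup v1
# memory controller at /sys/fs/cgroup/memory.
CGROUP_V2_LIMIT = Path("/sys/fs/cgroup/memory.max")
CGROUP_V1_LIMIT = Path("/sys/fs/cgroup/memory/memory.limit_in_bytes")
MEMINFO = Path("/proc/meminfo")

# Assumed threshold for illustration (roughly 1.2 GB in KiB).
MIN_INSTALL_KIB = 1_200_000

# cgroup v1 reports "no limit" as a huge page-aligned integer near LONG_MAX
# instead of the word "max"; this example treats anything >= 2**60 as unlimited.
V1_UNLIMITED_FLOOR = 1 << 60


def parse_cgroup_limit(text: str, version: int) -> Optional[int]:
    """Return the cgroup memory limit in bytes, or None when unlimited.

    v2: the file holds an integer or the literal "max".
    v1: the file always holds an integer; unlimited is a sentinel near LONG_MAX.
    """
    value = text.strip()
    if version == 2:
        return None if value == "max" else int(value)
    if version == 1:
        limit = int(value)
        return None if limit >= V1_UNLIMITED_FLOOR else limit
    raise ValueError(f"unsupported cgroup version {version}")


def parse_meminfo_available_kib(text: str) -> int:
    """Extract MemAvailable (in kB) from /proc/meminfo-style text."""
    for line in text.splitlines():
        if line.startswith("MemAvailable:"):
            return int(line.split()[1])
    raise ValueError("MemAvailable not present in meminfo")


def effective_available_kib(meminfo_text: str,
                            v2_text: Optional[str] = None,
                            v1_text: Optional[str] = None) -> int:
    """Host MemAvailable capped by the cgroup limit in force.

    A v2 limit takes precedence when both files exist (hybrid hierarchies).
    """
    candidates = [parse_meminfo_available_kib(meminfo_text)]
    if v2_text is not None:
        limit = parse_cgroup_limit(v2_text, 2)
    elif v1_text is not None:
        limit = parse_cgroup_limit(v1_text, 1)
    else:
        limit = None
    if limit is not None:
        candidates.append(limit // 1024)
    return min(candidates)


def meets_minimum(available_kib: int, minimum_kib: int = MIN_INSTALL_KIB) -> bool:
    """True when the capped figure satisfies the installer threshold."""
    return available_kib >= minimum_kib


def _read_if_present(path: Path) -> Optional[str]:
    try:
        return path.read_text()
    except OSError:
        return None


def check_host() -> tuple[int, bool]:
    """Run the check against the live host (Linux only)."""
    meminfo = _read_if_present(MEMINFO)
    if meminfo is None:
        raise RuntimeError("/proc/meminfo unavailable; not a Linux host?")
    available = effective_available_kib(
        meminfo,
        v2_text=_read_if_present(CGROUP_V2_LIMIT),
        v1_text=_read_if_present(CGROUP_V1_LIMIT),
    )
    return available, meets_minimum(available)


# Constructed sample inputs (not captured from a real system).
SAMPLE_MEMINFO = (
    "MemTotal:       16384000 kB\n"
    "MemFree:         4096000 kB\n"
    "MemAvailable:   12288000 kB\n"
)
SAMPLE_V2_1GIB = "1073741824\n"
SAMPLE_V2_UNLIMITED = "max\n"
SAMPLE_V1_UNLIMITED = "9223372036854771712\n"

if __name__ == "__main__":
    for label, v2, v1 in (
        ("no cgroup limit", None, None),
        ("cgroup v2, 1 GiB", SAMPLE_V2_1GIB, None),
        ("cgroup v2, max", SAMPLE_V2_UNLIMITED, None),
        ("cgroup v1, unlimited", None, SAMPLE_V1_UNLIMITED),
    ):
        kib = effective_available_kib(SAMPLE_MEMINFO, v2, v1)
        print(f"{label:22s} -> {kib} KiB, ok={meets_minimum(kib)}")
```

The point the bug report makes is visible in the second sample case: a host with 12 GB free but a 1 GiB cgroup v2 limit must fail the check, and a checker that only knows the v1 path would never see that limit.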
Known Issues
Bug fixes
FreeIPA 4.9.1 is a stabilization release for the features delivered as part of the 4.9 version series.
There are more than 30 bug fixes since the FreeIPA 4.9.0 release. Details of the bug fixes can be seen in the list of resolved tickets below.
Upgrading
Upgrade instructions are available on Upgrade page.
Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.
Resolved tickets
- #3226 (rhbz#871208) [RFE] ipa sudorule-add-user should accept more types of characters
- #7599 (rhbz#1593745) Leading / trailing white spaces in password are disallowed
- #7676 (rhbz#1544379) ipa-client-install changes system wide ssh configuration
- #8501 Unify how FreeIPA gets FQDN of current host
- #8508 Nightly failure (ipa-4-8/master, enforcing mode) in ipa trust-add
- #8519 Fedora container platform is incomplete
- #8524 (rhbz#1851835) Deploy & manage the ACME service topology wide from a single system
- #8528 Use separate logs for AD Trust and DNS installer
- #8576 (rhbz#1728015) ipasam: derive parent domain for subdomains automatically
- #8584 ACME communication with dogtag REST endpoints should be using the cookie it creates
- #8589 (rhbz#1812871) Intermittent IdM Client Registration Failures
- #8596 (rhbz#1895197) improve IPA PKI subsystem detection by other means than a directory presence, use pki-server subsystem-find
- #8602 Nightly failure in test_acme.py::TestACME::test_certbot_certonly_standalone: An unexpected error occurred:
- #8614 Remove ca.crt from the system-wide store on uninstall
- #8618 (rhbz#1780782) ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg
- #8631 Nightly failure (389ds master branch) in test_commands.py::TestIPACommand::test_ipa_nis_manage_enable_incorrect_password
- #8634 (rhbz#1913089) Install of CA fails on CentOS 8 Stream with pki-core 10.9
- #8635 Memory availability detection does not work with cgroupsv2 environment
- #8644 (rhbz#1912845) ipa-certupdate drops profile from the caSigningCert tracking
- #8646 permission-mod attrs, includedattrs and excludedattrs issues
- #8650 Updated dnspython-2.1.0 causes a test failure
- #8653 Nightly test failure in test_integration/test_upgrade.py::TestUpgrade::()::test_kra_detection
- #8655 (rhbz#1860129) Allow to establish trust to Active Directory in FIPS mode
- #8656 Use client keytab for 389ds
- #8658 Value stored to 'krberr' is never read in ipa-rmkeytab.c
- #8659 ipa-kdb: provide correct logon time in MS-PAC from authentication time
- #8660 ipasam: implement PASSDB getgrnam call
- #8661 ipasam: allow search of users by user principal name (UPN)
- #8662 Nightly test failure (rawhide) in test_ipahealthcheck.py::TestIpaHealthCheckFileCheck::test_ipa_filecheck_bad_owner
- #8664 Nightly test failure (fed33, rawhide) in ipa trust-add --external=True
- #8668 (rhbz#1915471) Nightly failure in (f33+updates-testing) test_trust.py::TestTrust::test_ipa_commands_run_as_aduser
- #8670 Nightly failure (fed33) in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_encryption
- #8674 test_ipahealthcheck divides KiB by 1000
- #8678 Nightly failure (master) in test_trust.py::TestTrust::test_establish_forest_trust_with_shared_secret
- #8682 [ipatests] TestIPACommand.test_login_wrong_password time to time fails
Detailed changelog since 4.9.0
Armando Neto (1)
- ipatests: Update PR-CI definitions for ipa-4-9 commit
Alexander Bokovoy (30)
- Become FreeIPA 4.9.1 commit
- Force-update translation po/uk.po commit
- Force-update translation po/ipa.pot commit
- Force-update translation po/hu.po commit
- Force-update translation po/de.po commit
- Update contributors list commit
- baseldap: allow rejecting unknown objects instead of adding to an external attr commit #3226
- ipatests: when talking to AD DCs, use FQDN credentials commit #8678
- test_trust: add tests for using AD users and groups in SUDO rules commit #3226
- ipatests: fix test_sudorule_plugin's wrong argument use commit #3226
- sudorule runAs: allow to add users and groups from trusted domains directly commit #3226
- sudorule-add-user: allow to reference users and groups from trusted domains directly commit #3226
- idviews: add extended validator for users from trusted domains commit #3226
- baseldap: when adding external objects, differentiate between them and failures commit #3226
- baseldap: refactor validator support in add_external_pre_callback commit #3226
- Add design document for using AD users/groups in SUDO rules commit #3226
- use a constant instead of /var/lib/sss/keytabs commit
- trust-fetch-domains: use custom krb5.conf overlay for all trust operations commit #8655, #8664
- ipaserver/dcerpc: store forest topology as a blob in ipasam commit #8576
- ipasam: derive parent domain for subdomains automatically commit #8576
- ipasam: free trusted domain context on failure commit #8576
- ipasam: allow search of users by user principal name (UPN) commit #8661
- ipasam: implement PASSDB getgrnam call commit #8660
- ipa-kdb: provide correct logon time in MS-PAC from authentication time commit #8659
- ipaserver/dcerpc.py: enforce SMB encryption on LSA pipe if available commit #8655
- ipaserver/dcerpc.py: use Kerberos authentication for discovery commit #8655
- ipaserver/dcerpc: use Samba-provided trust helper to establish trust commit #8655
- ipatests: fix race condition in finalizer of encrypted backup test commit
- ipaplatform: add constant for systemd-run binary commit
- Get back to git snapshots commit
Antonio Torres (2)
- Check that IPA cert is added to trust store after server install commit #8614
- Test that IPA certs are removed on server uninstall commit #8614
Antonio Torres Moríñigo (2)
- ipatests: test that trailing/leading whitespaces in passwords are allowed commit
- Allow leading/trailing whitespaces in passwords commit #7599
Christian Heimes (1)
François Cami (1)
Florence Blanc-Renaud (12)
- ipatests: fix discrepancies in nightly defs commit
- ipatests: fix expected output for ipahealthcheck.ipa.files commit #8662
- ipatests: fix healthcheck test for ipahealthcheck.ds.encryption commit #8670
- ipatests: fix expected errmsg in TestTrust::test_ipa_commands_run_as_aduser commit #8668
- ipatest: fix test_upgrade.py::TestUpgrade::()::test_kra_detection commit #8596, #8653
- selinux: modify policy to allow one-way trust commit #8508
- ipatests: add test_ipa_cert_fix to the nightly definitions commit #8618
- ipa-cert-fix: do not fail when CSR is missing from CS.cfg commit #8618
- ipatests: add a test for ipa-cert-fix commit #8618
- ipatests: clear initgroups cache in clear_sssd_cache commit
- ipatests: remove test_acme from gating commit #8602
- ipatests: fix expected error message in test_commands commit #8631
JoeDrane (1)
- Update ipa_sam.c commit
Rob Crittenden (16)
- ipatests: test the cgroup v2 memory restrictions commit #8635
- Add support for cgroup v2 to the installer memory checker commit #8635
- ipa-rmkeytab: Check return value of krb5_kt_(start|end)_seq_get commit #8658
- ipa-rmkeytab: convert numeric return values to #defines commit #8658
- ipa_pwd: Remove unnecessary conditional commit
- ipa_kdb: Fix memory leak commit
- ipa-kdb: Fix logic to prevent NULL pointer dereference commit
- ipa-kdb: Change mspac base RID logic from OR to AND commit
- Add missing break statement to password quality switch commit
- Revert "Remove test for minimum ACME support and rely on package deps" commit #8634
- ipatests: See if nologin supports -c before asserting message commit #7676
- ipatests: test that modifying a permission attrs handles failure commit #8646
- Remove virtual attributes before rolling back a permission commit #8646
- Remove invalid test case for DNS SRV priority commit #8650
- ipatests: test that no errors are reported after ipa-certupdate commit #8644
- Don't change the CA profile when modifying request in ipa_certupdate commit #8644
Robbie Harwood (1)
Stanislav Levin (2)
- ipatests: Don't assume sshd flush its logs immediately commit #8682
- ipatests: Raise log level of 389-ds replication commit
Sergey Orlov (2)
- ipatests: use fully qualified name for AD admin when establishing trust commit
- ipatests: do not set dns_lookup to true commit