FreeIPA 4.9.2 draft release notes

The FreeIPA team would like to announce FreeIPA 4.9.2 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.9.2

TODO RELEASE NOTES - put release notes (if any) to proper categories

  • 8404: Detect and fail if not enough memory is available for installation
FreeIPA server now requires at least 1.2 GiB RAM for installation to prevent performance degradation.

END TODO

Enhancements

Known Issues

Bug fixes

FreeIPA 4.9.2 is a stabilization release for the features delivered as a part of 4.9 version series.

There are more than 20 bug-fixes since FreeIPA 4.9.1 release. Details of the bug-fixes can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode.

Resolved tickets

  • #6739 Cannot login to replica's WebUI
  • #8404 Detect and fail if not enough memory is available for installation
  • #8452 update samba configuration on IPA master to explicitly use 'server role' setting
  • #8506 Nightly failure in ipa-server-install --uninstall: org.freedesktop.DBus.Error.NoReply
  • #8533 Nightly failure in ipa-replica-install configuring renewals: DBusException: org.freedesktop.DBus.Error.NoReply
  • #8550 (rhbz#1902173) Uninstallation of server with KRA diplays error but proceeds successfully (unable to access security domain)
  • #8554 (rhbz#1891056) ipa-kdb: support subordinate/superior UPN suffixes
  • #8588 The 'ipactl status' command exit code does not fail on a partial error
  • #8630 (rhbz#1909876) Do not resolve user/group UID/GID in the service constructors
  • #8636 (rhbz#1923900) Samba on IdM member failure
  • #8647 (rhbz#1912556) Incorrect DNSKEY created when DNSSEC enabled for zone
  • #8658 (rhbz#1924501) Value stored to 'krberr' is never read in ipa-rmkeytab.c
  • #8669 Reduce difference between upstream and downstream releases
  • #8675 Update failed: NSS is built without support of the legacy database(DBM)
  • #8683 [ipatests] `test_ipa_dns_systemrecords_check` and `test_ipa_healthcheck_no_errors` fail in Azure Pipelines
  • #8685 KDC cert has no SAN DNSname
  • #8686 (rhbz#1922955) Resubmitting KDC cert fails with internal server error
  • #8689 Add centos platform module
  • #8690 Add a tool to control interactive programs on remote hosts in IPA tests
  • #8699 (rhbz#1926699) avc denial for gpg-agent with systemd-run
  • #8704 (rhbz#1926910) ipa cert-remove-hold returns an incorrect error message
  • #8712 Support new baseURL config option for ACME

Detailed changelog since 4.9.1

Alexander Bokovoy (14)

  • Back to git commits commit
  • Become IPA 4.9.2 commit
  • po: refresh translations to remove outdated strings commit
  • po: update translations template commit
  • test_installutils: run gpg-agent under a specific SELinux context commit #8699
  • Force-update translation after FreeIPA to IPA change: po/fr.po commit
  • Force-update translation after FreeIPA to IPA change: po/es.po commit
  • Force-update translation po/id.po commit
  • Force-update translation po/fr.po commit
  • Force-update translation po/es.po commit
  • Force-update translation po/de.po commit
  • client: synchronize ignored return codes with ipa-rmkeytab commit #8658
  • ipa-sam: return NetBIOS domain name instead of DNS one commit #8636
  • Back to git commits commit

Antonio Torres (4)

  • ipatests: test addition of invalid sudo command commit
  • sudocmd: ensure command doesn't contain trailing dot before adding it commit
  • WebUI: change FreeIPA naming to IPA in About dialog commit #8669
  • Update samba configuration on IPA master to explicitly use 'server role' setting commit #8452

Christian Heimes (4)

Florence Blanc-Renaud (8)

  • ipatests: update expected error message commit #8704
  • xmlrpc tests: add a test for cert-remove-hold commit #8704
  • cert plugin: propagate the error for non-existent cert commit #8704
  • ipatests: ipactl status now exits with 3 when a service is stopped commit #8588
  • ipatests: fix ipahealthcheck fixture _modify_permission commit
  • OpenDNSSEC: fix timezone in key creation date commit
  • ipatests: add a test for ZSK/KSK keytype in DNSKEY record commit #8647
  • dnssec: fix the key type with OpenDNSSEC 2.1 commit #8647

Mohammad Rizwan (1)

  • ipatests: Test if server setup without dns uninstall properly commit #8630

Rob Crittenden (20)

  • Remove the option stop_certmonger from stop_tracking_* commit #8506, #8533
  • Add some logging around initial ACME deployment commit #8712
  • Add versions to the ACME config templates and update on upgrade commit #8712
  • Set the ACME baseURL in order to pin a client to a single IPA server commit #8712
  • Add RHEL 9 UI branding patch reference commit #8669
  • Force-update translation after FreeIPA to IPA change: po/ipa.pot commit
  • Remove references to rjsmin in UI compile.sh commit #8669
  • Remove support for csrgen commit #8669
  • Change FreeIPA references to IPA and Identity Management commit #8669
  • ipatests: Handle non-zero return code in test_ipactl_scenario_check commit #8550
  • Add exit status to the ipactl man page commit #8550
  • Ensure IPA is running (ideally) before uninstalling the KRA commit #8550
  • ipactl: support script status 3, program is not running commit #8588
  • Use the new API introduced in PKI 10.8 commit
  • Change CA profile migration message from info to debug commit
  • Only build the UI with uglifyjs on RHEL 8 commit #8669
  • Provide more detailed logging around memory detection commit #8404
  • ipatests: Update NSSDatabase DBM test on non-DBM-capable installs commit #8675
  • Ignore database errors when trying to extract ipaCert on upgrade commit #8675
  • Report the NSS database directory if it cannot be opened commit #8675

Stanislav Levin (3)

  • rpm-spec: Require crypto-policies-scripts commit
  • ipatests: Handle AAAA records in test_ipa_dns_systemrecords_check commit #8683
  • Azure: Populate containers with self-AAAA records commit #8683

Sergey Orlov (5)

  • ipatests: use pexpect to control inetractive session of ipa-adtrust-install commit #8690
  • ipatests: use pexpect to invoke ktutil commit #8690
  • ipatests: add a tests-oriented wrapper for pexpect module commit #8690
  • ipatests: rewrite test for requests routing to subordinate suffixes commit #8554
  • fix collecting log files which are symlinks commit

Thorsten Scherf (1)

  • man: fix ipa-client-samba.1 typos commit