FreeIPA 4.9.8 release notes draft

The FreeIPA team would like to announce FreeIPA 4.9.8 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

Highlights in 4.9.8

TODO RELEASE NOTES - put release notes (if any) to proper categories

• 8397: Cannot remove First master server with KRA after the server hard disk failed ( destructed)

The KRA role search was too narrow resulting in false positives when trying to delete a server with a KRA, resulting in an error that the last KRA was being removed when this was not the case.

• 8492: RFE: Include the server schema version in communication with the client

IPA clients store a copy of the server command schema, with a TTL of 1 hour by default. During plugin development command options, labels, etc may change and because some values are cached, new values will not display until the cache expires. This change adds a new configuration option, schema_ttl, so that a user can control how long the data is cached. A setting of 0 disables the cache. Tuning this is not recommended on production servers.

• 8962: Info about searchrecordslimit set search limit to 10,000 after upgrade

Set the server-side search size limit to 10,000 entries. By default the client side will still be 100. Consider carefully when increasing the client side value as it adds additional load on the server to retrieve more entries.

• 8968: Add URI records for KDC

FreeIPA DNS integration now provides URI records for a dynamic discovery of Kerberos KDCs. This allows automatic discover and use of MS-KKDCP proxies. URI records are also Kubernetes-friendly as Kubernetes does not support SRV records with the same name and different protocols.

• 8974: RHEL 8.5 IPA Replica setup fails against a RHEL 7.9 IPA server

When creating a new replica against an older existing server that lacks the sanToCNDefaultImpl capability, the ACME certificate profile cannot be added. Running ipa-server-upgrade manually after ipa-replica-install has completed will correctly add in the missing profile.

• 8980: Nightly test failure in pki-fedora/test_integration/test_backup_and_restore

Make Dogtag return XML for ipa cert-find

• 8986: ipa cert-request replaces user certificate instead of adding

By default IPA caches LDAP entries within a given request. Entries with a userCertificate value are not cached because the attribute may be represented with or without a ;binary tag and this confuses the cache. This will be revisted in the future but for now we are favoring correctness over speed.

• 8995: Integrate SID configuration into base IPA installers

New installations of IPA now configure the server to generate SIDs by default. Previously, this setup was executed as part of the ipa-adtrust-install command.

• 9031: Harden FreeIPA KDC processing of PAC buffers

FreeIPA now implements PAC structure hardening as coordinated with Samba Team and Microsoft in CVE-2020-25719 and CVE-2021-42287 correspondingly.

• 9038: Concerns regarding 'ipa pwpolicy-mod --minlife 24 --maxlife 1'

ipa pwpolicy-mod --minlife $min --maxlife $max accepts $max >= $min, yet the error message says: "Maximum password life must be greater than minimum." Change the error message so that it conveys the actual logic.

END TODO

Enhancements

• 8492: RFE: Include the server schema version in communication with the client

IPA clients store a copy of the server command schema, with a TTL of 1 hour by default. During plugin development command options, labels, etc may change and because some values are cached, new values will not display until the cache expires. This change adds a new configuration option, schema_ttl, so that a user can control how long the data is cached. A setting of 0 disables the cache. Tuning this is not recommended on production servers.

• 8968: Add URI records for KDC

FreeIPA DNS integration now provides URI records for a dynamic discovery of Kerberos KDCs. This allows automatic discover and use of MS-KKDCP proxies. URI records are also Kubernetes-friendly as Kubernetes does not support SRV records with the same name and different protocols.

• 8995: Integrate SID configuration into base IPA installers

New installations of IPA now configure the server to generate SIDs by default. Previously, this setup was executed as part of the ipa-adtrust-install command.

• 9031: Harden FreeIPA KDC processing of PAC buffers

FreeIPA now implements PAC structure hardening as coordinated with Samba Team and Microsoft in CVE-2020-25719 and CVE-2021-42287 correspondingly.

Known Issues

• 8700: ipa-server-install --auto-reverse does not create reverse DNS zone in Fedora 33

Previously, systemd-resolved presented reverse record for host's IP address which made ipa-server-install skip creation of reverse zone. The issue was fixed in systemd on Fedora 35 and is not a problem anymore.

Bug fixes

FreeIPA 4.9.8 is a stabilization release for the features delivered as a part of 4.9.0 version series.

There are more than 30 bug-fixes since FreeIPA 4.9.7 release. Details of the bug-fixes can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on libera.chat.

Resolved tickets

• #7885 (rhbz#1690191) RFE: wrapper for Dogtag cert-fix command
• #8353 Sporadic: Nightly test failure in test_adtrust_install.py::TestIpaAdTrustInstall::test_add_agent_not_allowed - kinit: Password has expired while getting initial credentials
• #8397 (rhbz#1985069) Cannot remove First master server with KRA after the server hard disk failed ( destructed)
• #8492 RFE: Include the server schema version in communication with the client
• #8687 (rhbz#1980356) Nightly failure (rawhide/f34) reinstalling samba client: winbindd coredump
• #8700 ipa-server-install --auto-reverse does not create reverse DNS zone in Fedora 33
• #8755 (rhbz#1921007) ipa-server-install : No such file or directory: '/etc/authselect/user-nsswitch.conf'
• #8815 Nightly test failure in new test test_ipa_cert_fix.py::TestCertFixReplica
• #8846 Nightly test failure in test_webui_policy::test_selinuxusermap::test_undo_refresh_reset_update_cancel
• #8932 ipatests: move_date is defined twice
• #8953 test_certmonger_ipa_responder_jsonrpc random failure
• #8954 Issues in commands of `schema` plugin
• #8955 Unstable fingerprints for the same API schema
• #8961 [azure] inconsistent results for `Quick code style check` and `Lint` tasks
• #8962 (rhbz#1966289) Info about searchrecordslimit set search limit to 10,000 after upgrade
• #8965 (rhbz#2000261) extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT
• #8966 Invoke pkispawn with --log-file
• #8968 Add URI records for KDC
• #8972 (rhbz#1998129) AVC denied { read } comm="ipa-custodia" on aarch64 during installation of ipa-server
• #8974 (rhbz#1999142) RHEL 8.5 IPA Replica setup fails against a RHEL 7.9 IPA server
• #8975 Nightly test failure in test_integration/test_commands.py/TestIPACommand/test_reset_password_unlock
• #8979 Nightly test failure (rawhide) in test_trust.py::TestTrust::test_establish_forest_trust_with_shared_secret
• #8980 Nightly test failure in pki-fedora/test_integration/test_backup_and_restore
• #8983 [azure] tar sometimes fails on changed in process files
• #8984 (rhbz#1999992) ipa migrate-ds command fails to warn when compat plugin is enabled
• #8985 [azure] docs build fails with Pygments 2.8.0+
• #8986 (rhbz#1999893) ipa cert-request replaces user certificate instead of adding
• #8987 Nightly test failure in test_integration/test_trust.py/TestTrust/test_extdom_plugin
• #8989 Nightly failure (rawhide) in tasks.run_ssh_cmd
• #8995 Integrate SID configuration into base IPA installers
• #8999 Nightly failure (rawhide) in test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA::test_ipahealthcheck_ipaopensslchainvalidation
• #9000 Nightly failure (rawhide) in test_ipahealthcheck.py::TestIpaHealthCheck::test_sosreport_includes_healthcheck
• #9006 Nightly failure in test_commands.py::TestIPACommand::test_cacert_manage
• #9008 [azure] clone3 and glibc 2.34 in container
• #9009 Nightly failure (rawhide) in webui_tests: yaml.load() now requires Loader
• #9011 [azure] pip's builddir
• #9013 [ipatests] test_external_ca.py::TestMultipleExternalCA::test_master_install_ca1 fails
• #9029 Nightly webui test failure (rawhide): selenium issue
• #9031 Harden FreeIPA KDC processing of PAC buffers
• #9036 (rhbz#2009114) Invalid PTR records created when navigated from host details page
• #9038 (rhbz#1825010) Concerns regarding 'ipa pwpolicy-mod --minlife 24 --maxlife 1'
• #9046 Stacktrace when using 'ipa server-del' in non-English locale

Detailed changelog since 4.9.7

Armando Neto (2)

• ipatests: Fix UI_driver method after Selenium upgrade commit #9029
• ipatests: Bump PR-CI latest templates to Fedora 35 commit

Alexander Bokovoy (12)

• freeipa.spec.in: -server subpackage should require samba-client-libs commit #9031
• ipa-kdb: validate domain SID in incoming PAC for trusted domains for S4U commit #9031
• ipa-kdb: honor SID from the host or service entry commit #9031
• SMB: switch IPA domain controller role commit #9031
• ipa-kdb: Use proper account flags for Kerberos principal in PAC commit #9031
• ipa-kdb: add PAC_ATTRIBUTES_INFO PAC buffer support commit #9031
• ipa-kdb: add support for PAC_REQUESTER_SID buffer commit #9031
• ipa-kdb: add support for PAC_UPN_DNS_INFO_EX commit #9031
• ipa-kdb: S4U2Proxy target should use a service name without realm commit #9031
• ipa-kdb: use entry DN to compare aliased entries in S4U operations commit #9031
• ipa-kdb: enforce SID checks when generating PAC commit #9031
• ipa-kdb: store SID in the principal entry commit #9031

Christian Heimes (1)

• Add URI system records for KDC commit #8968

Chris Kelley (1)

• Make Dogtag return XML for ipa cert-find commit #8980

Endi Sukma Dewata (1)

• Specify PKI installation log paths commit #8966

François Cami (5)

• pwpolicy: change lifetime error message commit #9038
• subid: subid-match: display the owner's ID not DN commit
• ipatests: refactor test_ipa_cert_fix with tasks commit #8932
• freeipa.spec.in: update 389-DS version commit
• Back to git snapshots commit

Florence Blanc-Renaud (27)

• ipatests: remove xfail on f35+ for test_number_of_zones commit #8700
• ipatests: mark test_installation_TestInstallWithCA_DNS3 as xfail commit #8700
• ipatests: fix get_user_result method commit #8995
• ipatests: update the expected output of user-add cmd commit #8995
• User plugin: do not return the SID on user creation commit #8995
• Webui tests: new idrange now requires base RID commit #8995
• ipatests: backup-reinstall-restore needs to clear sssd cache commit #8995
• User lifecycle: ignore SID when moving from preserved to staged commit #8995
• ipatests: adapt expected output with SID commit #8995
• ipatests: interactive install prompts for netbios name commit #8995
• ipatests: add test ensuring SIDs are generated for new installs commit #8995
• ipa config: add --enable-sid option commit #8995
• adtrust install: define constants for rid bases commit #8995
• Installers: configure sid generation in server/replica installer commit #8995
• SID generation: define SIDInstallInterface commit #8995
• ipa-server-install uninstall: remove tdb files commit #8687
• ipa-client-samba uninstall: remove tdb files commit #8687
• ipatests: Update the subca used in TestIPACommand::test_cacert_manage commit #9006
• webui test: close notification after selinux user map update commit #8846
• ipatests: increase sosreport verbosity commit #9000
• ipatests: update expected error message for openssl verify commit #8999
• ipatests: fix expected msg in tasks.run_ssh_cmd commit #8989
• ipatests: fix logic waiting for repl in TestIPACommand commit #8975
• migrate-ds: workaround to detect compat tree commit #8984
• ipatests: rpcclient now uses --use-kerberos=desired commit #8979
• selinux policy: allow custodia to access /proc/cpuinfo commit #8972
• ipatests: use whole date for journalctl --since commit #8953

Jochen Kellner (1)

• Remove duplicate _() in the error path commit #9046

Michal Polovka (1)

• ipatests: webui: Specify configuration loader commit #9009

Mohammad Rizwan (4)

• ipatests: remove redundant kinit from test commit
• ipatests: update the timemout for test_ipa_cert_fix.py in nightlies commit
• ipatests: wait while http/ldap/pkinit cert get renew on replica commit #8815
• ipatests: test to renew certs on replica using ipa-cert-fix commit #7885

Pavel Březina (1)

• kdb: fix typo in ipa_kdcpolicy_check_as commit

Petr Voborník (2)

• webui tests: remove unnecessary code in add_record commit #9036
• fix(webui): create correct PTR record when navigated from host page commit #9036

Rob Crittenden (7)

• Don't limit role-find by hostname when searching for last KRA commit #8397
• Make the schema cache TTL user-configurable commit #8492
• On redhat-based platforms rely on authselect to enable sudo commit #8755
• ipatests: Test that a user can be issued multiple certificates commit #8986
• Don't store entries with a usercertificate in the LDAP cache commit #8986
• Increase default limit on LDAP searches to 100k commit #8962
• Catch and log errors when adding CA profiles commit #8974

Sumit Bose (1)

• extdom: return LDAP_NO_SUCH_OBJECT if domains differ commit #8965

Stanislav Levin (15)

• ipatests: TestMultipleExternalCA: Create tempfiles on remote host commit #9013
• azure: Don't customize pip's builddir commit #9011
• seccomp profile: Default to ENOSYS instead of EPERM commit #9008
• test_schema_plugin: Add missing tests for command, class and topic commands commit #8954
• test_schema_plugin: Drop dependency on Tracker commit #8954
• command_defaults: Don't crash on nonexistent command commit #8954
• schema plugin: Fix commands without metaobject arg commit #8954
• ipatests: Log debug messages for locator plugin commit #8353
• krb5: Pin kpasswd server to a primary one commit #8353
• azure: Ignore tar errors commit #8983
• docs: Make use of `text` highlighting commit #8985
• ipatests: Add tests for `schema` Command commit #8955
• schema plugin: Generate stable fingerprint commit #8955
• pycodestyle: Check *.in Python files commit #8961
• Azure: Run pycodestyle check in Lint job commit #8961

Sergey Orlov (2)

• ipatests: use AD domain name from config instead of hardcoded value commit
• ipatests: check for message in sssd log only during actual test action commit #8987

Sumedh Sidhaye (1)

• Test to verify if the case of a request for /ca/rest/authority/{id}/cert (or .../chain) commit

Vit Mojzis (1)

• selinux: Fix file context definition for /var/run commit