[Freeipa-interest] [Announce] FreeIPA 4.8.2 released

Alexander Bokovoy abokovoy at redhat.com
Wed Nov 13 08:55:15 UTC 2019


On Wed, 13 Nov 2019, Alexander Bokovoy wrote:
>Hello!
>
>The FreeIPA team would like to announce FreeIPA 4.8.1 release!
>
>It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
>Fedora 30 will be available in the official Fedora repository soon.

Correction: Builds for Fedora 31 are already available in the official
Fedora repository. In order to get them to the stable updates, we need
your help with testing the update:
https://bodhi.fedoraproject.org/updates/FEDORA-2019-75a963e4cb

Please give karma points!

>
>== Highlights in 4.8.2 ==
>
>--------
>* 5608: [RFE] Add Dogtag configuration extensions
>
>Dogtag CA allows specifying additional options in the configuration file used
>to deploy the CA. FreeIPA installers can now pass through an overlay configuration
>file to fine-tune the CA.
>
>--------
>* 7971: [RFE] Include hint for replication_wait_timeout if timeout fails
>
>In case the replica setup times out, suggest increasing the replication_wait_timeout
>option before running the replica installation again.
>
>--------
>
>=== Enhancements ===
>
>* 8001 Need default authentication indicators for SPAKE, PKINIT and encrypted challenge preauth
>
>When Kerberos authentication is performed with the help of SPAKE or PKINIT
>pre-authentication methods, add authentication indicator to resulting tickets.
>This allows filtering access to resources by a wider variety of
>pre-authentication methods.
>
>--------
>* 8110 Enable AES SHA 256 and 384 Kerberos enctypes
>
>Allow use of AES SHA 256 and 384 Kerberos encryption types by default for new Kerberos principals.
>
>--------
>* 8111 [FIPS] Don't add camellia KRB5 encsalttypes in FIPS mode
>
>Expose only encryption types allowed in FIPS mode when creating a master in FIPS mode.
>
>--------
>* 8020 support AES in LWCA key replication
>
>Sub-CA key replication between CA replicas can now use AES encryption to wrap the secrets.
>
>--------
>* 8044 Extdom plugin should not return LDAP_NO_SUCH_OBJECT if there are timeout or other errors
>
>An LDAP control used by SSSD for retrieval of information about AD users and
>groups was extended to properly differentiate lack of information and its
>unavailability.
>
>
>--------
>=== Known Issues ===
>=== Bug fixes ===
>FreeIPA 4.8.2 is a stabilization release for the features delivered as a
>part of '''FIXME''' 4.7.0 '''END FIXME'''.
>There are more than 40 bug fixes, details of which can be seen in
>the list of resolved tickets below.
>
>== Upgrading ==
>Upgrade instructions are available on [[Upgrade]] page.
>
>== Feedback ==
>Please provide comments, bugs and other feedback via the freeipa-users mailing
>list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/)
>or #freeipa channel on Freenode.
>
>
>== Resolved tickets ==
>* 2018 Change hostname length limit to 64
>* 3999 [RFE] Fix and Document how to set up Samba File Server with IPA
>* 4972 check for existence of private group is done even if UPG definition is disabled
>* 5062 [WebUI] Unlock option is enabled for all user.
>* 5608 [RFE] Add Dogtag configuration extensions
>* 5879 Attempt to fix capitalization fails with ipa: ERROR: Type or value exists:
>* 6210 When master's IP address does not resolve to its name, ipa-replica-install fails
>* 6843 ipa-backup does not create log file at /var/log/
>* 7307 RFE: Extend IPA to support unadvertised replicas
>* 7522 Disable cert publishing in dogtag
>* 7566 Installation of replica against a specific master
>* 7725 ipa-restore set wrong file permissions and ownership for /var/log/dirsrv/slapd-<instance> directory
>* 7870 [certmonger][upgrade] "Failed to get request: bus, object_path and dbus_interface must not be None."
>* 7961 [WebUI] Identity Manager WebUI requires you to save changes after changing specifications before making other change
>* 7971 [RFE] Include hint for replication_wait_timeout if timeout fails
>* 7987 Python shebang: Use isolated mode
>* 7995 Removing TLSv1.0, TLSv1.1 from nss.conf
>* 8001 Need default authentication indicators for SPAKE, PKINIT and encrypted challenge preauth
>* 8017 host-add --password logs cleartext userpassword to Apache error log
>* 8020 support AES in LWCA key replication
>* 8031 HBAC Test Validation error when running the HBAC test the second time round via the IPA Web GUI
>* 8034 Existing p11-kit config file is not restored on uninstall
>* 8038 ipa-client-automount --uninstall is not restoring nsswitch.conf
>* 8044 Extdom plugin should not return LDAP_NO_SUCH_OBJECT if there are timeout or other errors
>* 8048 Travis-CI sometimes fails at dnf
>* 8052 test failure in test_integration/test_sudo.py::TestSudo::()::test_domain_resolution_order on fedora29
>* 8053 [WebUI] Fix login screen loading issue in test_loginscreen
>* 8054 ipa-client-install calls "authselect select sssd --force" at uninstall time before restoring user-nsswitch.conf
>* 8055 Test for PG6843: ipa-backup does not create log file at /var/log is failing
>* 8056 BuildRequires is not compatible with %{_libdir}
>* 8057 Running ipa-server-install produces SyntaxWarning: "is not" with a literal. Did you mean "!="?
>* 8062 Re-add configure_nsswitch_database, configure_nsswitch, ... to ipaclient.install
>* 8066 Don't use -t option to klist in adtrust code when timestamp is not needed
>* 8067 add default access control configuration to trusted domain objects
>* 8070 Test failure in test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion::()::test_hidden_replica_install
>* 8073 Backup/restore does not restore /etc/pkcs11/modules/softhsm2.module
>* 8075 Don't create log file for helper scripts
>* 8077 New pylint 2.4.0 errors
>* 8079 [Security] By default, DNS recursion is open, breaking best practices
>* 8084 KRA authentication fails when IPA CA has custom Subject DN
>* 8086 ipa-server-certinstall man page does not match built-in help.
>* 8099 ipa-backup command is failing on rhel-7.8
>* 8102 Pylint 2.4.3 + Astroid 2.3.2 errors
>* 8105 getcert with -F option returns before cacert file is created
>* 8110 Enable AES SHA 256 and 384 Kerberos enctypes
>* 8111 [FIPS] Don't add camellia KRB5 encsalttypes in FIPS mode
>* 8113 ipa-advise on a RHEL7 IdM server is not able to generate a configuration script for a RHEL8 IdM client
>* 8114 [RFE] Delegate group membership management
>* 8115 Nightly test failure in fedora-30/test_smb and fedora-29/test_smb
>== Detailed changelog since 4.8.1 ==
>=== Armando Neto (4) ===
>* prci: bump template version
>* prci: increase timeout argument for test_sssd.py
>* prci: increase timeout for jobs that required AD
>* prci: Update box used in branch ipa-4-8
>
>=== Alexander Bokovoy (9) ===
>* Become FreeIPA 4.8.2
>* Update list of contributors
>* Update translations
>* Add local helpers to handle unixid structure
>* adtrust: add default read_keys permission for TDO objects
>* add default access control when migrating trust objects
>* adtrust: avoid using timestamp in klist output
>* Mark failing test as xfail for use of python-dns make_ds method
>* ipa-extdom-extop: test timed out getgrgid_r
>
>=== Alexandre Mulatinho (1) ===
>* ipa-scripts: fix all ipa command line scripts to operate with -I
>
>=== Anuja More (1) ===
>* Extdom plugin should not return error (32)/'No such object'
>
>=== Christian Heimes (12) ===
>* Add tests for member management
>* Add group membership management
>* Skip commented lines after substitution
>* Block camellia in krbenctypes update in FIPS
>* Don't install a preexec_fn by default
>* Don't create log files from help scripts
>* Fix ca_initialize_hsm_state
>* Add new env vars to pylint plugin
>* Fix wrong use of identity operation
>* Enable literal-comparison linter again
>* Replace %{_libdir} macro in BuildRequires
>* Store HSM token and state
>
>=== Cédric Jeanneret (1) ===
>* Prevents DNS Amplification Attack and allow to customize named
>
>=== Changmin Teng (5) ===
>* Add design document
>* Modify webUI to adhere to new IPA server API
>* Implement user pre-authentication control with kdcpolicy plugin
>* Extend the list of supported pre-auth mechanisms in IPA server API
>* Add new authentication indicators in kdc.conf.template
>
>=== François Cami (8) ===
>* ipatests: temporarily remove test_smb from gating
>* ipa_client_automount.py: fix typo (idmap.conf => idmapd.conf)
>* ipapython/ipachangeconf.py: change "is not 0" for "!= 0"
>* travis-ci: make dnf invocations more resilient
>* authconfig.py: restore user-nsswitch.conf at uninstall time
>* ipatests: remove xfail in TestIpaClientAutomountFileRestore
>* ipa-client-automount: always restore nsswitch.conf at uninstall time
>* ipatests: check that ipa-client-automount restores nsswitch.conf at uninstall time
>
>=== Florence Blanc-Renaud (11) ===
>* smartcard: make the ipa-advise script compatible with authselect/authconfig
>* ipa-backup: fix python2 issue with os.mkdir
>* ipa-server-certinstall manpage: add missing options
>* ipatests: fix test_replica_promotion.py::TestHiddenReplicaPromotion
>* ipatests: add XMLRPC test for user-add when UPG plugin is disabled
>* ipa user_add: do not check group if UPG is disabled
>* replica install: enforce --server arg
>* ipatests: ensure that backup/restore restores pkcs 11 modules config file
>* ipa-backup: backup the PKCS module config files setup by IPA
>* config plugin: replace 'is 0' with '== 0'
>* ipatests: fix wrong xfail in test_domain_resolution_order
>
>=== Francisco Trivino (1) ===
>* prci: increase gating tasks priority
>
>=== Fraser Tweedale (7) ===
>* test_integration: add tests for custom CA subject DN
>* upgrade: fix ipakra people entry 'description' attribute
>* krainstance: set correct issuer DN in uid=ipakra entry
>* Bump Dogtag min version to 10.7.3
>* ipa-pki-retrieve-key: request AES encryption (with fallback)
>* NSSWrappedCertDB: accept optional symmetric algorithm
>* IPASecStore: support extra key arguments
>
>=== Michal Polovka (3) ===
>* ipatests: add tests for ipa host-add with non-default maxhostnamelength
>* ipatests: fix topology for TestIpaNotConfigured in PR-CI nightly definitions
>* ipatests: Test for ipa-backup with ipa not configured
>
>=== Mohammad Rizwan Yusuf (3) ===
>* Add test to nightly yamls.
>* Installation of replica against a specific server
>* Check file ownership and permission for dirsrv log instance
>
>=== ndehadra (1) ===
>* Hidden Replica: Add a test for Automatic CRL configuration
>
>=== Spencer E. Olson (1) ===
>* Fixes debian path for IPA_CUSTODIA_HANDLER
>
>=== Rob Crittenden (16) ===
>* Conditionally restart certmonger after client installation
>* Add conditional restart (try-restart) capability to services
>* Enable AES SHA 256 and 384-bit enctypes in Kerberos
>* Add missing timeout option to logging statement
>* Log dogtag auth timeout in install, provide hint to increase it
>* Log the replication wait timeout for debugging purposes
>* Replace replication_wait_timeout with certmonger_wait_timeout
>* Disable dogtag cert publishing
>* ipa-restore: Restore ownership and perms on 389-ds log directory
>* Report if a certmonger CA is missing
>* Re-order tasks.restore_pkcs11_modules() to run earlier
>* Don't log host passwords when they are set/modified
>* Skip lock and fork in ipa-server-guard on unsupported ops
>* Defer initializing the API in dogtag-ipa-ca-renew-agent-submit
>* Use tasks to configure automount nsswitch settings
>* Move ipachangeconf from ipaclient.install to ipapython
>
>=== Robbie Harwood (7) ===
>* Provide modern example enctypes in ipa-getkeytab(1)
>* Fix segfault in ipadb_parse_ldap_entry()
>* Add a skeleton kdcpolicy plugin
>* Move certauth configuration into a server krb5.conf template
>* Enable krb5 snippet updates on client update
>* Fix NULL pointer dereference in maybe_require_preauth()
>* Log INFO message when LDAP connection fails on startup
>
>=== Rafael Guterres Jeffman (1) ===
>* Fixes pylint errors introduced by version 2.4.0.
>
>=== Rafael Guterres Jeffman (6) ===
>* Removed unnecessary imports after code review.
>* Removes several pylint warnings.
>* Removed unnecessary imports after code review.
>* Removes several pylint warnings.
>* Removes rpmlint warning on freeipa.spec.
>* Re-add function façades removed by commit 2da9088.
>
>=== Sumit Bose (1) ===
>* extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT
>
>=== Stanislav Levin (5) ===
>* Fix errors found by Pylint-2.4.3
>* Install language packs for tests
>* Restore running of 'test_ipaserver' tests on Azure
>* Setup DNS for AP Docker container
>* Fixed errors newly exposed by pylint 2.4.0
>
>=== Sergey Orlov (14) ===
>* ipatests: enable test_smb.py in gating.yaml
>* ipatests: replace ad hoc backup with FileBackup helper
>* ipatests: refactor FileBackup helper
>* ipatests: in DNS zone file add A record for name server
>* ipatests: strip newline character when getting name of temp file
>* ipatests: add test to check that only TLS 1.2 is enabled in Apache
>* ipatests: fix DNS forwarders setup for AD trust tests with non-root domains
>* ipatests: add tests for cached_auth_timeout in sssd.conf
>* ipatests: refactoring: use library function to check if selinux is enabled
>* ipatests: add new utilities for file management
>* ipatests: refactor and extend tests for IPA-Samba integration
>* ipatests: modify run_command to allow specify successful return codes
>* ipatests: add utility functions related to using and managing user accounts
>* ipatests: allow to pass additional options for clients installation
>
>=== Serhii Tsymbaliuk (4) ===
>* WebUI: Fix new test initialization on "HBAC Test" page
>* WebUI: Fix changing category on HBAC/Sudo/etc Rule pages
>* WebUI: Make 'Unlock' option is available only on locked user page
>* WebUI tests: Fix login screen loading issue
>
>=== Sudhir Menon (1) ===
>* Added testcase to check capitalization fix while running ipa user-mod
>
>=== Tibor Dudlák (1) ===
>* Add container environment check to replicainstall
>
>=== Tomas Halman (4) ===
>* extdom: add extdom protocol documentation
>* extdom: use sss_nss_*_timeout calls
>* extdom: plugin doesn't use timeout in blocking call
>* extdom: plugin doesn't allow @ in group name
>

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland