[Freeipa-interest] FreeIPA 4.8.9 released

Alexander Bokovoy abokovoy at redhat.com
Thu Aug 20 11:07:06 UTC 2020


The FreeIPA team would like to announce the FreeIPA 4.8.9 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
for Fedora distributions will be available from the official repository
soon.

== Highlights in 4.8.9

* 5011: [RFE] Forward CA requests to dogtag or helper by GSSAPI

* 7137: [RFE]: Able to browse different links from IPA web gui in new
tabs

* 8129: Tests: Replace paramiko with OpenSSH

     Paramiko is not compatible with FIPS mode, therefore convert most
     tests to using ssh directly. The only non-converted test is the
     2-prompt OTP test because sshpass does not support 2-prompt password
     authentication ( https://pagure.io/freeipa/issue/8431 ).

* 8151: test_commands timing-out

     Re-enable test_sss_ssh_authorizedkeys ; add -v to ssh in order to
     get debug information if this test fails or stalls again. The test
     was run 16 times without a failure before re-enabling it.

* 8189: Nightly test failure in test_integration/test_nfs.py::TestIpaClientAutomountFileRestore::test_nsswitch_backup_restore_sssd

     Previously, ipa-client-installation saved the pre-install state
     using "authselect current" command and the uninstallation reverted
     to the same authselect state. In cases where the system was
     installed using authconfig instead of authselect, the uninstallation
     was unable to revert to the same state and picked "sssd"'s
     authselect profile instead. Now, the client installation relies on
     the backup functionality of authselect and is able to revert to the
     exact pre-install state.


* 8304: [fed32] client-install does not properly set
ChallengeResponseAuthentication yes in sshd conf

     ipa-client-installation now writes the sshd configuration to the
     drop-in directory /etc/ssh/sshd_config.d/, in the 04-ipa.conf
     snippet, thus ensuring that the setting
     "ChallengeResponseAuthentication yes" takes precedence.

* 8335: [WebUI] manage IPA resources as a user from a trusted Active
Directory domain

     When users from trusted Active Directory domains have permissions to
     manage IPA resources, they can do so through a Web UI management
     console.


* 8374: EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in freeipa-client-epn

     EPN did not ship any configuration file. This was an oversight, but
     the tool itself would work fine as it had sane defaults ; moreover,
     the man page for the configuration file was present.

* 8391: Remove dnf workaround from test_epn.py

     The new PR-CI images are cleaner and do not need the *epn* packages
     to be uninstalled/reinstalled.

* 8401: Create platform definitions for freeipa-container

     ipaplatform now provides container platform flavors for
     freeipa/freeipa-container

* 8432: test failure in test_commands.py::TestIPACommand::test_login_wrong_password:
AssertionError

     Sometimes test_login_wrong_password fails because the log window the
     string message is searched in is too narrow. Broaden the window by
     looking at the past 10 seconds.

* 8444: EPN: enhance input validation

     Various input validation checks were added to EPN.

* 8445: EPN: '[Errno 111] Connection refused' when the SMTP is down

     EPN now displays a proper message if the configured SMTP server
     cannot be contacted.

* 8449: EPN: enhance CLI option tests

     EPN: enhance existing tests for --dry-run, --from-nbdays and
     --to-nbdays.
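
An added example for ticket 8304 above (not part of the announcement or of FreeIPA's code): sshd uses the first value it obtains for each keyword and reads globbed Include files in lexical order, so a 04-ipa.conf drop-in is read before a later-sorting snippet. The file contents and the 50-distro.conf name are constructed assumptions, and the resolver only models global keywords.

```python
import fnmatch

def effective_setting(main_config, files, keyword):
    """Value sshd would use for a global keyword: the first one obtained wins."""
    def walk(text):
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            parts = line.split(None, 1)
            key = parts[0].lower()            # keywords are case-insensitive
            arg = parts[1].strip() if len(parts) > 1 else ""
            if key == "match":
                return                        # only global settings are evaluated here
            if key == "include":
                for pattern in arg.split():
                    # globbed drop-ins are processed in lexical order
                    for path in sorted(fnmatch.filter(list(files), pattern)):
                        yield from walk(files[path])
                continue
            yield key, arg

    for key, arg in walk(main_config):
        if key == keyword.lower():
            return arg
    return None

# Constructed sample files (assumptions, not copied from any distribution).
MAIN = "Include /etc/ssh/sshd_config.d/*.conf\nPermitRootLogin no\n"
DISTRO = {"/etc/ssh/sshd_config.d/50-distro.conf":
          "ChallengeResponseAuthentication no\n"}
IPA = {"/etc/ssh/sshd_config.d/04-ipa.conf":
       "ChallengeResponseAuthentication yes\n"}
KEY = "ChallengeResponseAuthentication"

def compare():
    """(value when 'yes' is appended to the main file, value with 04-ipa.conf)."""
    appended = effective_setting(MAIN + KEY + " yes\n", DISTRO, KEY)
    dropin = effective_setting(MAIN, {**DISTRO, **IPA}, KEY)
    return appended, dropin

if __name__ == "__main__":
    print(compare())
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check.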

=== Enhancements

=== Known Issues

=== Bug fixes

FreeIPA 4.8.9 is a stabilization release for the features delivered as a
part of 4.8 version series.

There are more than 50 bug fixes, details of which can be seen in the
list of resolved tickets below.

== Upgrading

Upgrade instructions are available on the Upgrade page.

== Feedback

Please provide comments, bugs and other feedback via the freeipa-users
mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/)
or the #freeipa channel on Freenode.

== Resolved tickets

* https://pagure.io/freeipa/issue/5011[#5011]
(https://bugzilla.redhat.com/show_bug.cgi?id=1527185[rhbz#1527185])
[RFE] Forward CA requests to dogtag or helper by GSSAPI

* https://pagure.io/freeipa/issue/5628[#5628] webui: Unclear(UX) purpose
of OTP field in password reset form on login

* https://pagure.io/freeipa/issue/7137[#7137]
(https://bugzilla.redhat.com/show_bug.cgi?id=1484088[rhbz#1484088])
[RFE]: Able to browse different links from IPA web gui in new tabs

* https://pagure.io/freeipa/issue/8129[#8129] Tests: Replace paramiko
with OpenSSH

* https://pagure.io/freeipa/issue/8151[#8151] test_commands timing-out

* https://pagure.io/freeipa/issue/8189[#8189]
(https://bugzilla.redhat.com/show_bug.cgi?id=1810179[rhbz#1810179])
Nightly test failure in
test_integration/test_nfs.py::TestIpaClientAutomountFileRestore::test_nsswitch_backup_restore_sssd

* https://pagure.io/freeipa/issue/8300[#8300] Replace uglify-js with
python3-rjsmin

* https://pagure.io/freeipa/issue/8304[#8304] [fed32] client-install
does not properly set ChallengeResponseAuthentication yes in sshd conf

* https://pagure.io/freeipa/issue/8326[#8326] CVE-2020-10747

* https://pagure.io/freeipa/issue/8335[#8335] [WebUI] manage IPA
resources as a user from a trusted Active Directory domain

* https://pagure.io/freeipa/issue/8336[#8336] [WebUI] "User attributes
for SMB services" section always shown

* https://pagure.io/freeipa/issue/8364[#8364] Nightly test failure while
establishing trust: Cannot find specified domain or server name

* https://pagure.io/freeipa/issue/8366[#8366] CA-less replica deployment
fails with --setup-ca

* https://pagure.io/freeipa/issue/8367[#8367] IPA-EPN fails to build in
ONLY_CLIENT mode

* https://pagure.io/freeipa/issue/8368[#8368]
(https://bugzilla.redhat.com/show_bug.cgi?id=1846349[rhbz#1846349])
cannot issue certs with multiple IP addresses corresponding to different
hosts

* https://pagure.io/freeipa/issue/8369[#8369] cert_find returns "CA not
configured" in CA-less install

* https://pagure.io/freeipa/issue/8370[#8370] ipa-join does not set
nshardwareplatform and nsosversion

* https://pagure.io/freeipa/issue/8371[#8371] Nightly test failure
[testing_master_testing] in
test_integration/test_idviews.py::TestCertsInIDOverrides

* https://pagure.io/freeipa/issue/8372[#8372]
(https://bugzilla.redhat.com/show_bug.cgi?id=1849914[rhbz#1849914])
FreeIPA - Utilize 256-bit AJP connector passwords

* https://pagure.io/freeipa/issue/8374[#8374]
(https://bugzilla.redhat.com/show_bug.cgi?id=1847999[rhbz#1847999]) EPN
does not ship its default configuration ( /etc/ipa/epn.conf ) in
freeipa-client-epn

* https://pagure.io/freeipa/issue/8377[#8377] Nightly test failure
(timeout) in test_caless_TestReplicaInstall

* https://pagure.io/freeipa/issue/8379[#8379] Nightly test failure
[testing_master_pki] while installing CA replica

* https://pagure.io/freeipa/issue/8381[#8381] Nightly test failure in
test_webui/test_loginscreen.py::TestLoginScreen::test_login_view

* https://pagure.io/freeipa/issue/8384[#8384] Provide reliable way to
know if a server installation is complete

* https://pagure.io/freeipa/issue/8388[#8388] Make help() on plugins
more useful

* https://pagure.io/freeipa/issue/8391[#8391] Remove dnf workaround from
test_epn.py

* https://pagure.io/freeipa/issue/8395[#8395] selinux don't audit rules
deny fetching trust topology

* https://pagure.io/freeipa/issue/8396[#8396] [WebUI] Font type of
"Enabled" column in user search facet wrong

* https://pagure.io/freeipa/issue/8399[#8399] certmonger attempts to add
LWCA tracking requests on non-CA server.

* https://pagure.io/freeipa/issue/8400[#8400] sshd template file is
installed in a wrong (server) location while used by the client side

* https://pagure.io/freeipa/issue/8401[#8401] Create platform
definitions for freeipa-container

* https://pagure.io/freeipa/issue/8403[#8403] Add option to add ipaapi
user as an allowed uid for ifp in /etc/sssd/sssd.conf when running
ipa-replica-install

* https://pagure.io/freeipa/issue/8407[#8407] Support changelog
integrated into main database

* https://pagure.io/freeipa/issue/8412[#8412]
(https://bugzilla.redhat.com/show_bug.cgi?id=1857157[rhbz#1857157]) AVC:
httpd cannot connect to ipa-custodia.sock

* https://pagure.io/freeipa/issue/8413[#8413] Nightly test failure in
test_integration/test_replica_promotion.py::TestUnprivilegedUserPermissions::test_sssd_config_allows_ipaapi_access_to_ifp

* https://pagure.io/freeipa/issue/8414[#8414] Nightly test failure in
test_integration/test_replica_promotion.py::TestReplicaPromotionLevel1::test_sssd_config_allows_ipaapi_access_to_ifp

* https://pagure.io/freeipa/issue/8416[#8416] [WebUI] Error while adding
user ID overrides to group

* https://pagure.io/freeipa/issue/8419[#8419] Azure is reporting a slew
of new no-member lint errors

* https://pagure.io/freeipa/issue/8425[#8425] Nightly test failure in
test_cert.test_cert.TestInstallMasterClient (certmonger timeout)

* https://pagure.io/freeipa/issue/8428[#8428] [ipatests] fails due to
new python-cryptography 3.0

* https://pagure.io/freeipa/issue/8429[#8429] Add fips-mode-setup to
ipaplatform.paths

* https://pagure.io/freeipa/issue/8432[#8432] test failure in
test_commands.py::TestIPACommand::test_login_wrong_password:
AssertionError

* https://pagure.io/freeipa/issue/8435[#8435] [ipatests] failures due to
new Pytest6.0 (pypi part)

* https://pagure.io/freeipa/issue/8437[#8437] unit tests for
ipa-extdom-extop are failing in Fedora 33

* https://pagure.io/freeipa/issue/8439[#8439] Nightly test failure in
test_integration/test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring

* https://pagure.io/freeipa/issue/8440[#8440]
(https://bugzilla.redhat.com/show_bug.cgi?id=1863616[rhbz#1863616])
CA-less install does not set required permissions on KDC certificate

* https://pagure.io/freeipa/issue/8441[#8441]
(https://bugzilla.redhat.com/show_bug.cgi?id=1870202[rhbz#1870202]) File
permissions of /etc/ipa/ca.crt differ between CA-ful and CA-less

* https://pagure.io/freeipa/issue/8442[#8442] [pylint] warnings/errors
against pylint 2.5.3

* https://pagure.io/freeipa/issue/8444[#8444]
(https://bugzilla.redhat.com/show_bug.cgi?id=1866291[rhbz#1866291]) EPN:
enhance input validation

* https://pagure.io/freeipa/issue/8445[#8445]
(https://bugzilla.redhat.com/show_bug.cgi?id=1863079[rhbz#1863079]) EPN:
'[Errno 111] Connection refused' when the SMTP is down

* https://pagure.io/freeipa/issue/8447[#8447] Nightly test failure in
test_integration/test_ipahealthcheck/TestIpaHealthCheckWithoutDNS

* https://pagure.io/freeipa/issue/8449[#8449]
(https://bugzilla.redhat.com/show_bug.cgi?id=1866291[rhbz#1866291]) EPN:
enhance CLI option tests

* https://pagure.io/freeipa/issue/8456[#8456] Need new aci's for the new
replication changelog entries

* https://pagure.io/freeipa/issue/8459[#8459] [upgrade] handle missing
openssh-clients

* https://pagure.io/freeipa/issue/8461[#8461] [ALTLinux] server
uninstall error on missing /var/lib/samba

* https://pagure.io/freeipa/issue/8463[#8463] Nightly test failure in
test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring

* https://pagure.io/freeipa/issue/8464[#8464] Increase replication
changelog trimming interval

== Detailed changelog since 4.8.8

Detailed changelog is available at https://www.freeipa.org/page/Releases/4.8.9#Detailed_changelog_since_4.8.8




-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland



