[Freeipa-interest] FreeIPA 4.9.1 released

Alexander Bokovoy abokovoy at redhat.com
Wed Jan 27 09:11:20 UTC 2021


The FreeIPA team would like to announce FreeIPA 4.9.1 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
for Fedora distributions will be available from the official repository
soon.

== Highlights in 4.9.1

* 3226: [RFE] ipa sudorule-add-user should accept more types of
characters

     IPA now supports adding users and groups from trusted Active
     Directory domains to SUDO rules directly, including as the
     runAsUser/runAsGroup properties, without an intermediate non-POSIX
     group membership.


* 7599: Leading / trailing white spaces in password are disallowed

     Leading and trailing whitespace is now allowed in passwords set
     through IPA commands. It was already allowed via Kerberos and LDAP.

* 7676: ipa-client-install changes system wide ssh configuration

     The ProxyCommand wrapper is skipped in the SSH configuration when
     the user's shell is /sbin/nologin, so that automated tools operate
     as expected.

* 8528: Use separate logs for AD Trust and DNS installer

     ipa-adtrust-install and ipa-dns-install commands now log their
     activity into separate log files.

* 8618: ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing
from CS.cfg

     The ipa-cert-fix tool now handles the situation where a CSR is
     missing from Dogtag's CA/KRA CS.cfg configuration files. The
     configuration file is updated with the CSR tracked by Certmonger.

* 8634: Install of CA fails on CentOS 8 Stream with pki-core 10.9

     IPA will not deploy the ACME service if the Dogtag PKI version is
     known not to provide a complete service. Complete ACME support
     requires Dogtag 10.10.0 or later.

* 8635: Memory availability detection does not work with cgroupsv2
environment

     Containerized environments on Linux with cgroup v2 are now
     recognized and supported.
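     As an added illustration of what a container-aware memory check has
     to do (this is example code, not FreeIPA's installer code): cgroup v1
     exposes the limit in memory.limit_in_bytes and encodes "unlimited" as
     a huge number, while cgroup v2 exposes memory.max and encodes
     "unlimited" as the literal string "max". A check that only reads
     /proc/meminfo overreports what a container may actually use. The
     pluggable `read` callable and the constructed /proc/meminfo contents
     are assumptions made so the example runs offline.

```python
"""Container-aware memory availability check (added example, not FreeIPA code)."""

# Standard kernel interface paths for host memory and cgroup limits.
MEMINFO = "/proc/meminfo"
CGROUP_V2_LIMIT = "/sys/fs/cgroup/memory.max"
CGROUP_V1_LIMIT = "/sys/fs/cgroup/memory/memory.limit_in_bytes"

# cgroup v1 reports "no limit" as a very large page-aligned integer;
# anything at or above this threshold is treated as unlimited.
V1_UNLIMITED_THRESHOLD = 1 << 60


def parse_meminfo_available(text):
    """Return MemAvailable from /proc/meminfo contents, in bytes.

    /proc/meminfo labels the unit "kB" but the value is in KiB.
    """
    if text is None:
        raise ValueError("/proc/meminfo contents missing")
    for line in text.splitlines():
        if line.startswith("MemAvailable:"):
            kib = int(line.split()[1])
            return kib * 1024
    raise ValueError("MemAvailable not found in /proc/meminfo")


def parse_cgroup_limit(text, version):
    """Return the cgroup memory limit in bytes, or None when unlimited."""
    value = text.strip()
    if version == 2:
        # cgroup v2: "max" means no limit, otherwise a byte count
        return None if value == "max" else int(value)
    # cgroup v1: unlimited is encoded as a huge number, not a keyword
    limit = int(value)
    return None if limit >= V1_UNLIMITED_THRESHOLD else limit


def _read_file(path):
    """Default reader: file contents, or None if the file is absent."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None


def available_memory(read=_read_file):
    """Effective memory available to this process, in bytes.

    `read` maps a path to its contents (or None if absent); it is
    injectable so the logic can be exercised with constructed inputs.
    The result is the smaller of host MemAvailable and any cgroup limit
    in effect, checking cgroup v2 first and falling back to v1.
    """
    host_available = parse_meminfo_available(read(MEMINFO))

    limit = None
    v2 = read(CGROUP_V2_LIMIT)
    if v2 is not None:
        limit = parse_cgroup_limit(v2, 2)
    else:
        v1 = read(CGROUP_V1_LIMIT)
        if v1 is not None:
            limit = parse_cgroup_limit(v1, 1)

    return host_available if limit is None else min(host_available, limit)


def has_enough_memory(required_bytes, read=_read_file):
    """True when the effective available memory meets the requirement."""
    return available_memory(read) >= required_bytes


if __name__ == "__main__":
    print("available: %d MiB" % (available_memory() // (1024 * 1024)))
```

     Reading cgroup v2 before v1 matters on hybrid hosts, and treating a
     v1 limit at or above the threshold as "no limit" avoids reporting
     terabytes of phantom memory on an unconstrained v1 system.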

* 8644: ipa-certupdate drops profile from the caSigningCert tracking

     The ipa-certupdate tool now honors the CA profile specified in the
     certificate request it tries to update.

* 8646: permission-mod attrs, includedattrs and excludedattrs issues

     Managed permission commands now properly roll back changes if a
     generated ACI has incorrect syntax.

* 8655: Allow to establish trust to Active Directory in FIPS mode

     When IPA is deployed in FIPS mode, it is now possible to establish
     a trust to an Active Directory forest.

* 8659: ipa-kdb: provide correct logon time in MS-PAC from
authentication time

     Trust to Active Directory support was improved to be more compatible
     with AD DC queries: lookup groups via LSA RPCs, allow user principal
     name lookups, more complete PAC record generation.

=== Bug fixes

FreeIPA 4.9.1 is a stabilization release for the features delivered as a
part of 4.9 version series.

There are more than 30 bug fixes since the FreeIPA 4.9.1 release.
Details of the bug fixes can be seen in the list of resolved tickets
below.

== Upgrading

Upgrade instructions are available on the Upgrade page.

== Feedback

Please provide comments, bugs and other feedback via the freeipa-users
mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/)
or the #freeipa channel on Freenode.

== Resolved tickets

#3226 (rhbz#871208) [RFE] ipa sudorule-add-user should accept more types of characters
#7599 (rhbz#1593745) Leading / trailing white spaces in password are disallowed
#7676 (rhbz#1544379) ipa-client-install changes system wide ssh configuration
#8501 Unify how FreeIPA gets FQDN of current host
#8508 Nightly failure (ipa-4-8/master, enforcing mode) in ipa trust-add
#8519 Fedora container platform is incomplete
#8524 (rhbz#1851835) Deploy & manage the ACME service topology wide from a single system
#8528 Use separate logs for AD Trust and DNS installer
#8576 (rhbz#1728015) ipasam: derive parent domain for subdomains automatically
#8584 ACME communication with dogtag REST endpoints should be using the cookie it creates
#8589 (rhbz#1812871) Intermittent IdM Client Registration Failures
#8596 (rhbz#1895197) improve IPA PKI susbsystem detection by other means than a directory presence, use pki-server subsystem-find
#8602 Nightly failure in test_acme.py::TestACME::test_certbot_certonly_standalone: An unexpected error occurred:
#8614 Remove ca.crt from the system-wide store on uninstall
#8618 (rhbz#1780782) ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg
#8631 Nightly failure (389ds master branch) in test_commands.py::TestIPACommand::test_ipa_nis_manage_enable_incorrect_password
#8634 (rhbz#1913089) Install of CA fails on CentOS 8 Stream with pki-core 10.9
#8635 Memory availability detection does not work with cgroupsv2 environment
#8644 (rhbz#1912845) ipa-certupdate drops profile from the caSigningCert tracking
#8646 permission-mod attrs, includedattrs and excludedattrs issues
#8650 Updated dnspython-2.1.0 causes a test failure
#8653 Nightly test failure in test_integration/test_upgrade.py::TestUpgrade::()::test_kra_detection
#8655 (rhbz#1860129) Allow to establish trust to Active Directory in FIPS mode
#8656 Use client keytab for 389ds
#8658 Value stored to 'krberr' is never read in ipa-rmkeytab.c
#8659 ipa-kdb: provide correct logon time in MS-PAC from authentication time
#8660 ipasam: implement PASSDB getgrnam call
#8661 ipasam: allow search of users by user principal name (UPN)
#8662 Nightly test failure (rawhide) in test_ipahealthcheck.py::TestIpaHealthCheckFileCheck::test_ipa_filecheck_bad_owner
#8664 Nightly test failure (fed33, rawhide) in ipa trust-add --external=True
#8668 (rhbz#1915471) Nightly failure in (f33+updates-testing) test_trust.py::TestTrust::test_ipa_commands_run_as_aduser
#8670 Nightly failure (fed33) in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_encryption
#8674 test_ipahealthcheck divides KiB by 1000
#8678 Nightly failure (master) in test_trust.py::TestTrust::test_establish_forest_trust_with_shared_secret
#8682 [ipatests] TestIPACommand.test_login_wrong_password time to time fails


== Detailed changelog since 4.9.1

=== Armando Neto (1)

* ipatests: Update PR-CI definitions for ipa-4-9
https://pagure.io/freeipa/c/ccdecaa984ef6ebcc63d754e896b2229bcba3b88[commit]

=== Alexander Bokovoy (30)

* Become FreeIPA 4.9.1
https://pagure.io/freeipa/c/aa58fad8eb98b0e8e248eb76b107b5e1faac4aeb[commit]
* Force-update translation po/uk.po
https://pagure.io/freeipa/c/a97967ff3b56ba3c3894a5aadffbef68961b3581[commit]
* Force-update translation po/ipa.pot
https://pagure.io/freeipa/c/cb583ac18e33698f9bd950490482a722cc993a06[commit]
* Force-update translation po/hu.po
https://pagure.io/freeipa/c/a1c43ac3c91ae045f402610c88141d7f3d387011[commit]
* Force-update translation po/de.po
https://pagure.io/freeipa/c/6f6dd6240c91b8a4a6c9e6f1090db33ec37c7857[commit]
* Update contributors list
https://pagure.io/freeipa/c/2ac8028e1f8dca4b8bc37bd4995043da647dbfb8[commit]
* baseldap: allow rejecting unknown objects instead of adding to an
external attr
https://pagure.io/freeipa/c/51ca38772f41d3a26a4253a732338d09a69f9647[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* ipatests: when talking to AD DCs, use FQDN credentials
https://pagure.io/freeipa/c/64b70be65698b12927795a7a8b79ef7aada010b8[commit]
https://pagure.io/freeipa/issue/8678[#8678]
* test_trust: add tests for using AD users and groups in SUDO rules
https://pagure.io/freeipa/c/a7c56fde7727bfad3f885cf50e21182cdc46024e[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* ipatests: fix test_sudorule_plugin's wrong argument use
https://pagure.io/freeipa/c/f4d3c91e7f80659268e006dffa5f064b29b45c98[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* sudorule runAs: allow to add users and groups from trusted domains
directly
https://pagure.io/freeipa/c/78043bfb5e2a3b1fc0fae6d55ba605ba469ce5ae[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* sudorule-add-user: allow to reference users and groups from trusted
domains directly
https://pagure.io/freeipa/c/054a068f4705cd715789ceda75fa709404d5f884[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* idviews: add extended validator for users from trusted domains
https://pagure.io/freeipa/c/a3563d1c35fbe9e6e96199ead211ec3b4ff1d2d2[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* baseldap: when adding external objects, differentiate between them and
failures
https://pagure.io/freeipa/c/ffc2edf61efccbcbd4294fbc8a8613decea299a3[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* baseldap: refactor validator support in add_external_pre_callback
https://pagure.io/freeipa/c/132d7fb0ed21e2e7cc69366e2141ae69e7864afb[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* Add design document for using AD users/groups in SUDO rules
https://pagure.io/freeipa/c/16b30cbe5e4f1fd8965ed27ba2ca9b4b7b295e9c[commit]
https://pagure.io/freeipa/issue/3226[#3226]
* use a constant instead of /var/lib/sss/keytabs
https://pagure.io/freeipa/c/9f63afb4408e308c2ee972a72875525afefa5d54[commit]
* trust-fetch-domains: use custom krb5.conf overlay for all trust
operations
https://pagure.io/freeipa/c/c842d4b5c2404d263d56aa0c4ba33fe32b2ca61e[commit]
https://pagure.io/freeipa/issue/8655[#8655],
https://pagure.io/freeipa/issue/8664[#8664]
* ipaserver/dcerpc: store forest topology as a blob in ipasam
https://pagure.io/freeipa/c/3d706b6f57309ec394df617cecb9a73d021fc2f7[commit]
https://pagure.io/freeipa/issue/8576[#8576]
* ipasam: derive parent domain for subdomains automatically
https://pagure.io/freeipa/c/f103172954c259443f0c5b4ac89474e66cf3a1d6[commit]
https://pagure.io/freeipa/issue/8576[#8576]
* ipasam: free trusted domain context on failure
https://pagure.io/freeipa/c/e8f927db7da00d1671f871d3b2e89429aec3beb9[commit]
https://pagure.io/freeipa/issue/8576[#8576]
* ipasam: allow search of users by user principal name (UPN)
https://pagure.io/freeipa/c/2e8eb0f5fe82be58be88fa0d9b07ee7af69d8829[commit]
https://pagure.io/freeipa/issue/8661[#8661]
* ipasam: implement PASSDB getgrnam call
https://pagure.io/freeipa/c/962052a0567b6878843272b1882d0a0b3b2debd1[commit]
https://pagure.io/freeipa/issue/8660[#8660]
* ipa-kdb: provide correct logon time in MS-PAC from authentication time
https://pagure.io/freeipa/c/f8bf37422b7c49a4a39b4704b18158b37ee9ef80[commit]
https://pagure.io/freeipa/issue/8659[#8659]
* ipaserver/dcerpc.py: enforce SMB encryption on LSA pipe if available
https://pagure.io/freeipa/c/3fa07a108030265dc89921a37216a1184e1e7516[commit]
https://pagure.io/freeipa/issue/8655[#8655]
* ipaserver/dcerpc.py: use Kerberos authentication for discovery
https://pagure.io/freeipa/c/8ab9bf68a4d12c8763c1669d0c14b7771a3289da[commit]
https://pagure.io/freeipa/issue/8655[#8655]
* ipaserver/dcerpc: use Samba-provided trust helper to establish trust
https://pagure.io/freeipa/c/753246f4e82af5697ee51bdc7f667959e1824be1[commit]
https://pagure.io/freeipa/issue/8655[#8655]
* ipatests: fix race condition in finalizer of encrypted backup test
https://pagure.io/freeipa/c/6fe573b3d953913bc94fd06c230703dac70f0e8d[commit]
* ipaplatform: add constant for systemd-run binary
https://pagure.io/freeipa/c/8c7d1fbad15c5a906ffa261329dd49be048549ed[commit]
* Get back to git snapshots
https://pagure.io/freeipa/c/0fd4a8936f5b41e83ffdbe00f88309e5a2e94f9f[commit]

=== Antonio Torres (2)

* Check that IPA cert is added to trust store after server install
https://pagure.io/freeipa/c/2715fbd4a73115949264298858ed0835fe982164[commit]
https://pagure.io/freeipa/issue/8614[#8614]
* Test that IPA certs are removed on server uninstall
https://pagure.io/freeipa/c/2a86a93e560e1d9ade2f78b0cf82d93b8833eb39[commit]
https://pagure.io/freeipa/issue/8614[#8614]

=== Antonio Torres Moríñigo (2)

* ipatests: test that trailing/leading whitespaces in passwords are
allowed
https://pagure.io/freeipa/c/3f3762ef92a809059f196e5553f1c31e9f1180e7[commit]
* Allow leading/trailing whitespaces in passwords
https://pagure.io/freeipa/c/89eba7d38db2f510554b3365f9d099190ce80c51[commit]
https://pagure.io/freeipa/issue/7599[#7599]

=== Christian Heimes (1)

* Add ccache sweeper files to gitignore
https://pagure.io/freeipa/c/56b84973b9f02e74f2518bd58694b673f88f8d5e[commit]
https://pagure.io/freeipa/issue/8589[#8589]

=== François Cami (1)

* ipatests: test_ipahealthcheck: fix units
https://pagure.io/freeipa/c/34add4a2e091dc7bc6031f8fc6cc80904b1bea20[commit]
https://pagure.io/freeipa/issue/8674[#8674]

=== Florence Blanc-Renaud (12)

* ipatests: fix discrepancies in nightly defs
https://pagure.io/freeipa/c/bb78693405aab603203e60a174b04cd3264e1855[commit]
* ipatests: fix expected output for ipahealthcheck.ipa.files
https://pagure.io/freeipa/c/dc2a52abe256d2de09eafe8a07898b0cbea3404b[commit]
https://pagure.io/freeipa/issue/8662[#8662]
* ipatests: fix healthcheck test for ipahealthcheck.ds.encryption
https://pagure.io/freeipa/c/2a207918521b474a39c1689837db146800624af8[commit]
https://pagure.io/freeipa/issue/8670[#8670]
* ipatests: fix expected errmsg in
TestTrust::test_ipa_commands_run_as_aduser
https://pagure.io/freeipa/c/bd3bad88ee4d4535416ad5fc5f97b55a939534ef[commit]
https://pagure.io/freeipa/issue/8668[#8668]
* ipatest: fix test_upgrade.py::TestUpgrade::()::test_kra_detection
https://pagure.io/freeipa/c/0db289695c8225cad5c17c6a5846ff0a373c3ce6[commit]
https://pagure.io/freeipa/issue/8596[#8596],
https://pagure.io/freeipa/issue/8653[#8653]
* selinux: modify policy to allow one-way trust
https://pagure.io/freeipa/c/952b6bdcceda9f460e17075404084f1f3ddb5eaa[commit]
https://pagure.io/freeipa/issue/8508[#8508]
* ipatests: add test_ipa_cert_fix to the nightly definitions
https://pagure.io/freeipa/c/7f2be8a45a1d4baff0074cf4d8c446e3d08db795[commit]
https://pagure.io/freeipa/issue/8618[#8618]
* ipa-cert-fix: do not fail when CSR is missing from CS.cfg
https://pagure.io/freeipa/c/eb711f781322657b0b3d77332f2462ecfb27db95[commit]
https://pagure.io/freeipa/issue/8618[#8618]
* ipatests: add a test for ipa-cert-fix
https://pagure.io/freeipa/c/f36e518b5704b02b81a4b80a1b84c429594cf5ce[commit]
https://pagure.io/freeipa/issue/8618[#8618]
* ipatests: clear initgroups cache in clear_sssd_cache
https://pagure.io/freeipa/c/286d0680a6d4ae53b79596e545f9291791e36aa5[commit]
* ipatests: remove test_acme from gating
https://pagure.io/freeipa/c/dd1b596b5711aefd87fd6ec340c3713ee5932425[commit]
https://pagure.io/freeipa/issue/8602[#8602]
* ipatests: fix expected error message in test_commands
https://pagure.io/freeipa/c/8bc341868f9154a625b7aae2604a7aa7b6cd0696[commit]
https://pagure.io/freeipa/issue/8631[#8631]

=== JoeDrane (1)

* Update ipa_sam.c
https://pagure.io/freeipa/c/b53592492879f87465774eb9a4d6c02a8ba26a5e[commit]

=== Rob Crittenden (16)

* ipatests: test the cgroup v2 memory restrictions
https://pagure.io/freeipa/c/85d944cea13725511973fa00c9db6a1ebeb90efa[commit]
https://pagure.io/freeipa/issue/8635[#8635]
* Add support for cgroup v2 to the installer memory checker
https://pagure.io/freeipa/c/1dd4501a9fe1e83964b1f008b91d20b4afe5051a[commit]
https://pagure.io/freeipa/issue/8635[#8635]
* ipa-rmkeytab: Check return value of krb5_kt_(start|end)_seq_get
https://pagure.io/freeipa/c/7b380969241b7f28b2aa275ff1a71fdf78912580[commit]
https://pagure.io/freeipa/issue/8658[#8658]
* ipa-rmkeytab: convert numeric return values to #defines
https://pagure.io/freeipa/c/06ffc7aae7f37bbd03dbd145e30c13f2234ed071[commit]
https://pagure.io/freeipa/issue/8658[#8658]
* ipa_pwd: Remove unnecessary conditional
https://pagure.io/freeipa/c/f6cfbffc8f2e45d0e8e6057e6ead6d35e99bf48a[commit]
* ipa_kdb: Fix memory leak
https://pagure.io/freeipa/c/df0c2d7e0ca8c3620093a47c9592de4f37e86608[commit]
* ipa-kdb: Fix logic to prevent NULL pointer dereference
https://pagure.io/freeipa/c/93f8840ed8f484c7880534b86aaad3d1f8fb0d2e[commit]
* ipa-kdb: Change mspac base RID logic from OR to AND
https://pagure.io/freeipa/c/f0de557063b6db143fd0d2ff47b08610edb39706[commit]
* Add missing break statement to password quality switch
https://pagure.io/freeipa/c/ec4511ec12dfeff2cc2f3a23171089bd32c5add0[commit]
* Revert "Remove test for minimum ACME support and rely on package deps"
https://pagure.io/freeipa/c/3aeb9b8e40cc526fd5c5162158b9cc5755670f66[commit]
https://pagure.io/freeipa/issue/8634[#8634]
* ipatests: See if nologin supports -c before asserting message
https://pagure.io/freeipa/c/ca9f8d1c9feda6fd58220f1424970dcca5b730e0[commit]
https://pagure.io/freeipa/issue/7676[#7676]
* ipatests: test that modifying a permission attrs handles failure
https://pagure.io/freeipa/c/bdc383a1a906f97c06b2bfa281a4b290fb4b04b3[commit]
https://pagure.io/freeipa/issue/8646[#8646]
* Remove virtual attributes before rolling back a permission
https://pagure.io/freeipa/c/9ae744254dd845f9a459601cb8a1468aeaad028a[commit]
https://pagure.io/freeipa/issue/8646[#8646]
* Remove invalid test case for DNS SRV priority
https://pagure.io/freeipa/c/071b71290601d4a5f6a65adf2b55c34d3865172d[commit]
https://pagure.io/freeipa/issue/8650[#8650]
* ipatests: test that no errors are reported after ipa-certupdate
https://pagure.io/freeipa/c/ad1764a1fff885e1c386b0a9f50517b2e0725e03[commit]
https://pagure.io/freeipa/issue/8644[#8644]
* Don't change the CA profile when modifying request in ipa_certupdate
https://pagure.io/freeipa/c/10ba43ad35acecdd1c4b7981db31a90cce1b9fab[commit]
https://pagure.io/freeipa/issue/8644[#8644]

=== Robbie Harwood (1)

* Set client keytab location for 389ds
https://pagure.io/freeipa/c/df411f00a3d1db2fcb0d122a54b9e13a57e35f3f[commit]
https://pagure.io/freeipa/issue/8656[#8656]

=== Stanislav Levin (2)

* ipatests: Don't assume sshd flush its logs immediately
https://pagure.io/freeipa/c/cbe7d2258d6c900b2e02b2373e720275d9917316[commit]
https://pagure.io/freeipa/issue/8682[#8682]
* ipatests: Raise log level of 389-ds replication
https://pagure.io/freeipa/c/41a9cc637b4ea8794fc17f9fc06c6cf8d3a31caa[commit]

=== Sergey Orlov (2)

* ipatests: use fully qualified name for AD admin when establishing
trust
https://pagure.io/freeipa/c/dc16c2484c1006bc249848383d86ef828abd921a[commit]
* ipatests: do not set dns_lookup to true
https://pagure.io/freeipa/c/8d7697af269e68e051ce969ae9cc835f5ba6a3b7[commit]

=== Sudhir Menon (2)

* ipatests: Test for IPATrustControllerPrincipalCheck
https://pagure.io/freeipa/c/2035ba9925ae738d2dbdd1274168cb99a2364db0[commit]
* ipatests: ipahealthcheck remove test skipped in pytest run
https://pagure.io/freeipa/c/27cc011ac286db20a4cd9dbdd65d4a8fd1cb7e3a[commit]


-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland