The FreeIPA team would like to announce FreeIPA 4.7.1 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
for Fedora 29 and Fedora 28 will be available in the official
[https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-7/ COPR
repository].
== Highlights in 4.7.1 ==
* In Web UI now more pages can be in local languages, including a login page
* Complete drop of support for domain level 0 (DL0)
* FreeIPA is compatible with with Samba 4.9
* Support FIPS mode for trust to AD
* Remove Python 2 support packages
* Update licenses of 389-ds plugins to be in line with 389-ds
* New advises to ease management of systems with Cockpit
* Better test coverage for Web UI and certificate management
=== Enhancements ===
FreeIPA 4.7.1 provides an easy way to allow administrators to perform
management operations on all enrolled machines by creating a set of SUDO
and HBAC rules with a new FreeIPA advise available in ipa-advise tool.
Support for Domain Level 0 is removed. If you need to upgrade to FreeIPA
4.7, please consider first to upgrade masters and replicas to FreeIPA
4.4-4.6, raise domain level to 1, and then upgrade to FreeIPA 4.7.1.
Web UI localization was rewritten. Now Web UI allows to localize
pre-login static pages and localization can be more flexible in the way
how terms could be placed in non-English locales. Also Russian and
Ukrainian translations are complete now.
Support for Python 2 packages is removed from the provided RPM spec
files. Next releases will only support Python 3.
In FIPS mode under some conditions trust to Active Directory forest is
failing. Now FreeIPA will exclude RC4 cipher from the list of supported
ciphers when establishing trust under FIPS mode. As result, in FIPS mode
FreeIPA 4.7.1 will not be able to interoperate with Windows Server 2003
versions.
Samba 4.9 made implicit requirement to have BUILTIN\Guests group mapped
to POSIX environment. FreeIPA 4.7.1 is mapping this mandatory SMB group
to `nobody` group.
=== Known Issues ===
=== Bug fixes ===
FreeIPA 4.7.1 is a stabilization release for the features delivered as a
part of 4.7.0.
There are more than 20 bug-fixes details of which can be seen in
the list of resolved tickets below.
== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahos…)
or #freeipa channel on Freenode.
== Resolved tickets ==
* 7711 python 3 fallout in ipa-server-install
* 7710 Update spec file to require sssd-ipa, not an sssd meta-package
* 7680 Detect Python interpreter during configure
* 7679 [WebUI] all validation items are rendered on each key typing at
login form
* 7678 [WebUI] JS error of 'reset' view
* 7674 client install fails on Fedora 29
* 7662 SELinux is preventing /usr/sbin/httpd from write access on the
directory /etc/httpd/alias/
* 7661 SELinux is preventing /usr/sbin/httpd from getattr access on the
file /usr/lib/systemd/system/fedora-domainname.service
* 7657 Leaving IPA domain fails: Failed to remove krb5/LDAP
configuration: expected str, bytes or os.PathLike object, not NoneType
* 7656 ipa-replica-install on DL0 doesn't completely honor --no-host-dns
* 7650 client installer uses invalid format in chmod (0x...)
* 7649 error shown when options are added to an existing sudo rule
* 7641 [Translation] ipa/migration/{error,index,invalid}.html are not
translated
* 7640 [Translation] ipa/config/{unauthorized,ssbrowser}.html are not
translated
* 7628 ipa ca-show <ca> --certificate-out=/tmp/ca fails with python type
error
* 7625 ipa-client-install fails with ScriptError(rval=CLIENT_INSTALL_ERROR)
* 7621 [Translation] sync otp page is not translated completely
* 7619 [Translation] reset password page is not translated
* 7608 FreeIPA 4.6.3 install fails when `/proc/sys/crypto` is absent
* 7538 sudo rule for "admins" members should be created by default
== Detailed changelog since 4.7.0 ==
=== Armando Neto (3) ===
* Add test for client installation with empty keytab file
* Fix certificate type error when exporting to file
* Delete empty keytab during client installation
=== Alexander Bokovoy (8) ===
* Update list of contributors
* Import updated translations from Zanata
* Re-sort the translations before importing new ones from Zanata
* When stripping PO files, sort the output
* Support Samba 4.9
* ipasam: do not use RC4 in FIPS mode
* Move fips_enabled to a common library to share across different plugins
* ipa-extdom-extop: Update licenses to GPLv3 or later with exceptions
=== Alexander Scheel (2) ===
* Add missing docstrings to kernel_keyring.py
* Add docstring to verify_kdc_cert_validity
=== Christian Heimes (21) ===
* Fix zonemgr encoding issue
* Py3: Replace six.moves imports
* Lint yaml and RPM spec
* Py3: Replace six.bytes_type with bytes
* Py3: Replace six.text_type with str
* Py3: Replace six.integer_types with int
* Py3: Replace six.string_types with str
* Require sssd-ipa instead of sssd meta pkg
* Py3: Remove subclassing from object
* Sprinkle raw strings across the code base
* Workaround for pyasn1 0.4
* Remove Python 2 support and packages
* Don't check for systemd service
* Refactor os-release and platform information
* Generate scripts from templates
* Rename Python scripts and add dynamic shebang
* Detect and prefer platform Python
* Disable DL0 specific tests
* Rename pytest_plugins to ipatests.pytest_ipa
* Add convenient template for temp commits
* Fix topology configuration of nightly runs
=== Felipe Barreto (1) ===
* Making nigthly test definition editable by FreeIPA's contributors
=== Florence Blanc-Renaud (21) ===
* ipatests: remove TestReplicaManageDel (dl0)
* ipatests: mark known failure for installation_TestInstallWithCA2
* ipa-server-upgrade: fix inconsistency in
setup_lightweight_ca_key_retrieval
* Tests: remove dl0 tests from nightly definition
* ipatests: mark known failures as xfail
* tests: add test for uninstall with incomplete sysrestore.state
* authselect: harden uninstallation of ipa client
* ipa-advise: configure pam_cert_auth=True for smart card on client
* Test: scenario replica install/uninstall should restore ssl.conf
* ipa-replica-install: properly use the file store
* Tests: test successful PKINIT install on replica
* ipa-replica-install: fix pkinit setup
* tests: add test for server install with --no-dnssec-validation
* ipa-server-install: do not perform forwarder validation with
--no-dnssec-validation
* DS replication settings: fix regression with <3.3 master
* Test: test ipa-* commands when IPA is not configured
* ipa commands: print 'IPA is not configured' when ipa is not setup
* ipautil.run: add test for runas parameter
* uninstall -v: remove Tracebacks
* PRCI: extend timeouts for gating
* Tests: add integration test for password changes by dir mgr
=== Fraser Tweedale (1) ===
* Fix writing certificate chain to file
=== Ganna Kaihorodova (1) ===
* Add check for occuring traceback during uninstallation ipa master
=== Michal Reznik (8) ===
* bump PRCI template version to 0.1.9
* add strip_cert_header() to tasks.py
* tests: sssd_ssh fd leaks when user cert converted into SSH key
* bump PRCI template version to 0.1.8
* Add "389-ds-base-legacy-tools" to requires.
* test: client uninstall fails when installed using non-existing hostname
* ipa_tests: test ssh keys login
* prci_definitions: fix wrong indentation in the nightly yaml
=== Mohammad Rizwan Yusuf (2) ===
* Test if WSGI worker process count is set to 4
* Check if user permssions and umask 0022 is set when executing ipa-restore
=== Orion Poplawski (1) ===
* ipaclient-install: chmod needs octal permissions
=== Pavel Picka (3) ===
* PRCI failures fix
* PR-CI extend timeouts
* WebUI Tests stabilize
=== Petr Vobornik (3) ===
* webui: redable color of invalid fields on login-screen-like pages
* webui: remove mixed indentation in App and LoginScreen
* webui: change indentation of freeipa/_base/debug.js
=== Rob Crittenden (11) ===
* Add entry for Serhii to mailmap
* Fix identifier typo in UI
* Add uninstallation tests to night master and rawhide
* Fix uninstallation test, use different method to stop dirsrv
* Try to resolve the name passed into the password reader to a file
* Advise plugin for enabling sudo for members of the admins group
* Update required version of dogtag to detect when FIPS is available
* Retrieve certificate subject base directly instead of ipa-join
* Honor no-host-dns when creating client host in replica install
* Convert members into types in sudorule-*-option
* Set development version to 4.7.90
=== Robbie Harwood (2) ===
* Add cmocka unit tests for ipa otpd queue code
* Clear next field when returnining list elements in queue.c
=== Stanislav Levin (115) ===
* Add title to 'add' dialog for 'association_table' widget of Topology
entity
* Add title to 'add' dialog for 'association_table' widget of Vaults entity
* Add title to 'add' dialog for 'association_table' widget of
Certificates entity
* Add title to 'add' dialog for 'association_table' widget of SELinux
User Maps entity
* Add title to 'add' dialog for 'association_table' widget of Sudo entity
* Add title to 'add' dialog for 'association_table' widget of HBAC entity
* Add title to 'add' dialog for 'association_table' widget of Groups entity
* Add title to 'add' dialog for 'association_table' widget of Services
entity
* Add title to 'add' dialog for 'association_table' widget of Hosts entity
* Drop concatenated title of add dialog for association_table widget
* Add title to 'add' dialog for details of 'RBAC' entity
* Add title to 'add' dialog for details of 'OTP Tokens' entity
* Add title to 'add' dialog for details of 'Sudo' entity
* Add title to 'add' dialog for details of 'HBAC' entity
* Add title to 'add' dialog for details of 'ID Views' entity
* Add title to 'add' dialog for details of 'Groups' entity
* Add title to 'add' dialog for details of 'Services' entity
* Add title to 'add' dialog for details of 'Hosts' entity
* Add title to 'add' dialog for details of 'Users' entity
* Add title to 'add' dialog for details of 'Certificate' entity
* Drop concatenated title of 'Add' dialog for details of entity
* Add title to 'add' dialog for 'Topology' entity
* Add title to 'add' dialog for 'Trusts' entity
* Add title to 'add' dialog for 'ID Ranges' entity
* Add title to 'add' dialog for 'RBAC' entity
* Add title to 'add' dialog for 'Vault' entity
* Add title to 'add' dialog for 'DNS' entity
* Add title to 'add' dialog for 'Automount' entity
* Add title to 'add' dialog for 'Certificate Identity' entity
* Add title to 'add' dialog for 'RADIUS' entity
* Add title to 'add' dialog for 'Certificates' entity
* Add title to 'add' dialog for 'Password Policies' entity
* Add title to 'add' dialog for 'SELinux' entity
* Add title to 'add' dialog for 'Sudo' entity
* Add title to 'add' dialog for 'HBAC' entity
* Add title to 'add' dialog for 'Automember' entity
* Drop concatenated title of 'add' dialog for 'attribute_table' widget
* Add title to 'add' dialog for 'ID Views' entity
* Add title to 'add' dialog for 'Groups' entity
* Add title to 'add' dialog for 'Service' entity
* Add title to 'add' dialog for 'Host' entity
* Add title to 'add' dialog for 'OTP' entity
* Add title to 'add' dialog for 'Users' entity
* Drop concatenated title of 'add' dialog
* Add jslint check to PR CI tests
* Fix javascript 'errors' found by jslint
* Add title to remove dialog of 'DNS' entity
* Add title to 'unprovision' dialog
* Add title to 'Remove' dialog for 'association_table' widget of 'Vault'
entity
* Add title to 'Remove' dialog for 'association_table' widget of
'Topology' entity
* Add title to 'Remove' dialog for 'association_table' widget of 'CA' entity
* Add title to 'Remove' dialog for 'association_table' widget of
'SELinux' entity
* Add title to 'Remove' dialog for 'association_table' widget of 'Sudo'
entity
* Add title to 'Remove' dialog for 'association_table' widget of 'HBAC'
entity
* Add title to 'Remove' dialog for 'association_table' widget of
'Automember' entity
* Allow having a custom title of 'Remove' dialog for 'attribute_table'
widget
* Add title to 'remove' dialog for 'association_table' widget of
'Groups' entity
* Add title to 'remove' dialog for 'association_table' widget of
'Services' entity
* Add title to 'remove' dialog for 'association_table' widget of 'Hosts'
entity
* Drop concatenated title of remove dialog
* Fix loading 'freeipa/text' at production mode
* Add a title to 'remove' dialog for details of 'Trusts' entity
* Add a title to 'remove' dialog for details of 'RBAC' entity
* Add a title to 'remove' dialog for details of 'OTP Tokens' entity
* Add a title to 'remove' dialog for details of 'Sudo' entity
* Add a title to 'remove' dialog for details of 'HBAC' entity
* Add a title to 'remove' dialog for details of 'Groups' entity
* Add a title to 'remove' dialog for details of 'Services' entity
* Add a title to 'remove' dialog for details of 'Hosts' entity
* Add a title to 'remove' dialog for details of 'Users' entity
* Drop concatenated title of remove dialog
* Add title to remove dialog of 'Trusts' entity
* Add title to remove dialog of 'Topology' entity
* Add title to remove dialog of 'ID Ranges' entity
* Add title to remove dialog of 'RBAC' entity
* Add title to remove dialog of 'DNS' entity
* Add title to remove dialog of 'Automount Locations' entity
* Add title to remove dialog of 'Certificate Identity Mapping Rules' entity
* Add title to remove dialog of 'RADIUS Servers' entity
* Add title to remove dialog of 'OTP Tokens' entity
* Add title to remove dialog of 'Certificates' entity
* Add title to remove dialog of 'Password Policies' entity
* Add title to remove dialog of 'SELinux User Maps' entity
* Add title to remove dialog of 'Sudo' entity
* Add title to remove dialog of 'HBAC' entity
* Add title to remove dialog of 'Automember' entity
* Add title to remove dialog of 'ID Views' entity
* Add title to remove dialog of 'Groups' entity
* Add title to remove dialog of 'Services' entity
* Add title to remove dialog of 'Hosts' entity
* Add title to remove dialog of 'Users' entity
* Drop concatenated title of remove dialog
* Add tests for LoginScreen widget
* Add "bounce" logic from "reset_password.js"
* Fix translations of messages in LoginScreen widget
* Clean up reset_password.js file from project
* Use "login" plugin instead of standalone JS file
* Add "reset_and_login" view to LoginScreen widget
* Replace the direct URL with config's one
* Add basic tests to web pages which are located at /ipa/config/
* Fix translation of "ssbrowser.html" Web page
* Fix translation of "unauthorized.html" Web page
* Fix render validation items on keypress event at login form
* Reindex 'key_indicies' after item delete
* Fix "get_key_index" to fit caller's expectations
* Add basic tests for "migration" end point
* Clean up migration "error" and "invalid" pages from project
* Provide translatable messages for MigrateScreen widget
* Integrate "migration" page to IPA Web framework.
* Return the result of "password migration" procedure
* Add "migrate" Web UI plugin
* Add MigrateScreen widget
* Fix translation of "SyncOTPScreen" widget
* Fix translation of "sync_otp" plugin
* Replace the direct URL with config's one
=== Serhii Tsymbaliuk (1) ===
* Replace logo images with new one (version 4.7)
=== Serhii Tsymbaliuk (15) ===
* Change Web UI tests setup flow
* Fix UI_driver.has_class exception. Handle situation when element has
no class attribute
* Increase some timeouts in Web UI tests
* Remove unnecessary session clearing in some Web UI tests
* Add cookies clearing for all Web UI tests
* Generate CSR for test_host::test_certificates (Web UI test)
* Add SAN extension for CSR generation in test_cert (Web UI tests)
* Fix unpermitted user session in test_selfservice (Web UI test)
* Fix test_user::test_login_without_username (Web UI test)
* Use random realmdomains in test_webui/test_realmdomains.py
* Fix test_realmdomains::test_add_single_labeled_domain (Web UI test)
* Increase request timeout for WebUI tests
* Use random IPs and domains in test_webui/test_host.py
* Fix hardcoded CSR in test_webui/test_cert.py
* Replace old login screen logo with new one
=== Thierry Bordaz (1) ===
* In IPA 4.4 when updating userpassword with ldapmodify does not update
krbPasswordExpiration nor krbLastPwdChange
=== Tibor Dudlák (3) ===
* Do not set ca_host when --setup-ca is used
* Add assert to check output of upgrade
* Re-open the ldif file to prevent error message
=== Thomas Woerner (40) ===
* Remove DL0 specific code from ipatests/test_integration/test_caless.py
* Remove DL0 specific code from ipatests/pytest_ipa/integration/tasks.py
* Remove DL0 specific tests from
ipatests/test_integration/test_replica_promotion.py
* Remove replica_file knob from ipalib/install/service.py
* Remove replica_file from ClientInstall class in
ipaclient/install/client.py
* Remove options.promote from install in ipaserver/install/server/install
* Rename CustodiaModes.STANDALONE to CustodiaModes.FIRST_MASTER
* Remove DL0 specific code from custodiainstance in ipaserver/install
* Remove create_replica_config from installutils in ipaserver/install
* Remove DL0 specific code from replicainstall in ipaserver/install/server
* Remove DL0 specific code from __init__ in ipaserver/install/server
* Remove DL0 specific code from ipa_replica_install in ipaserver/install
* Remove unused promote arg in krbinstance.create_replica in
ipaserver/install
* Remove DL0 specific code from kra in ipaserver/install
* Remove DL0 specific code from dsinstance ipaserver/install
* Remove DL0 specific code from ipa_kra_install in ipaserver/install
* Remove DL0 specific code from cainstance and ca in ipaserver/install
* Remove DL0 specific code from ipa-ca-install
* Remove ipa-replica-prepare script and man page
* Adapt freeipa.spec.in for latest Fedora, fix python2 ipatests
packaging bug
* replicainstall: Make sure that domain fulfills minimal domain level
requirement
* ipatests/test_xmlrpc/tracker/server_plugin.py: Increase hard coded
mindomainlevel
* ipaserver/install/adtrust.py: Do not use DOMAIN_LEVEL_0 for minimum
* ipatests/test_ipaserver/test_install/test_installer.py: Drop tempfile
import
* ipatests: Drop test_password_option_DL0
* Move DL0 raises outside if existing conditionals to calm down pylint
* Remove "at DL1" from ipa-server-install man page
* Remove "at DL1" from ipa-replica-manage man page
* Remove DL0 specific sections from ipa-replica-install man page
* Remove support for replica_file option from ipa-kra-install
* Remove support for replica_file option from ipa-ca-install
* Raise error if DL is set to 0 or DL0 options are used
* Mark replica_file option as deprecated
* Increase MIN_DOMAIN_LEVEL to DOMAIN_LEVEL_1
* Do not install ipa-replica-prepare
* ipaclient: Remove --no-sssd and --no-ac options
* ipa_restore: Restore SELinux context of template_dir
/var/log/dirsrv/slapd-X
* httpinstance: Restore SELinux context of session_dir /etc/httpd/alias
* ipaserver/plugins/cert.py: Added reason to raise of errors.NotFound
* Fix $-style format string in ipa_ldap_init (util/ipa_ldap.c)
URL: https://github.com/freeipa/freeipa/pull/2431
Author: rcritten
Title: #2431: [Backport][ipa-4-7] ipatests: remove TestReplicaManageDel (dl0)
Action: opened
PR body:
"""
This PR was opened automatically because PR #2426 was pushed to master and backport to ipa-4-7 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2431/head:pr2431
git checkout pr2431
URL: https://github.com/freeipa/freeipa/pull/2429
Author: rcritten
Title: #2429: [Backport][ipa-4-7] [Py3] Fix zonemgr encoding issue
Action: opened
PR body:
"""
This PR was opened automatically because PR #2407 was pushed to master and backport to ipa-4-7 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2429/head:pr2429
git checkout pr2429
URL: https://github.com/freeipa/freeipa/pull/2428
Author: rcritten
Title: #2428: [Backport][ipa-4-7] ipatests: remove TestReplicaManageDel (dl0)
Action: opened
PR body:
"""
This PR was opened automatically because PR #2426 was pushed to master and backport to ipa-4-7 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2428/head:pr2428
git checkout pr2428
URL: https://github.com/freeipa/freeipa/pull/2407
Author: tiran
Title: #2407: [Py3] Fix zonemgr encoding issue
Action: opened
PR body:
"""
The zonemgr validator and handler performs additional encodings for IDNA
support. In Python 3, the extra steps are no longer necessary because
arguments are already proper text and stderr can handle text correctly.
This also fixes 'b' prefix in error messages like:
option zonemgr: b'empty DNS label'
Fixes: https://pagure.io/freeipa/issue/7711
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2407/head:pr2407
git checkout pr2407
URL: https://github.com/freeipa/freeipa/pull/2426
Author: flo-renaud
Title: #2426: ipatests: remove TestReplicaManageDel (dl0)
Action: opened
PR body:
"""
TestReplicaManageDel is a test using domain level 0
but we do not support it any more. Remove the test.
Related to https://pagure.io/freeipa/issue/7689
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2426/head:pr2426
git checkout pr2426
URL: https://github.com/freeipa/freeipa/pull/2421
Author: abbra
Title: #2421: Update list of contributors
Action: opened
PR body:
"""
Another part of the preparation for the 4.7 release: update list of contributors.
I tried to sort the list of translators, thus there is a bit more churn in that part.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2421/head:pr2421
git checkout pr2421