Here are the draft release notes for the second pre-release of 4.7.0.
Let me know if I've missed anything.
{{ReleaseDate|2018-05-14}}
The FreeIPA team would like to announce the FreeIPA 4.6.90.pre2 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds
for Fedora 28 and rawhide will be available in the Fedora repositories.
== Highlights in 4.6.90.pre2 ==
The major new features of this release are:
* Switch from using mod_nss for the Apache TLS engine to using mod_ssl.
Upgrading will move the certificates and keys from /etc/httpd/alias to
/var/lib/ipa/certs/.
* Switch time client and server from ntp to chrony.
* Switch from using authconfig to authselect to configure the PAM stack.
=== Known Issues ===
=== Bug fixes ===
FreeIPA 4.6.90.pre2 is a preview release for the features delivered as a
part of 4.7.0.
There are more than 70 bug fixes, details of which can be seen in
the list of resolved tickets below.
== Upgrading ==
Upgrade instructions are available on the [[Upgrade]] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahos…)
or the #freeipa channel on Freenode.
== Resolved tickets ==
* 7530 external CA replica installation fails with CA_UNREACHABLE
* 7529 AVC denials and errors for IPA server installed on Fedora28
* 7524 ipa-client-install fails because of missing file
/usr/share/ipa/freeipa.template
* 7523 external CA installation: step two reports self-signed configuration
* 7520 ipa certmap-match throwing "ipa: ERROR: an internal error has
occurred"
* 7519 Adding SSH keys for AD users as I created overrides
* 7518 Improve Custodia client and key distribution handling
* 7515 ipa-advise config-server-for-smart-card-auth refers to nss.conf
despite the migration to ssl.conf
* 7514 Allow to create Kerberos services without a corresponding host object
* 7513 Allow Kerberos services to be members of IPA groups
* 7512 Missing dependency for freeipa-client: python3-augeas
* 7510 validate_selinuxuser does not allow a period in selinux user
identifier
* 7508 Trust tests for Posix support are failing with Assertion Error
None on Windows Server 2016
* 7507 ui_tests: extend test_user suite
* 7505 WebUI tests: Extend netgroup tests
* 7503 multiple occurrences of profileId in certprofile causes incorrect
behaviour
* 7499 Integration tests dns_location in regards of check NTP records
failing
* 7498 [F28] CA replica fails with could not find certificate named
"caSigningCert cert-pki-ca"
* 7496 csrgen fails if subject base contains lower-case attribute names
* 7490 installutils.set_directive doesn't handle debian ssl.conf properly
* 7489 Test test_caless_TestCertInstall is failing in nightly
* 7488 Set nsds5ReplicaReleaseTimeout on all replicas and databases
* 7486 Allow hosts to delete their own services
* 7485 Extending webui user group test
* 7484 Load ipaclient.csrgen on demand to speed up CLI
* 7478 [F28] ipa-backup fails with "Failed to execute authconfig command"
* 7474 ipa-server-install --uninstall on replica fails with
"NoOptionError: No option 'ldap_uri' in section: 'global'"
* 7473 ERROR: No valid Negotiate header in server response
* 7470 TestBasicADTrust.test_ipauser_authentication is failing with
error "Confidentiality required"
* 7469 ipa-replica-prepare fail with "stat: path should be string,
bytes, os.PathLike or integer, not NoneType"
* 7468 test_host.py::test_host::test_crud is failing in nightly tests
* 7466 [F28] Replica installs fails with CA_REJECTED caused by ACIError
* 7463 test_webui: add user life-cycles tests
* 7461 Hardening of topology plugin to prevent erronous deletion of a
replica agreement
* 7459 [RFE] replica-install: warn when only one CA exists in topology
* 7458 ui_tests: extend test_hostgroup.py suite
* 7456 ipa otptoken-add should use LDAP Whoami call
* 7454 Upgrade from F27 to F28 produces an error while updating
ipa.conf.template
* 7450 "This entry already exists" error when upgrading on IPA 4.5
* 7442 Replication agreement status incorrectly checked
* 7441 ui_tests: extend test_service.py suite
* 7436 ipa: Please log something after restarting the KDC
* 7427 User Administrator doesn't have enough privileges to edit
homeDirectory attribute
* 7426 DogtagInstance.backup_config creates backup with wrong owner
* 7425 ipa-server-install with different IP fails on /usr/sbin/pkispawn
-s CA
* 7424 Improve Realm Domains doc text
* 7421 Store HTTPD private keys encrypted
* 7415 CA installer need to check availability of port 8080
* 7410 ipa-replica-install --add-agents option doesn't install
trust-agent on replica
* 7377 Investigate and define plan of authconfig replacement in FreeIPA
* 7376 clear sssd cache when uninstalling client
* 7366 RFE: ipa client should setup openldap for GSSAPI
* 7330 ipa-server-install --uninstall does not return error code on error
* 7183 /etc/gssproxy/10-ipa.conf not removed on uninstall
* 7095 [tracker] please rotate & compress
/var/lib/pki/pki-tomcat/logs/ca/debug
* 7041 [ipa-replica-install] - KDC has no support for encryption type -
reoccurence in multireplica scenario
* 7024 freeipa depends on ntp
* 6884 ipa group-del gives ipa: ERROR: Insufficient access: but still
deletes group
* 6843 ipa-backup does not create log file at /var/log/
* 5776 webui: some data disappear from user details page after the save
action is performed
* 5673 contrib/nssciphersuite/nssciphersuite.py raising error in tests
* 4853 Utilize system-wide crypto-policies
== Detailed changelog since 4.6.90.pre1 ==
=== Alexander Bokovoy (13) ===
* group: allow services as members of groups
* service: allow creating services without a host to manage them
* group-del: add a warning to logs when password policy could not be removed
* idoverrideuser-add: allow adding ssh key in web ui
* ACL: Allow hosts to remove services they manage
* install: validate AD trust-related options in installers
* replication: support error messages from 389-ds 1.3.5 or later
* upgrade: treat duplicate entry when updating as not an error
* Allow anonymous access to parentID attribute
* upgrade: Run configuration upgrade under empty ccache collection
* use LDAP Whoami command when creating an OTP token
* Update template directory with new variables when upgrading
ipa.conf.template
* Processing of server roles should ignore errors.EmptyResult
=== Alexey Slaykovsky (1) ===
* Make tox tests to generate results in JUnit XML
=== amitkuma (5) ===
* RFE: ipa client should setup openldap for GSSAPI
* Correcting detect typo in server.m4
* Correction of management spelling.
* clear sssd cache when uninstalling client
* clear sssd cache when uninstalling client
=== Anuja More (2) ===
* Adding test-cases for ipa-cacert-manage
* Adding test-cases for ipa-cacert-manage
=== Christian Heimes (32) ===
* Revert "Validate the Directory Manager password"
* Create missing /etc/httpd/alias for ipasession.key
* Only run subset of external CA tests
* Require Dogtag 10.6.1
* Require nss with fix for nickname bug
* ipa-client package needs sssd-tool
* Make ipatests' create_external_ca a script
* Load certificate files as binary data
* Remove contrib/nssciphersuite
* Compatibility with pytest 3.4
* Use shutil to copy file
* Use single Custodia instance in installers
* Add augeas dependency to client package
* Create users in server-common pre hook
* Require 389-ds-base >= 1.4.0.8-1
* CA replica PKCS12 workaround for SQL NSSDB
* Add nsds5ReplicaReleaseTimeout to replica config
* Fix Python dependencies
* Remove os.chdir() from test_ipap11helper
* certdb: Move chdir into subprocess call
* Provide ldap_uri in Custodia uninstaller
* Defer import of ipaclient.csrgen
* Require more recent glibc on F27
* Load librpm on demand for IPAVersion
* Fix installer CA port check for port 8080
* Temporarily disable authconfig backup and restore
* Cleanup and remove more files on uninstall
* Fix compatibility with latest pytest
* More cleanup after uninstall
* Require Dogtag PKI >= 10.6
* Keep owner when backing up CA.cfg
* Pylint 1.8.3 fixes
=== Felipe Barreto (10) ===
* Fixing tests on TestReplicaManageDel
* Fixing TestCASpecificRUVs::test_replica_uninstall_deletes_ruvs
* Fixing
TestBackupAndRestore::test_full_backup_and_restore_with_removed_users
* Adding GSSPROXY_CONF to be backed up on ipa-backup
* Reverting commit 6b145bf3e696e6d40b74055ccdf8d14da7828a09
* Fix TestSubCAkeyReplication providing the right path to pki log
* temp commit: adding test to PR CI run
* Adding right parameters to install IPA in
TestInstallMasterReservedIPasForwarder
* Changing Django's CoC to reflect FreeIPA CoC
* Adding Django's Code of Conduct
=== Florence Blanc-Renaud (8) ===
* authselect migration: use stable interface to query current config
* authselect test: skip test if authselect is not available
* ipa-advise: adapt config-client-for-smart-card-auth to authselect
* Revert commit d705320ec136abc2fcf524f2b63a76d3fc0ba97a
* New tests for authselect migration
* Migration from authconfig to authselect
* ipa-advise config-server-for-smart-card-auth: use mod-ssl
* ipa-replica-install: make sure that certmonger picks the right master
=== Fraser Tweedale (12) ===
* install: fix reported external CA configuration
* csrgen: fix when attribute shortname is lower case
* csrgen: drive-by docstring
* csrgen: support initialising OpenSSL adaptor with key object
* py3: fix csrgen error handling
* certprofile: add tests for config profileId scenarios
* certprofile: reject config with multiple profileIds
* Fix upgrade (update_replica_config) in single master mode
* Add commentary about PKI admin password
* Fix upgrade when named.conf does not exist
* replica-install: warn when there is only one CA in topology
* install: configure dogtag status request timeout
=== Ganna Kaihorodova (5) ===
* Fix trust tests for Posix Support
* Fix for integration tests dns_locations
* Fix in IPA's multihost fixture
* TestBasicADTrust.test_ipauser_authentication
* Fix for test TestInstallMasterReservedIPasForwarder
=== Takeshi MIZUTA (1) ===
* Fix some typos in man page
=== Michal Reznik (18) ===
* ui_tests: introduce new test_misc cases file
* ui_driver: extension and modifications related to test_user
* ui_tests: extend test_user suite
* test_web_ui: extend ui_driver methods
* test_webui: add user life-cycles tests
* ui_tests: run ipa-get/rmkeytab command on UI host
* ui_tests: select_combobox() fixes
* ui_tests: test cancel and delete without button
* ui_tests: make associations cancelable
* ui_tests: add function to run cmd on UI host
* ui_tests: add funcs to add/remove users public SSH key
* ui_tests: add assert_field_required()
* ui_tests: add assert_notification()
* ui_tests: add more test cases
* ui_tests: add more test cases to test_certification
* ui_tests: add_service() support func in test_service
* ui_tests: add_host() support func in test_service
* ui_tests: change get_http_pkey() function
=== Varun Mylaraiah (3) ===
* WebUI tests: Extend netgroup tests with more scenarios
* Fixed improper clean-up in test_host::test_kerberos_flags added
closing the notification in kerberos flags
* WebUI tests: Extend user group tests with more scenarios
=== Pavel Picka (1) ===
* WebUI Hostgroups tests cases added
=== Petr Vobornik (4) ===
* webui: refresh complex pages after modification
* Fix order of commands in test for removing topology segments
* webui tests: fix test_host:test_crud failure
* realm domains: improve doc text
=== Rob Crittenden (16) ===
* Fix certificate retrieval in ipa-replica-prepare for DL0
* Disable message about log in ipa-backup if IPA is not configured
* Use a regex in installutils.get_directive instead of line splitting
* Handle whitespace, add separator to regex in set_directive_lines
* Validate the Directory Manager password before starting restore
* Log service start/stop/restart message
* Update project metadata in ipasetup.py.in
* Allow dot as a valid character in an selinux identity name
* Remove xfail from CALes test test_http_intermediate_ca
* Some PKCS#12 errors are reported with full path names
* ipa-server-certinstall failing, unknown option realm
* Revert run_pk12util part of 807a5cbe7cc52690336c5095ec6aeeb0a4e8483c
* Break out of teardown in test_replica_promotion.py if no config
* Remove the Continuous installer class, it is unused
* Return a value if exceptions are raised in server uninstall
* VERSION.m4: Set back to git snapshot
=== Robbie Harwood (2) ===
* Move krb5 snippet into freeipa-client-common
* Enable SPAKE support using krb5.conf.d snippet
=== Stanislav Laznicka (11) ===
* Allow user administrator to change user homedir
* mod_ssl: add SSLVerifyDepth for external CA installs
* Add absolute_import to test_authselect
* Fix typo in ipa-getkeytab --help
* Add absolute_import future imports
* replica-install: pass --ip-address to client install
* ipa_backup: Backup the password to HTTPD priv key
* Fix upgrading of FreeIPA HTTPD
* Remove py35 env from tox testing
* Encrypt httpd key stored on disk
* Dogtag configs: rename deprecated options
=== Thierry Bordaz (1) ===
* Hardening of topology plugin to prevent erronous deletion of a replica
agreement
=== Tibor Dudlák (14) ===
* Use temporary pid file for chronyd -q task
* Fix format string passed to pytest-multihost
* Configure chrony with pool when server not set
* Add enabling chrony daemon when not configured
* Remove unnecessary option --force-chrony
* Remove NTP server role while upgrading
* Removes NTP server role from servroles and description
* Update man pages for FreeIPA client, replica and server install
* Adding method to ipa-server-upgrade to cleanup ntpd
* Add --ntp-pool option to installers
* FreeIPA server is time synchronization client only
* Replace ntpd with chronyd in installation
* Add dependency and paths for chrony
* Removes ntp from dependencies and behave as there is always -N option
Hi all,
Ticket https://pagure.io/freeipa/issue/7482 made me think about the
current revocation behaviour in `ipa cert-request`. For hosts and
services, all old certificates get revoked.
I wrote a blog post[1] outlining the problems with the current
behaviour, and some suggested changes. I'd like to know others'
thoughts. If we go ahead it would be something for a major release,
not a bugfix release. The actual amount of work is pretty small.
[1] https://frasertweedale.github.io/blog-redhat/posts/2018-05-11-renewal-and-r…
Thanks,
Fraser
URL: https://github.com/freeipa/freeipa/pull/1918
Author: stlaz
Title: #1918: [Backport][ipa-4-5] Allow user administrator to change user homedir
Action: opened
PR body:
"""
This PR was opened automatically because PR #1912 was pushed to master and backport to ipa-4-5 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1918/head:pr1918
git checkout pr1918
URL: https://github.com/freeipa/freeipa/pull/1917
Author: stlaz
Title: #1917: [Backport][ipa-4-6] Allow user administrator to change user homedir
Action: opened
PR body:
"""
This PR was opened automatically because PR #1912 was pushed to master and backport to ipa-4-6 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1917/head:pr1917
git checkout pr1917
URL: https://github.com/freeipa/freeipa/pull/1831
Author: felipevolpone
Title: #1831: Fixing test_topology tests
Action: opened
PR body:
"""
#### Fixing TestCASpecificRUVs::test_replica_uninstall_deletes_ruvs
This test will setup a master and a replica, uninstall replica and check
for the replica RUVs on the master. It was missing the step of running
ipa-replica-manage del <replica hostname> to properly remove the RUVs.
#### Fixing tests on TestReplicaManageDel
This commit fixes the tests on class TestReplicaManageDel:
- test_replica_managed_del_domlevel1
- test_clean_dangling_ruv_multi_ca
- test_replica_managed_del_domlevel0
Given that domain level 0 does not have autodiscovery, we need to
configure /etc/resolv.conf with the master data (search <domain> and
nameserver <master_ip>) in order for ipa-replica-install to succeed.
---
**Attention**: This patch should not be pushed until PR #1748 gets merged.
As usual, as soon as we have an ack, I'll rebase the PR and remove the temp commit.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1831/head:pr1831
git checkout pr1831
URL: https://github.com/freeipa/freeipa/pull/1906
Author: stlaz
Title: #1906: mod_ssl: add SSLVerifyDepth for external CA installs
Action: opened
PR body:
"""
mod_ssl's limiting of client cert verification depth was causing
the replica installs to fail when master had been installed with
external CA since the SSLCACertificateFile was pointing to a file
with more than one certificate. This is caused by the default
SSLVerifyDepth value of 1. We set it to 5 as that should be
just about enough even for possible sub-CAs.
https://pagure.io/freeipa/issue/7530
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1906/head:pr1906
git checkout pr1906
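A way to check that an Apache mod_ssl configuration's SSLVerifyDepth can cover the CA file it references, as an added example that is not part of this PR or of FreeIPA's own code. The config fragment and the PEM bundle are constructed samples (fake certificate bodies, placeholder paths), the rule that the depth should be at least the number of CA certificates in the trust file is an assumption that follows the PR's reasoning rather than a mod_ssl guarantee, and the `set_directive` helper is a hypothetical rewrite of one directive, not FreeIPA's installutils.set_directive:

```python
import re

# Constructed mod_ssl fragment; the paths are placeholders, not FreeIPA's.
# It shows the depth of 1 that PR #1906 raises to 5 on external-CA installs.
SAMPLE_SSL_CONF_BEFORE = """\
SSLEngine on
SSLCertificateFile /example/httpd.crt
SSLCertificateKeyFile /example/httpd.key
SSLCACertificateFile /example/ca-bundle.crt
SSLVerifyClient optional
SSLVerifyDepth 1
"""

# Constructed CA bundle: external root, external intermediate, IPA CA.
# The bodies are fake base64, enough to exercise the PEM block counting.
SAMPLE_CA_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIBexampleROOTCAcertificateBODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBexampleINTERMEDIATEcertBODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBexampleIPACAcertificateBODY
-----END CERTIFICATE-----
"""

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def count_pem_certs(bundle_text):
    """Return the number of complete BEGIN/END CERTIFICATE blocks in a bundle."""
    return len(PEM_CERT_RE.findall(bundle_text))


def parse_ssl_directives(conf_text):
    """Map directive name -> value for a config fragment, skipping comments and
    blank lines; a later occurrence overrides an earlier one, as Apache does
    within a single scope."""
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives[parts[0]] = parts[1].strip()
    return directives


def effective_verify_depth(directives):
    """Apache documents SSLVerifyDepth as defaulting to 1 when it is absent."""
    return int(directives.get("SSLVerifyDepth", 1))


def check_verify_depth(conf_text, bundle_text):
    """Return (depth, ca_count, ok).

    Assumed rule of thumb, following the PR's reasoning: each CA certificate in
    SSLCACertificateFile may be a link in a client certificate's chain, so the
    configured depth should be at least the number of CA certificates in it."""
    depth = effective_verify_depth(parse_ssl_directives(conf_text))
    ca_count = count_pem_certs(bundle_text)
    return depth, ca_count, depth >= ca_count


def set_directive(conf_text, name, value):
    """Hypothetical helper: return conf_text with `name` set to `value`,
    replacing the first existing (possibly commented-out) line for that
    directive, or appending one if none exists."""
    pattern = re.compile(
        r"^[ \t]*#?[ \t]*" + re.escape(name) + r"[ \t]+.*$", re.MULTILINE
    )
    new_line = f"{name} {value}"
    if pattern.search(conf_text):
        return pattern.sub(new_line, conf_text, count=1)
    sep = "" if not conf_text or conf_text.endswith("\n") else "\n"
    return conf_text + sep + new_line + "\n"


if __name__ == "__main__":
    for label, conf in (
        ("before", SAMPLE_SSL_CONF_BEFORE),
        ("after", set_directive(SAMPLE_SSL_CONF_BEFORE, "SSLVerifyDepth", "5")),
    ):
        depth, ca_count, ok = check_verify_depth(conf, SAMPLE_CA_BUNDLE)
        print(f"{label}: SSLVerifyDepth={depth} CA certs={ca_count} "
              f"{'ok' if ok else 'TOO SHALLOW'}")
```

Running the script reports the constructed depth-1 configuration as too shallow for a three-certificate trust file and the depth-5 rewrite as sufficient; the same functions can be pointed at a real ssl.conf and CA file after an upgrade to confirm the directive was applied.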
URL: https://github.com/freeipa/freeipa/pull/1866
Author: abbra
Title: #1866: Allow more flexible services
Action: opened
PR body:
"""
This patchset makes service objects more usable in dynamic environments like Kubernetes. Kubernetes hosts could create service objects that have no corresponding host object in IPA and need to be able to retrieve keytabs for them.
Such keytabs would be used for client authentication against other resources in the same IPA realm. As such, applications running in containers on a Kubernetes host would not need to accept any Kerberos authentication from their users but instead they would use their own keytabs to talk to database or file servers (or anything else). Since in Kerberos for client authentication there is no real requirement that a service name has a corresponding host (it is just a string with one or more / in it), we can allow skipping the host object check when creating the service.
As a result, the Web UI needs to be changed to also allow editing the host part of the service name when adding a service. We considered making a more dynamic handling of the UI but that would require a complete refactor of the entity_select widget to allow dynamic change of the contained input widgets.
A second patch adds services as members of groups. This would allow adding services to groups and, in turn, using groups to grant services the ability to retrieve keytabs of other services. This approach substantially reduces the amount of changes needed to support services as first class objects.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1866/head:pr1866
git checkout pr1866