{{ReleaseDate|2018-12-03}} The FreeIPA team would like to announce FreeIPA 4.7.2 release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 28 and Fedora 29 will be available in the official '''FIXME LINK''' [https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-4/ COPR repository]. '''END FIXME''' == Highlights in 4.7.2 == '''TODO RELEASE NOTES - put release notes (if any) to proper categories''' '''END TODO''' === Enhancements === === Known Issues === === Bug fixes === FreeIPA 4.7.2 is a stabilization release for the features delivered as a part of 4.7 series. There are more than 10 bug-fixes details of which can be seen in the list of resolved tickets below. == Upgrading == Upgrade instructions are available on [[Upgrade]] page. == Feedback == Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on Freenode. == Resolved tickets == * 7776 authselect 1.0.2 fails on unknown feature * 7772 pylint 2.2.0 violations * 7769 Installer does not detect that kadmin port 749/UDP is blocked * 7767 make fasttest errors because of missing python3-lib389 * 7758 pylint-2.1.1 errors on Fedora 29 * 7754 Replace archaic term messagebus with dbus * 7753 CID 323644: logically dead code in ipaserver.install.adtrust.py * 7741 Smart card advise script uses hard-coded Python interpreter * 7729 Bad output on failed client installation rollback * 7728 RFE: Validation and better error messages when novajoin fails because of SSL errors * 7723 NTP options fails on ipa replica * 7671 Remove --no-sssd and --noac options * 7658 [RFE] sysadm_r should be included in default SELinux user map order * 7651 ipa-replica-install --setup-kra broken on DL1 * 7408 ipa-replica-install command should display proper message on the console. * 5378 Incorrect error message at wrong password from private key file == Detailed changelog since 4.7.1 == === Alexander Bokovoy (5) === * ipa-kdb: reduce LDAP operations timeout to 30 seconds * ipa-4-7: merge translations from zanata * ipaserver.install.adtrust: fix CID 323644 * net groupmap: force using empty config when mapping Guests * adtrust: define Guests mapping after creating cifs/ principal === Adam Williamson (1) === * Fix authselect invocations to work with 1.0.2 === Christian Heimes (34) === * Increase debugging for blocked port 749 and 464 * Address misc pylint issues in CLI scripts * pylint: also verify scripts * pylint: Fix duplicate-string-formatting-argument * pylint 2.2: Fix unnecessary pass statement * PR-CI: Restart rpcbind when it blocks kadmin port * Fix pytest deprecation warning * certdb: validate server cert signature * Require pylint 2.1.1-2 * Silence comparison-with-itself in tests * Fix raising-format-tuple * Fix various dict related pylint warnings * Fix Module 'pytest' has no 'config' member * Fix useless-import-alias * Fix comparison-with-callable * Address consider-using-in * Ignore consider-using-enumerate for now * Address inconsistent-return-statements * Address pylint violations in lite-server * Ignore W504 code style like in travis config * Fix test_cli_fsencoding on Python 3.7, take 2 * Replace messagebus with modern name dbus * Copy-paste error in permssions plugin, CID 323649 * Allow ipaapi user to access SSSD's info pipe * Fix test_cli_fsencoding on Python 3.7 * ipapwd_pre_mod: NULL ptr deref * ipadb_mspac_get_trusted_domains: NULL ptr deref * has_krbprincipalkey: avoid double free * Require Dogtag 10.6.7-3 * Use tasks.install_master() in external_ca tests * Keep Dogtag's client db in external CA step 1 * Replace hard-coded interpreter with sys.executable * Don't abuse strncpy() length limitation * Fix ipadb_multires resource handling === François Cami (3) === * Add a "Find enabled services" ACI in 20-aci.update so that all users can find IPA servers and services. ACI suggested by Christian Heimes. * Add a shared-vault-retrieve test * Add sysadm_r to default SELinux user map order === Florence Blanc-Renaud (19) === * ipatests: add upgrade test for double-encoded cacert * ipa upgrade: handle double-encoded certificates * ipatests: add xmlrpc test for user|host-find --certificate * ipaldap.py: fix method creating a ldap filter for IPACertificate * ipatests: fix test_replica_uninstall_deletes_ruvs * ipatests: add test for ipa-replica-install options * ipa-replica-install: password and admin-password options mutually exclusive * freeipa.spec.in: add BuildRequires for python3-lib389 * ipatests: add integration test for "Read radius servers" perm * radiusproxy: add permission for reading radius proxy servers * tests: add xmlrpc test for ipa user-add --radius-username * ipa user-add: add optional objectclass for radius-username * ipatest: add functional test for ipa-backup * ipa-backup: restart services before compressing the backup * ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad * ipatests: fix path in expected error message * Bump requires 389-ds-base * ipa tests: CA less * certdb: provide meaningful err msg for wrong PIN === Francisco Trivino (1) === * prci_definitions: update vagrant memory topology requirements === Fraser Tweedale (6) === * certdb: validate certificate signatures * Print correct subject on CA cert verification failure * certdb: ensure non-empty Subject Key Identifier * ipaldap: avoid invalid modlist when attribute encoding differs * rpc: always read response * Restore KRA clone installation integration test === Varun Mylaraiah (1) === * Added test for ipa-client-install with a non-standard ldap.conf file Ticket: https://pagure.io/freeipa/issue/7418 === Petr Vobornik (1) === * ipa-advise: update url of cacerdir_rehash tool === Rob Crittenden (10) === * Add support for multiple certificates/formats to ipa-cacert-manage * Add tests for ipa-cacert-manage install * Enable replica install info logging to match ipa-server-install * Demote log message in custodia _wait_keys to debug * Pass a list of values into add_master_dns_records * Collect the client and server uninstall logs in tests * Fix misleading errors during client install rollback * Remove the authselect profile warning if sssd was not configured. * Handle NTP configuration in a replica server installation * Enable LDAP debug output in client to display TLS errors in join === Stanislav Levin (1) === * Move ipa's systemd tmpfiles from /var/run to /run === Sergey Orlov (2) === * ipatests: add test for ipa-restore in multi-master configuration * ipatests: add test for ipa-advise for enabling sudo for admins group === sudharsanomprakash (1) === * Don't use deprecated Apache Access options. === Thomas Woerner (5) === * Fix ressource leak in daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c ipa_cldap_netlogon * Fix ressource leak in client/config.c get_config_entry * Update annobin to fix continuous-integration/travis-ci/pr issues * Find orphan automember rules * ipaclient: Remove --no-sssd and --no-ac options