The FreeIPA team would like to announce FreeIPA 4.9.0 release candidate 1!
It can be downloaded from http://www.freeipa.org/page/Downloads. At this point, we do not plan to provide releases for Fedora 33 or earlier versions due to the large number of changes coming with the FreeIPA 4.9 series.
This is a short version of the release notes. A full changelog can be found at https://www.freeipa.org/page/Releases/4.9.0rc1
== Highlights in 4.9.0 release candidate 1
* 298: [RFE] Add support for cracklib to password policies
The FreeIPA password quality checking plugin has been extended to use the libpwquality library. Password policies can now check for reuse of the user name, dictionary words (using the cracklib package), number and symbol substitutions, and repeated characters in passwords.
* 2445: [RFE] IdM password policy should include checks for repeating characters
The FreeIPA password quality checking plugin has been extended to use the libpwquality library. Password policies can now check for reuse of the user name, dictionary words (using the cracklib package), number and symbol substitutions, and repeated characters in passwords.
* 3687: [RFE] IPA user account expiry warning.
EPN stands for Expiring Password Notification. It is a standalone tool designed to build a list of users whose password would expire in the near future, and either display the list in a machine-readable (JSON) format, or send email notifications to these users. EPN provides command-line options to display the list of affected users. This provides data introspection and helps understand how many emails would be sent for a given day, or a given date range. The command-line options can also be used by a monitoring system to alert whenever a number of emails over the SMTP quota would be sent. EPN is meant to be launched once a day from an IPA client (preferred) or replica from a systemd timer. EPN does not keep state: the list of affected users is built at runtime but never kept.
* 3827: [RFE] Expose TTL in web UI
DNS record time to live (TTL) parameters can be edited in the Web UI.
* 3999: [RFE] Fix and Document how to set up Samba File Server with IPA
Samba file server can now be configured on a FreeIPA-enrolled system to provide file services to users in the IPA domain and to users from trusted Active Directory forests.
* 4751: Implement ACME certificate enrolment
Configure the Automatic Certificate Management Environment (ACME) protocol support provided by the dogtag CA.
* 5011: [RFE] Forward CA requests to dogtag or helper by GSSAPI
* 5608: [RFE] Add Dogtag configuration extensions
* 5662: ID Views: do not allow custom Views for the masters
Custom ID views cannot be applied to IPA masters. A check was added to both IPA CLI and Web UI to prevent applying custom ID views to avoid confusion and unintended side-effects.
* 5948: [RFE] Implement pam_pwquality featureset in IPA password policies
* 6783: [RFE] Host-group names command rename
Host groups can now be renamed with the IPA CLI: 'ipa hostgroup-mod group-name --rename new-name'. Protected host groups ('ipaservers') cannot be renamed.
* 7137: [RFE]: Able to browse different links from IPA web gui in new tabs
* 7181: ipa-replica-prepare fails for 2nd replica when passwordHistory is enabled
FreeIPA password policy plugin in 389-ds was extended to exempt non-Kerberos LDAP objects from checking Kerberos policy during password changes by the Directory Manager or a password synchronization manager. This issue affected, among others, an integrated CA administrator account during deployment of more than one replica in some cases.
* 7522: Disable cert publishing in dogtag
Dogtag certificate publishing facility is not configured anymore as it is not used in FreeIPA.
* 7577: [RFE] DNS package check should be called earlier in installation routine
The ``--setup-dns`` knob and interactive installer now both check for the presence of freeipa-server-dns early and abort the installer with an error before starting actual deployment.
* 7695: ipa service-del should display principal name instead of Invalid 'principal'.
When deleting services, report exact name of a system required principal that couldn't be deleted.
* 7966: Add support for JSON-RPC in ipa-join
The ipa-join tool now defaults to the JSON-RPC protocol when communicating with IPA masters. The choice of JSON-RPC or XML-RPC is a compile-time setting now.
* 7971: [RFE] Include hint for replication_wait_timeout if timeout fails
* 8106: ca-certificate file not being parsed correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install
On Debian-based platforms update-ca-certificates does not support multiple certificates in a single file. IPA installers now write an individual file for each certificate on Debian-based platforms.
* 8114: [RFE] Delegate group membership management
It is now possible to associate group managers with the groups. Group managers have rights to add and remove members of the individual group rather than being administrators for every group.
* 8217: RFE: ipa-backup should compare locally and globally installed server roles
ipa-backup now checks whether the local replica's roles match those used in the cluster and exits with a warning if this is not the case, as backups taken on this host would not be sufficient for a proper restore. FreeIPA administrators are advised to double check that the host on which backups are run has all the necessary (used) roles.
* 8222: Upgrade dojo.js
Version of dojo.js framework used by FreeIPA Web UI was upgraded to 1.16.2.
* 8233: 4.8.5 master Installation error
On Debian and ALT Linux, setup of the AJP connector restarted the Apache instance before it was configured. The restart wasn't actually needed and thus was removed.
* 8236: Enforce a check to prevent adding objects from IPA as external members of external groups
The command 'ipa group-add-member' allowed any user or group to be specified for the '--external' option. A stricter check was added to verify that a group or user to be added as an external member does not come from the IPA domain.
* 8239: Actualize Bootstrap version
Bootstrap Javascript framework used by FreeIPA web UI was updated to version 3.4.1.
* 8241: Build fails on Fedora 30
SELinux rules for ipa-custodia were merged into FreeIPA SELinux policy. The policy relied on an SELinux interface that is not available in Fedora 30. The logic was changed to allow better portability across SELinux versions.
* 8268: Prevent use of too long passwords
Kerberos tools limit a password entered in the kpasswd or kadmin tools to 1024 characters but make it impossible to distinguish between passwords cut off at 1024 characters and passwords that are exactly 1024 characters long. Thus, a limit of 1000 characters is now applied everywhere in FreeIPA.
* 8275: Support systemd-resolved
FreeIPA DNS servers now detect systemd-resolved and configure it to pass through itself.
* 8276: Add default password policy for sysaccounts
cn=sysaccounts,cn=etc now has a default password policy to permit system accounts with krbPrincipalAux object class. This allows system accounts to have a keytab that does not expire. The "Default System Accounts Password Policy" has a minimum password length in case the password is directly modified with LDAP.
* 8284: Upgrade jQuery version to actual one
Version of jQuery framework used by FreeIPA Web UI was updated to 3.4.1.
* 8289: ipa servicedelegationtarget-add-member does not allow to add hosts as targets
Service delegation rules and targets now allow hosts to be specified as a rule's or a target's member principal.
* 8291: krb5kdc crashes in IPA plugin on use of IPA Windows principal alias
Memory handling in various FreeIPA KDC functions was improved, preventing potential crashes when looking up machine account aliases for Windows machines.
* 8301: The value of the first character in target* keywords is expected to be a double quote
389-ds 1.4 enforces syntax for target* keywords (targetattr, targetfilter, etc) to have quoted attributes. Otherwise the aci that contains unquoted parameters is ignored. Default FreeIPA access controls were fixed to follow 389-ds syntax. Any third-party ACIs need to be updated manually.
* 8304: [fed32] client-install does not properly set ChallengeResponseAuthentication yes in sshd conf
ipa-client-install now writes the sshd configuration to the drop-in directory /etc/ssh/sshd_config.d/, in the 04-ipa.conf snippet, thus ensuring that the setting "ChallengeResponseAuthentication yes" takes precedence.
* 8315: [dirsrv] set 'nsslapd-enable-upgrade-hash: off' as this raises warnings
389-ds 1.4.1.6 introduced automatic password hash upgrade on LDAP binds. FreeIPA now disables this feature because changing password hash in FreeIPA is not allowed by the internal plugins that synchronize password hashes between LDAP and Kerberos.
* 8322: [RFE] Changing default hostgroup is too easy
In Web UI a confirmation dialog was added to automember configuration to prevent unintended modification of a default host group.
* 8325: [WebUI] Fix htmlPrefilter issue in jQuery
CVE-2020-11022: In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. FreeIPA does not allow arbitrary code to be passed into the affected jQuery path, but we applied the jQuery fix anyway.
* 8335: [WebUI] manage IPA resources as a user from a trusted Active Directory domain
When users from trusted Active Directory domains have permissions to manage IPA resources, they can do so through a Web UI management console.
* 8348: Allow managed permissions with ldap:///self bind rule
Managed permissions can now address self-service operations. This makes it possible for 3rd-party plugins to supply a full set of managed permissions.
* 8357: Allow managing IPA resources as a user from a trusted Active Directory forest
A 3rd-party plugin to provide management of IPA resources as users from trusted Active Directory domains was merged into FreeIPA core. ID user overrides can now be added to IPA management groups and roles and thus allow AD users to manage IPA.
* 8362: IPA: Ldap authentication failure due to Kerberos principal expiration UTC timestamp
LDAP authentication now handles Kerberos principal and password expiration time in UTC time zone. Previously, a local server time zone was applied even though UTC was implied in the settings.
* 8374: EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in freeipa-client-epn
EPN did not ship any configuration file. This was an oversight, but the tool itself would work fine as it had sane defaults; moreover, the man page for the configuration file was present.
* 8401: Create platform definitions for freeipa-container
ipaplatform now provides container platform flavors for freeipa/freeipa-container
* 8404: Detect and fail if not enough memory is available for installation
FreeIPA server now requires at least 1.2 GiB RAM for installation to prevent performance degradation.
* 8444: EPN: enhance input validation
Various input validation checks were added to EPN.
* 8445: EPN: '[Errno 111] Connection refused' when the SMTP is down
EPN now displays a proper message if the configured SMTP server cannot be contacted.
* 8449: EPN: enhance CLI option tests
EPN: enhance existing tests for --dry-run, --from-nbdays and --to-nbdays.
* 8488: SELinux blocks custodia key replication / retrieval for sub-CAs
SELinux: Make sure ipa_custodia_t has the necessary rights; add dedicated policy rules for ipa-pki-retrieve-key.
* 8490: It is not possible to edit KDC database when the FreeIPA server is running
kadmin.local command 'getprincs' is now supported
* 8493: Synchronize index LDIF and index update files
Configuration of LDAP indices was moved into a single place. New indices were added to attributes related to trusted domains operations. Performance improvement is expected for Kerberos service tickets requested by users from trusted Active Directory domains.
* 8503: pkispawn logs files are empty
On recent versions of Dogtag PKI, pkispawn does not create logs by default, making debugging failed IPA installs impossible. Invoke pkispawn with --debug to revert to the previous behavior.
* 8507: [WebUI] Backport jQuery patches from newer versions of the library (e.g. 3.5.0)
Support reproducible builds for jQuery library
* 8510: create_active_user and kinit_as_user should collect kdcinfo.REALM on failure
Sometimes, requesting a TGT after a password reset fails because SSSD seems to select different hosts for these two sequential tasks, leaving no time for replication to replicate the password hashes. Add debug information to the test suites that exhibit the problem and always display the kdcinfo file maintained by SSSD that contains the KRB5KDC IP it should be pinned to.
* 8530: Running ipa-server-install fails on machine where libsss_sudo is not installed
The FreeIPA client RPM now has a soft dependency on libsss_sudo and sudo itself.
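The ACI syntax change under ticket 8301 above leaves third-party ACIs to be fixed by hand. The following added example (not FreeIPA or 389-ds code) scans LDIF text for target* clauses whose value is not enclosed in double quotes. The keyword set beyond targetattr and targetfilter, the sample entries and all function names are assumptions made for this example.

```python
import base64
import re

# Assumed set of 389-ds target keywords; the release note names
# targetattr and targetfilter and says "etc".
TARGET_KEYWORDS = {
    "target", "targetattr", "targetfilter",
    "targattrfilters", "target_to", "target_from",
}

# keyword, operator (= or !=), value
CLAUSE_RE = re.compile(r"^\s*([A-Za-z_]+)\s*(!?=)\s*(.*?)\s*$", re.S)


def top_level_clauses(aci):
    """Yield the text inside each top-level (...) group of an ACI,
    ignoring parentheses that appear inside double quotes."""
    depth, in_quote, start = 0, False, None
    for i, ch in enumerate(aci):
        if ch == '"':
            in_quote = not in_quote
        elif in_quote:
            continue
        elif ch == "(":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == ")" and depth > 0:
            depth -= 1
            if depth == 0:
                yield aci[start:i]


def find_unquoted_targets(aci):
    """Return (keyword, value) for every target* clause whose value
    is not wrapped in double quotes."""
    findings = []
    for clause in top_level_clauses(aci):
        m = CLAUSE_RE.match(clause)
        if not m or m.group(1).lower() not in TARGET_KEYWORDS:
            continue  # e.g. the "version 3.0; acl ..." clause
        value = m.group(3)
        quoted = len(value) >= 2 and value[0] == '"' and value[-1] == '"'
        if not quoted:
            findings.append((m.group(1).lower(), value))
    return findings


def acis_from_ldif(ldif_text):
    """Return (dn, aci) pairs from LDIF text, unfolding continuation
    lines and decoding base64 ("aci::") values."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    dn, pairs = None, []
    for line in unfolded.splitlines():
        name, sep, rest = line.partition(":")
        name = name.lower()
        if not sep or name not in ("dn", "aci"):
            continue
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name == "dn":
            dn = value
        else:
            pairs.append((dn, value))
    return pairs


def audit_ldif(ldif_text):
    """Return (dn, keyword, value) for each unquoted target* clause."""
    return [
        (dn, keyword, value)
        for dn, aci in acis_from_ldif(ldif_text)
        for keyword, value in find_unquoted_targets(aci)
    ]


# Constructed sample data: one quoted ACI, one legacy unquoted ACI
# folded across lines, and one base64-encoded ACI.
_B64_ACI = base64.b64encode(
    b'(target = ldap:///cn=more,dc=example,dc=test)(targetattr = "*")'
    b'(version 3.0; acl "b64"; allow (read) userdn = "ldap:///all";)'
).decode("ascii")

SAMPLE_LDIF = (
    'dn: cn=apps,dc=example,dc=test\n'
    'aci: (targetattr = "cn || sn")(version 3.0; acl "quoted ok";\n'
    '  allow (read) userdn = "ldap:///anyone";)\n'
    'aci: (targetattr = userPassword)(targetfilter = (objectclass=person))\n'
    ' (version 3.0; acl "legacy"; allow (write) userdn = "ldap:///self";)\n'
    '\n'
    'dn: cn=more,dc=example,dc=test\n'
    'aci:: ' + _B64_ACI + '\n'
)

if __name__ == "__main__":
    for dn, keyword, value in audit_ldif(SAMPLE_LDIF):
        print(f"{dn}: {keyword} value is not quoted: {value}")
```

The scanner does not handle escaped double quotes inside values, so review any ACI it reports before rewriting it.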
=== Known Issues
* 8240: KRA install fails if all KRA members are Hidden Replicas
If the first KRA instance is installed on a hidden replica, more KRA instances cannot be added to the cluster. As a workaround, temporarily make the hidden replica with the KRA role visible before adding more KRA instances. The previously-hidden replica can be hidden again as soon as ipa-kra-install is complete.
=== Bug fixes
FreeIPA 4.9.0 release candidate 1 is a stabilization release for the features delivered as a part of 4.9 version series.
There are more than 350 bug-fixes since FreeIPA 4.8.10 release. Details of the bug-fixes can be seen in the list of resolved tickets below.
== Upgrading
Upgrade instructions are available on Upgrade page.
== Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...) or #freeipa channel on Freenode.
== Resolved tickets
* https://pagure.io/freeipa/issue/298[#298] (https://bugzilla.redhat.com/show_bug.cgi?id=587752[rhbz#587752]) [RFE] Add support for cracklib to password policies
* https://pagure.io/freeipa/issue/2018[#2018] (https://bugzilla.redhat.com/show_bug.cgi?id=1703564[rhbz#1703564]) Change hostname length limit to 64
* https://pagure.io/freeipa/issue/2445[#2445] (https://bugzilla.redhat.com/show_bug.cgi?id=798359[rhbz#798359]) [RFE] IdM password policy should include checks for repeating characters
* https://pagure.io/freeipa/issue/3473[#3473] Switch to using RESTful interface in dogtag CA interface
* https://pagure.io/freeipa/issue/3687[#3687] (https://bugzilla.redhat.com/show_bug.cgi?id=913799[rhbz#913799]) [RFE] IPA user account expiry warning.
* https://pagure.io/freeipa/issue/3827[#3827] [RFE] Expose TTL in web UI
* https://pagure.io/freeipa/issue/3999[#3999] (https://bugzilla.redhat.com/show_bug.cgi?id=837604[rhbz#837604]) [RFE] Fix and Document how to set up Samba File Server with IPA
* https://pagure.io/freeipa/issue/4751[#4751] (https://bugzilla.redhat.com/show_bug.cgi?id=1851835[rhbz#1851835]) Implement ACME certificate enrolment
* https://pagure.io/freeipa/issue/4972[#4972] (https://bugzilla.redhat.com/show_bug.cgi?id=1206690[rhbz#1206690]) check for existence of private group is done even if UPG definition is disabled
* https://pagure.io/freeipa/issue/5011[#5011] (https://bugzilla.redhat.com/show_bug.cgi?id=1527185[rhbz#1527185]) [RFE] Forward CA requests to dogtag or helper by GSSAPI
* https://pagure.io/freeipa/issue/5062[#5062] (https://bugzilla.redhat.com/show_bug.cgi?id=1229657[rhbz#1229657]) [WebUI] Unlock option is enabled for all user.
* https://pagure.io/freeipa/issue/5566[#5566] Permit creation of PTR records in non-.arpa master zones via the DNS UI
* https://pagure.io/freeipa/issue/5608[#5608] (https://bugzilla.redhat.com/show_bug.cgi?id=1405935[rhbz#1405935]) [RFE] Add Dogtag configuration extensions
* https://pagure.io/freeipa/issue/5628[#5628] webui: Unclear(UX) purpose of OTP field in password reset form on login
* https://pagure.io/freeipa/issue/5662[#5662] (https://bugzilla.redhat.com/show_bug.cgi?id=1404770[rhbz#1404770]) ID Views: do not allow custom Views for the masters
* https://pagure.io/freeipa/issue/5879[#5879] (https://bugzilla.redhat.com/show_bug.cgi?id=1334619[rhbz#1334619]) Attempt to fix capitalization fails with ipa: ERROR: Type or value exists:
* https://pagure.io/freeipa/issue/5914[#5914] (https://bugzilla.redhat.com/show_bug.cgi?id=1298288[rhbz#1298288]) invalid setting of DS lock table size
* https://pagure.io/freeipa/issue/5948[#5948] (https://bugzilla.redhat.com/show_bug.cgi?id=1340463[rhbz#1340463]) [RFE] Implement pam_pwquality featureset in IPA password policies
* https://pagure.io/freeipa/issue/6115[#6115] (https://bugzilla.redhat.com/show_bug.cgi?id=1357495[rhbz#1357495]) ipa command provides stack trace when provided with single hypen commands
* https://pagure.io/freeipa/issue/6210[#6210] (https://bugzilla.redhat.com/show_bug.cgi?id=1364139[rhbz#1364139], https://bugzilla.redhat.com/show_bug.cgi?id=1751951[rhbz#1751951]) When master's IP address does not resolve to its name, ipa-replica-install fails
* https://pagure.io/freeipa/issue/6423[#6423] Validate cert requests in Dogtag
* https://pagure.io/freeipa/issue/6474[#6474] Remove ipaplatform dependency from ipa modules
* https://pagure.io/freeipa/issue/6708[#6708] Unused config options
* https://pagure.io/freeipa/issue/6783[#6783] (https://bugzilla.redhat.com/show_bug.cgi?id=1430365[rhbz#1430365]) [RFE] Host-group names command rename
* https://pagure.io/freeipa/issue/6843[#6843] (https://bugzilla.redhat.com/show_bug.cgi?id=1428690[rhbz#1428690]) ipa-backup does not create log file at /var/log/
* https://pagure.io/freeipa/issue/6857[#6857] ipa_pwd.c: Use OpenSSL instead of NSS for hashing
* https://pagure.io/freeipa/issue/6884[#6884] (https://bugzilla.redhat.com/show_bug.cgi?id=1441262[rhbz#1441262]) ipa group-del gives ipa: ERROR: Insufficient access: but still deletes group
* https://pagure.io/freeipa/issue/6891[#6891] (https://bugzilla.redhat.com/show_bug.cgi?id=1461914[rhbz#1461914]) Move FreeIPA SELinux policy from system policy to project policy
* https://pagure.io/freeipa/issue/6951[#6951] (https://bugzilla.redhat.com/show_bug.cgi?id=1449133[rhbz#1449133]) Update samba config file and use sss idmap module
* https://pagure.io/freeipa/issue/6964[#6964] (https://bugzilla.redhat.com/show_bug.cgi?id=1442413[rhbz#1442413]) IPA password policy has no password difference checking
* https://pagure.io/freeipa/issue/7125[#7125] (https://bugzilla.redhat.com/show_bug.cgi?id=1480102[rhbz#1480102]) ipa-server-upgrade failes with "This entry already exists"
* https://pagure.io/freeipa/issue/7137[#7137] (https://bugzilla.redhat.com/show_bug.cgi?id=1484088[rhbz#1484088]) [RFE]: Able to browse different links from IPA web gui in new tabs
* https://pagure.io/freeipa/issue/7181[#7181] (https://bugzilla.redhat.com/show_bug.cgi?id=1545755[rhbz#1545755]) ipa-replica-prepare fails for 2nd replica when passwordHistory is enabled
* https://pagure.io/freeipa/issue/7188[#7188] Issues after promoting one CA-less IPA server to CA-full
* https://pagure.io/freeipa/issue/7255[#7255] baseidoverride.get_dn() does not default to a default ID view when resolving user IDs
* https://pagure.io/freeipa/issue/7305[#7305] (https://bugzilla.redhat.com/show_bug.cgi?id=1518153[rhbz#1518153]) PKINIT status not displayed in the web UI (IPA Server > Configuration)
* https://pagure.io/freeipa/issue/7307[#7307] (https://bugzilla.redhat.com/show_bug.cgi?id=1518939[rhbz#1518939]) RFE: Extend IPA to support unadvertised replicas
* https://pagure.io/freeipa/issue/7323[#7323] IPv6 hack for Travis CI
* https://pagure.io/freeipa/issue/7329[#7329] update_ra_cert_store does not remove private key from NSSDB
* https://pagure.io/freeipa/issue/7416[#7416] Uninstalling IPA requires on being in a existent working directory
* https://pagure.io/freeipa/issue/7522[#7522] Disable cert publishing in dogtag
* https://pagure.io/freeipa/issue/7534[#7534] (https://bugzilla.redhat.com/show_bug.cgi?id=1569011[rhbz#1569011]) Investigate failures to restore 389-ds attriubtes on upgrade failure
* https://pagure.io/freeipa/issue/7548[#7548] Need integration test for --external-ca-type=ms-cs
* https://pagure.io/freeipa/issue/7566[#7566] (https://bugzilla.redhat.com/show_bug.cgi?id=1591824[rhbz#1591824]) Installation of replica against a specific master
* https://pagure.io/freeipa/issue/7577[#7577] (https://bugzilla.redhat.com/show_bug.cgi?id=1579296[rhbz#1579296]) [RFE] DNS package check should be called earlier in installation routine
* https://pagure.io/freeipa/issue/7597[#7597] (https://bugzilla.redhat.com/show_bug.cgi?id=1583950[rhbz#1583950]) IPA: IDM drops all custom attributes when moving account from preserved to stage
* https://pagure.io/freeipa/issue/7600[#7600] (https://bugzilla.redhat.com/show_bug.cgi?id=1585020[rhbz#1585020]) Enable compat tree to provide information about AD users and groups on trust agents
* https://pagure.io/freeipa/issue/7610[#7610] ldapupdate.py users ldap.LOCAL_ERROR and other direct ldap exceptions while relying on ipaldap
* https://pagure.io/freeipa/issue/7630[#7630] (https://bugzilla.redhat.com/show_bug.cgi?id=1613015[rhbz#1613015]) ipa-restore should check that optional feature packages are installed before restoring a backup using a feature
* https://pagure.io/freeipa/issue/7677[#7677] HSM: ipa ca-add fails with error in ipa-pki-retrieve-key
* https://pagure.io/freeipa/issue/7695[#7695] (https://bugzilla.redhat.com/show_bug.cgi?id=1623763[rhbz#1623763]) ipa service-del should display principal name instead of Invalid 'principal'.
* https://pagure.io/freeipa/issue/7725[#7725] (https://bugzilla.redhat.com/show_bug.cgi?id=1636765[rhbz#1636765]) ipa-restore set wrong file permissions and ownership for /var/log/dirsrv/slapd- directory
* https://pagure.io/freeipa/issue/7804[#7804] (https://bugzilla.redhat.com/show_bug.cgi?id=1777811[rhbz#1777811]) `ipa otptoken-sync` fails with stack trace
* https://pagure.io/freeipa/issue/7810[#7810] [F28] Require NSS with fix for p11-kit issue.
* https://pagure.io/freeipa/issue/7816[#7816] (https://bugzilla.redhat.com/show_bug.cgi?id=1642395[rhbz#1642395]) [WebUI] not able to set a password for user as Active Directory Administrator user
* https://pagure.io/freeipa/issue/7870[#7870] (https://bugzilla.redhat.com/show_bug.cgi?id=1680039[rhbz#1680039]) [certmonger][upgrade] "Failed to get request: bus, object_path and dbus_interface must not be None."
* https://pagure.io/freeipa/issue/7895[#7895] (https://bugzilla.redhat.com/show_bug.cgi?id=1686302[rhbz#1686302]) ipa trust fetch-domains, server parameter ignored
* https://pagure.io/freeipa/issue/7902[#7902] 389-ds-base-1.4.0.22-1 breaks TestAutomemberFindOrphans.test_find_orphan_automember_rules
* https://pagure.io/freeipa/issue/7908[#7908] Write tests for interactive prompt for NTP options.
* https://pagure.io/freeipa/issue/7929[#7929] (https://bugzilla.redhat.com/show_bug.cgi?id=1712794[rhbz#1712794]) ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled
* https://pagure.io/freeipa/issue/7932[#7932] FreeIPA queries rely on missing attribute altsecurityidentities
* https://pagure.io/freeipa/issue/7933[#7933] FreeIPA must index certmap attributes.
* https://pagure.io/freeipa/issue/7938[#7938] 'ipa dnszone-show/find' should display "Dynamic Update" and "Bind update policy" by default
* https://pagure.io/freeipa/issue/7949[#7949] test_integration/test_nfs.py fails at cleanup
* https://pagure.io/freeipa/issue/7958[#7958] (https://bugzilla.redhat.com/show_bug.cgi?id=1782169[rhbz#1782169]) traceback in idview
* https://pagure.io/freeipa/issue/7961[#7961] [WebUI] Identity Manager WebUI requires you to save changes after changing specifications before making other change
* https://pagure.io/freeipa/issue/7966[#7966] Add support for JSON-RPC in ipa-join
* https://pagure.io/freeipa/issue/7971[#7971] (https://bugzilla.redhat.com/show_bug.cgi?id=1715961[rhbz#1715961]) [RFE] Include hint for replication_wait_timeout if timeout fails
* https://pagure.io/freeipa/issue/7985[#7985] test failure in test_dnssec.py::TestInstallDNSSECLast::()::test_disable_reenable_signing_replica::teardown
* https://pagure.io/freeipa/issue/7987[#7987] Python shebang: Use isolated mode
* https://pagure.io/freeipa/issue/7989[#7989] Pytest4.2+ errors
* https://pagure.io/freeipa/issue/7991[#7991] Use profile-based renewal for system certificates
* https://pagure.io/freeipa/issue/7995[#7995] (https://bugzilla.redhat.com/show_bug.cgi?id=1711172[rhbz#1711172]) Removing TLSv1.0, TLSv1.1 from nss.conf
* https://pagure.io/freeipa/issue/7996[#7996] `test_selinuxusermap_plugin` fails against not default SELinux settings
* https://pagure.io/freeipa/issue/8001[#8001] Need default authentication indicators for SPAKE, PKINIT and encrypted challenge preauth
* https://pagure.io/freeipa/issue/8004[#8004] RHEL 8 uses nis-domainname instead of rhel-domainname
* https://pagure.io/freeipa/issue/8005[#8005] (https://bugzilla.redhat.com/show_bug.cgi?id=1729099[rhbz#1729099]) User field separator uses '$$' within ipaSELinuxUserMapOrder
* https://pagure.io/freeipa/issue/8007[#8007] Not stable nodeids within pytest
* https://pagure.io/freeipa/issue/8008[#8008] Azure Pipeline slicing
* https://pagure.io/freeipa/issue/8009[#8009] Missing execution bit on `ipa-run-tests` within virtualenv
* https://pagure.io/freeipa/issue/8010[#8010] Extended Kerberos Ticket Policy
* https://pagure.io/freeipa/issue/8012[#8012] test_webui/test_loginscreen.py::TestLoginScreen::()::test_reset_password_and_login_view failure
* https://pagure.io/freeipa/issue/8013[#8013] (https://bugzilla.redhat.com/show_bug.cgi?id=1731433[rhbz#1731433]) ipa service-find does not list cifs service created by ipa-client-samba
* https://pagure.io/freeipa/issue/8015[#8015] p11helper: insufficient logging when loading LIBSOFTHSM2_SO
* https://pagure.io/freeipa/issue/8017[#8017] (https://bugzilla.redhat.com/show_bug.cgi?id=1817927[rhbz#1817927]) host-add --password logs cleartext userpassword to Apache error log
* https://pagure.io/freeipa/issue/8019[#8019] (https://bugzilla.redhat.com/show_bug.cgi?id=1732524[rhbz#1732524]) repeated uninstallation of ipa-client-samba crashes
* https://pagure.io/freeipa/issue/8020[#8020] support AES in LWCA key replication
* https://pagure.io/freeipa/issue/8021[#8021] (https://bugzilla.redhat.com/show_bug.cgi?id=1732528[rhbz#1732528]) ipa-client-samba can not install samba after uninstallation
* https://pagure.io/freeipa/issue/8022[#8022] azure pipeline: fail if dnf builddep exits on failure
* https://pagure.io/freeipa/issue/8024[#8024] [WebUI] test_webui/test_trust.py failed because of request timeout
* https://pagure.io/freeipa/issue/8026[#8026] Update pr-ci definitions with master_3client topology
* https://pagure.io/freeipa/issue/8027[#8027] test_nfs.py: migrate to master_3client
* https://pagure.io/freeipa/issue/8029[#8029] (https://bugzilla.redhat.com/show_bug.cgi?id=1749788[rhbz#1749788]) ipa host-find --pkey-only includes SSH keys in output
* https://pagure.io/freeipa/issue/8030[#8030] azure pipelines fail at "Install prerequisites" of Tox job
* https://pagure.io/freeipa/issue/8031[#8031] (https://bugzilla.redhat.com/show_bug.cgi?id=1734369[rhbz#1734369]) HBAC Test Validation error when running the HBAC test the second time round via the IPA Web GUI
* https://pagure.io/freeipa/issue/8034[#8034] Existing p11-kit config file is not restored on uninstall
* https://pagure.io/freeipa/issue/8038[#8038] (https://bugzilla.redhat.com/show_bug.cgi?id=1740167[rhbz#1740167]) ipa-client-automount --uninstall is not restoring nsswitch.conf
* https://pagure.io/freeipa/issue/8040[#8040] (https://bugzilla.redhat.com/show_bug.cgi?id=1731963[rhbz#1731963]) ipa migrate-ds fails with internal error.
* https://pagure.io/freeipa/issue/8044[#8044] (https://bugzilla.redhat.com/show_bug.cgi?id=1717008[rhbz#1717008]) Extdom plugin should not return LDAP_NO_SUCH_OBJECT if there are timeout or other errors
* https://pagure.io/freeipa/issue/8048[#8048] Travis-CI sometimes fails at dnf
* https://pagure.io/freeipa/issue/8052[#8052] test failure in test_integration/test_sudo.py::TestSudo::()::test_domain_resolution_order on fedora29
* https://pagure.io/freeipa/issue/8053[#8053] [WebUI] Fix login screen loading issue in test_loginscreen
* https://pagure.io/freeipa/issue/8054[#8054] (https://bugzilla.redhat.com/show_bug.cgi?id=1746557[rhbz#1746557]) ipa-client-install calls "authselect select sssd --force" at uninstall time before restoring user-nsswitch.conf
* https://pagure.io/freeipa/issue/8055[#8055] Test for PG6843: ipa-backup does not create log file at /var/log is failing
* https://pagure.io/freeipa/issue/8056[#8056] (https://bugzilla.redhat.com/show_bug.cgi?id=1746882[rhbz#1746882]) BuildRequires is not compatible with %{_libdir}
* https://pagure.io/freeipa/issue/8057[#8057] (https://bugzilla.redhat.com/show_bug.cgi?id=1747895[rhbz#1747895]) Running ipa-server-install produces SyntaxWarning: "is not" with a literal. Did you mean "!="?
* https://pagure.io/freeipa/issue/8062[#8062] Re-add configure_nsswitch_database, configure_nsswitch, ... to ipaclient.install
* https://pagure.io/freeipa/issue/8063[#8063] Nightly test failure in test_integration/test_nfs.py::TestIpaClientAutomountFileRestore::()::test_nsswitch_backup_restore_sssd
* https://pagure.io/freeipa/issue/8064[#8064] Request for IPA CI to enable DS audit/auditfail logging
* https://pagure.io/freeipa/issue/8066[#8066] (https://bugzilla.redhat.com/show_bug.cgi?id=1750242[rhbz#1750242]) Don't use -t option to klist in adtrust code when timestamp is not needed
* https://pagure.io/freeipa/issue/8067[#8067] (https://bugzilla.redhat.com/show_bug.cgi?id=1750700[rhbz#1750700]) add default access control configuration to trusted domain objects
* https://pagure.io/freeipa/issue/8070[#8070] Test failure in test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion::()::test_hidden_replica_install
* https://pagure.io/freeipa/issue/8073[#8073] Backup/restore does not restore /etc/pkcs11/modules/softhsm2.module
* https://pagure.io/freeipa/issue/8075[#8075] Don't create log file for helper scripts
* https://pagure.io/freeipa/issue/8077[#8077] New pylint 2.4.0 errors
* https://pagure.io/freeipa/issue/8079[#8079] (https://bugzilla.redhat.com/show_bug.cgi?id=1754530[rhbz#1754530]) [Security] By default, DNS recursion is open, breaking best practices
* https://pagure.io/freeipa/issue/8082[#8082] (https://bugzilla.redhat.com/show_bug.cgi?id=1756432[rhbz#1756432]) Default client configuration breaks ssh in FIPS mode.
* https://pagure.io/freeipa/issue/8084[#8084] (https://bugzilla.redhat.com/show_bug.cgi?id=1758406[rhbz#1758406]) KRA authentication fails when IPA CA has custom Subject DN
* https://pagure.io/freeipa/issue/8086[#8086] (https://bugzilla.redhat.com/show_bug.cgi?id=1756568[rhbz#1756568]) ipa-server-certinstall man page does not match built-in help.
* https://pagure.io/freeipa/issue/8094[#8094] Allow using of a custom OpenSSL engine for ISC BIND
* https://pagure.io/freeipa/issue/8097[#8097] ipa user-add-certmapdata is not able to add several entries correctly
* https://pagure.io/freeipa/issue/8098[#8098] Host principals lack ACI to look up DNS objects in LDAP
* https://pagure.io/freeipa/issue/8099[#8099] (https://bugzilla.redhat.com/show_bug.cgi?id=1762317[rhbz#1762317]) ipa-backup command is failing on rhel-7.8
* https://pagure.io/freeipa/issue/8101[#8101] Wrong pytest requirement in specfile
* https://pagure.io/freeipa/issue/8102[#8102] Pylint 2.4.3 + Astroid 2.3.2 errors
* https://pagure.io/freeipa/issue/8104[#8104] RFE: Disable Stale/Inactive Users - Upstream Design Document
* https://pagure.io/freeipa/issue/8105[#8105] (https://bugzilla.redhat.com/show_bug.cgi?id=1759281[rhbz#1759281]) getcert with -F option returns before cacert file is created
* https://pagure.io/freeipa/issue/8106[#8106] ca-certificate file not being parsed correctly on Ubuntu with p11-kit-trust.so due to data inserted by FreeIPA Client install
* https://pagure.io/freeipa/issue/8110[#8110] (https://bugzilla.redhat.com/show_bug.cgi?id=1768015[rhbz#1768015]) Enable AES SHA 256 and 384 Kerberos enctypes
* https://pagure.io/freeipa/issue/8111[#8111] (https://bugzilla.redhat.com/show_bug.cgi?id=1768959[rhbz#1768959]) [FIPS] Don't add camellia KRB5 encsalttypes in FIPS mode
* https://pagure.io/freeipa/issue/8113[#8113] (https://bugzilla.redhat.com/show_bug.cgi?id=1755535[rhbz#1755535]) ipa-advise on a RHEL7 IdM server is not able to generate a configuration script for a RHEL8 IdM client
* https://pagure.io/freeipa/issue/8114[#8114] [RFE] Delegate group membership management
* https://pagure.io/freeipa/issue/8115[#8115] Nightly test failure in fedora-30/test_smb and fedora-29/test_smb
* https://pagure.io/freeipa/issue/8116[#8116] Pylint parallel execution with custom plugin
* https://pagure.io/freeipa/issue/8118[#8118] Run smoke tests in FIPS mode
* https://pagure.io/freeipa/issue/8120[#8120] (https://bugzilla.redhat.com/show_bug.cgi?id=1769791[rhbz#1769791]) Invisible part of notification area in Web UI intercepts clicks of some page elements
* https://pagure.io/freeipa/issue/8122[#8122] (https://bugzilla.redhat.com/show_bug.cgi?id=1773528[rhbz#1773528]) group-add-member-manager does not report errors
* https://pagure.io/freeipa/issue/8123[#8123] (https://bugzilla.redhat.com/show_bug.cgi?id=1773528[rhbz#1773528]) [WebUI] Finish group membership management UI
* https://pagure.io/freeipa/issue/8124[#8124] Add option to ipa-cacert-manage to delete certificates
* https://pagure.io/freeipa/issue/8125[#8125] (https://bugzilla.redhat.com/show_bug.cgi?id=1777809[rhbz#1777809]) Use default crypto policy for TLS and enable TLS 1.3 support
* https://pagure.io/freeipa/issue/8129[#8129] Tests: Replace paramiko with OpenSSH
* https://pagure.io/freeipa/issue/8131[#8131] (https://bugzilla.redhat.com/show_bug.cgi?id=1777920[rhbz#1777920]) covscan memory leaks report
* https://pagure.io/freeipa/issue/8133[#8133] check_client_configuration() no longer works with IPA_CONFDIR
* https://pagure.io/freeipa/issue/8134[#8134] ipa user-add is inefficient
* https://pagure.io/freeipa/issue/8135[#8135] (https://bugzilla.redhat.com/show_bug.cgi?id=1777806[rhbz#1777806]) When Service weight is set as 0 for server in IPA location "IPA Error 903: InternalError" is displayed
* https://pagure.io/freeipa/issue/8137[#8137] reinstall failed in adding delegation layout
* https://pagure.io/freeipa/issue/8138[#8138] (https://bugzilla.redhat.com/show_bug.cgi?id=1780548[rhbz#1780548]) Man page ipa-cacert-manage does not display correctly on RHEL
* https://pagure.io/freeipa/issue/8142[#8142] check Not Before / Not After in externally signed CA sanity check
* https://pagure.io/freeipa/issue/8143[#8143] service.ldap_disable() does not remove "enabledService"
* https://pagure.io/freeipa/issue/8144[#8144] test_nfs.py: umount.nfs4: /home: device is busy
* https://pagure.io/freeipa/issue/8148[#8148] (https://bugzilla.redhat.com/show_bug.cgi?id=1782587[rhbz#1782587]) add "systemctl restart sssd" to warning message when adding trust agents to replicas
* https://pagure.io/freeipa/issue/8149[#8149] (https://bugzilla.redhat.com/show_bug.cgi?id=1783046[rhbz#1783046]) SIDs of AD domains do not display in ipa-client-samba installer
* https://pagure.io/freeipa/issue/8150[#8150] (https://bugzilla.redhat.com/show_bug.cgi?id=1784003[rhbz#1784003]) IPA Server install fail
* https://pagure.io/freeipa/issue/8151[#8151] test_commands timing-out
* https://pagure.io/freeipa/issue/8153[#8153] (https://bugzilla.redhat.com/show_bug.cgi?id=1784761[rhbz#1784761]) Kerberos ticket policy reset does not reset per-indicator policies
* https://pagure.io/freeipa/issue/8157[#8157] NIghtly test failure in fedora-rawhide/test_webui_network
* https://pagure.io/freeipa/issue/8159[#8159] please migrate to the new Fedora translation platform
* https://pagure.io/freeipa/issue/8163[#8163] (https://bugzilla.redhat.com/show_bug.cgi?id=1782572[rhbz#1782572]) "Internal Server Error" reported for minor issues implies IPA is broken [IdmHackfest2019]
* https://pagure.io/freeipa/issue/8164[#8164] (https://bugzilla.redhat.com/show_bug.cgi?id=1788907[rhbz#1788907]) Renewed certs are not picked up by IPA CAs
* https://pagure.io/freeipa/issue/8169[#8169] NIghtly test failure in fedora-rawhide/test_webui_policy
* https://pagure.io/freeipa/issue/8170[#8170] Nightly test failure in fedora-rawhide/test_backup_and_restore_TestBackupReinstallRestoreWithDNS
* https://pagure.io/freeipa/issue/8173[#8173] Broken -k argument parsing in ipa-run-tests 4.8.4-1 package
* https://pagure.io/freeipa/issue/8176[#8176] External CA is tracked for renewals and replaced with a self-signed certificate
* https://pagure.io/freeipa/issue/8179[#8179] Tests broken with python version < 3.7 (module 're' has no attribute 'Pattern')
* https://pagure.io/freeipa/issue/8186[#8186] Add ipa-ca.$DOMAIN alias to IPA server HTTP certificates
* https://pagure.io/freeipa/issue/8189[#8189] (https://bugzilla.redhat.com/show_bug.cgi?id=1810179[rhbz#1810179]) NIghtly test failure in test_integration/test_nfs.py::TestIpaClientAutomountFileRestore::test_nsswitch_backup_restore_sssd
* https://pagure.io/freeipa/issue/8190[#8190] (https://bugzilla.redhat.com/show_bug.cgi?id=1790886[rhbz#1790886]) ipa-client-automount fails after repeated installation/uninstallation
* https://pagure.io/freeipa/issue/8192[#8192] (https://bugzilla.redhat.com/show_bug.cgi?id=1665051[rhbz#1665051]) ipa-adtrust-install does not list service records for manual addition to DNS zone
* https://pagure.io/freeipa/issue/8193[#8193] (https://bugzilla.redhat.com/show_bug.cgi?id=1801791[rhbz#1801791]) Re-order 50-externalmembers.update to be after 80-schema_compat.update
* https://pagure.io/freeipa/issue/8196[#8196] API: dnsrecord_del failure with empty list aaaarecord
* https://pagure.io/freeipa/issue/8200[#8200] (https://bugzilla.redhat.com/show_bug.cgi?id=1803786[rhbz#1803786]) ipa krb5kdc db: krb5kdc coredump
* https://pagure.io/freeipa/issue/8201[#8201] update ssbrowser.html
* https://pagure.io/freeipa/issue/8202[#8202] Azure: add support for multi-container tests
* https://pagure.io/freeipa/issue/8204[#8204] (https://bugzilla.redhat.com/show_bug.cgi?id=1810148[rhbz#1810148]) ipa-server-certinstall -> certmonger add_subject template-subject dbus 'unable to set arguments' a{sv}
* https://pagure.io/freeipa/issue/8207[#8207] Extend Web UI for Kerberos ticket policy to add authentication indicator support
* https://pagure.io/freeipa/issue/8214[#8214] Support for opendnssec 2.1.6
* https://pagure.io/freeipa/issue/8217[#8217] (https://bugzilla.redhat.com/show_bug.cgi?id=1810154[rhbz#1810154]) RFE: ipa-backup should compare locally and globally installed server roles
* https://pagure.io/freeipa/issue/8219[#8219] ipatests: unify editing of sssd.conf
* https://pagure.io/freeipa/issue/8221[#8221] (https://bugzilla.redhat.com/show_bug.cgi?id=1812169[rhbz#1812169]) Secure AJP connector between Dogtag and Apache proxy
* https://pagure.io/freeipa/issue/8222[#8222] Upgrade dojo.js
* https://pagure.io/freeipa/issue/8226[#8226] (https://bugzilla.redhat.com/show_bug.cgi?id=1813330[rhbz#1813330]) ipa-restore does not restart httpd
* https://pagure.io/freeipa/issue/8228[#8228] Nightly failure in backup/restore while calling 'id admin'
* https://pagure.io/freeipa/issue/8233[#8233] 4.8.5 master Installation error
* https://pagure.io/freeipa/issue/8236[#8236] (https://bugzilla.redhat.com/show_bug.cgi?id=1809835[rhbz#1809835]) Enforce a check to prevent adding objects from IPA as external members of external groups
* https://pagure.io/freeipa/issue/8239[#8239] Actualize Bootstrap version
* https://pagure.io/freeipa/issue/8240[#8240] (https://bugzilla.redhat.com/show_bug.cgi?id=1816784[rhbz#1816784]) KRA install fails if all KRA members are Hidden Replicas
* https://pagure.io/freeipa/issue/8241[#8241] Build fails on Fedora 30
* https://pagure.io/freeipa/issue/8247[#8247] test_fips PR-CI templates have a too-short timeout
* https://pagure.io/freeipa/issue/8248[#8248] httpd ccaches created during server upgrade aren't cleaned up on uninstall/install
* https://pagure.io/freeipa/issue/8251[#8251] [Azure] Catch coredumps
* https://pagure.io/freeipa/issue/8254[#8254] [Azure] 'Tox' task fails against Python3.8
* https://pagure.io/freeipa/issue/8261[#8261] [ipatests] Integration tests fail on non-firewalld distros
* https://pagure.io/freeipa/issue/8262[#8262] test_ipahealthcheck needs a higher timeout than 3600
* https://pagure.io/freeipa/issue/8264[#8264] Nightly test failure in test_integration.test_commands.TestIPACommand.test_hbac_systemd_user
* https://pagure.io/freeipa/issue/8265[#8265] [ipatests] `/var/log/ipaupgrade.log` is not collected
* https://pagure.io/freeipa/issue/8266[#8266] test_webui_server requires a higher timeout than 3600
* https://pagure.io/freeipa/issue/8268[#8268] Prevent use of too long passwords
* https://pagure.io/freeipa/issue/8272[#8272] Use /run instead of /var/run
* https://pagure.io/freeipa/issue/8273[#8273] (https://bugzilla.redhat.com/show_bug.cgi?id=1834385[rhbz#1834385]) Man page syntax issue detected by rpminspect
* https://pagure.io/freeipa/issue/8275[#8275] (https://bugzilla.redhat.com/show_bug.cgi?id=1880628[rhbz#1880628]) Support systemd-resolved
* https://pagure.io/freeipa/issue/8276[#8276] Add default password policy for sysaccounts
* https://pagure.io/freeipa/issue/8283[#8283] Failures and AVCs with OpenDNSSEC 2.1
* https://pagure.io/freeipa/issue/8284[#8284] Upgrade jQuery version to actual one
* https://pagure.io/freeipa/issue/8287[#8287] named not starting after #8079, ipa-ext.conf breaks bind
* https://pagure.io/freeipa/issue/8289[#8289] ipa servicedelegationtarget-add-member does not allow to add hosts as targets
* https://pagure.io/freeipa/issue/8290[#8290] API inconsistencies
* https://pagure.io/freeipa/issue/8291[#8291] krb5kdc crashes in IPA plugin on use of IPA Windows principal alias
* https://pagure.io/freeipa/issue/8297[#8297] Fix new pylint 2.5.0 warnings and errors
* https://pagure.io/freeipa/issue/8298[#8298] [WebUI] Cover membership management with UI tests
* https://pagure.io/freeipa/issue/8300[#8300] Replace uglify-js with python3-rjsmin
* https://pagure.io/freeipa/issue/8301[#8301] The value of the first character in target* keywords is expected to be a double quote
* https://pagure.io/freeipa/issue/8304[#8304] [fed32] client-install does not properly set ChallengeResponseAuthentication yes in sshd conf
* https://pagure.io/freeipa/issue/8306[#8306] Adopt Black code style
* https://pagure.io/freeipa/issue/8307[#8307] make devcheck fails for test_ipatests_plugins/test_ipa_run_tests.py
* https://pagure.io/freeipa/issue/8308[#8308] (https://bugzilla.redhat.com/show_bug.cgi?id=1829787[rhbz#1829787]) ipa service-del deletes the required principal when specified in lower/upper case
* https://pagure.io/freeipa/issue/8309[#8309] Convert ipaplatform from namespace package to regular package
* https://pagure.io/freeipa/issue/8311[#8311] (https://bugzilla.redhat.com/show_bug.cgi?id=1825829[rhbz#1825829]) ipa-advise on a RHEL7 IdM server generate a configuration script for client having hardcoded python3
* https://pagure.io/freeipa/issue/8312[#8312] Fix api.env.in_tree detection logic
* https://pagure.io/freeipa/issue/8313[#8313] Values of api.env.mode are inconsistent
* https://pagure.io/freeipa/issue/8315[#8315] (https://bugzilla.redhat.com/show_bug.cgi?id=1833266[rhbz#1833266]) [dirsrv] set 'nsslapd-enable-upgrade-hash: off' as this raises warnings
* https://pagure.io/freeipa/issue/8316[#8316] [Azure] Whitelist clock_adjtime syscall
* https://pagure.io/freeipa/issue/8317[#8317] XML-RCP and CLI tests depend on internal --force option
* https://pagure.io/freeipa/issue/8319[#8319] Support server referrals for enterprise principals
* https://pagure.io/freeipa/issue/8322[#8322] [RFE] Changing default hostgroup is too easy
* https://pagure.io/freeipa/issue/8323[#8323] [Build failure] Race: make po fails on parallel build
* https://pagure.io/freeipa/issue/8325[#8325] [WebUI] Fix htmlPrefilter issue in jQuery
* https://pagure.io/freeipa/issue/8326[#8326] CVE-2020-10747
* https://pagure.io/freeipa/issue/8328[#8328] krbtpolicy-mod cannot handle two auth ind options of the same type at the same time
* https://pagure.io/freeipa/issue/8330[#8330] [Azure] Build job fails on `tests` container preparation
* https://pagure.io/freeipa/issue/8335[#8335] [WebUI] manage IPA resources as a user from a trusted Active Directory domain
* https://pagure.io/freeipa/issue/8336[#8336] [WebUI] "User attributes for SMB services" section always shown
* https://pagure.io/freeipa/issue/8338[#8338] [WebUI] Host detail with no assigned ID view makes invalid RPC call
* https://pagure.io/freeipa/issue/8339[#8339] [WebUI] User details tab headers don't show member count when on settings tab
* https://pagure.io/freeipa/issue/8344[#8344] Nightly test failure in test_smb.py::TestSMB::test_smb_service_s4u2self
* https://pagure.io/freeipa/issue/8348[#8348] Allow managed permissions with ldap:///self bind rule
* https://pagure.io/freeipa/issue/8349[#8349] bind-9.16 and dnssec-enable
* https://pagure.io/freeipa/issue/8350[#8350] bind-9.16 and DLV
* https://pagure.io/freeipa/issue/8352[#8352] RPC API crashes when a user is disabled while a session exists
* https://pagure.io/freeipa/issue/8357[#8357] Allow managing IPA resources as a user from a trusted Active Directory forest
* https://pagure.io/freeipa/issue/8358[#8358] TTL of DNS record can be set to negative value
* https://pagure.io/freeipa/issue/8359[#8359] [WebUI] dnsrecord_mod results in JS error
* https://pagure.io/freeipa/issue/8360[#8360] lite-server: Werkzeug deprecation warnings
* https://pagure.io/freeipa/issue/8362[#8362] (https://bugzilla.redhat.com/show_bug.cgi?id=1826659[rhbz#1826659]) IPA: Ldap authentication failure due to Kerberos principal expiration UTC timestamp
* https://pagure.io/freeipa/issue/8363[#8363] DNS config upgrade code fails
* https://pagure.io/freeipa/issue/8364[#8364] Nightly test failure while establishing trust: Cannot find specified domain or server name
* https://pagure.io/freeipa/issue/8366[#8366] CA-less replica deployment fails with --setup-ca
* https://pagure.io/freeipa/issue/8367[#8367] IPA-EPN fails to build in ONLY_CLIENT mode
* https://pagure.io/freeipa/issue/8368[#8368] (https://bugzilla.redhat.com/show_bug.cgi?id=1846349[rhbz#1846349]) cannot issue certs with multiple IP addresses corresponding to different hosts
* https://pagure.io/freeipa/issue/8369[#8369] cert_find returns "CA not configured" in CA-less install
* https://pagure.io/freeipa/issue/8370[#8370] ipa-join does not set nshardwareplatform and nsosversion
* https://pagure.io/freeipa/issue/8371[#8371] Nightly test failure [testing_master_testing] in test_integration/test_idviews.py::TestCertsInIDOverrides
* https://pagure.io/freeipa/issue/8372[#8372] (https://bugzilla.redhat.com/show_bug.cgi?id=1849914[rhbz#1849914]) FreeIPA - Utilize 256-bit AJP connector passwords
* https://pagure.io/freeipa/issue/8374[#8374] (https://bugzilla.redhat.com/show_bug.cgi?id=1847999[rhbz#1847999]) EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in freeipa-client-epn
* https://pagure.io/freeipa/issue/8377[#8377] Nightly test failure (timeout) in test_caless_TestReplicaInstall
* https://pagure.io/freeipa/issue/8378[#8378] CA validity past year 2038 breaks cert.py plugin on 32-bit platform
* https://pagure.io/freeipa/issue/8379[#8379] Nightly test failure [testing_master_pki] while installing CA replica
* https://pagure.io/freeipa/issue/8381[#8381] Nightly test failure in test_webui/test_loginscreen.py::TestLoginScreen::test_login_view
* https://pagure.io/freeipa/issue/8383[#8383] Test with dnspython 2.0
* https://pagure.io/freeipa/issue/8384[#8384] Provide reliable way to know if a server installation is complete
* https://pagure.io/freeipa/issue/8388[#8388] Make help() on plugins more useful
* https://pagure.io/freeipa/issue/8391[#8391] Remove dnf workaround from test_epn.y
* https://pagure.io/freeipa/issue/8394[#8394] Nightly test failure in cert-related tests
* https://pagure.io/freeipa/issue/8395[#8395] selinux don't audit rules deny fetching trust topology
* https://pagure.io/freeipa/issue/8396[#8396] [WebUI] Font type of "Enabled" column in user search facet wrong
* https://pagure.io/freeipa/issue/8399[#8399] certmonger attempts to add LWCA tracking requests on non-CA server.
* https://pagure.io/freeipa/issue/8400[#8400] sshd template file is installed in a wrong (server) location while used by the client side
* https://pagure.io/freeipa/issue/8401[#8401] Create platform definitions for freeipa-container
* https://pagure.io/freeipa/issue/8403[#8403] Add option to add ipaapi user as an allowed uid for ifp in /etc/sssd/sssd.conf when running ipa-replica-install
* https://pagure.io/freeipa/issue/8404[#8404] Detect and fail if not enough memory is available for installation
* https://pagure.io/freeipa/issue/8405[#8405] Don't delegate full TGT in ipa-join
* https://pagure.io/freeipa/issue/8407[#8407] Support changelog integrated into main database
* https://pagure.io/freeipa/issue/8408[#8408] Nightly test failure in test_integration/test_replica_promotion.py::TestUnprivilegedUserPermissions::test_client_enrollment_by_unprivileged_user
* https://pagure.io/freeipa/issue/8412[#8412] (https://bugzilla.redhat.com/show_bug.cgi?id=1857157[rhbz#1857157]) AVC: httpd cannot connect to ipa-custodia.sock
* https://pagure.io/freeipa/issue/8413[#8413] Nightly test failure in test_integration/test_replica_promotion.py::TestUnprivilegedUserPermissions::test_sssd_config_allows_ipaapi_access_to_ifp
* https://pagure.io/freeipa/issue/8414[#8414] Nightly test failure in test_integration/test_replica_promotion.py::TestReplicaPromotionLevel1::test_sssd_config_allows_ipaapi_access_to_ifp
* https://pagure.io/freeipa/issue/8416[#8416] [WebUI] Error while adding user ID overrides to group
* https://pagure.io/freeipa/issue/8419[#8419] Azure is reporting a slew of new no-member lint errors
* https://pagure.io/freeipa/issue/8425[#8425] Nightly test failure in test_cert.test_cert.TestInstallMasterClient (certmonger timeout)
* https://pagure.io/freeipa/issue/8428[#8428] [ipatests] fails due to new python-cryptography 3.0
* https://pagure.io/freeipa/issue/8429[#8429] Add fips-mode-setup to ipaplatform.paths
* https://pagure.io/freeipa/issue/8432[#8432] test failure in test_commands.py::TestIPACommand::test_login_wrong_password: AssertionError
* https://pagure.io/freeipa/issue/8435[#8435] [ipatests] failures due to new Pytest6.0 (pypi part)
* https://pagure.io/freeipa/issue/8437[#8437] unit tests for ipa-extdom-extop are failing in Fedora 33
* https://pagure.io/freeipa/issue/8439[#8439] Nightly test failure in test_integration/test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring
* https://pagure.io/freeipa/issue/8440[#8440] (https://bugzilla.redhat.com/show_bug.cgi?id=1863616[rhbz#1863616]) CA-less install does not set required permissions on KDC certificate
* https://pagure.io/freeipa/issue/8441[#8441] (https://bugzilla.redhat.com/show_bug.cgi?id=1870202[rhbz#1870202]) File permissions of /etc/ipa/ca.crt differ between CA-ful and CA-less
* https://pagure.io/freeipa/issue/8442[#8442] [pylint] warnings/errors against pylint 2.5.3
* https://pagure.io/freeipa/issue/8443[#8443] ipa delegation-add can add permissions and attributes several times
* https://pagure.io/freeipa/issue/8444[#8444] (https://bugzilla.redhat.com/show_bug.cgi?id=1866291[rhbz#1866291]) EPN: enhance input validation
* https://pagure.io/freeipa/issue/8445[#8445] (https://bugzilla.redhat.com/show_bug.cgi?id=1863079[rhbz#1863079]) EPN: '[Errno 111] Connection refused' when the SMTP is down
* https://pagure.io/freeipa/issue/8446[#8446] ipa dnszone-add ignores --name-from-ip option if name is given
* https://pagure.io/freeipa/issue/8447[#8447] Nightly test failure in test_integration/test_ipahealthcheck/TestIpaHealthCheckWithoutDNS
* https://pagure.io/freeipa/issue/8449[#8449] (https://bugzilla.redhat.com/show_bug.cgi?id=1866291[rhbz#1866291]) EPN: enhance CLI option tests
* https://pagure.io/freeipa/issue/8456[#8456] Need new aci's for the new replication changelog entries
* https://pagure.io/freeipa/issue/8458[#8458] auto-upgrade will never happen for existing installations
* https://pagure.io/freeipa/issue/8459[#8459] [upgrade] handle missing openssh-clients
* https://pagure.io/freeipa/issue/8461[#8461] [ALTLinux] server uninstall error on missing /var/lib/samba
* https://pagure.io/freeipa/issue/8463[#8463] Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring
* https://pagure.io/freeipa/issue/8464[#8464] Increase replication changelog trimming interval
* https://pagure.io/freeipa/issue/8468[#8468] [pylint] new warnings on dev branch
* https://pagure.io/freeipa/issue/8472[#8472] [tracker] Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA
* https://pagure.io/freeipa/issue/8473[#8473] Nightly test failure in all webui tests: Invalid or corrupt jarfile /opt/selenium.jar
* https://pagure.io/freeipa/issue/8474[#8474] Mozilla's NSS without DBM
* https://pagure.io/freeipa/issue/8475[#8475] Azure: tox task and virtualenv 20+
* https://pagure.io/freeipa/issue/8481[#8481] Nightly test failure in rawhide in tasks.configure_dns_for_trust
* https://pagure.io/freeipa/issue/8482[#8482] Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheck::test_source_ipahealthcheck_meta_services_check
* https://pagure.io/freeipa/issue/8488[#8488] (https://bugzilla.redhat.com/show_bug.cgi?id=1868432[rhbz#1868432]) SELinux blocks custodia key replication / retrieval for sub-CAs
* https://pagure.io/freeipa/issue/8490[#8490] (https://bugzilla.redhat.com/show_bug.cgi?id=1875001[rhbz#1875001]) It is not possible to edit KDC database when the FreeIPA server is running
* https://pagure.io/freeipa/issue/8491[#8491] Unindexed searches in FreeIPA git master
* https://pagure.io/freeipa/issue/8493[#8493] Synchronize index LDIF and index update files
* https://pagure.io/freeipa/issue/8494[#8494] Azure Pipelines are broken due to docker compose tool upgrade
* https://pagure.io/freeipa/issue/8496[#8496] [Tracker] Multiple nightly test failures in test_dnssec
* https://pagure.io/freeipa/issue/8498[#8498] Check 3rd-party IPA server HTTP cert for ipa-ca.$DOMAIN dnsName on CA replicas
* https://pagure.io/freeipa/issue/8501[#8501] Unify how FreeIPA gets FQDN of current host
* https://pagure.io/freeipa/issue/8502[#8502] Don't create DirSRV SSCA
* https://pagure.io/freeipa/issue/8503[#8503] (https://bugzilla.redhat.com/show_bug.cgi?id=1879604[rhbz#1879604]) pkispawn logs files are empty
* https://pagure.io/freeipa/issue/8505[#8505] Nightly failure (fedora31) in test_integration/test_smb.py::TestSMB::test_smb_service_s4u2self
* https://pagure.io/freeipa/issue/8507[#8507] [WebUI] Backport jQuery patches from newer versions of the library (e.g. 3.5.0)
* https://pagure.io/freeipa/issue/8510[#8510] (https://bugzilla.redhat.com/show_bug.cgi?id=1881630[rhbz#1881630]) create_active_user and kinit_as_user should collect kdcinfo.REALM on failure
* https://pagure.io/freeipa/issue/8511[#8511] The selinux subpackage does not have a requirement to match the server install
* https://pagure.io/freeipa/issue/8512[#8512] Import of psutil can trigger SELinux violation
* https://pagure.io/freeipa/issue/8513[#8513] (https://bugzilla.redhat.com/show_bug.cgi?id=1868432[rhbz#1868432]) SELinux module fails to load: Re-declaration of type node_t
* https://pagure.io/freeipa/issue/8515[#8515] (https://bugzilla.redhat.com/show_bug.cgi?id=1882340[rhbz#1882340]) nsslapd-db-locks patching no longer works
* https://pagure.io/freeipa/issue/8516[#8516] Nightly test failure (master) in ipa trust-add
* https://pagure.io/freeipa/issue/8518[#8518] Upgrade F32 to F33 fails in DNS upgrade code
* https://pagure.io/freeipa/issue/8519[#8519] Fedora container platform is incomplete
* https://pagure.io/freeipa/issue/8521[#8521] Speed up ipa-server-install
* https://pagure.io/freeipa/issue/8522[#8522] Remove cainstance.migrate_profiles_to_ldap()
* https://pagure.io/freeipa/issue/8523[#8523] Topology Graph returns Runtime Error
* https://pagure.io/freeipa/issue/8524[#8524] (https://bugzilla.redhat.com/show_bug.cgi?id=1851835[rhbz#1851835]) Deploy & manage the ACME service topology wide from a single system
* https://pagure.io/freeipa/issue/8528[#8528] Use separate logs for AD Trust and DNS installer
* https://pagure.io/freeipa/issue/8529[#8529] ipa-ca record incomplete when hostname is not in DNS
* https://pagure.io/freeipa/issue/8530[#8530] (https://bugzilla.redhat.com/show_bug.cgi?id=1859185[rhbz#1859185]) Running ipa-server-install fails on machine where libsss_sudo is not installed
* https://pagure.io/freeipa/issue/8533[#8533] Nightly failure in ipa-replica-install configuring renewals: DBusException: org.freedesktop.DBus.Error.NoReply
* https://pagure.io/freeipa/issue/8535[#8535] (https://bugzilla.redhat.com/show_bug.cgi?id=1887928[rhbz#1887928]) RPM spec moves ssh server config to a snippet but does not ensure sshd_config includes the snippet
* https://pagure.io/freeipa/issue/8536[#8536] RFE: ipatests: run healthcheck on hidden replica
* https://pagure.io/freeipa/issue/8541[#8541] Nightly failure (fed33) in test_installation.py::TestInstallMaster::test_selinux_avcs
* https://pagure.io/freeipa/issue/8551[#8551] (https://bugzilla.redhat.com/show_bug.cgi?id=1784657[rhbz#1784657]) Unlock user accounts after a password reset and replicate that unlock to all IdM servers
* https://pagure.io/freeipa/issue/8554[#8554] (https://bugzilla.redhat.com/show_bug.cgi?id=1891056[rhbz#1891056]) ipa-kdb: support subordinate/superior UPN suffixes
* https://pagure.io/freeipa/issue/8555[#8555] (https://bugzilla.redhat.com/show_bug.cgi?id=1340463[rhbz#1340463]) Nightly test failure in test_pwpolicy.py::test_pwpolicy::test_misc
* https://pagure.io/freeipa/issue/8558[#8558] Create backend entry before creating mapping tree entry for ipaca backend
* https://pagure.io/freeipa/issue/8559[#8559] Nightly test failure in test_trust.py::TestTrust::test_password_login_as_aduser
* https://pagure.io/freeipa/issue/8560[#8560] Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_encryption
* https://pagure.io/freeipa/issue/8563[#8563] Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_riplugincheck
* https://pagure.io/freeipa/issue/8566[#8566] Subordinate suffixes aren't treated as subordinate in trust to Active Directory (crash part)
* https://pagure.io/freeipa/issue/8567[#8567] (https://bugzilla.redhat.com/show_bug.cgi?id=1894800[rhbz#1894800]) IPA WebUI inaccessible after upgrading to RHEL 8.3.- idoverride-memberof.js missing
* https://pagure.io/freeipa/issue/8572[#8572] Nightly failure in test_acme.py::TestACMECALess::test_enable_caless_to_cafull_replica
* https://pagure.io/freeipa/issue/8573[#8573] Nightly failure in test_ipahealthcheck.py::TestIpaHealthCheckWithoutDNS::test_ipa_dns_systemrecords_check
* https://pagure.io/freeipa/issue/8578[#8578] EPN: SMTP client downgrade smtp_security from `starttls` to `none`
* https://pagure.io/freeipa/issue/8579[#8579] EPN: SMTP client doesn't validate server certificate
* https://pagure.io/freeipa/issue/8580[#8580] EPN: SMTP client authentication by certificate
* https://pagure.io/freeipa/issue/8584[#8584] ACME communication with dogtag REST endpoints should be using the cookie it creates
* https://pagure.io/freeipa/issue/8585[#8585] Compile warnings on rawhide
freeipa-users@lists.fedorahosted.org