The FreeIPA team would like to announce FreeIPA 4.10.2 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
== Highlights in 4.10.2
* 5444: [RFE] Support Resource based kerberos constrained delegation
* 9287: [RFE] makeapi should validate the generated API doc vs stored doc
* 9294: Enable the certificate pruning job in PKI
Removing (pruning) expired certificates is supported when Random Serial Numbers are enabled. One cannot upgrade from sequential serial numbers to random. This feature is enabled using the ipa-acme-manage(1) command.
* 9331: Better handling of the command line and web UI cert search and/or list features
cert-find performance was improved dramatically when a large number of certificates are returned by changing the method IPA uses internally to parse results from the CA.
* 9354: Implement resource-based constrained delegation
FreeIPA provides initial implementation of resource-based constrained delegation (RBCD) for Kerberos services. RBCD and other Kerberos delegation services described in the design document: https://freeipa.readthedocs.io/en/latest/designs/rbcd.html. The initial implementation works for FreeIPA services, work on supporting cross-realm RBCD continues.
* 9373: Make sign_authdata() generate extended KDC signature
FreeIPA KDCs will automatically start requiring two new Kebreros ticket signatures when the whole realm is running on MIT Kerberos 1.21 or later. On older MIT Kerberos versions, the lack of the new ticket signature will be tolerated to allow gradual upgrades. More details are available at https://pagure.io/freeipa/c/3f1b373cb2028416e40a26e3dd99b0f4c82525c7. In addition, a 'full PAC' signature type was added to MIT Kerberos 1.21. FreeIPA will support the new signature when running against newer MIT Kerberos version. For older versions, please see https://pagure.io/freeipa/c/9cd5f49c74f28dbe070b072b394747a039cef463. This new PAC signature will be required by default by Active Directory in July 2023 for S4U requests, and opt-out will no longer be possible after October 2023. We recommend upgrading to newer versions of FreeIPA-based distributions to avoid interoperability break.
=== Known Issues
* 9298: [Tracker] Nightly test failure (updates-testing) in test_acme.py::TestACME::test_certbot_certonly_standalone
With Certbot update to 2.0.0, Certbot defaults to ECDSA certificate private keys for all new certificates. PKI ACME cert profile supports only rsa private keys, meaning that the key type needs to be forced to rsa when requesting an ACME certificate, using certbot --key-type rsa [...]
=== Bug fixes
FreeIPA 4.10.2 is a stabilization release for the features delivered as a part of 4.10 version series.
There are more than 60 bug-fixes since FreeIPA 4.10.1 release. Details of the bug-fixes can be seen in the list of resolved tickets below.
== Upgrading
Upgrade instructions are available on Upgrade page.
== Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...) or #freeipa channel on libera.chat.
== Resolved tickets
* https://pagure.io/freeipa/issue/5130%5B#5130] (https://bugzilla.redhat.com/show_bug.cgi?id=1243261%5Brhbz#1243261]) non-admin users cannot search hbac rules * https://pagure.io/freeipa/issue/5444%5B#5444] [RFE] Support Resource based kerberos constrained delegation * https://pagure.io/freeipa/issue/6044%5B#6044] (https://bugzilla.redhat.com/show_bug.cgi?id=1353899%5Brhbz#1353899]) ipa-advise: object of type 'type' has no len() * https://pagure.io/freeipa/issue/8941%5B#8941] Usage of `/usr/bin/env` in Python scripts * https://pagure.io/freeipa/issue/8990%5B#8990] ipa group-mod should fail properly with --posix and --external options * https://pagure.io/freeipa/issue/9086%5B#9086] Have ipa-client-install additionally disable the unscd service if using SSSD * https://pagure.io/freeipa/issue/9124%5B#9124] Nightly test failure in test_smb.py::TestSMB::test_smb_service_s4u2self * https://pagure.io/freeipa/issue/9164%5B#9164] Cross realm s4u2self/s4u2proxy fails * https://pagure.io/freeipa/issue/9195%5B#9195] (https://bugzilla.redhat.com/show_bug.cgi?id=2158775%5Brhbz#2158775]) Hiding a server does not completely clean up DNS records * https://pagure.io/freeipa/issue/9226%5B#9226] (https://bugzilla.redhat.com/show_bug.cgi?id=2124547%5Brhbz#2124547]) Infinite redirect loop in the WebUI for user root * https://pagure.io/freeipa/issue/9232%5B#9232] ipaserver circular import * https://pagure.io/freeipa/issue/9249%5B#9249] (https://bugzilla.redhat.com/show_bug.cgi?id=2108630%5Brhbz#2108630]) Deprecated feature idnssoaserial in IdM appears when creating reverse dns zones * https://pagure.io/freeipa/issue/9259%5B#9259] (https://bugzilla.redhat.com/show_bug.cgi?id=2144737%5Brhbz#2144737]) vault interoperability with older RHEL systems is broken * https://pagure.io/freeipa/issue/9264%5B#9264] Nightly failure in test_integration/test_sso.py::TestSsoBridge::test_ipa_login_with_sso_user * https://pagure.io/freeipa/issue/9267%5B#9267] (https://bugzilla.redhat.com/show_bug.cgi?id=2188567%5Brhbz#2188567]) Unconditionally adding 'includedir /var/lib/sss/pubconf/krb5.include.d' to /etc/krb5.conf break Java's ability to parse krb5.conf * https://pagure.io/freeipa/issue/9278%5B#9278] Pylint 2.15 issues * https://pagure.io/freeipa/issue/9279%5B#9279] ipa-otpd@.service: deprecated syslog setting * https://pagure.io/freeipa/issue/9282%5B#9282] Nightly test failure in test_webui/test_subid.py/test_subid/test_subid_range_deletion_not_allowed * https://pagure.io/freeipa/issue/9285%5B#9285] ipa-certupdate restarts HTTPd too early * https://pagure.io/freeipa/issue/9286%5B#9286] (https://bugzilla.redhat.com/show_bug.cgi?id=2056009%5Brhbz#2056009]) memberManager ACIs aren't allowing group-based manager access due to missing upgrade code * https://pagure.io/freeipa/issue/9287%5B#9287] [RFE] makeapi should validate the generated API doc vs stored doc * https://pagure.io/freeipa/issue/9290%5B#9290] (https://bugzilla.redhat.com/show_bug.cgi?id=2149889%5Brhbz#2149889]) idm:client is missing dependency on krb5-pkinit. * https://pagure.io/freeipa/issue/9291%5B#9291] Nightly test failure (rawhide) in test_ipa_dns_systemrecords_check * https://pagure.io/freeipa/issue/9294%5B#9294] (https://bugzilla.redhat.com/show_bug.cgi?id=2162677%5Brhbz#2162677]) Enable the certificate pruning job in PKI * https://pagure.io/freeipa/issue/9295%5B#9295] Nightly test failure (sssd) in test_trust.py::TestNonPosixAutoPrivateGroup and test_trust.py::TestPosixAutoPrivateGroup * https://pagure.io/freeipa/issue/9298%5B#9298] [Tracker] Nightly test failure (updates-testing) in test_acme.py::TestACME::test_certbot_certonly_standalone * https://pagure.io/freeipa/issue/9299%5B#9299] NixOS support for freeipa in ipaplatform * https://pagure.io/freeipa/issue/9306%5B#9306] (https://bugzilla.redhat.com/show_bug.cgi?id=2160389%5Brhbz#2160389]) 'ERROR Could not remove /tmp/tmpbkw6hawo.ipabkp' can be seen prior to 'ipa-client-install' command was successful. * https://pagure.io/freeipa/issue/9309%5B#9309] (https://bugzilla.redhat.com/show_bug.cgi?id=2160399%5Brhbz#2160399]) get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct * https://pagure.io/freeipa/issue/9310%5B#9310] (https://bugzilla.redhat.com/show_bug.cgi?id=2162335%5Brhbz#2162335]) ipa-trust-add with --range-type=ipa-ad-trust-posix fails while creating an ID range * https://pagure.io/freeipa/issue/9313%5B#9313] Nightly test failure (rawhide): automember-rebuild test * https://pagure.io/freeipa/issue/9314%5B#9314] Redundant build dependency on python3-paste (if with lint) * https://pagure.io/freeipa/issue/9315%5B#9315] [tests] test_ipa_healthcheck_fips_enabled fails on system without fips-mode-setup * https://pagure.io/freeipa/issue/9316%5B#9316] (https://bugzilla.redhat.com/show_bug.cgi?id=2166324%5Brhbz#2166324]) Passwordless (GSSAPI) SSH login with AD user * https://pagure.io/freeipa/issue/9318%5B#9318] Incomplete fast lint/codestyle check if both Python template files and Python modules were changed * https://pagure.io/freeipa/issue/9319%5B#9319] [tests] TestDNSResolver failures on systems without or empty /etc/resolv.conf * https://pagure.io/freeipa/issue/9320%5B#9320] (https://bugzilla.redhat.com/show_bug.cgi?id=2018198%5Brhbz#2018198]) RFE - Add a warning note about possible performance impact of the Auto Member rebuild task. * https://pagure.io/freeipa/issue/9322%5B#9322] (https://bugzilla.redhat.com/show_bug.cgi?id=2162677%5Brhbz#2162677]) Nightly test failure in test_integration/test_acme.py::TestACME * https://pagure.io/freeipa/issue/9323%5B#9323] Update the design doc for certificate pruning * https://pagure.io/freeipa/issue/9324%5B#9324] ipatests: Frequent timeout of test_acme * https://pagure.io/freeipa/issue/9325%5B#9325] (https://bugzilla.redhat.com/show_bug.cgi?id=2168244%5Brhbz#2168244]) requestsearchtimelimit=0 doesn't seems to be work with ipa-acme-manage pruning command * https://pagure.io/freeipa/issue/9326%5B#9326] ipatests: timeout of test_trust * https://pagure.io/freeipa/issue/9329%5B#9329] Azure test: WebUI_Unit_Tests are failing * https://pagure.io/freeipa/issue/9331%5B#9331] (https://bugzilla.redhat.com/show_bug.cgi?id=2164349%5Brhbz#2164349]) Better handling of the command line and web UI cert search and/or list features * https://pagure.io/freeipa/issue/9332%5B#9332] Extend negative test coverage for automember * https://pagure.io/freeipa/issue/9333%5B#9333] ipa-client-install --pkinit-identity can block in unattended mode * https://pagure.io/freeipa/issue/9338%5B#9338] Update 'Auth indicators' doc string to show 'ipd' usage * https://pagure.io/freeipa/issue/9339%5B#9339] Broken support for dnspython < 2 * https://pagure.io/freeipa/issue/9342%5B#9342] Fedora trasiition license from short names to SPDX license expression * https://pagure.io/freeipa/issue/9344%5B#9344] ipa-server-install fails when the named keytab location is overridden in ipaplatform/paths.py * https://pagure.io/freeipa/issue/9347%5B#9347] Azure Ci does not work with Fedora Rawhide * https://pagure.io/freeipa/issue/9349%5B#9349] (https://bugzilla.redhat.com/show_bug.cgi?id=2180914%5Brhbz#2180914]) Sequence processing failures for group_add using server context * https://pagure.io/freeipa/issue/9354%5B#9354] Implement resource-based constrained delegation * https://pagure.io/freeipa/issue/9355%5B#9355] support python cryptography 40.0 * https://pagure.io/freeipa/issue/9358%5B#9358] update_dna_shared_config sometimes blocks installation for 2 minutes * https://pagure.io/freeipa/issue/9361%5B#9361] [ipasphinx] deprecated sphinx.util.progress_message * https://pagure.io/freeipa/issue/9362%5B#9362] ipatests: Frequent timeout of test_ipahealthcheck * https://pagure.io/freeipa/issue/9368%5B#9368] Test wrong variable in ipadb_get_pac() * https://pagure.io/freeipa/issue/9369%5B#9369] (https://bugzilla.redhat.com/show_bug.cgi?id=2164348%5Brhbz#2164348]) Better catch of the IPA web UI event "IPA Error 4301:CertificateOperationError", and IPA httpd error CertificateOperationError * https://pagure.io/freeipa/issue/9371%5B#9371] (https://bugzilla.redhat.com/show_bug.cgi?id=2182683%5Brhbz#2182683]) Tolerate absence of PAC ticket signature depending of domain and servers capabilities * https://pagure.io/freeipa/issue/9372%5B#9372] (https://bugzilla.redhat.com/show_bug.cgi?id=2172107%5Brhbz#2172107]) 'ipa idview-show idviewname' & IPA WebUI takes longer time to return the results in RHEL 8.5 * https://pagure.io/freeipa/issue/9373%5B#9373] (https://bugzilla.redhat.com/show_bug.cgi?id=2176406%5Brhbz#2176406]) Make sign_authdata() generate extended KDC signature * https://pagure.io/freeipa/issue/9374%5B#9374] freeipa fails to build with updates-testing repo on f37 and f38 * https://pagure.io/freeipa/issue/9377%5B#9377] test_commands: pseudo-random failure in test_ssh_key_connection * https://pagure.io/freeipa/issue/9383%5B#9383] Random nightly test failure in test_acme.py::TestACMEPrune::test_prune_cert_manual
== Detailed changelog since 4.10.1
=== Alexander Bokovoy (23)
* ipa-kdb: be compatible with krb5 1.19 when checking for server referral https://pagure.io/freeipa/c/f2b821abca72e0d444c96598799c4947e2173d3f%5Bcommi...] https://pagure.io/freeipa/issue/9164%5B#9164] * ipalib/x509.py: Add signature_algorithm_parameters https://pagure.io/freeipa/c/11ce2b2133364916de06f4c42d8a19ce438bd41c%5Bcommi...] * ipa-kdb: skip verification of PAC full checksum https://pagure.io/freeipa/c/1b55e9b1cb4f192635878b0b7242104d58a37d2b%5Bcommi...] https://pagure.io/freeipa/issue/9371%5B#9371] * ipa-kdb: process out of realm server lookup during S4U https://pagure.io/freeipa/c/bd8fcd6f5bc62a4bfc544b69c0d960291be05d37%5Bcommi...] https://pagure.io/freeipa/issue/9164%5B#9164] * ipa-kdb: postpone ticket checksum configuration https://pagure.io/freeipa/c/fefa0248296413b6ee5ad2543d8feb1b31840aee%5Bcommi...] * ipa-kdb: protect against context corruption https://pagure.io/freeipa/c/803a44777f901217d634f8fd7feed8b66ece352a%5Bcommi...] * ipa-kdb: hint KDC to use aes256-sha1 for forest trust TGT https://pagure.io/freeipa/c/3d0decd9efc4883328e95f9ff89002aec32462ec%5Bcommi...] https://pagure.io/freeipa/issue/9124%5B#9124] * Change doc theme to 'book' https://pagure.io/freeipa/c/1c43d914d9a365097a80c5c2278017b91c619266%5Bcommi...] * doc/designs/rbcd.md: document use of S-1-18-* SIDs https://pagure.io/freeipa/c/cb18ca31697320a58ae23a67afbfe7a0ff9a55a5%5Bcommi...] https://pagure.io/freeipa/issue/9354%5B#9354] * doc/designs/rbcd.md: add usage examples https://pagure.io/freeipa/c/b63e6a257006e846ef5d0a008d9c3c0f935c09bb%5Bcommi...] https://pagure.io/freeipa/issue/9354%5B#9354] * RBCD: add basic test for RBCD handling https://pagure.io/freeipa/c/7d68f4f08361760adab90ad4b44c6da2c4ea664d%5Bcommi...] https://pagure.io/freeipa/issue/9354%5B#9354] * kdb: implement RBCD handling in KDB driver https://pagure.io/freeipa/c/7ac6adfaac30473b14b589a71fac42fe147bc0d9%5Bcommi...] https://pagure.io/freeipa/issue/9354%5B#9354] * IPA API changes to support RBCD https://pagure.io/freeipa/c/5b6ad0e65600a96bb4d6f3b1acf4e16773a03493%5Bcommi...] https://pagure.io/freeipa/issue/9354%5B#9354] * doc: add design document for Kerberos constrained delegation https://pagure.io/freeipa/c/18cd909b4ad854147008a1010c97c75640a54177%5Bcommi...] https://pagure.io/freeipa/issue/9354%5B#9354] * ipa-kdb: search S4U2Proxy ACLs in cn=s4u2proxy,cn=etc,$BASEDN subtree only https://pagure.io/freeipa/c/7a7ba45c10a6da4f9e110f6cc57cfc47e0a16a16%5Bcommi...] https://pagure.io/freeipa/issue/5444%5B#5444] * test_xmlrpc: adopt to automember plugin message changes in 389-ds https://pagure.io/freeipa/c/52e6da9056697e2210736d5528826ae424fec9b1%5Bcommi...] * Ignore empty modification error in case cifs/.. principal already added https://pagure.io/freeipa/c/e7506403a988b98cc3381d2d986b53aee48448cb%5Bcommi...] https://pagure.io/freeipa/issue/9354%5B#9354] * ipalib/x509: Implement abstract method Certificate.verify_directly_issued_by https://pagure.io/freeipa/c/e07ead943abf070107a9669fc4564c9dc7518832%5Bcommi...] https://pagure.io/freeipa/issue/9355%5B#9355] * Fix tox in Azure CI https://pagure.io/freeipa/c/aacaafce9d074342e383ad7007dee1b0e09d9b12%5Bcommi...] https://pagure.io/freeipa/issue/9347%5B#9347] * Use system-wide chromium for webui tests https://pagure.io/freeipa/c/84f5f87b1f77267aa4c6c13fbc2496793d06a3c7%5Bcommi...] https://pagure.io/freeipa/issue/9347%5B#9347] * Don't fail if optional RPM macros file is missing https://pagure.io/freeipa/c/b93f6b52a29659663fae65be51dafe350606eb6d%5Bcommi...] https://pagure.io/freeipa/issue/9347%5B#9347] * ipa-kdb: PAC consistency checker needs to handle child domains as well https://pagure.io/freeipa/c/0206369eec8530e96c66986c4ca501d8962193ce%5Bcommi...] https://pagure.io/freeipa/issue/9316%5B#9316] * updates: fix memberManager ACI to allow managers from a specified group https://pagure.io/freeipa/c/42be04fe4ff317efe599dcbc2637f94ecc6fa220%5Bcommi...] https://pagure.io/freeipa/issue/9286%5B#9286]
=== Anuja More (4)
* ipatests: Test that non admin user can search hbac rule. https://pagure.io/freeipa/c/051bbe36dce57837bd1769aa4a88569e39565774%5Bcommi...] https://pagure.io/freeipa/issue/5130%5B#5130] * ipatests: Test ipa-advise is not failing with error. https://pagure.io/freeipa/c/983a6516f147ae95a512435cd05d237233d0b5fc%5Bcommi...] https://pagure.io/freeipa/issue/6044%5B#6044] * PRCI: update test_trust.py for nightly pipelines. https://pagure.io/freeipa/c/2a2132ccfd3cfb26f5da550a829b267ca0a4f6ae%5Bcommi...] https://pagure.io/freeipa/issue/9326%5B#9326] * Add test for SSH with GSSAPI auth. https://pagure.io/freeipa/c/a6cb905de74da38d62f9c3bd7957018924282521%5Bcommi...] https://pagure.io/freeipa/issue/9316%5B#9316]
=== Antonio Torres (10)
* Update list of contributors https://pagure.io/freeipa/c/03b92fb42f173e9ba26d6d19f0d6f35f6c5f38b2%5Bcommi...] * Update translations to FreeIPA ipa-4-10 state https://pagure.io/freeipa/c/e3797ca2e03097a36bd3795fc1687a2ed4922e59%5Bcommi...] * Extend API documentation https://pagure.io/freeipa/c/9c6b4f4445dbd1eefffbfff191063980a2f3a342%5Bcommi...] * doc: allow notes on Param API Reference pages https://pagure.io/freeipa/c/3eed25e92f951689658f6bbd178a5baca37442c6%5Bcommi...] * ipaserver: deepcopy objectclasses list from IPA config https://pagure.io/freeipa/c/b1b7cbc08d96e125ce21113ba1793a592d0ba35a%5Bcommi...] https://pagure.io/freeipa/issue/9349%5B#9349] * API doc: add usage guides for groups, HBAC and sudo rules https://pagure.io/freeipa/c/649c35aa3b46e6d2f034d9afdc4c7ae1542630da%5Bcommi...] * API doc: add note about ipa show-mappings to usage guide https://pagure.io/freeipa/c/a20acb6f833a22baad214a466848cb5833954532%5Bcommi...] * API doc: validate generated reference https://pagure.io/freeipa/c/364116c25f68b6b21c0a64466bda09c70cf146ec%5Bcommi...] https://pagure.io/freeipa/issue/9287%5B#9287] * API doc: add basic user management guide https://pagure.io/freeipa/c/a10627bdb90bb6eeaf6a156476253edc503c72df%5Bcommi...] * Back to git snapshots https://pagure.io/freeipa/c/657a7b2556e22b70802809dd784fe576d3edea95%5Bcommi...]
=== Carla Martinez (1)
* Update 'Auth indicators' doc string https://pagure.io/freeipa/c/6a4d34fba90ede0a9d600daa24a8d95190a42495%5Bcommi...] https://pagure.io/freeipa/issue/9338%5B#9338]
=== Christian Heimes (3)
* Speed up installer by restarting DS after DNA plugin https://pagure.io/freeipa/c/d63756eb08759740fe8b03f48d0a240f9935e6aa%5Bcommi...] https://pagure.io/freeipa/issue/9358%5B#9358] * Don't block when kinit_pkinit() fails https://pagure.io/freeipa/c/8803938570dfb70586fa89d2d2d7aad4b0965305%5Bcommi...] https://pagure.io/freeipa/issue/9333%5B#9333] * ipa-certupdate: Update client certs before KDC/HTTPd restart https://pagure.io/freeipa/c/8e7d1ac4e4779cc15b39a9901bb26c5f5997eb5b%5Bcommi...] https://pagure.io/freeipa/issue/9285%5B#9285]
=== Chris Kelley (1)
* Check that CADogtagCertsConfigCheck can handle cert renewal https://pagure.io/freeipa/c/a786d3d584c8696df3b18858df1c429cba03721f%5Bcommi...]
=== David Pascual (2)
* doc: Use case examples for PR-CI checker tool https://pagure.io/freeipa/c/41c32174b2b3cf71474ea74df32f1f763f4a2c5b%5Bcommi...] * ipatests: fix (prci_checker) duplicated check & error return code https://pagure.io/freeipa/c/1a965a3a6304607eb5acbdfee45843ebe8746c67%5Bcommi...]
=== Erik Belko (1)
* ipatests: Test MemberManager ACI to allow managers from a specified group after upgrade scenario https://pagure.io/freeipa/c/e1f4f655a65777f5096e65b8e5c3e079f77f6ecc%5Bcommi...] https://pagure.io/freeipa/issue/9286%5B#9286]
=== Filip Dvorak (1)
* ipa tests: Add LANG before kinit command to fix issue with locale settings https://pagure.io/freeipa/c/2520a7adff7a49ddcddaaf19f0e586425dc0d878%5Bcommi...]
=== Florence Blanc-Renaud (55)
* ipatest: remove xfail from test_smb https://pagure.io/freeipa/c/283f5463f091ac9fcc733092fc6becff586ae97f%5Bcommi...] https://pagure.io/freeipa/issue/9124%5B#9124] * ACME tests: fix issue_and_expire_acme_cert method https://pagure.io/freeipa/c/a6f485fcade619980f6538edadf115dca69e1314%5Bcommi...] https://pagure.io/freeipa/issue/9383%5B#9383] * user or group name: explain the supported format https://pagure.io/freeipa/c/7830ab96cc295e4151ad3d86cbbaf400a7ab2016%5Bcommi...] * azure tests: move to fedora 38 https://pagure.io/freeipa/c/627c1101a08a281d07cd930193232e434a0cd9a0%5Bcommi...] * Tests: test on f37 and f38 https://pagure.io/freeipa/c/12d1aafe60de457815adb822bbef466926626d6f%5Bcommi...] * idview: improve performance of idview-show https://pagure.io/freeipa/c/3a9a5bdae7cb3dee65ba74b00169badb72fe6dda%5Bcommi...] https://pagure.io/freeipa/issue/9372%5B#9372] * spec file: force nodejs < 20 on fedora < 39 https://pagure.io/freeipa/c/d95c4cf137574ffa79a191cbe5f6d0687b53cdc1%5Bcommi...] https://pagure.io/freeipa/issue/9374%5B#9374] * Nightly test: add +15min for test_ipahealthcheck https://pagure.io/freeipa/c/717228c908816c72b98cee86abfe7c22cb07c44e%5Bcommi...] https://pagure.io/freeipa/issue/9362%5B#9362] * cert_find: fix call with --all https://pagure.io/freeipa/c/918b6e011795ba4854d178d18c86ad54f3cf75ab%5Bcommi...] https://pagure.io/freeipa/issue/9331%5B#9331] * ipatests: mark known failures for autoprivategroup https://pagure.io/freeipa/c/e2b08433cf7cf74dea81b88953a4b8daa4c38614%5Bcommi...] https://pagure.io/freeipa/issue/9295%5B#9295] * ipatests: fix test definition for test_trust https://pagure.io/freeipa/c/def07260da883b1d27330b308bd0337205bf53a8%5Bcommi...] https://pagure.io/freeipa/issue/9326%5B#9326] * ipatests: increase timeout for test_trust https://pagure.io/freeipa/c/ae014c6a3e17da7b0775be79a425d769a2717243%5Bcommi...] https://pagure.io/freeipa/issue/9326%5B#9326] * ipatests: adapt for new automembership fixup behavior https://pagure.io/freeipa/c/34d048ede0c439b3a53e02f8ace96ff91aa1609d%5Bcommi...] https://pagure.io/freeipa/issue/9313%5B#9313] * ipatests: increase timeout for test_acme https://pagure.io/freeipa/c/0a8a3922487b8029c509635c85b533474008bb9d%5Bcommi...] https://pagure.io/freeipa/issue/9324%5B#9324] * automember-rebuild: add a notice about high CPU usage https://pagure.io/freeipa/c/2857bc69957bde7e59fff1c66c5a83c7f560616b%5Bcommi...] https://pagure.io/freeipa/issue/9320%5B#9320] * trust-add: handle missing msSFU30MaxGidNumber https://pagure.io/freeipa/c/97fc368df2db3b559a9def236d3c3e0a12bcdd0a%5Bcommi...] https://pagure.io/freeipa/issue/9310%5B#9310] * Spec file: use %autosetup instead of %setup https://pagure.io/freeipa/c/2a69d056176edd4ef0b1f4e59eb0548a483bc6e5%5Bcommi...] * Spec file: unify with RHEL9 spec https://pagure.io/freeipa/c/0e06786a44f8d12b08961fe0720a1b712e82c5cf%5Bcommi...] * Installer: create RID base before domain object https://pagure.io/freeipa/c/7d1a35852fa53bcf3b88a8a80a2e86ef88a75795%5Bcommi...] https://pagure.io/freeipa/issue/9309%5B#9309] * Tests: force key type in ACME tests https://pagure.io/freeipa/c/0fa95852c935c7b079f8ed966d4f194099217038%5Bcommi...] https://pagure.io/freeipa/issue/9298%5B#9298] * server install: remove error log about missing bkup file https://pagure.io/freeipa/c/894dca12c120f0bfa705307a0609da47326b8fb2%5Bcommi...] https://pagure.io/freeipa/issue/9306%5B#9306] * ipatests: mark test_smb as xfail https://pagure.io/freeipa/c/b5f2b0b1b213149b5bfe2653c9e40de98249dc73%5Bcommi...] https://pagure.io/freeipa/issue/9124%5B#9124] * pylint: disable deprecated-module message https://pagure.io/freeipa/c/85037db2e1927c76fba963c6fde4ce17d2b95929%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: fix comparison-of-constants https://pagure.io/freeipa/c/62e2d111fc3113aa5c9f22ae75068094403d1d39%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: disable comparison-of-constants https://pagure.io/freeipa/c/015e25a581353aaf628f9e2ea8306fda89842cd5%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: fix consider-iterating-dictionary https://pagure.io/freeipa/c/3d211b4f9f6950a2810496f30e57a421eeb31e85%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: globally disable useless-object-inheritance https://pagure.io/freeipa/c/4e998848f08b52760225c5bcb1afa9a6b2f6361b%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: disable unhashable-member https://pagure.io/freeipa/c/07111438389fde4a74845f9f797656712335795f%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: disable invalid-sequence-index https://pagure.io/freeipa/c/a95e11dbbff58804c5b85acaa4d70b72ce750ae0%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: fix deprecated-class SafeConfigParser https://pagure.io/freeipa/c/433599fdef1bf0608991d25ddbe6c891ae382ae0%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: fix duplicate-value https://pagure.io/freeipa/c/b9ea3fcbdb9ab07153873aeea7d3e1bd69e0d065%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: fix implicit-str-concat https://pagure.io/freeipa/c/71496be75f6523b51f9316d3dcf7e0662d2cb606%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: disable missing-timeout message https://pagure.io/freeipa/c/84c4792bdbf82108771d796ae317e2cb1f1d2100%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: globally disable unnecessary-lambda-assignment message https://pagure.io/freeipa/c/2b97c8caad267f97780d7ee8d940577c17ef1499%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: disable unnecessary-dunder-call message https://pagure.io/freeipa/c/3336236ff1133ae86a5c9e2caeb90db7169fa454%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: disable using-constant-test https://pagure.io/freeipa/c/5434c12b6012f035528f0b137c1af5c1be113542%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: remove arguments-renamed warnings https://pagure.io/freeipa/c/22f182ee9203be5e014d438f2a27b8721dd0c3ae%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: disable modified-iterating-list https://pagure.io/freeipa/c/ac69ad4ba5ec644fbb1b2768237fd2412d7e3101%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: replace deprecated distutils module https://pagure.io/freeipa/c/328fb642f6aba1a15040b7374a59cb6f7679f8f5%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: disable used-before-assignment https://pagure.io/freeipa/c/081dd26376b8ff704a83e1c783d97c40951c43b3%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: disable redefined-slots-in-subclass https://pagure.io/freeipa/c/240b46db1451b8fed5f04244e9927b8fc03f10c0%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: remove useless suppression https://pagure.io/freeipa/c/51e0f751e9c3b5cade75360d24ba64c75ec926ba%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: remove unneeded disable=unused-private-member https://pagure.io/freeipa/c/fd21204559bd8fcac6a1b321adda163cd88aa149%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * azure tests: move to fedora 37 https://pagure.io/freeipa/c/782873a2277ca7defa5554d2b7859f1c14767d68%5Bcommi...] * ipatests: update the xfail annotation for test_number_of_zones https://pagure.io/freeipa/c/304978924a09677805fd3b73614aad6a2de232a2%5Bcommi...] https://pagure.io/freeipa/issue/9135%5B#9135] * Spec file: bump krb5_kdb_version on rawhide https://pagure.io/freeipa/c/2904b15a94eebbb37ca6a289eccd6b95f063d7ca%5Bcommi...] * FIPS setup: fix typo filtering camellia encryption https://pagure.io/freeipa/c/dfba6ebf9ab7b7d17e65f928c90ae63b31d9cae7%5Bcommi...] * cert utilities: MAC verification is incompatible with FIPS mode https://pagure.io/freeipa/c/c853cfde56fb56798424bd402012d78ed47647c0%5Bcommi...] * ipatests: update the fake fips mode expected message https://pagure.io/freeipa/c/68f6574cb2bcf0b04840b4f62a8ac70b4d45cb1a%5Bcommi...] https://pagure.io/freeipa/issue/9002%5B#9002] * ipatests: xfail on all fedora for test_ipa_login_with_sso_user https://pagure.io/freeipa/c/9599e975bcdc0a58a32ccee6ad531c7298661a1d%5Bcommi...] https://pagure.io/freeipa/issue/9264%5B#9264] * Spec file: ipa-client depends on krb5-pkinit-openssl https://pagure.io/freeipa/c/2d0a0cc40fb8674f30ba62980b1953cef840009e%5Bcommi...] https://pagure.io/freeipa/issue/9290%5B#9290] * webui tests: fix assertion in test_subid.py https://pagure.io/freeipa/c/c411c2e7b2e400829ffac250db81609ef3c56faa%5Bcommi...] https://pagure.io/freeipa/issue/9282%5B#9282] * PRCI: update memory reqs for each topology https://pagure.io/freeipa/c/aeb9cc9b622d3d4a40a7eb3fe5800649c68c3b96%5Bcommi...] * API reference: update dnszone_add generated doc https://pagure.io/freeipa/c/660da9ab1d93fd8e561643728ae3821193953433%5Bcommi...] https://pagure.io/freeipa/issue/9249%5B#9249] * API reference: update vault doc https://pagure.io/freeipa/c/42957f9e7819ad76394b20337e65c7bee828dd8f%5Bcommi...] https://pagure.io/freeipa/issue/9259%5B#9259]
=== s1341 (1)
* ipaplatform: add initial nixos support https://pagure.io/freeipa/c/16a81062ba1c92773eb6206d68af6a2b3ba1d54d%5Bcommi...] https://pagure.io/freeipa/issue/9299%5B#9299]
=== Jarl Gullberg (2)
* install: Fix missing dyndb keytab directive https://pagure.io/freeipa/c/1b38ab1771944b51ddaeea972ea92a8e8ee5b92b%5Bcommi...] https://pagure.io/freeipa/issue/9344%5B#9344] * ipaplatform/debian: fix path to ldap.so https://pagure.io/freeipa/c/03180bedcf99075d98f206d271a31ae7ceddc50d%5Bcommi...]
=== Julien Rische (3)
* Filter out constrained delegation ACL from KDB entry https://pagure.io/freeipa/c/7ea3b86696f5451f1d227d365018ab7dc53024af%5Bcommi...] * Tolerate absence of PAC ticket signature depending of server capabilities https://pagure.io/freeipa/c/bbe545ff9feb972e549c743025e4a26b14ef8f89%5Bcommi...] https://pagure.io/freeipa/issue/9371%5B#9371] * kdb: Use krb5_pac_full_sign_compat() when available https://pagure.io/freeipa/c/630cda5c06428825dd5604493621b9cbdab70073%5Bcommi...] https://pagure.io/freeipa/issue/9373%5B#9373]
=== Jerry James (1)
* Change fontawesome-fonts requires to match fontawesome 4.x https://pagure.io/freeipa/c/58173c021388dd31b4501d1c7bc1e6747cea8bb8%5Bcommi...]
=== mbhalodi (5)
* ipatests: add remove automember condition tests https://pagure.io/freeipa/c/846c267f58ecfa4fc1a1a3be91c404e58074b1b3%5Bcommi...] https://pagure.io/freeipa/issue/9332%5B#9332] * ipatests: Test for sequence processing failures with server context https://pagure.io/freeipa/c/304fd550613e83d120c72f0dad89f6a89d31231c%5Bcommi...] https://pagure.io/freeipa/issue/9349%5B#9349] * ipatests: add missing automember-cli tests https://pagure.io/freeipa/c/6db9bbd85a837950d9244502507535c1f79ab64a%5Bcommi...] https://pagure.io/freeipa/issue/9332%5B#9332] * ipatests: WebUI - ensure that ipa automember-rebuild prints a warning https://pagure.io/freeipa/c/cd07413cba37150b12d6b279510941aad49b5afb%5Bcommi...] https://pagure.io/freeipa/issue/9320%5B#9320] * ipatests: ensure that ipa automember-rebuild prints a warning https://pagure.io/freeipa/c/88b9be29036a3580a8bccd31986fc30faa9852df%5Bcommi...] https://pagure.io/freeipa/issue/9320%5B#9320]
=== Michal Polovka (2)
* ipatests: commands: Wait for the SSSD to become available https://pagure.io/freeipa/c/bc39443211e998d7088571f0ef70233b6e456e1d%5Bcommi...] https://pagure.io/freeipa/issue/9377%5B#9377] * ipatest: loginscreen: do not use hardcoded password https://pagure.io/freeipa/c/1f10aebcc5b3568a9992111e377c5caecc1e035f%5Bcommi...] https://pagure.io/freeipa/issue/9226%5B#9226]
=== Mohammad Rizwan (3)
* ipatests: wait for sssd-kcm to settle after date change https://pagure.io/freeipa/c/edcdcf83452dce837c1522c353c4a80c967ea57b%5Bcommi...] * ipatests: fix tests in TestACMEPrune https://pagure.io/freeipa/c/e7c642bafcead5ce344f3b129d916045b00d0c1e%5Bcommi...] https://pagure.io/freeipa/issue/9294%5B#9294] * ipatests: tests for certificate pruning https://pagure.io/freeipa/c/0f77b359e241fc4055fb8d785e18f96338451ebf%5Bcommi...] https://pagure.io/freeipa/issue/9294%5B#9294]
=== Rob Crittenden (15)
* Don't allow a group to be converted to POSIX and external https://pagure.io/freeipa/c/58017abeb88b2f2c8ee2e4f5a6ed808d28c672a4%5Bcommi...] https://pagure.io/freeipa/issue/8990%5B#8990] * Replace usage of #!/usr/bin/env python3 with #!/usr/bin/python3 https://pagure.io/freeipa/c/325a13196b32c627854c8d7594e23b58167499f0%5Bcommi...] https://pagure.io/freeipa/issue/8941%5B#8941] * Mention in ipa-client-install that nscd is disabled https://pagure.io/freeipa/c/abe71fe145a3d16257043ccfbb43002607458cee%5Bcommi...] https://pagure.io/freeipa/issue/9086%5B#9086] * Return the value cert-find failures from the CA https://pagure.io/freeipa/c/81a6b9ad2d42fecdd94e17fa7c888bbdea2daf3c%5Bcommi...] https://pagure.io/freeipa/issue/9369%5B#9369] * Use the OpenSSL certificate parser in cert-find https://pagure.io/freeipa/c/50dd79d1a35549034bc281fbdffea4399baed3c7%5Bcommi...] https://pagure.io/freeipa/issue/9331%5B#9331] * Enforce sizelimit in cert-find https://pagure.io/freeipa/c/e2576670e692117c11987118abd5e9381bb90b1f%5Bcommi...] https://pagure.io/freeipa/issue/9331%5B#9331] * doc: Update pruning design with implement enable/disable options https://pagure.io/freeipa/c/fe13baa0acdb885dd981cbd8fdf6cee5e5ef22e3%5Bcommi...] https://pagure.io/freeipa/issue/9323%5B#9323] * Wipe the ipa-ca DNS record when updating system records https://pagure.io/freeipa/c/4e0ad96fbd9f438c884eeeaa60c2fb0c910a2b61%5Bcommi...] https://pagure.io/freeipa/issue/9195%5B#9195] * Fix setting values of 0 in ACME pruning https://pagure.io/freeipa/c/20ff7c16022793c707f6c2b8fb38a801870bc0e2%5Bcommi...] https://pagure.io/freeipa/issue/9325%5B#9325] * tests: add wrapper around ACME RSNv3 test https://pagure.io/freeipa/c/d24b69981d94fce7b1e1aa4a5c1ab88a123f96b5%5Bcommi...] https://pagure.io/freeipa/issue/9322%5B#9322] * doc: add the --run command for manual job execution https://pagure.io/freeipa/c/f10d1a0f84ed0f16ab4a1469f16ffadb3e79e59e%5Bcommi...] https://pagure.io/freeipa/issue/9294%5B#9294] * ipa-acme-manage: add certificate/request pruning management https://pagure.io/freeipa/c/9246a8a003b2b0062e07c289cd7cde8fe902b16f%5Bcommi...] https://pagure.io/freeipa/issue/9294%5B#9294] * tests: Add new ipa-ca error messages to IPADNSSystemRecordsCheck https://pagure.io/freeipa/c/6ca119686aadfa72c0474f72758b63cd671952d4%5Bcommi...] https://pagure.io/freeipa/issue/9291%5B#9291] * tests: Add ipa_ca_name checking to DNS system records https://pagure.io/freeipa/c/ff31b0c40cc5e046f839b98b80bd16bb649205ac%5Bcommi...] https://pagure.io/freeipa/issue/9291%5B#9291] * doc: Design for certificate pruning https://pagure.io/freeipa/c/51b1c22d025bf40e9ef488bb0faf0c8dff303ccd%5Bcommi...] https://pagure.io/freeipa/issue/9294%5B#9294]
=== Rafael Guterres Jeffman (2)
* Fix "no entry" condition when searching PAC info https://pagure.io/freeipa/c/8a7c068300a80f14b4b2fa4d63b0512768d326ad%5Bcommi...] https://pagure.io/freeipa/issue/9368%5B#9368] * Migrated to SPDX license. https://pagure.io/freeipa/c/e3507563877f1d64567f24b7f2e33ade8c310f86%5Bcommi...] https://pagure.io/freeipa/issue/9342%5B#9342]
=== Stanislav Levin (21)
* ipasphinx: Correct import of progress_message for Sphinx 6.1.0+ https://pagure.io/freeipa/c/3d787c2107ca10de15602afc757fc9b24fdd89bf%5Bcommi...] https://pagure.io/freeipa/issue/9361%5B#9361] * fastlint: Correct concatenation of file lists https://pagure.io/freeipa/c/540262700d73b701b0fd5dd3b79e5b20f0fc84c3%5Bcommi...] https://pagure.io/freeipa/issue/9318%5B#9318] * dns: Fix support for dnspython 1.1x https://pagure.io/freeipa/c/b152e8c3aea9f2c3ade319934fd7c81cb5432407%5Bcommi...] https://pagure.io/freeipa/issue/9339%5B#9339] * tests: webui: Update vendored qunit https://pagure.io/freeipa/c/9b8e8edc22ade3027a5c3da487783f598e0732fd%5Bcommi...] https://pagure.io/freeipa/issue/9329%5B#9329] * AP: webui: List installed nodejs packages https://pagure.io/freeipa/c/8fe8b262232ce65dddea8c92838200a1c5121f13%5Bcommi...] https://pagure.io/freeipa/issue/9329%5B#9329] * tests: webui: Load qunit only once https://pagure.io/freeipa/c/425cad6f114c981bfe41a30c7ad626164ac29be4%5Bcommi...] https://pagure.io/freeipa/issue/9329%5B#9329] * tests: webui: Allow file access from files in tests https://pagure.io/freeipa/c/450e78f5f3be3064d7ee1c6be5103dfae2ebaf87%5Bcommi...] https://pagure.io/freeipa/issue/9329%5B#9329] * tests: Configure DNSResolver as platform agnostic resolver https://pagure.io/freeipa/c/d662b125985369181a3ebcbad82a4a43215282f6%5Bcommi...] https://pagure.io/freeipa/issue/9319%5B#9319] * spec: Drop no longer used build dependency on paste https://pagure.io/freeipa/c/fb22c8e5bf9432b4a7c2866d5d210c353985ea50%5Bcommi...] https://pagure.io/freeipa/issue/9314%5B#9314] * ipatests: healthcheck: Handle missing fips-mode-setup https://pagure.io/freeipa/c/1be3188e3168e7a097e44a97f86e29b7e42fcae6%5Bcommi...] https://pagure.io/freeipa/issue/9315%5B#9315] * pylint: Replace deprecated cgi module https://pagure.io/freeipa/c/2009889d763ccc26479c966931ca1b60378496fd%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: Fix useless-object-inheritance https://pagure.io/freeipa/c/bccd3c942084c753543d63b4d409ac46f819d314%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: Fix unhashable-member https://pagure.io/freeipa/c/bd7b5bf71c443daa3ac12ff194748845a84b08f0%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: Fix unnecessary-lambda-assignment https://pagure.io/freeipa/c/dc8c8a7824565178333ef7ae8ac7934467424691%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: Fix modified-iterating-list https://pagure.io/freeipa/c/acc2daf25f5c12ef1d9a823de15df080ba42d059%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: Fix used-before-assignment https://pagure.io/freeipa/c/b12376560da944b0845b9ac0d424adaf5435670f%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: Replace deprecated pipes https://pagure.io/freeipa/c/1261bbf0016d4824f908a589d4943513e98f8b01%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: Fix cyclic-import https://pagure.io/freeipa/c/c48c76e9d34bae09dc4eac1f3b33f7cb72355c25%5Bcommi...] https://pagure.io/freeipa/issue/9232%5B#9232], https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: Replace deprecated extension-pkg-whitelist https://pagure.io/freeipa/c/68ab438f5c2250d96733a0c1b47cbb3a1c518bed%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: More allowed C extensions https://pagure.io/freeipa/c/f9822697659f134146e1dcfce0c48e2279a8becb%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278] * pylint: Lint in single process mode https://pagure.io/freeipa/c/d673fdab6097ae783bd0075c0e990e42bc24f833%5Bcommi...] https://pagure.io/freeipa/issue/9278%5B#9278]
=== Sudhir Menon (2)
* ipatests: ipa-adtrust-install command test scenarios https://pagure.io/freeipa/c/76c788274a2ee3993ee36d12d91e22200817dfc9%5Bcommi...] * Fixes: ipa-otpd@.service: deprecated syslog setting https://pagure.io/freeipa/c/65a14a36936b8ebfdb17560d5976447c6f4cdf7e%5Bcommi...] https://pagure.io/freeipa/issue/9279%5B#9279]
=== Timo Aaltonen (1)
* Drop duplicate includedir from krb5.conf https://pagure.io/freeipa/c/bdb77a3d810837e3e349ce6b5625662be281f2cd%5Bcommi...] https://pagure.io/freeipa/issue/9267%5B#9267]
=== Todd Zullinger (2)
* spec: silence krb5 pkgconf errors in %krb5_base_version https://pagure.io/freeipa/c/90d0f04987b5477efa64d64416d89890e6bcda75%5Bcommi...] * spec: verify upstream source signature https://pagure.io/freeipa/c/3b64eaa153d89920cbb0be87e5c2b512c4bf2008%5Bcommi...]
=== Thorsten Scherf (1)
* external-idp: change idp server name to reference name https://pagure.io/freeipa/c/9323bafb645a377192efe17b489124a440c055c3%5Bcommi...]
freeipa-users@lists.fedorahosted.org