The FreeIPA team would like to announce the FreeIPA 4.8.9 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

== Highlights in 4.8.9

* 5011: [RFE] Forward CA requests to dogtag or helper by GSSAPI
* 7137: [RFE]: Able to browse different links from IPA web gui in new tabs
* 8129: Tests: Replace paramiko with OpenSSH

Paramiko is not compatible with FIPS mode, therefore convert most tests to using ssh directly. The only non-converted test is the 2-prompt OTP test because sshpass does not support 2-prompt password authentication (https://pagure.io/freeipa/issue/8431).

* 8151: test_commands timing-out

Re-enable test_sss_ssh_authorizedkeys; add -v to ssh in order to get debug information if this test fails or stalls again. The test was run 16 times without a failure before re-enabling it.

* 8189: Nightly test failure in test_integration/test_nfs.py::TestIpaClientAutomountFileRestore::test_nsswitch_backup_restore_sssd

Previously, ipa-client-installation saved the pre-install state using the "authselect current" command and the uninstallation reverted to the same authselect state. In cases where the system was installed using authconfig instead of authselect, the uninstallation was unable to revert to the same state and picked "sssd"'s authselect profile instead. Now, the client installation relies on the backup functionality of authselect and is able to revert to the exact pre-install state.

* 8304: [fed32] client-install does not properly set ChallengeResponseAuthentication yes in sshd conf

ipa-client-installation now writes the sshd configuration to the drop-in directory /etc/ssh/sshd_config.d/, in the 04-ipa.conf snippet, thus ensuring that the setting "ChallengeResponseAuthentication yes" takes precedence.

* 8335: [WebUI] manage IPA resources as a user from a trusted Active Directory domain

When users from trusted Active Directory domains have permissions to manage IPA resources, they can do so through a Web UI management console.

* 8374: EPN does not ship its default configuration (/etc/ipa/epn.conf) in freeipa-client-epn

EPN did not ship any configuration file. This was an oversight, but the tool itself would work fine as it had sane defaults; moreover, the man page for the configuration file was present.

* 8391: Remove dnf workaround from test_epn.py

The new PR-CI images are cleaner and do not need the *epn* packages to be uninstalled/reinstalled.

* 8401: Create platform definitions for freeipa-container

ipaplatform now provides container platform flavors for freeipa/freeipa-container.

* 8432: test failure in test_commands.py::TestIPACommand::test_login_wrong_password: AssertionError

Sometimes test_login_wrong_password fails because the log window the string message is searched in is too narrow. Broaden the window by looking at the past 10 seconds.

* 8444: EPN: enhance input validation

Various input validation checks were added to EPN.

* 8445: EPN: '[Errno 111] Connection refused' when the SMTP is down

EPN now displays a proper message if the configured SMTP server cannot be contacted.

* 8449: EPN: enhance CLI option tests

EPN: enhance existing tests for --dry-run, --from-nbdays and --to-nbdays.

=== Enhancements

=== Known Issues

=== Bug fixes

FreeIPA 4.8.9 is a stabilization release for the features delivered as a part of the 4.8 version series. There are more than 50 bug fixes, details of which can be seen in the list of resolved tickets below.

== Upgrading

Upgrade instructions are available on the Upgrade page.

== Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-us...@lists.fedorahosted.org/) or the #freeipa channel on Freenode.

== Resolved tickets

* https://pagure.io/freeipa/issue/5011[#5011] (https://bugzilla.redhat.com/show_bug.cgi?id=1527185[rhbz#1527185]) [RFE] Forward CA requests to dogtag or helper by GSSAPI
* https://pagure.io/freeipa/issue/5628[#5628] webui: Unclear(UX) purpose of OTP field in password reset form on login
* https://pagure.io/freeipa/issue/7137[#7137] (https://bugzilla.redhat.com/show_bug.cgi?id=1484088[rhbz#1484088]) [RFE]: Able to browse different links from IPA web gui in new tabs
* https://pagure.io/freeipa/issue/8129[#8129] Tests: Replace paramiko with OpenSSH
* https://pagure.io/freeipa/issue/8151[#8151] test_commands timing-out
* https://pagure.io/freeipa/issue/8189[#8189] (https://bugzilla.redhat.com/show_bug.cgi?id=1810179[rhbz#1810179]) Nightly test failure in test_integration/test_nfs.py::TestIpaClientAutomountFileRestore::test_nsswitch_backup_restore_sssd
* https://pagure.io/freeipa/issue/8300[#8300] Replace uglify-js with python3-rjsmin
* https://pagure.io/freeipa/issue/8304[#8304] [fed32] client-install does not properly set ChallengeResponseAuthentication yes in sshd conf
* https://pagure.io/freeipa/issue/8326[#8326] CVE-2020-10747
* https://pagure.io/freeipa/issue/8335[#8335] [WebUI] manage IPA resources as a user from a trusted Active Directory domain
* https://pagure.io/freeipa/issue/8336[#8336] [WebUI] "User attributes for SMB services" section always shown
* https://pagure.io/freeipa/issue/8364[#8364] Nightly test failure while establishing trust: Cannot find specified domain or server name
* https://pagure.io/freeipa/issue/8366[#8366] CA-less replica deployment fails with --setup-ca
* https://pagure.io/freeipa/issue/8367[#8367] IPA-EPN fails to build in ONLY_CLIENT mode
* https://pagure.io/freeipa/issue/8368[#8368] (https://bugzilla.redhat.com/show_bug.cgi?id=1846349[rhbz#1846349]) cannot issue certs with multiple IP addresses corresponding to different hosts
* https://pagure.io/freeipa/issue/8369[#8369] cert_find returns "CA not configured" in CA-less install
* https://pagure.io/freeipa/issue/8370[#8370] ipa-join does not set nshardwareplatform and nsosversion
* https://pagure.io/freeipa/issue/8371[#8371] Nightly test failure [testing_master_testing] in test_integration/test_idviews.py::TestCertsInIDOverrides
* https://pagure.io/freeipa/issue/8372[#8372] (https://bugzilla.redhat.com/show_bug.cgi?id=1849914[rhbz#1849914]) FreeIPA - Utilize 256-bit AJP connector passwords
* https://pagure.io/freeipa/issue/8374[#8374] (https://bugzilla.redhat.com/show_bug.cgi?id=1847999[rhbz#1847999]) EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in freeipa-client-epn
* https://pagure.io/freeipa/issue/8377[#8377] Nightly test failure (timeout) in test_caless_TestReplicaInstall
* https://pagure.io/freeipa/issue/8379[#8379] Nightly test failure [testing_master_pki] while installing CA replica
* https://pagure.io/freeipa/issue/8381[#8381] Nightly test failure in test_webui/test_loginscreen.py::TestLoginScreen::test_login_view
* https://pagure.io/freeipa/issue/8384[#8384] Provide reliable way to know if a server installation is complete
* https://pagure.io/freeipa/issue/8388[#8388] Make help() on plugins more useful
* https://pagure.io/freeipa/issue/8391[#8391] Remove dnf workaround from test_epn.py
* https://pagure.io/freeipa/issue/8395[#8395] selinux don't audit rules deny fetching trust topology
* https://pagure.io/freeipa/issue/8396[#8396] [WebUI] Font type of "Enabled" column in user search facet wrong
* https://pagure.io/freeipa/issue/8399[#8399] certmonger attempts to add LWCA tracking requests on non-CA server.
* https://pagure.io/freeipa/issue/8400[#8400] sshd template file is installed in a wrong (server) location while used by the client side
* https://pagure.io/freeipa/issue/8401[#8401] Create platform definitions for freeipa-container
* https://pagure.io/freeipa/issue/8403[#8403] Add option to add ipaapi user as an allowed uid for ifp in /etc/sssd/sssd.conf when running ipa-replica-install
* https://pagure.io/freeipa/issue/8407[#8407] Support changelog integrated into main database
* https://pagure.io/freeipa/issue/8412[#8412] (https://bugzilla.redhat.com/show_bug.cgi?id=1857157[rhbz#1857157]) AVC: httpd cannot connect to ipa-custodia.sock
* https://pagure.io/freeipa/issue/8413[#8413] Nightly test failure in test_integration/test_replica_promotion.py::TestUnprivilegedUserPermissions::test_sssd_config_allows_ipaapi_access_to_ifp
* https://pagure.io/freeipa/issue/8414[#8414] Nightly test failure in test_integration/test_replica_promotion.py::TestReplicaPromotionLevel1::test_sssd_config_allows_ipaapi_access_to_ifp
* https://pagure.io/freeipa/issue/8416[#8416] [WebUI] Error while adding user ID overrides to group
* https://pagure.io/freeipa/issue/8419[#8419] Azure is reporting a slew of new no-member lint errors
* https://pagure.io/freeipa/issue/8425[#8425] Nightly test failure in test_cert.test_cert.TestInstallMasterClient (certmonger timeout)
* https://pagure.io/freeipa/issue/8428[#8428] [ipatests] fails due to new python-cryptography 3.0
* https://pagure.io/freeipa/issue/8429[#8429] Add fips-mode-setup to ipaplatform.paths
* https://pagure.io/freeipa/issue/8432[#8432] test failure in test_commands.py::TestIPACommand::test_login_wrong_password: AssertionError
* https://pagure.io/freeipa/issue/8435[#8435] [ipatests] failures due to new Pytest6.0 (pypi part)
* https://pagure.io/freeipa/issue/8437[#8437] unit tests for ipa-extdom-extop are failing in Fedora 33
* https://pagure.io/freeipa/issue/8439[#8439] Nightly test failure in test_integration/test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring
* https://pagure.io/freeipa/issue/8440[#8440] (https://bugzilla.redhat.com/show_bug.cgi?id=1863616[rhbz#1863616]) CA-less install does not set required permissions on KDC certificate
* https://pagure.io/freeipa/issue/8441[#8441] (https://bugzilla.redhat.com/show_bug.cgi?id=1870202[rhbz#1870202]) File permissions of /etc/ipa/ca.crt differ between CA-ful and CA-less
* https://pagure.io/freeipa/issue/8442[#8442] [pylint] warnings/errors against pylint 2.5.3
* https://pagure.io/freeipa/issue/8444[#8444] (https://bugzilla.redhat.com/show_bug.cgi?id=1866291[rhbz#1866291]) EPN: enhance input validation
* https://pagure.io/freeipa/issue/8445[#8445] (https://bugzilla.redhat.com/show_bug.cgi?id=1863079[rhbz#1863079]) EPN: '[Errno 111] Connection refused' when the SMTP is down
* https://pagure.io/freeipa/issue/8447[#8447] Nightly test failure in test_integration/test_ipahealthcheck/TestIpaHealthCheckWithoutDNS
* https://pagure.io/freeipa/issue/8449[#8449] (https://bugzilla.redhat.com/show_bug.cgi?id=1866291[rhbz#1866291]) EPN: enhance CLI option tests
* https://pagure.io/freeipa/issue/8456[#8456] Need new aci's for the new replication changelog entries
* https://pagure.io/freeipa/issue/8459[#8459] [upgrade] handle missing openssh-clients
* https://pagure.io/freeipa/issue/8461[#8461] [ALTLinux] server uninstall error on missing /var/lib/samba
* https://pagure.io/freeipa/issue/8463[#8463] Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring
* https://pagure.io/freeipa/issue/8464[#8464] Increase replication changelog trimming interval

== Detailed changelog since 4.8.8

Detailed changelog is available at https://www.freeipa.org/page/Releases/4.8.9#Detailed_changelog_since_4.8.8

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland