The FreeIPA team is proud to announce FreeIPA v3.3.2!

It can be downloaded from Fedora 19
builds are already on their way to updates-testing repo.

== Highlights in 3.3.2 ==
=== Enhancements ===
* Multiple domains from a trusted Active Directory forest supported now
* Issue warnings when installed FreeIPA realm differs from the main domain as
this setup prevents configuring AD trusts
* Allow PKCS#12 files with empty password in install tools

=== Bug fixes ===
* ipa-replica-manage no longer returns RUV error when removing a replica
* ipa-replica-install no longer crashes when being run against a master with
older Directory Server
* When creating AD trust, report supported enctypes based on Kerberos realm
* ... and numerous other small fixes

=== Test improvements ===
* New tests for forced client re-enrollment feature
* Integration tests no longer require python-paramiko and can run on top of
bare SSH connection
* Numerous small fixes in beakerlib integration

== Supporting Multiple Domains from Trusted Active Directory Forest ==
Previously only a root level domain of a trusted AD forest was supported. Now
all domains of the trusted AD forest can access resources in a FreeIPA domain.
Free IPA admins are now able to refresh list of domains from a trusted AD
forest and selectively enable and disable specific domains from accessing
resources in FreeIPA domain.

Following commands were added to FreeIPA CLI:

* ipa trust-fetch-domains <trust>
** Refresh list of domains from a trusted AD forest. By default all found
domains belonging to the forest will be allowed to access IPA resources.
* ipa trustdomain-find <trust> [domain]
** List domains of the trusted AD forest, displaying their attributes. When
''domain'' is specified in addition to the trust name, only information about
''domain'' is shown.
* ipa trustdomain-disable <trust> <domain>
** Disable access from <domain> of the <trust> to IPA resources.
* ipa trustdomain-enable <trust> <domain>
** Enable access from <domain> of the <trust> to IPA resources.
* ipa trustdomain-del <trust> <domain>
** Remove information about <domain> of the <trust> from IPA view about the
trusted AD forest. Users from <domain> will not be able to access IPA resources.

Following IPA commands were extended:
* ipa trust-add <trust>
** When trust to an AD forest is established, list of domains of the forest
will be fetched and identity ranges for them will be created automatically. In
case of POSIX attributes being managed by the AD forest, a single identity
range for the trusted forest's root level domain will be re-used.
** When trust to an AD forest is established, list of domains associated with
IPA is provided to the DC of the forest root level domain. This information is
used to enable name suffix routing for systems belonging to IPA domain. As
result, if IPA master servers don't belong to IPA DNS domain namespace, they
will be able to access resources in the trusted AD forest.

FreeIPA 3.3.2 requires use of SSSD 1.11.1 due to integration of non-root level
forest domains support.

== Upgrading ==
=== FreeIPA servers with CA installed prior to version 3.1 ===
Manual upgrade procedure is required for FreeIPA servers installed with version
prior to 3.1.
Please see for

=== Other FreeIPA servers and clients ===
An IPA server can be upgraded simply by installing updated rpms. The server
does not need to be shut down in advance.

Please note that if you are doing the upgrade in special environment (e.g.
FedUp) which does not allow running the LDAP server during upgrade process,
upgrade scripts need to be run manually after the first boot:
# ipa-upgradeconfig
# ipa-ldap-updater --upgrade

Also note that the performance improvements require an extended set of indexes
to be configured. RPM update for an IPA server with a excessive number of users
may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is expected
that all servers will be upgraded in a relatively short period (days or weeks,
not months). They should be able to co-exist peacefully but new features will
not be available on old servers and enrolling a new client against an old
server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 and later versions is supported. Upgrading from previous
versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you want to
re-enroll it. SSH keys for already installed clients are not uploaded, you will
have to re-enroll the client or manually upload the keys.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing
list ( or #freeipa channel
on Freenode.

== Detailed Changelog since 3.3.1 ==
=== Alexander Bokovoy (11): ===
* ipa-sam: do not modify objectclass when trust object already created
* ipa-sam: do not leak LDAPMessage on ipa-sam initialization
* ipa-sam: report supported enctypes based on Kerberos realm configuration
* ipaserver/ populate forest trust information using realmdomains
* trusts: support subdomains in a forest
* frontend: report arguments errors with better detail
* ipaserver/dcerpc: remove use of trust account authentication
* trust: integrate subdomains support into trust-add
* ipasam: for subdomains pick up defaults for missing values
* KDC: implement transition check for trusted domains
* ipa-kdb: Handle parent-child relationship for subdomains

=== Ana Krivokapic (5): ===
* Add integration tests for forced client re-enrollment
* Create DS user and group during ipa-restore
* Add warning when uninstalling active replica
* Do not crash if DS is down during server uninstall
* Follow tmpfiles.d packaging guidelines

=== Jan Cholasta (3): ===
* Fix nsslapdPlugin object class after initial replication.
* Read passwords from stdin when importing PKCS#12 files with pk12util.
* Allow PKCS#12 files with empty password in install tools.

=== Martin Kosek (5): ===
* Use FQDN when creating MSDCS SRV records
* Do not set DNS discovery domain in server mode
* Require new SSSD to pull required AD subdomain fixes
* Remove faulty DNS memberOf Task
* Become IPA 3.3.2

=== Nathaniel McCallum (1): ===
* Ensure credentials structure is initialized

=== Petr Spacek (1): ===
* Add timestamps to named debug logs in /var/named/data/

=== Petr Viktorin (15): ===
* Remove __all__ specifications in ipaclient and ipaserver.install
* Make make-lint compatible with Pylint 1.0
* Move transport-related functionality to a new module
* test_integration: Add OpenSSHTransport, used if paramiko is not available
* ipatests.test_integration.test_caless: Fix mkdir_recursive call
* ipatests.beakerlib_plugin: Warn instead of failing when some logs are missing
* ipatests.order_plugin: Exclude test generators from the order
* ipatests.beakerlib_plugin: Add argument of generated tests to test captions
* ipatests.test_cmdline.test_help: Re-raise unexpected exceptions on failure
* Add tests for installing with empty PKCS#12 password
* Update translations from Transifex
* ipa-client-install: Use direct RPC instead of api.Command
* ipa-client-install: Verify RPC connection with a ping
* Do not fail upgrade if the global anonymous read ACI is not found
* ipapython.nsslib: Name arguments to NSPRError

=== Petr Vobornik (5): ===
* Fix RUV search scope in ipa-replica-manage
* Fix redirection on deletion of last dns record entry
* Allow edit of ipakrbokasdelegate in Web UI when attrlevelrights are unknown
* Fix enablement of automount map type selector
* Add logging to ldap_connect()

=== Simo Sorce (1): ===
* Add Delegation Info to MS-PAC

=== Sumit Bose (1): ===
* CLDAP: do not read IPA domain from hostname

=== Tomas Babej (3): ===
* Use getent admin@domain for nss check in ipa-client-install
* Do not add trust to AD in case of IPA realm-domain mismatch
* Warn user about realm-domain mismatch in install scripts

Freeipa-interest mailing list

Reply via email to