The FreeIPA team would like to announce the FreeIPA v4.2.1 bug-fixing release!

It can be downloaded from the FreeIPA download page. The builds are available for Fedora 23 and rawhide. Builds for Fedora 22 are available in the official COPR repository.

This announcement is also available at <>.

== Highlights in 4.2.1 ==
=== Enhancements ===
* Added support for multiple IP addresses during client installation

=== Bug fixes ===
* Various fixes for the new Vault feature
* Various fixes for the new Certificate Profiles feature
* Fixed an ACI issue that broke searches for HBAC rules, sudo rules, users and other IPA objects by non-admin users
* Backup and restore fixes, mostly related to DNSSEC
* ipa-client-install is able to request a certificate in a kickstart environment
* Fixed a server upgrade failure in the "Enabling KDC proxy" step
* Added an option to establish a bidirectional trust in the Web UI

== Upgrading ==
Upgrade instructions are available on the Upgrade page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list or #freeipa channel on Freenode.

== Detailed Changelog since 4.2.0 ==

=== Alexander Bokovoy (5) ===
* selinux: enable httpd_run_ipa to allow communicating with oddjobd services
* oddjob: avoid chown keytab to sssd if sssd user does not exist
* Fix selector of protocol for LSA RPC binding string
* trusts: harden trust-fetch-domains oddjobd-based script
* trusts: format Kerberos principal properly when fetching trust topology

=== Christian Heimes (10) ===
* Start dirsrv for kdcproxy upgrade
* Fix selinux denial during kdcproxy user creation
* certprofile-import: improve profile format documentation
* otptoken: use ipapython.nsslib instead of Python's ssl module
* Require Dogtag PKI >= 10.2.6
* Validate vault's file parameters
* certprofile-import: do not require profileId in profile data
* Asymmetric vault: validate public key in client
* Add flag to list all service and user vaults
* Change internal rsa_(public|private)_key variable names

=== David Kupka (9) ===
* migration: Use api.env variables.
* certmonger: Use private unix socket when DBus SystemBus is not available.
* ipa-client-install: Do not (re)start certmonger and DBus daemons.
* user-undel: Fix error messages.
* client: Add support for multiple IP addresses during installation.
* client: Add description of --ip-address and --all-ip-addresses to man page
* Backup/restore authentication control configuration
* vault: Limit size of data stored in vault
* ipactl: Do not start/stop/restart single service multiple times

=== Endi Sukma Dewata (6) ===
* Fixed missing KRA agent cert on replica.
* Added CLI param and ACL for vault service operations.
* Fixed vault container ownership.
* Added support for changing vault encryption.
* Removed clear text passwords from KRA install log.
* Using LDAPI to setup CA and KRA agents.

=== Fraser Tweedale (14) ===
* user-show: add --out option to save certificates to file
* Fix otptoken-remove-managedby command summary
* Give more info on virtual command access denial
* Allow SAN extension for cert-request self-service
* Add profile for DNP3 / IEC 62351-8 certificates
* Work around python-nss bug on unrecognised OIDs
* Fix default CA ACL added during upgrade
* Fix KRB5PrincipalName / UPN SAN comparison
* certprofile: add profile format explanation
* Add permission for bypassing CA ACL enforcement
* Prohibit deletion of predefined profiles
* cert-request: remove allowed extensions check
* certprofile: prevent rename (modrdn)
* certprofile: remove 'rename' option

=== Jan Cholasta (14) ===
* spec file: Move /etc/ipa/kdcproxy to the server subpackage
* spec file: Update minimum required version of krb5
* install: Fix server and replica install options
* ULC: Prevent preserved users from being assigned membership
* spec file: Fix install with the server-dns subpackage
* baseldap: Allow overriding member param label in LDAPModMember
* vault: Fix param labels in output of vault owner commands
* install: Fix replica install with custom certificates
* vault: Fix vault-find with criteria
* vault: Add container information to vault command results
* spec file: Add Requires(post) on selinux-policy
* cert renewal: Include KRA users in Dogtag LDAP update
* cert renewal: Automatically update KRA agent PEM file
* ldap: Make ldap2 connection management thread-safe again

=== Lenka Doudova (2) ===
* Automated test for stageuser plugin
* Fix user tracker to reflect new user-del message

=== Martin Babinsky (12) ===
* ipa-ca-install: print more specific errors when CA is already installed
* enable debugging of ntpd during client installation
* fix broken search for users by their manager
* ACI plugin: correctly parse bind rules enclosed in parentheses
* test suite for user/host/service certificate management API commands
* store certificates issued for user entries as userCertificate;binary
* idranges: raise an error when local IPA ID range is being modified
* fix typo in BasePathNamespace member pointing to ods exporter config
* ipa-backup: archive DNSSEC zone file and kasp.db
* ipa-restore: check whether DS is running before attempting connection
* improve the handling of krb5-related errors in dnssec daemons
* improve the usability of `ipa user-del --preserve` command

=== Martin Bašti (23) ===
* Prevent to rename certprofile profile id
* Stageuser-activate: show username instead of DN
* copy-schema-to-ca: allow to overwrite schema files
* fix selinuxusermap search for non-admin users
* Validate adding privilege to a permission
* sysrestore: copy files instead of moving them to avoid SELinux issues
* Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand
* Py3: replace tab with space
* DNS: Consolidate DNS RR types in API and schema
* DNS: check if DNS package is installed
* Remove ico files from Makefile
* Use 'mv -Z' in specfile to restore SELinux context
* ULC: Fix stageuser-add --from-delete command
* Fix upgrade of sidgen and extdom plugins
* Add dependency to SSSD 1.13.1
* Server Upgrade: Start DS before CA is started.
* Add user-stage command
* DNSSEC: fix forward zone forwarders checks
* DNSSEC: remove "DNSSEC is experimental" warnings
* Backup: back up the hosts file
* Installer: do not modify /etc/hosts before user agreement
* DNSSEC: backup and restore opendnssec zone list file
* DNSSEC: remove ccache and keytab of ipa-ods-exporter

=== Milan Kubík (4) ===
* ipalib: pass api instance into textui in doctest snippets
* spec file: update the python package names for libipa_hbac and libsss_nss_idmap
* tests: Allow Tracker.dn be an instance of Fuzzy
* ipatests: Take otptoken import test out of execution

=== Oleg Fayans (2) ===
* Added a user-friendly output to an import error
* Temporary fix for ticket 5240

=== Petr Voborník (17) ===
* Become IPA 4.2.0
* do not import memcache on client
* webui: fix user reset password dialog
* fix hbac rule search for non-admin users
* webui: add Kerberos configuration instructions for Chrome
* webui: fix regressions failed auth messages
* webui: add LDAP vs Kerberos behavior description to user auth types
* adjust search so that it works for non-admin users
* validate mutually exclusive options in vault-add
* add permission: System: Manage User Certificates
* vault: normalize service principal in service vault operations
* vault: validate vault type
* vault: change default vault type to symmetric
* fix missing information in object metadata
* webui: add option to establish bidirectional trust
* vault: fix vault tests after default type change
* Become IPA 4.2.1

=== Petr Špaček (6) ===
* Create server-dns sub-package.
* DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart
* DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction
* DNSSEC: Fix HSM synchronization in ipa-dnskeysyncd when running on DNSSEC key master
* DNSSEC: Fix key metadata export
* DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5.

=== Rob Crittenden (1) ===
* Use %license instead of %doc for packaging the license

=== Simo Sorce (1) ===
* Fix DNS records installation for replicas

=== Stanislav Laznicka (1) ===
* ipa-client-install: warn when IP used in --server

=== Tomáš Babej (24) ===
* ipalib: Fix missing format for InvalidDomainLevelError
* trusts: Check for AD root domain among our trusted domains
* ipaplatform: Add constants submodule
* tests: user_plugin: Add preserved flag when --all is used
* dcerpc: Expand explanation for WERR_ACCESS_DENIED
* idviews: Check for the Default Trust View only if applying the view
* tests: service_plugin: Make sure the cert is decoded from base64
* tests: realmdomains_plugin: Add explanatory comment
* tests: Version is currently generated during command call
* tests: vault_plugin: Skip tests if KRA not available
* tests: test_rpc: Create connection for the current thread
* tests: test_cert: Services can have multiple certificates
* dcerpc: Fix UnboundLocalError for ccache_name
* dcerpc: Add get_trusted_domain_object_type method
* idviews: Restrict anchor to name and name to anchor conversions
* idviews: Enforce objectclass check in idoverride*-del
* replication: Fix incorrect exception invocation
* Fix incorrect type comparison in trust-fetch-domains
* dcerpc: Simplify generation of LSA-RPC binding strings
* adtrust-install: Correctly determine 4.2 FreeIPA servers
* trusts: Detect domain clash with IPA domain when adding an AD trust
* trusts: Detect missing Samba instance
* winsync-migrate: Add warning about passsync
* winsync-migrate: Expand the man page

=== Yuri Chornoivan (1) ===
* Fix minor typos

