Bret Wortman wrote:
Is this (like 3.1.0) also intended for f18? The sss_idmap package
doesn't seem to be available for f17.

No, F-18 will have 3.1.

3.0 GA won't be backported to F-17. We did a couple of pre-releases of 3.0 in F-17 because F-18 wasn't easily usable for quite a long time (in our humble opinion).


On Tue, Dec 11, 2012 at 4:44 PM, Rob Crittenden <
<>> wrote:

    The FreeIPA team is proud to announce version FreeIPA v3.0.2.

    It can be downloaded from

    == Highlights in 3.0.2 ==

    * WebUI: Change of default value of type of new group back to POSIX.
    * Lookup the user SID in external group as well.
    * Include sssd-managed domain/realm mapping file managed in krb5.conf.
    * Fix potential security error in cookie handling in ipa client
    tool, CVE-2012-5631.

    == Upgrading ==

    An IPA server can be upgraded simply by installing updated rpms. The
    server does not need to be shut down in advance.

    Please note, that the referential integrity extension requires an
    extended set of indexes to be configured. RPM update for an IPA
    server with a excessive number of hosts, SUDO or HBAC entries may
    require several minutes to finish.

    If you have multiple servers you may upgrade them one at a time. It
    is expected that all servers will be upgraded in a relatively short
    period (days or weeks not months). They should be able to co-exist
    peacefully but new features will not be available on old servers and
    enrolling a new client against an old server will result in the SSH
    keys not being uploaded.

    Downgrading a server once upgraded is not supported.

    Upgrading from 2.2.0 is supported. Upgrading from previous versions
    is not supported and has not been tested.

    An enrolled client does not need the new packages installed unless
    you want to re-enroll it. SSH keys for already installed clients are
    not uploaded, you will have to re-enroll the client or manually
    upload the keys.

    == Feedback ==

    Please provide comments, bugs and other feedback via the
    freeipa-devel mailing list:

    == Detailed Changelog since 3.0.1 ==

    Alexander Bokovoy (3):
    * ipasam: better Kerberos error handling in ipasam
    * trusts: replace use of python-crypto by m2crypto
    * Propagate kinit errors with trust account

    Jakub Hrozek (4):
    * Make enabling the autofs service more robust
    * ipachangeconf: allow specifying non-default delimeter for options
    * Specify includedir in krb5.conf on new installs
    * Add the includedir to krb5.conf on upgrades

    John Dennis (1):
    * Compliant client side session cookie behavior

    Lubomir Rintel (1):
    * Drop unused readline import

    Martin Kosek (5):
    * Prepare spec file for Fedora 18
    * Filter suffix in replication management tools
    * Change network configuration file
    * Improve ipa-replica-prepare error message
    * Fix sshd feature check

    Petr Viktorin (2):
    * Provide explicit user name for Dogtag installation scripts
    * Add Lubomir Rintel to Contributors.txt

    Petr Vobornik (4):
    * WebUI: Change of default value of type of new group back to POSIX
    * Editable sshkey, mac address field after upgrade
    * Better licensing information of 3rd party code
    * Better error message for login of users from other realms

    Rob Crittenden (5):
    * Honor the kdb options disabling KDC writes in ipa_lockout plugin
    * Only update the list of running services in the installer or ipactl.
    * Set min for selinux-policy to 3.11.1-60
    * Reorder XML-RPC initialization in ipa-join to avoid segfault.
    * Become IPA 3.0.2

    Simo Sorce (1):
    * MS-PAC: Special case NFS services

    Sumit Bose (3):
    * Lookup the user SID in external group as well
    * Restart sssd after authconfig update
    * Do not recommend how to configure DNS in error message

    Tomas Babej (1):
    * Add detection for users from trusted/invalid realms

    Freeipa-users mailing list <>

Bret Wortman
The Damascus Group
Fairfax, VA

Freeipa-users mailing list

Reply via email to