The FreeIPA team would like to announce the FreeIPA v4.2.4 bug fix release!

It can be downloaded from The builds are available for Fedora 23.

These release notes are also available on

== Highlights in 4.2.4 ==

FreeIPA 4.2.4 is a bugfix release to improve upgrade experience from FreeIPA 4.1 for Fedora 23.

=== Bug fixes ===
* Fixed issue in installation of server with external CA where second step of installation "forgot" options from previous step which could lead, e.g., to DNS server not being installed. #5556
* Fixed issue in ipa-adtrust-install when a dash character was used in NetBIOS name
* Fixed issue with migration from old self-sign IPA (e.g. CentOS 6) and upgrading it to a server with CA #5611, #5598, #5602, #5595, #5636, #4492, #5506
* Fixed issue with bind not starting after update due to wrong file permissions. #5520
* Fixed issue in installation of server without CA when certmonger was not running. #5519
* Fixed issue in upgrade of NIS maps. #5507
* Fixed issue in handling of empty cookies. It prevented users from logging in to the Web UI using forms-based authentication. #5709
* Fixed issue with installation of KRA on a replica. #5346
* Fixed issue with DNSSEC key purging not being handled properly #5334
* Fixed issue in replica installation after update of master from previous version where certificate profiles and CA ACL were not properly added. #5269
* Fixed issue in installation of replica with external CA, when multiple certificates with the same nickname were provided. #5117
* Fixed issue after upgrade of sidgen and extdom plugins which prevented generation of Security Identifiers (SIDs). As a result, all AD trusts created after the upgrade did not work while advertising that the trust was established correctly. #5665
* Fixed issue with starting FreeIPA after upgrade which happened when FreeIPA server was turned off. #5655
* Fixed internal error during an upgrade from FreeIPA 4.0 to 4.2 which prevented the upgrade process from upgrading forward zones properly. #5472
* Fixed issue with missing "System: Read Replication Agreements" ACI on new replicas. #5631
* Fixed issue on Web UI password reset page where user was not notified when he entered invalid password #5567

=== Enhancements ===
* ipa-replica-prepare and ipa-replica-install no longer fail if PTR record is not resolvable #5686

== Upgrading ==
Upgrade instructions are available on the upgrade page.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list or the #freeipa channel on Freenode.

== Detailed Changelog since 4.2.3 ==
=== Abhijeet Kasurde (2) ===
* Fixed small typo in stage-user documentation
* Fixed login error message box in LoginScreen page

=== Alexander Bokovoy (1) ===
* slapi-nis: update configuration to allow external members of IPA groups

=== Christian Heimes (1) ===
* Require Dogtag 10.2.6-13 to fix KRA uninstall

=== David Kupka (5) ===
* ipa-cacert-renew: Fix connection to ldap.
* ipa-otptoken-import: Fix connection to ldap.
* test: Temporarily increase timeout in vault test.
* installer: Propagate option values from components instead of copying them.
* installer: Fix logic of reading option values from cache.

=== Fraser Tweedale (5) ===
* TLS and Dogtag HTTPS request logging improvements
* Avoid race condition caused by profile delete and recreate
* Do not erroneously reinit NSS in Dogtag interface
* Add profiles and default CA ACL on migration
* Do not decode HTTP reason phrase from Dogtag

=== Gabe Alford (2) ===
* Incomplete ports for IPA AD Trust
* Check if IPA is configured before attempting a winsync migration

=== Jan Cholasta (9) ===
* install: fix command line option validation
* install: export KRA agent PEM file in ipa-kra-install
* cert renewal: make renewal of ipaCert atomic
* client install: do not corrupt OpenSSH config with Match sections
* ipalib: assume version 2.0 when skip_version_check is enabled
* cert renewal: import all external CA certs on IPA CA cert renewal
* CA install: explicitly set dogtag_version to 10
* replica install: validate DS and HTTP server certificates
* certdb: never use the -r option of certutil

=== Lenka Doudova (2) ===
* Adding descriptive IDs to stageuser tests
* Tests: Fix tests for (stage)user plugin

=== Martin Babinsky (13) ===
* fix error reporting when installer option is supplied with invalid choice
* suppress errors arising from adding existing LDAP entries during KRA install
* update idrange tests to reflect disabled modification of local ID ranges
* disconnect ldap2 backend after adding default CA ACL profiles
* do not disconnect when using existing connection to check default CA ACLs
* fix error message assertion in negative forced client reenrollment tests
* prevent crash of CA-less server upgrade due to absent certmonger
* use FFI call to rpmvercmp function for version comparison
* fix standalone installation of externally signed CA on IPA master
* always start certmonger during IPA server configuration upgrade
* upgrade: unconditional import of certificate profiles into LDAP
* CI tests: use old schema when testing hostmask-based sudo rules
* use LDAPS during standalone CA/KRA subsystem deployment

=== Martin Bašti (27) ===
* fix caching in get_ipa_config
* upgrade: fix migration of old dns forward zones
* Fix upgrade of forwardzones when zone is in realmdomains
* ipa-getkeytab: do not return error when translations cannot be loaded
* KRA: do not stop certmonger during standalone uninstall
* ipa-kra-install: allow to install first KRA on replica
* Modify error message to install first instance of KRA
* Fix version comparison
* DNS: fix file permissions
* Explicitly call chmod on newly created directories
* Fix: replace mkdir with chmod
* FIX: ipa_kdb_principals: add missing break statement
* Allow to used mixed case for sysrestore
* Upgrade: Fix upgrade of NIS Server configuration
* Tests: DNS replace with range
* make lint: use config file and plugin for pylint
* Disable new pylint checks
* upgrade: fix config of sidgen and extdom plugins
* trusts: use ipaNTTrustPartner attribute to detect trust entries
* Warn user if trust is broken
* fix upgrade: wait for proper DS socket after DS restart
* Pylint: add missing attributes of errors to definitions
* fix permission: Read Replication Agreements
* Make PTR records check optional for IPA installation
* Fix connections to DS during installation
* pylint: supress false positive no-member errors
* Fix broken trust warnings

=== Milan Kubik (1) ===
* Applied tier0 and tier1 marks on unit tests and xmlrpc tests

=== Milan Kubík (1) ===
* ipatests: Fix missed module import in ipaserver tests

=== Petr Voborník (3) ===
* advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins
* cookie parser: do not fail on cookie with empty value
* fix incorrect name of ipa-winsync-migrate command in help

=== Petr Špaček (12) ===
* Makefile: disable parallel build
* DNSSEC: Improve error reporting from ipa-ods-exporter
* DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
* DNSSEC: Make sure that current key state in LDAP matches key state in BIND
* DNSSEC: remove obsolete TODO note
* DNSSEC: add debug mode to
* DNSSEC: logging improvements in ipa-ods-exporter
* DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
* DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
* DNSSEC: ipa-ods-exporter: add ldap-cleanup command
* DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
* DNSSEC: Log debug messages at log level DEBUG

=== Simo Sorce (2) ===
* Return default TL_DATA is krbExtraData is missing
* Insure the admin_conn is disconnected on stop

=== Sumit Bose (4) ===
* ipasam: fix wrong usage of talloc_new()
* ipasam: use more restrictive search filter for group lookup
* ipasam: fix a use-after-free issue
* ipa-kdb: map_groups() consider all results

=== Tomáš Babej (4) ===
* tests: Fix incorrect uninstall method invocation
* tests: Add hostmask detection for sudo rules validating on hostmask
* ipa-adtrust-install: Allow dash in the NETBIOS name
* spec: Bump required sssd version to 1.13.3-5

Petr Vobornik
