The FreeIPA team would like to announce FreeIPA v4.2.4 bug fixing release!

It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 23.

https://bodhi.fedoraproject.org/updates/freeipa-4.2.4-1.fc23

This release notes are also available on http://www.freeipa.org/page/Releases/4.2.4

== Highlights in 4.2.4 ==

FreeIPA 4.2.4 is a bugfix release to improve upgrade experience from FreeIPA 4.1 for Fedora 23.

=== Bug fixes ===
* Fixed issue in installation of server with external CA where second step of installation "forgot" options from previous step which could lead, e.g., to DNS server not being installed. #5556 * Fixed issue in ipa-adtrust-install when a dash character was used in NetBIOS name * Fixed issue with migration from old self-sign IPA(e.g. CentOS 6) and upgrading it to a server with CA #5611, #5598, #5602, #5595, #5636, #4492, #5506 * Fixed issue with bind not starting after update due to wrong file permissions. #5520 * Fixed issue in installation of server without CA when certmonger was not running. #5519
* Fixed issue in upgrade of NIS maps. #5507
* Fixed issue in handling of empty cookies. It prevented users from log in to Web UI using forms-based authentication. #5709
* Fixed issue with installation of KRA on a replica. #5346
* Fixed issue with DNSSEC key purging not being handled properly #5334
* Fixed issue in replica installation after update of master from previous version where certificate profiles and CA ACL were not properly added. #5269 * Fixed issue in installation of replica with external CA, when multiple certificates with the same nickname were provided. #5117 * Fixed issue after upgrade of sidgen and extdom plugins which prevented from generation of Security Identifiers(SIDs). As a result, all AD trust created after the upgrade did not work while advertising that the trust was established correctly. #5665 * Fixed issue with starting FreeIPA after upgrade which happened when FreeIPA server was turned off. #5655 * Fixed internal error during an upgrade from FreeIPA 4.0 to 4.2 which prevented the upgrade process from upgrading forward zones properly. #5472 * Fixed issue with missing "System: Read Replication Agreements" ACI on new replicas. #5631 * Fixed issue on Web UI password reset page where user was not notified when he entered invalid password #5567

=== Enhancements ===
* ipa-replica-prepare and ipa-replica-install no longer fails if PTR record is not resolvable #5686

== Upgrading ==
Upgrade instructions are available on upgrade page<http://www.freeipa.org/page/Upgrade>.

== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

== Detailed Changelog since 4.2.3 ==
=== Abhijeet Kasurde (2) ===
* Fixed small typo in stage-user documentation
* Fixed login error message box in LoginScreen page

=== Alexander Bokovoy (1) ===
* slapi-nis: update configuration to allow external members of IPA groups

=== Christian Heimes (1) ===
* Require Dogtag 10.2.6-13 to fix KRA uninstall

=== David Kupka (5) ===
* ipa-cacert-renew: Fix connection to ldap.
* ipa-otptoken-import: Fix connection to ldap.
* test: Temporarily increase timeout in vault test.
* installer: Propagate option values from components instead of copying them.
* installer: Fix logic of reading option values from cache.

=== Fraser Tweedale (5) ===
* TLS and Dogtag HTTPS request logging improvements
* Avoid race condition caused by profile delete and recreate
* Do not erroneously reinit NSS in Dogtag interface
* Add profiles and default CA ACL on migration
* Do not decode HTTP reason phrase from Dogtag

=== Gabe Alford (2) ===
* Incomplete ports for IPA AD Trust
* Check if IPA is configured before attempting a winsync migration

=== Jan Cholasta (9) ===
* install: fix command line option validation
* install: export KRA agent PEM file in ipa-kra-install
* cert renewal: make renewal of ipaCert atomic
* client install: do not corrupt OpenSSH config with Match sections
* ipalib: assume version 2.0 when skip_version_check is enabled
* cert renewal: import all external CA certs on IPA CA cert renewal
* CA install: explicitly set dogtag_version to 10
* replica install: validate DS and HTTP server certificates
* certdb: never use the -r option of certutil

=== Lenka Doudova (2) ===
* Adding descriptive IDs to stageuser tests
* Tests: Fix tests for (stage)user plugin

=== Martin Babinsky (13) ===
* fix error reporting when installer option is supplied with invalid choice
* suppress errors arising from adding existing LDAP entries during KRA install
* update idrange tests to reflect disabled modification of local ID ranges
* disconnect ldap2 backend after adding default CA ACL profiles
* do not disconnect when using existing connection to check default CA ACLs
* fix error message assertion in negative forced client reenrollment tests
* prevent crash of CA-less server upgrade due to absent certmonger
* use FFI call to rpmvercmp function for version comparison
* fix standalone installation of externally signed CA on IPA master
* always start certmonger during IPA server configuration upgrade
* upgrade: unconditional import of certificate profiles into LDAP
* CI tests: use old schema when testing hostmask-based sudo rules
* use LDAPS during standalone CA/KRA subsystem deployment

=== Martin Bašti (27) ===
* fix caching in get_ipa_config
* upgrade: fix migration of old dns forward zones
* Fix upgrade of forwardzones when zone is in realmdomains
* ipa-getkeytab: do not return error when translations cannot be loaded
* KRA: do not stop certmonger during standalone uninstall
* ipa-kra-install: allow to install first KRA on replica
* Modify error message to install first instance of KRA
* Fix version comparison
* DNS: fix file permissions
* Explicitly call chmod on newly created directories
* Fix: replace mkdir with chmod
* FIX: ipa_kdb_principals: add missing break statement
* Allow to used mixed case for sysrestore
* Upgrade: Fix upgrade of NIS Server configuration
* Tests: DNS replace 192.0.2.0/24 with 198.18.0.0/15 range
* make lint: use config file and plugin for pylint
* Disable new pylint checks
* upgrade: fix config of sidgen and extdom plugins
* trusts: use ipaNTTrustPartner attribute to detect trust entries
* Warn user if trust is broken
* fix upgrade: wait for proper DS socket after DS restart
* Pylint: add missing attributes of errors to definitions
* fix permission: Read Replication Agreements
* Make PTR records check optional for IPA installation
* Fix connections to DS during installation
* pylint: supress false positive no-member errors
* Fix broken trust warnings

=== Milan Kubik (1) ===
* Applied tier0 and tier1 marks on unit tests and xmlrpc tests

=== Milan Kubík (1) ===
* ipatests: Fix missed module import in ipaserver tests

=== Petr Voborník (3) ===
* advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins
* cookie parser: do not fail on cookie with empty value
* fix incorrect name of ipa-winsync-migrate command in help

=== Petr Špaček (12) ===
* Makefile: disable parallel build
* DNSSEC: Improve error reporting from ipa-ods-exporter
* DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
* DNSSEC: Make sure that current key state in LDAP matches key state in BIND
* DNSSEC: remove obsolete TODO note
* DNSSEC: add debug mode to ldapkeydb.py
* DNSSEC: logging improvements in ipa-ods-exporter
* DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
* DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
* DNSSEC: ipa-ods-exporter: add ldap-cleanup command
* DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
* DNSSEC: Log debug messages at log level DEBUG

=== Simo Sorce (2) ===
* Return default TL_DATA is krbExtraData is missing
* Insure the admin_conn is disconnected on stop

=== Sumit Bose (4) ===
* ipasam: fix wrong usage of talloc_new()
* ipasam: use more restrictive search filter for group lookup
* ipasam: fix a use-after-free issue
* ipa-kdb: map_groups() consider all results

=== Tomáš Babej (4) ===
* tests: Fix incorrect uninstall method invocation
* tests: Add hostmask detection for sudo rules validating on hostmask
* ipa-adtrust-install: Allow dash in the NETBIOS name
* spec: Bump required sssd version to 1.13.3-5

--
Petr Vobornik

_______________________________________________
Freeipa-interest mailing list
Freeipa-interest@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-interest

Reply via email to