FreeIPA Bugfix Release 4.10.2

FreeIPA ist ein von RedHat unterstütztes Open-Source Softwareprojekt, dass als Ziel hat ein Identität-, Policy- und Auditsystem zur Verfügung zu stellen. Dabei geht FreeIPA weiter als vergleichsweise das Active Directory von Microsoft oder eDirectory von Novell und vereint viele Open-Source Technologien zu einem System. Die Entwickler haben das Bugfix Release 4.10.2 veröffentlicht, dass folgende Hauptänderungen durchführt:

FreeIPA 4.10.2 Release Notes

Highlights in 4.10.2

• 5444: [RFE] Support Resource based kerberos constrained delegation

---

• 9287: [RFE] makeapi should validate the generated API doc vs stored doc

---

• 9294: Enable the certificate pruning job in PKI

Removing (pruning) expired certificates is supported when Random Serial Numbers are enabled. One cannot upgrade from sequential serial numbers to random. This feature is enabled using the ipa-acme-manage(1) command.

---

• 9331: Better handling of the command line and web UI cert search and/or list features

cert-find performance was improved dramatically when a large number of certificates are returned by changing the method IPA uses internally to parse results from the CA.

---

• 9354: Implement resource-based constrained delegation

FreeIPA provides initial implementation of resource-based constrained delegation (RBCD) for Kerberos services. RBCD and other Kerberos delegation services described in the design document: https://freeipa.readthedocs.io/en/latest/designs/rbcd.html. The initial implementation works for FreeIPA services, work on supporting cross-realm RBCD continues.

---

• 9373: Make sign_authdata() generate extended KDC signature

FreeIPA KDCs will automatically start requiring two new Kebreros ticket signatures when the whole realm is running on MIT Kerberos 1.21 or later. On older MIT Kerberos versions, the lack of the new ticket signature will be tolerated to allow gradual upgrades. More details are available at https://pagure.io/freeipa/c/3f1b373cb2028416e40a26e3dd99b0f4c82525c7. In addition, a ‘full PAC’ signature type was added to MIT Kerberos 1.21. FreeIPA will support the new signature when running against newer MIT Kerberos version. For older versions, please see https://pagure.io/freeipa/c/9cd5f49c74f28dbe070b072b394747a039cef463. This new PAC signature will be required by default by Active Directory in July 2023 for S4U requests, and opt-out will no longer be possible after October 2023. We recommend upgrading to newer versions of FreeIPA-based distributions to avoid interoperability break.

---

Known Issues

• 9298: [Tracker] Nightly test failure (updates-testing) in test_acme.py::TestACME::test_certbot_certonly_standalone

With Certbot update to 2.0.0, Certbot defaults to ECDSA certificate private keys for all new certificates. PKI ACME cert profile supports only rsa private keys, meaning that the key type needs to be forced to rsa when requesting an ACME certificate, using certbot –key-type rsa […]

Bug fixes

FreeIPA 4.10.2 is a stabilization release for the features delivered as a part of 4.10 version series.

There are more than 60 bug-fixes since FreeIPA 4.10.1 release. Details of the bug-fixes can be seen in the list of resolved tickets below.

Upgrading

Upgrade instructions are available on Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on libera.chat.

Resolved tickets

• #5130 (rhbz#1243261) non-admin users cannot search hbac rules
• #5444 [RFE] Support Resource based kerberos constrained delegation
• #6044 (rhbz#1353899) ipa-advise: object of type ‘type’ has no len()
• #8941 Usage of `/usr/bin/env` in Python scripts
• #8990 ipa group-mod should fail properly with –posix and –external options
• #9086 Have ipa-client-install additionally disable the unscd service if using SSSD
• #9124 Nightly test failure in test_smb.py::TestSMB::test_smb_service_s4u2self
• #9164 Cross realm s4u2self/s4u2proxy fails
• #9195 (rhbz#2158775) Hiding a server does not completely clean up DNS records
• #9226 (rhbz#2124547) Infinite redirect loop in the WebUI for user root
• #9232 ipaserver circular import
• #9249 (rhbz#2108630) Deprecated feature idnssoaserial in IdM appears when creating reverse dns zones
• #9259 (rhbz#2144737) vault interoperability with older RHEL systems is broken
• #9264 Nightly failure in test_integration/test_sso.py::TestSsoBridge::test_ipa_login_with_sso_user
• #9267 (rhbz#2188567) Unconditionally adding ‘includedir /var/lib/sss/pubconf/krb5.include.d’ to /etc/krb5.conf break Java’s ability to parse krb5.conf
• #9278 Pylint 2.15 issues
• #9279 ipa-otpd@.service: deprecated syslog setting
• #9282 Nightly test failure in test_webui/test_subid.py/test_subid/test_subid_range_deletion_not_allowed
• #9285 ipa-certupdate restarts HTTPd too early
• #9286 (rhbz#2056009) memberManager ACIs aren’t allowing group-based manager access due to missing upgrade code
• #9287 [RFE] makeapi should validate the generated API doc vs stored doc
• #9290 (rhbz#2149889) idm:client is missing dependency on krb5-pkinit.
• #9291 Nightly test failure (rawhide) in test_ipa_dns_systemrecords_check
• #9294 (rhbz#2162677) Enable the certificate pruning job in PKI
• #9295 Nightly test failure (sssd) in test_trust.py::TestNonPosixAutoPrivateGroup and test_trust.py::TestPosixAutoPrivateGroup
• #9298 [Tracker] Nightly test failure (updates-testing) in test_acme.py::TestACME::test_certbot_certonly_standalone
• #9299 NixOS support for freeipa in ipaplatform
• #9306 (rhbz#2160389) ‘ERROR Could not remove /tmp/tmpbkw6hawo.ipabkp’ can be seen prior to ‘ipa-client-install’ command was successful.
• #9309 (rhbz#2160399) get_ranges – [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct
• #9310 (rhbz#2162335) ipa-trust-add with –range-type=ipa-ad-trust-posix fails while creating an ID range
• #9313 Nightly test failure (rawhide): automember-rebuild test
• #9314 Redundant build dependency on python3-paste (if with lint)
• #9315 [tests] test_ipa_healthcheck_fips_enabled fails on system without fips-mode-setup
• #9316 (rhbz#2166324) Passwordless (GSSAPI) SSH login with AD user
• #9318 Incomplete fast lint/codestyle check if both Python template files and Python modules were changed
• #9319 [tests] TestDNSResolver failures on systems without or empty /etc/resolv.conf
• #9320 (rhbz#2018198) RFE – Add a warning note about possible performance impact of the Auto Member rebuild task.
• #9322 (rhbz#2162677) Nightly test failure in test_integration/test_acme.py::TestACME
• #9323 Update the design doc for certificate pruning
• #9324 ipatests: Frequent timeout of test_acme
• #9325 (rhbz#2168244) requestsearchtimelimit=0 doesn’t seems to be work with ipa-acme-manage pruning command
• #9326 ipatests: timeout of test_trust
• #9329 Azure test: WebUI_Unit_Tests are failing
• #9331 (rhbz#2164349) Better handling of the command line and web UI cert search and/or list features
• #9332 Extend negative test coverage for automember
• #9333 ipa-client-install –pkinit-identity can block in unattended mode
• #9338 Update ‘Auth indicators’ doc string to show ‘ipd’ usage
• #9339 Broken support for dnspython < 2
• #9342 Fedora trasiition license from short names to SPDX license expression
• #9344 ipa-server-install fails when the named keytab location is overridden in ipaplatform/paths.py
• #9347 Azure Ci does not work with Fedora Rawhide
• #9349 (rhbz#2180914) Sequence processing failures for group_add using server context
• #9354 Implement resource-based constrained delegation
• #9355 support python cryptography 40.0
• #9358 update_dna_shared_config sometimes blocks installation for 2 minutes
• #9361 [ipasphinx] deprecated sphinx.util.progress_message
• #9362 ipatests: Frequent timeout of test_ipahealthcheck
• #9368 Test wrong variable in ipadb_get_pac()
• #9369 (rhbz#2164348) Better catch of the IPA web UI event “IPA Error 4301:CertificateOperationError”, and IPA httpd error CertificateOperationError
• #9371 (rhbz#2182683) Tolerate absence of PAC ticket signature depending of domain and servers capabilities
• #9372 (rhbz#2172107) ‘ipa idview-show idviewname’ & IPA WebUI takes longer time to return the results in RHEL 8.5
• #9373 (rhbz#2176406) Make sign_authdata() generate extended KDC signature
• #9374 freeipa fails to build with updates-testing repo on f37 and f38
• #9377 test_commands: pseudo-random failure in test_ssh_key_connection
• #9383 Random nightly test failure in test_acme.py::TestACMEPrune::test_prune_cert_manual

Detailed changelog since 4.10.1

Alexander Bokovoy (23)

• ipa-kdb: be compatible with krb5 1.19 when checking for server referral commit #9164
• ipalib/x509.py: Add signature_algorithm_parameters commit
• ipa-kdb: skip verification of PAC full checksum commit #9371
• ipa-kdb: process out of realm server lookup during S4U commit #9164
• ipa-kdb: postpone ticket checksum configuration commit
• ipa-kdb: protect against context corruption commit
• ipa-kdb: hint KDC to use aes256-sha1 for forest trust TGT commit #9124
• Change doc theme to ‘book’ commit
• doc/designs/rbcd.md: document use of S-1-18-* SIDs commit #9354
• doc/designs/rbcd.md: add usage examples commit #9354
• RBCD: add basic test for RBCD handling commit #9354
• kdb: implement RBCD handling in KDB driver commit #9354
• IPA API changes to support RBCD commit #9354
• doc: add design document for Kerberos constrained delegation commit #9354
• ipa-kdb: search S4U2Proxy ACLs in cn=s4u2proxy,cn=etc,$BASEDN subtree only commit #5444
• test_xmlrpc: adopt to automember plugin message changes in 389-ds commit
• Ignore empty modification error in case cifs/.. principal already added commit #9354
• ipalib/x509: Implement abstract method Certificate.verify_directly_issued_by commit #9355
• Fix tox in Azure CI commit #9347
• Use system-wide chromium for webui tests commit #9347
• Don’t fail if optional RPM macros file is missing commit #9347
• ipa-kdb: PAC consistency checker needs to handle child domains as well commit #9316
• updates: fix memberManager ACI to allow managers from a specified group commit #9286

Anuja More (4)

• ipatests: Test that non admin user can search hbac rule. commit #5130
• ipatests: Test ipa-advise is not failing with error. commit #6044
• PRCI: update test_trust.py for nightly pipelines. commit #9326
• Add test for SSH with GSSAPI auth. commit #9316

Antonio Torres (10)

• Update list of contributors commit
• Update translations to FreeIPA ipa-4-10 state commit
• Extend API documentation commit
• doc: allow notes on Param API Reference pages commit
• ipaserver: deepcopy objectclasses list from IPA config commit #9349
• API doc: add usage guides for groups, HBAC and sudo rules commit
• API doc: add note about ipa show-mappings to usage guide commit
• API doc: validate generated reference commit #9287
• API doc: add basic user management guide commit
• Back to git snapshots commit

Carla Martinez (1)

• Update ‘Auth indicators’ doc string commit #9338

Christian Heimes (3)

• Speed up installer by restarting DS after DNA plugin commit #9358
• Don’t block when kinit_pkinit() fails commit #9333
• ipa-certupdate: Update client certs before KDC/HTTPd restart commit #9285

Chris Kelley (1)

• Check that CADogtagCertsConfigCheck can handle cert renewal commit

David Pascual (2)

• doc: Use case examples for PR-CI checker tool commit
• ipatests: fix (prci_checker) duplicated check & error return code commit

Erik Belko (1)

• ipatests: Test MemberManager ACI to allow managers from a specified group after upgrade scenario commit #9286

Filip Dvorak (1)

• ipa tests: Add LANG before kinit command to fix issue with locale settings commit

Florence Blanc-Renaud (55)

• ipatest: remove xfail from test_smb commit #9124
• ACME tests: fix issue_and_expire_acme_cert method commit #9383
• user or group name: explain the supported format commit
• azure tests: move to fedora 38 commit
• Tests: test on f37 and f38 commit
• idview: improve performance of idview-show commit #9372
• spec file: force nodejs < 20 on fedora < 39 commit #9374
• Nightly test: add +15min for test_ipahealthcheck commit #9362
• cert_find: fix call with –all commit #9331
• ipatests: mark known failures for autoprivategroup commit #9295
• ipatests: fix test definition for test_trust commit #9326
• ipatests: increase timeout for test_trust commit #9326
• ipatests: adapt for new automembership fixup behavior commit #9313
• ipatests: increase timeout for test_acme commit #9324
• automember-rebuild: add a notice about high CPU usage commit #9320
• trust-add: handle missing msSFU30MaxGidNumber commit #9310
• Spec file: use %autosetup instead of %setup commit
• Spec file: unify with RHEL9 spec commit
• Installer: create RID base before domain object commit #9309
• Tests: force key type in ACME tests commit #9298
• server install: remove error log about missing bkup file commit #9306
• ipatests: mark test_smb as xfail commit #9124
• pylint: disable deprecated-module message commit #9278
• pylint: fix comparison-of-constants commit #9278
• pylint: disable comparison-of-constants commit #9278
• pylint: fix consider-iterating-dictionary commit #9278
• pylint: globally disable useless-object-inheritance commit #9278
• pylint: disable unhashable-member commit #9278
• pylint: disable invalid-sequence-index commit #9278
• pylint: fix deprecated-class SafeConfigParser commit #9278
• pylint: fix duplicate-value commit #9278
• pylint: fix implicit-str-concat commit #9278
• pylint: disable missing-timeout message commit #9278
• pylint: globally disable unnecessary-lambda-assignment message commit #9278
• pylint: disable unnecessary-dunder-call message commit #9278
• pylint: disable using-constant-test commit #9278
• pylint: remove arguments-renamed warnings commit #9278
• pylint: disable modified-iterating-list commit #9278
• pylint: replace deprecated distutils module commit #9278
• pylint: disable used-before-assignment commit #9278
• pylint: disable redefined-slots-in-subclass commit #9278
• pylint: remove useless suppression commit #9278
• pylint: remove unneeded disable=unused-private-member commit #9278
• azure tests: move to fedora 37 commit
• ipatests: update the xfail annotation for test_number_of_zones commit #9135
• Spec file: bump krb5_kdb_version on rawhide commit
• FIPS setup: fix typo filtering camellia encryption commit
• cert utilities: MAC verification is incompatible with FIPS mode commit
• ipatests: update the fake fips mode expected message commit #9002
• ipatests: xfail on all fedora for test_ipa_login_with_sso_user commit #9264
• Spec file: ipa-client depends on krb5-pkinit-openssl commit #9290
• webui tests: fix assertion in test_subid.py commit #9282
• PRCI: update memory reqs for each topology commit
• API reference: update dnszone_add generated doc commit #9249
• API reference: update vault doc commit #9259

s1341 (1)

• ipaplatform: add initial nixos support commit #9299

Jarl Gullberg (2)

• install: Fix missing dyndb keytab directive commit #9344
• ipaplatform/debian: fix path to ldap.so commit

Julien Rische (3)

• Filter out constrained delegation ACL from KDB entry commit
• Tolerate absence of PAC ticket signature depending of server capabilities commit #9371
• kdb: Use krb5_pac_full_sign_compat() when available commit #9373

Jerry James (1)

• Change fontawesome-fonts requires to match fontawesome 4.x commit

mbhalodi (5)

• ipatests: add remove automember condition tests commit #9332
• ipatests: Test for sequence processing failures with server context commit #9349
• ipatests: add missing automember-cli tests commit #9332
• ipatests: WebUI – ensure that ipa automember-rebuild prints a warning commit #9320
• ipatests: ensure that ipa automember-rebuild prints a warning commit #9320

Michal Polovka (2)

• ipatests: commands: Wait for the SSSD to become available commit #9377
• ipatest: loginscreen: do not use hardcoded password commit #9226

Mohammad Rizwan (3)

• ipatests: wait for sssd-kcm to settle after date change commit
• ipatests: fix tests in TestACMEPrune commit #9294
• ipatests: tests for certificate pruning commit #9294

Rob Crittenden (15)

• Don’t allow a group to be converted to POSIX and external commit #8990
• Replace usage of #!/usr/bin/env python3 with #!/usr/bin/python3 commit #8941
• Mention in ipa-client-install that nscd is disabled commit #9086
• Return the <Message> value cert-find failures from the CA commit #9369
• Use the OpenSSL certificate parser in cert-find commit #9331
• Enforce sizelimit in cert-find commit #9331
• doc: Update pruning design with implement enable/disable options commit #9323
• Wipe the ipa-ca DNS record when updating system records commit #9195
• Fix setting values of 0 in ACME pruning commit #9325
• tests: add wrapper around ACME RSNv3 test commit #9322
• doc: add the –run command for manual job execution commit #9294
• ipa-acme-manage: add certificate/request pruning management commit #9294
• tests: Add new ipa-ca error messages to IPADNSSystemRecordsCheck commit #9291
• tests: Add ipa_ca_name checking to DNS system records commit #9291
• doc: Design for certificate pruning commit #9294

Rafael Guterres Jeffman (2)

• Fix “no entry” condition when searching PAC info commit #9368
• Migrated to SPDX license. commit #9342

Stanislav Levin (21)

• ipasphinx: Correct import of progress_message for Sphinx 6.1.0+ commit #9361
• fastlint: Correct concatenation of file lists commit #9318
• dns: Fix support for dnspython 1.1x commit #9339
• tests: webui: Update vendored qunit commit #9329
• AP: webui: List installed nodejs packages commit #9329
• tests: webui: Load qunit only once commit #9329
• tests: webui: Allow file access from files in tests commit #9329
• tests: Configure DNSResolver as platform agnostic resolver commit #9319
• spec: Drop no longer used build dependency on paste commit #9314
• ipatests: healthcheck: Handle missing fips-mode-setup commit #9315
• pylint: Replace deprecated cgi module commit #9278
• pylint: Fix useless-object-inheritance commit #9278
• pylint: Fix unhashable-member commit #9278
• pylint: Fix unnecessary-lambda-assignment commit #9278
• pylint: Fix modified-iterating-list commit #9278
• pylint: Fix used-before-assignment commit #9278
• pylint: Replace deprecated pipes commit #9278
• pylint: Fix cyclic-import commit #9232, #9278
• pylint: Replace deprecated extension-pkg-whitelist commit #9278
• pylint: More allowed C extensions commit #9278
• pylint: Lint in single process mode commit #9278

Sudhir Menon (2)

• ipatests: ipa-adtrust-install command test scenarios commit
• Fixes: ipa-otpd@.service: deprecated syslog setting commit #9279

Timo Aaltonen (1)

• Drop duplicate includedir from krb5.conf commit #9267

Todd Zullinger (2)

• spec: silence krb5 pkgconf errors in %krb5_base_version commit
• spec: verify upstream source signature commit

Thorsten Scherf (1)

• external-idp: change idp server name to reference name commit

Quelle: Releases/4.10.2 – FreeIPA