Highlights in 3.3.3#

Enhancements#

New ipa-advise plugins for configuring legacy clients via nss-pam-ldapd
New ipa-advise plugins for configuring legacy clients via nss_ldap
FreeIPA server can now co-exist with mod_ssl serving other non-443 ports

Bug fixes#

ipa-replica-install no longer crashes when being installed with a CA support
winsync reinitialization no longer prints error
Samba configuration added by ipa-adtrust-install is now properly removed
Administrative password changes (e.g. by Directory Manager) now respect maximum password life as defined in password policy
nsds5ReplicaStripAttrs is now properly set on replication agreements, avoiding potential replication issues
… and numerous other small fixes

Test improvements#

New integration test for external CA installation
New integration tests for AD Trust legacy clients feature
Numerous small fixes in test framework and beaker integration

Deprecated functionality#

DNS can no longer be configured with –no-serial-autoincrement option. Serial autoincrement is a requirement for several DNS main features, including zone transfers and future DNSSEC support
LanMan hash is no longer supported or generated. LanMan hash has several security weaknesses allowing attacker to crack it in a reasonable time. As such, the LanMan hash was already not allowed in a default configuration and had to be explicitly enabled.

Upgrading#

An IPA server can be upgraded simply by installing updated rpms. The server does not need to be shut down in advance.

Please note that if you are doing the upgrade in special environment (e.g. FedUp) which does not allow running the LDAP server during upgrade process, upgrade scripts need to be run manually after the first boot:

ipa-upgradeconfig
ipa-ldap-updater –upgrade

Also note that the performance improvements require an extended set of indexes to be configured. RPM update for an IPA server with a excessive number of users may require several minutes to finish.

If you have multiple servers you may upgrade them one at a time. It is expected that all servers will be upgraded in a relatively short period (days or weeks, not months). They should be able to co-exist peacefully but new features will not be available on old servers and enrolling a new client against an old server will result in the SSH keys not being uploaded.

Downgrading a server once upgraded is not supported.

Upgrading from 2.2.0 and later versions is supported. Upgrading from previous versions is not supported and has not been tested.

An enrolled client does not need the new packages installed unless you want to re-enroll it. SSH keys for already installed clients are not uploaded, you will have to re-enroll the client or manually upload the keys.

Feedback#

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

Detailed Changelog since 3.3.2#

Ana Krivokapic (4):#

Add ipa-advise plugins for nss-pam-ldapd legacy clients
Do not roll back failed client installation on server
Make sure nsds5ReplicaStripAttrs is set on agreements
Add test for external CA installation

Jakub Hrozek (1):#

trusts: combine filters with AND to make sure only the intended domain matches

Jan Cholasta (1):#

Track DS certificate with certmonger on replicas.

Martin Kosek (14):#

Do not allow ‘%’ in DM password
Remove –no-serial-autoincrement
PKI installation on replica failing due to missing proxy conf
Use consistent realm name in cainstance and dsinstance
Winsync re-initialize should not run memberOf fixup task
Installer should always wait until CA starts up
Administrative password change does not respect password policy
Do not add kadmin/changepw ACIs on new installs
Make set_directive and get_directive more strict
Remove mod_ssl conflict
Add nsswitch.conf to FILES section of ipa-client-install man page
Remove ipa-pwd-extop and ipa-enrollment duplicate error strings
Remove deprecated AllowLMhash config
Become IPA 3.3.3

Petr Viktorin (6):#

test_caless.TestCertInstall: Fix ‘test_no_ds_password’ test case
Use new CLI options in certinstall tests
test_simple_replication: Fix waiting for replication
freeipa.spec: Fix changelog dates
Tests: mkdir_recursive: Don’t fail when top-level directory doesn’t exist
beakerlib plugin: Don’t try to submit logs if they are missing

Petr Vobornik (1):#

Fix password expiration notification

Sumit Bose (3):#

Use the right attribute with ipapwd_entry_checks for MagicRegen
Remove AllowLMhash from the allowed IPA config strings
Remove generation and handling of LM hashes

Tomas Babej (23):#

trusts: Do not create ranges for subdomains in case of POSIX trust
ipa-upgradeconfig: Remove backed up smb.conf
ipa-adtrust-install: Add warning that we will break existing samba configuration
adtrustinstance: Properly handle uninstall of AD trust instance
adtrustinstance: Move attribute definitions from setup to init method
ipatests: Extend the order plugin to properly handle inheritance
Get the created range type in case of re-establishing trust
ipatests: Add Active Directory support to configuration
ipatests: Extend domain object with ‘ad’ role support and WinHosts
ipatests: Extend IntegrationTest with multiple AD domain support
ipatests: Create util module for ipatests
ipatests: Add WinHost class
ipatests: Add AD-integration related tasks
ipatests: Add AD integration test case
trusts: Fix typo in error message for realm-domain mismatch
advice: Add legacy client configuration script using nss-ldap
ipatests: Extend clear_sssd_cache to support non-systemd platforms
ipatests: Restore SELinux context after restoring files from backup
ipatests: Do not use /usr/bin hardcoded paths
ipatests: Add support for extra roles referenced by a keyword
ipatests: Use command -v instead of which in legacy client advice
ipatests: Add integration tests for legacy clients
ipatests: test_trust: use domain name instead of realm for user lookups

Highlights in 3.3.3

Contents