Change the 404 error pages on Tomcat
by Boyd Ako
Anybody know how to change the 404 error pages so it doesn't display server information? It's an ACAS finding; plugin 12085. https://www.tenable.com/plugins/nessus/12085
I did try to do the OWASP securing stuff, but it's not a "standard install" of Tomcat as far as I can tell.
Running `find / -fstype xfs -type f -name "web.xml"` I added the below error page lines to the web.xml files that have the "welcome-file-list" as the OWASP document stated. But it's still doing the default 404 error page.
<!-- error-code and exception-type are alternatives; an entry carrying both is
     registered by Tomcat as an exception mapping only, so 404 needs its own entry -->
<error-page>
  <error-code>404</error-code>
  <location>/error.jsp</location>
</error-page>
<error-page>
  <exception-type>java.lang.Throwable</exception-type>
  <location>/error.jsp</location>
</error-page>
The only thing that the server is doing is for FreeIPA. No other web services as far as I know. The ports reported are 8080 and 8443 which I believe are related to the OCSP stuff.
4 years, 9 months
Can I join older clients to a newer server?
by Janez Molicnik
I have IPA server installed on CentOS Linux 7.6 (IPA VERSION: 4.6.4, API_VERSION: 2.229), but I have some older servers that run older versions of CentOS:
- on the ones that have CentOS version 6.x, there is only version 3.0.0 of ipa-client available in the repository
- on the ones that have CentOS version 7 lower than 7.6, there is only version 4.4.0 of ipa-client available in the repository
On the page about the client ( https://www.freeipa.org/page/Client ) I have found some compatibility notes, but the article talks mainly about connecting newer clients to older servers. What about the other way around? Which problems can I expect when I connect older clients to the newer server? Will I have to configure SSSD manually?
4 years, 9 months
unregister old EMail address on this mailing list?
by Harald Dunkel
Hi folks,
I have a new EMail address.
Problem is, there is no option on [Manage subscription] to replace
the EMail address. The old address is not available to send an
unsubscribe to mailman, either. I could subscribe my new address
via mail to mailman, but
https://lists.fedorahosted.org/admin/accounts/subscriptions/
doesn't show these subscriptions, either.
Since the old address is still valid for receiving mails I get all
EMails twice now. How can I unsubscribe the old EMail address from
freeipa-users and freeipa-devel?
Every helpful comment is highly appreciated
Harri
4 years, 9 months
Random [Preauthentication failed] error in krb5 after a few days
by Raul Gomez
Hello list,
I'm facing an issue here that prevents authenticating within a client machine.
When an sssd daemon has been running for a few days, suddenly krb5 fails to authenticate a user with the following error from krb5:
[[sssd[krb5_child[1616]]]] [get_and_save_tgt] (0x0020): 1695: [-1765328360][Preauthentication failed]
[[sssd[krb5_child[1616]]]] [map_krb5_error] (0x0020): 1808: [-1765328360][Preauthentication failed]
[[sssd[krb5_child[1616]]]] [k5c_send_data] (0x0200): Received error code 1432158221
4 years, 9 months
Configuring polkit policy on Ubuntu
by Kees Bakker
Hey,
Does anyone have a suggestion how to combine FreeIPA and polkit (policykit)
on Ubuntu? Notice that, for some reason, Ubuntu (and Debian) is stuck at polkit 0.105.
I'm looking for ways to use HBAC rules in combination with service polkit-1. So that
we're able to say: this user can do polkit things on this host.
--
Kees
4 years, 9 months
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)
by Harald Dunkel
Hi folks,
Setup: ipa-server 4.6.4-7 on CentOS 7
Problem:
ipa host-del gives me
[root@ipa1 ~]# ipa host-del ppcl027.example.com
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)
Google pointed me to https://access.redhat.com/solutions/3624671,
but AFAICS this fix is not applicable. "^/ca/rest/certs/search" is
already in
:
# matches for CA REST API
<LocationMatch "^/ca/rest/account/login|^/ca/rest/account/logout|^/ca/rest/installer/installToken|^/ca/rest/securityDomain/domainInfo|^/ca/rest/securityDomain/installToken|^/ca/rest/profiles|^/ca/rest/authorities|^/ca/rest/certrequests|^/ca/rest/admin/kraconnector/remove|^/ca/rest/certs/search">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient optional
ProxyPassMatch ajp://localhost:8009
ProxyPassReverse ajp://localhost:8009
</LocationMatch>
:
?
Every helpful comment is highly appreciated
Harri
4 years, 9 months
unable to login to fedora server cockpit-ws
by Albert Szostkiewicz
After running a Fedora update, I am unable to log in to cockpit-ws and I am not sure what went wrong.
I am able to ssh to the box using IPA credentials without issue. But cockpit gives me "wrong username or password".
Errors I'm getting in the journal: 'couldn't read from connection: Peer sent fatal TLS alert: Unknown certificate'
I'm running the FreeIPA server and cockpit-ws on the same machine.
Maybe someone had a similar issue or some ideas where to start debugging it?
Log snippet when I am trying to log in:
myserver.domain.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=cockpit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
myserver.domain.com cockpit-ws[13295]: Using certificate: /etc/cockpit/ws-certs.d/0-self-signed.cert
myserver.domain.com cockpit-ws[13295]: couldn't read from connection: Peer sent fatal TLS alert: Unknown certificate
myserver.domain.com cockpit-session[13298]: pam_sss(cockpit:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=10.0.5.44 user=myuser
myserver.domain.com audit[13298]: USER_AUTH pid=13298 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_succeed_if,pam_succeed_if,pam_sss acct="myuser" exe="/usr/libexec/cockpit-session" hostname=10.0.5.44 addr=10.0.5.44 terminal=? res=success'
myserver.domain.com audit[13298]: USER_ACCT pid=13298 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="myuser" exe="/usr/libexec/cockpit-session" hostname=10.0.5.44 addr=10.0.5.44 terminal=? res=success'
myserver.domain.com audit[13298]: CRED_ACQ pid=13298 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_localuser,pam_sss acct="myuser" exe="/usr/libexec/cockpit-session" hostname=10.0.5.44 addr=10.0.5.44 terminal=? res=success'
myserver.domain.com cockpit-session[13298]: pam_ssh_add: Identity added: /home/myuser/.ssh/id_rsa (myuser(a)myserver.domain.com)
myserver.domain.com systemd-logind[1067]: New session 39 of user myuser.
-- Subject: A new session 39 has been created for user myuser
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Documentation: https://www.freedesktop.org/wiki/Software/systemd/multiseat
--
-- A new session with the ID 39 has been created for the user myuser.
--
-- The leading process of the session is 13298.
myserver.domain.com systemd[1]: Started Session 39 of user myuser.
-- Subject: Unit session-39.scope has finished start-up
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit session-39.scope has finished starting up.
--
-- The start-up result is done.
myserver.domain.com cockpit-session[13298]: pam_unix(cockpit:session): session opened for user myuser by (uid=0)
myserver.domain.com audit[13298]: USER_START pid=13298 uid=0 auid=1907400001 ses=39 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_ssh_add,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_sss,pam_umask,pam_lastlog acct="myuser" exe="/usr/libexec/cockpit-sessi>
myserver.domain.com audit[13298]: CRED_REFR pid=13298 uid=0 auid=1907400001 ses=39 msg='op=PAM:setcred grantors=pam_localuser,pam_sss acct="myuser" exe="/usr/libexec/cockpit-session" hostname=10.0.5.44 addr=10.0.5.44 terminal=? res=success'
myserver.domain.com cockpit-ws[13295]: 3: Permission denied.
myserver.domain.com audit[13298]: CRED_DISP pid=13298 uid=0 auid=1907400001 ses=39 msg='op=PAM:setcred grantors=pam_localuser,pam_sss acct="myuser" exe="/usr/libexec/cockpit-session" hostname=10.0.5.44 addr=10.0.5.44 terminal=? res=success'
myserver.domain.com cockpit-session[13298]: pam_unix(cockpit:session): session closed for user myuser
myserver.domain.com audit[13298]: USER_END pid=13298 uid=0 auid=1907400001 ses=39 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_keyinit,pam_ssh_add,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_sss,pam_umask,pam_lastlog acct="myuser" exe="/usr/libexec/cockpit-sessio>
myserver.domain.com systemd-logind[1067]: Session 39 logged out. Waiting for processes to exit.
myserver.domain.com systemd-logind[1067]: Removed session 39.
-- Subject: Session 39 has been terminated
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Documentation: https://www.freedesktop.org/wiki/Software/systemd/multiseat
--
-- A session with the ID 39 has been terminated.
4 years, 9 months
Error when trying to login on a CentOS 6 and OTP Token is enabled but not enforced in an account
by Raul Gomez
Hello list!
I'm new to FreeIPA, so probably this is something that has an easy fix but I can't find a way around it.
I have an environment where there are several CentOS 6 and CentOS 7 machines and I'm trying to centralize the user authentication and management, so I installed a cluster of 3 FreeIPA servers for this.
Now, by company policies, it is mandatory to have ssh pubkey authentication and ideally 2FA enabled in all servers (2FA just for sudo in this case), but CentOS 6 is not able to use 2FA because of the old sss/krb versions it provides, so I decided to enable it just in the CentOS 7 servers via auth indicators and they are working fine there!
BUT! When I enroll a CentOS 6 server, I'm facing an issue when the 2FA via OTP Token is enabled in a user account, even if it is not enforced; that is, the "Two factor authentication (password + OTP)" check box is unchecked within the FreeIPA WebAdmin portal in the user account and of course, there is no auth indicators set for the CentOS 6 server.
If I disable the user's OTP Token, or if it is removed from the user account, then I can execute sudo correctly on CentOS 6, but then I can't successfully run any sudo command in any CentOS 7 server (it asks for First/Second factor), and it fails even if I remove the auth indicator on them.
Am I correct to assume that by selectively enabling authentication indicators per host OS version I can implement the solution I want? If so, could anyone tell me what I'm missing here?
With debug_level = 6 in sssd.conf on the CentOS 6 client, this is the relevant output regarding this failure when the OTP Token is enabled:
Jul 5 20:09:07.842 sshd[6883]: Accepted publickey for my.user from 172.30.2.147 port 41876 ssh2
Jul 5 20:09:07.850 sshd[6883]: pam_unix(sshd:session): session opened for user my.user by (uid=0)
Jul 5 20:09:12.828 sudo: pam_unix(sudo:auth): authentication failure; logname=my.user uid=645100025 euid=0 tty=/dev/pts/1 ruser=my.user rhost= user=my.user
Jul 5 20:09:12.898 sudo: pam_sss(sudo:auth): authentication failure; logname=my.user uid=645100025 euid=0 tty=/dev/pts/1 ruser=my.user rhost= user=my.user
Jul 5 20:09:12.898 sudo: pam_sss(sudo:auth): received for user my.user: 17 (Failure setting user credentials)
Jul 5 20:11:40.930 sudo: pam_unix(sudo:auth): conversation failed
Jul 5 20:11:40.930 sudo: pam_unix(sudo:auth): auth could not identify password for [my.user]
Jul 5 20:11:40.975 sudo: pam_sss(sudo:auth): authentication failure; logname=my.user uid=645100025 euid=0 tty=/dev/pts/1 ruser=my.user rhost= user=my.user
Jul 5 20:11:40.975 sudo: pam_sss(sudo:auth): received for user my.user: 7 (Authentication failure)
Jul 5 20:11:40.975 sudo: my.user : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/my.user ; USER=root ; COMMAND=list
These are my IPA/sss/krb versions on CentOS 6.10 servers:
sssd: 1.13.3-60.el6_10.2
ipa-client: 3.0.0-51.el6
krb5: 1.10.3-65.el6
And these are the IPA/sss/krb versions on CentOS 7.6 IPA servers:
sssd: 1.16.2-13.el7_6.8
ipa-server: 4.6.4-10.el7_6.3
krb5-server: 1.15.1-37.el7_6
Thank you very much in advance for any help, regards...
4 years, 9 months
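The krb5_child lines in the "Random [Preauthentication failed]" post above and the pam_sss lines in this post are the two shapes in which SSSD authentication failures usually surface. The triage script below is an added example, not code from either post or from SSSD: it parses both shapes, maps the numeric codes to their libkrb5 and Linux-PAM names, and counts distinct failures; the sample lines are copied from the two posts.

```python
"""Triage SSSD/PAM authentication failures from log lines."""
import re
from collections import Counter

# libkrb5 KDC protocol errors are KRB5KDC_ERR_NONE plus the RFC 4120 error number.
KRB5KDC_ERR_NONE = -1765328384
KRB5KDC_ERR_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    18: "KRB5KDC_ERR_CLIENT_REVOKED",
    23: "KRB5KDC_ERR_KEY_EXP",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",   # wrong password/OTP, or clock and key trouble
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
}
# Linux-PAM return codes as printed in "received for user <u>: <n> (<text>)".
PAM_NAMES = {7: "PAM_AUTH_ERR", 17: "PAM_CRED_ERR"}

# [[sssd[krb5_child[PID]]]] [function] (0xLEVEL): LINE: [code][message]
KRB5_CHILD_RE = re.compile(
    r"\[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): \d+: \[(?P<code>-?\d+)\]\[(?P<msg>[^\]]*)\]")
# Mon DD HH:MM:SS.mmm prog: pam_sss(service:auth): received for user U: N (text)
PAM_SSS_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+) (?P<prog>\S+): pam_sss\((?P<svc>\w+):auth\): "
    r"received for user (?P<user>\S+): (?P<code>\d+) \((?P<msg>[^)]*)\)")


def krb5_error_name(code: int) -> str:
    return KRB5KDC_ERR_NAMES.get(code - KRB5KDC_ERR_NONE, f"krb5 error {code}")


def parse_line(line: str):
    """Return a normalized event dict, or None for lines of neither shape."""
    m = KRB5_CHILD_RE.search(line)
    if m:
        code = int(m["code"])
        return {"source": "krb5_child", "key": int(m["pid"]), "func": m["func"],
                "code": code, "name": krb5_error_name(code), "msg": m["msg"]}
    m = PAM_SSS_RE.search(line)
    if m:
        code = int(m["code"])
        return {"source": "pam_sss", "key": m["ts"], "service": m["svc"],
                "user": m["user"], "code": code,
                "name": PAM_NAMES.get(code, f"PAM code {code}"), "msg": m["msg"]}
    return None


def triage(lines):
    """Return (events, per-name counts, number of distinct failures).
    One krb5_child process logs the same error from several functions, so a
    distinct failure is keyed by (source, pid or timestamp, code)."""
    events = [e for e in map(parse_line, lines) if e]
    summary = Counter(e["name"] for e in events)
    distinct = {(e["source"], e["key"], e["code"]) for e in events}
    return events, summary, len(distinct)


# Sample input: lines copied from the two posts.
SAMPLE_LINES = [
    "[[sssd[krb5_child[1616]]]] [get_and_save_tgt] (0x0020): 1695: [-1765328360][Preauthentication failed]",
    "[[sssd[krb5_child[1616]]]] [map_krb5_error] (0x0020): 1808: [-1765328360][Preauthentication failed]",
    "[[sssd[krb5_child[1616]]]] [k5c_send_data] (0x0200): Received error code 1432158221",
    "Jul 5 20:09:12.898 sudo: pam_sss(sudo:auth): received for user my.user: 17 (Failure setting user credentials)",
    "Jul 5 20:11:40.975 sudo: pam_sss(sudo:auth): received for user my.user: 7 (Authentication failure)",
]

if __name__ == "__main__":
    found, counts, n_distinct = triage(SAMPLE_LINES)
    for event in found:
        print(event["source"], event["name"], event["msg"])
    print(dict(counts), "distinct failures:", n_distinct)
```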
Share value between pre and post operation
by Elena Fedorov
Hello,
what is the best way of sharing a private value between pre and post
operation of two plugins, for example between prebind and postbind plugins.
I was looking at the Slapi_PBlock *pb - can I use a field of this structure
to set a value in the prebind plugin and then read this value in the post
bind plugin?
If yes, which field can be used for this?
If no, what other mechanism is available for sharing values between pre
and post plugins?
Thanks,
Elena Fedorov
Senior Consultant, Analytics Cloud Expert Services SDK API
T:613-356-6106
https://www.ibm.com/analytics/us/en/services/cloud-expert-services.html
4 years, 9 months
Announcing FreeIPA 4.8.0
by Alexander Bokovoy
The FreeIPA team would like to announce FreeIPA 4.8.0 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
Fedora 30 will be available in the official
[https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-8/ COPR repository].
== Highlights in 4.8.0 ==
=== Enhancements ===
FreeIPA 4.8.0 is a major release. Below is the list of noticeable
changes between FreeIPA 4.7 and 4.8.0:
* Removal or deprecation of weak ciphers
Following a general effort to harden FreeIPA deployments, FreeIPA 4.8.0
removes default support for weak ciphers. 3DES and RC4 ciphers are not
accessible for use in Kerberos anymore, and, in addition, Camellia
ciphers are not accessible when FreeIPA is deployed in FIPS mode. The
only permitted ciphers are the AES family (called aes, which is the
combination of: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96,
aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128).
DES, RC4, and Camellia are not permitted in FIPS mode by the underlying
system crypto libraries. While 3DES is permitted, the KDF used for it
in Kerberos V protocol is not, and Microsoft doesn't implement 3DES
anyway.
--------
* 3999: [RFE] Fix and Document how to set up Samba File Server with IPA
FreeIPA 4.8.0 introduces a tool to configure Samba file server on IPA
client. The tool, "ipa-client-samba" performs Samba configuration and
creates all required services on IPA side. Both the client side and the
server side (IPA master) require FreeIPA 4.8.0 due to multiple changes
introduced. Please see
[https://github.com/freeipa/freeipa/blob/master/doc/designs/adtrust/samba-... domain controller] and
[https://github.com/freeipa/freeipa/blob/master/doc/designs/adtrust/samba-... domain member]
design documents for more details.
--------
* 4440: Add support for bounce_url to /ipa/ui/reset_password.html
The /ipa/ui/reset_password.html page accepts url parameter to provide
the user with a back link after successful password reset, to support
resets initiated by external web applications. Additional parameter
delay automatically redirects back after the specified number of seconds
has elapsed.
--------
* 4491: Use lib389 to install 389-ds instead of setup-ds.pl
FreeIPA now utilizes Python-based installer of 389-ds directory server
--------
* 4580: FreeIPA's LDAP server requires SASL security strength factor of >= 56
Original FreeIPA 4.7.90.pre1 set FreeIPA LDAP server default
configuration to require SASL security strength factor higher than 56
bit. However, this change caused "realmd" and other enrollment tools to
fail as they expected to be able to retrieve certain information from
FreeIPA LDAP server unauthenticated. The change for the server
configuration was backed off. We intend to revisit this hardening later
in FreeIPA 4.8 series.
--------
* 5608: Tech preview: add Dogtag configuration extensions
FreeIPA team started rewrite of the Certificate Authority configuration
to make possible passing additional options when configuring Dogtag.
This is required to allow use of hardware secure (HSM) modules within
FreeIPA CA but also to allow tuning CA defaults. HSM configuration is
not yet fully available due to a number of open issues in Dogtag itself.
--------
* 5803: Add utility to promote CA replica to CRL master
New utility was added to promote a CA replica to be the CRL master.
[https://www.freeipa.org/page/V4/Promotion_to_CRL_generation_master
Design page] provides more details and use examples.
--------
* 6077: Support One-Way Trust authenticated by trust secret
Samba integration was updated to allow establishing trust to Active
Directory from Windows side using a Trust wizard. This allows to
establish a one-way trust authenticated by a shared trust secret.
Additionally, it allows to establish a trust with Samba AD DC 4.7 or
later, initiated from Samba AD DC side.
--------
* 6790: Allow creating IPA CA with 3084-bit key.
CA key size default is raised to 3072 instead of 2048 because it's the
recommended size by NIST. An extensibility feature added with ticket
5608 allows increasing the CA key size further but a 4096-bit key is
considerably slower. The change only affects new deployments. There is
no way to upgrade existing CA infrastructure other than issuing a new CA
key and re-issuing new certificates to all existing users of the old
root CA. In addition, lightweight sub-CAs are currently hard-coded to
2048 bit key size. All relevant public root CAs in the CA/B forum use
2048-bit RSA keys and SHA-256 PKCS#1 v1.5 signatures.
--------
* 7193: Warn or adjust umask if it is too restrictive to break installation
FreeIPA deployment now enforces own umask settings that are known to
work at install time at hardened sites which follow some of STIG
recommendations.
--------
* 7200: ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not
The command ipa-pkinit-manage enable|disable is reporting success even
though the PKINIT cert is not re-issued. The command triggers the
request of a new certificate (signed by IPA CA when state=enable,
selfsigned when disabled), but as the cert file is still present,
certmonger does not create a new request and the existing certificate is
kept.
The fix consists in deleting the cert and key file before calling certmonger to request a new cert.
--------
* 7206: Provide an option to include FQDN in IDM topology graph
In the replication topology graph visualization, it is now possible to
see a fully qualified name of the server. This change helps to reduce
confusion when managing complex multi-datacenter topologies.
--------
* 7365: make kdcproxy errors in httpd error log less annoying in case AD KDCs are not reachable
Log level for technical messages of a KDC proxy was reduced to keep logs
clean.
--------
* 7451: Allow issuing certificates with IP addresses in subjectAltName
FreeIPA now allows issuing certificates with IP addresses in the subject
alternative name (SAN), if all of the following are true:
** One of the DNS names in the SAN resolves to the IP address (possibly through a CNAME).
** All of the DNS entries in the resolution chain are managed by this IPA instance.
** The IP address has a (correct) reverse DNS entry that is managed by this IPA instance
--------
* 7568: FreeIPA no longer supports Python 2
Removed Python 2 related code and configuration from spec file, autoconf
and CI infrastructure. From now on, FreeIPA 4.8 requires at least Python
3.6. Python 2 packages like python2-ipaserver or python2-ipaclient are
no longer available. PR-CI, lint, and tox aren't testing Python 2
compatibility anymore.
--------
* 7632: Allow IPA Services to Start After the IPA Backup Has Completed
ipa-backup gathers all the files needed for the backup, then compresses
the file and finally restarts the IPA services. When the backup is a
large file, the compression may take time and widen the unavailability
window. This fix restarts the services as soon as all the required files
are gathered, and compresses after services are restarted.
--------
* 7619, 7640, 7641: UI migration, password reset and configuration pages support translations
Static pages in FreeIPA web UI now allow translated content
--------
* 7658: sysadm_r should be included in default SELinux user map order
sysadm_r is a standard SELinux user role included in Red Hat Enterprise
Linux.
--------
* 7667: Use only TLS 1.2 by default
TLS 1.3 is causing some trouble with client cert authentication.
Conditional client cert authentication requires post-handshake
authentication extension on TLS 1.3. The new feature is not fully
implemented yet. TLS 1.0 and 1.1 are no longer state of the art and now
disabled by default. TLS 1.2 works everywhere and supports perfect
forward secrecy mode (PFS).
--------
* 7689: Domain Level 0 is no longer supported
Code to support operation on Domain Level 0 is removed. In order to
upgrade to FreeIPA 4.8.0 via replication, an existing deployment must
first be brought up to Domain Level 1.
--------
* 7716: [RFE] remove "last init status" from ipa-replica-manage list <node> if it's None.
If a supplier or consumer of LDAP replication data has never done a
total update, its status is not shown anymore in "ipa-replica-manage
list" output
--------
* 7747: Support interactive prompt for NTP options for FreeIPA
FreeIPA now asks user for NTP source server or pool address in
interactive mode if there is no server nor pool specified and
autodiscovery has not found any NTP source in DNS records.
--------
* 7892: hidden / unadvertised IPA replica
A hidden replica is an IPA master server that is not advertised to
clients or other masters. Hidden replicas have all services running and
available, but none of the services has any DNS SRV records or enabled
LDAP server roles. This makes hidden replicas invisible for service
discovery.
[https://pagure.io/freeipa/blob/master/f/doc/designs/hidden-replicas.md Design document]
provides more details on use cases and management of hidden replicas.
--------
* PyPI packages have fewer dependencies
The official PyPI packages ipalib, ipapython, ipaplatform, and ipaclient
no longer depend on the binary extensions netifaces and python-ldap by
default.
--------
=== Known Issues ===
=== Bug fixes ===
FreeIPA 4.8.0 is a first stable release in 4.8 series.
There are more than 50 bug-fixes since 4.7.90pre1 pre-release. Details
of the bug-fixes can be seen in the list of resolved tickets below.
Changes for 4.7.90pre1 can be found at
[https://www.freeipa.org/page/Releases/4.7.90.pre1 4.7.90.pre1 release
page]
== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing
list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...)
or #freeipa channel on Freenode.
== Resolved tickets ==
* [https://pagure.io/freeipa/issue/2018 #2018] Change hostname length limit to 64
* [https://pagure.io/freeipa/issue/3999 #3999] [RFE] Fix and Document how to set up Samba File Server with IPA
* [https://pagure.io/freeipa/issue/4812 #4812] Switch nsslapd-unhashed-pw-switch to nolog
* [https://pagure.io/freeipa/issue/5062 #5062] [WebUI] Unlock option is enabled for all user.
* [https://pagure.io/freeipa/issue/6077 #6077] [RFE] Support One-Way Trust authenticated by trust secret
* [https://pagure.io/freeipa/issue/6627 #6627] WebUI: Enable pagination
* [https://pagure.io/freeipa/issue/7139 #7139] Traceback is seen when modification is done for user from ID Views - Default Trust View Tab.
* [https://pagure.io/freeipa/issue/7647 #7647] Error message should be more useful while ipa-backup fails for insufficient space
* [https://pagure.io/freeipa/issue/7667 #7667] When setting up mod_ssl, define range of the TLS protocols within the system-wide crypto policy
* [https://pagure.io/freeipa/issue/7716 #7716] [RFE] remove "last init status" from ipa-replica-manage list <node> if it's None.
* [https://pagure.io/freeipa/issue/7761 #7761] External CA renewal accepts issuer key < 2048-bit
* [https://pagure.io/freeipa/issue/7836 #7836] print appropriate message when uninstalling non-existent IPA client
* [https://pagure.io/freeipa/issue/7885 #7885] RFE: wrapper for Dogtag cert-fix command
* [https://pagure.io/freeipa/issue/7895 #7895] ipa trust fetch-domains, server parameter ignored
* [https://pagure.io/freeipa/issue/7917 #7917] Occasional 'whoami.data is undefined' error in FreeIPA web UI
* [https://pagure.io/freeipa/issue/7918 #7918] ipa-client-automount needs option to specify domain
* [https://pagure.io/freeipa/issue/7926 #7926] cert renewal is failing when ipa ca cert is renewed from self-signed > external ca > self-sign
* [https://pagure.io/freeipa/issue/7927 #7927] Wrong logic in ipactl restart leads to start instead of restart pki-tomcatd
* [https://pagure.io/freeipa/issue/7928 #7928] cn=cacert could show expired certificate
* [https://pagure.io/freeipa/issue/7930 #7930] Interactive promt for NTP options after install check.
* [https://pagure.io/freeipa/issue/7934 #7934] ipa-server-common expected file permissions in package don't match runtime permissions
* [https://pagure.io/freeipa/issue/7937 #7937] `build_requestinfo` crashes in OpenSSL1.1.0+ enviroments
* [https://pagure.io/freeipa/issue/7939 #7939] Upgrade failure when ipa-server-upgrade is being run on a system with no trust established but trust configured
* [https://pagure.io/freeipa/issue/7940 #7940] ipatests.test_integration.test_legacy_clients failure
* [https://pagure.io/freeipa/issue/7941 #7941] ipapython/dn_ctypes.py: libldap_r shared library missing
* [https://pagure.io/freeipa/issue/7942 #7942] WebUI test for automount is broken
* [https://pagure.io/freeipa/issue/7943 #7943] [FIPS] Use PKCS#8 instead of weaker traditional OpenSSL private key format
* [https://pagure.io/freeipa/issue/7948 #7948] [FIPS] Use 3DES for certificate encryption when creating a PKCS#12
* [https://pagure.io/freeipa/issue/7951 #7951] IPA i18n_messages call does not obey translations requests
* [https://pagure.io/freeipa/issue/7952 #7952] ipa-backup file logging does not work
* [https://pagure.io/freeipa/issue/7953 #7953] ipa-pwd-extop: do not remove MagicRegen mod, replace it
* [https://pagure.io/freeipa/issue/7956 #7956] Ipatests don't honor TMPDIR, TEMP or TMP environment variables
* [https://pagure.io/freeipa/issue/7959 #7959] ipa-client-install fails to add SSH public keys that are missing a whitespace as the last character
* [https://pagure.io/freeipa/issue/7960 #7960] tests are failing to create secure LDAP connection in some test configurations
* [https://pagure.io/freeipa/issue/7962 #7962] Different pycodestyle results: Travis vs Azure
* [https://pagure.io/freeipa/issue/7963 #7963] x509.Name -> ipapython.dn.DN does not handle multi-valued RDNs
* [https://pagure.io/freeipa/issue/7964 #7964] GSSAPI failure causing LWCA key replication failure on f30
* [https://pagure.io/freeipa/issue/7965 #7965] Stop using 389-ds legacy tools for backup and restore
* [https://pagure.io/freeipa/issue/7969 #7969] test failure in test_caless.py::TestServerInstall
* [https://pagure.io/freeipa/issue/7970 #7970] test failure in test_backup_and_restore.py::TestBackupAndRestore
* [https://pagure.io/freeipa/issue/7972 #7972] automember rebuild sometimes appears to return before the rebuild is complete
* [https://pagure.io/freeipa/issue/7974 #7974] Nightly test failure in ipatests.test_integration.test_user_permissions.TestUserPermissions
* [https://pagure.io/freeipa/issue/7977 #7977] tox 3.8.0+ fails on `make wheel_bundle`
* [https://pagure.io/freeipa/issue/7978 #7978] Missing configuration point for the default shell of user/admin
* [https://pagure.io/freeipa/issue/7981 #7981] Pytest4.x warnings
* [https://pagure.io/freeipa/issue/7982 #7982] Cannot modify TTL with ipa dnsrecord-mod --ttl alone on command line
* [https://pagure.io/freeipa/issue/7983 #7983] Staged user is not being recognized if the user entry doesn't have an objectClass "posixaccount"
* [https://pagure.io/freeipa/issue/7984 #7984] make sure 'make fastlint' processes Python .in files
* [https://pagure.io/freeipa/issue/7986 #7986] Increase debugging level of certmonger
* [https://pagure.io/freeipa/issue/7988 #7988] test_nfs.py: errors when running ipa-client-automount
* [https://pagure.io/freeipa/issue/7990 #7990] Assumptions about systemd name of `named`
* [https://pagure.io/freeipa/issue/7992 #7992] ipa upgrade fails with trust entry already exists
* [https://pagure.io/freeipa/issue/7996 #7996] `test_selinuxusermap_plugin` fails against not default SELinux settings
* [https://pagure.io/freeipa/issue/7998 #7998] Use system-wide crypto policy in TLS client
* [https://pagure.io/freeipa/issue/7999 #7999] download errors in dnf in Azure pipelines
== Detailed changelog since 4.7.90pre1 ==
Detailed changelog since 4.7.90pre1 is available at https://www.freeipa.org/page/Releases/4.8.0
Detailed changelog for 4.7.90pre1 release is available at https://www.freeipa.org/page/Releases/4.7.90.pre1
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
4 years, 9 months
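The three conditions listed under ticket 7451 above (a SAN DNS name resolves to the IP, possibly through a CNAME; every name in that chain is IPA-managed; the IP has a correct, IPA-managed reverse entry) worked through as an added example. This is not FreeIPA's own implementation: the DNS data is a constructed in-memory model of managed zones rather than a live lookup, the zone names, hosts and addresses are assumptions, and "correct" reverse entry is interpreted here as a PTR that points back to a name in the resolution chain.

```python
"""Model FreeIPA 4.8's policy for IP addresses in subjectAltName."""
import ipaddress


class DnsView:
    """Constructed stand-in for IPA-managed DNS: records plus the managed zone list."""

    def __init__(self, managed_zones, records):
        self.zones = {z.rstrip(".").lower() + "." for z in managed_zones}
        self.records = {name.lower(): rrs for name, rrs in records.items()}

    def is_managed(self, name: str) -> bool:
        name = name.lower()
        return any(name == z or name.endswith("." + z) for z in self.zones)

    def lookup(self, name: str, rtype: str):
        return [rdata for t, rdata in self.records.get(name.lower(), []) if t == rtype]

    def resolve(self, name: str, max_hops: int = 8):
        """Follow CNAMEs; return (chain of names visited, addresses found)."""
        chain, current = [name], name
        for _ in range(max_hops):
            addrs = self.lookup(current, "A") + self.lookup(current, "AAAA")
            if addrs:
                return chain, [ipaddress.ip_address(a) for a in addrs]
            cname = self.lookup(current, "CNAME")
            if not cname:
                return chain, []
            current = cname[0]
            chain.append(current)
        return chain, []


def san_ip_allowed(view: DnsView, san_dns_names, ip):
    """Apply the three 7451 conditions; return (allowed, reason)."""
    ip = ipaddress.ip_address(ip)
    ptr_name = ip.reverse_pointer + "."
    for name in san_dns_names:
        chain, addrs = view.resolve(name)
        if ip not in addrs:
            continue  # condition 1 not met by this SAN name, try the next
        if not all(view.is_managed(n) for n in chain):  # condition 2
            return False, f"resolution chain {chain} leaves IPA-managed DNS"
        if not view.is_managed(ptr_name):  # condition 3, reverse zone
            return False, f"reverse zone for {ip} is not IPA-managed"
        chain_names = {n.lower() for n in chain}
        if not any(t.lower() in chain_names for t in view.lookup(ptr_name, "PTR")):
            return False, f"PTR for {ip} does not point back to {name}"  # condition 3, correctness
        return True, f"{ip} is reachable via {' -> '.join(chain)}"
    return False, f"no SAN DNS name resolves to {ip}"


# Constructed zone data (assumed names and addresses).
VIEW = DnsView(
    managed_zones=["example.test", "5.0.10.in-addr.arpa"],
    records={
        "web.example.test.": [("CNAME", "host1.example.test.")],
        "host1.example.test.": [("A", "10.0.5.44")],
        "44.5.0.10.in-addr.arpa.": [("PTR", "host1.example.test.")],
        "alias.example.test.": [("CNAME", "outside.example.org.")],  # leaves IPA DNS
        "outside.example.org.": [("A", "10.0.5.45")],
        "45.5.0.10.in-addr.arpa.": [("PTR", "outside.example.org.")],
        "host2.example.test.": [("A", "10.0.5.46")],  # no reverse entry
    },
)

if __name__ == "__main__":
    for names, ip in [(["web.example.test."], "10.0.5.44"),
                      (["alias.example.test."], "10.0.5.45"),
                      (["host2.example.test."], "10.0.5.46"),
                      (["host1.example.test."], "10.0.5.99")]:
        print(names, ip, san_ip_allowed(VIEW, names, ip))
```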