The FreeIPA team would like to announce FreeIPA 4.8.0 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
Fedora 30 will be available in the official
[https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-8/ COPR repository].
== Highlights in 4.8.0 ==
=== Enhancements ===
FreeIPA 4.8.0 is a major release. Below is the list of noticeable
changes between FreeIPA 4.7 and 4.8.0:
* Removal or deprecation of weak ciphers
Following a general effort to harden FreeIPA deployments, FreeIPA 4.8.0
removes default support for weak ciphers. 3DES and RC4 ciphers are not
accessible for use in Kerberos anymore, and, in addition, Camelia
ciphers are not accessible when FreeIPA is deployed in FIPS mode. The
only permitted ciphers are the AES family (called aes, which is the
combination of: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96,
aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128).
DES, RC4, and Camellia are not permitted in FIPS mode by the underlying
system crypto libraries. While 3DES is permitted, the KDF used for it
in Kerberos V protocol is not, and Microsoft doesn't implement 3DES
* 3999: [RFE] Fix and Document how to set up Samba File Server with IPA
FreeIPA 4.8.0 introduces a tool to configure Samba file server on IPA
client. The tool, "ipa-client-samba" performs Samba configuration and
creates all required services on IPA side. Both the client side and the
server side (IPA master) require FreeIPA 4.8.0 due to multiple changes
introduced. Please see
[https://github.com/freeipa/freeipa/blob/master/doc/designs/adtrust/samba-... domain controller] and
[https://github.com/freeipa/freeipa/blob/master/doc/designs/adtrust/samba-... domain member]
design documents for more details.
* 4440: Add support for bounce_url to /ipa/ui/reset_password.html
The /ipa/ui/reset_password.html page accepts url parameter to provide
the user with a back link after successful password reset, to support
resets initiated by external web applications. Additional parameter
delay automatically redirects back after the specified number of seconds
* 4491: Use lib389 to install 389-ds instead of setup-ds.pl
FreeIPA now utilizes Python-based installer of 389-ds directory server
* 4580: FreeIPA's LDAP server requires SASL security strength factor of >= 56
Original FreeIPA 4.7.90.pre1 set FreeIPA LDAP server default
configuration to require SASL security strength factor higher than 56
bit. However, this change caused "realmd" and other enrollment tools to
fail as they expected to be able to retrieve certain information from
FreeIPA LDAP server unauthenticated. The change for the server
configuration was backed off. We intend to revisit this hardnening later
in FreeIPA 4.8 series.
* 5608: Tech preview: add Dogtag configuration extensions
FreeIPA team started rewrite of the Certificate Authority configuration
to make possible passing additional options when configuring Dogtag.
This is required to allow use of hardware secure (HSM) modules within
FreeIPA CA but also to allow tuning CA defaults. HSM configuration is
not yet fully available due to a number of open issues in Dogtag itself.
* 5803: Add utility to promote CA replica to CRL master
New utility was added to promote a CA replica to be the CRL master.
Design page] provides more details and use examples.
* 6077: Support One-Way Trust authenticated by trust secret
Samba integration was updated to allow establishing trust to Active
Directory from Windows side using a Trust wizard. This allows to
establish a one-way trust authenticated by a shared trust secret.
Additionally, it allows to establish a trust with Samba AD DC 4.7 or
later, initiated from Samba AD DC side.
* 6790: Allow creating IPA CA with 3084-bit key.
CA key size default is raised to 3072 instead of 2048 because it's the
recommended size by NIST. An extensibility feature added with ticket
5608 allows increasing the CA key size further buta 4096-bit key is
considerably slower. The change only affects new deployments. There is
no way to upgrade existing CA infrastructure other than issuing a new CA
key and re-issuing new certificates to all existing users of the old
root CA. In addition, lightweight sub-CAs are currently hard-coded to
2048 bit key size. All relevant public root CAs in the CA/B forum use
2048-bit RSA keys and SHA-256 PKCS#1 v1.5 signatures.
* 7193: Warn or adjust umask if it is too restrictive to break installation
FreeIPA deployment now enforces own umask settings that are known to
work at install time at hardened sites which follow some of STIG
* 7200: ipa-pkinit-manage reports a switch from local pkinit to full pkinit configuration was successful although it was not
The command ipa-pkinit-manage enable|disable is reporting success even
though the PKINIT cert is not re-issued. The command triggers the
request of a new certificate (signed by IPA CA when state=enable,
selfsigned when disabled), but as the cert file is still present,
certmonger does not create a new request and the existing certificate is
The fix consists in deleting the cert and key file before calling certmonger to request a new cert.
* 7206: Provide an option to include FQDN in IDM topology graph
In the replication topology graph visualization, it is now possible to
see a fully qualified name of the server. This change helps to reduce
confusion when managing complex multi-datacenter topologies.
* 7365: make kdcproxy errors in httpd error log less annoying in case AD KDCs are not reachable
Log level for technical messages of a KDC proxy was reduced to keep logs
* 7451: Allow issuing certificates with IP addresses in subjectAltName
FreeIPA now allows issuing certificates with IP addresses in the subject
alternative name (SAN), if all of the following are true:
** One of the DNS names in the SAN resolves to the IP address (possibly through a CNAME).
** All of the DNS entries in the resolution chain are managed by this IPA instance.
** The IP address has a (correct) reverse DNS entry that is managed by this IPA instance
* 7568: FreeIPA no longer supports Python 2
Removed Python 2 related code and configuration from spec file, autoconf
and CI infrastructure. From now on, FreeIPA 4.8 requires at least Python
3.6. Python 2 packages like python2-ipaserver or python2-ipaclient are
no longer available. PR-CI, lint, and tox aren't testing Python 2
* 7632: Allow IPA Services to Start After the IPA Backup Has Completed
ipa-backup gathers all the files needed for the backup, then compresses
the file and finally restarts the IPA services. When the backup is a
large file, the compression may take time and widen the unavailabity
window. This fix restarts the services as soon as all the required files
are gathered, and compresses after services are restarted.
* 7619, 7640, 7641: UI migration, password reset and configuration pages support translations
Static pages in FreeIPA web UI now allow translated content
* 7658: sysadm_r should be included in default SELinux user map order
sysadm_r is a standard SELinux user role included in Red Hat Enterprise
* 7667: Use only TLS 1.2 by default
TLS 1.3 is causing some trouble with client cert authentication.
Conditional client cert authentication requires post-handshake
authentication extension on TLS 1.3. The new feature is not fully
implemented yet. TLS 1.0 and 1.1 are no longer state of the art and now
disabled by default. TLS 1.2 works everywhere and supports perfect
forward secrecy mode (PFS).
* 7689: Domain Level 0 is no longer supported
Code to support operation on Domain Level 0 is removed. In order to
upgrade to FreeIPA 4.8.0 via replication, an existing deployment must
first be brought up to Domain Level 1.
* 7716: [RFE] remove "last init status" from ipa-replica-manage list <node> if it's None.
If a supplier or consumer of LDAP replication data has never done a
total update, its status is not shown anymore in "ipa-replica-manage
* 7747: Support interactive prompt for NTP options for FreeIPA
FreeIPA now asks user for NTP source server or pool address in
interactive mode if there is no server nor pool specified and
autodiscovery has not found any NTP source in DNS records.
* 7892: hidden / unadvertised IPA replica
A hidden replica is an IPA master server that is not advertised to
clients or other masters. Hidden replicas have all services running and
available, but none of the services has any DNS SRV records or enabled
LDAP server roles. This makes hidden replicas invisible for service
[https://pagure.io/freeipa/blob/master/f/doc/designs/hidden-replicas.md Design document]
provides more details on use cases and management of hidden replicas.
* PyPI packages have fewer dependencies
The official PyPI packages ipalib, ipapython, ipaplatform, and ipaclient
no longer depend on the binary extensions netifaces and python-ldap by
=== Known Issues ===
=== Bug fixes ===
FreeIPA 4.8.0 is a first stable release in 4.8 series.
There are more than 50 bug-fixes since 4.7.90pre1 pre-release. Details
of the bug-fixes can be seen in the list of resolved tickets below.
Changes for 4.7.90pre1 can be found at
[https://www.freeipa.org/page/Releases/4.7.90.pre1 4.7.90.pre1 release
== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing
or #freeipa channel on Freenode.
== Resolved tickets ==
* [https://pagure.io/freeipa/issue/2018 #2018] Change hostname length limit to 64
* [https://pagure.io/freeipa/issue/3999 #3999] [RFE] Fix and Document how to set up Samba File Server with IPA
* [https://pagure.io/freeipa/issue/4812 #4812] Switch nsslapd-unhashed-pw-switch to nolog
* [https://pagure.io/freeipa/issue/5062 #5062] [WebUI] Unlock option is enabled for all user.
* [https://pagure.io/freeipa/issue/6077 #6077] [RFE] Support One-Way Trust authenticated by trust secret
* [https://pagure.io/freeipa/issue/6627 #6627] WebUI: Enable pagination
* [https://pagure.io/freeipa/issue/7139 #7139] Traceback is seen when modification is done for user from ID Views - Default Trust View Tab.
* [https://pagure.io/freeipa/issue/7647 #7647] Error message should be more useful while ipa-backup fails for insufficient space
* [https://pagure.io/freeipa/issue/7667 #7667] When setting up mod_ssl, define range of the TLS protocols within the system-wide crypto policy
* [https://pagure.io/freeipa/issue/7716 #7716] [RFE] remove "last init status" from ipa-replica-manage list <node> if it's None.
* [https://pagure.io/freeipa/issue/7761 #7761] External CA renewal accepts issuer key < 2048-bit
* [https://pagure.io/freeipa/issue/7836 #7836] print appropriate message when uninstalling non-existent IPA client
* [https://pagure.io/freeipa/issue/7885 #7885] RFE: wrapper for Dogtag cert-fix command
* [https://pagure.io/freeipa/issue/7895 #7895] ipa trust fetch-domains, server parameter ignored
* [https://pagure.io/freeipa/issue/7917 #7917] Occasional 'whoami.data is undefined' error in FreeIPA web UI
* [https://pagure.io/freeipa/issue/7918 #7918] ipa-client-automount needs option to specify domain
* [https://pagure.io/freeipa/issue/7926 #7926] cert renewal is failing when ipa ca cert is renewed from self-signed > external ca > self-sign
* [https://pagure.io/freeipa/issue/7927 #7927] Wrong logic in ipactl restart leads to start instead of restart pki-tomcatd
* [https://pagure.io/freeipa/issue/7928 #7928] cn=cacert could show expired certificate
* [https://pagure.io/freeipa/issue/7930 #7930] Interactive promt for NTP options after install check.
* [https://pagure.io/freeipa/issue/7934 #7934] ipa-server-common expected file permissions in package don't match runtime permissions
* [https://pagure.io/freeipa/issue/7937 #7937] `build_requestinfo` crashes in OpenSSL1.1.0+ enviroments
* [https://pagure.io/freeipa/issue/7939 #7939] Upgrade failure when ipa-server-upgrade is being run on a system with no trust established but trust configured
* [https://pagure.io/freeipa/issue/7940 #7940] ipatests.test_integration.test_legacy_clients failure
* [https://pagure.io/freeipa/issue/7941 #7941] ipapython/dn_ctypes.py: libldap_r shared library missing
* [https://pagure.io/freeipa/issue/7942 #7942] WebUI test for automount is broken
* [https://pagure.io/freeipa/issue/7943 #7943] [FIPS] Use PKCS#8 instead of weaker traditional OpenSSL private key format
* [https://pagure.io/freeipa/issue/7948 #7948] [FIPS] Use 3DES for certificate encryption when creating a PKCS#12
* [https://pagure.io/freeipa/issue/7951 #7951] IPA i18n_messages call does not obey translations requests
* [https://pagure.io/freeipa/issue/7952 #7952] ipa-backup file logging does not work
* [https://pagure.io/freeipa/issue/7953 #7953] ipa-pwd-extop: do not remove MagicRegen mod, replace it
* [https://pagure.io/freeipa/issue/7956 #7956] Ipatests don't honor TMPDIR, TEMP or TMP environment variables
* [https://pagure.io/freeipa/issue/7959 #7959] ipa-client-install fails to add SSH public keys that are missing a whitespace as the last character
* [https://pagure.io/freeipa/issue/7960 #7960] tests are failing to create secure LDAP connection in some test configurations
* [https://pagure.io/freeipa/issue/7962 #7962] Different pycodestyle results: Travis vs Azure
* [https://pagure.io/freeipa/issue/7963 #7963] x509.Name -> ipapython.dn.DN does not handle multi-valued RDNs
* [https://pagure.io/freeipa/issue/7964 #7964] GSSAPI failure causing LWCA key replication failure on f30
* [https://pagure.io/freeipa/issue/7965 #7965] Stop using 389-ds legacy tools for backup and restore
* [https://pagure.io/freeipa/issue/7969 #7969] test failure in test_caless.py::TestServerInstall
* [https://pagure.io/freeipa/issue/7970 #7970] test failure in test_backup_and_restore.py::TestBackupAndRestore
* [https://pagure.io/freeipa/issue/7972 #7972] automember rebuild sometimes appears to return before the rebuild is complete
* [https://pagure.io/freeipa/issue/7974 #7974] Nightly test failure in ipatests.test_integration.test_user_permissions.TestUserPermissions
* [https://pagure.io/freeipa/issue/7977 #7977] tox 3.8.0+ fails on `make wheel_bundle`
* [https://pagure.io/freeipa/issue/7978 #7978] Missing configuration point for the default shell of user/admin
* [https://pagure.io/freeipa/issue/7981 #7981] Pytest4.x warnings
* [https://pagure.io/freeipa/issue/7982 #7982] Cannot modify TTL with ipa dnsrecord-mod --ttl alone on command line
* [https://pagure.io/freeipa/issue/7983 #7983] Staged user is not being recognized if the user entry doesn't have an objectClass "posixaccount"
* [https://pagure.io/freeipa/issue/7984 #7984] make sure 'make fastlint' processes Python .in files
* [https://pagure.io/freeipa/issue/7986 #7986] Increase debugging level of certmonger
* [https://pagure.io/freeipa/issue/7988 #7988] test_nfs.py: errors when running ipa-client-automount
* [https://pagure.io/freeipa/issue/7990 #7990] Assumptions about systemd name of `named`
* [https://pagure.io/freeipa/issue/7992 #7992] ipa upgrade fails with trust entry already exists
* [https://pagure.io/freeipa/issue/7996 #7996] `test_selinuxusermap_plugin` fails against not default SELinux settings
* [https://pagure.io/freeipa/issue/7998 #7998] Use system-wide crypto policy in TLS client
* [https://pagure.io/freeipa/issue/7999 #7999] download errors in dnf in Azure pipelines
== Detailed changelog since 4.7.90pre1 ==
Detailed changelog since 4.7.90pre1 is available at https://www.freeipa.org/page/Releases/4.8.0
Detailed changelog for 4.7.90pre1 release is available at https://www.freeipa.org/page/Releases/4.7.90.pre1
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
Got a strange one for the list ...
I've got a lovely multi-region replicating FreeIPA cluster spanning a
few AWS VPCs that is doing a fantastic job stitching together a complex
Active Directory topology
Now, however I have a need to support clients in a different, less
trusted VPC and the firewall people want to do a MiTM attack on the
TLS/HTTPS streams so they can intercept, decrypt and monitor HTTPS
traffic -- including apparently to and from the IPA nodes.
They want the SSL cert and key used by the HTTPS interface on the IPA
systems so they can set up the intercept properly.
My main question -- how do I properly extract the key and certificate
From reading and poking around it looks like the certs I want are in
/etc/httpd/alias but must be access by the 'certutil' utility which
seems .. under documented ... both in the IPA docs as well as from what
I can tell online.
I'm sort of terrified of breaking my installation by screwing up
Can anyone provide tips, URLs or a cheatsheet for pulling SSL
certificates and keys out of FreeIPA? Particularly the cert and key that
is used on the HTTPS TCP:443 interface?
In a IdM + AD trust setup; has anyone ever had the need to restrict IPA
client logins to a specific Active Directory server when using their AD
The problem I am having is that the one of my clients has a AD cluster and
some of the kdc servers in that cluster have clocks that are not
synchronized. Whenever someone tries to log in using their AD account, if
they hit a un-synchronized server then they get hit with the "kinit: clock
skew too great ..." error.
Since we don't control the AD server and since they refused to fix their
time sync issues, I have been trying to restrict AD logins to a specific
kdc server, but have been unable to do it. I have tried to edit the
sssd.conf and krb5.conf configuration files, but nothing seems to work.
after testing servers, replications et all (all with awesome success) I
am getting to test with clients.
Everything is working except Fedora 30 (Workstation, not Server). I can
do the usual ipa-client-install dance, which will create the kerberos
information. I can get a kerberos ticket using kinit as well as logging
in from a remote host to this one.
However, it is not possible to do a local (gdm) login with valid IPA
account. Neither with "Other User" nor via normal Linux Console (tty*).
sudo denies everything but the local login.
Hint: I am trying to login into the machine that has an existing user
account. Wait, what?
[ 10 Minutes later ]
I created a new user in IPA and logged in from that one. Worked like
magic. So no non-existent users.
So assuming that there might be some users that might have accounts
(read: all and everyone) -- what's the smartest way to mitigate or migrate?
Christian Reiss - email(a)christian-reiss.de /"\ ASCII Ribbon
support(a)alpha-labs.net \ / Campaign
X against HTML
WEB alpha-labs.net / \ in eMails
GPG Retrieval https://gpg.christian-reiss.de
GPG ID ABCD43C5, 0x44E29126ABCD43C5
GPG fingerprint = 9549 F537 2596 86BA 733C A4ED 44E2 9126 ABCD 43C5
"It's better to reign in hell than to serve in heaven.",
John Milton, Paradise lost.
I have follow the step from stepes from Freeipa web + Redhat to prepare the
replicat by commands :
DNS+Reverse : OK
On IPA Master : ipa-replica-prepare --password=XXXXX replicat.example.com
Scp the Gpg file from the Master to slave/replicat as root to /var/lib/ipa
On IPA Replicat : ipa-replica-install --password=XXXXX
/var/lib/ipa/replica-fil.gpg --setup-kra --setup-ca --setup-dns
After several secondes, the installation stop on stage :
[1/28] Configuring centificat server instaance
The first ERROR line: ipaserver.install.dogtaginstance: CRITICAL Failed to
configure CA instance: Command '/usr/sbin/pkispanw -s CA -f /tmp/tmMg7KE'
returned non-zero exist statut 1
The second ERROR line: ipaserver.install.dogtaginstance: CRITICAL See
The third ERROR line : ipaserver.install.dogtaginstance:CRITICAL
[error] RuntimeError: CA configuration failed.
My IPA Master was in Centos 7.3 IPA:v4.5.0
The replica server in Centos 7.6 IPA:v4.6.4
Can you help to resolve this pb ?
Mr Karim Bourenane