The FreeIPA team would like to announce FreeIPA 4.9.1 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
== Highlights in 4.9.1
* 3226: [RFE] ipa sudorule-add-user should accept more types of characters
IPA now supports users and groups from trusted Active Directory domains in SUDO rules to specify runAsUser/runAsGroup properties without an intermediate non-POSIX group membership.
IPA now supports adding users and groups from trusted Active Directory domains in SUDO rules without an intermediate non-POSIX group membership.
* 7599: Leading / trailing white spaces in password are disallowed
Allow leading and trailing whitespace in passwords set through IPA commands. It was already allowed via Kerberos and LDAP.
* 7676: ipa-client-install changes system wide ssh configuration
Skip the ProxyCommand wrapper in the SSH configuration when the user is configured with /sbin/nologin, so that automated tools operate as expected.
* 8528: Use separate logs for AD Trust and DNS installer
ipa-adtrust-install and ipa-dns-install commands now log their activity into separate log files.
* 8618: ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg
The ipa-cert-fix tool now handles situations where a CSR is missing from Dogtag's CA/KRA CS.cfg configuration files. The configuration file is updated with the CSR tracked by Certmonger.
* 8634: Install of CA fails on CentOS 8 Stream with pki-core 10.9
IPA will not deploy the ACME service if the Dogtag PKI version is known not to provide a complete service. Complete ACME support requires Dogtag 10.10.0 or later.
* 8635: Memory availability detection does not work with cgroupsv2 environment
Containerized environments on Linux with cgroup v2 are now recognized and supported.
* 8644: ipa-certupdate drops profile from the caSigningCert tracking
The ipa-certupdate tool now honors the CA profile specified in the certificate request it tries to update.
* 8646: permission-mod attrs, includedattrs and excludedattrs issues
Managed permission commands now properly roll back changes if a generated ACI has incorrect syntax.
* 8655: Allow to establish trust to Active Directory in FIPS mode
When IPA is deployed in FIPS mode, it is now possible to establish a trust to an Active Directory forest.
* 8659: ipa-kdb: provide correct logon time in MS-PAC from authentication time
Trust to Active Directory support was improved to be more compatible with AD DC queries: look up groups via LSA RPCs, allow user principal name lookups, and generate more complete PAC records.
=== Enhancements
=== Known Issues
=== Bug fixes
FreeIPA 4.9.1 is a stabilization release for the features delivered as a part of 4.9 version series.
There are more than 30 bug fixes since FreeIPA 4.9.1 release. Details of the bug fixes can be seen in the list of resolved tickets below.
== Upgrading
Upgrade instructions are available on the Upgrade page.
== Feedback
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...) or #freeipa channel on Freenode.
== Resolved tickets
* #3226 (rhbz#871208) [RFE] ipa sudorule-add-user should accept more types of characters
* #7599 (rhbz#1593745) Leading / trailing white spaces in password are disallowed
* #7676 (rhbz#1544379) ipa-client-install changes system wide ssh configuration
* #8501 Unify how FreeIPA gets FQDN of current host
* #8508 Nightly failure (ipa-4-8/master, enforcing mode) in ipa trust-add
* #8519 Fedora container platform is incomplete
* #8524 (rhbz#1851835) Deploy & manage the ACME service topology wide from a single system
* #8528 Use separate logs for AD Trust and DNS installer
* #8576 (rhbz#1728015) ipasam: derive parent domain for subdomains automatically
* #8584 ACME communication with dogtag REST endpoints should be using the cookie it creates
* #8589 (rhbz#1812871) Intermittent IdM Client Registration Failures
* #8596 (rhbz#1895197) improve IPA PKI subsystem detection by other means than a directory presence, use pki-server subsystem-find
* #8602 Nightly failure in test_acme.py::TestACME::test_certbot_certonly_standalone: An unexpected error occurred:
* #8614 Remove ca.crt from the system-wide store on uninstall
* #8618 (rhbz#1780782) ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg
* #8631 Nightly failure (389ds master branch) in test_commands.py::TestIPACommand::test_ipa_nis_manage_enable_incorrect_password
* #8634 (rhbz#1913089) Install of CA fails on CentOS 8 Stream with pki-core 10.9
* #8635 Memory availability detection does not work with cgroupsv2 environment
* #8644 (rhbz#1912845) ipa-certupdate drops profile from the caSigningCert tracking
* #8646 permission-mod attrs, includedattrs and excludedattrs issues
* #8650 Updated dnspython-2.1.0 causes a test failure
* #8653 Nightly test failure in test_integration/test_upgrade.py::TestUpgrade::()::test_kra_detection
* #8655 (rhbz#1860129) Allow to establish trust to Active Directory in FIPS mode
* #8656 Use client keytab for 389ds
* #8658 Value stored to 'krberr' is never read in ipa-rmkeytab.c
* #8659 ipa-kdb: provide correct logon time in MS-PAC from authentication time
* #8660 ipasam: implement PASSDB getgrnam call
* #8661 ipasam: allow search of users by user principal name (UPN)
* #8662 Nightly test failure (rawhide) in test_ipahealthcheck.py::TestIpaHealthCheckFileCheck::test_ipa_filecheck_bad_owner
* #8664 Nightly test failure (fed33, rawhide) in ipa trust-add --external=True
* #8668 (rhbz#1915471) Nightly failure in (f33+updates-testing) test_trust.py::TestTrust::test_ipa_commands_run_as_aduser
* #8670 Nightly failure (fed33) in test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_encryption
* #8674 test_ipahealthcheck divides KiB by 1000
* #8678 Nightly failure (master) in test_trust.py::TestTrust::test_establish_forest_trust_with_shared_secret
* #8682 [ipatests] TestIPACommand.test_login_wrong_password time to time fails
== Detailed changelog since 4.9.1
=== Armando Neto (1)
* ipatests: Update PR-CI definitions for ipa-4-9 https://pagure.io/freeipa/c/ccdecaa984ef6ebcc63d754e896b2229bcba3b88
=== Alexander Bokovoy (30)
* Become FreeIPA 4.9.1 https://pagure.io/freeipa/c/aa58fad8eb98b0e8e248eb76b107b5e1faac4aeb
* Force-update translation po/uk.po https://pagure.io/freeipa/c/a97967ff3b56ba3c3894a5aadffbef68961b3581
* Force-update translation po/ipa.pot https://pagure.io/freeipa/c/cb583ac18e33698f9bd950490482a722cc993a06
* Force-update translation po/hu.po https://pagure.io/freeipa/c/a1c43ac3c91ae045f402610c88141d7f3d387011
* Force-update translation po/de.po https://pagure.io/freeipa/c/6f6dd6240c91b8a4a6c9e6f1090db33ec37c7857
* Update contributors list https://pagure.io/freeipa/c/2ac8028e1f8dca4b8bc37bd4995043da647dbfb8
* baseldap: allow rejecting unknown objects instead of adding to an external attr https://pagure.io/freeipa/c/51ca38772f41d3a26a4253a732338d09a69f9647 https://pagure.io/freeipa/issue/3226
* ipatests: when talking to AD DCs, use FQDN credentials https://pagure.io/freeipa/c/64b70be65698b12927795a7a8b79ef7aada010b8 https://pagure.io/freeipa/issue/8678
* test_trust: add tests for using AD users and groups in SUDO rules https://pagure.io/freeipa/c/a7c56fde7727bfad3f885cf50e21182cdc46024e https://pagure.io/freeipa/issue/3226
* ipatests: fix test_sudorule_plugin's wrong argument use https://pagure.io/freeipa/c/f4d3c91e7f80659268e006dffa5f064b29b45c98 https://pagure.io/freeipa/issue/3226
* sudorule runAs: allow to add users and groups from trusted domains directly https://pagure.io/freeipa/c/78043bfb5e2a3b1fc0fae6d55ba605ba469ce5ae https://pagure.io/freeipa/issue/3226
* sudorule-add-user: allow to reference users and groups from trusted domains directly https://pagure.io/freeipa/c/054a068f4705cd715789ceda75fa709404d5f884 https://pagure.io/freeipa/issue/3226
* idviews: add extended validator for users from trusted domains https://pagure.io/freeipa/c/a3563d1c35fbe9e6e96199ead211ec3b4ff1d2d2 https://pagure.io/freeipa/issue/3226
* baseldap: when adding external objects, differentiate between them and failures https://pagure.io/freeipa/c/ffc2edf61efccbcbd4294fbc8a8613decea299a3 https://pagure.io/freeipa/issue/3226
* baseldap: refactor validator support in add_external_pre_callback https://pagure.io/freeipa/c/132d7fb0ed21e2e7cc69366e2141ae69e7864afb https://pagure.io/freeipa/issue/3226
* Add design document for using AD users/groups in SUDO rules https://pagure.io/freeipa/c/16b30cbe5e4f1fd8965ed27ba2ca9b4b7b295e9c https://pagure.io/freeipa/issue/3226
* use a constant instead of /var/lib/sss/keytabs https://pagure.io/freeipa/c/9f63afb4408e308c2ee972a72875525afefa5d54
* trust-fetch-domains: use custom krb5.conf overlay for all trust operations https://pagure.io/freeipa/c/c842d4b5c2404d263d56aa0c4ba33fe32b2ca61e https://pagure.io/freeipa/issue/8655, https://pagure.io/freeipa/issue/8664
* ipaserver/dcerpc: store forest topology as a blob in ipasam https://pagure.io/freeipa/c/3d706b6f57309ec394df617cecb9a73d021fc2f7 https://pagure.io/freeipa/issue/8576
* ipasam: derive parent domain for subdomains automatically https://pagure.io/freeipa/c/f103172954c259443f0c5b4ac89474e66cf3a1d6 https://pagure.io/freeipa/issue/8576
* ipasam: free trusted domain context on failure https://pagure.io/freeipa/c/e8f927db7da00d1671f871d3b2e89429aec3beb9 https://pagure.io/freeipa/issue/8576
* ipasam: allow search of users by user principal name (UPN) https://pagure.io/freeipa/c/2e8eb0f5fe82be58be88fa0d9b07ee7af69d8829 https://pagure.io/freeipa/issue/8661
* ipasam: implement PASSDB getgrnam call https://pagure.io/freeipa/c/962052a0567b6878843272b1882d0a0b3b2debd1 https://pagure.io/freeipa/issue/8660
* ipa-kdb: provide correct logon time in MS-PAC from authentication time https://pagure.io/freeipa/c/f8bf37422b7c49a4a39b4704b18158b37ee9ef80 https://pagure.io/freeipa/issue/8659
* ipaserver/dcerpc.py: enforce SMB encryption on LSA pipe if available https://pagure.io/freeipa/c/3fa07a108030265dc89921a37216a1184e1e7516 https://pagure.io/freeipa/issue/8655
* ipaserver/dcerpc.py: use Kerberos authentication for discovery https://pagure.io/freeipa/c/8ab9bf68a4d12c8763c1669d0c14b7771a3289da https://pagure.io/freeipa/issue/8655
* ipaserver/dcerpc: use Samba-provided trust helper to establish trust https://pagure.io/freeipa/c/753246f4e82af5697ee51bdc7f667959e1824be1 https://pagure.io/freeipa/issue/8655
* ipatests: fix race condition in finalizer of encrypted backup test https://pagure.io/freeipa/c/6fe573b3d953913bc94fd06c230703dac70f0e8d
* ipaplatform: add constant for systemd-run binary https://pagure.io/freeipa/c/8c7d1fbad15c5a906ffa261329dd49be048549ed
* Get back to git snapshots https://pagure.io/freeipa/c/0fd4a8936f5b41e83ffdbe00f88309e5a2e94f9f
=== Antonio Torres (2)
* Check that IPA cert is added to trust store after server install https://pagure.io/freeipa/c/2715fbd4a73115949264298858ed0835fe982164 https://pagure.io/freeipa/issue/8614
* Test that IPA certs are removed on server uninstall https://pagure.io/freeipa/c/2a86a93e560e1d9ade2f78b0cf82d93b8833eb39 https://pagure.io/freeipa/issue/8614
=== Antonio Torres Moríñigo (2)
* ipatests: test that trailing/leading whitespaces in passwords are allowed https://pagure.io/freeipa/c/3f3762ef92a809059f196e5553f1c31e9f1180e7
* Allow leading/trailing whitespaces in passwords https://pagure.io/freeipa/c/89eba7d38db2f510554b3365f9d099190ce80c51 https://pagure.io/freeipa/issue/7599
=== Christian Heimes (1)
* Add ccache sweeper files to gitignore https://pagure.io/freeipa/c/56b84973b9f02e74f2518bd58694b673f88f8d5e https://pagure.io/freeipa/issue/8589
=== François Cami (1)
* ipatests: test_ipahealthcheck: fix units https://pagure.io/freeipa/c/34add4a2e091dc7bc6031f8fc6cc80904b1bea20 https://pagure.io/freeipa/issue/8674
=== Florence Blanc-Renaud (12)
* ipatests: fix discrepancies in nightly defs https://pagure.io/freeipa/c/bb78693405aab603203e60a174b04cd3264e1855
* ipatests: fix expected output for ipahealthcheck.ipa.files https://pagure.io/freeipa/c/dc2a52abe256d2de09eafe8a07898b0cbea3404b https://pagure.io/freeipa/issue/8662
* ipatests: fix healthcheck test for ipahealthcheck.ds.encryption https://pagure.io/freeipa/c/2a207918521b474a39c1689837db146800624af8 https://pagure.io/freeipa/issue/8670
* ipatests: fix expected errmsg in TestTrust::test_ipa_commands_run_as_aduser https://pagure.io/freeipa/c/bd3bad88ee4d4535416ad5fc5f97b55a939534ef https://pagure.io/freeipa/issue/8668
* ipatest: fix test_upgrade.py::TestUpgrade::()::test_kra_detection https://pagure.io/freeipa/c/0db289695c8225cad5c17c6a5846ff0a373c3ce6 https://pagure.io/freeipa/issue/8596, https://pagure.io/freeipa/issue/8653
* selinux: modify policy to allow one-way trust https://pagure.io/freeipa/c/952b6bdcceda9f460e17075404084f1f3ddb5eaa https://pagure.io/freeipa/issue/8508
* ipatests: add test_ipa_cert_fix to the nightly definitions https://pagure.io/freeipa/c/7f2be8a45a1d4baff0074cf4d8c446e3d08db795 https://pagure.io/freeipa/issue/8618
* ipa-cert-fix: do not fail when CSR is missing from CS.cfg https://pagure.io/freeipa/c/eb711f781322657b0b3d77332f2462ecfb27db95 https://pagure.io/freeipa/issue/8618
* ipatests: add a test for ipa-cert-fix https://pagure.io/freeipa/c/f36e518b5704b02b81a4b80a1b84c429594cf5ce https://pagure.io/freeipa/issue/8618
* ipatests: clear initgroups cache in clear_sssd_cache https://pagure.io/freeipa/c/286d0680a6d4ae53b79596e545f9291791e36aa5
* ipatests: remove test_acme from gating https://pagure.io/freeipa/c/dd1b596b5711aefd87fd6ec340c3713ee5932425 https://pagure.io/freeipa/issue/8602
* ipatests: fix expected error message in test_commands https://pagure.io/freeipa/c/8bc341868f9154a625b7aae2604a7aa7b6cd0696 https://pagure.io/freeipa/issue/8631
=== JoeDrane (1)
* Update ipa_sam.c https://pagure.io/freeipa/c/b53592492879f87465774eb9a4d6c02a8ba26a5e
=== Rob Crittenden (16)
* ipatests: test the cgroup v2 memory restrictions https://pagure.io/freeipa/c/85d944cea13725511973fa00c9db6a1ebeb90efa https://pagure.io/freeipa/issue/8635
* Add support for cgroup v2 to the installer memory checker https://pagure.io/freeipa/c/1dd4501a9fe1e83964b1f008b91d20b4afe5051a https://pagure.io/freeipa/issue/8635
* ipa-rmkeytab: Check return value of krb5_kt_(start|end)_seq_get https://pagure.io/freeipa/c/7b380969241b7f28b2aa275ff1a71fdf78912580 https://pagure.io/freeipa/issue/8658
* ipa-rmkeytab: convert numeric return values to #defines https://pagure.io/freeipa/c/06ffc7aae7f37bbd03dbd145e30c13f2234ed071 https://pagure.io/freeipa/issue/8658
* ipa_pwd: Remove unnecessary conditional https://pagure.io/freeipa/c/f6cfbffc8f2e45d0e8e6057e6ead6d35e99bf48a
* ipa_kdb: Fix memory leak https://pagure.io/freeipa/c/df0c2d7e0ca8c3620093a47c9592de4f37e86608
* ipa-kdb: Fix logic to prevent NULL pointer dereference https://pagure.io/freeipa/c/93f8840ed8f484c7880534b86aaad3d1f8fb0d2e
* ipa-kdb: Change mspac base RID logic from OR to AND https://pagure.io/freeipa/c/f0de557063b6db143fd0d2ff47b08610edb39706
* Add missing break statement to password quality switch https://pagure.io/freeipa/c/ec4511ec12dfeff2cc2f3a23171089bd32c5add0
* Revert "Remove test for minimum ACME support and rely on package deps" https://pagure.io/freeipa/c/3aeb9b8e40cc526fd5c5162158b9cc5755670f66 https://pagure.io/freeipa/issue/8634
* ipatests: See if nologin supports -c before asserting message https://pagure.io/freeipa/c/ca9f8d1c9feda6fd58220f1424970dcca5b730e0 https://pagure.io/freeipa/issue/7676
* ipatests: test that modifying a permission attrs handles failure https://pagure.io/freeipa/c/bdc383a1a906f97c06b2bfa281a4b290fb4b04b3 https://pagure.io/freeipa/issue/8646
* Remove virtual attributes before rolling back a permission https://pagure.io/freeipa/c/9ae744254dd845f9a459601cb8a1468aeaad028a https://pagure.io/freeipa/issue/8646
* Remove invalid test case for DNS SRV priority https://pagure.io/freeipa/c/071b71290601d4a5f6a65adf2b55c34d3865172d https://pagure.io/freeipa/issue/8650
* ipatests: test that no errors are reported after ipa-certupdate https://pagure.io/freeipa/c/ad1764a1fff885e1c386b0a9f50517b2e0725e03 https://pagure.io/freeipa/issue/8644
* Don't change the CA profile when modifying request in ipa_certupdate https://pagure.io/freeipa/c/10ba43ad35acecdd1c4b7981db31a90cce1b9fab https://pagure.io/freeipa/issue/8644
=== Robbie Harwood (1)
* Set client keytab location for 389ds https://pagure.io/freeipa/c/df411f00a3d1db2fcb0d122a54b9e13a57e35f3f https://pagure.io/freeipa/issue/8656
=== Stanislav Levin (2)
* ipatests: Don't assume sshd flush its logs immediately https://pagure.io/freeipa/c/cbe7d2258d6c900b2e02b2373e720275d9917316 https://pagure.io/freeipa/issue/8682
* ipatests: Raise log level of 389-ds replication https://pagure.io/freeipa/c/41a9cc637b4ea8794fc17f9fc06c6cf8d3a31caa
=== Sergey Orlov (2)
* ipatests: use fully qualified name for AD admin when establishing trust https://pagure.io/freeipa/c/dc16c2484c1006bc249848383d86ef828abd921a
* ipatests: do not set dns_lookup to true https://pagure.io/freeipa/c/8d7697af269e68e051ce969ae9cc835f5ba6a3b7
=== Sudhir Menon (2)
* ipatests: Test for IPATrustControllerPrincipalCheck https://pagure.io/freeipa/c/2035ba9925ae738d2dbdd1274168cb99a2364db0
* ipatests: ipahealthcheck remove test skipped in pytest run https://pagure.io/freeipa/c/27cc011ac286db20a4cd9dbdd65d4a8fd1cb7e3a
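The 8635 highlight above only states that cgroup v2 containers are now recognized by the installer's memory detection. The following is an added illustration, not FreeIPA's own installer code: it reads MemAvailable from /proc/meminfo and caps it by the cgroup memory limit, handling both spellings of "no limit" (the literal "max" in cgroup v2 memory.max and the near-2**63 value in cgroup v1 memory.limit_in_bytes). The limit-file paths and all sample file contents are assumptions constructed for this example.

```python
"""Memory check that understands both cgroup v1 and cgroup v2 limits.

Added illustration for ticket 8635; not FreeIPA's installer code. The
limit-file paths are the usual systemd locations (assumed) and the sample
file contents below are constructed, not captured from a real host.
"""
import os
import re

# cgroup v1 has no "unlimited" keyword: an unset limit reads as a value close
# to 2**63, so anything above this threshold is treated as "no limit".
CGROUP_V1_UNLIMITED_THRESHOLD = 2 ** 60


def parse_meminfo(text):
    """Return MemAvailable from /proc/meminfo text, converted from kB to bytes."""
    for line in text.splitlines():
        m = re.match(r"^MemAvailable:\s+(\d+)\s+kB$", line.strip())
        if m:
            return int(m.group(1)) * 1024
    raise ValueError("MemAvailable not found in meminfo")


def parse_cgroup_limit(text):
    """Parse a cgroup memory limit file: v2 memory.max ("max" or a byte count)
    or v1 memory.limit_in_bytes (a byte count, huge when unset).
    Returns the limit in bytes, or None when the cgroup imposes no limit."""
    value = text.strip()
    if value == "max":  # cgroup v2 spelling of "unlimited"
        return None
    limit = int(value)
    if limit >= CGROUP_V1_UNLIMITED_THRESHOLD:  # cgroup v1 spelling of "unlimited"
        return None
    return limit


def find_cgroup_limit_file(root="/"):
    """Locate the limit file for whichever cgroup version is mounted.
    cgroup v2 (unified hierarchy) exposes memory.max directly under the mount;
    cgroup v1 keeps memory.limit_in_bytes under the memory controller.
    Paths are assumptions; returns None when neither file exists."""
    candidates = (
        os.path.join(root, "sys/fs/cgroup/memory.max"),
        os.path.join(root, "sys/fs/cgroup/memory/memory.limit_in_bytes"),
    )
    for path in candidates:
        if os.path.isfile(path):
            return path
    return None


def effective_available_memory(meminfo_text, cgroup_limit_text=None):
    """Bytes a process in this cgroup can really use: the host's MemAvailable,
    capped by the cgroup limit when one is set."""
    available = parse_meminfo(meminfo_text)
    if cgroup_limit_text is None:
        return available
    limit = parse_cgroup_limit(cgroup_limit_text)
    return available if limit is None else min(available, limit)


def check_minimum_memory(meminfo_text, cgroup_limit_text, minimum_bytes):
    """Installer-style preflight: True when enough memory is usable."""
    return effective_available_memory(meminfo_text, cgroup_limit_text) >= minimum_bytes


# Constructed samples (not real host data).
SAMPLE_MEMINFO = "MemTotal:       16323872 kB\nMemAvailable:   12000000 kB\n"
SAMPLE_V2_LIMITED = "1073741824\n"             # cgroup v2, 1 GiB container limit
SAMPLE_V2_UNLIMITED = "max\n"                  # cgroup v2, no limit
SAMPLE_V1_LIMITED = "2147483648\n"             # cgroup v1, 2 GiB limit
SAMPLE_V1_UNLIMITED = "9223372036854771712\n"  # cgroup v1, no limit

if __name__ == "__main__":
    minimum = 1280 * 1024 * 1024  # hypothetical 1.25 GiB requirement
    for name, text in [("v2 limited", SAMPLE_V2_LIMITED), ("v2 unlimited", SAMPLE_V2_UNLIMITED),
                       ("v1 limited", SAMPLE_V1_LIMITED), ("v1 unlimited", SAMPLE_V1_UNLIMITED)]:
        print(name, effective_available_memory(SAMPLE_MEMINFO, text),
              check_minimum_memory(SAMPLE_MEMINFO, text, minimum))
```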
On 27.01.21 10:11, Alexander Bokovoy via FreeIPA-users wrote:
The FreeIPA team would like to announce FreeIPA 4.9.1 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
== Highlights in 4.9.1
- 3226: [RFE] ipa sudorule-add-user should accept more types of
characters
IPA now supports users and groups from trusted Active Directory domains in SUDO rules to specify runAsUser/runAsGroup properties without an intermediate non-POSIX group membership
This means the right way to map an AD group would now be creating a POSIX group that has the AD group as its direct member?
Is an intermediate non-POSIX group still needed for HBAC?
Cheers, Ronald
On Wed, 27 Jan 2021, Ronald Wimmer via FreeIPA-users wrote:
On 27.01.21 10:11, Alexander Bokovoy via FreeIPA-users wrote:
The FreeIPA team would like to announce FreeIPA 4.9.1 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.
== Highlights in 4.9.1
- 3226: [RFE] ipa sudorule-add-user should accept more types of
characters
IPA now supports users and groups from trusted Active Directory domains in SUDO rules to specify runAsUser/runAsGroup properties without an intermediate non-POSIX group membership
This means the right way to map an AD group would now be creating a POSIX group that has the AD group as its direct member?
No. The way to include AD users/groups into POSIX groups did not change at all.
Is an intermediate non-POSIX group still needed for HBAC?
Correct.
What changed is that for SUDO rules (and SUDO rules alone) there is a way to include AD users/groups into the SUDO rules directly.
The design document explains it in more detail: https://freeipa.readthedocs.io/en/latest/designs/adtrust/sudorules-with-ad-o...
There is one bug right now in SSSD with runAsGroup handling. It will be fixed in RHEL 8.4 and CentOS 8 Stream (and Fedora next week, I've been told).
Hello Alexander,
will this version be available in Fedora 33 or only in Rawhide?
See you
Dirk
On Wed, 27 Jan 2021, Dirk Streubel via FreeIPA-users wrote:
Hello Alexander,
will this version be available in Fedora 33 or only in Rawhide?
I am planning to update Rawhide first and then F33 later this week.
On Wed, 27 Jan 2021, Alexander Bokovoy via FreeIPA-users wrote:
On Wed, 27 Jan 2021, Dirk Streubel via FreeIPA-users wrote:
Hello Alexander,
will this version be available in Fedora 33 or only in Rawhide?
I am planning to update Rawhide first and then F33 later this week.
FreeIPA 4.9.1 builds are now available in Fedora 32 and Fedora 33 updates-testing:
Fedora 33: https://bodhi.fedoraproject.org/updates/FEDORA-2021-f9332084e0 Fedora 32: https://bodhi.fedoraproject.org/updates/FEDORA-2021-5c95adf21c
Please test and express your karma in Fedora Bodhi requests.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
On Tue, Feb 2, 2021 at 12:23 PM Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
On Wed, 27 Jan 2021, Alexander Bokovoy via FreeIPA-users wrote:
On Wed, 27 Jan 2021, Dirk Streubel via FreeIPA-users wrote:
Hello Alexander,
will this version be available in Fedora 33 or only in Rawhide?
I am planning to update Rawhide first and then F33 later this week.
FreeIPA 4.9.1 builds are now available in Fedora 32 and Fedora 33 updates-testing:
Fedora 33: https://bodhi.fedoraproject.org/updates/FEDORA-2021-f9332084e0 Fedora 32: https://bodhi.fedoraproject.org/updates/FEDORA-2021-5c95adf21c
Please test and express your karma in Fedora Bodhi requests.
Tested ansible-freeipa against both (full test on F33, a few on F32) and it looks good.
Rafael
--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat