Name: ipa-client
Version: 4.4.0
Release: 12.0.1.el7
Architecture: x86_64
Group: System Environment/Base
Size: 367175
License: GPLv3+
RPM: ipa-client-4.4.0-12.0.1.el7.x86_64.rpm
Source RPM: ipa-4.4.0-12.0.1.el7.src.rpm
Build Date: Fri Nov 04 2016
Build Host: x86-ol7-builder-01.us.oracle.com
Vendor: Oracle America
URL: http://www.freeipa.org/
Summary: IPA authentication for use on clients
Description: IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization
(host access control, SELinux user roles, services). The solution provides
features for further integration with Linux based clients (SUDO, automount)
and integration with Active Directory based infrastructures (Trusts).
If your network uses IPA for authentication, this package should be
installed on every client machine.
-
Thu Nov 03 2016 EL Errata <el-errata_ww@oracle.com> - 4.4.0-12.0.1
- Blank out header-logo.png product-name.png
Replace login-screen-logo.png [20362818]
-
Fri Sep 16 2016 Petr Vobornik <pvoborni@redhat.com> - 4.4.0-12
- Resolves: #1373910 IPA server upgrade fails with DNS timed out errors.
- Resolves: #1375269 ipa trust-fetch-domains throws internal error
-
Tue Sep 13 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-11
- Resolves: #1373359 ipa-certupdate fails with "CA is not configured"
- Fix regression introduced in ipa-certupdate
-
Wed Sep 07 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-10
- Resolves: #1355753 adding two way non transitive(external) trust displays
internal error on the console
- Always fetch forest info from root DCs when establishing two-way trust
- factor out `populate_remote_domain` method into module-level function
- Always fetch forest info from root DCs when establishing one-way trust
- Resolves: #1356101 Lightweight sub-CA certs are not tracked by certmonger
after `ipa-replica-install`
- Track lightweight CAs on replica installation
- Resolves: #1357488 ipa command stuck forever on higher versioned client with
lower versioned server
- compat: Save server's API version in for pre-schema servers
- compat: Fix ping command call
- schema cache: Store and check info for pre-schema servers
- Resolves: #1363905 man page for ipa-replica-manage has a typo in -c flag
- Fix man page ipa-replica-manage: remove duplicate -c option
from --no-lookup
- Resolves: #1367865 webui: cert_revoke should use --cacn to set correct CA
when revoking certificate
- cert: include CA name in cert command output
- WebUI add support for sub-CAs while revoking certificates
- Resolves: #1368424 Unable to view certificates issued by Sub CA in Web UI
- Add support for additional options taken from table facet
- WebUI: Fix showing certificates issued by sub-CA
- Resolves: #1368557 dnsrecord-add does not prompt for missing record parts
interactively
- dns: normalize record type read interactively in dnsrecord_add
- dns: prompt for missing record parts in CLI
- dns: fix crash in interactive mode against old servers
- Resolves: #1370519 Certificate revocation in service-del and host-del isn't
aware of Sub CAs
- cert: fix cert-find --certificate when the cert is not in LDAP
- Make host/service cert revocation aware of lightweight CAs
- Resolves: #1371901 Use OAEP padding with custodia
- Use RSA-OAEP instead of RSA PKCS#1 v1.5
- Resolves: #1371915 When establishing external two-way trust, forest root
Administrator account is used to fetch domain info
- do not use trusted forest name to construct domain admin principal
- Resolves: #1372597 Incorrect CA ACL evaluation of SAN DNS names in
certificate request
- Fix CA ACL Check on SubjectAltNames
- Resolves: #1373272 CLI always sends default command version
- cli: use full name when executing a command
- Resolves: #1373359 ipa-certupdate fails with "CA is not configured"
- Fix ipa-certupdate for CA-less installation
- Resolves: #1373540 client-install with IPv6 address fails on link-local
address (always)
- Fix parse errors with link-local addresses
-
Fri Sep 02 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-9
- Resolves: #1081561 CA not start during ipa server install in pure IPv6 env
- Fix ipa-server-install in pure IPv6 environment
- Resolves: #1318169 Tree-root domains in a trusted AD forest aren't marked as
reachable via the forest root
- trust: make sure ID range is created for the child domain even if it exists
- ipa-kdb: simplify trusted domain parent search
- Resolves: #1335567 Update Warning in IdM Web UI API browser
- WebUI: add API browser is tech preview warning
- Resolves: #1348560 Multiple domain Active Directory Trust conflict
- ipaserver/dcerpc: reformat to make the code closer to pep8
- trust: automatically resolve DNS trust conflicts for triangle trusts
- Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in
certificate revocation
- cert-revoke: fix permission check bypass (CVE-2016-5404)
- Resolves: #1353936 custodia.conf and server.keys file is world-readable.
- Remove Custodia server keys from LDAP
- Secure permissions of Custodia server.keys
- Resolves: #1358752 ipa-ca-install fails on replica when IPA server is
converted from CA-less to CA-full
- custodia: include known CA certs in the PKCS#12 file for Dogtag
- custodia: force reconnect before retrieving CA certs from LDAP
- Resolves: #1362333 ipa vault container owner cannot add vault
- Fix: container owner should be able to add vault
- Resolves: #1365546 External trust with root domain is transitive
- trust: make sure external trust topology is correctly rendered
- Resolves: #1365572 IPA server broken after upgrade
- Require pki-core-10.3.3-7
- Resolves: #1367864 Server assumes latest version of command instead of
version 1 for old / 3rd party clients
- rpcserver: assume version 1 for unversioned command calls
- rpcserver: fix crash in XML-RPC system commands
- Resolves: #1367773 thin client ignores locale change
- schema cache: Fallback to 'en_us' when locale is not available
- Resolves: #1368754 ipa server uninstall fails with Python "Global Name error"
- Fail on topology disconnect/last role removal
- Resolves: #1368981 ipa otptoken-add --type=hotp --key creates wrong OTP
- otptoken, permission: Convert custom type parameters on server
- Resolves: #1369414 ipa server-del fails with Python stack trace
- Handled empty hostname in server-del command
- Resolves: #1369761 ipa-server must depend on a version of httpd that supports
mod_proxy with UDS
- Require httpd 2.4.6-31 with mod_proxy Unix socket support
- Resolves: #1370512 Received ACIError instead of DuplicatedError in
stageuser_tests
- Raise DuplicatedEnrty error when user exists in delete_container
- Resolves: #1371479 cert-find --all does not show information about revocation
- cert: add missing param values to cert-find output
- Renamed patch 1011 to 0100, as it was merged upstream
-
Wed Aug 17 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-8
- Resolves: #1298288 [RFE] Improve performance in large environments.
- cert: speed up cert-find
- Resolves: #1317379 [EXPERIMENTAL][RFE] Web UI: allow Smart Card
authentication
- service: add flag to allow S4U2Self
- Add 'trusted to auth as user' checkbox
- Added new authentication method
- Resolves: #1353881 ipa-replica-install suggests about
non-existent --force-ntpd option
- Don't show --force-ntpd option in replica install
- Resolves: #1354441 DNS forwarder check is too strict: unable to add
sub-domain to already-broken domain
- DNS: allow to add forward zone to already broken sub-domain
- Resolves: #1356146 performance regression in CLI help
- schema: Speed up schema cache
- frontend: Change doc, summary, topic and NO_CLI to class properties
- schema: Introduce schema cache format
- schema: Generate bits for help load them on request
- help: Do not create instances to get information about commands and topics
- schema cache: Do not reset ServerInfo dirty flag
- schema cache: Do not read fingerprint and format from cache
- Access data for help separately
- frontend: Add summary class property to CommandOverride
- schema cache: Read server info only once
- schema cache: Store API schema cache in memory
- client: Do not create instance just to check isinstance
- schema cache: Read schema instead of rewriting it when SchemaUpToDate
- Resolves: #1360769 ipa-server-certinstall couldn't unlock private key file
- server install: do not prompt for cert file PIN repeatedly
- Resolves: #1364113 ipa-password: ipa: ERROR: RuntimeError: Unable to create
cache directory: [Errno 13] Permission denied: '/home/test_user'
- schema: Speed up schema cache
- Resolves: #1366604 `cert-find` crashes on invalid certificate data
- cert: do not crash on invalid data in cert-find
- Resolves: #1366612 Middle replica uninstallation in line topology works
without '--ignore-topology-disconnect'
- Fail on topology disconnect/last role removal
- Resolves: #1366626 caacl-add-service: incorrect error message when service
does not exist
- Fix ipa-caalc-add-service error message
- Resolves: #1367022 The ipa-server-upgrade command failed when named-pkcs11
does not happen to run during dnf upgrade
- DNS server upgrade: do not fail when DNS server did not respond
- Resolves: #1367759 [RFE] [webui] warn admin if there is only one IPA server
with CA
- Add warning about only one existing CA server
- Set servers list as default facet in topology facet group
- Resolves: #1367773 thin client ignores locale change
- schema check: Check current client language against cached one
-
Wed Aug 10 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-7
- Resolves: #1361119 UPN-based search for AD users does not match an entry in
slapi-nis map cache
- support multiple uid values in schema compatibility tree
-
Wed Aug 10 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-6
- Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6
- Revert "spec: add conflict with bind-chroot to freeipa-server-dns"
- Resolves: #1341249 Subsequent external CA installation fails
- install: fix external CA cert validation
- Resolves: #1353831 ipa-server-install fails in container because of
hostnamectl set-hostname
- server-install: Fix --hostname option to always override api.env values
- install: Call hostnamectl set-hostname only if --hostname option is used
- Resolves: #1356091 ipa-cacert-manage --help and man differ
- Improvements for the ipa-cacert-manage man and help
- Resolves: #1360631 ipa-backup is not keeping the
/etc/tmpfiles.d/dirsrv-<instance>.conf
- ipa-backup: backup /etc/tmpfiles.d/dirsrv-<instance>.conf
- Resolves: #1361047 ipa-replica-install --help usage line suggests the replica
file is needed
- Update ipa-replica-install documentation
- Resolves: #1361545 ipa-client-install starts rhel-domainname.service but does
not rpm-require it
- client: RPM require initscripts to get *-domainname.service
- Resolves: #1364197 caacl: error when instantiating rules with service
principals
- caacl: fix regression in rule instantiation
- Resolves: #1364310 ipa otptoken-add bytes object has no attribute confirm
- parameters: move the `confirm` kwarg to Param
- Resolves: #1364464 Topology graph: ca and domain adders shows question marks
instead of plus icon
- Fix unicode characters in ca and domain adders
- Resolves: #1365083 Incomplete output returned for command ipa vault-add
- client: add missing output params to client-side commands
- Resolves: #1365526 build fails during "make check"
- ipa-kdb: Fix unit test after packaging changes in krb5
-
Fri Aug 05 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-5
- Resolves: #1353829 traceback message seen in ipaserver-uninstall.log file.
- Do not initialize API in ipa-client-automount uninstall
- Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin
client changes
- idrange: fix unassigned global variable
- Resolves: #1360792 Migrating users doesn't update krbCanonicalName
- re-set canonical principal name on migrated users
- Resolves: #1362012 ipa hbactest produces error about cannot concatenate 'str'
and 'bool' objects
- Fix ipa hbactest output
- Resolves: #1362260 ipa vault-mod no longer allows defining salt
- vault: add missing salt option to vault_mod
- Resolves: #1362312 ipa vault-retrieve internal error when using the wrong
public key
- vault: Catch correct exception in decrypt
- Resolves: #1362537 ipa-server-install fails to create symlink from
/etc/ipa/kdcproxy/ to /etc/httpd/conf.d/
- Correct path to HTTPD's systemd service directory
- Resolves: #1363756 Increase length of passwords generated by installer
- Increase default length of auto generated passwords
-
Fri Jul 29 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-4
- Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos
aliases)
- harden the check for trust namespace overlap in new principals
- Resolves: #1351142 CLI is not using session cookies for communication with
IPA API
- Fix session cookies
- Resolves: #1353888 Fix the help for ipa otp and other topics
- help: Add dnsserver commands to help topic 'dns'
- Resolves: #1354406 host-del updatedns options complains about missing ptr
record for host
- Host-del: fix behavior of --updatedns and PTR records
- Resolves: #1355718 ipa-replica-manage man page example output differs actual
command output
- Minor fix in ipa-replica-manage MAN page
- Resolves: #1358229 Traceback message should be fixed, seen while editing
winsync migrated user information in Default trust view.
- baseldap: Fix MidairCollision instantiation during entry modification
- Resolves: #1358849 CA replica install logs to wrong log file
- unite log file name of ipa-ca-install
- Resolves: #1359130 ipa-server-install command fails to install IPA server.
- DNS Locations: fix update-system-records unpacking error
- Resolves: #1359237 AVC on dirsrv config caused by IPA installer
- Use copy when replacing files to keep SELinux context
- Resolves: #1359692 ipa-client-install join fail with traceback against
RHEL-6.8 ipa-server
- compat: fix ping call
- Resolves: #1359738 ipa-replica-install --domain=<IPA primary domain> option
does not work
- replica-install: Fix --domain
- Resolves: #1360778 Vault commands are available in CLI even when the server
does not support them
- Revert "Enable vault-* commands on client"
- client: fix hiding of commands which lack server support
- Related: #1281704 Rebase to softhsm 2.1.0
- Remove the workaround for softhsm bug #1293340
- Related: #1298288 [RFE] Improve performance in large environments.
- Create indexes for krbCanonicalName attribute