On Mon, 17 Aug 2015, Lukas Slebodnik wrote:
On (17/08/15 14:37), Alexander Bokovoy wrote:
On Mon, 17 Aug 2015, Ramy Allam wrote:
Hello,

I'm running ipa-server-4.1.0-18.el7.centos.4.x86_64 on a CentOS 7 machine.
And need to setup ipa-4.1.0 on a CentOS 6 machine.

CentOS 6 repo has ipa-client-3 available. Where can I find v4 for CentOS 6
please?
Nowhere. Read this thread:
https://www.redhat.com/archives/freeipa-users/2014-February/msg00255.html

The reason I need to setup ipa-clientv4 on CentOS6 is clientv3 doesn't
support OTP authentication.
Regardless of IPA version, the lack of OTP authentication will not be
fixed with a backport of IPA4. OTP authentication needs newer Kerberos
library with changed ABI so it will not appear on RHEL6/CentOS6.

Ideally you need newer SSSD which understands newer Kerberos API for
pre-auth conversations and maybe even more. This is definitely going
outside of any sensible support scope, upstream or downstream.

rhel6.7 already contains a sufficient version of sssd
sssd-1.12.4-4x.el6

It just does not contain separate prompting for password and token.
https://fedorahosted.org/sssd/ticket/2335

I'm also not aware of dependency on special feature from libkrb5 on sssd side.
At least, we do not detect it at compile time.

SSSD is not a blocker for rhel6 client with ipa-server-4.1.
See krb5_responder_otp_*(), the API is available in MIT Kerberos
1.11+. CentOS 6 has 1.10.3 at most, it doesn't have the API needed for OTP
conversations, I don't see it backported in 1.10.3-42.el6 either.

I wonder how src/providers/krb5/krb5_child.c is compiled with the
absence of these functions?

--
/ Alexander Bokovoy
