On Mon, 17 Aug 2015, Alexander Bokovoy wrote:
On Mon, 17 Aug 2015, Lukas Slebodnik wrote:
On (17/08/15 14:37), Alexander Bokovoy wrote:
On Mon, 17 Aug 2015, Ramy Allam wrote:
Hello,

I'm running ipa-server-4.1.0-18.el7.centos.4.x86_64 on a CentOS 7 machine.
And need to setup ipa-4.1.0 on a CentOS 6 machine.

CentOS 6 repo has ipa-client-3 available. Where can I find v4 for CentOS 6
please?
Nowhere. Read this thread:
https://www.redhat.com/archives/freeipa-users/2014-February/msg00255.html

The reason I need to setup ipa-clientv4 on CentOS6 is clientv3 doesn't
support OTP authentication.
Regardless of IPA version, the lack of OTP authentication will not be
fixed with a backport of IPA4. OTP authentication needs newer Kerberos
library with changed ABI so it will not appear on RHEL6/CentOS6.

Ideally you need newer SSSD which understands newer Kerberos API for
pre-auth conversations and maybe even more. This is definitely going
outside of any sensible support scope, upstream or downstream.

rhel6.7 already contains sufficient version of sssd
sssd-1.12.4-4x.el6

It just does not contain separate prompting for password and token.
https://fedorahosted.org/sssd/ticket/2335

I'm also not aware of dependency on special feature from libkrb5 on sssd side.
At least, we do not detect it at compile time.

SSSD is not a blocker for rhel6 client with ipa-server-4.1.
See krb5_responder_otp_*(); the API is available in MIT Kerberos
1.11+. CentOS 6 has 1.10.3 at most, it doesn't have the API needed for OTP
conversations, and I don't see it backported in 1.10.3-42.el6 either.

I wonder how src/providers/krb5/krb5_child.c is compiled with the
absence of these functions?
We cleared this with Lukas -- the code has conditional checks for
HAVE_KRB5_GET_INIT_CREDS_OPT_SET_RESPONDER which allow it being compiled
against older libkrb5 at the cost of not supporting OTP conversations.

Rebuilding newer libkrb5 for RHEL6 is something that would be left for those
who want to support it.
--
/ Alexander Bokovoy
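
An added example, not part of the original thread and not SSSD's own code: a runtime probe of whether the libkrb5 installed on a client exports the responder/OTP functions discussed above. The helper names (`probe_symbols`, `load_libkrb5`, `otp_capable`, `RESPONDER_API`) are hypothetical, and the `libkrb5.so.3` fallback soname is an assumption about the host.

```python
import ctypes
import ctypes.util

# MIT Kerberos responder API functions (available in 1.11+), which an
# OTP pre-auth conversation depends on.
RESPONDER_API = (
    "krb5_get_init_creds_opt_set_responder",
    "krb5_responder_otp_get_challenge",
    "krb5_responder_otp_set_answer",
    "krb5_responder_otp_challenge_free",
)


def probe_symbols(lib, names):
    """Return {name: bool} saying whether each symbol is exported by lib."""
    # ctypes resolves a symbol lazily on attribute access (dlsym);
    # hasattr() turns the resulting AttributeError into False.
    return {name: hasattr(lib, name) for name in names}


def load_libkrb5():
    """Load the system libkrb5, or return None if it cannot be loaded."""
    # Assumption: fall back to the usual Linux soname if lookup fails.
    path = ctypes.util.find_library("krb5") or "libkrb5.so.3"
    try:
        return ctypes.CDLL(path)
    except OSError:
        return None


def otp_capable(lib):
    """True only if every responder/OTP symbol is present in lib."""
    return lib is not None and all(probe_symbols(lib, RESPONDER_API).values())


if __name__ == "__main__":
    lib = load_libkrb5()
    if lib is None:
        print("libkrb5 not found")
    else:
        for name, present in probe_symbols(lib, RESPONDER_API).items():
            print(f"{'present' if present else 'MISSING'}  {name}")
        print("OTP conversations possible:", otp_capable(lib))
```

A client whose libkrb5 lacks these symbols can still run an SSSD built without `HAVE_KRB5_GET_INIT_CREDS_OPT_SET_RESPONDER`, but that build cannot carry out OTP conversations.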
