[Freeipa-users] ipa v4 on CentOS6

Alexander Bokovoy abokovoy at redhat.com
Mon Aug 17 12:33:25 UTC 2015


On Mon, 17 Aug 2015, Lukas Slebodnik wrote:
>On (17/08/15 14:37), Alexander Bokovoy wrote:
>>On Mon, 17 Aug 2015, Ramy Allam wrote:
>>>Hello,
>>>
>>>I'm running ipa-server-4.1.0-18.el7.centos.4.x86_64 on a CentOS 7 machine.
>>>And need to set up ipa-4.1.0 on a CentOS 6 machine.
>>>
>>>CentOS 6 repo has ipa-client-3 available. Where can I find v4 for CentOS 6
>>>please?
>>Nowhere. Read this thread:
>>https://www.redhat.com/archives/freeipa-users/2014-February/msg00255.html
>>
>>>The reason I need to set up ipa-client v4 on CentOS 6 is client v3 doesn't
>>>support OTP authentication.
>>Regardless of IPA version, the lack of OTP authentication will not be
>>fixed with a backport of IPA4. OTP authentication needs a newer Kerberos
>>library with changed ABI so it will not appear on RHEL6/CentOS6.
>>
>>Ideally you need a newer SSSD which understands the newer Kerberos API for
>>pre-auth conversations and maybe even more. This is definitely going
>>outside of any sensible support scope, upstream or downstream.
>>
>rhel6.7 already contains a sufficient version of sssd
>sssd-1.12.4-4x.el6
>
>It just does not contain separate prompting for password and token.
>https://fedorahosted.org/sssd/ticket/2335
>
>I'm also not aware of a dependency on a special feature from libkrb5 on the sssd side.
>At least, we do not detect it at compile time.
>
>SSSD is not a blocker for rhel6 client with ipa-server-4.1.
See krb5_responder_otp_*(): the API is available in MIT Kerberos
1.11+. CentOS 6 has 1.10.3 at most; it doesn't have the API needed for OTP
conversations, and I don't see it backported in 1.10.3-42.el6 either.

I wonder how src/providers/krb5/krb5_child.c is compiled with the
absence of these functions?

-- 
/ Alexander Bokovoy
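
An added example, not part of the original message and not SSSD or MIT Kerberos code: one way to check whether a given libkrb5 exports the krb5_responder_otp_*() functions discussed above. The three full function names are the ones declared in MIT krb5's krb5.h; the `nm` listings are constructed samples and the helper names are hypothetical.

```python
import ctypes
import ctypes.util

# Expansion of krb5_responder_otp_*() as declared in MIT krb5's krb5.h.
OTP_SYMBOLS = (
    "krb5_responder_otp_get_challenge",
    "krb5_responder_otp_set_answer",
    "krb5_responder_otp_challenge_free",
)
# Constructed `nm -D --defined-only` output, not captured from a real host.
OLD_NM = """\
0000000000021a30 T krb5_init_context
0000000000034f10 T krb5_get_init_creds_password
"""
NEW_NM = OLD_NM + """\
000000000004c2a0 T krb5_responder_otp_get_challenge@@krb5_3_MIT
000000000004c3b0 T krb5_responder_otp_set_answer@@krb5_3_MIT
000000000004c410 T krb5_responder_otp_challenge_free@@krb5_3_MIT
"""

def dynsym_names(nm_output):
    """Names of defined code symbols in `nm -D --defined-only` output."""
    names = set()
    for line in nm_output.splitlines():
        parts = line.split()
        # Expected shape: <address> <type> <name>[@@<version>]
        if len(parts) == 3 and parts[1] in ("T", "W"):
            names.add(parts[2].split("@")[0])
    return names

def missing_from(exported):
    """OTP responder symbols that are absent from a set of exported names."""
    return [s for s in OTP_SYMBOLS if s not in exported]

def probe_live(libname="krb5"):
    """Missing symbols in the libkrb5 the loader finds, or None if no library."""
    path = ctypes.util.find_library(libname)
    if path is None:
        return None
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return None
    # CDLL attribute lookup calls dlsym(); AttributeError means not exported.
    return [s for s in OTP_SYMBOLS if not hasattr(lib, s)]

if __name__ == "__main__":
    print("old sample missing:", missing_from(dynsym_names(OLD_NM)))
    print("new sample missing:", missing_from(dynsym_names(NEW_NM)))
    print("this host missing: ", probe_live())
```

An empty list from `probe_live()` means the library on that host exports all three functions; it says nothing about whether SSSD on that host was built to use them.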



