[Freeipa-users] ipa v4 on CentOS6

Alexander Bokovoy abokovoy at redhat.com
Mon Aug 17 12:59:49 UTC 2015


On Mon, 17 Aug 2015, Alexander Bokovoy wrote:
>On Mon, 17 Aug 2015, Lukas Slebodnik wrote:
>>On (17/08/15 14:37), Alexander Bokovoy wrote:
>>>On Mon, 17 Aug 2015, Ramy Allam wrote:
>>>>Hello,
>>>>
>>>>I'm running ipa-server-4.1.0-18.el7.centos.4.x86_64 on a CentOS 7 machine.
>>>>And need to setup ipa-4.1.0 on a CentOS 6 machine.
>>>>
>>>>CentOS 6 repo has ipa-client-3 available. Where can I find v4 for CentOS 6
>>>>please?
>>>Nowhere. Read this thread:
>>>https://www.redhat.com/archives/freeipa-users/2014-February/msg00255.html
>>>
>>>>The reason I need to setup ipa-clientv4 on CentOS6 is clientv3 doesn't
>>>>support OTP authentication.
>>>Regardless of IPA version, the lack of OTP authentication will not be
>>>fixed with a backport of IPA4. OTP authentication needs newer Kerberos
>>>library with changed ABI so it will not appear on RHEL6/CentOS6.
>>>
>>>Ideally you need newer SSSD which understands newer Kerberos API for
>>>pre-auth conversations and maybe even more. This is definitely going
>>>outside of any sensible support scope, upstream or downstream.
>>>
>>rhel6.7 already contains sufficient version of sssd
>>sssd-1.12.4-4x.el6
>>
>>It just does not contain separate prompting for password and token.
>>https://fedorahosted.org/sssd/ticket/2335
>>
>>I'm also not aware of dependency on special feature from libkrb5 on sssd side.
>>At least, we do not detect it at compile time.
>>
>>SSSD is not a blocker for rhel6 client with ipa-server-4.1.
>See krb5_responder_otp_*(), the API is available in MIT Kerberos
>1.11+. CentOS 6 has 1.10.3 at most, it doesn't have the API needed for OTP
>conversations, I don't see it backported in 1.10.3-42.el6 either.
>
>I wonder how src/providers/krb5/krb5_child.c is compiled with the
>absence of these functions?
We cleared this with Lukas -- the code has conditional checks for
HAVE_KRB5_GET_INIT_CREDS_OPT_SET_RESPONDER which allow it to be compiled
against older libkrb5 at the cost of not supporting OTP conversations.

Rebuilding newer libkrb5 for RHEL6 is something that would be left for those
who want to support it.
-- 
/ Alexander Bokovoy
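
The compile-time guard discussed in this thread, sketched as an added example (not SSSD's krb5_child.c and not code from any poster). The names otp_secret, otp_responder, enable_otp, otp_preauth_available and auth_mode are hypothetical; only the krb5_* calls and the HAVE_ macro come from libkrb5 and the thread. Built without the macro defined, as against libkrb5 1.10.x, it takes the password-only path.

```c
#include <stdio.h>

/* Set by the build system (e.g. a configure-time function check) only when
 * libkrb5 exports krb5_get_init_creds_opt_set_responder(), i.e. MIT krb5 1.11+. */
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_RESPONDER
#include <krb5.h>

struct otp_secret { const char *token; };  /* hypothetical holder for the token value */

/* Responder callback: answer the OTP question if the KDC asked one. */
static krb5_error_code otp_responder(krb5_context ctx, void *data,
                                     krb5_responder_context rctx)
{
    struct otp_secret *s = data;
    krb5_responder_otp_challenge *chl = NULL;
    krb5_error_code ret = krb5_responder_otp_get_challenge(ctx, rctx, &chl);

    if (ret != 0 || chl == NULL)
        return ret;                 /* error, or no OTP question pending */
    /* Answer with the first offered tokeninfo and no separate PIN. */
    ret = krb5_responder_otp_set_answer(ctx, rctx, 0, s->token, NULL);
    krb5_responder_otp_challenge_free(ctx, rctx, chl);
    return ret;
}

int otp_preauth_available(void) { return 1; }

/* Register the responder on the options later passed to
 * krb5_get_init_creds_password(). */
krb5_error_code enable_otp(krb5_context ctx, krb5_get_init_creds_opt *opt,
                           struct otp_secret *s)
{
    return krb5_get_init_creds_opt_set_responder(ctx, opt, otp_responder, s);
}
#else
/* Older libkrb5: no responder API, so the binary still builds and runs
 * but can only do password pre-authentication. */
int otp_preauth_available(void) { return 0; }
#endif

const char *auth_mode(void)
{
    return otp_preauth_available() ? "password+otp" : "password-only";
}

int main(void)
{
    printf("OTP conversations: %s\n", auth_mode());
    return 0;
}
```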



