On Mon, 2014-07-21 at 16:39 +0200, Petr Vobornik wrote:
> On 14.7.2014 21:01, Nathaniel McCallum wrote:
> > The preexisting code would execute two steps. First, it would perform a
> > kinit. If the kinit failed, it would attempt to bind using the same
> > credentials to determine if the password were expired. While this method
> > is fairly ugly, it mostly worked in the past.
> >
> > However, with OTP this breaks. This is because the OTP code is consumed
> > by the kinit step. But because the password is expired, the kinit step
> > fails. When the bind is executed, the OTP token is already consumed, so
> > bind fails. This causes all password expirations to be reported as
> > invalid credentials.
> >
> > After discussion with MIT, the best way to handle this case with the
> > standard tools is to set LC_ALL=C and check the output from the command.
> > This eliminates the bind step altogether. The end result is that OTP
> > works and all password failures are more performant.
> >
> > https://fedorahosted.org/freeipa/ticket/4412
> >
> >
> 
> ACK
> 
> Pushed to:
> master: e4771302812388cc7f9773ce48d0bc3b34855248
> ipa-4-1: e4771302812388cc7f9773ce48d0bc3b34855248
> ipa-4-0: e4771302812388cc7f9773ce48d0bc3b34855248
> 
> Initially, when testing, I got preauthentication error because I had old 
> version of krb5: 1.11.5-4 instead of 1.11.5-5.
> 
> Should we add version dependency >= 1.11.5-5 to spec file?

I would guess: yes.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to