On Mon, 2014-07-21 at 16:39 +0200, Petr Vobornik wrote: > On 14.7.2014 21:01, Nathaniel McCallum wrote: > > The preexisting code would execute two steps. First, it would perform a > > kinit. If the kinit failed, it would attempt to bind using the same > > credentials to determine if the password were expired. While this method > > is fairly ugly, it mostly worked in the past. > > > > However, with OTP this breaks. This is because the OTP code is consumed > > by the kinit step. But because the password is expired, the kinit step > > fails. When the bind is executed, the OTP token is already consumed, so > > bind fails. This causes all password expirations to be reported as > > invalid credentials. > > > > After discussion with MIT, the best way to handle this case with the > > standard tools is to set LC_ALL=C and check the output from the command. > > This eliminates the bind step altogether. The end result is that OTP > > works and all password failures are more performant. > > > > https://fedorahosted.org/freeipa/ticket/4412 > > > > > > ACK > > Pushed to: > master: e4771302812388cc7f9773ce48d0bc3b34855248 > ipa-4-1: e4771302812388cc7f9773ce48d0bc3b34855248 > ipa-4-0: e4771302812388cc7f9773ce48d0bc3b34855248 > > Initially, when testing, I got preauthentication error because I had old > version of krb5: 1.11.5-4 instead of 1.11.5-5. > > Should we add version dependency >= 1.11.5-5 to spec file?
I would guess: yes. _______________________________________________ Freeipa-devel mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-devel