On Mon, Jul 14, 2014 at 3:02 PM, Jitse Klomp <jitseklomp at gmail.com> wrote:
> RH will *not* do a backport of 3.3 to RHEL 6.x.
>
> Alexander Bokovoy (from Red Hat) on the freeipa-users list (Feb. 17):
> "RHEL 6.x lacks many of the dependencies required for IPA 3.3. Newer
> MIT Kerberos (with API and ABI change for KDC database driver and many
> other changes required for trusts and two-factor authentication), newer
> Dogtag which relies on several dozens of Java packages and newer tomcat,
> systemd (we use socket activation and tmpfiles.d a lot), newer SSSD.
> Kerberos ccache stored in the kernel space (KEYRING ccache type)
> requires changes at kernel level which are also needed for kerberized
> NFSv4 for trusts as AD users have large Kerberos tickets when they are
> members of many groups and so on."
>

Thanks for the info. We'll stick with 6.5 / 3.0 for now and hope the upgrade path is not strenuous. From first glances, it seems the manual part is going from 3.1 to something above, with the Dogtag change. Hopefully that's the only laborious part.