For testing purposes, I'd like to enroll my already IPA-enrolled client to another IPA server, with a different domain. My goal is to then use Kerberos authentication in applications to use the second realm and PAM authentication in applications to go to the second domain in sssd while leaving the first realm/domain solely for OS-level authentication.

I was able to copy and tweak /etc/sssd/sssd.conf, add a realm to /etc/krb5.conf, but I'm not sure where my second keytab is supposed to go. Reading

    http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/enrolling-machines.html

suggests having the keytab from the IPA server is essential ... but where do I specify its location?

Ideally I'd like to just run ipa-client-install with proper parameters but I always get

    IPA client is already configured on this system.

While that is technically correct, it does not move me forward enrolling the system to another IPA server.

Does anyone have example steps that need to be done to have my system enrolled to two IPA servers?

Thank you,

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat