For testing purposes, I'd like to enroll my already IPA-enrolled
client to another IPA server, with different domain. My goal is to
then use Kerberos authencation in applications to use the second
realm and PAM authentication in applications to go to the second
domain in sssd while leaving the first realm/domain solely for OS-level
I was able to copy and tweak /etc/sssd/sssd.conf, add a realm to
/etc/krb5.conf, but I'm not sure where my second keytab is supposed
to go. Reading
suggests having the keytab from the IPA server is essential ... but
where do I specify its location?
Ideally I'd like to just run ipa-client-install with proper parameters
but I always get
IPA client is already configured on this system.
While that is technically correct, it does not move me forward
enrolling the system to another IPA server.
Does anyone have example steps that need to be done to have my system
enrolled to two IPA servers?
Principal Software Engineer, Identity Management Engineering, Red Hat
Freeipa-users mailing list