For testing purposes, I'd like to enroll my already IPA-enrolled
client to another IPA server, with different domain. My goal is to
then use Kerberos authencation in applications to use the second
realm and PAM authentication in applications to go to the second
domain in sssd while leaving the first realm/domain solely for OS-level

I was able to copy and tweak /etc/sssd/sssd.conf, add a realm to
/etc/krb5.conf, but I'm not sure where my second keytab is supposed
to go. Reading

suggests having the keytab from the IPA server is essential ... but
where do I specify its location?

Ideally I'd like to just run ipa-client-install with proper parameters
but I always get

        IPA client is already configured on this system.

While that is technically correct, it does not move me forward
enrolling the system to another IPA server.

Does anyone have example steps that need to be done to have my system
enrolled to two IPA servers?

Thank you,

Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat

Freeipa-users mailing list

Reply via email to