On Tue, 07 Jan 2014, Jan Pazdziora wrote:

For testing purposes, I'd like to enroll my already IPA-enrolled
client to another IPA server, with different domain. My goal is to
then use Kerberos authencation in applications to use the second
realm and PAM authentication in applications to go to the second
domain in sssd while leaving the first realm/domain solely for OS-level

I was able to copy and tweak /etc/sssd/sssd.conf, add a realm to
/etc/krb5.conf, but I'm not sure where my second keytab is supposed
to go. Reading


suggests having the keytab from the IPA server is essential ... but
where do I specify its location?

Ideally I'd like to just run ipa-client-install with proper parameters
but I always get

        IPA client is already configured on this system.

While that is technically correct, it does not move me forward
enrolling the system to another IPA server.

Does anyone have example steps that need to be done to have my system
enrolled to two IPA servers?
The problem here is that you would have the same host name assigned to
two different realms which means there would be a single principal but
two different keys associated with it from different realms. A single
keytab could contain only principals from the single realm.

Thus, you need to use different keytabs and make sure that access to
a non-default KDC is always using non-default keytab.

You'd also need to fetch IPA2's CA certificate and trust it. Here might
be a problem since it will have the same nickname, 'IPA CA' and thus
cannot be placed in the same /etc/pki/nssdb database. You can, however,
put the cert file in a separate file somewhere, for example,

Now, suppose you have a non-default keytab set at /etc/krb5.keytab.IPA2.

# kinit admin@IPA2
# ipa-getkeytab -s ipaserver.example.com  -p  host/foo.example.com  -k 

would fetch the host keytab there.

Then SSSD would need to be configured to use a different location for
the keytab for this realm and a different TLS cert.

krb5_keytab = /etc/krb5.keytab.IPA2
ldap_tls_cacert = /etc/ipa/ipa2-ca.crt

So, off my head (not tested):
1. Set up krb5.conf to have realm and domain_realm mappings for the
second realm. You can only have one of the realms as default one.
2. Set up sssd.conf to have a second domain which points krb5_keytab to
a different keytab, /etc/krb5.keytab.IPA2, and a different TLS CA
3. kinit as a principal from the second realm
4. Use ipa-getkeytab to fetch the keytab to /etc/krb5.keytab.IPA2

Finally, for LDAP operations you can't have profiles in ldap.conf, so
defaults will only point to the original one. You can create another one
in /etc/openldap and then use LDAPCONF environmental variable to point
to the second config file for the defaults.

/ Alexander Bokovoy

Freeipa-users mailing list

Reply via email to