On 21.7.2016 22:05, Diogenes S. Jesus wrote: > Hi everyone. > > I'm currently planning on deploying FreeIPA as the Master KDC (among other > things to leverage from the API and some other built-in features - like > replicas). > However I find (correct if I'm wrong) FreeIPA not very modular - therefore > I would like to know what's the strategy when deploying slave KDCs. > > I've seen this thread > <https://www.redhat.com/archives/freeipa-users/2013-September/msg00319.html> > but I > don't really want to have a replica - the idea was to deploy a separate box > only running KDC - since the authentication is delegated to RADIUS for > Authentication, I don't need to expose LDAP Master to KDC slaves - If yes, > I would provide a read-only LDAP replica.. > > > For starters, where is the FreeIPA KDC stash file stored?
AFAIK there is no prior art in setting up MIT KDC slaves. First of all, FreeIPA does not use stash file and stores master key in LDAP instead. You can retrieve equivalent of stash file using following command: $ ipa-getkeytab --retrieve --principal K/M@<REALM> -k /tmp/stash.keytab --binddn='cn=Directory manager' --bindpw='<Directory manager password>' *Make sure* that --retrieve option is present otherwise it will destroy your Kerberos database. The rest is up to your experimentation. I wish you good luck and please report your findings back to the mailing list! -- Petr^2 Spacek -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
