Thanks, Petr.

It seems like the only way to do it right now is to dump the keytab and
copy it to slave KDCs, as I couldn't find a way to have MIT Kerberos use
the master key stored in the LDAP directory directly.

MIT Kerberos doesn't really support a master key stored elsewhere other
than using "key_stash_file" AFAIK, so I'm wondering how FreeIPA has
actually implemented it (I couldn't find any reference for it in the
kerberos conf files).

My use case involves having a "FreeIPA slave" - a streamlined version
which will only provide authentication (via Kerberos). Sure, I can make a
standard replica and firewall what I don't wanna use, but when stretching
your authentication infrastructure you don't necessarily need to expose all
the other services FreeIPA provides, since that increases your attack surface.

Best regards

On Fri, Jul 22, 2016 at 10:14 AM, Petr Spacek <> wrote:

> On 21.7.2016 22:05, Diogenes S. Jesus wrote:
> > Hi everyone.
> >
> > I'm currently planning on deploying FreeIPA as the Master KDC (among
> > other things, to leverage the API and some other built-in features - like
> > replicas).
> > However I find (correct me if I'm wrong) FreeIPA not very modular -
> > therefore I would like to know what's the strategy when deploying slave KDCs.
> >
> > I've seen this thread
> > <
> September/msg00319.html>
> > but I
> > don't really want to have a replica - the idea was to deploy a separate
> > box only running a KDC - since the authentication is delegated to RADIUS for
> > Authentication, I don't need to expose the LDAP Master to KDC slaves - if
> > I did, I would provide a read-only LDAP replica.
> >
> >
> > For starters, where is the FreeIPA KDC stash file stored?
> AFAIK there is no prior art in setting up MIT KDC slaves. First of all,
> FreeIPA does not use a stash file and stores the master key in LDAP instead.
> You can retrieve the equivalent of a stash file using the following command:
> $ ipa-getkeytab --retrieve --principal K/M@<REALM> -k /tmp/stash.keytab --binddn='cn=Directory manager' --bindpw='<Directory manager password>'
> *Make sure* that the --retrieve option is present, otherwise it will destroy
> your Kerberos database.
> The rest is up to your experimentation. I wish you good luck, and please
> report your findings back to the mailing list!
> --
> Petr^2 Spacek
> --
> Manage your subscription for the Freeipa-users mailing list:
> Go to for more info on the project



Diogenes S. de Jesus
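The one operational hazard in this thread is the `--retrieve` flag Petr warns about: without it, ipa-getkeytab generates a new key for the principal, and for `K/M` that re-keys the master key and leaves the existing Kerberos database unreadable. The wrapper below is an added example, not code from the thread or from the FreeIPA project. It refuses to call ipa-getkeytab unless `--retrieve` is in the argument list, writes the resulting keytab with a restrictive umask and mode, and verifies it with `klist -kt`. The realm `EXAMPLE.TEST`, the output path, the `DRY_RUN` switch and the `BIND_PW` environment variable are assumptions introduced for the example; the bind DN and the command syntax are the ones from Petr's message.

```shell
#!/bin/sh
# Added example: guarded wrapper around "ipa-getkeytab --retrieve --principal K/M@REALM".
# Not from the mailing-list thread or the FreeIPA project.
# REALM, STASH_OUT, DRY_RUN and BIND_PW are assumptions of this example.

REALM="${REALM:-EXAMPLE.TEST}"                    # placeholder realm
STASH_OUT="${STASH_OUT:-/root/km-stash.keytab}"   # assumed output path, root-only directory
BIND_DN="${BIND_DN:-cn=Directory Manager}"        # bind DN as in the thread

# Print, one per line, the argument list that would be passed to ipa-getkeytab.
# --retrieve is always emitted first so the K/M key is fetched, never regenerated.
build_getkeytab_args() {
    realm=$1; out=$2; binddn=$3
    printf '%s\n' --retrieve --principal "K/M@$realm" -k "$out" --binddn="$binddn"
}

# Return 0 only if --retrieve is present among the arguments.
has_retrieve() {
    for arg in "$@"; do
        [ "$arg" = "--retrieve" ] && return 0
    done
    return 1
}

# Run ipa-getkeytab with the given arguments, refusing any call that could re-key K/M.
# With DRY_RUN=1 the command is only printed, so the guard can be exercised on a host
# without FreeIPA.
fetch_stash_keytab() {
    if ! has_retrieve "$@"; then
        echo "refusing: --retrieve missing, this call would re-key K/M and break the KDC database" >&2
        return 2
    fi
    umask 077                                     # keytab is created unreadable by others
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: ipa-getkeytab $*"
        return 0
    fi
    # BIND_PW is read from the environment rather than typed into the shell history;
    # like the command in the thread it is still passed via --bindpw, so run this only
    # on a host where other users cannot inspect process arguments.
    ipa-getkeytab "$@" --bindpw="$BIND_PW" || return 1
    chmod 0600 "$STASH_OUT"
    klist -kt "$STASH_OUT"                        # sanity check: lists the K/M entries
}

# Typical invocation (set BIND_PW in the environment first):
#   fetch_stash_keytab $(build_getkeytab_args "$REALM" "$STASH_OUT" "$BIND_DN")
```

Copy the resulting keytab to the slave KDC over an authenticated, encrypted channel and delete the local copy afterwards; whoever holds this file holds the realm's master key.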