Setup
1) I'm not using DNS, just testing with VMs, so I had to make sure my VMs were assigned a consistent IP address via dhcp - and edit /etc/hosts to use the fqdn.
2) I did not assign a hostname at install time, so I had to edit /etc/sysconfig/network to assign the hostname and reboot - probably could have done that with dhcp too (anyone know how?).
3) I had to edit the firewall settings to allow 389 and 636 tcp (and udp for good measure) on both the master and replica.
4) I added the --no-host-dns option to ipa-server-install, but I'll need to add that to several other ipa- command line tools as well - I just hacked them instead to pass in verify_fqdn(name, True).
Notes
1) ipa-replica-install did not add a replication agreement from the replica to the master, but it configured the replica as a master (for MMR) - is this expected?
2) There was no principal for ldap/<fqdn of replica>@REALM - do I have to add this manually? I did anyway and it made kerberos happier (but not work) with replication, but it seemed to break lots of stuff on the replica (could no longer ldapsearch -Y GSSAPI on the replica, could not ipa-finduser on the replica).
* Server to Server SASL/GSSAPI
I modified Fedora DS to do SASL/GSSAPI bind for replication from the master to the replica. I then had to modify /etc/sysconfig/dirsrv to do the following:

kinit -k -t /etc/dirsrv/ds.keytab ldap/<fqdn of master>@REALM
parse klist to get the tgt filename
export KRB5CCNAME=tgtfilename
chown dirsrv:dirsrv $KRB5CCNAME

I then had to add the ldap host principal for ldap/<fqdn of replica>@REALM (not sure why it wasn't there?). After startup, the master attempts to do a SASL/GSSAPI bind to the replica, and gets this error in the krb5kdc log on the master:

NO PREAUTH: authtime xxxx, ldap/<fqdn of master>@REALM for ldap/<fqdn of replica>@REALM, Generic error (see e-text)
Is what I'm trying to do possible within the IPA kerberos framework?
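As an added example (not the poster's own snippet and not FreeIPA project code), here is one way to write the /etc/sysconfig/dirsrv logic described above: kinit from the DS keytab, parse klist for the ticket cache, export KRB5CCNAME and hand the cache file to the dirsrv user. The keytab path, the ldap/ principal, the hostname and the sample klist output are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: one way to write the
# /etc/sysconfig/dirsrv logic described above (kinit from the DS keytab,
# locate the ticket cache, export KRB5CCNAME, chown the cache to dirsrv).
# The keytab path, principal and hostname below are assumptions.

KEYTAB=${KEYTAB:-/etc/dirsrv/ds.keytab}
PRINC=${PRINC:-ldap/master.example.com@EXAMPLE.COM}   # assumed principal
DS_USER=${DS_USER:-dirsrv}

# Constructed sample of `klist` output, used only to exercise the parsing
# helpers below; a real run parses the live `klist` output instead.
KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ldap/master.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
01/01/07 10:00:00  01/02/07 10:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Pull the cache path out of klist output. Strips a leading "FILE:" so the
# result is a plain path that chown can act on (newer klist prints the
# prefix, older versions print the bare path).
ccache_from_klist() {
    printf '%s\n' "$1" | sed -n 's/^Ticket cache:[[:space:]]*//p' \
        | sed 's/^FILE://' | head -n 1
}

# Pull the principal out of klist output, so we can confirm the cache really
# holds the ldap/ service credentials and not some other user's TGT.
principal_from_klist() {
    printf '%s\n' "$1" | sed -n 's/^Default principal:[[:space:]]*//p' | head -n 1
}

# The sequence from the post. Returns non-zero (and exports nothing) if any
# step fails, so a broken kinit does not leave dirsrv pointing at a stale
# or foreign cache.
setup_ds_ccache() {
    kinit -k -t "$KEYTAB" "$PRINC" || return 1
    out=$(klist 2>/dev/null) || return 1
    [ "$(principal_from_klist "$out")" = "$PRINC" ] || return 1
    cc=$(ccache_from_klist "$out")
    [ -n "$cc" ] && [ -f "$cc" ] || return 1
    KRB5CCNAME="FILE:$cc"
    export KRB5CCNAME
    chown "$DS_USER:$DS_USER" "$cc"
}

# In /etc/sysconfig/dirsrv (sourced by the init script), uncomment:
# setup_ds_ccache || echo "could not obtain DS credential cache" >&2
```

Two things worth noting about this shape: exporting a fixed KRB5CCNAME (for example FILE:/var/run/dirsrv/krb5cc_dirsrv) before running kinit removes the klist parsing step entirely, since kinit then writes the cache where you told it to; and because the sysconfig file is only sourced at service start, the ticket obtained here expires with the TGT lifetime, so renewal has to be handled separately from this snippet.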