[Freeipa-users] Enrolling client to second IPA server
Alexander Bokovoy
abokovoy at redhat.com
Tue Jan 7 06:11:12 UTC 2014
On Tue, 07 Jan 2014, Jan Pazdziora wrote:
>
>For testing purposes, I'd like to enroll my already IPA-enrolled
>client to another IPA server, with different domain. My goal is to
>then use Kerberos authentication in applications to use the second
>realm and PAM authentication in applications to go to the second
>domain in sssd while leaving the first realm/domain solely for OS-level
>authentication.
>
>I was able to copy and tweak /etc/sssd/sssd.conf, add a realm to
>/etc/krb5.conf, but I'm not sure where my second keytab is supposed
>to go. Reading
>
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/enrolling-machines.html
>
>suggests having the keytab from the IPA server is essential ... but
>where do I specify its location?
>
>Ideally I'd like to just run ipa-client-install with proper parameters
>but I always get
>
> IPA client is already configured on this system.
>
>While that is technically correct, it does not move me forward
>enrolling the system to another IPA server.
>
>Does anyone have example steps that need to be done to have my system
>enrolled to two IPA servers?
The problem here is that you would have the same host name assigned to
two different realms which means there would be a single principal but
two different keys associated with it from different realms. A single
keytab could contain only principals from the single realm.
Thus, you need to use different keytabs and make sure that access to
a non-default KDC is always using non-default keytab.
You'd also need to fetch IPA2's CA certificate and trust it. Here might
be a problem since it will have the same nickname, 'IPA CA' and thus
cannot be placed in the same /etc/pki/nssdb database. You can, however,
put the cert file in a separate file somewhere, for example,
/etc/ipa/ipa2-ca.crt.
Now, suppose you have a non-default keytab set at /etc/krb5.keytab.IPA2.

    # kinit admin@IPA2
    # ipa-getkeytab -s ipaserver.example.com -p host/foo.example.com -k /etc/krb5.keytab.IPA2

would fetch the host keytab there.
Then SSSD would need to be configured to use a different location for
the keytab for this realm and a different TLS cert.
[domain/example.com]
...
krb5_keytab = /etc/krb5.keytab.IPA2
ldap_tls_cacert = /etc/ipa/ipa2-ca.crt
...
So, off my head (not tested):
1. Set up krb5.conf to have realm and domain_realm mappings for the
second realm. You can only have one of the realms as default one.
2. Set up sssd.conf to have a second domain which points krb5_keytab to
a different keytab, /etc/krb5.keytab.IPA2, and a different TLS CA
certificate.
3. kinit as a principal from the second realm
4. Use ipa-getkeytab to fetch the keytab to /etc/krb5.keytab.IPA2
Finally, for LDAP operations you can't have profiles in ldap.conf, so
defaults will only point to the original one. You can create another one
in /etc/openldap and then use the LDAPCONF environment variable to point
to the second config file for the defaults.
--
/ Alexander Bokovoy
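The four steps in the reply above, written out as one script. This is an added example, not code from the original mail or from the FreeIPA project, and it is untested against a live pair of servers in the same way the reply's list is "off my head". Everything named in it is a placeholder: IPA2.EXAMPLE.ORG, example.org, ipa2.example.org and foo.example.com stand for the second realm, its DNS domain, the second IPA server and the client; the default realm, /etc/krb5.keytab and /etc/ipa/ca.crt belonging to the first server are left untouched. It assumes the host entry for the client already exists in IPA2 (created on that server with `ipa host-add`), that the IPA2 admin password is known, and that the script runs as root when asked to install anything. The `fragments` mode only writes the krb5.conf, sssd.conf and ldap.conf pieces to a directory for review; `apply` does the network steps: fetches the IPA2 CA into its own file, pulls the host keytab into the non-default keytab, and then proves both work by authenticating with that keytab alone and doing a GSSAPI `ldapwhoami` through the alternate ldap.conf.

```shell
#!/bin/sh
# Added example, not from the original mail or from FreeIPA: the reply's
# four steps as a script. All names are placeholders. The host entry for
# $HOST_FQDN must already exist in IPA2, and installing files needs root.
set -eu

IPA2_REALM=IPA2.EXAMPLE.ORG         # second realm (placeholder)
IPA2_DOMAIN=example.org             # DNS domain of the second IPA (placeholder)
IPA2_SERVER=ipa2.example.org        # second IPA server (placeholder)
HOST_FQDN=foo.example.com           # this client; same name in both realms
IPA2_KEYTAB=/etc/krb5.keytab.IPA2   # non-default keytab, holds IPA2 keys only
IPA2_CACERT=/etc/ipa/ipa2-ca.crt    # IPA2 CA as a file: avoids the 'IPA CA' nickname clash in nssdb
IPA2_LDAPCONF=/etc/openldap/ldap-ipa2.conf

# example.org -> dc=example,dc=org (IPA's default base DN for a domain)
domain_to_basedn() {
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# Step 1: entries to merge into the existing [realms] and [domain_realm]
# sections of /etc/krb5.conf. default_realm stays the first realm.
krb5_fragment() {
    cat <<EOF
[realms]
 $IPA2_REALM = {
  kdc = $IPA2_SERVER:88
  admin_server = $IPA2_SERVER:749
 }

[domain_realm]
 .$IPA2_DOMAIN = $IPA2_REALM
 $IPA2_DOMAIN = $IPA2_REALM
EOF
}

# Step 2: a second sssd domain with its own keytab and CA file. Its section
# name must differ from the first domain's; add it to "domains =" in [sssd].
sssd_domain_fragment() {
    cat <<EOF
[domain/$IPA2_DOMAIN]
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
ipa_domain = $IPA2_DOMAIN
ipa_server = $IPA2_SERVER
ipa_hostname = $HOST_FQDN
krb5_realm = $IPA2_REALM
krb5_keytab = $IPA2_KEYTAB
ldap_tls_cacert = $IPA2_CACERT
cache_credentials = True
EOF
}

# Separate OpenLDAP client config, selected per process with LDAPCONF=...
ldap_conf_fragment() {
    cat <<EOF
URI ldaps://$IPA2_SERVER
BASE $(domain_to_basedn "$IPA2_DOMAIN")
TLS_CACERT $IPA2_CACERT
SASL_MECH GSSAPI
EOF
}

# Write all three fragments under directory $1 for review before merging.
write_fragments() {
    krb5_fragment        > "$1/krb5-ipa2.conf"
    sssd_domain_fragment > "$1/sssd-ipa2.conf"
    ldap_conf_fragment   > "$1/ldap-ipa2.conf"
}

# Steps 3 and 4 plus the CA fetch; these talk to the IPA2 server.
enroll_ipa2() {
    # Every IPA server publishes its CA certificate at this path.
    curl -fsS -o "$IPA2_CACERT" "http://$IPA2_SERVER/ipa/config/ca.crt"
    chmod 0644 "$IPA2_CACERT"

    # Admin ticket from the second realm in the default ccache, then this
    # host's key into the non-default keytab. -p takes the non-realm part of
    # the principal; ipa-getkeytab issues fresh keys for the IPA2 entry and
    # never touches /etc/krb5.keytab, which keeps the IPA1 host key.
    kinit "admin@$IPA2_REALM"
    ipa-getkeytab -s "$IPA2_SERVER" -p "host/$HOST_FQDN" -k "$IPA2_KEYTAB"
    kdestroy
    chmod 0600 "$IPA2_KEYTAB"
    ldap_conf_fragment > "$IPA2_LDAPCONF"

    # Check: list the new keytab, get a ticket from IPA2 using only that
    # keytab, and run an LDAP operation against IPA2 via the alternate ldap.conf.
    klist -kt "$IPA2_KEYTAB"
    kinit -kt "$IPA2_KEYTAB" "host/$HOST_FQDN@$IPA2_REALM"
    LDAPCONF=$IPA2_LDAPCONF ldapwhoami -Y GSSAPI -Q
    kdestroy
}

# "fragments [DIR]" writes the config pieces; only "apply" touches the network.
case "${1:-}" in
    fragments) write_fragments "${2:-.}" ;;
    apply)     enroll_ipa2 ;;
esac
```

The point of keeping `-kt "$IPA2_KEYTAB"` and `LDAPCONF=...` explicit in the check is the one made in the reply: nothing on the host selects the second realm by default, so any process that must reach IPA2 has to be told which keytab and which LDAP defaults to use, and the check fails loudly if that wiring is missing.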