[Freeipa-users] Enrolling client to second IPA server

Jan Pazdziora jpazdziora at redhat.com
Mon Apr 7 11:51:18 UTC 2014


On Tue, Jan 07, 2014 at 08:11:12AM +0200, Alexander Bokovoy wrote:
>
> The problem here is that you would have the same host name assigned to
> two different realms which means there would be a single principal but
> two different keys associated with it from different realms. A single
> keytab could contain only principals from the single realm.
> 
> Thus, you need to use different keytabs and make sure that access to
> a non-default KDC is always using non-default keytab.

Understood.

> You'd also need to fetch IPA2's CA certificate and trust it. Here might
> be a problem since it will have the same nickname, 'IPA CA' and thus
> cannot be placed in the same /etc/pki/nssdb database. You can, however,
> put the cert file in a separate file somewhere, for example,
> /etc/ipa/ipa2-ca.crt.

Understood.

> Now, suppose you have a non-default keytab set at /etc/krb5.keytab.IPA2.
> 
> # kinit admin@IPA2
> # ipa-getkeytab -s ipaserver.example.com  -p  host/foo.example.com  -k /etc/krb5.keytab.IPA2
> 
> would fetch the host keytab there.
> 
> Then SSSD would need to be configured to use a different location for
> the keytab for this realm and a different TLS cert.
> 
> [domain/example.com]
> ...
> krb5_keytab = /etc/krb5.keytab.IPA2
> ldap_tls_cacert = /etc/ipa/ipa2-ca.crt
> ...
> 
> So, off my head (not tested):
> 1. Set up krb5.conf to have realm and domain_realm mappings for the
> second realm. You can only have one of the realms as default one.
> 2. Set up sssd.conf to have a second domain which points krb5_keytab to
> a different keytab, /etc/krb5.keytab.IPA2, and a different TLS CA
> certificate.
> 3. kinit as a principal from the second realm
> 4. Use ipa-getkeytab to fetch the keytab to /etc/krb5.keytab.IPA2

I have this set up and Kerberos works -- I can do kinit
user123@REALM1.NET and kinit user678@REALM2.NET and they pass and
klist will show the respective principals.

> Finally, for LDAP operations you can't have profiles in ldap.conf, so
> defaults will only point to the original one. You can create another one
> in /etc/openldap and then use LDAPCONF environmental variable to point
> to the second config file for the defaults.

Here is where I got stuck -- when I run

	getent passwd user123@REALM1.NET

I can see the record but

	getent passwd user678@REALM2.NET

will not return anything. Is that because of the LDAP operations still
using whatever is in /etc/openldap/ldap.conf? When I put IPA2's data
to /etc/openldap/ldap.conf.IPA2 and run

	LDAPCONF=/etc/openldap/ldap.conf.IPA2 getent passwd user678@REALM2.NET

I still don't get anything. I assume that it's because it's actually
sssd which does the calls ... but how would I set LDAPCONF for sssd?

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
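For reference, a consolidated view of the two client-side files the thread above walks through, written as an added example that is not part of the original messages: the keytab and CA paths are the ones quoted above, while the realm names, IPA server hostnames and domain section names are constructed.

```ini
# /etc/krb5.conf (constructed example: REALM1.NET / REALM2.NET, ipa1/ipa2 hosts)
[libdefaults]
  # only one realm can be the default; the other is always named explicitly
  default_realm = REALM1.NET

[realms]
  REALM1.NET = {
    kdc = ipa1.realm1.net
    admin_server = ipa1.realm1.net
  }
  REALM2.NET = {
    kdc = ipa2.realm2.net
    admin_server = ipa2.realm2.net
  }

[domain_realm]
  .realm1.net = REALM1.NET
  realm1.net = REALM1.NET
  .realm2.net = REALM2.NET
  realm2.net = REALM2.NET

# /etc/sssd/sssd.conf (constructed example; one SSSD domain per IPA realm)
[sssd]
services = nss, pam
# a domain that is not listed here is never consulted by getent/PAM
domains = realm1.net, realm2.net

[domain/realm1.net]
id_provider = ipa
auth_provider = ipa
ipa_domain = realm1.net
ipa_server = ipa1.realm1.net
krb5_realm = REALM1.NET
# defaults written by ipa-client-install for the first realm
krb5_keytab = /etc/krb5.keytab
ldap_tls_cacert = /etc/ipa/ca.crt
use_fully_qualified_names = True

[domain/realm2.net]
id_provider = ipa
auth_provider = ipa
ipa_domain = realm2.net
ipa_server = ipa2.realm2.net
krb5_realm = REALM2.NET
# second realm: its own keytab (fetched with ipa-getkeytab) and its own CA file,
# because one keytab holds principals of one realm and the NSS DB nickname clashes
krb5_keytab = /etc/krb5.keytab.IPA2
ldap_tls_cacert = /etc/ipa/ipa2-ca.crt
use_fully_qualified_names = True
```

With use_fully_qualified_names set in both domains, lookups must use the user@domain form, which keeps identically named users in the two realms distinct.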