[Freeipa-users] Enrolling client to second IPA server
Jan Pazdziora
jpazdziora at redhat.com
Tue Jan 7 04:02:41 UTC 2014
For testing purposes, I'd like to enroll my already IPA-enrolled
client to another IPA server, with different domain. My goal is to
then use Kerberos authencation in applications to use the second
realm and PAM authentication in applications to go to the second
domain in sssd while leaving the first realm/domain solely for OS-level
authentication.
I was able to copy and tweak /etc/sssd/sssd.conf, add a realm to
/etc/krb5.conf, but I'm not sure where my second keytab is supposed
to go. Reading
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/enrolling-machines.html
suggests having the keytab from the IPA server is essential ... but
where do I specify its location?
Ideally I'd like to just run ipa-client-install with proper parameters
but I always get
IPA client is already configured on this system.
While that is technically correct, it does not move me forward
enrolling the system to another IPA server.
Does anyone have example steps that need to be done to have my system
enrolled to two IPA servers?
Thank you,
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
More information about the Freeipa-users
mailing list