On Tue, Jan 07, 2014 at 08:11:12AM +0200, Alexander Bokovoy wrote:
>
> The problem here is that you would have the same host name assigned to
> two different realms which means there would be a single principal but
> two different keys associated with it from different realms. A single
> keytab could contain only principals from the single realm.
>
> Thus, you need to use different keytabs and make sure that access to
> a non-default KDC is always using non-default keytab.

Understood.

> You'd also need to fetch IPA2's CA certificate and trust it. Here might
> be a problem since it will have the same nickname, 'IPA CA' and thus
> cannot be placed in the same /etc/pki/nssdb database. You can, however,
> put the cert file in a separate file somewhere, for example,
> /etc/ipa/ipa2-ca.crt.

Understood.

> Now, suppose you have a non-default keytab set at /etc/krb5.keytab.IPA2.
>
> # kinit admin@IPA2
> # ipa-getkeytab -s ipaserver.example.com -p host/foo.example.com -k
> /etc/krb5.keytab.IPA2
>
> would fetch the host keytab there.
>
> Then SSSD would need to be configured to use a different location for
> the keytab for this realm and a different TLS cert.
>
> [domain/example.com]
> ...
> krb5_keytab = /etc/krb5.keytab.IPA2
> ldap_tls_cacert = /etc/ipa/ipa2-ca.crt
> ...
>
> So, off my head (not tested):
> 1. Set up krb5.conf to have realm and domain_realm mappings for the
> second realm. You can only have one of the realms as default one.
> 2. Set up sssd.conf to have a second domain which points krb5_keytab to
> a different keytab, /etc/krb5.keytab.IPA2, and a different TLS CA
> certificate.
> 3. kinit as a principal from the second realm
> 4. Use ipa-getkeytab to fetch the keytab to /etc/krb5.keytab.IPA2

I have this set up and Kerberos works -- I can do kinit [email protected]
and kinit [email protected] and they pass and klist will show respective
principals.

> Finally, for LDAP operations you can't have profiles in ldap.conf, so
> defaults will only point to the original one. You can create another one
> in /etc/openldap and then use LDAPCONF environmental variable to point
> to the second config file for the defaults.

Here is where I got stuck -- when I run getent passwd [email protected]
I can see the record but getent passwd [email protected] will not return
anything. Is that because of the LDAP operations still using whatever is
in /etc/openldap/ldap.conf?

When I put IPA2's data to /etc/openldap/ldap.conf.IPA2 and run
LDAPCONF=/etc/openldap/ldap.conf.IPA2 getent passwd [email protected]
I still don't get anything. I assume that it's because it's actually
sssd which does the calls ... but how would I set LDAPCONF for sssd?

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
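The requirement in the thread above (one keytab per realm, and each SSSD domain pointing at its own keytab) is easy to get wrong by hand. The following is an added check, not code from the thread or from SSSD/FreeIPA: it parses an sssd.conf and the output of `klist -k <keytab>` for each configured keytab, and reports a keytab that two domains share or that holds principals from a realm other than the domain's own. The realm names, host name, paths and listings are constructed sample data (abbreviated `klist -k` output); on a real host you would read /etc/sssd/sssd.conf and run `klist -k` on each keytab path yourself.

```python
import configparser
import re

# Constructed sample sssd.conf with two IPA domains (hypothetical realms and paths).
SAMPLE_SSSD_CONF = """
[domain/example.com]
krb5_realm = EXAMPLE.COM

[domain/ipa2.example.com]
krb5_realm = IPA2.EXAMPLE.COM
krb5_keytab = /etc/krb5.keytab.IPA2
ldap_tls_cacert = /etc/ipa/ipa2-ca.crt
"""

# Constructed, abbreviated 'klist -k' output per keytab; the IPA2 keytab is
# deliberately polluted with a principal from the first realm so there is a finding.
SAMPLE_KLIST = {
    "/etc/krb5.keytab": """Keytab name: FILE:/etc/krb5.keytab
   2 host/foo.example.com@EXAMPLE.COM
""",
    "/etc/krb5.keytab.IPA2": """Keytab name: FILE:/etc/krb5.keytab.IPA2
   1 host/foo.example.com@IPA2.EXAMPLE.COM
   1 host/foo.example.com@EXAMPLE.COM
""",
}

# One 'klist -k' entry line: a KVNO, then principal@REALM.
ENTRY_RE = re.compile(r"^\s*\d+\s+\S+@(\S+)$", re.MULTILINE)


def keytab_realms(listing):
    """Set of realms of every principal in a 'klist -k' listing."""
    return {m.group(1) for m in ENTRY_RE.finditer(listing)}


def check_realm_keytabs(sssd_conf, klist_output):
    """List problems: a keytab shared by two SSSD domains, or a keytab that
    holds principals from a realm other than the one its domain serves."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_conf)
    problems, owner = [], {}
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        realm = cfg[section].get("krb5_realm", section.split("/", 1)[1].upper())
        keytab = cfg[section].get("krb5_keytab", "/etc/krb5.keytab")  # SSSD's default
        if keytab in owner:
            problems.append(f"{section}: keytab {keytab} already used by {owner[keytab]}")
        owner[keytab] = section
        for foreign in sorted(keytab_realms(klist_output.get(keytab, "")) - {realm}):
            problems.append(f"{section}: {keytab} holds principal(s) for realm {foreign}")
    return problems
```

On the sample data the check reports that /etc/krb5.keytab.IPA2 carries an EXAMPLE.COM principal, which is exactly the mixed-realm keytab the thread says must be avoided.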
