I have a number of IPA client hosts joined to my FreeIPA domain. The IPA client hosts provide a set of app services, which use Kerberos authentication.

I have the requirement that the services must use a separate MIT KDC. I'd like to use one of the IPA domain member machines to run the additional KDC and authenticate the app services on the other domain members against it.

Will this setup affect the IPA client services running on the IPA domain member hosts? I think that some IPA client services authenticate in the IPA KDC. I am wondering if this won't destroy anything.

My plan is to modify the /etc/krb5.conf file on the IPA client machines, add the new realm, modify the 'default_realm' parameter and configure the 'domain_realm' section to point that the client hosts belong now to the new realm.

Will that work? Will IPA managed services work correctly on the client machines? All in all I am building a test environment to verify this, but would be grateful for suggestions of the things that may go wrong. Any configuration suggestions will be also highly appreciated


Thanks and Regards,
Pit