Headnode has keytab, there are also 3 login nodes and they have keytab too. Then there are 100 compute nodes which presently do not.

Anonymous is a clever idea, but I was hoping to instrument compute nodes such that my user and group filters on headnode sssd config would be in effect, i.e. the users and groups the headnode sees the computes also see.

Of the two, the groups is the tricky one as I need special permissions on my host keytab to actually get that data (it's not available anonymously).

Thank you for the help, I would really like to get this working.

On Fri, Apr 12, 2013 at 1:57 AM, Jakub Hrozek <jhrozek@redhat.com> wrote:
On Thu, Apr 11, 2013 at 10:30:26PM -0700, Jason Bishop wrote:
> Hi errbody, I may have an easy question, but I haven't found anything in
> the documentation which describes my use-case exactly.  I hope you can help.
> My environment is Kerberos for authentication and Kerberos using
> host-keytab for LDAP binds.  sssd is working fine for this setup.  The
> wrinkle is that I am trying to get this to work on a (Rocks) HPC cluster
> where I have Kerberos running on headnode but not the compute nodes.

Do I get it right that only the head node has a keytab?

> I am hoping that I can use the sssd config with Kerberos authentication on
> the head node and have a simpler setup for the compute nodes.  Since ssh
> public keys are used for authentication on compute nodes, I really only
> need user and group enumeration working there.  Is there a simple way to
> get user list from sssd on head node for use on compute nodes?
> thank u
> jason

Can you just use anonymous LDAP binds on the other nodes?