On Thu, Jul 18, 2013 at 4:43 PM, Sigbjorn Lie <sigbj...@nixtra.com> wrote: > > Hi. > > I've done the kerberos part with several Apache Web servers with success. > I've not done the fallback to ldap basic auth. > > Set KrbServiceName to Any in httpd.conf and put a HTTP service kerberos > keytab from AD and one from IPA in the same keytab file. Reference this > keytab file in httpd.conf.
Thanks for the tips. You wouldn't happen to know how to coax a keytab out of AD when the box you're using doesn't have the the same domain name, do you? For example, the AD domain is SUB.AD.COMPANY.COM but the Linux box is UNIX.COMPANY.COM. When I try to get the keytab with: net ads keytab add HTTP -U myusername I get: libads/kerberos_keytab.c:326: unable to determine machine account's dns name in AD! I realize this is diverging wildly from the subject of IPA -- I can take this off list if anyone is annoyed, just let me know. Thanks, --Jason _______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users