On Fri, July 19, 2013 15:23, KodaK wrote:
> On Thu, Jul 18, 2013 at 4:43 PM, Sigbjorn Lie <sigbj...@nixtra.com> wrote:
>> I've done the kerberos part with several Apache Web servers with success.
>> I've not done the fallback to ldap basic auth.
>> Set KrbServiceName to Any in httpd.conf and put a HTTP service kerberos
>> keytab from AD and one from IPA in the same keytab file. Reference this
>> keytab file in httpd.conf.
> Thanks for the tips.
> You wouldn't happen to know how to coax a keytab out of AD when the
> box you're using doesn't have the same domain name, do you?
> For example, the AD domain is SUB.AD.COMPANY.COM but the Linux box is
> When I try to get the keytab with:
> net ads keytab add HTTP -U myusername
> I get:
> libads/kerberos_keytab.c:326: unable to determine machine account's
> dns name in AD!
> I realize this is diverging wildly from the subject of IPA -- I can
> take this off list if anyone is annoyed, just let me know.
Please see below my notes for how to create a combined keytab file.
Retrieve a keytab from IPA:
Make sure you have a valid kerberos TGT:
Check to see if the service exists in IPA:
$ ipa service-find HTTP/webserver.ipa.domain
If it does not exist, create it with ipa service-add.
Retrieve the keytab:
$ ipa-getkeytab -s ipa01 -p HTTP/webserver.ipa.domain -k
Retrieve a keytab from AD:
> ktpass -princ HTTP/webserver.ipa.domain@WINDOWS.DOMAIN +rndpass /mapuser -crypto all -ptype KRB5_NT_PRINCIPAL -out webserver.keytab
The Windows admin will choose if they want to use a Computer Account or a User Account to bind the
Copy this keytab into /etc/httpd/HTTP.keytab-AD
Combine the keytabs using ktutil:
If an existing keytab exists, delete this keytab: /etc/httpd/HTTP.keytab
Failure to do so will append the keytabs, merging old and new keytabs into a
single file. THIS WILL MAKE AUTHENTICATION FAIL!!
Fire up ktutil
Read the IPA keytab
Read the MAIN keytab
List the principals and verify that they look OK
Write them back to a combined keytab:
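As an added example (not part of this thread), a small Python reader for the MIT keytab file format that performs the "list the principals and verify that they look OK" step offline on the combined /etc/httpd/HTTP.keytab, checking that HTTP/webserver.ipa.domain has a key for both the IPA realm and the AD realm. The realm name IPA.DOMAIN, the kvnos, timestamp and key bytes are constructed assumptions; WINDOWS.DOMAIN is taken from the ktpass command above.

```python
import struct  # keytab 0x0502 is big-endian: int32 size, uint16 counts, uint16-prefixed strings

def _cs(b):                                   # counted octet string: uint16 length + bytes
    return struct.pack(">H", len(b)) + b

def _read_cs(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return (principal, realm, kvno, enctype) for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab format")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off, end = off + 4, off + 4 + abs(size)
        if size < 0:                          # negative size marks a deleted slot
            off = end
            continue
        (ncomp,) = struct.unpack_from(">H", data, off)   # components exclude the realm
        realm, off = _read_cs(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _read_cs(data, off)
            comps.append(c.decode())
        # uint32 name type, uint32 timestamp, uint8 kvno, uint16 enctype, then the key
        _ntype, _stamp, kvno, enctype = struct.unpack_from(">IIBH", data, off)
        entries.append(("/".join(comps), realm.decode(), kvno, enctype))
        off = end                             # skips the key and any optional 32-bit kvno
    return entries

def check_combined(data, principal, realms):  # principal must carry a key in every realm
    present = {(p, r) for p, r, _, _ in parse_keytab(data)}
    return all((principal, r) in present for r in realms)

def _entry(principal, realm, kvno, enctype, key):   # serialiser for the constructed sample
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _cs(realm.encode())
    body += b"".join(_cs(c.encode()) for c in comps)
    body += struct.pack(">IIBH", 1, 1374230580, kvno, enctype) + _cs(key)
    return struct.pack(">i", len(body)) + body

# Constructed sample: /etc/httpd/HTTP.keytab after ktutil wkt, one IPA entry
# (aes256-cts, enctype 18) and one AD entry (rc4-hmac, enctype 23); realm IPA.DOMAIN is assumed.
SAMPLE_KEYTAB = (b"\x05\x02"
    + _entry("HTTP/webserver.ipa.domain", "IPA.DOMAIN", 2, 18, b"\x11" * 32)
    + _entry("HTTP/webserver.ipa.domain", "WINDOWS.DOMAIN", 3, 23, b"\x22" * 16))
```

Run it against the real file with `check_combined(open("/etc/httpd/HTTP.keytab", "rb").read(), "HTTP/webserver.ipa.domain", ["IPA.DOMAIN", "WINDOWS.DOMAIN"])`; a missing realm means one of the two source keytabs was not read before wkt.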
Freeipa-users mailing list