On Fri, July 19, 2013 15:23, KodaK wrote:
> On Thu, Jul 18, 2013 at 4:43 PM, Sigbjorn Lie <sigbj...@nixtra.com> wrote:
>> Hi.
>> I've done the kerberos part with several Apache Web servers with success.
>> I've not done the fallback to ldap basic auth.
>> Set KrbServiceName to Any in httpd.conf and put a HTTP service kerberos
>> keytab from AD and one from IPA in the same keytab file. Reference this
>> keytab file in httpd.conf.
> Thanks for the tips.
> You wouldn't happen to know how to coax a keytab out of AD when the
> box you're using doesn't have the same domain name, do you?
> For example, the AD domain is SUB.AD.COMPANY.COM but the Linux box is
> When I try to get the keytab with:
> net ads keytab add HTTP -U myusername
> I get:
> libads/kerberos_keytab.c:326: unable to determine machine account's
> dns name in AD!
> I realize this is diverging wildly from the subject of IPA -- I can
> take this off list if anyone is annoyed, just let me know.


Please see below my notes for how to create a combined keytab file.

Retrieve a keytab from IPA:

Make sure you have a valid kerberos TGT:
$ klist
Check to see if the service exists in IPA:
$ ipa service-find HTTP/webserver.ipa.domain

If it does not exist, create it with ipa service-add.

Retrieve the keytab:
$ ipa-getkeytab -s ipa01 -p HTTP/webserver.ipa.domain -k 

Retrieve a keytab from AD:

ktpass -princ HTTP/webserver.ipa.domain@WINDOWS.DOMAIN +rndpass /mapuser WINDOMAIN\webserver$ -crypto all -ptype KRB5_NT_PRINCIPAL -out webserver.keytab

The Windows admin will choose if they want to use a Computer Account or a User
Account to bind the keytab to.
Copy this keytab into /etc/httpd/HTTP.keytab-AD

Combine the keytabs using ktutil:
If an existing keytab (/etc/httpd/HTTP.keytab) exists, delete this keytab.
Failure to do so will append the keytabs, merging old and new keytabs into a
single file. THIS WILL

Fire up ktutil
$ ktutil

Read the IPA keytab
rkt /etc/httpd/HTTP.keytab-IPA

Read the MAIN keytab
rkt /etc/httpd/HTTP.keytab-AD

List the principals and verify that they look OK

Write them back to a combined keytab:
wkt /etc/httpd/HTTP.keytab
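
The combine-and-verify steps above as a script, with the "list the principals and verify that they look OK" step made explicit. This is an added example, not code from Sigbjorn's mail or from the FreeIPA project. It assumes MIT Kerberos ktutil and klist, the file names used in the thread, placeholder realm names IPA.DOMAIN and WINDOWS.DOMAIN, and that httpd runs as the user "apache" (an assumption; adjust the chown for your distribution). The check flags the exact failure the note warns about: a principal present under more than one KVNO because an old keytab was merged with the new one.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project.
# Assumes MIT Kerberos ktutil/klist, the file names used in the thread, and
# that httpd runs as user "apache" (assumption; adjust for your distribution).

# Merge the IPA and AD keytabs for one service into a fresh output file.
# The output is removed first because ktutil's wkt appends to an existing
# file, which is how old and new entries end up side by side.
merge_keytabs() {
    ipa_kt=$1; ad_kt=$2; out=$3
    [ -r "$ipa_kt" ] && [ -r "$ad_kt" ] || { echo "input keytab missing" >&2; return 1; }
    rm -f "$out"
    ktutil <<EOF
rkt $ipa_kt
rkt $ad_kt
wkt $out
quit
EOF
    # Keep the key material readable only by root and the httpd user.
    chown root:apache "$out" && chmod 0640 "$out"
}

# Turn "klist -kt" output (read on stdin) into one "PRINCIPAL KVNO" line per
# entry; header and separator rows have a non-numeric first field.
listing_entries() {
    awk '$1 ~ /^[0-9]+$/ { for (i = 2; i <= NF; i++) if ($i ~ /@/) { print $i, $1; break } }'
}

# Verify a listing (stdin) contains SERVICE in each of the given realms and
# that no principal appears under more than one KVNO, which is the symptom
# of having merged an old keytab together with the new one.
# Usage: verify_listing HTTP/host.example IPA.REALM AD.REALM
verify_listing() {
    service=$1; shift
    entries=$(listing_entries)
    rc=0
    for realm in "$@"; do
        printf '%s\n' "$entries" |
            awk -v p="${service}@${realm}" '$1 == p { f = 1 } END { exit !f }' ||
            { echo "missing: ${service}@${realm}" >&2; rc=1; }
    done
    dups=$(printf '%s\n' "$entries" | sort -u | awk '{ print $1 }' | uniq -d)
    if [ -n "$dups" ]; then
        echo "more than one KVNO for: $dups" >&2
        rc=1
    fi
    return $rc
}

# Run klist against a real keytab file and apply the same checks.
verify_keytab() {
    keytab=$1; shift
    klist -kt "$keytab" | verify_listing "$@"
}

# Full procedure (only when explicitly requested, so the file can be sourced):
#   RUN_MERGE=1 sh merge_http_keytab.sh
if [ "${RUN_MERGE:-0}" = 1 ]; then
    merge_keytabs /etc/httpd/HTTP.keytab-IPA /etc/httpd/HTTP.keytab-AD /etc/httpd/HTTP.keytab &&
        verify_keytab /etc/httpd/HTTP.keytab HTTP/webserver.ipa.domain IPA.DOMAIN WINDOWS.DOMAIN
fi
```

The heredoc feeds MIT ktutil its rkt/wkt commands non-interactively; Heimdal's ktutil uses a different command set, so this part is MIT-specific. A principal listed with two KVNOs is not by itself fatal to Kerberos, but it is the signature of the append behaviour described above, so the script treats it as a failed merge and asks you to redo it from a clean output file.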



Freeipa-users mailing list