Re: [Freeipa-users] IPA + AD authentication in apache
On Fri, Jul 19, 2013 at 9:55 AM, natxo asenjo wrote:
> On 07/19/2013 04:09 PM, Sigbjorn Lie wrote:
>> Retrieve a keytab from AD:
>>
>>> ktpass -princ HTTP/webserver.ipa.domain@WINDOWS.DOMAIN +rndpass /mapuser
>>> WINDOMAIN\webserver$ -crypto all -ptype KRB5_NT_PRINCIPAL -out webserver.keytab
>>
>> The Windows admin will choose if they want to use a Computer Account or a
>> User Account to bind the keytab to.
>> Copy this keytab into /etc/httpd/HTTP.keytab-AD
>
> just filling in (just in case this was not clear): ktpass.exe is a
> windows tool you run in the domain controller (or in a workstation with
> the admins tool installed).

Thanks, everyone.

I'm still waiting for a Windows admin to help me out with this.
Unfortunately I'm not a domain admin, so I can't do this myself. :/

--Jason

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA + AD authentication in apache
You definitely don't need domain admin. I do not have much rights with my active directory account, still I can retrieve keytabs from ad.

Sorry, I'm not at work so I can't figure out exactly what my access level is.

Regards
Siggi

KodaK wrote:
> On Fri, Jul 19, 2013 at 9:55 AM, natxo asenjo wrote:
>> On 07/19/2013 04:09 PM, Sigbjorn Lie wrote:
>>> Retrieve a keytab from AD:
>>>
>>>> ktpass -princ HTTP/webserver.ipa.domain@WINDOWS.DOMAIN +rndpass /mapuser
>>>> WINDOMAIN\webserver$ -crypto all -ptype KRB5_NT_PRINCIPAL -out webserver.keytab
>>>
>>> The Windows admin will choose if they want to use a Computer Account or a
>>> User Account to bind the keytab to.
>>> Copy this keytab into /etc/httpd/HTTP.keytab-AD
>>
>> just filling in (just in case this was not clear): ktpass.exe is a
>> windows tool you run in the domain controller (or in a workstation with
>> the admins tool installed).
>
> Thanks, everyone.
>
> I'm still waiting for a Windows admin to help me out with this.
> Unfortunately I'm not a domain admin, so I can't do this myself. :/
>
> --Jason

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Re: [Freeipa-users] IPA + AD authentication in apache
On 07/19/2013 04:09 PM, Sigbjorn Lie wrote:
> Retrieve a keytab from AD:
>
>> ktpass -princ HTTP/webserver.ipa.domain@WINDOWS.DOMAIN +rndpass /mapuser
>> WINDOMAIN\webserver$ -crypto all -ptype KRB5_NT_PRINCIPAL -out webserver.keytab
>
> The Windows admin will choose if they want to use a Computer Account or a
> User Account to bind the keytab to.
> Copy this keytab into /etc/httpd/HTTP.keytab-AD

just filling in (just in case this was not clear): ktpass.exe is a
windows tool you run in the domain controller (or in a workstation with
the admins tool installed).

-- 
groet,
natxo
Re: [Freeipa-users] IPA + AD authentication in apache
On Fri, July 19, 2013 15:23, KodaK wrote:
> On Thu, Jul 18, 2013 at 4:43 PM, Sigbjorn Lie wrote:
>
>> Hi.
>>
>> I've done the kerberos part with several Apache Web servers with success.
>> I've not done the fallback to ldap basic auth.
>>
>> Set KrbServiceName to Any in httpd.conf and put a HTTP service kerberos
>> keytab from AD and one from IPA in the same keytab file. Reference this
>> keytab file in httpd.conf.
>
> Thanks for the tips.
>
> You wouldn't happen to know how to coax a keytab out of AD when the
> box you're using doesn't have the same domain name, do you?
>
> For example, the AD domain is SUB.AD.COMPANY.COM but the Linux box is
> UNIX.COMPANY.COM.
>
> When I try to get the keytab with:
>
> net ads keytab add HTTP -U myusername
>
> I get:
>
> libads/kerberos_keytab.c:326: unable to determine machine account's
> dns name in AD!
>
> I realize this is diverging wildly from the subject of IPA -- I can
> take this off list if anyone is annoyed, just let me know.

Hi,

Please see below my notes for how to create a combined keytab file.

Retrieve a keytab from IPA:

Make sure you have a valid kerberos TGT:
$ klist

Check to see if the service exists in IPA:
$ ipa service-find HTTP/webserver.ipa.domain

If it does not exist, create it with ipa service-add.

Retrieve the keytab:
$ ipa-getkeytab -s ipa01 -p HTTP/webserver.ipa.domain -k /etc/httpd/HTTP.keytab-IPA

Retrieve a keytab from AD:
> ktpass -princ HTTP/webserver.ipa.domain@WINDOWS.DOMAIN +rndpass /mapuser
> WINDOMAIN\webserver$ -crypto all -ptype KRB5_NT_PRINCIPAL -out webserver.keytab

The Windows admin will choose if they want to use a Computer Account or a User Account to bind the keytab to.
Copy this keytab into /etc/httpd/HTTP.keytab-AD

Combine the keytabs using ktutil:

If an existing keytab exists, delete this keytab: /etc/httpd/HTTP.keytab
Failure to do so will append the keytabs, merging old and new keytabs into a single file. THIS WILL MAKE AUTHENTICATION FAIL!!

Fire up ktutil
$ ktutil

Read the IPA keytab
rkt /etc/httpd/HTTP.keytab-IPA

Read the MAIN keytab
rkt /etc/httpd/HTTP.keytab-AD

List the principals and verify that they look OK
list

Write them back to a combined keytab:
wkt /etc/httpd/HTTP.keytab

Quit:
q

Regards,
Siggi
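The "list the principals and verify that they look OK" step, and the warning that appending to an existing HTTP.keytab merges old and new entries, as an added example that is not part of the thread and is not FreeIPA, MIT krb5 or ktutil code: a small Python parser for the MIT keytab file format that lists the entries of a combined keytab and flags what a bad merge leaves behind (several kvnos for one principal and enctype, two different keys under the same kvno, or a realm missing, since KrbServiceName Any only helps if the HTTP principal of each realm is in the file). The sample keytabs are constructed in memory with dummy keys; the HTTP principal and WINDOWS.DOMAIN come from the thread, the IPA realm name IPA.DOMAIN is assumed, and the kvno and enctype values are made up.

```python
import struct
from collections import defaultdict

# MIT krb5 keytab image: 2-byte magic, then entries of
#   int32 size | uint16 ncomp | realm | components | uint32 name_type | uint32 timestamp
#   | uint8 vno | uint16 enctype | key | [uint32 vno], strings being uint16-length-prefixed.
KEYTAB_MAGIC = b"\x05\x02"
NT_PRINCIPAL = 1            # KRB5_NT_PRINCIPAL, the -ptype used in the thread's ktpass line
AES256_CTS_HMAC_SHA1 = 18   # enctype numbers per RFC 3962 (AES) and RFC 4757 (RC4)
AES128_CTS_HMAC_SHA1 = 17
RC4_HMAC = 23

def _counted(b):
    """uint16 length prefix followed by the bytes."""
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into a keytab image. Used here
    only to construct sample input; real keytabs come from ipa-getkeytab and ktpass."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Parse a version-0x0502 keytab image into a list of entry dicts."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a v2 keytab, magic %r" % data[:2])
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a slot deleted by ktutil delent
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        realm, pos = data[pos + 4:pos + 4 + rlen].decode(), pos + 4 + rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            comps.append(data[pos + 2:pos + 2 + clen].decode())
            pos += 2 + clen
        name_type, timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        key, pos = data[pos + 13:pos + 13 + klen], pos + 13 + klen
        if end - pos >= 4:            # 32-bit vno present; a nonzero value overrides vno8
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "key": key, "name_type": name_type,
                        "timestamp": timestamp})
    return entries

def check_keytab(entries, expected_realms):
    """Findings for a combined HTTP.keytab: conflicting keys under one kvno, a realm
    missing (KrbServiceName Any needs the HTTP principal of each realm), an unexpected
    realm, or several kvnos for one principal/enctype, the mark of an appended keytab."""
    findings, kvnos, keys, realms = [], defaultdict(set), {}, set()
    for e in entries:
        p, et, v = e["principal"], e["enctype"], e["kvno"]
        realms.add(p.rsplit("@", 1)[1])
        kvnos[(p, et)].add(v)
        if keys.setdefault((p, et, v), e["key"]) != e["key"]:
            findings.append("CONFLICT: %s enctype %d kvno %d has two different keys" % (p, et, v))
    findings += ["MISSING: no entry for realm %s" % r for r in sorted(expected_realms - realms)]
    findings += ["UNEXPECTED: entries for realm %s" % r for r in sorted(realms - expected_realms)]
    for (p, et), vs in sorted(kvnos.items()):
        if len(vs) > 1:
            findings.append("STALE: %s enctype %d carries kvnos %s; delete the old HTTP.keytab "
                            "before merging" % (p, et, sorted(vs)))
    return findings

# Constructed sample material: the HTTP principal and WINDOWS.DOMAIN are from the thread,
# IPA.DOMAIN is an assumed realm name for the IPA side, keys are dummy bytes.
EXPECTED_REALMS = {"IPA.DOMAIN", "WINDOWS.DOMAIN"}
IPA_HTTP = "HTTP/webserver.ipa.domain@IPA.DOMAIN"
AD_HTTP = "HTTP/webserver.ipa.domain@WINDOWS.DOMAIN"
FRESH_IPA = [(IPA_HTTP, 3, AES256_CTS_HMAC_SHA1, b"\x11" * 32),
             (IPA_HTTP, 3, AES128_CTS_HMAC_SHA1, b"\x22" * 16)]
FRESH_AD = [(AD_HTTP, 2, RC4_HMAC, b"\x33" * 16)]
STALE_IPA = [(IPA_HTTP, 2, AES256_CTS_HMAC_SHA1, b"\x44" * 32)]   # from a previous getkeytab
COMBINED_OK = build_keytab(FRESH_IPA + FRESH_AD)                   # HTTP.keytab written fresh
COMBINED_APPENDED = build_keytab(STALE_IPA + FRESH_IPA + FRESH_AD)  # old HTTP.keytab not deleted
WITH_DELETED_SLOT = KEYTAB_MAGIC + struct.pack(">i", -3) + b"\0\0\0" + COMBINED_OK[2:]

if __name__ == "__main__":
    for label, image in (("fresh", COMBINED_OK), ("appended", COMBINED_APPENDED)):
        ents = parse_keytab(image)
        print(label, [(e["kvno"], e["enctype"], e["principal"]) for e in ents])
        print("\n".join(check_keytab(ents, EXPECTED_REALMS)) or "  no findings")
```

Against a real file, run parse_keytab on the bytes of /etc/httpd/HTTP.keytab after the wkt step and pass the result to check_keytab with the two realms you expect; an empty findings list is what you want before pointing httpd at the file. Reading the keytab needs the same root or apache privileges as httpd, and the parsed entries carry the long-term keys, so do not log them.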
Re: [Freeipa-users] IPA + AD authentication in apache
On Thu, Jul 18, 2013 at 4:43 PM, Sigbjorn Lie wrote:
>
> Hi.
>
> I've done the kerberos part with several Apache Web servers with success.
> I've not done the fallback to ldap basic auth.
>
> Set KrbServiceName to Any in httpd.conf and put a HTTP service kerberos
> keytab from AD and one from IPA in the same keytab file. Reference this
> keytab file in httpd.conf.

Thanks for the tips.

You wouldn't happen to know how to coax a keytab out of AD when the
box you're using doesn't have the same domain name, do you?

For example, the AD domain is SUB.AD.COMPANY.COM but the Linux box is
UNIX.COMPANY.COM.

When I try to get the keytab with:

net ads keytab add HTTP -U myusername

I get:

libads/kerberos_keytab.c:326: unable to determine machine account's
dns name in AD!

I realize this is diverging wildly from the subject of IPA -- I can
take this off list if anyone is annoyed, just let me know.

Thanks,

--Jason
Re: [Freeipa-users] IPA + AD authentication in apache
Hi.

I've done the kerberos part with several Apache Web servers with success. I've not done the fallback to ldap basic auth.

Set KrbServiceName to Any in httpd.conf and put a HTTP service kerberos keytab from AD and one from IPA in the same keytab file. Reference this keytab file in httpd.conf.

Regards
Siggi

KodaK wrote:
> Another off the wall one from me, but I just want to know if this is worth
> pursuing.
>
> I have a series of internal web applications that authenticate variously to
> AD or IPA via prompted credentials.
>
> I'd like to use Kerberos tickets (and fall back to LDAP) instead.
>
> I have an IPA connected apache server that most of this stuff runs on.
>
> Is it possible to use both?
>
> I'm going to try following this example to get my feet wet:
>
> http://www.tuxlanding.net/kerberos-authentication-with-apache-in-a-multi-domain-active-directory/
>
> but that's just talking about multiple AD realms. I'd like to know if
> there were any special considerations for IPA
>
> Thanks again,
>
> --Jason
>
> --
> The government is going to read our mail anyway, might as well make it
> tough for them. GPG Public key ID: B6A1A7C6

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
[Freeipa-users] IPA + AD authentication in apache
Another off the wall one from me, but I just want to know if this is worth pursuing.

I have a series of internal web applications that authenticate variously to AD or IPA via prompted credentials.

I'd like to use Kerberos tickets (and fall back to LDAP) instead.

I have an IPA connected apache server that most of this stuff runs on.

Is it possible to use both?

I'm going to try following this example to get my feet wet:

http://www.tuxlanding.net/kerberos-authentication-with-apache-in-a-multi-domain-active-directory/

but that's just talking about multiple AD realms. I'd like to know if there were any special considerations for IPA

Thanks again,

--Jason

-- 
The government is going to read our mail anyway, might as well make it tough for them. GPG Public key ID: B6A1A7C6