[Freeipa-users] IPA + AD authentication in apache

KodaK sakodak at gmail.com
Fri Jul 19 13:23:46 UTC 2013


On Thu, Jul 18, 2013 at 4:43 PM, Sigbjorn Lie <sigbjorn at nixtra.com> wrote:
>
> Hi.
>
> I've done the kerberos part with several Apache Web servers with success. I've not done the fallback to ldap basic auth.
>
> Set KrbServiceName to Any in httpd.conf and put a HTTP service kerberos keytab from AD and one from IPA in the same keytab file. Reference this keytab file in httpd.conf.


Thanks for the tips.

You wouldn't happen to know how to coax a keytab out of AD when the
box you're using doesn't have the same domain name, do you?

For example, the AD domain is SUB.AD.COMPANY.COM but the Linux box is
UNIX.COMPANY.COM.

When I try to get the keytab with:

net ads keytab add HTTP -U myusername

I get:

 libads/kerberos_keytab.c:326: unable to determine machine account's
dns name in AD!

I realize this is diverging wildly from the subject of IPA -- I can
take this off list if anyone is annoyed, just let me know.

Thanks,

--Jason



