[Freeipa-users] IPA + AD authentication in apache

Sigbjorn Lie sigbjorn at nixtra.com
Fri Jul 19 14:09:02 UTC 2013
On Fri, July 19, 2013 15:23, KodaK wrote:
> On Thu, Jul 18, 2013 at 4:43 PM, Sigbjorn Lie <sigbjorn at nixtra.com> wrote:
>
>>
>> Hi.
>>
>>
>> I've done the kerberos part with several Apache Web servers with success. I've not done the
>> fallback to ldap basic auth.
>>
>> Set KrbServiceName to Any in httpd.conf and put a HTTP service kerberos keytab from AD and one
>> from IPA in the same keytab file. Reference this keytab file in httpd.conf.
>
>
> Thanks for the tips.
>
>
> You wouldn't happen to know how to coax a keytab out of AD when the
> box you're using doesn't have the same domain name, do you?
>
> For example, the AD domain is SUB.AD.COMPANY.COM but the Linux box is
> UNIX.COMPANY.COM.
>
>
> When I try to get the keytab with:
>
>
> net ads keytab add HTTP -U myusername
>
> I get:
>
>
> libads/kerberos_keytab.c:326: unable to determine machine account's
> dns name in AD!
>
> I realize this is diverging wildly from the subject of IPA -- I can
> take this off list if anyone is annoyed, just let me know.
>

Hi,

Please see below my notes for how to create a combined keytab file.


Retrieve a keytab from IPA:

Make sure you have a valid kerberos TGT:
$ klist
Check to see if the service exists in IPA:
$ ipa service-find HTTP/webserver.ipa.domain

If it does not exist, create it with ipa service-add.

Retrieve the keytab:
$ ipa-getkeytab -s ipa01 -p HTTP/webserver.ipa.domain -k /etc/httpd/HTTP.keytab-IPA



Retrieve a keytab from AD:

> ktpass -princ HTTP/webserver.ipa.domain@WINDOWS.DOMAIN +rndpass /mapuser WINDOMAIN\webserver$ -crypto all -ptype KRB5_NT_PRINCIPAL -out webserver.keytab

The Windows admin will choose if they want to use a Computer Account or a User Account to bind the
keytab to.
Copy this keytab into /etc/httpd/HTTP.keytab-AD


Combine the keytabs using ktutil:
If /etc/httpd/HTTP.keytab already exists, delete it.
Failure to do so will append the keytabs, merging old and new keytabs into a single file. THIS WILL
MAKE AUTHENTICATION FAIL!!

Fire up ktutil
$ ktutil

Read the IPA keytab
rkt /etc/httpd/HTTP.keytab-IPA

Read the MAIN keytab
rkt /etc/httpd/HTTP.keytab-AD

List the principals and verify that they look OK
list

Write them back to a combined keytab:
wkt /etc/httpd/HTTP.keytab

Quit:
q


Regards,
Siggi
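The merge procedure above, wrapped in a small POSIX shell script so the stale-keytab pitfall (ktutil appending to an existing /etc/httpd/HTTP.keytab) cannot be hit by accident. This is an added example, not code from the post or from the FreeIPA project; the file paths are the ones the post uses, and the function names (`ktutil_commands`, `prepare_output`, `inputs_ok`, `merge_keytabs`) are this script's own. ktutil and klist are only invoked when they are installed.

```shell
#!/bin/sh
# Added example (not from the original post): merge an IPA and an AD HTTP keytab
# with ktutil, removing any previous combined keytab first so that wkt does not
# append to it. Paths follow the post; function names are assumptions of this script.

set -u

# Emit the ktutil command stream: read both keytabs, list them, write the combined file.
# Printed rather than piped directly so it can be inspected before use.
ktutil_commands() {
    # $1 = IPA keytab, $2 = AD keytab, $3 = combined output keytab
    printf 'rkt %s\nrkt %s\nlist\nwkt %s\nq\n' "$1" "$2" "$3"
}

# Remove a stale combined keytab so ktutil does not merge old and new entries.
# Returns 0 once the file is guaranteed absent, 1 if it exists and cannot be removed.
prepare_output() {
    out=$1
    if [ -e "$out" ]; then
        rm -f "$out" || return 1
    fi
    [ ! -e "$out" ]
}

# Every input keytab must exist and be non-empty before we start.
inputs_ok() {
    for f in "$@"; do
        [ -s "$f" ] || return 1
    done
    return 0
}

merge_keytabs() {
    ipa_kt=$1; ad_kt=$2; out=$3
    inputs_ok "$ipa_kt" "$ad_kt" || { echo "missing or empty input keytab" >&2; return 1; }
    prepare_output "$out" || { echo "cannot remove stale $out" >&2; return 1; }
    if command -v ktutil >/dev/null 2>&1; then
        ktutil_commands "$ipa_kt" "$ad_kt" "$out" | ktutil || return 1
        # Show the result so principals from both realms can be checked by eye.
        klist -kt "$out"
    else
        echo "ktutil not found; the commands that would be run are:" >&2
        ktutil_commands "$ipa_kt" "$ad_kt" "$out" >&2
    fi
}

# Usage: ./merge-keytabs.sh /etc/httpd/HTTP.keytab-IPA /etc/httpd/HTTP.keytab-AD /etc/httpd/HTTP.keytab
if [ "$#" -eq 3 ]; then
    merge_keytabs "$@"
fi
```

After running it, check the combined file with `klist -kt /etc/httpd/HTTP.keytab` and confirm that exactly one HTTP principal per realm is listed; a keytab that shows duplicate principals with differing kvno values is the appended case the post warns about.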