[Freeipa-users] IPA + AD authentication in apache

Sigbjorn Lie sigbjorn at nixtra.com
Fri Jul 19 22:00:06 UTC 2013


You definitely don't need domain admin. I do not have many rights with my Active Directory account; still, I can retrieve keytabs from AD. Sorry, I'm not at work so I can't figure out exactly what my access level is.

Regards
Siggi

KodaK <sakodak at gmail.com> wrote:

>On Fri, Jul 19, 2013 at 9:55 AM, natxo asenjo <natxo.asenjo at gmail.com> wrote:
>> On 07/19/2013 04:09 PM, Sigbjorn Lie wrote:
>>>
>>>
>>> Retrieve a keytab from AD:
>>>
>>>> ktpass -princ HTTP/webserver.ipa.domain@WINDOWS.DOMAIN +rndpass /mapuser WINDOMAIN\webserver$ -crypto all -ptype KRB5_NT_PRINCIPAL -out webserver.keytab
>>>
>>> The Windows admin will choose if they want to use a Computer Account or a User Account to bind the keytab to.
>>> Copy this keytab into /etc/httpd/HTTP.keytab-AD
>>
>>
>> just filling in (just in case this was not clear): ktpass.exe is a
>> Windows tool you run on the domain controller (or on a workstation with
>> the admin tools installed).
>
>Thanks, everyone.
>
>I'm still waiting for a Windows admin to help me out with this.
>Unfortunately I'm not a domain admin, so I can't do this myself. :/
>
>--Jason

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.