<html><head/><body><html><head></head><body>You definitely don't need domain admin. I do not have much rights with my active directory account, still I can retrieve keytabs from ad. Sorry, I'm not at work so I can't figure out exactly what my access level is. Regards Siggi <div class="gmail_quote">KodaK <sakodak@gmail.com> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"> <pre style="white-space: pre-wrap; word-wrap:break-word; font-family: sans-serif; margin-top: 0px">On Fri, Jul 19, 2013 at 9:55 AM, natxo asenjo <natxo.asenjo@gmail.com> wrote: <blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;">On 07/19/2013 04:09 PM, Sigbjorn Lie wrote: <blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #ad7fa8; padding-left: 1ex;">Retreive a keytab from AD: <blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #8ae234; padding-left: 1ex;">ktpass -princ HTTP/webserver.ipa.domain@WINDOWS.DOMAIN +rndpass /mapuser WINDOMAIN\webserver$</blockquote> -crypto all -ptype KRB5_NT_PRINCIPAL -out webserver.keytab The Windows admin will choose if they want to use a Computer Account or a User Account to bind the keytab to. Copy this keytab into /etc/httpd/HTTP.keytab-AD</blockquote> just filling in (just in case this was not clear): ktpass.exe is a windows tool you run in the domain controller (or in a workstation with the admins tool installed).</blockquote> Thanks, everyone. I'm still waiting for a Windows admin to help me out with this. Unfortunately I'm not a domain admin, so I can't do this myself. :/ --Jason <hr /> Freeipa-users mailing list Freeipa-users@redhat.com <a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </pre></blockquote></div> -- Sent from my Android phone with K-9 Mail. Please excuse my brevity.</body></html></body></html>