On Wed, 9 Mar 2011, John Hodrien wrote: > On Wed, 9 Mar 2011, Dvorkin, Asya wrote: > >> Thank you, John. >> >> I forgot to add that we cannot generate keytab from AD server for various >> reasons that I have no control over. And are you really sure this is the case? If you can join to a domain, you can get a keytab (you don't need AD admin rights to do this). If you were just using Samba to do the join, something like: use kerberos keytab = yes in your smb.conf and a: net ads keytab create net ads keytab add http on the joined machine would get you a keytab suitable for web auth. klist -k would then show you what you'd got. jh