[CentOS] Apache/Active Directory authentication

Wed Mar 9 15:09:58 UTC 2011
John Hodrien <J.H.Hodrien at leeds.ac.uk>

On Wed, 9 Mar 2011, John Hodrien wrote:

> On Wed, 9 Mar 2011, Dvorkin, Asya wrote:
>
>> Thank you, John.
>>
>> I forgot to add that we cannot generate keytab from AD server for various
>> reasons that I have no control over.

And are you really sure this is the case?  If you can join to a domain, you
can get a keytab (you don't need AD admin rights to do this).

If you were just using Samba to do the join, something like:

use kerberos keytab = yes

in your smb.conf

and a:

net ads keytab create
net ads keytab add http

on the joined machine would get you a keytab suitable for web auth.

klist -k would then show you what you'd got.

jh
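
Added example, not part of the original post: a check on the `klist -k` output mentioned above that confirms the keytab holds an HTTP service principal for the web host's FQDN. The function names, the sample listing, and the host `web01.example.com` are constructed for illustration; matching the service name case-insensitively is a choice of this example.

```shell
# Constructed sample of `klist -k` output (MIT Kerberos layout); not real data.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/web01.example.com@EXAMPLE.COM
   2 HTTP/web01.example.com@EXAMPLE.COM
   2 HTTP/web01@EXAMPLE.COM
   2 WEB01$@EXAMPLE.COM'

# Print the unique HTTP/... principals found in `klist -k` output on stdin.
http_principals() {
    # Entry lines start with a numeric KVNO; header lines do not.
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $2 }' | grep -i '^http/' | sort -u
}

# Succeed (and print the match) only if an HTTP principal exists for the
# given FQDN. $1 = host FQDN, stdin = `klist -k` output.
check_web_keytab() {
    fqdn=$1
    # Split "service/host@REALM" on "/" and "@"; compare the host part.
    found=$(http_principals |
        awk -F'[/@]' -v h="$fqdn" 'tolower($2) == tolower(h)')
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 0
    fi
    echo "no HTTP principal for $fqdn in keytab" >&2
    return 1
}

# Offline demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_KLIST" | check_web_keytab web01.example.com

# On a joined machine the same check would be fed from the real keytab:
#   klist -k | check_web_keytab "$(hostname -f)"
```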