Installation and Maintenance

Generation of keytab files

The KDC encrypts every service ticket with the long-term key of the service it is issued for, so to decrypt the tickets issued by the Kerberos service, Linux and Apache need a copy of the key that the Kerberos database stores for this workstation's computer object. Locally the key(s) are kept in a file called a keytab. A computer object may carry keys for several encryption types and several "Service Principal Names" (SPNs), so the keytab holds multiple entries: one key per encryption type for each SPN that names the workstation and its services (host, HTTP, ...).

The command:

net ads keytab add HTTP -U username

creates (or extends) the file "/etc/krb5.keytab" with the HTTP SPNs associated with the Linux system. (Many instructions run "net ads keytab create -U username" first, but I could configure working keytabs without this step.)
 
After that, a first test of the keytab and its SPNs can be done:

kinit -k -t /etc/krb5.keytab HTTP/canonical-fqdn@REALM

should print nothing. That means the KDC accepted the key from the keytab and issued a ticket (a ticket-granting ticket) to the HTTP SPN of the system, i.e. the key in the keytab matches the one in the Kerberos database. The two usual failures are "Preauthentication failed" (the keytab key does not match the key the KDC holds, for example after the machine password was changed) and "Client not found in Kerberos database" (the SPN is not registered on the computer object).
The command simulates a login: the last parameter is the principal to authenticate as (here the HTTP SPN), -k tells kinit to take the key from a keytab instead of asking for a password, and -t /etc/krb5.keytab selects the keytab file. Machine accounts usually have no UPN in the Kerberos database; the one for this system was created with the createupn= parameter during the join process.

klist

shows the credentials now in the cache: the default principal (the HTTP SPN) and the ticket-granting ticket krbtgt/REALM@REALM with its validity period. (Don't forget to "kdestroy" this afterwards; the cache belongs to the test, not to Apache.)
 
To make the keytab usable for the Apache service, move it to a location with no public access and set owner root, group the Apache group and mode 0440, so that only root and Apache can read it. If Apache can't read the file, every protected request fails with an HTTP 500 error. Treat the keytab like a password: whoever can read it holds the computer account's key and can impersonate the HTTP service and decrypt every ticket issued for it.
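What "net ads keytab add" wrote can be listed with "klist -kte", but it helps to know the file itself. The following Python script is an added example for this page (not Samba, MIT or the author's code): it parses the MIT keytab format used by /etc/krb5.keytab, lists every principal with its key version number (kvno) and encryption type, and checks the ownership and mode described above. The realm, host name and the Apache group name www-data are assumptions; the keytab used in the self-test is built by the script's own write_keytab(), not taken from a real system.

```python
"""List the entries of an MIT-format keytab (the layout written by
net ads keytab add and read by kinit -k -t) and check who may read it.
Added example for this tutorial, not Samba or MIT code; realm, host and
the Apache group name are placeholders."""
import os
import stat
import struct
import time

KEYTAB_MAGIC = b"\x05\x02"       # keytab file format version 0x0502

# RFC 3961/4757 enctype numbers an Active Directory KDC hands out
ENCTYPES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",           # RC4, deprecated
}


def _counted(buf, pos):
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return one dict per live entry: principal, kvno, enctype, timestamp, key_len."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab, magic %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # deleted entry: a hole of -size bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)   # realm is not counted
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, keylen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + keylen           # skip name type, timestamp, vno8, keyblock
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, "enctype %d" % enctype),
                        "timestamp": timestamp, "key_len": keylen})
    return entries


def write_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples in the same layout (for tests)."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">IIB", 1, int(time.time()), kvno & 0xFF)  # NT-PRINCIPAL
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                                # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def keytab_perm_problems(mode, uid, gid, apache_gid):
    """Problems with ownership/mode; an empty list means 'root:apache 0440'."""
    mode = stat.S_IMODE(mode)
    problems = []
    if uid != 0:
        problems.append("owner is uid %d, expected root" % uid)
    if gid != apache_gid:
        problems.append("group is gid %d, expected Apache's gid %d" % (gid, apache_gid))
    if mode & 0o007:
        problems.append("world-accessible (mode %04o): anyone can steal the key" % mode)
    if mode & 0o222:
        problems.append("writable (mode %04o), expected read-only 0440" % mode)
    if not mode & 0o040:
        problems.append("group has no read access: Apache will answer HTTP 500")
    return problems


if __name__ == "__main__":
    import grp
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/krb5.keytab"
    group = sys.argv[2] if len(sys.argv) > 2 else "www-data"   # assumed Apache group
    st = os.stat(path)
    for p in keytab_perm_problems(st.st_mode, st.st_uid, st.st_gid, grp.getgrnam(group).gr_gid):
        print("WARNING:", p)
    with open(path, "rb") as f:
        for e in parse_keytab(f.read()):
            when = time.strftime("%Y-%m-%d %H:%M", time.localtime(e["timestamp"]))
            print("%-40s kvno %-3d %-25s %s" % (e["principal"], e["kvno"], e["enctype"], when))
```

Run it as root against the real file, e.g. "python3 keytab_check.py /etc/krb5.keytab www-data" (script name and group are placeholders). Expect one entry per SPN and encryption type, all with the same kvno; a kvno lower than the one the KDC now uses (it increases when the machine password is rotated) means the keytab must be regenerated, because new tickets are encrypted with the newer key.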


