Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

CentOS 7.0 - man page for ipa-getkeytab (centos section 1)

ipa-getkeytab(1)						 IPA Manual Pages						  ipa-getkeytab(1)

NAME
ipa-getkeytab - Get a keytab for a Kerberos principal
SYNOPSIS
ipa-getkeytab -s ipaserver -p principal-name -k keytab-file [ -e encryption-types ] [ -q ] [ -D|--binddn BINDDN ] [ -w|--bindpw ] [ -P|--password PASSWORD ]
DESCRIPTION
Retrieves a Kerberos keytab. Kerberos keytabs are used for services (like sshd) to perform Kerberos authentication. A keytab is a file with one or more secrets (or keys) for a Kerberos principal. A Kerberos service principal is a Kerberos identity that can be used for authentication. Service principals contain the name of the ser- vice, the hostname of the server, and the realm name. For example, the following is an example principal for an ldap server: ldap/foo.example.com@EXAMPLE.COM When using ipa-getkeytab the realm name is already provided, so the principal name is just the service name and hostname (ldap/foo.exam- ple.com from the example above). WARNING: retrieving the keytab resets the secret for the Kerberos principal. This renders all other keytabs for that principal invalid. This is used during IPA client enrollment to retrieve a host service principal and store it in /etc/krb5.keytab. It is possible to retrieve the keytab without Kerberos credentials if the host was pre-created with a one-time password. The keytab can be retrieved by binding as the host and authenticating with this one-time password. The -D|--binddn and -w|--bindpw options are used for this authentication.
OPTIONS
-s ipaserver The IPA server to retrieve the keytab from (FQDN). -p principal-name The non-realm part of the full principal name. -k keytab-file The keytab file where to append the new key (will be created if it does not exist). -e encryption-types The list of encryption types to use to generate keys. ipa-getkeytab will use local client defaults if not provided. Valid values depend on the Kerberos library version and configuration. Common values are: aes256-cts aes128-cts des3-hmac-sha1 arcfour-hmac des-hmac-sha1 des-cbc-md5 des-cbc-crc -q Quiet mode. Only errors are displayed. --permitted-enctypes This options returns a description of the permitted encryption types, like this: Supported encryption types: AES-256 CTS mode with 96-bit SHA-1 HMAC AES-128 CTS mode with 96-bit SHA-1 HMAC Triple DES cbc mode with HMAC/sha1 ArcFour with HMAC/md5 DES cbc mode with CRC-32 DES cbc mode with RSA-MD5 DES cbc mode with RSA-MD4 -P, --password Use this password for the key instead of one randomly generated. -D, --binddn The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Generally used with the -w option. -w, --bindpw The LDAP password to use when not binding with Kerberos.
EXAMPLES
Add and retrieve a keytab for the NFS service principal on the host foo.example.com and save it in the file /tmp/nfs.keytab and retrieve just the des-cbc-crc key. # ipa-getkeytab -s ipaserver.example.com -p nfs/foo.example.com -k /tmp/nfs.keytab -e des-cbc-crc Add and retrieve a keytab for the ldap service principal on the host foo.example.com and save it in the file /tmp/ldap.keytab. # ipa-getkeytab -s ipaserver.example.com -p ldap/foo.example.com -k /tmp/ldap.keytab Retrieve a keytab using LDAP credentials (this will typically be done by ipa-join(1) when enrolling a client using the ipa-client-install(1) command: # ipa-getkeytab -s ipaserver.example.com -p host/foo.example.com -k /etc/krb5.keytab -D fqdn=foo.example.com,cn=comput- ers,cn=accounts,dc=example,dc=com -w password
EXIT STATUS
The exit status is 0 on success, nonzero on error. 0 Success 1 Kerberos context initialization failed 2 Incorrect usage 3 Out of memory 4 Invalid service principal name 5 No Kerberos credentials cache 6 No Kerberos principal and no bind DN and password 7 Failed to open keytab 8 Failed to create key material 9 Setting keytab failed 10 Bind password required when using a bind DN 11 Failed to add key to keytab 12 Failed to close keytab
IPA
Oct 10 2007 ipa-getkeytab(1)