CentOS 7.0 - man page for ipa-getkeytab (centos section 1)

Linux & Unix Commands - Search Man Pages

Man Page or Keyword Search:   man
Select Man Page Set:       apropos Keyword Search (sections above)


ipa-getkeytab(1)			 IPA Manual Pages			 ipa-getkeytab(1)

NAME
       ipa-getkeytab - Get a keytab for a Kerberos principal

SYNOPSIS
       ipa-getkeytab -s ipaserver -p principal-name -k keytab-file [ -e encryption-types ] [ -q ]
       [ -D|--binddn BINDDN ] [ -w|--bindpw ] [ -P|--password PASSWORD ]

DESCRIPTION
       Retrieves a Kerberos keytab.

       Kerberos keytabs are used for services (like sshd) to perform Kerberos  authentication.	A
       keytab is a file with one or more secrets (or keys) for a Kerberos principal.

       A  Kerberos  service principal is a Kerberos identity that can be used for authentication.
       Service principals contain the name of the service, the hostname of the	server,  and  the
       realm name. For example, the following is an example principal for an ldap server:

	  ldap/foo.example.com@EXAMPLE.COM

       When using ipa-getkeytab the realm name is already provided, so the principal name is just
       the service name and hostname (ldap/foo.example.com from the example above).

       WARNING: retrieving the keytab resets the secret for the Kerberos principal.  This renders
       all other keytabs for that principal invalid.

       This  is  used during IPA client enrollment to retrieve a host service principal and store
       it in /etc/krb5.keytab. It is possible to retrieve the keytab without Kerberos credentials
       if the host was pre-created with a one-time password. The keytab can be retrieved by bind-
       ing as the host and authenticating  with  this  one-time  password.  The  -D|--binddn  and
       -w|--bindpw options are used for this authentication.

OPTIONS
       -s ipaserver
	      The IPA server to retrieve the keytab from (FQDN).

       -p principal-name
	      The non-realm part of the full principal name.

       -k keytab-file
	      The keytab file where to append the new key (will be created if it does not exist).

       -e encryption-types
	      The list of encryption types to use to generate keys.  ipa-getkeytab will use local
	      client defaults if not provided.	Valid values depend on the Kerberos library  ver-
	      sion  and  configuration.   Common values are: aes256-cts aes128-cts des3-hmac-sha1
	      arcfour-hmac des-hmac-sha1 des-cbc-md5 des-cbc-crc

       -q     Quiet mode. Only errors are displayed.

       --permitted-enctypes
	      This options returns a description of the permitted encryption  types,  like  this:
	      Supported  encryption  types:  AES-256  CTS mode with 96-bit SHA-1 HMAC AES-128 CTS
	      mode with 96-bit SHA-1 HMAC  Triple  DES	cbc  mode  with  HMAC/sha1  ArcFour  with
	      HMAC/md5	DES  cbc  mode	with  CRC-32  DES cbc mode with RSA-MD5 DES cbc mode with
	      RSA-MD4

       -P, --password
	      Use this password for the key instead of one randomly generated.

       -D, --binddn
	      The LDAP DN to bind as when retrieving a keytab without Kerberos credentials.  Gen-
	      erally used with the -w option.

       -w, --bindpw
	      The LDAP password to use when not binding with Kerberos.

EXAMPLES
       Add  and  retrieve  a keytab for the NFS service principal on the host foo.example.com and
       save it in the file /tmp/nfs.keytab and retrieve just the des-cbc-crc key.

	  # ipa-getkeytab -s ipaserver.example.com -p nfs/foo.example.com -k  /tmp/nfs.keytab  -e
       des-cbc-crc

       Add  and  retrieve a keytab for the ldap service principal on the host foo.example.com and
       save it in the file /tmp/ldap.keytab.

	  # ipa-getkeytab -s ipaserver.example.com -p ldap/foo.example.com -k /tmp/ldap.keytab

       Retrieve a keytab using LDAP credentials (this will typically be done by ipa-join(1)  when
       enrolling a client using the ipa-client-install(1) command:

	  # ipa-getkeytab -s ipaserver.example.com -p host/foo.example.com -k /etc/krb5.keytab -D
       fqdn=foo.example.com,cn=computers,cn=accounts,dc=example,dc=com -w password

EXIT STATUS
       The exit status is 0 on success, nonzero on error.

       0 Success

       1 Kerberos context initialization failed

       2 Incorrect usage

       3 Out of memory

       4 Invalid service principal name

       5 No Kerberos credentials cache

       6 No Kerberos principal and no bind DN and password

       7 Failed to open keytab

       8 Failed to create key material

       9 Setting keytab failed

       10 Bind password required when using a bind DN

       11 Failed to add key to keytab

       12 Failed to close keytab

IPA					   Oct 10 2007				 ipa-getkeytab(1)
Unix & Linux Commands & Man Pages : ©2000 - 2018 Unix and Linux Forums


All times are GMT -4. The time now is 03:49 AM.

Unix & Linux Forums Content Copyright©1993-2018. All Rights Reserved.
×
UNIX.COM Login
Username:
Password:  
Show Password





Not a Forum Member?
Forgot Password?