Removes a kerberos principal from a keytab.
Kerberos keytabs are used for services (like sshd) to perform kerberos authentication. A keytab is a file with one or more secrets (or
keys) for a kerberos principal.
A kerberos service principal is a kerberos identity that can be used for authentication. Service principals contain the name of the ser-
vice, the hostname of the server, and the realm name.
ipa-rmkeytab provides two ways to remove principals. A specific principal can be removed or all principals for a given realm can be
All encryption types and versions of a principal are removed.
The realm may be included when removing a specific principal but it is not required.
NOTE: removing a principal from the keytab does not affect the Kerberos principal stored in the IPA server. It merely removes the entry
from the local keytab.
The non-realm part of the full principal name.
The keytab file to append the principal(s) from.
A realm to remove all principals for.
-d Debug mode. Additional information is displayed.
Remove the NFS service principal on the host foo.example.com from /tmp/nfs.keytab.
# ipa-rmkeytab -p nfs/foo.example.com -k /tmp/nfs.keytab
Remove the ldap service principal on the host foo.example.com from /etc/krb5.keytab.
# ipa-rmkeytab -p ldap/foo.example.com -k /etc/krb5.keytab
Remove all principals for the realm EXAMPLE.COM.
# ipa-rmkeytab -r EXAMPLE.COM -k /etc/krb5.keytab
The exit status is 0 on success, nonzero on error.
1 Kerberos initialization failed
2 Memory allocation error
3 Unable to open keytab
4 Unable to parse the principal name
5 Principal name or realm not found in keytab
6 Unable to remove principal from keytab