Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

ipa-rmkeytab(1) [centos man page]

ipa-rmkeytab(1) 						 IPA Manual Pages						   ipa-rmkeytab(1)

NAME

       ipa-rmkeytab - Remove a kerberos principal from a keytab

SYNOPSIS

       ipa-rmkeytab [ -p principal-name ] [ -k keytab-file ] [ -r realm ] [ -d ]

DESCRIPTION

       Removes a kerberos principal from a keytab.

       Kerberos  keytabs  are  used  for  services (like sshd) to perform kerberos authentication. A keytab is a file with one or more secrets (or
       keys) for a kerberos principal.

       A kerberos service principal is a kerberos identity that can be used for authentication. Service principals contain the name  of  the  ser-
       vice, the hostname of the server, and the realm name.

       ipa-rmkeytab  provides  two  ways  to  remove  principals.   A specific principal can be removed or all principals for a given realm can be
       removed.

       All encryption types and versions of a principal are removed.

       The realm may be included when removing a specific principal but it is not required.

       NOTE: removing a principal from the keytab does not affect the Kerberos principal stored in the IPA server. It  merely  removes	the  entry
       from the local keytab.

OPTIONS

       -p principal-name
	      The non-realm part of the full principal name.

       -k keytab-file
	      The keytab file to append the principal(s) from.

       -r realm
	      A realm to remove all principals for.

       -d     Debug mode. Additional information is displayed.

EXAMPLES

       Remove the NFS service principal on the host foo.example.com from /tmp/nfs.keytab.

	  # ipa-rmkeytab -p nfs/foo.example.com -k /tmp/nfs.keytab

       Remove the ldap service principal on the host foo.example.com from /etc/krb5.keytab.

	  # ipa-rmkeytab -p ldap/foo.example.com -k /etc/krb5.keytab

       Remove all principals for the realm EXAMPLE.COM.

	 # ipa-rmkeytab -r EXAMPLE.COM -k /etc/krb5.keytab

EXIT STATUS

       The exit status is 0 on success, nonzero on error.

       1 Kerberos initialization failed

       2 Memory allocation error

       3 Unable to open keytab

       4 Unable to parse the principal name

       5 Principal name or realm not found in keytab

       6 Unable to remove principal from keytab

IPA
								    Oct 30 2009 						   ipa-rmkeytab(1)

Check Out this Related Man Page

certmonger(8)						      System Manager's Manual						     certmonger(8)

NAME

       ipa-submit

SYNOPSIS

       ipa-submit  [-h	serverHost]  [-H  serverURL] [-c cafile] [-C capath] [[-K]  | [-t keytab] [-k submitterPrincipal]] [-P principalOfRequest]
       [csrfile]

DESCRIPTION

       ipa-submit is the helper which certmonger uses to make requests to IPA-based CAs.  It is not normally run interactively, but it can be  for
       troubleshooting	purposes.   The signing request which is to be submitted should either be in a file whose name is given as an argument, or
       fed into ipa-submit via stdin.

OPTIONS

       -P csrPrincipal
	      Identifies the principal name of the service for which the certificate is being issued.  This setting is required by  IPA  and  must
	      always be specified.

       -h serverHost
	      Submit  the  request  to	the  IPA  server  running  on  the  named  host.   The	default  is  to read the location of the host from
	      /etc/ipa/default.conf.

       -H serverURL
	      Submit the request to the IPA server  at	the  specified	location.   The  default  is  to  read	the  location  of  the	host  from
	      /etc/ipa/default.conf.

       -c cafile
	      The server's certificate was issued by the CA whose certificate is in the named file.  The default value is /etc/ipa/ca.crt.

       -C capath
	      Trust  the  server if its certificate was issued by a CA whose certificate is in a file in the named directory.  There is no default
	      for this option, and it is not expected to be necessary.

       -t keytab
	      Authenticate to the IPA server using credentials derived from keys stored in the named keytab.  The default value can vary,  but	it
	      is usually /etc/krb5.keytab.  This option conflicts with the -K option.

       -k authPrincipal
	      Authenticate  to the IPA server using credentials derived from keys stored in the named keytab for this principal name.  The default
	      value is the host service for the local host in the local realm.	This option conflicts with the -K option.

       -K     Authenticate to the IPA server using credentials derived from the default credential cache rather than a keytab.	This  option  con-
	      flicts with the -k option.

EXIT STATUS

       0      if the certificate was issued. The certificate will be printed.

       1      if the CA is still thinking.  A cookie value will be printed.

       2      if the CA rejected the request.  An error message may be printed.

       3      if the CA was unreachable.  An error message may be printed.

       4      if critical configuration information is missing.  An error message may be printed.

FILES

       /etc/ipa/default.conf
	      is the IPA client configuration file.  This file is consulted to determine the URL for the IPA server's XML-RPC interface.

BUGS

       Please file tickets for any that you find at https://fedorahosted.org/certmonger/

SEE ALSO

       certmonger(8)  getcert(1)  getcert-list(1) getcert-list-cas(1) getcert-resubmit(1) getcert-start-tracking(1) getcert-stop-tracking(1) cert-
       monger-dogtag-ipa-renew-agent-submit(8) certmonger-certmaster-submit(8) certmonger_selinux(8)

certmonger Manual						    7 June 2010 						     certmonger(8)
Man Page