ipa-getkeytab(1)               IPA Manual Pages               ipa-getkeytab(1)

NAME

       ipa-getkeytab - Get a keytab for a Kerberos principal

SYNOPSIS

       ipa-getkeytab -p principal-name -k keytab-file [ -e encryption-types ]
       [ -s ipaserver ] [ -q ] [ -D|--binddn BINDDN ] [ -w|--bindpw ]
       [ -P|--password PASSWORD ] [ --cacert CACERT ] [ -H|--ldapuri URI ]
       [ -Y|--mech GSSAPI|EXTERNAL ] [ -r ]

DESCRIPTION

       Retrieves a Kerberos keytab.

       Kerberos keytabs are used by services (like sshd) to perform Kerberos
       authentication. A keytab is a file with one or more secrets (or keys)
       for a Kerberos principal.

       A Kerberos service principal is a Kerberos identity that can be used
       for authentication. Service principals contain the name of the service,
       the hostname of the server, and the realm name. For example, the
       following is an example principal for an ldap server:

          ldap/foo.example.com@EXAMPLE.COM

       When using ipa-getkeytab the realm name is already provided, so the
       principal name is just the service name and hostname
       (ldap/foo.example.com from the example above).

       ipa-getkeytab is used during IPA client enrollment to retrieve a host
       service principal and store it in /etc/krb5.keytab. It is possible to
       retrieve the keytab without Kerberos credentials if the host was
       pre-created with a one-time password. The keytab can be retrieved by
       binding as the host and authenticating with this one-time password. The
       -D|--binddn and -w|--bindpw options are used for this authentication.

       WARNING: retrieving the keytab resets the secret for the Kerberos
       principal. This renders all other keytabs for that principal invalid.
       When multiple hosts or services need to share the same key (for
       instance in high availability or load balancing clusters), the -r
       option must be used to retrieve the existing key instead of generating
       a new one (please refer to the EXAMPLES section).

       Note that the user or host calling ipa-getkeytab needs to be allowed to
       generate the key with ipa host-allow-create-keytab or
       ipa service-allow-create-keytab, and the user or host calling
       ipa-getkeytab -r needs to be allowed to retrieve the keytab for the host
       or service with ipa host-allow-retrieve-keytab or
       ipa service-allow-retrieve-keytab.


OPTIONS

       -p principal-name
              The non-realm part of the full principal name.

       -k keytab-file
              The keytab file to which the new key is appended (it will be
              created if it does not exist).

       -e encryption-types
              The list of encryption types to use to generate keys.
              ipa-getkeytab will use local client defaults if not provided.
              Valid values depend on the Kerberos library version and
              configuration. Common values are: aes256-cts, aes128-cts,
              des3-hmac-sha1, arcfour-hmac, des-hmac-sha1, des-cbc-md5,
              des-cbc-crc.

       -s ipaserver
              The IPA server to retrieve the keytab from (FQDN). If this
              option is not provided the server name is read from the IPA
              configuration file (/etc/ipa/default.conf). Cannot be used
              together with -H.

       -q     Quiet mode. Only errors are displayed.

       --permitted-enctypes
              This option prints a description of the permitted encryption
              types, like this:

                 Supported encryption types:
                 AES-256 CTS mode with 96-bit SHA-1 HMAC
                 AES-128 CTS mode with 96-bit SHA-1 HMAC
                 Triple DES cbc mode with HMAC/sha1
                 ArcFour with HMAC/md5
                 DES cbc mode with CRC-32
                 DES cbc mode with RSA-MD5
                 DES cbc mode with RSA-MD4

       -P, --password
              Use this password for the key instead of one randomly generated.

       -D, --binddn
              The LDAP DN to bind as when retrieving a keytab without Kerberos
              credentials. Generally used with the -w option.

       -w, --bindpw
              The LDAP password to use when not binding with Kerberos. -D and
              -w cannot be used together with -Y.

       --cacert
              The path to the IPA CA certificate used to validate
              LDAPS/STARTTLS connections. Defaults to /etc/ipa/ca.crt.

       -H, --ldapuri
              LDAP URI. If ldap:// is specified, STARTTLS is initiated by
              default. Cannot be used with -s.

       -Y, --mech
              SASL mechanism to use if -D and -w are not specified. Use either
              GSSAPI or EXTERNAL.

       -r     Retrieve mode. Retrieve an existing key from the server instead
              of generating a new one. This is incompatible with the
              --password option, and will work only against an IPA server more
              recent than version 3.3. The user requesting the keytab must have
              access to the keys for this operation to succeed.

EXAMPLES

       Add and retrieve a keytab for the NFS service principal on the host
       foo.example.com, save it in the file /tmp/nfs.keytab, and retrieve
       just the des-cbc-crc key.

          # ipa-getkeytab -p nfs/foo.example.com -k /tmp/nfs.keytab -e des-cbc-crc

       Add and retrieve a keytab for the ldap service principal on the host
       foo.example.com and save it in the file /tmp/ldap.keytab.

          # ipa-getkeytab -s ipaserver.example.com -p ldap/foo.example.com -k /tmp/ldap.keytab

       Retrieve a keytab using LDAP credentials (this will typically be done
       by ipa-join(1) when enrolling a client using the ipa-client-install(1)
       command):

          # ipa-getkeytab -s ipaserver.example.com -p host/foo.example.com -k /etc/krb5.keytab -D fqdn=foo.example.com,cn=computers,cn=accounts,dc=example,dc=com -w password

       Add and retrieve a keytab for a clustered HTTP service deployed on
       client1.example.com and client2.example.com (already enrolled), using
       the client-frontend.example.com host name:

          # ipa host-add client-frontend.example.com --ip-address 10.1.2.3
          # ipa service-add HTTP/client-frontend.example.com
          # ipa service-allow-retrieve-keytab HTTP/client-frontend.example.com --hosts={client1.example.com,client2.example.com}
          # ipa service-allow-create-keytab HTTP/client-frontend.example.com --hosts=client1.example.com

       On client1, generate and retrieve a new keytab for
       client-frontend.example.com:

          # kinit -k
          # ipa-getkeytab -p HTTP/client-frontend.example.com -k /tmp/http.keytab

       On client2, retrieve the existing keytab for client-frontend.example.com:

          # kinit -k
          # ipa-getkeytab -r -p HTTP/client-frontend.example.com -k /tmp/http.keytab

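       The WARNING above and the cluster example rest on one observable fact: a
       keytab written without -r carries a new key version number (kvno), while
       the keytab on every other node still holds the old one. The following
       Python is an added example, not part of this manual page or of FreeIPA:
       it reads the MIT keytab format (version 0x0502) that -k writes, reports
       principal, kvno and the enctype name as used by -e, and compares two
       nodes' keytabs to flag a principal that was re-keyed on one of them. The
       two sample keytabs are constructed in the block; the key bytes are fake.

```python
import struct
ENCTYPES = {18: "aes256-cts", 17: "aes128-cts", 23: "arcfour-hmac", 1: "des-cbc-crc"}  # RFC 3961/3962 ids -> -e names

def _read_cos(buf, off):  # counted_octet_string: uint16 length, then the bytes; returns (bytes, new offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n

def build_entry(principal, realm, kvno, enctype, key):
    """Serialise one version-0x0502 keytab entry (used only to build the constructed samples below)."""
    cos = lambda b: struct.pack(">H", len(b)) + b
    comps = [c.encode() for c in principal.split("/")]
    body = struct.pack(">H", len(comps)) + cos(realm.encode()) + b"".join(map(cos, comps))
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + cos(key)  # name_type, timestamp, vno8, keyblock
    body += struct.pack(">I", kvno)  # optional 32-bit vno; overrides vno8 when present
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype name)] for each entry; the key bytes themselves are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, out = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        end = off + abs(size)
        if size > 0:  # a negative size marks a free (deleted) slot of that length
            (ncomp,) = struct.unpack_from(">H", data, off)
            realm, p = _read_cos(data, off + 2)
            comps = []
            for _ in range(ncomp):
                comp, p = _read_cos(data, p)
                comps.append(comp.decode())
            vno8, etype = struct.unpack_from(">IIBH", data, p)[2:]
            _key, p = _read_cos(data, p + 11)
            kvno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else vno8
            out.append(("/".join(comps) + "@" + realm.decode(), kvno, ENCTYPES.get(etype, str(etype))))
        off = end
    return out

def stale_principals(kt_a, kt_b):
    """Principals whose highest kvno differs between two hosts' keytabs (one node re-keyed without -r)."""
    def top(kt):  # highest kvno per principal
        ents = parse_keytab(kt)
        return {p: max(k for q, k, _ in ents if q == p) for p, _, _ in ents}
    a, b = top(kt_a), top(kt_b)
    return sorted(p for p in set(a) | set(b) if a.get(p) != b.get(p))

# Constructed sample: both nodes held kvno 3 until client1 ran ipa-getkeytab without -r and got kvno 4.
CLIENT1 = b"\x05\x02" + build_entry("HTTP/client-frontend.example.com", "EXAMPLE.COM", 4, 18, b"\x11" * 32)
CLIENT2 = b"\x05\x02" + build_entry("HTTP/client-frontend.example.com", "EXAMPLE.COM", 3, 18, b"\x22" * 32)
```

       Reading real files works the same way: pass the bytes of each node's
       /tmp/http.keytab to stale_principals and an empty list means both nodes
       still share the same key version.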

EXIT STATUS

       The exit status is 0 on success, nonzero on error.

       0 Success

       1 Kerberos context initialization failed

       2 Incorrect usage

       3 Out of memory

       4 Invalid service principal name

       5 No Kerberos credentials cache

       6 No Kerberos principal and no bind DN and password

       7 Failed to open keytab

       8 Failed to create key material

       9 Setting keytab failed

       10 Bind password required when using a bind DN

       11 Failed to add key to keytab

       12 Failed to close keytab


IPA                               Oct 10 2007                 ipa-getkeytab(1)