ipa-getkeytab(1)                                              ipa-getkeytab(1)

NAME

       ipa-getkeytab - Get a keytab for a Kerberos principal

SYNOPSIS

       ipa-getkeytab [ -s ipaserver ] [ -p principal-name ] [ -k keytab-file ]
       [ -e encryption-types ] [ -q ]

DESCRIPTION

       Retrieves a Kerberos keytab.

       Kerberos keytabs are used by services (like sshd) to perform Kerberos
       authentication. A keytab is a file with one or more secrets (or keys)
       for a Kerberos principal.

       A Kerberos service principal is a Kerberos identity that can be used
       for authentication. Service principals contain the name of the service,
       the hostname of the server, and the realm name. For example, the
       following is a principal for an LDAP server:

          ldap/foo.example.com@EXAMPLE.COM

       When using ipa-getkeytab the realm name is already provided, so the
       principal name is just the service name and hostname
       (ldap/foo.example.com from the example above).

       WARNING: retrieving the keytab resets the secret for the Kerberos
       principal. This renders all other keytabs for that principal invalid.

OPTIONS

       -s ipaserver
              The IPA server to retrieve the keytab from (FQDN).

       -p principal-name
              The non-realm part of the full principal name.

       -k keytab-file
              The keytab file to append the new key to (will be created if
              it does not exist).

       -e encryption-types
              The list of encryption types to use to generate keys.
              ipa-getkeytab will use local client defaults if not provided.
              Valid values depend on the Kerberos library version and
              configuration. Common values are: aes256-cts aes128-cts
              des3-hmac-sha1 arcfour-hmac des-hmac-sha1 des-cbc-md5
              des-cbc-crc

       -q     Quiet mode. Only errors are displayed.

       --permitted-enctypes
              This option returns a description of the permitted encryption
              types, like this:

              Supported encryption types:
              AES-256 CTS mode with 96-bit SHA-1 HMAC
              AES-128 CTS mode with 96-bit SHA-1 HMAC
              Triple DES cbc mode with HMAC/sha1
              ArcFour with HMAC/md5
              DES cbc mode with CRC-32
              DES cbc mode with RSA-MD5
              DES cbc mode with RSA-MD4

EXAMPLES

       Add and retrieve a keytab for the NFS service principal on the host
       foo.example.com, save it in the file /tmp/nfs.keytab, and retrieve
       just the des-cbc-crc key.

          # ipa-getkeytab -s ipaserver.example.com -p nfs/foo.example.com -k /tmp/nfs.keytab -e des-cbc-crc

       Add and retrieve a keytab for the ldap service principal on the host
       foo.example.com and save it in the file /tmp/ldap.keytab.

          # ipa-getkeytab -s ipaserver.example.com -p ldap/foo.example.com -k /tmp/ldap.keytab

EXIT STATUS

       The exit status is 0 on success, nonzero on error.

freeipa                           Oct 10 2007                 ipa-getkeytab(1)