ipa-getkeytab(1)             FreeIPA Manual Pages             ipa-getkeytab(1)

NAME

       ipa-getkeytab - Get a keytab for a Kerberos principal


SYNOPSIS

       ipa-getkeytab -p principal-name -k keytab-file [ -e encryption-types ]
       [ -s ipaserver ] [ -q ] [ -D|--binddn BINDDN ] [ -w|--bindpw ] [ -W ]
       [ -P|--password PASSWORD ] [ --cacert CACERT ] [ -H|--ldapuri URI ]
       [ -Y|--mech GSSAPI|EXTERNAL ] [ -r ]


DESCRIPTION

       Retrieves a Kerberos keytab.

       Kerberos keytabs are used by services (like sshd) to perform Kerberos
       authentication. A keytab is a file with one or more secrets (or keys)
       for a Kerberos principal.

       A Kerberos service principal is a Kerberos identity that can be used
       for authentication. Service principals contain the name of the service,
       the hostname of the server, and the realm name. For example, the
       following is an example principal for an ldap server:

          ldap/foo.example.com@EXAMPLE.COM

       When using ipa-getkeytab the realm name is already provided, so the
       principal name is just the service name and hostname
       (ldap/foo.example.com from the example above).

       ipa-getkeytab is used during IPA client enrollment to retrieve a host
       service principal and store it in /etc/krb5.keytab. It is possible to
       retrieve the keytab without Kerberos credentials if the host was
       pre-created with a one-time password. The keytab can be retrieved by
       binding as the host and authenticating with this one-time password. The
       -D|--binddn and -w|--bindpw options are used for this authentication. -W
       can be used instead of -w|--bindpw to interactively prompt for the bind
       password.

       WARNING: retrieving the keytab resets the secret for the Kerberos
       principal. This renders all other keytabs for that principal invalid.
       When multiple hosts or services need to share the same key (for
       instance in high availability or load balancing clusters), the -r
       option must be used to retrieve the existing key instead of generating
       a new one (please refer to the EXAMPLES section).

       Note that the user or host calling ipa-getkeytab needs to be allowed to
       generate the key with ipa host-allow-create-keytab or ipa
       service-allow-create-keytab, and the user or host calling ipa-getkeytab -r
       needs to be allowed to retrieve the keytab for the host or service with
       ipa host-allow-retrieve-keytab or ipa service-allow-retrieve-keytab.


OPTIONS

       -p principal-name
              The non-realm part of the full principal name.

       -k keytab-file
              The keytab file to which the new key is appended (it will be
              created if it does not exist).

       -e encryption-types
              The list of encryption types to use to generate keys.
              ipa-getkeytab will use local client defaults if not provided.
              Valid values depend on the Kerberos library version and
              configuration. Common values are: aes256-cts aes128-cts
              aes256-sha2 aes128-sha2 camellia256-cts-cmac
              camellia128-cts-cmac arcfour-hmac

       -s ipaserver
              The IPA server to retrieve the keytab from (FQDN). If this
              option is not provided the server name is read from the IPA
              configuration file (/etc/ipa/default.conf). Cannot be used
              together with -H.

       -q     Quiet mode. Only errors are displayed.

       --permitted-enctypes
              This option prints a description of the permitted encryption
              types, for example:

                 Supported encryption types:
                 AES-256 CTS mode with 96-bit SHA-1 HMAC
                 AES-128 CTS mode with 96-bit SHA-1 HMAC
                 AES-128 CTS mode with 128-bit SHA-256 HMAC
                 AES-256 CTS mode with 192-bit SHA-384 HMAC
                 ArcFour with HMAC/md5

       -P, --password
              Use this password for the key instead of one randomly generated.

       -D, --binddn
              The LDAP DN to bind as when retrieving a keytab without Kerberos
              credentials. Generally used with the -w or -W options.

       -w, --bindpw
              The LDAP password to use when not binding with Kerberos. -D and
              -w cannot be used together with -Y.

       -W     Interactive prompt for the bind password. -D and -W cannot be
              used together with -Y.

       --cacert
              The path to the IPA CA certificate used to validate
              LDAPS/STARTTLS connections. Defaults to /etc/ipa/ca.crt.

       -H, --ldapuri
              LDAP URI. If ldap:// is specified, STARTTLS is initiated by
              default. Cannot be used with -s.

       -Y, --mech
              SASL mechanism to use if -D and -w are not specified. Use either
              GSSAPI or EXTERNAL.

       -r     Retrieve mode. Retrieve an existing key from the server instead
              of generating a new one. This is incompatible with the
              --password option, and will work only against a FreeIPA server
              more recent than version 3.3. The user requesting the keytab
              must have access to the keys for this operation to succeed.


EXAMPLES

       Add and retrieve a keytab for the NFS service principal on the host
       foo.example.com, save it in the file /tmp/nfs.keytab, and retrieve
       just the aes256-sha2 key.

          # ipa-getkeytab -p nfs/foo.example.com -k /tmp/nfs.keytab -e aes256-sha2

       Add and retrieve a keytab for the ldap service principal on the host
       foo.example.com and save it in the file /tmp/ldap.keytab.

          # ipa-getkeytab -s ipaserver.example.com -p ldap/foo.example.com -k /tmp/ldap.keytab

       Retrieve a keytab using LDAP credentials (this will typically be done
       by ipa-join(1) when enrolling a client using the ipa-client-install(1)
       command):

          # ipa-getkeytab -s ipaserver.example.com -p host/foo.example.com -k /etc/krb5.keytab -D fqdn=foo.example.com,cn=computers,cn=accounts,dc=example,dc=com -w password

       Add and retrieve a keytab for a clustered HTTP service deployed on
       client1.example.com and client2.example.com (already enrolled), using
       the client-frontend.example.com host name:

          # ipa host-add client-frontend.example.com --ip-address 10.1.2.3
          # ipa service-add HTTP/client-frontend.example.com
          # ipa service-allow-retrieve-keytab HTTP/client-frontend.example.com --hosts={client1.example.com,client2.example.com}
          # ipa service-allow-create-keytab HTTP/client-frontend.example.com --hosts=client1.example.com

       On client1, generate and retrieve a new keytab for
       client-frontend.example.com:

          # kinit -k
          # ipa-getkeytab -p HTTP/client-frontend.example.com -k /tmp/http.keytab

       On client2, retrieve the existing keytab for
       client-frontend.example.com (note the -r option, which leaves the
       key generated on client1 valid):

          # kinit -k
          # ipa-getkeytab -r -p HTTP/client-frontend.example.com -k /tmp/http.keytab
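       Added example, not part of the FreeIPA man page: a small Python parser
       for the version-2 keytab format, used to confirm that two cluster
       members hold the same kvno and enctypes after the -r retrieval above.
       A host that ran ipa-getkeytab without -r would show a higher kvno and
       would have invalidated the other member's keys, which is the failure
       the WARNING in DESCRIPTION describes. The keytab bytes are constructed
       inline (no ipa-getkeytab call is made); the enctype numbers are the
       standard Kerberos assignments.

```python
import struct

ENCTYPES = {17: "aes128-cts", 18: "aes256-cts", 19: "aes128-sha2", 20: "aes256-sha2",
            23: "arcfour-hmac", 25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac"}
def _counted(buf, off):  # 16-bit length-prefixed octet string -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n
def parse_keytab(data):
    """Parse a version-2 (0x0502) keytab into one dict per stored key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a v2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                        # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        # skip uint32 name type and uint32 timestamp; then 8-bit kvno, enctype, key
        vno8, enctype = struct.unpack_from(">BH", data, off + 8)
        key, off = _counted(data, off + 11)
        # a trailing 32-bit kvno, when present and non-zero, overrides the 8-bit one
        kvno = (struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0) or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": ENCTYPES.get(enctype, str(enctype))})
        off = end
    return entries

def shared_key_consistent(*keytabs):  # same (principal, kvno, enctype) set in all?
    sets = [{(e["principal"], e["kvno"], e["enctype"]) for e in parse_keytab(k)} for k in keytabs]
    return all(s == sets[0] for s in sets)

def build_entry(principal, kvno, enctype, key):
    """Build one keytab entry (constructed sample, not ipa-getkeytab output)."""
    name, realm = principal.split("@")
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(p)) + p for p in parts)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype)  # NT_PRINCIPAL, timestamp 0
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed samples: client1 generated kvno 2 (client2 with -r gets identical bytes);
# a client2 run without -r would have forced a fresh kvno 3 and invalidated client1's keys.
PRINC = "HTTP/client-frontend.example.com@EXAMPLE.COM"
CLIENT1 = b"\x05\x02" + build_entry(PRINC, 2, 20, b"\x11" * 32) + build_entry(PRINC, 2, 19, b"\x22" * 16)
CLIENT2_NO_R = b"\x05\x02" + build_entry(PRINC, 3, 20, b"\x33" * 32) + build_entry(PRINC, 3, 19, b"\x44" * 16)
```

       Running parse_keytab over the real /tmp/http.keytab on each member
       gives the same check as klist -k -e, but in a form a deployment script
       can assert on before the service is started.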

EXIT STATUS

       The exit status is 0 on success, nonzero on error.

       0 Success

       1 Kerberos context initialization failed

       2 Incorrect usage

       3 Out of memory

       4 Invalid service principal name

       5 No Kerberos credentials cache

       6 No Kerberos principal and no bind DN and password

       7 Failed to open keytab

       8 Failed to create key material

       9 Setting keytab failed

       10 Bind password required when using a bind DN

       11 Failed to add key to keytab

       12 Failed to close keytab

FreeIPA                           Oct 10 2007                 ipa-getkeytab(1)