ipa-getkeytab(1)               IPA Manual Pages               ipa-getkeytab(1)

NAME

       ipa-getkeytab - Get a keytab for a Kerberos principal


SYNOPSIS

       ipa-getkeytab -p principal-name -k keytab-file [ -e encryption-types ]
       [ -s ipaserver ] [ -q ] [ -D|--binddn BINDDN ] [ -w|--bindpw ] [ -W ]
       [ -P|--password PASSWORD ] [ --cacert CACERT ] [ -H|--ldapuri URI ]
       [ -Y|--mech GSSAPI|EXTERNAL ] [ -r ]



DESCRIPTION

       Retrieves a Kerberos keytab.

       Kerberos keytabs are used by services (like sshd) to perform Kerberos
       authentication. A keytab is a file with one or more secrets (or keys)
       for a Kerberos principal.

       A Kerberos service principal is a Kerberos identity that can be used
       for authentication. Service principals contain the name of the
       service, the hostname of the server, and the realm name. For example,
       the following is an example principal for an ldap server:

          ldap/foo.example.com@EXAMPLE.COM

       When using ipa-getkeytab the realm name is already provided, so the
       principal name is just the service name and hostname
       (ldap/foo.example.com from the example above).

       ipa-getkeytab is used during IPA client enrollment to retrieve a host
       service principal and store it in /etc/krb5.keytab. It is possible to
       retrieve the keytab without Kerberos credentials if the host was
       pre-created with a one-time password. The keytab can be retrieved by
       binding as the host and authenticating with this one-time password.
       The -D|--binddn and -w|--bindpw options are used for this
       authentication. -W can be used instead of -w|--bindpw to
       interactively prompt for the bind password.

       WARNING: retrieving the keytab resets the secret for the Kerberos
       principal and increments its key version number (kvno). This renders
       all other keytabs for that principal invalid. When multiple hosts or
       services need to share the same key (for instance in high
       availability or load balancing clusters), the -r option must be used
       to retrieve the existing key instead of generating a new one (please
       refer to the EXAMPLES section).

       Note that the user or host calling ipa-getkeytab needs to be allowed
       to generate the key with ipa host-allow-create-keytab or ipa
       service-allow-create-keytab, and the user or host calling
       ipa-getkeytab -r needs to be allowed to retrieve the keytab for the
       host or service with ipa host-allow-retrieve-keytab or ipa
       service-allow-retrieve-keytab.



OPTIONS

       -p principal-name
              The non-realm part of the full principal name.

       -k keytab-file
              The keytab file to which the new key is appended (it will be
              created if it does not exist).

       -e encryption-types
              The list of encryption types to use to generate keys.
              ipa-getkeytab will use local client defaults if not provided.
              Valid values depend on the Kerberos library version and
              configuration. Common values are: aes256-cts aes128-cts
              aes256-sha2 aes128-sha2 camellia256-cts-cmac
              camellia128-cts-cmac arcfour-hmac

       -s ipaserver
              The IPA server to retrieve the keytab from (FQDN). If this
              option is not provided the server name is read from the IPA
              configuration file (/etc/ipa/default.conf). Cannot be used
              together with -H. If the value is _srv_ then DNS discovery
              will be used to determine a server. If this discovery fails
              then it will fall back to using the configuration file.

       -q     Quiet mode. Only errors are displayed.

       --permitted-enctypes
              This option prints a description of the permitted encryption
              types, like this:

                 Supported encryption types:
                 AES-256 CTS mode with 96-bit SHA-1 HMAC
                 AES-128 CTS mode with 96-bit SHA-1 HMAC
                 AES-128 CTS mode with 128-bit SHA-256 HMAC
                 AES-256 CTS mode with 192-bit SHA-384 HMAC
                 ArcFour with HMAC/md5

       -P, --password
              Use this password for the key instead of one randomly
              generated. The length of the password is limited to 1024
              characters. Note that MIT Kerberos also limits passwords
              entered through the kpasswd and kadmin commands to the same
              length. A password-derived key is only as strong as the
              password, so prefer the randomly generated key unless the
              same key must be reproducible elsewhere.

       -D, --binddn
              The LDAP DN to bind as when retrieving a keytab without
              Kerberos credentials. Generally used with the -w or -W
              options.

       -w, --bindpw
              The LDAP password to use when not binding with Kerberos. -D
              and -w cannot be used together with -Y. A password given on
              the command line is visible in the process list and may be
              recorded in shell history; -W avoids both.

       -W     Interactive prompt for the bind password. -D and -W cannot be
              used together with -Y.

       --cacert
              The path to the IPA CA certificate used to validate
              LDAPS/STARTTLS connections. Defaults to /etc/ipa/ca.crt

       -H, --ldapuri
              LDAP URI. If ldap:// is specified, STARTTLS is initiated by
              default. Cannot be used with -s.

       -Y, --mech
              SASL mechanism to use if -D and -w are not specified. Use
              either GSSAPI or EXTERNAL.

       -r     Retrieve mode. Retrieve an existing key from the server
              instead of generating a new one. This is incompatible with
              the --password option, and will work only against an IPA
              server more recent than version 3.3. The user requesting the
              keytab must have access to the keys for this operation to
              succeed.


EXAMPLES

       Add and retrieve a keytab for the NFS service principal on the host
       foo.example.com and save it in the file /tmp/nfs.keytab, retrieving
       just the aes256-sha2 key.

          # ipa-getkeytab -p nfs/foo.example.com -k /tmp/nfs.keytab -e aes256-sha2

       Add and retrieve a keytab for the ldap service principal on the host
       foo.example.com and save it in the file /tmp/ldap.keytab.

          # ipa-getkeytab -s ipaserver.example.com -p ldap/foo.example.com -k /tmp/ldap.keytab

       Retrieve a keytab using LDAP credentials (this will typically be done
       by ipa-join(1) when enrolling a client using the ipa-client-install(1)
       command):

          # ipa-getkeytab -s ipaserver.example.com -p host/foo.example.com -k /etc/krb5.keytab -D fqdn=foo.example.com,cn=computers,cn=accounts,dc=example,dc=com -w password

       Add and retrieve a keytab for a clustered HTTP service deployed on
       client1.example.com and client2.example.com (already enrolled), using
       the client-frontend.example.com host name:

          # ipa host-add client-frontend.example.com --ip-address 10.1.2.3
          # ipa service-add HTTP/client-frontend.example.com
          # ipa service-allow-retrieve-keytab HTTP/client-frontend.example.com --hosts={client1.example.com,client2.example.com}
          # ipa service-allow-create-keytab HTTP/client-frontend.example.com --hosts=client1.example.com

       On client1, generate and retrieve a new keytab for
       client-frontend.example.com:

          # kinit -k
          # ipa-getkeytab -p HTTP/client-frontend.example.com -k /tmp/http.keytab

       On client2, retrieve the existing keytab for
       client-frontend.example.com (without -r, client2 would generate a new
       key and invalidate the keytab client1 just fetched):

          # kinit -k
          # ipa-getkeytab -r -p HTTP/client-frontend.example.com -k /tmp/http.keytab

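       The following Python script is an added example and is not part of
       this manual page or of FreeIPA. It parses the keytab file that
       ipa-getkeytab -k writes, assuming the MIT Kerberos keytab file format
       version 2 (magic bytes 0x05 0x02, big-endian fields) and the
       registered Kerberos enctype numbers, so that the enctypes selected
       with -e and the kvno can be checked. It then compares what two
       cluster nodes hold for the shared HTTP/client-frontend.example.com
       principal from the example above, which is how to catch a node that
       ran ipa-getkeytab without -r and reset the key. The keytabs are
       constructed in memory with placeholder keys so the script runs
       offline; the build_keytab() helper exists only to produce that sample
       input.

```python
"""Inspect keytabs written by ipa-getkeytab and check that cluster nodes
share one key.  Added example, not FreeIPA code: assumes MIT keytab format
v2 and IANA enctype numbers; sample keytabs below are constructed."""
import struct
import time

# IANA Kerberos enctype numbers with the short names accepted by -e.
ENCTYPE_NAMES = {
    17: "aes128-cts", 18: "aes256-cts", 19: "aes128-sha2", 20: "aes256-sha2",
    23: "arcfour-hmac", 25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac",
}
KEYTAB_MAGIC = b"\x05\x02"


def _counted(data):
    """Keytab counted octet string: uint16 big-endian length, then bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into keytab v2 bytes.
    Used only to construct sample input; real keytabs come from ipa-getkeytab."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        # name type (1 = KRB5_NT_PRINCIPAL), timestamp, 8-bit vno, enctype
        body += struct.pack(">IIBH", 1, int(time.time()), kvno & 0xFF, enctype)
        body += _counted(key) + struct.pack(">I", kvno)  # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob):
    """Return a list of entry dicts from keytab v2 bytes.  Malformed input
    raises ValueError: a keytab that does not parse cleanly is not trusted."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a v2 keytab: magic %r" % blob[:2])
    pos, entries = 2, []
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated entry header at offset %d" % pos)
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:              # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        if end > len(blob):
            raise ValueError("entry at offset %d overruns file" % (pos - 4))

        def take(n):
            nonlocal pos
            if pos + n > end:
                raise ValueError("entry ending at offset %d is truncated" % end)
            pos += n
            return blob[pos - n:pos]

        def counted():
            return take(struct.unpack(">H", take(2))[0])

        ncomp = struct.unpack(">H", take(2))[0]
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        take(4)                                      # name type, unused here
        timestamp = struct.unpack(">I", take(4))[0]
        kvno = take(1)[0]                            # 8-bit vno
        enctype = struct.unpack(">H", take(2))[0]
        key = counted()
        if end - pos >= 4:                           # optional 32-bit vno
            kvno = struct.unpack(">I", take(4))[0] or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "timestamp": timestamp, "key": key,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, "etype %d" % enctype)})
    return entries


def shared_key_mismatch(keytab_a, keytab_b, principal):
    """Compare what two nodes hold for one shared principal.  Returns None when
    both keytabs carry the same (kvno, enctype, key) set, otherwise a reason.
    A kvno mismatch is the signature of a node that skipped -r."""
    def keyset(blob):
        return {(e["kvno"], e["enctype"], e["key"])
                for e in parse_keytab(blob) if e["principal"] == principal}
    ka, kb = keyset(keytab_a), keyset(keytab_b)
    if not ka or not kb:
        return "principal %s missing from one keytab" % principal
    if ka == kb:
        return None
    va, vb = sorted({k for k, _, _ in ka}), sorted({k for k, _, _ in kb})
    if va != vb:
        return "kvno differs: %s vs %s" % (va, vb)
    return "same kvno but different key material"


# Constructed sample data: 32-byte placeholder keys, not real Kerberos keys.
PRINC = "HTTP/client-frontend.example.com@EXAMPLE.COM"
NODE1 = build_keytab([(PRINC, 1, 20, bytes(range(32)))])               # kvno 1, aes256-sha2
NODE2_RETRIEVED = build_keytab([(PRINC, 1, 20, bytes(range(32)))])     # fetched with -r
NODE2_REGENERATED = build_keytab([(PRINC, 2, 20, bytes(range(32, 64)))])  # without -r: kvno bumped

if __name__ == "__main__":
    for e in parse_keytab(NODE1):        # same information as: klist -kte
        print("%s  kvno=%d  %s" % (e["principal"], e["kvno"], e["enctype_name"]))
    print("node2 with -r:   ", shared_key_mismatch(NODE1, NODE2_RETRIEVED, PRINC))
    print("node2 without -r:", shared_key_mismatch(NODE1, NODE2_REGENERATED, PRINC))
```

       With a real file, pass open("/tmp/http.keytab", "rb").read() to
       parse_keytab(); klist -kte shows the same principal, kvno and enctype
       information and is the quickest way to confirm that -r on the second
       node returned the key version the first node already holds.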

EXIT STATUS

       The exit status is 0 on success, nonzero on error.

       0 Success

       1 Kerberos context initialization failed

       2 Incorrect usage

       3 Out of memory

       4 Invalid service principal name

       5 No Kerberos credentials cache

       6 No Kerberos principal and no bind DN and password

       7 Failed to open keytab

       8 Failed to create key material

       9 Setting keytab failed

       10 Bind password required when using a bind DN

       11 Failed to add key to keytab

       12 Failed to close keytab


IPA                               Oct 10 2007                 ipa-getkeytab(1)