ipa-getkeytab(1)                                              ipa-getkeytab(1)

NAME

       ipa-getkeytab - Get a keytab for a Kerberos principal

SYNOPSIS

       ipa-getkeytab <-s ipaserver> <-p principal-name> <-k keytab-file>
       [-e encryption-types] [-q]

DESCRIPTION

       Retrieves a Kerberos keytab.

       Kerberos keytabs are used by services (like sshd) to perform Kerberos
       authentication. A keytab is a file with one or more secrets (or keys)
       for a Kerberos principal.

       A Kerberos service principal is a Kerberos identity that can be used
       for authentication. Service principals contain the name of the service,
       the hostname of the server, and the realm name. For example, the
       following is a principal for an ldap server:

          ldap/foo.example.com@EXAMPLE.COM

       When using ipa-getkeytab the realm name is already provided, so the
       principal name is just the service name and hostname
       (ldap/foo.example.com from the example above).

       WARNING: retrieving the keytab resets the secret, rendering all other
       keytabs for that principal invalid.

OPTIONS

       -s ipaserver
              The IPA Server to retrieve the keytab from (FQDN).

       -p principal-name
              The non-realm part of the full principal name.

       -k keytab-file
              The keytab file to append the new key to (will be created if
              it does not exist).

       -e encryption-types
              The list of encryption types to use to generate keys.
              ipa-getkeytab will use local client defaults if not provided.
              Valid values depend on the Kerberos library version and
              configuration. Common values are:
              aes256-cts
              aes128-cts
              des3-hmac-sha1
              arcfour-hmac
              des-hmac-sha1
              des-cbc-md5
              des-cbc-crc

       -q     Keep quiet.

       --permitted-enctypes
              This option returns a description of the permitted encryption
              types, like this:
              Supported encryption types:
              AES-256 CTS mode with 96-bit SHA-1 HMAC
              AES-128 CTS mode with 96-bit SHA-1 HMAC
              Triple DES cbc mode with HMAC/sha1
              ArcFour with HMAC/md5
              DES cbc mode with CRC-32
              DES cbc mode with RSA-MD5
              DES cbc mode with RSA-MD4

EXAMPLES

       Add and retrieve a keytab for the ldap service principal on the host
       foo.example.com and save it in the file ldap.keytab.

          # ipa-getkeytab -s ipaserver.example.com -p ldap/foo.example.com -k /tmp/ldap.keytab -e des-cbc-crc
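An added example, not part of the original man page or of FreeIPA: a reader for keytab files that reports the principal, key version and encryption type of every key and flags the weak types, such as the des-cbc-crc key requested above. The layout parsed here is the MIT Kerberos keytab format version 0x0502, which the page does not describe; the function names and the sample keytab (all-zero keys) are constructed for this example.

```python
import struct
# Kerberos enctype numbers (IANA registry) with the short names that -e takes.
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            16: "des3-hmac-sha1", 17: "aes128-cts", 18: "aes256-cts", 23: "arcfour-hmac"}
WEAK = {1, 2, 3, 16, 23}  # DES, 3DES, RC4: deprecated by RFC 6649 and RFC 8429

def _counted(data, p):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype number)] from version 2 keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 (0x0502) keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:            # zero or negative size: unused slot, skip it
            pos += -size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        names, p = [], pos + 2
        for _ in range(ncomp + 1):   # realm first, then the name components
            name, p = _counted(data, p)
            names.append(name)
        _type, _time, kvno, etype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen           # skip the key bytes; they are never printed
        if pos + size - p >= 4:  # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, etype))
        pos += size
    return entries

def weak_entries(data):
    """Entries whose key type is in WEAK, with the enctype shown by name."""
    return [(p, k, ENCTYPES.get(e, str(e))) for p, k, e in parse_keytab(data) if e in WEAK]

# Constructed sample: _entry builds one entry with an all-zero key (not a real secret).
def _entry(realm, comps, kvno, etype, key):
    s = lambda x: struct.pack(">H", len(x)) + x.encode()
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body
SAMPLE = b"\x05\x02" + b"".join(_entry("EXAMPLE.COM", ["ldap", "foo.example.com"], 300, e, bytes(n))
                                for e, n in ((18, 32), (1, 8)))

if __name__ == "__main__":
    print(*weak_entries(SAMPLE), sep="\n")
```

To check a real file, pass `open(path, "rb").read()` to `weak_entries`; an empty list means no key in the keytab uses one of the deprecated types.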

EXIT STATUS

       The exit status is 0 on success, nonzero on error.

freeipa                           Oct 10 2007                 ipa-getkeytab(1)