ipa-getkeytab(1)                FreeIPA Manual Pages               ipa-getkeytab(1)

NAME
       ipa-getkeytab - Get a keytab for a Kerberos principal

SYNOPSIS
       ipa-getkeytab -p principal-name -k keytab-file [ -e encryption-types ]
       [ -s ipaserver ] [ -q ] [ -D|--binddn BINDDN ] [ -w|--bindpw ] [
       -P|--password PASSWORD ] [ --cacert CACERT ] [ -H|--ldapuri URI ] [
       -Y|--mech GSSAPI|EXTERNAL ] [ -r ]

DESCRIPTION
       Retrieves a Kerberos keytab.

       Kerberos keytabs are used for services (like sshd) to perform Kerberos
       authentication. A keytab is a file with one or more secrets (or keys)
       for a Kerberos principal.

       A Kerberos service principal is a Kerberos identity that can be used
       for authentication. Service principals contain the name of the service,
       the hostname of the server, and the realm name. For example, the
       following is an example principal for an ldap server:

       ldap/foo.example.com@EXAMPLE.COM

       When using ipa-getkeytab the realm name is already provided, so the
       principal name is just the service name and hostname
       (ldap/foo.example.com from the example above).

       ipa-getkeytab is used during IPA client enrollment to retrieve a host
       service principal and store it in /etc/krb5.keytab. It is possible to
       retrieve the keytab without Kerberos credentials if the host was
       pre-created with a one-time password. The keytab can be retrieved by
       binding as the host and authenticating with this one-time password. The
       -D|--binddn and -w|--bindpw options are used for this authentication.

       WARNING: retrieving the keytab resets the secret for the Kerberos
       principal. This renders all other keytabs for that principal invalid.
       When multiple hosts or services need to share the same key (for
       instance in high availability or load balancing clusters), the -r
       option must be used to retrieve the existing key instead of generating
       a new one (please refer to the EXAMPLES section).

       Note that the user or host calling ipa-getkeytab needs to be allowed to
       generate the key with ipa host-allow-create-keytab or
       ipa service-allow-create-keytab, and the user or host calling
       ipa-getkeytab -r needs to be allowed to retrieve the keytab for the host
       or service with ipa host-allow-retrieve-keytab or
       ipa service-allow-retrieve-keytab.

OPTIONS
       -p principal-name
              The non-realm part of the full principal name.

       -k keytab-file
              The keytab file where to append the new key (will be created if
              it does not exist).

       -e encryption-types
              The list of encryption types to use to generate keys.
              ipa-getkeytab will use local client defaults if not provided.
              Valid values depend on the Kerberos library version and
              configuration. Common values are: aes256-cts aes128-cts
              des3-hmac-sha1 arcfour-hmac des-hmac-sha1 des-cbc-md5 des-cbc-crc

       -s ipaserver
              The IPA server to retrieve the keytab from (FQDN). If this
              option is not provided the server name is read from the IPA
              configuration file (/etc/ipa/default.conf). Cannot be used
              together with -H.

       -q     Quiet mode. Only errors are displayed.

       --permitted-enctypes
              This option prints a description of the permitted encryption
              types, like this:

              Supported encryption types:
              AES-256 CTS mode with 96-bit SHA-1 HMAC
              AES-128 CTS mode with 96-bit SHA-1 HMAC
              Triple DES cbc mode with HMAC/sha1
              ArcFour with HMAC/md5
              DES cbc mode with CRC-32
              DES cbc mode with RSA-MD5
              DES cbc mode with RSA-MD4

       -P, --password
              Use this password for the key instead of one randomly generated.

       -D, --binddn
              The LDAP DN to bind as when retrieving a keytab without Kerberos
              credentials. Generally used with the -w option.

       -w, --bindpw
              The LDAP password to use when not binding with Kerberos. -D and
              -w cannot be used together with -Y.

       --cacert
              The path to the IPA CA certificate used to validate
              LDAPS/STARTTLS connections. Defaults to /etc/ipa/ca.crt

       -H, --ldapuri
              LDAP URI. If ldap:// is specified, STARTTLS is initiated by
              default. Cannot be used with -s.

       -Y, --mech
              SASL mechanism to use if -D and -w are not specified. Use either
              GSSAPI or EXTERNAL.

       -r     Retrieve mode. Retrieve an existing key from the server instead
              of generating a new one. This is incompatible with the
              --password option, and will work only against a FreeIPA server
              more recent than version 3.3. The user requesting the keytab
              must have access to the keys for this operation to succeed.

EXAMPLES
       Add and retrieve a keytab for the NFS service principal on the host
       foo.example.com and save it in the file /tmp/nfs.keytab and retrieve
       just the des-cbc-crc key.

       # ipa-getkeytab -p nfs/foo.example.com -k /tmp/nfs.keytab -e des-cbc-crc

       Add and retrieve a keytab for the ldap service principal on the host
       foo.example.com and save it in the file /tmp/ldap.keytab.

       # ipa-getkeytab -s ipaserver.example.com -p ldap/foo.example.com -k /tmp/ldap.keytab

       Retrieve a keytab using LDAP credentials (this will typically be done
       by ipa-join(1) when enrolling a client using the ipa-client-install(1)
       command):

       # ipa-getkeytab -s ipaserver.example.com -p host/foo.example.com -k /etc/krb5.keytab -D fqdn=foo.example.com,cn=computers,cn=accounts,dc=example,dc=com -w password

       Add and retrieve a keytab for a clustered HTTP service deployed on
       client1.example.com and client2.example.com (already enrolled), using
       the client-frontend.example.com host name:

       # ipa host-add client-frontend.example.com --ip-address 10.1.2.3
       # ipa service-add HTTP/client-frontend.example.com
       # ipa service-allow-retrieve-keytab HTTP/client-frontend.example.com --hosts={client1.example.com,client2.example.com}
       # ipa service-allow-create-keytab HTTP/client-frontend.example.com --hosts=client1.example.com

       On client1, generate and retrieve a new keytab for
       client-frontend.example.com:

       # kinit -k
       # ipa-getkeytab -p HTTP/client-frontend.example.com -k /tmp/http.keytab

       On client2, retrieve the existing keytab for
       client-frontend.example.com:

       # kinit -k
       # ipa-getkeytab -r -p HTTP/client-frontend.example.com -k /tmp/http.keytab

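       The clustered example above relies on the operator remembering which
       node generates the key and which nodes must pass -r; forgetting -r on
       the second node resets the principal's secret and invalidates the
       keytab the first node already holds. The script below is an added
       example, not part of this manual page or of FreeIPA. It provides two
       POSIX sh helpers: cluster_keytab_cmd builds the ipa-getkeytab command
       line for a node given its role, and check_getkeytab_args checks an
       argument list against the option restrictions stated under OPTIONS
       (-s with -H, -D/-w with -Y, -r with --password, -D without -w). The
       helper names, the primary/secondary role names and the return codes
       are this example's own choices; the return codes reuse the values
       listed under EXIT STATUS for the matching conditions. Neither helper
       invokes ipa-getkeytab; the printed command is meant to be reviewed and
       then run on the node.

```sh
#!/bin/sh
# Added example (not part of the ipa-getkeytab man page or of FreeIPA).
# cluster_keytab_cmd: print the ipa-getkeytab invocation for one node of a
#   clustered service.  Only the "primary" node generates a new key; every
#   "secondary" node gets -r so it retrieves the existing key instead of
#   resetting the principal's secret.
# check_getkeytab_args: reject option combinations that the OPTIONS section
#   rules out, before anything is run.

# usage: cluster_keytab_cmd primary|secondary PRINCIPAL KEYTAB [IPASERVER]
cluster_keytab_cmd() {
    role=$1 principal=$2 keytab=$3 server=${4:-}
    case "$role" in
        primary)   mode='' ;;        # generate and fetch a fresh key
        secondary) mode='-r ' ;;     # fetch the key the primary created
        *) echo "role must be primary or secondary" >&2; return 2 ;;
    esac
    # The non-realm principal must have the SERVICE/HOSTNAME form
    # (4 = "Invalid service principal name" in EXIT STATUS).
    case "$principal" in
        ?*/?*) ;;
        *) echo "principal must look like SERVICE/HOSTNAME" >&2; return 4 ;;
    esac
    cmd="ipa-getkeytab ${mode}-p $principal -k $keytab"
    [ -n "$server" ] && cmd="$cmd -s $server"
    printf '%s\n' "$cmd"
}

# usage: check_getkeytab_args ARG...   (the arguments meant for ipa-getkeytab)
# Returns 0 if the combination is allowed, 2 for incorrect usage, 10 for a
# bind DN given without a bind password (same codes as EXIT STATUS).
check_getkeytab_args() {
    has_s=0 has_H=0 has_D=0 has_w=0 has_Y=0 has_r=0 has_P=0
    while [ $# -gt 0 ]; do
        opt=$1
        case "$opt" in
            -r) has_r=1; shift; continue ;;
            -q|--permitted-enctypes) shift; continue ;;
            -p|-k|-e|-s|-D|--binddn|-w|--bindpw|-P|--password|--cacert|-H|--ldapuri|-Y|--mech)
                # every option in this group takes exactly one value
                [ $# -ge 2 ] || { echo "$opt needs a value" >&2; return 2; } ;;
            *) echo "unknown option: $opt" >&2; return 2 ;;
        esac
        case "$opt" in
            -s)            has_s=1 ;;
            -H|--ldapuri)  has_H=1 ;;
            -D|--binddn)   has_D=1 ;;
            -w|--bindpw)   has_w=1 ;;
            -Y|--mech)     has_Y=1 ;;
            -P|--password) has_P=1 ;;
        esac
        shift 2
    done
    if [ $has_s -eq 1 ] && [ $has_H -eq 1 ]; then
        echo "-s and -H cannot be used together" >&2; return 2
    fi
    if [ $has_Y -eq 1 ] && { [ $has_D -eq 1 ] || [ $has_w -eq 1 ]; }; then
        echo "-D/-w cannot be used together with -Y" >&2; return 2
    fi
    if [ $has_r -eq 1 ] && [ $has_P -eq 1 ]; then
        echo "-r is incompatible with --password" >&2; return 2
    fi
    if [ $has_D -eq 1 ] && [ $has_w -eq 0 ]; then
        echo "bind password required when using a bind DN" >&2; return 10
    fi
    return 0
}

# Dry run for the second node of the clustered example (uncomment to use):
#   cmd=$(cluster_keytab_cmd secondary HTTP/client-frontend.example.com /tmp/http.keytab)
#   check_getkeytab_args ${cmd#ipa-getkeytab } && echo "would run: $cmd"
```

       The role is the only input that decides whether -r is added, so a
       deployment tool can pass it per node and never emit a key-resetting
       command on a node that is not the designated primary.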
EXIT STATUS
       The exit status is 0 on success, nonzero on error.

       0      Success

       1      Kerberos context initialization failed

       2      Incorrect usage

       3      Out of memory

       4      Invalid service principal name

       5      No Kerberos credentials cache

       6      No Kerberos principal and no bind DN and password

       7      Failed to open keytab

       8      Failed to create key material

       9      Setting keytab failed

       10     Bind password required when using a bind DN

       11     Failed to add key to keytab

       12     Failed to close keytab

FreeIPA                            Oct 10 2007                    ipa-getkeytab(1)