1ipa-getkeytab(1) FreeIPA Manual Pages ipa-getkeytab(1)
2
3
4
6 ipa-getkeytab - Get a keytab for a Kerberos principal
7
9 ipa-getkeytab -p principal-name -k keytab-file [ -e encryption-types ]
10 [ -s ipaserver ] [ -q ] [ -D|--binddn BINDDN ] [ -w|--bindpw ] [ -W ] [
11 -P|--password PASSWORD ] [ --cacert CACERT ] [ -H|--ldapuri URI ] [
12 -Y|--mech GSSAPI|EXTERNAL ] [ -r ]
13
14
16 Retrieves a Kerberos keytab.
17
18 Kerberos keytabs are used for services (like sshd) to perform Kerberos
19 authentication. A keytab is a file with one or more secrets (or keys)
20 for a Kerberos principal.
21
22 A Kerberos service principal is a Kerberos identity that can be used
23 for authentication. Service principals contain the name of the service,
24 the hostname of the server, and the realm name. For example, the fol‐
25 lowing is an example principal for an ldap server:
26
27 ldap/foo.example.com@EXAMPLE.COM
28
29 When using ipa-getkeytab the realm name is already provided, so the
30 principal name is just the service name and hostname (ldap/foo.exam‐
31 ple.com from the example above).
32
33 ipa-getkeytab is used during IPA client enrollment to retrieve a host
34 service principal and store it in /etc/krb5.keytab. It is possible to
35 retrieve the keytab without Kerberos credentials if the host was
36 pre-created with a one-time password. The keytab can be retrieved by
37 binding as the host and authenticating with this one-time password. The
38 -D|--binddn -w|--bindpw options are used for this authentication. -W
39 can be used instead of -w|--bindpw to interactively prompt for the bind
40 password.
41
42 WARNING: retrieving the keytab resets the secret for the Kerberos prin‐
43 cipal. This renders all other keytabs for that principal invalid.
44 When multiple hosts or services need to share the same key (for
45 instance in high availability or load balancing clusters), the -r
46 option must be used to retrieve the existing key instead of generating
47 a new one (please refer to the EXAMPLES section).
48
49 Note that the user or host calling ipa-getkeytab needs to be allowed to
50 generate the key with ipa host-allow-create-keytab or ipa ser‐
51 vice-allow-create-keytab, and the user or host calling ipa-getkeytab -r
52 needs to be allowed to retrieve the keytab for the host or service with
53 ipa host-allow-retrieve-keytab or ipa service-allow-retrieve-keytab.
54
55
57 -p principal-name
58 The non-realm part of the full principal name.
59
60 -k keytab-file
61 The keytab file where to append the new key (will be created if
62 it does not exist).
63
64 -e encryption-types
65 The list of encryption types to use to generate keys.
66 ipa-getkeytab will use local client defaults if not provided.
67 Valid values depend on the Kerberos library version and configu‐
68 ration. Common values are: aes256-cts aes128-cts aes256-sha2
69 aes128-sha2 camellia256-cts-cmac camellia128-cts-cmac arc‐
70 four-hmac
71
72 -s ipaserver
73 The IPA server to retrieve the keytab from (FQDN). If this
74 option is not provided the server name is read from the IPA con‐
75 figuration file (/etc/ipa/default.conf). Cannot be used together
76 with -H.
77
78 -q Quiet mode. Only errors are displayed.
79
80 --permitted-enctypes
81 This options returns a description of the permitted encryption
82 types, like this: Supported encryption types: AES-256 CTS mode
83 with 96-bit SHA-1 HMAC AES-128 CTS mode with 96-bit SHA-1 HMAC
84 AES-128 CTS mode with 128-bit SHA-256 HMAC AES-256 CTS mode with
85 192-bit SHA-384 HMAC ArcFour with HMAC/md5
86
87 -P, --password
88 Use this password for the key instead of one randomly generated.
89
90 -D, --binddn
91 The LDAP DN to bind as when retrieving a keytab without Kerberos
92 credentials. Generally used with the -w or -W options.
93
94 -w, --bindpw
95 The LDAP password to use when not binding with Kerberos. -D and
96 -w can not be used together with -Y.
97
98 -W Interactive prompt for the bind password. -D and -W can not be
99 used together with -Y
100
101 --cacert
102 The path to the IPA CA certificate used to validate LDAPS/START‐
103 TLS connections. Defaults to /etc/ipa/ca.crt
104
105 -H, --ldapuri
106 LDAP URI. If ldap:// is specified, STARTTLS is initiated by
107 default. Can not be used with -s.
108
109 -Y, --mech
110 SASL mechanism to use if -D and -w are not specified. Use either
111 GSSAPI or EXTERNAL.
112
113 -r Retrieve mode. Retrieve an existing key from the server instead
114 of generating a new one. This is incompatible with the --pass‐
115 word option, and will work only against a FreeIPA server more
116 recent than version 3.3. The user requesting the keytab must
117 have access to the keys for this operation to succeed.
118
120 Add and retrieve a keytab for the NFS service principal on the host
121 foo.example.com and save it in the file /tmp/nfs.keytab and retrieve
122 just the aes256-sha2 key.
123
124 # ipa-getkeytab -p nfs/foo.example.com -k /tmp/nfs.keytab -e aes-sha2
125
126 Add and retrieve a keytab for the ldap service principal on the host
127 foo.example.com and save it in the file /tmp/ldap.keytab.
128
129 # ipa-getkeytab -s ipaserver.example.com -p ldap/foo.example.com -k /tmp/ldap.keytab
130
131 Retrieve a keytab using LDAP credentials (this will typically be done
132 by ipa-join(1) when enrolling a client using the ipa-client-install(1)
133 command:
134
135 # ipa-getkeytab -s ipaserver.example.com -p host/foo.example.com -k /etc/krb5.keytab -D fqdn=foo.example.com,cn=computers,cn=accounts,dc=example,dc=com -w password
136
137 Add and retrieve a keytab for a clustered HTTP service deployed on
138 client1.example.com and client2.example.com (already enrolled), using
139 the client-frontend.example.com host name:
140
141 # ipa host-add client-frontend.example.com --ip-address 10.1.2.3
142 # ipa service-add HTTP/client-frontend.example.com
143 # ipa service-allow-retrieve-keytab HTTP/client-frontend.example.com --hosts={client1.example.com,client2.example.com}
144 # ipa server-allow-create-keytab HTTP/client-frontend.example.com --hosts=client1.example.com
145
146 On client1, generate and retrieve a new keytab for client-fron‐
147 tend.example.com:
148 # kinit -k
149 # ipa-getkeytab -p HTTP/client-frontend.example.com -k /tmp/http.keytab
150
151 On client2, retrieve the existing keytab for client-frontend.exam‐
152 ple.com:
153 # kinit -k
154 # ipa-getkeytab -r -p HTTP/client-frontend.example.com -k /tmp/http.keytab
155
156
158 The exit status is 0 on success, nonzero on error.
159
160 0 Success
161
162 1 Kerberos context initialization failed
163
164 2 Incorrect usage
165
166 3 Out of memory
167
168 4 Invalid service principal name
169
170 5 No Kerberos credentials cache
171
172 6 No Kerberos principal and no bind DN and password
173
174 7 Failed to open keytab
175
176 8 Failed to create key material
177
178 9 Setting keytab failed
179
180 10 Bind password required when using a bind DN
181
182 11 Failed to add key to keytab
183
184 12 Failed to close keytab
185
186
187
188FreeIPA Oct 10 2007 ipa-getkeytab(1)