author Rob Crittenden <rcritten@redhat.com> 2009-12-04 16:29:09 -0500
committer Rob Crittenden <rcritten@redhat.com> 2009-12-04 16:29:09 -0500
commit 62d40286ac67faa6b009e121035f92afa1372cf3
tree 1c9bfa065b4398aa529a65bd28ff5606858e626e /ipa-client/man
parent 8ecb5897c111b6243c5325dadf2af0e6cb1e4c33
A utility for removing principals from a keytab.
When we un-enroll a client we'll do a bit of cleanup including removing any principals for the IPA realm from /etc/krb5.keytab.

This removes principals in 2 ways:
- By principal, only entries matching the full principal are removed
- By realm. Any principal for that realm is removed

This does not change the KDC at all, just removes entries from a file on the client machine.
Diffstat (limited to 'ipa-client/man')
-rw-r--r-- ipa-client/man/Makefile.am 1
-rw-r--r-- ipa-client/man/ipa-rmkeytab.1 90
2 files changed, 91 insertions, 0 deletions
diff --git a/ipa-client/man/Makefile.am b/ipa-client/man/Makefile.am
index eee7144..bf11e39 100644
--- a/ipa-client/man/Makefile.am
+++ b/ipa-client/man/Makefile.am
@@ -6,6 +6,7 @@ NULL =
man_MANS = \
ipa-getkeytab.1 \
+ ipa-rmkeytab.1 \
ipa-client-install.1 \
ipa-join.1
diff --git a/ipa-client/man/ipa-rmkeytab.1 b/ipa-client/man/ipa-rmkeytab.1
new file mode 100644
index 0000000..a60f45c
--- /dev/null
+++ b/ipa-client/man/ipa-rmkeytab.1
@@ -0,0 +1,90 @@
+.\" A man page for ipa-rmkeytab
+.\" Copyright (C) 2009 Red Hat, Inc.
+.\"
+.\" This is free software; you can redistribute it and/or modify it under
+.\" the terms of the GNU Library General Public License as published by
+.\" the Free Software Foundation; version 2 only
+.\"
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+.\" General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU Library General Public
+.\" License along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\" Author: Rob Crittenden <rcritten@redhat.com>
+.\"
+.\"
+.TH "ipa-rmkeytab" "1" "Oct 30 2009" "freeipa" ""
+.SH "NAME"
+ipa\-rmkeytab \- Remove a kerberos principal from a keytab
+.SH "SYNOPSIS"
+ipa\-rmkeytab [ \fB\-p\fR principal\-name ] [ \fB\-k\fR keytab\-file ] [ \fB\-r\fR realm ] [ \fB\-d\fR ]
+
+.SH "DESCRIPTION"
+Removes a kerberos principal from a \fIkeytab\fR.
+
+Kerberos keytabs are used for services (like sshd) to
+perform kerberos authentication. A keytab is a file
+with one or more secrets (or keys) for a kerberos
+principal.
+
+A kerberos service principal is a kerberos identity
+that can be used for authentication. Service principals
+contain the name of the service, the hostname of the
+server, and the realm name.
+
+ipa\-rmkeytab provides two ways to remove principals.
+A specific principal can be removed or all principals for all
+principals for a given realm can be removed.
+
+All encryption types and versions of a principal are removed.
+
+The realm may be included when removing a specific principal but
+it is not required.
+
+\fBNOTE:\fR removing a principal from the keytab does not affect
+the Kerberos principal stored in the IPA server. It merely removes
+the entry from the local keytab.
+.SH "OPTIONS"
+.TP
+\fB\-p principal\-name\fR
+The non\-realm part of the full principal name.
+.TP
+\fB\-k keytab\-file\fR
+The keytab file where to append the new key (will be
+created if it does not exist).
+.TP
+\fB\-r realm\fR
+A realm to remove all principals for.
+.TP
+\fB\-d\fR
+Debug mode. Additional information is displayed.
+.SH "EXAMPLES"
+Remove the NFS service principal on the host foo.example.com from /tmp/nfs.keytab.
+
+ # ipa\-rmkeytab \-p nfs/foo.example.com \-k /tmp/nfs.keytab
+
+Remove the ldap service principal onthe host foo.example.com from /etc/krb5.keytab.
+
+ # ipa\-rmkeytab \-p ldap/foo.example.com \-k /tmp/ldap.keytab
+
+Remove all principals for the realm EXAMPLE.COM.
+
+ # ipa\-rmkeytab \-r EXAMPLE.COM \-k /tmp/ldap.keytab
+.SH "EXIT STATUS"
+The exit status is 0 on success, nonzero on error.
+
+1 Kerberos initialization failed
+
+2 Memory allocation error
+
+3 Unable to open keytab
+
+4 Unable to parse the principal name
+
+5 Principal name not found in keytab
+
+6 Unable to remove principal from keytab
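Review bot: The \-k entry under OPTIONS ("The keytab file where to append the new key (will be created if it does not exist)") describes adding a key, not removing one; for a cleanup tool that is run at un-enrollment it should say something like "The keytab file to remove the principal(s) from". The SYNOPSIS also brackets \-k as optional without documenting which keytab is used when it is omitted, and brackets both \-p and \-r without saying that one of them must be given or whether they can be combined. In EXAMPLES, the second description says /etc/krb5.keytab while the command uses /tmp/ldap.keytab, and "onthe" needs a space. In DESCRIPTION, "all principals for all principals for a given realm" repeats itself, and the \-p text ("The non\-realm part of the full principal name") conflicts with the statement that the realm may be included. The license header names the GNU Library General Public License in two places and the GNU General Public License in a third; pick the one that applies. Since leftover keytab entries remain usable credentials on disk, it would help to document whether exit status 5 is also returned when \-r matches no entries, so callers can tell "nothing to remove" from a real failure.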