path: root/ipa-client/man
diff options
authorRob Crittenden <>2009-12-04 16:29:09 -0500
committerRob Crittenden <>2009-12-04 16:29:09 -0500
commit62d40286ac67faa6b009e121035f92afa1372cf3 (patch)
tree1c9bfa065b4398aa529a65bd28ff5606858e626e /ipa-client/man
parent8ecb5897c111b6243c5325dadf2af0e6cb1e4c33 (diff)
A utility for removing principals from a keytab.
When we un-enroll a client we'll do a bit of cleanup including removing any principals for the IPA realm from /etc/krb5.keytab. This removes principals in 2 ways: - By principal, only entries matching the full principal are removed - By realm. Any principal for that realm is removed This does not change the KDC at all, just removes entries from a file on the client machine.
Diffstat (limited to 'ipa-client/man')
2 files changed, 91 insertions, 0 deletions
diff --git a/ipa-client/man/ b/ipa-client/man/
index eee7144..bf11e39 100644
--- a/ipa-client/man/
+++ b/ipa-client/man/
@@ -6,6 +6,7 @@ NULL =
man_MANS = \
ipa-getkeytab.1 \
+ ipa-rmkeytab.1 \
ipa-client-install.1 \
diff --git a/ipa-client/man/ipa-rmkeytab.1 b/ipa-client/man/ipa-rmkeytab.1
new file mode 100644
index 0000000..a60f45c
--- /dev/null
+++ b/ipa-client/man/ipa-rmkeytab.1
@@ -0,0 +1,90 @@
+.\" A man page for ipa-rmkeytab
+.\" Copyright (C) 2009 Red Hat, Inc.
+.\" This is free software; you can redistribute it and/or modify it under
+.\" the terms of the GNU Library General Public License as published by
+.\" the Free Software Foundation; version 2 only
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" General Public License for more details.
+.\" You should have received a copy of the GNU Library General Public
+.\" License along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\" Author: Rob Crittenden <>
+.TH "ipa-rmkeytab" "1" "Oct 30 2009" "freeipa" ""
+ipa\-rmkeytab \- Remove a kerberos principal from a keytab
+ipa\-rmkeytab [ \fB\-p\fR principal\-name ] [ \fB\-k\fR keytab\-file ] [ \fB\-r\fR realm ] [ \fB\-d\fR ]
+Removes a kerberos principal from a \fIkeytab\fR.
+Kerberos keytabs are used for services (like sshd) to
+perform kerberos authentication. A keytab is a file
+with one or more secrets (or keys) for a kerberos
+A kerberos service principal is a kerberos identity
+that can be used for authentication. Service principals
+contain the name of the service, the hostname of the
+server, and the realm name.
+ipa\-rmkeytab provides two ways to remove principals.
+A specific principal can be removed or all principals for all
+principals for a given realm can be removed.
+All encryption types and versions of a principal are removed.
+The realm may be included when removing a specific principal but
+it is not required.
+\fBNOTE:\fR removing a principal from the keytab does not affect
+the Kerberos principal stored in the IPA server. It merely removes
+the entry from the local keytab.
+\fB\-p principal\-name\fR
+The non\-realm part of the full principal name.
+\fB\-k keytab\-file\fR
+The keytab file where to append the new key (will be
+created if it does not exist).
+\fB\-r realm\fR
+A realm to remove all principals for.
+Debug mode. Additional information is displayed.
+Remove the NFS service principal on the host from /tmp/nfs.keytab.
+ # ipa\-rmkeytab \-p nfs/ \-k /tmp/nfs.keytab
+Remove the ldap service principal onthe host from /etc/krb5.keytab.
+ # ipa\-rmkeytab \-p ldap/ \-k /tmp/ldap.keytab
+Remove all principals for the realm EXAMPLE.COM.
+ # ipa\-rmkeytab \-r EXAMPLE.COM \-k /tmp/ldap.keytab
+The exit status is 0 on success, nonzero on error.
+1 Kerberos initialization failed
+2 Memory allocation error
+3 Unable to open keytab
+4 Unable to parse the principal name
+5 Principal name not found in keytab
+6 Unable to remove principal from keytab