summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--ipa-client/ipa-getkeytab.c13
-rw-r--r--ipa-client/man/ipa-getkeytab.128
2 files changed, 32 insertions, 9 deletions
diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c
index e81f305fb..8e02a4316 100644
--- a/ipa-client/ipa-getkeytab.c
+++ b/ipa-client/ipa-getkeytab.c
@@ -330,7 +330,7 @@ static int ldap_set_keytab(const char *servername,
ret = ldap_sasl_interactive_bind_s(ld,
NULL, "GSSAPI",
NULL, NULL,
- LDAP_SASL_AUTOMATIC,
+ LDAP_SASL_QUIET,
ldap_sasl_interact, princ);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, "SASL Bind failed!\n");
@@ -449,11 +449,13 @@ int main(int argc, char *argv[])
static const char *principal = NULL;
static const char *keytab = NULL;
static const char *enctypes_string = NULL;
+ int quiet = 0;
struct poptOption options[] = {
{ "server", 's', POPT_ARG_STRING, &server, 0, "Contact this specific KDC Server", "Server Name" },
{ "principal", 'p', POPT_ARG_STRING, &principal, 0, "The principal to get a keytab for (ex: ftp/ftp.example.com@EXAMPLE.COM)", "Kerberos Service Principal Name" },
{ "keytab", 'k', POPT_ARG_STRING, &keytab, 0, "File were to store the keytab information", "Keytab File Name" },
{ "enctypes", 'e', POPT_ARG_STRING, &enctypes_string, 0, "Encryption types to request", "Comma separated encription types list" },
+ { "quiet", 'q', POPT_ARG_NONE, &quiet, 0, "Print as little as possible", "Output only on errors"},
{ NULL, 0, POPT_ARG_NONE, NULL, 0, NULL, NULL }
};
poptContext pc;
@@ -474,7 +476,9 @@ int main(int argc, char *argv[])
pc = poptGetContext("ipa-getkeytab", argc, (const char **)argv, options, 0);
ret = poptGetNextOpt(pc);
if (ret != -1 || !server || !principal || !keytab) {
- poptPrintUsage(pc, stderr, 0);
+ if (!quiet) {
+ poptPrintUsage(pc, stderr, 0);
+ }
exit(1);
}
@@ -560,5 +564,10 @@ int main(int argc, char *argv[])
exit (12);
}
+ if (!quiet) {
+ fprintf(stderr,
+ "Keytab successfully retrieved and stored in: %s\n",
+ keytab);
+ }
exit(0);
}
diff --git a/ipa-client/man/ipa-getkeytab.1 b/ipa-client/man/ipa-getkeytab.1
index 3ca1b458b..29710918a 100644
--- a/ipa-client/man/ipa-getkeytab.1
+++ b/ipa-client/man/ipa-getkeytab.1
@@ -15,16 +15,16 @@
.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\" Author: Karl MacMillan <kmacmill@redhat.com>
+.\" Author: Simo Sorce <ssorce@redhat.com>
.\"
.TH "ipa-getkeytab" "1" "Oct 10 2007" "freeipa" ""
.SH "NAME"
ipa\-getkeytab \- Get a keytab for a kerberos principal
.SH "SYNOPSIS"
-ipa\-getkeytab [\fI-a\fR] \fIprincipal-name\fR \fIfile-name\fR
+ipa\-getkeytab <\fI-s ipaserver\fR> <\fI-p principal-name\fR> <\fI-k keytab-file\fR> [\fI-e encryption-types\fR] [\fI-q\fR]
.SH "DESCRIPTION"
-Retrieves a kerberos \fIkeytab\fR and optionally adds a
-service \fIprincipal\fR.
+Retrieves a kerberos \fIkeytab\fR.
Kerberos keytabs are used for services (like sshd) to
perform kerberos authentication. A keytab is a file
@@ -41,7 +41,7 @@ is an example principal for an ldap server:
When using ipa-getkeytab the realm name is already
provided, so the principal name is just the service
-name and hostname (ldap/foo.example.com from the
+name and hostname (ldap/foo.example.com from the
example above).
\fBWARNING:\fR retrieving the keytab resets the secret
@@ -49,15 +49,29 @@ rendering all other keytabs for that principal invalid.
.SH "OPTIONS"
.TP
-\fB\-a\fR
-Add the service principal in addition to getting the keytab
+\fB\-s ipaserver\fR
+The IPA Server to retrieve the keytab from (FQDN).
+
+\fB\-p principal-name\fR
+The non realm part of the full principal name.
+
+\fB\-k keytab-file\fR
+The keytab file where to append the new key (will be
+created if not existing).
+
+\fB\-e encryption-types\fR
+The list of encryption types to use to generate keys.
+ipa-getkeytab will use local client defaults if not provided.
+
+\fB\-q\fR
+Keep quiet.
.SH "EXAMPLES"
Add and retrieve a keytab for the ldap service principal on
the host foo.example.com and save it in the file ldap.keytab.
- # ipa-getkeytab -a ldap/foo.example.com ldap.keytab
+ # ipa-getkeytab -s ipaserver.example.com -p nfs/foo.example.com -k /tmp/ldap.keytab -e des-cbc-crc
.SH "EXIT STATUS"
The exit status is 0 on success, nonzero on error.