-rw-r--r-- | ipa-client/ipa-getkeytab.c | 13 | ||||
-rw-r--r-- | ipa-client/man/ipa-getkeytab.1 | 28 |
2 files changed, 32 insertions, 9 deletions
diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c
index e81f305fb..8e02a4316 100644
--- a/ipa-client/ipa-getkeytab.c
+++ b/ipa-client/ipa-getkeytab.c
@@ -330,7 +330,7 @@ static int ldap_set_keytab(const char *servername,
 ret = ldap_sasl_interactive_bind_s(ld, NULL, "GSSAPI", NULL, NULL,
- LDAP_SASL_AUTOMATIC,
+ LDAP_SASL_QUIET,
 ldap_sasl_interact, princ);
 if (ret != LDAP_SUCCESS) {
 fprintf(stderr, "SASL Bind failed!\n");
@@ -449,11 +449,13 @@ int main(int argc, char *argv[])
 static const char *principal = NULL;
 static const char *keytab = NULL;
 static const char *enctypes_string = NULL;
+ int quiet = 0;
 struct poptOption options[] = {
 { "server", 's', POPT_ARG_STRING, &server, 0, "Contact this specific KDC Server", "Server Name" },
 { "principal", 'p', POPT_ARG_STRING, &principal, 0, "The principal to get a keytab for (ex: ftp/ftp.example.com@EXAMPLE.COM)", "Kerberos Service Principal Name" },
 { "keytab", 'k', POPT_ARG_STRING, &keytab, 0, "File were to store the keytab information", "Keytab File Name" },
 { "enctypes", 'e', POPT_ARG_STRING, &enctypes_string, 0, "Encryption types to request", "Comma separated encription types list" },
+ { "quiet", 'q', POPT_ARG_NONE, &quiet, 0, "Print as little as possible", "Output only on errors"},
 { NULL, 0, POPT_ARG_NONE, NULL, 0, NULL, NULL }
 };
 poptContext pc;
@@ -474,7 +476,9 @@ int main(int argc, char *argv[])
 pc = poptGetContext("ipa-getkeytab", argc, (const char **)argv, options, 0);
 ret = poptGetNextOpt(pc);
 if (ret != -1 || !server || !principal || !keytab) {
- poptPrintUsage(pc, stderr, 0);
+ if (!quiet) {
+ poptPrintUsage(pc, stderr, 0);
+ }
 exit(1);
 }
@@ -560,5 +564,10 @@ int main(int argc, char *argv[])
 exit (12);
 }
+ if (!quiet) {
+ fprintf(stderr,
+ "Keytab successfully retrieved and stored in: %s\n",
+ keytab);
+ }
 exit(0);
 }
diff --git a/ipa-client/man/ipa-getkeytab.1 b/ipa-client/man/ipa-getkeytab.1
index 3ca1b458b..29710918a 100644
--- a/ipa-client/man/ipa-getkeytab.1
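Review bot: LDAP_SASL_QUIET is switched on unconditionally in ldap_set_keytab rather than tied to the new -q flag, and because quiet mode never prompts, any interaction that ldap_sasl_interact cannot answer from princ now surfaces only as the bare "SASL Bind failed!" on the context line below, with no reason attached. Suggest `fprintf(stderr, "SASL Bind failed: %s\n", ldap_err2string(ret));` so an operator can tell a missing credential apart from a server-side rejection, plus a one-line comment on the bind call such as `/* never prompt: credentials must come from the interact callback */`. ldap_set_keytab starts and continues outside this hunk.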
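Review bot: The new "quiet" entry puts "Output only on errors" in the argDescrip slot, which popt uses to name an option's argument in --help; for a POPT_ARG_NONE flag that slot is conventionally NULL, so -q may be rendered as if it took an argument (verify against the actual --help output). Fold the wording into the description instead: `{ "quiet", 'q', POPT_ARG_NONE, &quiet, 0, "Print as little as possible, output only on errors", NULL },`. The options table is inside main, whose body continues outside the hunk.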
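Review bot: Gating poptPrintUsage on !quiet contradicts the flag's own help text, "Output only on errors", in the previous hunk: a missing -s/-p/-k or a popt parse failure is an error, yet with -q the process now exits 1 with nothing on stderr, and the parse-failure case (ret != -1) already drops the popt reason. Keep the usage message unconditional, or at minimum print a one-line diagnostic in the quiet path: `fprintf(stderr, "ipa-getkeytab: %s\n", ret != -1 ? poptStrerror(ret) : "missing required option");` before `exit(1)`. main continues outside this hunk.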
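Review bot: The success notice is written to stderr, so in the default (non -q) mode the tool's only normal-path output lands on the error stream and callers that capture stderr to detect failures will treat a successful run as an error. Print it on stdout, `printf("Keytab successfully retrieved and stored in: %s\n", keytab);`, and keep stderr for diagnostics; a short comment like `/* informational, stdout; errors above go to stderr */` would make the split intentional. The enclosing main begins outside the hunk.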
+++ b/ipa-client/man/ipa-getkeytab.1
@@ -15,16 +15,16 @@
 .\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 .\"
 .\" Author: Karl MacMillan <kmacmill@redhat.com>
+.\" Author: Simo Sorce <ssorce@redhat.com>
 .\"
 .TH "ipa-getkeytab" "1" "Oct 10 2007" "freeipa" ""
 .SH "NAME"
 ipa\-getkeytab \- Get a keytab for a kerberos principal
 .SH "SYNOPSIS"
-ipa\-getkeytab [\fI-a\fR] \fIprincipal-name\fR \fIfile-name\fR
+ipa\-getkeytab <\fI-s ipaserver\fR> <\fI-p principal-name\fR> <\fI-k keytab-file\fR> [\fI-e encryption-types\fR] [\fI-q\fR]
 .SH "DESCRIPTION"
-Retrieves a kerberos \fIkeytab\fR and optionally adds a
-service \fIprincipal\fR.
+Retrieves a kerberos \fIkeytab\fR.
 Kerberos keytabs are used for services (like sshd) to perform kerberos authentication. A keytab is a file
@@ -41,7 +41,7 @@ is an example principal for an ldap server:
 When using ipa-getkeytab the realm name is already provided, so the principal name is just the service
-name and hostname (ldap/foo.example.com from the
+name and hostname (ldap/foo.example.com from the
 example above). \fBWARNING:\fR retrieving the keytab resets the secret 
@@ -49,15 +49,29 @@ rendering all other keytabs for that principal invalid.
 .SH "OPTIONS"
 .TP
-\fB\-a\fR
-Add the service principal in addition to getting the keytab
+\fB\-s ipaserver\fR
+The IPA Server to retrieve the keytab from (FQDN).
+
+\fB\-p principal-name\fR
+The non realm part of the full principal name.
+
+\fB\-k keytab-file\fR
+The keytab file where to append the new key (will be
+created if not existing).
+
+\fB\-e encryption-types\fR
+The list of encryption types to use to generate keys.
+ipa-getkeytab will use local client defaults if not provided.
+
+\fB\-q\fR
+Keep quiet.
 .SH "EXAMPLES"
 Add and retrieve a keytab for the ldap service principal on the host foo.example.com and save it in the file ldap.keytab.
- # ipa-getkeytab -a ldap/foo.example.com ldap.keytab
+ # ipa-getkeytab -s ipaserver.example.com -p nfs/foo.example.com -k /tmp/ldap.keytab -e des-cbc-crc
 .SH "EXIT STATUS"
 The exit status is 0 on success, nonzero on error. |