From 81fe26bdcfdfc1673d4c499eaa1183be1ccee281 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Wed, 6 Oct 2010 09:23:33 -0400 Subject: Add missing options to ipa-getkeytab man page. ticket 229 --- ipa-client/man/ipa-getkeytab.1 | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) (limited to 'ipa-client/man') diff --git a/ipa-client/man/ipa-getkeytab.1 b/ipa-client/man/ipa-getkeytab.1 index cb4c184c5..ed078759d 100644 --- a/ipa-client/man/ipa-getkeytab.1 +++ b/ipa-client/man/ipa-getkeytab.1 @@ -19,19 +19,19 @@ .\" .TH "ipa-getkeytab" "1" "Oct 10 2007" "freeipa" "" .SH "NAME" -ipa\-getkeytab \- Get a keytab for a kerberos principal +ipa\-getkeytab \- Get a keytab for a Kerberos principal .SH "SYNOPSIS" -ipa\-getkeytab \fB\-s\fR \fIipaserver\fR \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR encryption\-types ] [ \fB\-q\fR ] +ipa\-getkeytab \fB\-s\fR \fIipaserver\fR \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR encryption\-types ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ] .SH "DESCRIPTION" -Retrieves a kerberos \fIkeytab\fR. +Retrieves a Kerberos \fIkeytab\fR. Kerberos keytabs are used for services (like sshd) to -perform kerberos authentication. A keytab is a file -with one or more secrets (or keys) for a kerberos +perform Kerberos authentication. A keytab is a file +with one or more secrets (or keys) for a Kerberos principal. -A kerberos service principal is a kerberos identity +A Kerberos service principal is a Kerberos identity that can be used for authentication. Service principals contain the name of the service, the hostname of the server, and the realm name. For example, the following 
@@ -46,6 +46,8 @@ example above). \fBWARNING:\fR retrieving the keytab resets the secret for the Kerberos principal. This renders all other keytabs for that principal invalid. + +This is used during IPA client enrollement to retrieve a host service principal and store it in /etc/krb5.conf. It is possible to retrieve the keytab without Kerberos credentials if the host was pre\-created with a one\-time password. The keytab can be retrieved by binding as the host and authenticating with this one\-time password. The \fB\-D|\-\-binddn\fR and \fB\-w|\-\-binddn\fR options are used for this authentication. .SH "OPTIONS" .TP \fB\-s ipaserver\fR @@ -61,7 +63,7 @@ created if it does not exist). \fB\-e encryption\-types\fR The list of encryption types to use to generate keys. ipa\-getkeytab will use local client defaults if not provided. -Valid values depend on the kerberos library version and configuration. +Valid values depend on the Kerberos library version and configuration. Common values are: aes256\-cts aes128\-cts @@ -84,6 +86,15 @@ ArcFour with HMAC/md5 DES cbc mode with CRC\-32 DES cbc mode with RSA\-MD5 DES cbc mode with RSA\-MD4 +.TP +\fB\-P, \-\-password\fR +Use this password for the key instead of one randomly generated. +.TP +\fB\-D, \-\-binddn\fR +The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Generally used with the \fB\-w\fR option. +.TP +\fB\-w, \-\-bindpw\fR +The LDAP password to use when not when not binding with Kerberos. .SH "EXAMPLES" Add and retrieve a keytab for the NFS service principal on the host foo.example.com and save it in the file /tmp/nfs.keytab and retrieve just the des\-cbc\-crc key. 
@@ -95,8 +106,9 @@ the host foo.example.com and save it in the file /tmp/ldap.keytab. # ipa\-getkeytab \-s ipaserver.example.com \-p ldap/foo.example.com \-k /tmp/ldap.keytab +Retrieve a keytab using LDAP credentials (this will typically be done by \fBipa\-join(1)\fR when enrolling a client using the \fBipa\-client\-install(1)\fR command: - + # ipa\-getkeytab \-s ipaserver.example.com \-p host/foo.example.com \-k /etc/krb5.keytab \-D fqdn=foo.example.com,cn=computers,cn=accounts,dc=example,dc=com \-w password .SH "EXIT STATUS" The exit status is 0 on success, nonzero on error. -- cgit
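Review bot: In the new SYNOPSIS line (hunk @@ -19,19), "[ \fB\-w|\-\-bindpw\fR ]" is missing its argument and is marked up differently from the two options beside it; the option takes the bind password (the EXAMPLES hunk passes "\-w password"), so it should read "[ \fB\-w\fR|\fB\-\-bindpw\fR \fIBINDPW\fR ]" to match "\fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR" and "\fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR".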
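Review bot: The new DESCRIPTION paragraph (hunk @@ -46,6) says the host service principal is stored in /etc/krb5.conf, but that file is the Kerberos client configuration, not a keytab; the EXAMPLES hunk writes the host keytab to /etc/krb5.keytab, so the text should say /etc/krb5.keytab. The same paragraph names the options as "\fB\-D|\-\-binddn\fR and \fB\-w|\-\-binddn\fR", repeating the \-D long name; per the OPTIONS hunk the long form of \-w is \-\-bindpw. "enrollement" should also be "enrollment".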
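Review bot: The "\fB\-w, \-\-bindpw\fR" description (hunk @@ -84,6) reads "to use when not when not binding with Kerberos"; drop the duplicated "when not". The three new .TP entries also omit the argument names that the existing entries carry ("\fB\-s ipaserver\fR", "\fB\-e encryption\-types\fR"), so they should name their PASSWORD, BINDDN and BINDPW arguments. For \-P it would help to state that a key derived from a supplied password has only the entropy of that password, unlike the randomly generated default, and that a password passed as a command-line argument (\-P or \-w) is visible to other local users in the process list.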
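Review bot: The lead-in to the new example (hunk @@ -95,8) has an unbalanced parenthesis: "(this will typically be done by \fBipa\-join(1)\fR when enrolling a client using the \fBipa\-client\-install(1)\fR command:" opens "(" but never closes it; add ")" before the colon. The example shows the bind password as the literal word "password"; since the DESCRIPTION says this path is for the host's one-time enrollment password, a placeholder such as "one\-time\-password" would make clearer what value belongs there. The "- " to "+ " change is a whitespace-only edit of a blank line and could be dropped to keep the diff minimal.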