1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
|
.\" A man page for ipa-getkeytab
.\" Copyright (C) 2007 Red Hat, Inc.
.\"
.\" This is free software; you can redistribute it and/or modify it under
.\" the terms of the GNU Library General Public License as published by
.\" the Free Software Foundation; version 2 only
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU Library General Public
.\" License along with this program; if not, write to the Free Software
.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\" Author: Karl MacMillan <kmacmill@redhat.com>
.\" Author: Simo Sorce <ssorce@redhat.com>
.\"
.TH "ipa-getkeytab" "1" "Oct 10 2007" "freeipa" ""
.SH "NAME"
ipa\-getkeytab \- Get a keytab for a kerberos principal
.SH "SYNOPSIS"
ipa\-getkeytab [ \fB\-s\fR ipaserver ] [ \fB\-p\fR principal\-name ] [ \fB\-k\fR keytab\-file ] [ \fB\-e\fR encryption\-types ] [ \fB\-q\fR ]
.SH "DESCRIPTION"
Retrieves a kerberos \fIkeytab\fR.
Kerberos keytabs are used for services (like sshd) to
perform kerberos authentication. A keytab is a file
with one or more secrets (or keys) for a kerberos
principal.
A kerberos service principal is a kerberos identity
that can be used for authentication. Service principals
contain the name of the service, the hostname of the
server, and the realm name. For example, the following
is an example principal for an ldap server:
ldap/foo.example.com@EXAMPLE.COM
When using ipa\-getkeytab the realm name is already
provided, so the principal name is just the service
name and hostname (ldap/foo.example.com from the
example above).
\fBWARNING:\fR retrieving the keytab resets the secret for the Kerberos principal.
This renders all other keytabs for that principal invalid.
.SH "OPTIONS"
.TP
\fB\-s ipaserver\fR
The IPA server to retrieve the keytab from (FQDN).
.TP
\fB\-p principal\-name\fR
The non\-realm part of the full principal name.
.TP
\fB\-k keytab\-file\fR
The keytab file where to append the new key (will be
created if it does not exist).
.TP
\fB\-e encryption\-types\fR
The list of encryption types to use to generate keys.
ipa\-getkeytab will use local client defaults if not provided.
Valid values depend on the kerberos library version and configuration.
Common values are:
aes256\-cts
aes128\-cts
des3\-hmac\-sha1
arcfour\-hmac
des\-hmac\-sha1
des\-cbc\-md5
des\-cbc\-crc
.TP
\fB\-q\fR
Quiet mode. Only errors are displayed.
.TP
\fB\-\-permitted\-enctypes\fR
This options returns a description of the permitted encryption types, like this:
Supported encryption types:
AES\-256 CTS mode with 96\-bit SHA\-1 HMAC
AES\-128 CTS mode with 96\-bit SHA\-1 HMAC
Triple DES cbc mode with HMAC/sha1
ArcFour with HMAC/md5
DES cbc mode with CRC\-32
DES cbc mode with RSA\-MD5
DES cbc mode with RSA\-MD4
.SH "EXAMPLES"
Add and retrieve a keytab for the NFS service principal on
the host foo.example.com and save it in the file /tmp/nfs.keytab and retrieve just the des\-cbc\-crc key.
# ipa\-getkeytab \-s ipaserver.example.com \-p nfs/foo.example.com \-k /tmp/nfs.keytab \-e des\-cbc\-crc
Add and retrieve a keytab for the ldap service principal on
the host foo.example.com and save it in the file /tmp/ldap.keytab.
# ipa\-getkeytab \-s ipaserver.example.com \-p ldap/foo.example.com \-k /tmp/ldap.keytab
.SH "EXIT STATUS"
The exit status is 0 on success, nonzero on error.
|