authorRob Crittenden <>2010-10-06 09:23:33 -0400
committerRob Crittenden <>2010-10-11 22:35:47 -0400
Add missing options to ipa-getkeytab man page.
ticket 229
.TH "ipa-getkeytab" "1" "Oct 10 2007" "freeipa" ""
-ipa\-getkeytab \- Get a keytab for a kerberos principal
+ipa\-getkeytab \- Get a keytab for a Kerberos principal
-ipa\-getkeytab \fB\-s\fR \fIipaserver\fR \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR encryption\-types ] [ \fB\-q\fR ]
+ipa\-getkeytab \fB\-s\fR \fIipaserver\fR \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR encryption\-types ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ]
-Retrieves a kerberos \fIkeytab\fR.
+Retrieves a Kerberos \fIkeytab\fR.
Kerberos keytabs are used for services (like sshd) to
-perform kerberos authentication. A keytab is a file
-with one or more secrets (or keys) for a kerberos
+perform Kerberos authentication. A keytab is a file
+with one or more secrets (or keys) for a Kerberos
-A kerberos service principal is a kerberos identity
+A Kerberos service principal is a Kerberos identity
that can be used for authentication. Service principals
contain the name of the service, the hostname of the
server, and the realm name. For example, the following
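Review bot: the new SYNOPSIS entry `[ \fB\-w|\-\-bindpw\fR ]` omits the argument placeholder that the other two added options carry (`\fIBINDDN\fR`, `\fIPASSWORD\fR`), even though the EXAMPLES hunk passes a value to it (`\-w password`); suggest `[ \fB\-w\fR|\fB\-\-bindpw\fR \fIBINDPW\fR ]`, which also matches the `\fB\-D\fR|\fB\-\-binddn\fR` bold/italic pattern used for the neighbouring options.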
@@ -46,6 +46,8 @@ example above).
\fBWARNING:\fR retrieving the keytab resets the secret for the Kerberos principal.
This renders all other keytabs for that principal invalid.
+This is used during IPA client enrollement to retrieve a host service principal and store it in /etc/krb5.conf. It is possible to retrieve the keytab without Kerberos credentials if the host was pre\-created with a one\-time password. The keytab can be retrieved by binding as the host and authenticating with this one\-time password. The \fB\-D|\-\-binddn\fR and \fB\-w|\-\-binddn\fR options are used for this authentication.
\fB\-s ipaserver\fR
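Review bot: the added paragraph says the host service principal is stored in /etc/krb5.conf, but a keytab is not a krb5.conf entry and the new EXAMPLES hunk writes it with `\-k /etc/krb5.keytab`; change the path to /etc/krb5.keytab. In the same line `\fB\-w|\-\-binddn\fR` should read `\fB\-w|\-\-bindpw\fR` (the OPTIONS hunk documents `\-w, \-\-bindpw`), and "enrollement" is a typo for "enrollment".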
@@ -61,7 +63,7 @@ created if it does not exist).
\fB\-e encryption\-types\fR
The list of encryption types to use to generate keys.
ipa\-getkeytab will use local client defaults if not provided.
-Valid values depend on the kerberos library version and configuration.
+Valid values depend on the Kerberos library version and configuration.
Common values are:
@@ -84,6 +86,15 @@ ArcFour with HMAC/md5
DES cbc mode with CRC\-32
DES cbc mode with RSA\-MD5
DES cbc mode with RSA\-MD4
+\fB\-P, \-\-password\fR
+Use this password for the key instead of one randomly generated.
+\fB\-D, \-\-binddn\fR
+The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Generally used with the \fB\-w\fR option.
+\fB\-w, \-\-bindpw\fR
+The LDAP password to use when not when not binding with Kerberos.
Add and retrieve a keytab for the NFS service principal on
the host and save it in the file /tmp/nfs.keytab and retrieve just the des\-cbc\-crc key.
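Review bot: the `\-w, \-\-bindpw` description contains the duplicated phrase "when not when not binding"; suggest "The LDAP password to use when not binding with Kerberos." The three new entries also omit their argument names, unlike `\fB\-e encryption\-types\fR` just above them; suggest `\fB\-P, \-\-password PASSWORD\fR`, `\fB\-D, \-\-binddn BINDDN\fR` and `\fB\-w, \-\-bindpw BINDPW\fR`. For `\-P` it would help readers to state that a key derived from a supplied password is only as strong as that password, since the default described here is a randomly generated key.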
@@ -95,8 +106,9 @@ the host and save it in the file /tmp/ldap.keytab.
# ipa\-getkeytab \-s \-p ldap/ \-k /tmp/ldap.keytab
+Retrieve a keytab using LDAP credentials (this will typically be done by \fBipa\-join(1)\fR when enrolling a client using the \fBipa\-client\-install(1)\fR command:
+ # ipa\-getkeytab \-s \-p host/ \-k /etc/krb5.keytab \-D,cn=computers,cn=accounts,dc=example,dc=com \-w password
The exit status is 0 on success, nonzero on error.
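Review bot: in the added example the bind DN `\-D,cn=computers,cn=accounts,dc=example,dc=com` begins with a comma, so the leading RDN naming the host entry is missing, and the `\-s` and `\-p host/` arguments are likewise empty; as printed the command cannot run, so fill in the server and host names consistently with the surrounding examples. The introductory sentence also opens a parenthesis at "(this will typically be done by" that is never closed; add ")" after "command".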