.\" A man page for ipa-join
.\" Copyright (C) 2009 Red Hat, Inc.
.\"
.\" This is free software; you can redistribute it and/or modify it under
.\" the terms of the GNU Library General Public License as published by
.\" the Free Software Foundation; version 2 only
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU Library General Public
.\" License along with this program; if not, write to the Free Software
.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\" Author: Rob Crittenden
.\"
.TH "ipa-join" "1" "Oct 8 2009" "freeipa" ""
.SH "NAME"
ipa\-join \- Join a machine to an IPA realm and get a keytab for the host service principal
.SH "SYNOPSIS"
ipa\-join [ \fB\-h\fR hostname ] [ \fB\-k\fR keytab\-file ] [ \fB\-s\fR server ] [ \fB\-w\fR bulk\-bind\-password ] [ \fB\-d\fR ] [ \fB\-q\fR ]
.SH "DESCRIPTION"
Joins a host to an IPA realm and retrieves a Kerberos \fIkeytab\fR for the host service principal.

Kerberos keytabs are used by services (like sshd) to perform Kerberos authentication. A keytab is a file with one or more secrets (or keys) for a Kerberos principal.

The ipa\-join command will create and retrieve a service principal for host/foo.example.com@EXAMPLE.COM and place it by default into /etc/krb5.keytab. The location can be overridden with the \-k option.

The IPA server to contact is set in /etc/ipa/default.conf by default and can be overridden using the \-s,\-\-server option.

In order to join, the machine needs to be authenticated. This can happen in one of two ways:

* Authenticate using the current Kerberos principal
.br
* Provide a password to authenticate with

If a client host has already been joined to the IPA realm, the ipa\-join command will fail. The host will need to be removed from the server using \fBipa host\-del FQDN\fR in order to join the client to the realm.

This command is normally executed by the ipa\-client\-install command as part of the enrollment process.
.SH "OPTIONS"
.TP
\fB\-h,\-\-hostname hostname\fR
The hostname of this server (FQDN). By default the nodename from uname(2) is used.
.TP
\fB\-s,\-\-server server\fR
The hostname of the IPA server to contact (FQDN). By default the server set in /etc/ipa/default.conf is used.
.TP
\fB\-k,\-\-keytab keytab\-file\fR
The keytab file to which the new key is appended (it will be created if it does not exist). Default: /etc/krb5.keytab
.TP
\fB\-w,\-\-bindpw password\fR
The password to use if not using Kerberos to authenticate.
.TP
\fB\-q,\-\-quiet\fR
Quiet mode. Only errors are displayed.
.TP
\fB\-d,\-\-debug\fR
Debug mode.
.SH "EXAMPLES"
Join IPA domain and retrieve a keytab with Kerberos credentials.

   # kinit admin
   # ipa\-join

Join IPA domain and retrieve a keytab using a one\-time password.

   # ipa\-join \-w secret123

Join IPA domain and save the keytab in another location.

   # ipa\-join \-k /tmp/host.keytab
.SH "EXIT STATUS"
The exit status is 0 on success, nonzero on error.
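.PP
Added example, not part of the original man page or FreeIPA code: a shell wrapper that joins with the current Kerberos credentials instead of \-w (command\-line arguments are visible to other local users in the process list) and then checks that the resulting keytab is private. IPA_JOIN and the function names are hypothetical, introduced here so the wrapper can be exercised with a stand\-in command.

```shell
#!/bin/sh
# Added example (not FreeIPA code): join with the current Kerberos ticket,
# then verify the keytab that ipa-join wrote is private.
# IPA_JOIN is a hypothetical override so a stand-in command can be used.
IPA_JOIN=${IPA_JOIN:-ipa-join}

# keytab_is_private FILE
# Succeeds only if FILE is a regular file, is not a symlink, and grants no
# permissions to group or other. A keytab holds the host's long-term keys.
keytab_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$1" | cut -c5-10) || return 1
    [ "$perms" = "------" ]
}

# join_realm KEYTAB
# Runs "ipa-join -k KEYTAB" and returns its exit status (0 on success,
# nonzero on error). No -w is passed: authentication uses the current
# Kerberos principal, so run kinit first.
join_realm() {
    keytab=$1
    rc=0
    old_umask=$(umask)
    umask 077    # defensive: any file created during the join starts private
    "$IPA_JOIN" -k "$keytab" || rc=$?
    umask "$old_umask"
    if [ "$rc" -ne 0 ]; then
        echo "ipa-join failed with status $rc" >&2
        return "$rc"
    fi
    if ! keytab_is_private "$keytab"; then
        echo "$keytab is missing, a symlink, or group/world accessible" >&2
        return 1
    fi
    return 0
}

# Usage, as root after "kinit admin":
#   join_realm /etc/krb5.keytab
```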