path: root/ipa-client/man/ipa-join.1
blob: 672cd6baeffadc0bb8941d10e730ab7b2cca0b00 (plain)
.\" A man page for ipa-join
.\" Copyright (C) 2009 Red Hat, Inc.
.\"
.\" This is free software; you can redistribute it and/or modify it under
.\" the terms of the GNU Library General Public License as published by
.\" the Free Software Foundation; version 2 only
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU Library General Public
.\" License along with this program; if not, write to the Free Software
.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-join" "1" "Oct 8 2009" "freeipa" ""
.SH "NAME"
ipa\-join \- Join a machine to an IPA realm and get a keytab for the host service principal
.SH "SYNOPSIS"
ipa\-join [ \fB\-h\fR hostname ] [ \fB\-k\fR keytab\-file ] [ \fB\-s\fR server ] [ \fB\-w\fR bulk\-bind\-password ] [ \fB\-d\fR ] [ \fB\-q\fR ]

.SH "DESCRIPTION"
Joins a host to an IPA realm and retrieves a Kerberos \fIkeytab\fR for the host service principal.

Kerberos keytabs are used by services (like sshd) to perform Kerberos authentication. A keytab is a file with one or more secrets (or keys) for a Kerberos principal.

The ipa\-join command will create and retrieve a service principal for host/foo.example.com@EXAMPLE.COM and place it by default into /etc/krb5.keytab. The location can be overridden with the \-k option.

The IPA server to contact is set in /etc/ipa/default.conf by default and can be overridden using the -s,--server option.

In order to join, the machine needs to be authenticated. This can happen in one of two ways:

* Authenticate using the current Kerberos principal

* Provide a password to authenticate with

If a client host has already been joined to the IPA realm, the ipa-join command will fail. The host will need to be removed from the server using `ipa host-del FQDN` before the client can be joined to the realm again.

This command is normally executed by the ipa-client-install command as part of the enrollment process.
.SH "OPTIONS"
.TP
\fB\-h,--hostname hostname\fR
The hostname of this server (FQDN). By default the nodename from uname(2) is used.
.TP
\fB\-s,--server server\fR
The hostname of the IPA server to contact (FQDN). By default the server set in /etc/ipa/default.conf is used.
.TP
\fB\-k,--keytab keytab\-file\fR
The keytab file to which the new key is appended (it will be created if it does not exist). Default: /etc/krb5.keytab
.TP
\fB\-w,--bindpw password\fR
The password to use if not using Kerberos to authenticate.
.TP
\fB\-q,--quiet\fR
Quiet mode. Only errors are displayed.
.TP
\fB\-d,--debug\fR
Debug mode.
.SH "EXAMPLES"
Join IPA domain and retrieve a keytab with Kerberos credentials.

  # kinit admin
  # ipa\-join

Join IPA domain and retrieve a keytab using a one\-time password.

  # ipa\-join \-w secret123

Join IPA domain and save the keytab in another location.

  # ipa\-join \-k /tmp/host.keytab
.SH "EXIT STATUS"
The exit status is 0 on success, nonzero on error.
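
The DESCRIPTION says a keytab holds secret keys for the host principal and that \-k can place it anywhere, as in the /tmp/host.keytab example. The following is an added example, not part of the ipa-join man page or the FreeIPA source, that checks the resulting file is a regular file owned by the expected user with no group or other access. The name check_keytab is hypothetical, root ownership is an assumption, and GNU stat is required:

```shell
#!/bin/sh
# Added example: audit a keytab written by ipa-join.
# check_keytab is a hypothetical helper name; it assumes GNU stat (coreutils).
# Usage: check_keytab [path] [expected-owner-uid]
# Returns 0 if the file is acceptable, a distinct non-zero code otherwise.
check_keytab() {
    kt=${1:-/etc/krb5.keytab}   # default location named in the man page
    want_uid=${2:-0}            # assumption: the keytab should belong to root

    # A symlink could point the keys at a file someone else controls.
    if [ -L "$kt" ]; then
        echo "FAIL: $kt is a symbolic link" >&2
        return 2
    fi
    if [ ! -f "$kt" ]; then
        echo "FAIL: $kt is missing or not a regular file" >&2
        return 3
    fi

    mode=$(stat -c '%a' "$kt") || return 4   # octal mode, e.g. 600
    uid=$(stat -c '%u' "$kt") || return 4    # numeric owner

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $kt is owned by uid $uid, expected $want_uid" >&2
        return 5
    fi

    # The keys are long-term secrets: any group or other permission bit
    # (octal mask 077) lets another account read or replace them.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $kt has mode $mode; group/other access must be removed" >&2
        return 6
    fi

    echo "OK: $kt (uid $uid, mode $mode)"
    return 0
}

# Typical use after enrollment (commented out so the file can be sourced):
#   ipa-join -k /tmp/host.keytab && check_keytab /tmp/host.keytab
```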