Diffstat (limited to 'ipa-client/man/ipa-getkeytab.1')
-rw-r--r-- | ipa-client/man/ipa-getkeytab.1 | 101 |
1 files changed, 101 insertions, 0 deletions
diff --git a/ipa-client/man/ipa-getkeytab.1 b/ipa-client/man/ipa-getkeytab.1 new file mode 100644 index 00000000..93db094e --- /dev/null +++ b/ipa-client/man/ipa-getkeytab.1 
@@ -0,0 +1,101 @@ +.\" A man page for ipa-getkeytab +.\" Copyright (C) 2007 Red Hat, Inc. +.\" +.\" This is free software; you can redistribute it and/or modify it under +.\" the terms of the GNU Library General Public License as published by +.\" the Free Software Foundation; version 2 only +.\" +.\" This program is distributed in the hope that it will be useful, but +.\" WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +.\" General Public License for more details. +.\" +.\" You should have received a copy of the GNU Library General Public +.\" License along with this program; if not, write to the Free Software +.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +.\" +.\" Author: Karl MacMillan <kmacmill@redhat.com> +.\" Author: Simo Sorce <ssorce@redhat.com> +.\" +.TH "ipa-getkeytab" "1" "Oct 10 2007" "freeipa" "" +.SH "NAME" +ipa\-getkeytab \- Get a keytab for a kerberos principal +.SH "SYNOPSIS" +ipa\-getkeytab [ \fB\-s\fR ipaserver ] [ \fB\-p\fR principal\-name ] [ \fB\-k\fR keytab\-file ] [ \fB\-e\fR encryption\-types ] [ \fB\-q\fR ] + +.SH "DESCRIPTION" +Retrieves a kerberos \fIkeytab\fR. + +Kerberos keytabs are used for services (like sshd) to +perform kerberos authentication. A keytab is a file +with one or more secrets (or keys) for a kerberos +principal. + +A kerberos service principal is a kerberos identity +that can be used for authentication. Service principals +contain the name of the service, the hostname of the +server, and the realm name. For example, the following +is an example principal for an ldap server: + + ldap/foo.example.com@EXAMPLE.COM + +When using ipa\-getkeytab the realm name is already +provided, so the principal name is just the service +name and hostname (ldap/foo.example.com from the +example above). + +\fBWARNING:\fR retrieving the keytab resets the secret for the Kerberos principal. 
+This renders all other keytabs for that principal invalid. +.SH "OPTIONS" +.TP +\fB\-s ipaserver\fR +The IPA server to retrieve the keytab from (FQDN). +.TP +\fB\-p principal\-name\fR +The non\-realm part of the full principal name. +.TP +\fB\-k keytab\-file\fR +The keytab file where to append the new key (will be +created if it does not exist). +.TP +\fB\-e encryption\-types\fR +The list of encryption types to use to generate keys. +ipa\-getkeytab will use local client defaults if not provided. +Valid values depend on the kerberos library version and configuration. +Common values are: +aes256\-cts +aes128\-cts +des3\-hmac\-sha1 +arcfour\-hmac +des\-hmac\-sha1 +des\-cbc\-md5 +des\-cbc\-crc +.TP +\fB\-q\fR +Quiet mode. Only errors are displayed. +.TP +\fB\-\-permitted\-enctypes\fR +This options returns a description of the permitted encryption types, like this: +Supported encryption types: +AES\-256 CTS mode with 96\-bit SHA\-1 HMAC +AES\-128 CTS mode with 96\-bit SHA\-1 HMAC +Triple DES cbc mode with HMAC/sha1 +ArcFour with HMAC/md5 +DES cbc mode with CRC\-32 +DES cbc mode with RSA\-MD5 +DES cbc mode with RSA\-MD4 +.SH "EXAMPLES" +Add and retrieve a keytab for the NFS service principal on +the host foo.example.com and save it in the file /tmp/nfs.keytab and retrieve just the des\-cbc\-crc key. + + # ipa\-getkeytab \-s ipaserver.example.com \-p nfs/foo.example.com \-k /tmp/nfs.keytab \-e des\-cbc\-crc + +Add and retrieve a keytab for the ldap service principal on +the host foo.example.com and save it in the file /tmp/ldap.keytab. + + # ipa\-getkeytab \-s ipaserver.example.com \-p ldap/foo.example.com \-k /tmp/ldap.keytab + + + +.SH "EXIT STATUS" +The exit status is 0 on success, nonzero on error. |
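Review bot: the enctype lists under `-e encryption-types` ("aes256-cts", "aes128-cts", ...) and the sample output under `--permitted-enctypes` ("Supported encryption types: ...") are written one item per line inside a filled paragraph, so groff will join them into a single run-on line when the page is rendered; wrap each list in `.nf`/`.fi` (or end each item with `.br`) to keep the one-per-line layout the text clearly intends. Two smaller points in the same hunk: `--permitted-enctypes` is documented under OPTIONS but missing from the SYNOPSIS line, which should read something like `[ \fB\-\-permitted\-enctypes\fR ]` alongside the other flags; and "This options returns a description" should be "This option prints a description". The WARNING that retrieving a keytab resets the principal's secret and invalidates all other keytabs is the most important sentence on the page for an operator, so it is worth keeping it ahead of the OPTIONS section as done here and perhaps repeating a one-line reminder next to the EXAMPLES, since a reader who copies the nfs/ldap commands onto a host that already has a keytab will silently break the existing service key.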