Split ipa-client/ into ipaclient/ (Python library) and client/ (C, scripts)

Make ipaclient a Python library like ipapython, ipalib, etc.
Use setup.py instead of autotools for installing it.

Move C client tools, Python scripts, and man pages, to client/.

Remove old, empty or outdated, boilerplate files (NEWS, README, AUTHORS).
Remove /setup-client.py (ipalib/setup.py should be used instead).

Update Makefiles and the spec file accordingly.

https://fedorahosted.org/freeipa/ticket/5638

Reviewed-By: Jan Cholasta <jcholast@redhat.com>

8 files changed, 1064 insertions, 0 deletions

diff --git a/client/man/Makefile.am b/client/man/Makefile.am
new file mode 100644
index 000000000..9d8a9c03d
--- /dev/null
+++ b/client/man/Makefile.am
@@ -0,0 +1,24 @@
+# This file will be processed with automake-1.7 to create Makefile.in
+
+AUTOMAKE_OPTIONS = 1.7
+
+NULL =
+
+man1_MANS = 				\
+		ipa-getkeytab.1		\
+		ipa-rmkeytab.1		\
+		ipa-client-install.1	\
+		ipa-client-automount.1	\
+		ipa-certupdate.1	\
+		ipa-join.1
+
+man5_MANS =				\
+		default.conf.5
+	
+install-data-hook:
+	@for i in $(man1_MANS) ; do gzip -f $(DESTDIR)$(man1dir)/$$i ; done
+	@for i in $(man5_MANS) ; do gzip -f $(DESTDIR)$(man5dir)/$$i ; done
+
+MAINTAINERCLEANFILES =          \
+	Makefile.in		\
+	$(NULL)
diff --git a/client/man/default.conf.5 b/client/man/default.conf.5
new file mode 100644
index 000000000..35ce6bb9f
--- /dev/null
+++ b/client/man/default.conf.5
@@ -0,0 +1,246 @@
+.\" A man page for default.conf
+.\" Copyright (C) 2011 Red Hat, Inc.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+.\" General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program.  If not, see <http://www.gnu.org/licenses/>.
+.\"
+.\" Author: Rob Crittenden <rcritten@@redhat.com>
+.\"
+.TH "default.conf" "5" "Feb 21 2011" "FreeIPA" "FreeIPA Manual Pages"
+.SH "NAME"
+default.conf \- IPA configuration file
+.SH "SYNOPSIS"
+/etc/ipa/default.conf, ~/.ipa/default.conf, /etc/ipa/server.conf, /etc/ipa/cli.conf
+.SH "DESCRIPTION"
+The \fIdefault.conf \fRconfiguration file is used to set system\-wide defaults to be applied when running IPA clients and servers.
+
+Users may create an optional configuration file in \fI~/.ipa/default.conf\fR which will be merged into the system\-wide defaults file.
+
+The following files are read, in order:
+.nf
+    ~/.ipa/default.conf
+    /etc/ipa/<context>.conf
+    /etc/ipa/default.conf
+    built\-in constants
+.fi
+
+The IPA server does not read ~/.ipa/default.conf.
+
+The first setting wins.
+.SH "SYNTAX"
+The configuration options are not case sensitive. The values may be case sensitive, depending on the option.
+
+Blank lines are ignored.
+Lines beginning with # are comments and are ignored.
+
+Valid lines consist of an option name, an equals sign and a value. Spaces surrounding equals sign are ignored. An option terminates at the end of a line.
+
+Values should not be quoted, the quotes will not be stripped.
+
+.DS L
+    # Wrong \- don't include quotes
+    verbose = "True"
+
+    # Right \- Properly formatted options
+    verbose = True
+    verbose=True
+.DE
+
+Options must appear in the section named [global]. There are no other sections defined or used currently.
+
+Options may be defined that are not used by IPA. Be careful of misspellings, they will not be rejected.
+.SH "OPTIONS"
+The following options are relevant for the server:
+.TP
+.B basedn\fR <base>
+Specifies the base DN to use when performing LDAP operations. The base must be in DN format (dc=example,dc=com).
+.TP
+.B ca_agent_port <port>
+Specifies the secure CA agent port. The default is 8443.
+.TP
+.B ca_ee_port <port>
+Specifies the secure CA end user port. The default is 8443.
+.TP
+.B ca_host <hostname>
+Specifies the hostname of the dogtag CA server. The default is the hostname of the IPA server.
+.TP
+.B ca_port <port>
+Specifies the insecure CA end user port. The default is 8080.
+.TP
+.B context <context>
+Specifies the context that IPA is being executed in. IPA may operate differently depending on the context. The current defined contexts are cli and server. Additionally this value is used to load /etc/ipa/\fBcontext\fR.conf to provide context\-specific configuration. For example, if you want to always perform client requests in verbose mode but do not want to have verbose enabled on the server, add the verbose option to \fI/etc/ipa/cli.conf\fR.
+.TP
+.B debug <boolean>
+When True provides detailed information. Specifically this set the global log level to "debug". Default is False.
+.TP
+.B dogtag_version <version>
+Stores the version of Dogtag. Value 9 is assumed if not specified otherwise.
+.TP
+.B domain <domain>
+The domain of the IPA server e.g. example.com.
+.TP
+.B enable_ra <boolean>
+Specifies whether the CA is acting as an RA agent, such as when dogtag is being used as the Certificate Authority. This setting only applies to the IPA server configuration.
+.TP
+.B fallback <boolean>
+Specifies whether an IPA client should attempt to fall back and try other services if the first connection fails.
+.TP
+.B host <hostname>
+Specifies the local system hostname.
+.TP
+.B in_server <boolean>
+Specifies whether requests should be forwarded to an IPA server or handled locally. This is used internally by IPA in a similar way as context. The same IPA framework is used by the ipa command\-line tool and the server. This setting tells the framework whether it should execute the command as if on the server or forward it via XML\-RPC to a remote server.
+.TP
+.B in_tree  <boolean>
+This is used in development and is generally a detected value. It means that the code is being executed within a source tree.
+.TP
+.B interactive <boolean>
+Specifies whether values should be prompted for or not. The default is True.
+.TP
+.B ldap_uri <URI>
+Specifies the URI of the IPA LDAP server to connect to. The URI scheme may be one of \fBldap\fR or \fBldapi\fR. The default is to use ldapi, e.g. ldapi://%2fvar%2frun%2fslapd\-EXAMPLE\-COM.socket
+.TP
+.B log_logger_XXX <comma separated list of regexps>
+loggers matching regexp will be assigned XXX level.
+.IP
+Logger levels can be explicitly specified for specific loggers as
+opposed to a global logging level. Specific loggers are indicated
+by a list of regular expressions bound to a level. If a logger's
+name matches the regexp then it is assigned that level. This config item
+must begin with "log_logger_level_" and then be
+followed by a symbolic or numeric log level, for example:
+.IP
+  log_logger_level_debug = ipalib\\.dn\\..*
+.IP
+  log_logger_level_35 = ipalib\\.plugins\\.dogtag
+.IP
+The first line says any logger belonging to the ipalib.dn module
+will have it's level configured to debug.
+.IP
+The second line say the ipa.plugins.dogtag logger will be
+configured to level 35.
+.IP
+This config item is useful when you only want to see the log output from
+one or more selected loggers. Turning on the global debug flag will produce
+an enormous amount of output. This allows you to leave the global debug flag
+off and selectively enable output from a specific logger. Typically loggers
+are bound to classes and plugins.
+.IP
+Note: logger names are a dot ('.') separated list forming a path
+in the logger tree.  The dot character is also a regular
+expression metacharacter (matches any character) therefore you
+will usually need to escape the dot in the logger names by
+preceding it with a backslash.
+.TP
+.B mode <mode>
+Specifies the mode the server is running in. The currently support values are \fBproduction\fR and \fBdevelopment\fR. When running in production mode some self\-tests are skipped to improve performance.
+.TP
+.B mount_ipa <URI>
+Specifies the mount point that the development server will register. The default is /ipa/
+.TP
+.B prompt_all <boolean>
+Specifies that all options should be prompted for in the IPA client, even optional values. Default is False.
+.TP
+.B ra_plugin <name>
+Specifies the name of the CA back end to use. The current options are \fBdogtag\fR and \fBnone\fR. This is a server\-side setting. Changing this value is not recommended as the CA back end is only set up during initial installation.
+.TP
+.B realm <realm>
+Specifies the Kerberos realm.
+.TP
+.B session_auth_duration <time duration spec>
+Specifies the length of time authentication credentials cached in the session are valid. After the duration expires credentials will be automatically reacquired. Examples are "2 hours", "1h:30m", "10 minutes", "5min, 30sec".
+.TP
+.B session_duration_type <inactivity_timeout|from_start>
+Specifies how the expiration of a session is computed. With \fBinactivity_timeout\fR the expiration time is advanced by the value of session_auth_duration everytime the user accesses the service. With \fBfrom_start\fR the session expiration is the start of the user's session plus the value of session_auth_duration.
+.TP
+.B server <hostname>
+Specifies the IPA Server hostname.
+.TP
+.B skip_version_check <boolean>
+Skip client vs. server API version checking. Can lead to errors/strange behavior when newer clients talk to older servers. Use with caution.
+.TP
+.B startup_timeout <time in seconds>
+Controls the amount of time waited when starting a service. The default value is 120 seconds.
+.TP
+.B startup_traceback <boolean>
+If the IPA server fails to start and this value is True the server will attempt to generate a python traceback to make identifying the underlying problem easier.
+.TP
+.B validate_api <boolean>
+Used internally in the IPA source package to verify that the API has not changed. This is used to prevent regressions. If it is true then some errors are ignored so enough of the IPA framework can be loaded to verify all of the API, even if optional components are not installed. The default is False.
+.TP
+.B verbose <boolean>
+When True provides more information. Specifically this sets the global log level to "info".
+.TP
+.B wait_for_dns <number of attempts>
+Controls whether the IPA commands dnsrecord\-{add,mod,del} work synchronously or not. The DNS commands will repeat DNS queries up to the specified number of attempts until the DNS server returns an up-to-date answer to a query for modified records. Delay between retries is one second.
+.IP
+The DNS commands will raise a DNSDataMismatch exception if the answer doesn't match the expected value even after the specified number of attempts.
+.IP
+The DNS queries will be sent to the resolver configured in /etc/resolv.conf on the IPA server.
+.IP
+Do not enable this in production! This will cause problems if the resolver on IPA server uses a caching server instead of a local authoritative server or e.g. if DNS answers are modified by DNS64. The default is disabled (the option is not present).
+.TP
+.B xmlrpc_uri <URI>
+Specifies the URI of the XML\-RPC server for a client. This may be used by IPA, and is used by some external tools, such as ipa\-getcert. Example: https://ipa.example.com/ipa/xml
+.TP
+.B jsonrpc_uri <URI>
+Specifies the URI of the JSON server for a client. This is used by IPA. If not given, it is derived from xmlrpc_uri. Example: https://ipa.example.com/ipa/json
+.TP
+.B rpc_protocol <URI>
+Specifies the type of RPC calls IPA makes: 'jsonrpc' or 'xmlrpc'. Defaults to 'jsonrpc'.
+.TP
+The following define the containers for the IPA server. Containers define where in the DIT that objects can be found. The full location is the value of container + basedn.
+  container_accounts: cn=accounts
+  container_applications: cn=applications,cn=configs,cn=policies
+  container_automount: cn=automount
+  container_configs: cn=configs,cn=policies
+  container_dns: cn=dns
+  container_group: cn=groups,cn=accounts
+  container_hbac: cn=hbac
+  container_hbacservice: cn=hbacservices,cn=hbac
+  container_hbacservicegroup: cn=hbacservicegroups,cn=hbac
+  container_host: cn=computers,cn=accounts
+  container_hostgroup: cn=hostgroups,cn=accounts
+  container_netgroup: cn=ng,cn=alt
+  container_permission: cn=permissions,cn=pbac
+  container_policies: cn=policies
+  container_policygroups: cn=policygroups,cn=configs,cn=policies
+  container_policylinks: cn=policylinks,cn=configs,cn=policies
+  container_privilege: cn=privileges,cn=pbac
+  container_rolegroup: cn=roles,cn=accounts
+  container_roles: cn=roles,cn=policies
+  container_service: cn=services,cn=accounts
+  container_sudocmd: cn=sudocmds,cn=sudo
+  container_sudocmdgroup: cn=sudocmdgroups,cn=sudo
+  container_sudorule: cn=sudorules,cn=sudo
+  container_user: cn=users,cn=accounts
+  container_vault: cn=vaults,cn=kra
+  container_virtual: cn=virtual operations,cn=etc
+
+.SH "FILES"
+.TP
+.I /etc/ipa/default.conf
+system\-wide IPA configuration file
+.TP
+.I $HOME/.ipa/default.conf
+user IPA configuration file
+.TP
+It is also possible to define context\-specific configuration files. The \fBcontext\fR is set when the IPA api is initialized. The two currently defined contexts in IPA are \fBcli\fR and \fBserver\fR. This is helpful, for example, if you only want \fBdebug\fR enabled on the server and not in the client. If this is set to True in \fIdefault.conf\fR it will affect both the ipa client tool and the IPA server. If it is only set in \fIserver.conf\fR then only the server will have \fBdebug\fR set. These files will be loaded if they exist:
+.TP
+.I /etc/ipa/cli.conf
+system\-wide IPA client configuration file
+.TP
+.I /etc/ipa/server.conf
+system\-wide IPA server configuration file
+.SH "SEE ALSO"
+.BR ipa (1)
diff --git a/client/man/ipa-certupdate.1 b/client/man/ipa-certupdate.1
new file mode 100644
index 000000000..d95790a36
--- /dev/null
+++ b/client/man/ipa-certupdate.1
@@ -0,0 +1,39 @@
+.\" A man page for ipa-certupdate
+.\" Copyright (C) 2014 Red Hat, Inc.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+.\" General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program.  If not, see <http://www.gnu.org/licenses/>.
+.\"
+.\" Author: Jan Cholasta <jcholast@redhat.com>
+.\"
+.TH "ipa-certupdate" "1" "Jul 2 2014" "FreeIPA" "FreeIPA Manual Pages"
+.SH "NAME"
+ipa\-certupdate \- Update local IPA certificate databases with certificates from the server
+.SH "SYNOPSIS"
+\fBipa\-certupdate\fR [\fIOPTIONS\fR...]
+.SH "DESCRIPTION"
+\fBipa\-certupdate\fR can be used to update local IPA certificate databases with certificates from the server.
+.SH "OPTIONS"
+.TP
+\fB\-v\fR, \fB\-\-verbose\fR
+Print debugging information.
+.TP
+\fB\-q\fR, \fB\-\-quiet\fR
+Output only errors.
+.TP
+\fB\-\-log\-file\fR=\fIFILE\fR
+Log to the given file.
+.SH "EXIT STATUS"
+0 if the command was successful
+
+1 if an error occurred
diff --git a/client/man/ipa-client-automount.1 b/client/man/ipa-client-automount.1
new file mode 100644
index 000000000..5b60503f1
--- /dev/null
+++ b/client/man/ipa-client-automount.1
@@ -0,0 +1,89 @@
+.\" A man page for ipa-client-automount
+.\" Copyright (C) 2012 Red Hat, Inc.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+.\" General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program.  If not, see <http://www.gnu.org/licenses/>.
+.\"
+.\" Author: Rob Crittenden <rcritten@redhat.com>
+.\"
+.TH "ipa-client-automount" "1" "May 25 2012" "FreeIPA" "FreeIPA Manual Pages"
+.SH "NAME"
+ipa\-client\-automount \- Configure automount and NFS for IPA
+.SH "SYNOPSIS"
+ipa\-client\-automount [\fIOPTION\fR]... <location>
+.SH "DESCRIPTION"
+Configures automount for IPA.
+
+The automount configuration consists of three files:
+.PP
+.IP  o
+/etc/nsswitch.conf
+.IP  o
+/etc/sysconfig/autofs
+.IP  o
+/etc/autofs_ldap_auth.conf
+
+.TP
+By default this will use DNS discovery to attempt to determine the IPA server(s) to use. If IPA servers are discovered then the automount client will be configured to use DNS discovery.
+.TP
+If DNS discovery fails or a specific server is desired, use the \-\-server option.
+.TP
+The default automount location is named default. To specify a different one use the \-\-location option.
+.TP
+The IPA client must already be configured in order to configure automount. The IPA client is configured as part of a server installation.
+.TP
+There are two ways to configure automount. The default is to use sssd to manage the automount maps. Alternatively autofs can configured to bind to LDAP over GSSAPI and authenticate using the machine's host principal.
+.TP
+The nsswitch automount service is configured to use either sss or ldap and files depending on whether SSSD is configured or not.
+.TP
+NFSv4 is also configured. The rpc.gssd and rpc.idmapd are started on clients to support Kerberos\-secured mounts.
+.SH "OPTIONS"
+\fB\-\-server\fR=\fISERVER\fR
+Set the IPA server to connect to
+.TP
+\fB\-\-location\fR=\fILOCATION\fR
+Automount location
+.TP
+\fB\-S\fR, \fB\-\-no\-sssd\fR
+Do not configure the client to use SSSD for automount
+.TP
+\fB\-d\fR, \fB\-\-debug\fR
+Print debugging information to stdout
+.TP
+\fB\-U\fR, \fB\-\-unattended\fR
+Unattended installation. The user will not be prompted
+.TP
+\fB\-\-uninstall\fR
+Restore the automount configuration files
+
+.SH "FILES"
+.TP
+Files that will be always be configured:
+
+/etc/nsswitch.conf
+.TP
+Files that will be configured when SSSD is the automount client (default):
+
+/etc/sssd/sssd.conf
+
+.TP
+Files that will be configured when using the ldap automount client:
+
+/etc/sysconfig/autofs
+
+/etc/autofs_ldap_auth.conf
+
+.SH "EXIT STATUS"
+0 if the installation was successful
+
+1 if an error occurred
diff --git a/client/man/ipa-client-install.1 b/client/man/ipa-client-install.1
new file mode 100644
index 000000000..494fd4952
--- /dev/null
+++ b/client/man/ipa-client-install.1
@@ -0,0 +1,288 @@
+.\" A man page for ipa-client-install
+.\" Copyright (C) 2008 Red Hat, Inc.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+.\" General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program.  If not, see <http://www.gnu.org/licenses/>.
+.\"
+.\" Author: Rob Crittenden <rcritten@redhat.com>
+.\"
+.TH "ipa-client-install" "1" "Jan 31 2013" "FreeIPA" "FreeIPA Manual Pages"
+.SH "NAME"
+ipa\-client\-install \- Configure an IPA client
+.SH "SYNOPSIS"
+ipa\-client\-install [\fIOPTION\fR]...
+.SH "DESCRIPTION"
+Configures a client machine to use IPA for authentication and identity services.
+
+By default this configures SSSD to connect to an IPA server for authentication and authorization. Optionally one can instead configure PAM and NSS (Name Switching Service) to work with an IPA server over Kerberos and LDAP.
+
+An authorized user is required to join a client machine to IPA. This can take the form of a kerberos principal or a one\-time password associated with the machine.
+
+This same tool is used to unconfigure IPA and attempts to return the machine to its previous state. Part of this process is to unenroll the host from the IPA server. Unenrollment consists of disabling the principal key on the IPA server so that it may be re\-enrolled. The machine principal in /etc/krb5.keytab (host/<fqdn>@REALM) is used to authenticate to the IPA server to unenroll itself. If this principal does not exist then unenrollment will fail and an administrator will need to disable the host principal (ipa host\-disable <fqdn>).
+
+.SS "Assumptions"
+The ipa\-client\-install script assumes that the machine has already generated SSH keys. It will not generate SSH keys of its own accord. If SSH keys are not present (e.g when running the ipa\-client\-install in a kickstart, before ever running sshd), they will not be uploaded to the client host entry on the server.
+
+.SS "Hostname Requirements"
+Client must use a \fBstatic hostname\fR. If the machine hostname changes for example due to a dynamic hostname assignment by a DHCP server, client enrollment to IPA server breaks and user then would not be able to perform Kerberos authentication.
+
+\-\-hostname option may be used to specify a static hostname that persists over reboot.
+
+.SS "DNS Autodiscovery"
+Client installer by default tries to search for _ldap._tcp.DOMAIN DNS SRV records for all domains that are parent to its hostname. For example, if a client machine has a hostname 'client1.lab.example.com', the installer will try to retrieve an IPA server hostname from _ldap._tcp.lab.example.com, _ldap._tcp.example.com and _ldap._tcp.com DNS SRV records, respectively. The discovered domain is then used to configure client components (e.g. SSSD and Kerberos 5 configuration) on the machine.
+
+When the client machine hostname is not in a subdomain of an IPA server, its domain can be passed with \-\-domain option. In that case, both SSSD and Kerberos components have the domain set in the configuration files and will use it to autodiscover IPA servers.
+
+Client machine can also be configured without a DNS autodiscovery at all. When both \-\-server and \-\-domain options are used, client installer will use the specified server and domain directly. \-\-server option accepts multiple server hostnames which can be used for failover mechanism. Without DNS autodiscovery, Kerberos is configured with a fixed list of KDC and  Admin servers. SSSD is still configured to either try to read domain's SRV records or the specified fixed list of servers. When \-\-fixed\-primary option is specified, SSSD will not try to read DNS SRV record at all (see sssd\-ipa(5) for details).
+
+.SS "The Failover Mechanism"
+When some of the IPA servers is not available, client components are able to fallback to other IPA replica and thus preserving a continued service. When client machine is configured to use DNS SRV record autodiscovery (no fixed server was passed to the installer), client components do the fallback automatically, based on the IPA server hostnames and priorities discovered from the DNS SRV records.
+
+If DNS autodiscovery is not available, clients should be configured at least with a fixed list of IPA servers that can be used in case of a failure. When only one IPA server is configured, IPA client services will not be available in case of a failure of the IPA server. Please note, that in case of a fixed list of IPA servers, the fixed server lists in client components need to be updated when a new IPA server is enrolled or a current IPA server is decommissioned.
+
+.SS "Coexistence With Other Directory Servers"
+Other directory servers deployed in the network (e.g. Microsoft Active Directory) may use the same DNS SRV records to denote hosts with a directory service (_ldap._tcp.DOMAIN). Such DNS SRV records may break the installation if the installer discovers these DNS records before it finds DNS SRV records pointing to IPA servers. The installer would then fail to discover the IPA server and exit with error.
+
+In order to avoid the aforementioned DNS autodiscovery issues, the client machine hostname should be in a domain with properly defined DNS SRV records pointing to IPA servers, either manually with a custom DNS server or with IPA DNS integrated solution. A second approach would be to avoid autodiscovery and configure the installer to use a fixed list of IPA server hostnames using the \-\-server option and with a \-\-fixed\-primary option disabling DNS SRV record autodiscovery in SSSD.
+
+.SS "Re\-enrollment of the host"
+Requirements:
+
+1. Host has not been un\-enrolled (the ipa\-client\-install \-\-uninstall command has not been run).
+.br
+2. The host entry has not been disabled via the ipa host\-disable command.
+
+If this has been the case, host can be re\-enrolled using the usual methods.
+
+There are two method of authenticating a re\-enrollment:
+
+1. You can use \-\-force\-join option with ipa\-client\-install command. This authenticates the re\-enrollment using the admin's credentials provided via the \-w/\-\-password option.
+.br
+2. If providing the admin's password via the command line is not an option (e.g you want to create a script to re\-enroll a host and keep the admin's password secure), you can use backed up keytab from the previous enrollment of this host to authenticate. See \-\-keytab option.
+
+Consequences of the re\-enrollment on the host entry:
+
+1. A new host certificate is issued
+.br
+2. The old host certificate is revoked
+.br
+3. New SSH keys are generated
+.br
+4. ipaUniqueID is preserved
+
+.SH "OPTIONS"
+.SS "BASIC OPTIONS"
+.TP
+\fB\-\-domain\fR=\fIDOMAIN\fR
+Set the domain name to DOMAIN. When no \-\-server option is specified, the installer will try to discover all available servers via DNS SRV record autodiscovery (see DNS Autodiscovery section for details).
+.TP
+\fB\-\-server\fR=\fISERVER\fR
+Set the IPA server to connect to. May be specified multiple times to add multiple servers to ipa_server value in sssd.conf or krb5.conf. Only the first value is considered when used with \-\-no\-sssd. When this option is used, DNS autodiscovery for Kerberos is disabled and a fixed list of KDC and Admin servers is configured.
+.TP
+\fB\-\-realm\fR=\fIREALM_NAME\fR
+Set the IPA realm name to REALM_NAME. Under normal circumstances, this option is not needed as the realm name is retrieved from the IPA server.
+.TP
+\fB\-\-fixed\-primary\fR
+Configure SSSD to use a fixed server as the primary IPA server. The default is to use DNS SRV records to determine the primary server to use and fall back to the server the client is enrolled with. When used in conjunction with \-\-server then no _srv_ value is set in the ipa_server option in sssd.conf.
+.TP
+\fB\-p\fR, \fB\-\-principal\fR
+Authorized kerberos principal to use to join the IPA realm.
+.TP
+\fB\-w\fR \fIPASSWORD\fR, \fB\-\-password\fR=\fIPASSWORD\fR
+Password for joining a machine to the IPA realm. Assumes bulk password unless principal is also set.
+.TP
+\fB\-W\fR
+Prompt for the password for joining a machine to the IPA realm.
+.TP
+\fB\-k\fR, \fB\-\-keytab\fR
+Path to backed up host keytab from previous enrollment. Joins the host even if it is already enrolled.
+.TP
+\fB\-\-mkhomedir\fR
+Configure PAM to create a users home directory if it does not exist.
+.TP
+\fB\-\-hostname\fR
+The hostname of this machine (FQDN). If specified, the hostname will be set and the system configuration will be updated to persist over reboot. By default a nodename result from uname(2) is used.
+.TP
+\fB\-\-force\-join\fR
+Join the host even if it is already enrolled.
+.TP
+\fB\-\-ntp\-server\fR=\fINTP_SERVER\fR
+Configure ntpd to use this NTP server. This option can be used multiple times.
+.TP
+\fB\-N\fR, \fB\-\-no\-ntp\fR
+Do not configure or enable NTP.
+.TP
+\fB\-\-force\-ntpd\fR
+Stop and disable any time&date synchronization services besides ntpd.
+.TP
+\fB\-\-nisdomain\fR=\fINIS_DOMAIN\fR
+Set the NIS domain name as specified. By default, this is set to the IPA domain name.
+.TP
+\fB\-\-no\-nisdomain\fR
+Do not configure NIS domain name.
+.TP
+\fB\-\-ssh\-trust\-dns\fR
+Configure OpenSSH client to trust DNS SSHFP records.
+.TP
+\fB\-\-no\-ssh\fR
+Do not configure OpenSSH client.
+.TP
+\fB\-\-no\-sshd\fR
+Do not configure OpenSSH server.
+.TP
+\fB\-\-no\-sudo\fR
+Do not configure SSSD as a data source for sudo.
+.TP
+\fB\-\-no\-dns\-sshfp\fR
+Do not automatically create DNS SSHFP records.
+.TP
+\fB\-\-noac\fR
+Do not use Authconfig to modify the nsswitch.conf and PAM configuration.
+.TP
+\fB\-f\fR, \fB\-\-force\fR
+Force the settings even if errors occur
+.TP
+\fB\-\-kinit\-attempts\fR=\fIKINIT_ATTEMPTS\fR
+In case of unresponsive KDC (e.g. when enrolling multiple hosts at once in a
+heavy load environment) repeat the request for host Kerberos ticket up to a
+total number of \fIKINIT_ATTEMPTS\fR times before giving up and aborting client
+installation. Default number of attempts is 5. The request is not repeated when
+there is a problem with host credentials themselves (e.g. wrong keytab format
+or invalid principal) so using this option will not lead to account lockouts.
+.TP
+\fB\-d\fR, \fB\-\-debug\fR
+Print debugging information to stdout
+.TP
+\fB\-U\fR, \fB\-\-unattended\fR
+Unattended installation. The user will not be prompted.
+.TP
+\fB\-\-ca\-cert\-file\fR=\fICA_FILE\fR
+Do not attempt to acquire the IPA CA certificate via automated means,
+instead use the CA certificate found locally in in \fICA_FILE\fR.  The
+\fICA_FILE\fR must be an absolute path to a PEM formatted certificate
+file. The CA certificate found in \fICA_FILE\fR is considered
+authoritative and will be installed without checking to see if it's
+valid for the IPA domain.
+.TP
+\fB\-\-request\-cert\fR
+Request certificate for the machine. The certificate will be stored in /etc/ipa/nssdb under the nickname "Local IPA host".
+.TP
+\fB\-\-automount\-location\fR=\fILOCATION\fR
+Configure automount by running ipa\-client\-automount(1) with \fILOCATION\fR as
+automount location.
+.TP
+\fB\-\-configure\-firefox\fR
+Configure Firefox to use IPA domain credentials.
+.TP
+\fB\-\-firefox\-dir\fR=\fIDIR\fR
+Specify Firefox installation directory. For example: '/usr/lib/firefox'
+.TP
+\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
+Use \fIIP_ADDRESS\fR in DNS A/AAAA record for this host. May be specified multiple times to add multiple DNS records.
+.TP
+\fB\-\-all\-ip\-addresses\fR
+Create DNS A/AAAA record for each IP address on this host.
+
+.SS "SSSD OPTIONS"
+.TP
+\fB\-\-permit\fR
+Configure SSSD to permit all access. Otherwise the machine will be controlled by the Host\-based Access Controls (HBAC) on the IPA server.
+.TP
+\fB\-\-enable\-dns\-updates\fR
+This option tells SSSD to automatically update DNS with the IP address of this client.
+.TP
+\fB\-\-no\-krb5\-offline\-passwords\fR
+Configure SSSD not to store user password when the server is offline.
+.TP
+\fB\-S\fR, \fB\-\-no\-sssd\fR
+Do not configure the client to use SSSD for authentication, use nss_ldap instead.
+.TP
+\fB\-\-preserve\-sssd\fR
+Disabled by default. When enabled, preserves old SSSD configuration if it is
+not possible to merge it with a new one. Effectively, if the merge is not
+possible due to SSSDConfig reader encountering unsupported options,
+\fBipa\-client\-install\fR will not run further and ask to fix SSSD config
+first. When this option is not specified, \fBipa\-client\-install\fR will back
+up SSSD config and create new one. The back up version will be restored during
+uninstall.
+
+.SS "UNINSTALL OPTIONS"
+.TP
+\fB\-\-uninstall\fR
+Remove the IPA client software and restore the configuration to the pre\-IPA state.
+.TP
+\fB\-U\fR, \fB\-\-unattended\fR
+Unattended uninstallation. The user will not be prompted.
+
+.SH "FILES"
+.TP
+Files that will be replaced if SSSD is configured (default):
+
+/etc/sssd/sssd.conf
+.TP
+Files that will be replaced if they exist and SSSD is not configured (\-\-no\-sssd):
+
+/etc/ldap.conf
+.br
+/etc/nss_ldap.conf
+.br
+/etc/libnss\-ldap.conf
+.br
+/etc/pam_ldap.conf
+.br
+/etc/nslcd.conf
+.TP
+Files replaced if NTP is enabled:
+
+/etc/ntp.conf
+.br
+/etc/sysconfig/ntpd
+.br
+/etc/ntp/step\-tickers
+.TP
+Files always created (replacing existing content):
+
+/etc/krb5.conf
+.br
+/etc/ipa/ca.crt
+.br
+/etc/ipa/default.conf
+.br
+/etc/ipa/nssdb
+.br
+/etc/openldap/ldap.conf
+.TP
+Files updated, existing content is maintained:
+
+/etc/nsswitch.conf
+.br
+/etc/pki/nssdb
+.br
+/etc/krb5.keytab
+.br
+/etc/sysconfig/network
+.SH "EXIT STATUS"
+0 if the installation was successful
+
+1 if an error occurred
+
+2 if uninstalling and the client is not configured
+
+3 if installing and the client is already configured
+
+4 if an uninstall error occurred
+
+.SH "SEE ALSO"
+.BR ipa\-client\-automount(1),
+.BR krb5.conf(5),
+.BR sssd.conf(5)
diff --git a/client/man/ipa-getkeytab.1 b/client/man/ipa-getkeytab.1
new file mode 100644
index 000000000..1c270729e
--- /dev/null
+++ b/client/man/ipa-getkeytab.1
@@ -0,0 +1,147 @@
+.\" A man page for ipa-getkeytab
+.\" Copyright (C) 2007 Red Hat, Inc.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+.\" General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program.  If not, see <http://www.gnu.org/licenses/>.
+.\"
+.\" Author: Karl MacMillan <kmacmill@redhat.com>
+.\" Author: Simo Sorce <ssorce@redhat.com>
+.\"
+.TH "ipa-getkeytab" "1" "Oct 10 2007" "FreeIPA" "FreeIPA Manual Pages"
+.SH "NAME"
+ipa\-getkeytab \- Get a keytab for a Kerberos principal
+.SH "SYNOPSIS"
+ipa\-getkeytab \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR \fIencryption\-types\fR ] [ \fB\-s\fR \fIipaserver\fR ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ] [ \fB\-r\fR ]
+
+.SH "DESCRIPTION"
+Retrieves a Kerberos \fIkeytab\fR.
+
+Kerberos keytabs are used for services (like sshd) to
+perform Kerberos authentication. A keytab is a file
+with one or more secrets (or keys) for a Kerberos
+principal.
+
+A Kerberos service principal is a Kerberos identity
+that can be used for authentication. Service principals
+contain the name of the service, the hostname of the
+server, and the realm name. For example, the following
+is an example principal for an ldap server:
+
+   ldap/foo.example.com@EXAMPLE.COM
+
+When using ipa\-getkeytab the realm name is already
+provided, so the principal name is just the service
+name and hostname (ldap/foo.example.com from the
+example above).
+
+\fBWARNING:\fR retrieving the keytab resets the secret for the Kerberos principal.
+This renders all other keytabs for that principal invalid.
+
+This is used during IPA client enrollment to retrieve a host service principal and store it in /etc/krb5.keytab. It is possible to retrieve the keytab without Kerberos credentials if the host was pre\-created with a one\-time password. The keytab can be retrieved by binding as the host and authenticating with this one\-time password. The \fB\-D|\-\-binddn\fR and \fB\-w|\-\-bindpw\fR options are used for this authentication.
+.SH "OPTIONS"
+.TP
+\fB\-p principal\-name\fR
+The non\-realm part of the full principal name.
+.TP
+\fB\-k keytab\-file\fR
+The keytab file where to append the new key (will be
+created if it does not exist).
+.TP
+\fB\-e encryption\-types\fR
+The list of encryption types to use to generate keys.
+ipa\-getkeytab will use local client defaults if not provided.
+Valid values depend on the Kerberos library version and configuration.
+Common values are:
+aes256\-cts
+aes128\-cts
+des3\-hmac\-sha1
+arcfour\-hmac
+des\-hmac\-sha1
+des\-cbc\-md5
+des\-cbc\-crc
+.TP
+\fB\-s ipaserver\fR
+The IPA server to retrieve the keytab from (FQDN). If this option is not
+provided the server name is read from the IPA configuration file
+(/etc/ipa/default.conf)
+.TP
+\fB\-q\fR
+Quiet mode. Only errors are displayed.
+.TP
+\fB\-\-permitted\-enctypes\fR
+This options returns a description of the permitted encryption types, like this:
+Supported encryption types:
+AES\-256 CTS mode with 96\-bit SHA\-1 HMAC
+AES\-128 CTS mode with 96\-bit SHA\-1 HMAC
+Triple DES cbc mode with HMAC/sha1
+ArcFour with HMAC/md5
+DES cbc mode with CRC\-32
+DES cbc mode with RSA\-MD5
+DES cbc mode with RSA\-MD4
+.TP
+\fB\-P, \-\-password\fR
+Use this password for the key instead of one randomly generated.
+.TP
+\fB\-D, \-\-binddn\fR
+The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Generally used with the \fB\-w\fR option.
+.TP
+\fB\-w, \-\-bindpw\fR
+The LDAP password to use when not binding with Kerberos.
+.TP
+\fB\-r\fR
+Retrieve mode. Retrieve an existing key from the server instead of generating a
+new one. This is incompatibile with the \-\-password option, and will work only
+against a FreeIPA server more recent than version 3.3. The user requesting the
+keytab must have access to the keys for this operation to succeed.
+.SH "EXAMPLES"
+Add and retrieve a keytab for the NFS service principal on
+the host foo.example.com and save it in the file /tmp/nfs.keytab and retrieve just the des\-cbc\-crc key.
+
+   # ipa\-getkeytab \-p nfs/foo.example.com \-k /tmp/nfs.keytab \-e des\-cbc\-crc
+
+Add and retrieve a keytab for the ldap service principal on
+the host foo.example.com and save it in the file /tmp/ldap.keytab.
+
+   # ipa\-getkeytab \-s ipaserver.example.com \-p ldap/foo.example.com \-k /tmp/ldap.keytab
+
+Retrieve a keytab using LDAP credentials (this will typically be done by \fBipa\-join(1)\fR when enrolling a client using the \fBipa\-client\-install(1)\fR command:
+
+   # ipa\-getkeytab \-s ipaserver.example.com \-p host/foo.example.com \-k /etc/krb5.keytab \-D fqdn=foo.example.com,cn=computers,cn=accounts,dc=example,dc=com \-w password
+.SH "EXIT STATUS"
+The exit status is 0 on success, nonzero on error.
+
+0 Success
+
+1 Kerberos context initialization failed
+
+2 Incorrect usage
+
+3 Out of memory
+
+4 Invalid service principal name
+
+5 No Kerberos credentials cache
+
+6 No Kerberos principal and no bind DN and password
+
+7 Failed to open keytab
+
+8 Failed to create key material
+
+9 Setting keytab failed
+
+10 Bind password required when using a bind DN
+
+11 Failed to add key to keytab
+
+12 Failed to close keytab
diff --git a/client/man/ipa-join.1 b/client/man/ipa-join.1
new file mode 100644
index 000000000..d88160784
--- /dev/null
+++ b/client/man/ipa-join.1
@@ -0,0 +1,142 @@
+.\" A man page for ipa-join
+.\" Copyright (C) 2009 Red Hat, Inc.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+.\" General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program.  If not, see <http://www.gnu.org/licenses/>.
+.\"
+.\" Author: Rob Crittenden <rcritten@redhat.com>
+.\"
+.TH "ipa-join" "1" "Oct 8 2009" "FreeIPA" "FreeIPA Manual Pages"
+.SH "NAME"
+ipa\-join \- Join a machine to an IPA realm and get a keytab for the host service principal
+.SH "SYNOPSIS"
+ipa\-join [\fB\-d\fR|\fB\-\-debug\fR] [\fB\-q\fR|\fB\-\-quiet\fR] [\fB\-u\fR|\fB\-\-unenroll\fR] [\fB\-h\fR|\fB\-\-hostname\fR hostname] [\fB\-s\fR|\fB\-\-server\fR hostname] [\fB\-k\fR|\fB\-\-keytab\fR filename] [\fB\-w\fR|\fB\-\-bindpw\fR password] [\fB-b\fR|\-\-\fBbasedn basedn\fR] [\fB\-?\fR|\fB\-\-help\fR] [\fB\-\-usage\fR]
+
+.SH "DESCRIPTION"
+Joins a host to an IPA realm and retrieves a kerberos \fIkeytab\fR for the host service principal, or unenrolls an enrolled host from an IPA server.
+
+Kerberos keytabs are used for services (like sshd) to perform kerberos authentication. A keytab is a file with one or more secrets (or keys) for a kerberos principal.
+
+The ipa\-join command will create and retrieve a service principal for host/foo.example.com@EXAMPLE.COM and place it by default into /etc/krb5.keytab. The location can be overridden with the \-k option.
+
+The IPA server to contact is set in /etc/ipa/default.conf by default and can be overridden using the \-s,\-\-server option.
+
+In order to join the machine needs to be authenticated. This can happen in one of two ways:
+
+* Authenticate using the current kerberos principal
+
+* Provide a password to authenticate with
+
+If a client host has already been joined to the IPA realm the ipa\-join command will fail. The host will need to be removed from the server using `ipa host\-del FQDN` in order to join the client to the realm.
+
+This command is normally executed by the ipa\-client\-install command as part of the enrollment process.
+
+The reverse is unenrollment. Unenrolling a host removes the Kerberos key on the IPA server. This prepares the host to be re\-enrolled. This uses the host principal stored in /etc/krb5.conf to authenticate to the IPA server to perform the unenrollment.
+
+Please note, that while the ipa\-join option removes the client from the domain, it does not actually uninstall the client or properly remove all of the IPA\-related configuration. The only way to uninstall a client completely is to use ipa\-client\-install \-\-uninstall
+(see
+.BR ipa\-client\-install (1)).
+
+.SH "OPTIONS"
+.TP
+\fB\-h,\-\-hostname hostname\fR
+The hostname of this server (FQDN). By default of nodename from uname(2) is used.
+.TP
+\fB\-s,\-\-server server\fR
+The hostname of the IPA server (FQDN). Note that by default there is no /etc/ipa/default.conf, in most cases it needs to be supplied.
+.TP
+\fB\-k,\-\-keytab keytab\-file\fR
+The keytab file where to append the new key (will be created if it does not exist). Default: /etc/krb5.keytab
+.TP
+\fB\-w,\-\-bindpw password\fR
+The password to use if not using Kerberos to authenticate. Use a password of this particular host (one time password created on IPA server)
+.TP
+\fB\-b,\-\-basedn basedn\fR
+The basedn of the IPA server (of the form dc=example,dc=com). This is only needed when not using Kerberos to authenticate and anonymous binds are disallowed in the IPA LDAP server.
+.TP
+\fB\-f,\-\-force\fR
+Force enrolling the host even if host entry exists.
+.TP
+\fB\-u,\-\-unenroll\fR
+Unenroll this host from the IPA server. No keytab entry is removed in the process
+(see
+.BR ipa-rmkeytab (1)).
+.TP
+\fB\-q,\-\-quiet\fR
+Quiet mode. Only errors are displayed.
+.TP
+\fB\-d,\-\-debug\fR
+Print the raw XML-RPC output in GSSAPI mode.
+.SH "EXAMPLES"
+Join IPA domain and retrieve a keytab with kerberos credentials.
+
+  # kinit admin
+  # ipa\-join
+
+Join IPA domain and retrieve a keytab using a one\-time password.
+
+  # ipa\-join \-w secret123
+
+Join IPA domain and save the keytab in another location.
+
+  # ipa\-join \-k /tmp/host.keytab
+.SH "EXIT STATUS"
+The exit status is 0 on success, nonzero on error.
+
+0 Success
+
+1 Kerberos context initialization failed
+
+2 Incorrect usage
+
+3 Out of memory
+
+4 Invalid service principal name
+
+5 No Kerberos credentials cache
+
+6 No Kerberos principal and no bind DN and password
+
+7 Failed to open keytab
+
+8 Failed to create key material
+
+9 Setting keytab failed
+
+10 Bind password required when using a bind DN
+
+11 Failed to add key to keytab
+
+12 Failed to close keytab
+
+13 Host is already enrolled
+
+14 LDAP failure
+
+15 Incorrect bulk password
+
+16 Host name must be fully\-qualified
+
+17 XML\-RPC fault
+
+18 Principal not found in host entry
+
+19 Unable to generate Kerberos credentials cache
+
+20 Unenrollment result not in XML\-RPC response
+
+21 Failed to get default Kerberos realm
+
+.SH "SEE ALSO"
+.BR ipa-rmkeytab (1)
+.BR ipa-client-install (1)
diff --git a/client/man/ipa-rmkeytab.1 b/client/man/ipa-rmkeytab.1
new file mode 100644
index 000000000..53f775439
--- /dev/null
+++ b/client/man/ipa-rmkeytab.1
@@ -0,0 +1,89 @@
+.\" A man page for ipa-rmkeytab
+.\" Copyright (C) 2009 Red Hat, Inc.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+.\" General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program.  If not, see <http://www.gnu.org/licenses/>.
+.\"
+.\" Author: Rob Crittenden <rcritten@redhat.com>
+.\"
+.\"
+.TH "ipa-rmkeytab" "1" "Oct 30 2009" "FreeIPA" "FreeIPA Manual Pages"
+.SH "NAME"
+ipa\-rmkeytab \- Remove a kerberos principal from a keytab
+.SH "SYNOPSIS"
+ipa\-rmkeytab [ \fB\-p\fR principal\-name ] [ \fB\-k\fR keytab\-file ] [ \fB\-r\fR realm ] [ \fB\-d\fR ]
+
+.SH "DESCRIPTION"
+Removes a kerberos principal from a \fIkeytab\fR.
+
+Kerberos keytabs are used for services (like sshd) to
+perform kerberos authentication. A keytab is a file
+with one or more secrets (or keys) for a kerberos
+principal.
+
+A kerberos service principal is a kerberos identity
+that can be used for authentication. Service principals
+contain the name of the service, the hostname of the
+server, and the realm name.
+
+ipa\-rmkeytab provides two ways to remove principals.
+A specific principal can be removed or all
+principals for a given realm can be removed.
+
+All encryption types and versions of a principal are removed.
+
+The realm may be included when removing a specific principal but
+it is not required.
+
+\fBNOTE:\fR removing a principal from the keytab does not affect
+the Kerberos principal stored in the IPA server. It merely removes
+the entry from the local keytab.
+.SH "OPTIONS"
+.TP
+\fB\-p principal\-name\fR
+The non\-realm part of the full principal name.
+.TP
+\fB\-k keytab\-file\fR
+The keytab file to remove the principal(s) from.
+.TP
+\fB\-r realm\fR
+A realm to remove all principals for.
+.TP
+\fB\-d\fR
+Debug mode. Additional information is displayed.
+.SH "EXAMPLES"
+Remove the NFS service principal on the host foo.example.com from /tmp/nfs.keytab.
+
+   # ipa\-rmkeytab \-p nfs/foo.example.com \-k /tmp/nfs.keytab
+
+Remove the ldap service principal on the host foo.example.com from /etc/krb5.keytab.
+
+   # ipa\-rmkeytab \-p ldap/foo.example.com \-k /etc/krb5.keytab
+
+Remove all principals for the realm EXAMPLE.COM.
+
+  # ipa\-rmkeytab \-r EXAMPLE.COM \-k /etc/krb5.keytab
+.SH "EXIT STATUS"
+The exit status is 0 on success, nonzero on error.
+
+1 Kerberos initialization failed
+
+2 Memory allocation error
+
+3 Unable to open keytab
+
+4 Unable to parse the principal name
+
+5 Principal name or realm not found in keytab
+
+6 Unable to remove principal from keytab