Add missing options to ipa-getkeytab man page.

ticket 229
This commit is contained in:
Rob Crittenden 2010-10-06 09:23:33 -04:00
parent d2a9ccf407
commit 81fe26bdcf


@ -19,19 +19,19 @@
.\"
.TH "ipa-getkeytab" "1" "Oct 10 2007" "freeipa" ""
.SH "NAME"
ipa\-getkeytab \- Get a keytab for a kerberos principal
ipa\-getkeytab \- Get a keytab for a Kerberos principal
.SH "SYNOPSIS"
ipa\-getkeytab \fB\-s\fR \fIipaserver\fR \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR encryption\-types ] [ \fB\-q\fR ]
ipa\-getkeytab \fB\-s\fR \fIipaserver\fR \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR encryption\-types ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ]
.SH "DESCRIPTION"
Retrieves a kerberos \fIkeytab\fR.
Retrieves a Kerberos \fIkeytab\fR.
Kerberos keytabs are used for services (like sshd) to
perform kerberos authentication. A keytab is a file
with one or more secrets (or keys) for a kerberos
perform Kerberos authentication. A keytab is a file
with one or more secrets (or keys) for a Kerberos
principal.
A kerberos service principal is a kerberos identity
A Kerberos service principal is a Kerberos identity
that can be used for authentication. Service principals
contain the name of the service, the hostname of the
server, and the realm name. For example, the following
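Review bot: in the new SYNOPSIS line the entry `[ \fB\-w|\-\-bindpw\fR ]` is styled differently from its neighbours and shows no argument, even though the `\-w` option takes the LDAP password (the OPTIONS entry calls it "the LDAP password" and the new example passes `\-w password`). Suggest `[ \fB\-w\fR|\fB\-\-bindpw\fR \fIPASSWORD\fR ]` so it matches the `\-D` and `\-P` entries on the same line.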
@ -46,6 +46,8 @@ example above).
\fBWARNING:\fR retrieving the keytab resets the secret for the Kerberos principal.
This renders all other keytabs for that principal invalid.
This is used during IPA client enrollement to retrieve a host service principal and store it in /etc/krb5.conf. It is possible to retrieve the keytab without Kerberos credentials if the host was pre\-created with a one\-time password. The keytab can be retrieved by binding as the host and authenticating with this one\-time password. The \fB\-D|\-\-binddn\fR and \fB\-w|\-\-binddn\fR options are used for this authentication.
.SH "OPTIONS"
.TP
\fB\-s ipaserver\fR
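Review bot: the added paragraph names the wrong option and the wrong file. `\fB\-w|\-\-binddn\fR` should be `\fB\-w|\-\-bindpw\fR` (`\-\-binddn` is the long form of `\-D`, which is already listed just before it), and the host keytab is stored in /etc/krb5.keytab, as the new EXAMPLES entry shows, not in /etc/krb5.conf. "enrollement" should also read "enrollment".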
@ -61,7 +63,7 @@ created if it does not exist).
\fB\-e encryption\-types\fR
The list of encryption types to use to generate keys.
ipa\-getkeytab will use local client defaults if not provided.
Valid values depend on the kerberos library version and configuration.
Valid values depend on the Kerberos library version and configuration.
Common values are:
aes256\-cts
aes128\-cts
@ -84,6 +86,15 @@ ArcFour with HMAC/md5
DES cbc mode with CRC\-32
DES cbc mode with RSA\-MD5
DES cbc mode with RSA\-MD4
.TP
\fB\-P, \-\-password\fR
Use this password for the key instead of one randomly generated.
.TP
\fB\-D, \-\-binddn\fR
The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Generally used with the \fB\-w\fR option.
.TP
\fB\-w, \-\-bindpw\fR
The LDAP password to use when not when not binding with Kerberos.
.SH "EXAMPLES"
Add and retrieve a keytab for the NFS service principal on
the host foo.example.com and save it in the file /tmp/nfs.keytab and retrieve just the des\-cbc\-crc key.
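Review bot: the `\-w` description reads "to use when not when not binding with Kerberos"; drop the duplicated words. The three new `.TP` headers also omit the argument that the SYNOPSIS gives them, while the existing entries in this section name theirs (`\fB\-e encryption\-types\fR`); suggest `\fB\-P, \-\-password PASSWORD\fR`, `\fB\-D, \-\-binddn BINDDN\fR` and `\fB\-w, \-\-bindpw PASSWORD\fR` so a reader can see which options take a value.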
@ -95,8 +106,9 @@ the host foo.example.com and save it in the file /tmp/ldap.keytab.
# ipa\-getkeytab \-s ipaserver.example.com \-p ldap/foo.example.com \-k /tmp/ldap.keytab
Retrieve a keytab using LDAP credentials (this will typically be done by \fBipa\-join(1)\fR when enrolling a client using the \fBipa\-client\-install(1)\fR command:
# ipa\-getkeytab \-s ipaserver.example.com \-p host/foo.example.com \-k /etc/krb5.keytab \-D fqdn=foo.example.com,cn=computers,cn=accounts,dc=example,dc=com \-w password
.SH "EXIT STATUS"
The exit status is 0 on success, nonzero on error.
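Review bot: the sentence introducing the new example opens a parenthesis at "(this will typically be done by" and never closes it; add ")" before the colon. Since the example passes the bind password on the command line (`\-w password`), the `\-w` entry under OPTIONS should also say that the value is visible to other users on the host through the process list and shell history, so that administrators know to prefer whatever non-argument way of supplying it the tool offers.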