.\" A man page for ipa-getkeytab
.\" Copyright (C) 2007 Red Hat, Inc.
.\"
.\" This is free software; you can redistribute it and/or modify it under
.\" the terms of the GNU Library General Public License as published by
.\" the Free Software Foundation; version 2 only
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU Library General Public
.\" License along with this program; if not, write to the Free Software
.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
.\"
.\" Author: Karl MacMillan <kmacmill@redhat.com>
.\" Author: Simo Sorce <ssorce@redhat.com>
.\"
.TH "ipa-getkeytab" "1" "Oct 10 2007" "freeipa" ""
.SH "NAME"
ipa\-getkeytab \- Get a keytab for a kerberos principal
.SH "SYNOPSIS"
ipa\-getkeytab [ \fB\-s\fR ipaserver ] [ \fB\-p\fR principal\-name ] [ \fB\-k\fR keytab\-file ] [ \fB\-e\fR encryption\-types ] [ \fB\-q\fR ] [ \fB\-\-permitted\-enctypes\fR ]
.SH "DESCRIPTION"
Retrieves a kerberos \fIkeytab\fR.
.PP
Kerberos keytabs are used for services (like sshd) to
perform kerberos authentication. A keytab is a file
with one or more secrets (or keys) for a kerberos
principal.
.PP
A kerberos service principal is a kerberos identity
that can be used for authentication. Service principals
contain the name of the service, the hostname of the
server, and the realm name. For example, the following
is a principal for an LDAP server:
.PP
ldap/foo.example.com@EXAMPLE.COM
.PP
When using ipa\-getkeytab the realm name is already
provided, so the principal name is just the service
name and hostname (ldap/foo.example.com from the
example above).
.PP
\fBWARNING:\fR retrieving the keytab resets the secret for the Kerberos principal.
This invalidates every other keytab previously retrieved for that principal; a service still using one of those keytabs will no longer be able to authenticate.
.SH "OPTIONS"
.TP
\fB\-s ipaserver\fR
The IPA server to retrieve the keytab from (FQDN).
.TP
\fB\-p principal\-name\fR
The non\-realm part of the full principal name.
.TP
\fB\-k keytab\-file\fR
The keytab file to which the new key is appended (it will be
created if it does not exist).
.TP
\fB\-e encryption\-types\fR
The list of encryption types to use to generate keys.
ipa\-getkeytab will use the local client defaults if this option is not provided.
Valid values depend on the kerberos library version and configuration.
Common values are:
aes256\-cts
aes128\-cts
des3\-hmac\-sha1
arcfour\-hmac
des\-hmac\-sha1
des\-cbc\-md5
des\-cbc\-crc
.TP
\fB\-q\fR
Quiet mode. Only errors are displayed.
.TP
\fB\-\-permitted\-enctypes\fR
This option prints a description of the permitted encryption types, like this:
Supported encryption types:
AES\-256 CTS mode with 96\-bit SHA\-1 HMAC
AES\-128 CTS mode with 96\-bit SHA\-1 HMAC
Triple DES cbc mode with HMAC/sha1
ArcFour with HMAC/md5
DES cbc mode with CRC\-32
DES cbc mode with RSA\-MD5
DES cbc mode with RSA\-MD4
.SH "EXAMPLES"
Add and retrieve a keytab for the NFS service principal on
the host foo.example.com, save it in the file /tmp/nfs.keytab, and retrieve only the des\-cbc\-crc key.
.PP
# ipa\-getkeytab \-s ipaserver.example.com \-p nfs/foo.example.com \-k /tmp/nfs.keytab \-e des\-cbc\-crc
.PP
Add and retrieve a keytab for the ldap service principal on
the host foo.example.com and save it in the file /tmp/ldap.keytab.
.PP
# ipa\-getkeytab \-s ipaserver.example.com \-p ldap/foo.example.com \-k /tmp/ldap.keytab
.SH "EXIT STATUS"
The exit status is 0 on success, nonzero on error.