mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
The man page does not provide enough information about replicated
environments and the use of the -r option.
This fix adds an example of how to use the same keytab on 2 different
hosts, and points to ipa {service/host}-allow-retrieve-keytab.
Fixes:
https://pagure.io/freeipa/issue/7237
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
192 lines, 7.6 KiB, Groff
.\" A man page for ipa-getkeytab
.\" Copyright (C) 2007 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program.  If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Karl MacMillan <kmacmill@redhat.com>
.\" Author: Simo Sorce <ssorce@redhat.com>
.\"
.TH "ipa-getkeytab" "1" "Oct 10 2007" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-getkeytab \- Get a keytab for a Kerberos principal
.SH "SYNOPSIS"
ipa\-getkeytab \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR \fIencryption\-types\fR ] [ \fB\-s\fR \fIipaserver\fR ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ] [ \fB\-\-cacert \fICACERT\fR ] [ \fB\-H|\-\-ldapuri \fIURI\fR ] [ \fB\-Y|\-\-mech \fIGSSAPI|EXTERNAL\fR ] [ \fB\-r\fR ]

.SH "DESCRIPTION"
Retrieves a Kerberos \fIkeytab\fR.

Kerberos keytabs are used for services (like sshd) to
perform Kerberos authentication. A keytab is a file
with one or more secrets (or keys) for a Kerberos
principal.

A Kerberos service principal is a Kerberos identity
that can be used for authentication. Service principals
contain the name of the service, the hostname of the
server, and the realm name. For example, the principal
for an ldap server looks like this:

   ldap/foo.example.com@EXAMPLE.COM

When using ipa\-getkeytab the realm name is already
provided, so the principal name is just the service
name and hostname (ldap/foo.example.com from the
example above).

ipa-getkeytab is used during IPA client enrollment to retrieve a host service principal and store it in /etc/krb5.keytab. It is possible to retrieve the keytab without Kerberos credentials if the host was pre\-created with a one\-time password. The keytab can be retrieved by binding as the host and authenticating with this one\-time password. The \fB\-D|\-\-binddn\fR and \fB\-w|\-\-bindpw\fR options are used for this authentication.

\fBWARNING:\fR retrieving the keytab resets the secret for the Kerberos principal.
This renders all other keytabs for that principal invalid.
When multiple hosts or services need to share the same key (for instance in high availability or load balancing clusters), the \fB\-r\fR option must be used to retrieve the existing key instead of generating a new one (please refer to the EXAMPLES section).

Note that the user or host calling \fBipa-getkeytab\fR needs to be allowed to generate the key with \fBipa host\-allow\-create\-keytab\fR or \fBipa service\-allow\-create\-keytab\fR,
and the user or host calling \fBipa-getkeytab \-r\fR needs to be allowed to retrieve the keytab for the host or service with \fBipa host\-allow\-retrieve\-keytab\fR or \fBipa service\-allow\-retrieve\-keytab\fR.

.SH "OPTIONS"
.TP
\fB\-p principal\-name\fR
The non\-realm part of the full principal name.
.TP
\fB\-k keytab\-file\fR
The keytab file to which the new key is appended (it is
created if it does not exist).
.TP
\fB\-e encryption\-types\fR
The list of encryption types to use to generate keys.
ipa\-getkeytab will use local client defaults if not provided.
Valid values depend on the Kerberos library version and configuration.
Common values are:
.nf
aes256\-cts
aes128\-cts
des3\-hmac\-sha1
arcfour\-hmac
des\-hmac\-sha1
des\-cbc\-md5
des\-cbc\-crc
.fi
.TP
\fB\-s ipaserver\fR
The IPA server to retrieve the keytab from (FQDN). If this option is not
provided the server name is read from the IPA configuration file
(/etc/ipa/default.conf). Cannot be used together with \fB\-H\fR.
.TP
\fB\-q\fR
Quiet mode. Only errors are displayed.
.TP
\fB\-\-permitted\-enctypes\fR
This option returns a description of the permitted encryption types, like this:
.nf
Supported encryption types:
AES\-256 CTS mode with 96\-bit SHA\-1 HMAC
AES\-128 CTS mode with 96\-bit SHA\-1 HMAC
Triple DES cbc mode with HMAC/sha1
ArcFour with HMAC/md5
DES cbc mode with CRC\-32
DES cbc mode with RSA\-MD5
DES cbc mode with RSA\-MD4
.fi
.TP
\fB\-P, \-\-password\fR
Use this password for the key instead of a randomly generated one.
.TP
\fB\-D, \-\-binddn\fR
The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Generally used with the \fB\-w\fR option.
.TP
\fB\-w, \-\-bindpw\fR
The LDAP password to use when not binding with Kerberos. \fB\-D\fR and \fB\-w\fR cannot be used together with \fB\-Y\fR.
.TP
\fB\-\-cacert\fR
The path to the IPA CA certificate used to validate LDAPS/STARTTLS connections.
Defaults to /etc/ipa/ca.crt
.TP
\fB\-H, \-\-ldapuri\fR
LDAP URI. If ldap:// is specified, STARTTLS is initiated by default. Cannot be used with \fB\-s\fR.
.TP
\fB\-Y, \-\-mech\fR
SASL mechanism to use if \fB\-D\fR and \fB\-w\fR are not specified. Use either
GSSAPI or EXTERNAL.
.TP
\fB\-r\fR
Retrieve mode. Retrieve an existing key from the server instead of generating a
new one. This is incompatible with the \-\-password option, and will work only
against a FreeIPA server more recent than version 3.3. The user requesting the
keytab must have access to the keys for this operation to succeed.
.SH "EXAMPLES"
Add and retrieve a keytab for the NFS service principal on
the host foo.example.com and save it in the file /tmp/nfs.keytab and retrieve just the des\-cbc\-crc key.

.nf
   # ipa\-getkeytab \-p nfs/foo.example.com \-k /tmp/nfs.keytab \-e des\-cbc\-crc
.fi

Add and retrieve a keytab for the ldap service principal on
the host foo.example.com and save it in the file /tmp/ldap.keytab.

.nf
   # ipa\-getkeytab \-s ipaserver.example.com \-p ldap/foo.example.com \-k /tmp/ldap.keytab
.fi

Retrieve a keytab using LDAP credentials (this will typically be done by \fBipa\-join(1)\fR when enrolling a client using the \fBipa\-client\-install(1)\fR command):

.nf
   # ipa\-getkeytab \-s ipaserver.example.com \-p host/foo.example.com \-k /etc/krb5.keytab \-D fqdn=foo.example.com,cn=computers,cn=accounts,dc=example,dc=com \-w password
.fi

Add and retrieve a keytab for a clustered HTTP service deployed on client1.example.com and client2.example.com (already enrolled), using the client-frontend.example.com host name:

.nf
   # ipa host-add client-frontend.example.com --ip-address 10.1.2.3
   # ipa service-add HTTP/client-frontend.example.com
   # ipa service-allow-retrieve-keytab HTTP/client-frontend.example.com --hosts={client1.example.com,client2.example.com}
   # ipa service-allow-create-keytab HTTP/client-frontend.example.com --hosts=client1.example.com
.fi

On client1, generate and retrieve a new keytab for client-frontend.example.com:
.nf
   # kinit -k
   # ipa-getkeytab -p HTTP/client-frontend.example.com -k /tmp/http.keytab
.fi

On client2, retrieve the existing keytab for client-frontend.example.com:
.nf
   # kinit -k
   # ipa-getkeytab -r -p HTTP/client-frontend.example.com -k /tmp/http.keytab
.fi

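The WARNING in the DESCRIPTION and the clustered HTTP example above share one failure mode: any ipa-getkeytab run without \-r bumps the principal's key version number (KVNO) on the KDC, and every node still holding the previous KVNO silently stops authenticating. The following script is an added example, not part of this man page or of the FreeIPA project; it parses "klist -kt" output from each node and "kvno" output from the KDC and reports which node needs a fresh "ipa-getkeytab -r". The node names, keytab path and the sample command outputs are constructed for the example; on a real cluster the two variables would be filled from "klist -kt /tmp/http.keytab" and "kvno HTTP/client-frontend.example.com".

```shell
#!/bin/sh
# Added example (not from the ipa-getkeytab man page or FreeIPA): compare the
# KVNO stored in each cluster node's keytab with the KVNO the KDC currently
# issues for the shared principal. A lagging keytab holds a key that a later
# non-"-r" ipa-getkeytab run invalidated.

PRINCIPAL=HTTP/client-frontend.example.com

# Print the highest KVNO recorded for principal $1 in "klist -kt" output read
# from stdin. Data lines look like (KVNO, date, time, principal@REALM):
#    3 02/25/2025 18:55:28 HTTP/client-frontend.example.com@EXAMPLE.COM
# so the principal is the fourth field; header and separator lines are skipped
# because their first field is not a number.
max_kvno_for_principal() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && index($4, p "@") == 1 { if ($1 + 0 > max) max = $1 + 0 }
        END { print max + 0 }'
}

# Print the KVNO reported by "kvno PRINCIPAL", whose output looks like:
#    HTTP/client-frontend.example.com@EXAMPLE.COM: kvno = 3
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*: kvno = \([0-9][0-9]*\).*/\1/p'
}

# Return 0 when the keytab described by klist output $1 holds the KVNO that the
# kvno output $2 reports for principal $3, 1 otherwise (including when the
# principal is absent from the keytab or the kvno output cannot be parsed).
keytab_matches_kdc() {
    have=$(printf '%s\n' "$1" | max_kvno_for_principal "$3")
    want=$(kdc_kvno "$2")
    [ -n "$want" ] && [ "$have" -eq "$want" ]
}

# Constructed sample outputs standing in for the real commands (all values are
# made up for this example). On a live system use:
#   KDC_KVNO_OUT=$(kvno "$PRINCIPAL")
#   CLIENT1_KLIST=$(klist -kt /tmp/http.keytab)   # run on each node
KDC_KVNO_OUT='HTTP/client-frontend.example.com@EXAMPLE.COM: kvno = 3'

CLIENT1_KLIST='Keytab name: FILE:/tmp/http.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 02/25/2025 18:55:28 HTTP/client-frontend.example.com@EXAMPLE.COM
   3 02/25/2025 18:55:28 HTTP/client-frontend.example.com@EXAMPLE.COM'

# client2 fetched its copy before client1 regenerated the key, so it is stale.
CLIENT2_KLIST='Keytab name: FILE:/tmp/http.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/20/2025 10:01:17 HTTP/client-frontend.example.com@EXAMPLE.COM
   2 02/20/2025 10:01:17 HTTP/client-frontend.example.com@EXAMPLE.COM'

# $1: node label, $2: that node's "klist -kt" output
report() {
    if keytab_matches_kdc "$2" "$KDC_KVNO_OUT" "$PRINCIPAL"; then
        echo "$1: keytab KVNO matches the KDC"
    else
        echo "$1: keytab KVNO is stale; run ipa-getkeytab -r on this node"
    fi
}

report client1 "$CLIENT1_KLIST"
report client2 "$CLIENT2_KLIST"
```

The check deliberately uses the highest KVNO in the keytab rather than the newest timestamp: "ipa-getkeytab -r" appends the retrieved key, so a node that was re-synced keeps its old entries and still passes as long as the current KVNO is present. Run it after every keytab operation on the cluster; a stale report on a node means it will fail service authentication until "-r" is repeated there.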
.SH "EXIT STATUS"
The exit status is 0 on success, nonzero on error.

0 Success

1 Kerberos context initialization failed

2 Incorrect usage

3 Out of memory

4 Invalid service principal name

5 No Kerberos credentials cache

6 No Kerberos principal and no bind DN and password

7 Failed to open keytab

8 Failed to create key material

9 Setting keytab failed

10 Bind password required when using a bind DN

11 Failed to add key to keytab

12 Failed to close keytab