Provided by: freeipa-client_4.3.1-0ubuntu1_amd64 bug

NAME
       ipa-getkeytab - Get a keytab for a Kerberos principal


SYNOPSIS
       ipa-getkeytab  -p principal-name -k keytab-file [ -e encryption-types ] [ -s ipaserver ] [
       -q ] [ -D|--binddn BINDDN ] [ -w|--bindpw ] [ -P|--password PASSWORD ] [ -r ]


DESCRIPTION
       Retrieves a Kerberos keytab.

       Kerberos keytabs are used for services (like sshd) to perform Kerberos  authentication.  A
       keytab is a file with one or more secrets (or keys) for a Kerberos principal.

       A  Kerberos  service principal is a Kerberos identity that can be used for authentication.
       Service principals contain the name of the service, the hostname of the  server,  and  the
       realm name. For example, the following is an example principal for an ldap server:

          ldap/foo.example.com@EXAMPLE.COM

       When using ipa-getkeytab the realm name is already provided, so the principal name is just
       the service name and hostname (ldap/foo.example.com from the example above).

       WARNING: retrieving the keytab resets the secret for the Kerberos principal.  This renders
       all other keytabs for that principal invalid.

       This  is  used during IPA client enrollment to retrieve a host service principal and store
       it in /etc/krb5.keytab. It is possible to retrieve the keytab without Kerberos credentials
       if  the  host  was  pre-created  with  a one-time password. The keytab can be retrieved by
       binding as the host and authenticating with this one-time password.  The  -D|--binddn  and
       -w|--bindpw options are used for this authentication.


OPTIONS
       -p principal-name
              The non-realm part of the full principal name.

       -k keytab-file
              The keytab file where to append the new key (will be created if it does not exist).

       -e encryption-types
              The list of encryption types to use to generate keys.  ipa-getkeytab will use local
              client defaults if not provided.  Valid  values  depend  on  the  Kerberos  library
              version and configuration.  Common values are: aes256-cts aes128-cts des3-hmac-sha1
              arcfour-hmac des-hmac-sha1 des-cbc-md5 des-cbc-crc

       -s ipaserver
              The IPA server to retrieve the keytab from (FQDN). If this option is  not  provided
              the server name is read from the IPA configuration file (/etc/ipa/default.conf)

       -q     Quiet mode. Only errors are displayed.

       --permitted-enctypes
              This  options  returns  a description of the permitted encryption types, like this:
              Supported encryption types: AES-256 CTS mode with 96-bit  SHA-1  HMAC  AES-128  CTS
              mode  with  96-bit  SHA-1  HMAC  Triple  DES  cbc  mode with HMAC/sha1 ArcFour with
              HMAC/md5 DES cbc mode with CRC-32 DES cbc mode  with  RSA-MD5  DES  cbc  mode  with
              RSA-MD4

       -P, --password
              Use this password for the key instead of one randomly generated.

       -D, --binddn
              The  LDAP  DN  to  bind  as  when retrieving a keytab without Kerberos credentials.
              Generally used with the -w option.

       -w, --bindpw
              The LDAP password to use when not binding with Kerberos.

       -r     Retrieve mode. Retrieve an existing key from the server instead of generating a new
              one. This is incompatibile with the --password option, and will work only against a
              FreeIPA server more recent than version 3.3. The user requesting  the  keytab  must
              have access to the keys for this operation to succeed.


EXAMPLES
       Add  and  retrieve  a keytab for the NFS service principal on the host foo.example.com and
       save it in the file /tmp/nfs.keytab and retrieve just the des-cbc-crc key.

          # ipa-getkeytab -p nfs/foo.example.com -k /tmp/nfs.keytab -e des-cbc-crc

       Add and retrieve a keytab for the ldap service principal on the host  foo.example.com  and
       save it in the file /tmp/ldap.keytab.

          # ipa-getkeytab -s ipaserver.example.com -p ldap/foo.example.com -k /tmp/ldap.keytab

       Retrieve  a keytab using LDAP credentials (this will typically be done by ipa-join(1) when
       enrolling a client using the ipa-client-install(1) command:

          # ipa-getkeytab -s ipaserver.example.com -p host/foo.example.com -k /etc/krb5.keytab -D
       fqdn=foo.example.com,cn=computers,cn=accounts,dc=example,dc=com -w password


EXIT STATUS
       The exit status is 0 on success, nonzero on error.

       0 Success

       1 Kerberos context initialization failed

       2 Incorrect usage

       3 Out of memory

       4 Invalid service principal name

       5 No Kerberos credentials cache

       6 No Kerberos principal and no bind DN and password

       7 Failed to open keytab

       8 Failed to create key material

       9 Setting keytab failed

       10 Bind password required when using a bind DN

       11 Failed to add key to keytab

       12 Failed to close keytab