This is the command ipa-getkeytab that can be run in the OnWorks free hosting provider using one of our multiple free online workstations such as Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator
ipa-getkeytab - Get a keytab for a Kerberos principal
ipa-getkeytab -p principal-name -k keytab-file [ -e encryption-types ] [ -s ipaserver ] [
-q ] [ -D|--binddn BINDDN ] [ -w|--bindpw ] [ -P|--password PASSWORD ] [ -r ]
Retrieves a Kerberos keytab.
Kerberos keytabs are used for services (like sshd) to perform Kerberos authentication. A
keytab is a file with one or more secrets (or keys) for a Kerberos principal.
A Kerberos service principal is a Kerberos identity that can be used for authentication.
Service principals contain the name of the service, the hostname of the server, and the
realm name. For example, the following is an example principal for an ldap server:
When using ipa-getkeytab the realm name is already provided, so the principal name is just
the service name and hostname (ldap/foo.example.com from the example above).
WARNING: retrieving the keytab resets the secret for the Kerberos principal. This renders
all other keytabs for that principal invalid.
This is used during IPA client enrollment to retrieve a host service principal and store
it in /etc/krb5.keytab. It is possible to retrieve the keytab without Kerberos credentials
if the host was pre-created with a one-time password. The keytab can be retrieved by
binding as the host and authenticating with this one-time password. The -D|--binddn and
-w|--bindpw options are used for this authentication.
The non-realm part of the full principal name.
The keytab file where to append the new key (will be created if it does not exist).
The list of encryption types to use to generate keys. ipa-getkeytab will use local
client defaults if not provided. Valid values depend on the Kerberos library
version and configuration. Common values are: aes256-cts aes128-cts des3-hmac-sha1
arcfour-hmac des-hmac-sha1 des-cbc-md5 des-cbc-crc
The IPA server to retrieve the keytab from (FQDN). If this option is not provided
the server name is read from the IPA configuration file (/etc/ipa/default.conf)
-q Quiet mode. Only errors are displayed.
This options returns a description of the permitted encryption types, like this:
Supported encryption types: AES-256 CTS mode with 96-bit SHA-1 HMAC AES-128 CTS
mode with 96-bit SHA-1 HMAC Triple DES cbc mode with HMAC/sha1 ArcFour with
HMAC/md5 DES cbc mode with CRC-32 DES cbc mode with RSA-MD5 DES cbc mode with
Use this password for the key instead of one randomly generated.
The LDAP DN to bind as when retrieving a keytab without Kerberos credentials.
Generally used with the -w option.
The LDAP password to use when not binding with Kerberos.
-r Retrieve mode. Retrieve an existing key from the server instead of generating a new
one. This is incompatibile with the --password option, and will work only against a
FreeIPA server more recent than version 3.3. The user requesting the keytab must
have access to the keys for this operation to succeed.
Add and retrieve a keytab for the NFS service principal on the host foo.example.com and
save it in the file /tmp/nfs.keytab and retrieve just the des-cbc-crc key.
# ipa-getkeytab -p nfs/foo.example.com -k /tmp/nfs.keytab -e des-cbc-crc
Add and retrieve a keytab for the ldap service principal on the host foo.example.com and
save it in the file /tmp/ldap.keytab.
# ipa-getkeytab -s ipaserver.example.com -p ldap/foo.example.com -k /tmp/ldap.keytab
Retrieve a keytab using LDAP credentials (this will typically be done by ipa-join(1) when
enrolling a client using the ipa-client-install(1) command:
# ipa-getkeytab -s ipaserver.example.com -p host/foo.example.com -k /etc/krb5.keytab -D
fqdn=foo.example.com,cn=computers,cn=accounts,dc=example,dc=com -w password
The exit status is 0 on success, nonzero on error.
1 Kerberos context initialization failed
2 Incorrect usage
3 Out of memory
4 Invalid service principal name
5 No Kerberos credentials cache
6 No Kerberos principal and no bind DN and password
7 Failed to open keytab
8 Failed to create key material
9 Setting keytab failed
10 Bind password required when using a bind DN
11 Failed to add key to keytab
12 Failed to close keytab
Use ipa-getkeytab online using onworks.net services