```
$ ipa-getkeytab
Usage: ipa-getkeytab [-qP?] [-q|--quiet] [-s|--server Server Name]
        [-p|--principal Kerberos Service Principal Name]
        [-k|--keytab Keytab File Name]
        [-e|--enctypes Comma separated encryption types list]
        [--permitted-enctypes] [-P|--password]
        [-D|--binddn DN to bind as if not using kerberos]
        [-w|--bindpw password to use if not using kerberos]
        [-?|--help] [--usage]
```

- Usage text shown above marks all parameters as optional, but this is not true.
- In my experiments at least `-s`, `-p` and `-k` were required.
- IMHO `-s` should be determined from DNS if the user omitted this parameter
Server Name
IPA Server Name
Kerberos Server
IPA Server
Moving my tickets back to free-to-take pool.
Well, according to my research, similarly as e.g. rpm, ipa-getkeytab is written in C using popt for command-line argument parsing and there's no obvious support of required parameters in autohelp it generates, one recommendation was to use 'REQUIRED' in help to cmd-line param. Anyway, simple patch to rename 'Server Name' to 'IPA Server' and to properly enable server discovery (from /etc/ipa/default.conf) which is already there is something like below:
$ git diff diff --git a/client/ipa-getkeytab.c b/client/ipa-getkeytab.c index d492586..49c4b12 100644 --- a/client/ipa-getkeytab.c +++ b/client/ipa-getkeytab.c @@ -693,7 +693,7 @@ int main(int argc, const char *argv[]) _("Print as little as possible"), _("Output only on errors")}, { "server", 's', POPT_ARG_STRING, &server, 0, _("Contact this specific KDC Server"), - _("Server Name") }, + _("IPA Server") }, { "principal", 'p', POPT_ARG_STRING, &principal, 0, _("The principal to get a keytab for (ex: ftp/ftp.example.com@EXAMPLE.COM)"), _("Kerberos Service Principal Name") }, @@ -745,7 +745,7 @@ int main(int argc, const char *argv[]) pc = poptGetContext("ipa-getkeytab", argc, (const char **)argv, options, 0); ret = poptGetNextOpt(pc); if (ret == -1 && permitted_enctypes && - !(server || principal || keytab || quiet)) { + !(principal || keytab || quiet)) { krb5_enctype *ktypes; char enc[79]; /* fit std terminal or truncate */
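Review bot: in the first hunk (@@ -693), the argument placeholder for `--server` becomes "IPA Server" while the description string on the line above it still reads "Contact this specific KDC Server", so the help output would describe the same host in two different ways. Consider updating the description in the same change so that both strings say what kind of server `-s` expects.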
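Review bot: in the second hunk (@@ -745), dropping `server` from `!(server || principal || keytab || quiet)` only changes when the `--permitted-enctypes` listing branch is taken. After this change, `-s` given together with `--permitted-enctypes` no longer skips that branch, so the option is silently ignored there. None of the visible lines touch the place where a missing `-s` is rejected for keytab retrieval, so if the goal is to make `-s` optional, that check is where the change belongs, with a comment stating where the server name comes from when `-s` is absent. Otherwise keep `server` in this condition.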
Let me know if I should submit it via official channel. ;)
```
$ ipa service-add something/ipaclient.example.com
$ ./ipa-getkeytab -p something/ipaclient.example.com@EXAMPLE.COM -k here.keytab; echo $?
Keytab successfully retrieved and stored in: here.keytab
0
```
Sure, send it, there are more people on ipa-devel list so it can be properly reviewed there. Thank you!
@mstefany, are you still working on this issue?
Metadata Update from @pspacek: - Issue assigned to someone - Issue set to the milestone: Future Releases
The original report asked for server discovery over DNS. That was implemented in ae05970 for issue https://pagure.io/freeipa/issue/8478
Marking as fixed.
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)