#3246 ipa-getkeytab usage instructions are incorrect
Closed: fixed a year ago by rcritten. Opened 11 years ago by pspacek.

$ ipa-getkeytab 
Usage: ipa-getkeytab [-qP?] [-q|--quiet] [-s|--server Server Name] [-p|--principal Kerberos Service Principal Name] [-k|--keytab Keytab File Name]
        [-e|--enctypes Comma separated encryption types list] [--permitted-enctypes] [-P|--password] [-D|--binddn DN to bind as if not using kerberos]
        [-w|--bindpw password to use if not using kerberos] [-?|--help] [--usage]


- Usage text shown above marks all parameters as optional, but this is not true.
- In my experiments at least `-s`, `-p` and `-k` were required.
- IMHO `-s` should be determined from DNS if the user omitted this parameter.

  • The same problem applies to the manual page.
  • I would recommend renaming Server Name to IPA Server Name to make clear the difference between Kerberos Server (= application server in other words) and IPA Server.

Moving my tickets back to free-to-take pool.

Well, according to my research, similarly to e.g. rpm, ipa-getkeytab is written in C using popt for command-line argument parsing, and there's no obvious support for required parameters in the autohelp it generates. One recommendation was to use 'REQUIRED' in the help for the command-line parameter. Anyway, a simple patch to rename 'Server Name' to 'IPA Server' and to properly enable server discovery (from /etc/ipa/default.conf), which is already there, is something like below:

$ git diff
diff --git a/client/ipa-getkeytab.c b/client/ipa-getkeytab.c
index d492586..49c4b12 100644
--- a/client/ipa-getkeytab.c
+++ b/client/ipa-getkeytab.c
@@ -693,7 +693,7 @@ int main(int argc, const char *argv[])
               _("Print as little as possible"), _("Output only on errors")},
             { "server", 's', POPT_ARG_STRING, &server, 0,
               _("Contact this specific KDC Server"),
-              _("Server Name") },
+              _("IPA Server") },
             { "principal", 'p', POPT_ARG_STRING, &principal, 0,
               _("The principal to get a keytab for (ex: ftp/ftp.example.com@EXAMPLE.COM)"),
               _("Kerberos Service Principal Name") },
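Review bot: the argument label becomes "IPA Server", but the help string two lines above it still reads `_("Contact this specific KDC Server")`, so the `-s` entry would describe the same option in two different ways. Since the ticket is about making clear which server is meant, update that help string in the same change so both strings name the IPA server.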
@@ -745,7 +745,7 @@ int main(int argc, const char *argv[])
        pc = poptGetContext("ipa-getkeytab", argc, (const char **)argv, options, 0);
        ret = poptGetNextOpt(pc);
        if (ret == -1 && permitted_enctypes &&
-           !(server || principal || keytab || quiet)) {
+           !(principal || keytab || quiet)) {
                krb5_enctype *ktypes;
                char enc[79]; /* fit std terminal or truncate */
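Review bot: with `server` dropped from the guard on the changed line, `--permitted-enctypes` combined with `-s` now enters this branch and the server argument is silently ignored, while `-p`, `-k` and `-q` still exclude it. The stated aim is server discovery when `-s` is omitted, but this condition only gates the `--permitted-enctypes` path, and the check that decides whether a missing server is an error is not in the visible lines. Please confirm this is the condition you meant to change, and either reject `-s` together with `--permitted-enctypes` or document that it has no effect there.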

Let me know if I should submit it via official channel. ;)

$ ipa service-add something/ipaclient.example.com
$ ./ipa-getkeytab -p something/ipaclient.example.com@EXAMPLE.COM -k here.keytab; echo $?
Keytab successfully retrieved and stored in: here.keytab
0

Sure, send it, there are more people on the ipa-devel list so it can be properly reviewed there. Thank you!

@mstefany, are you still working on this issue?

Metadata Update from @pspacek:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

7 years ago

The original report asked for server discovery over DNS. That was implemented in ae05970 for issue https://pagure.io/freeipa/issue/8478

Marking as fixed.

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago
