directory

Service Management

Manage Kerberos service principals for network services requiring authentication. Service entries store service credentials, support certificate-based authentication, and enable delegation scenarios. Features include service principal management, certificate operations, host and user delegation, and support for constrained delegation (S4U2Proxy) for application integration and single sign-on.

21 commands
directory

Overview

Service principals in FreeIPA represent network services that participate in Kerberos authentication. Each service running on an IPA-enrolled host that needs to accept authenticated connections requires a service principal, enabling mutual authentication where both clients and servers prove their identities. Service principals follow the format SERVICE/hostname@REALM, where SERVICE identifies the application type (HTTP, LDAP, NFS, etc.) and hostname specifies the system running the service.

Service entries store both Kerberos credentials (keytabs) and X.509 certificates, supporting both ticket-based and certificate-based authentication. This dual credential support enables services to participate in traditional Kerberos SSO workflows while also supporting modern TLS/SSL encrypted connections with certificate validation. Services can hold multiple certificates simultaneously, supporting certificate renewal transitions and diverse client capabilities.

Service management in IPA includes credential lifecycle, delegation configuration, and access control. Services can delegate authentication decisions to other services (constrained delegation), enabling multi-tier application architectures where frontend services authenticate users and backend services trust that authentication. Host-based delegation controls which hosts can manage service credentials, supporting distributed administration and automated provisioning workflows.

Service Principal Format and Components

Service principals consist of three components: service type, hostname, and realm. The service type indicates the application protocol (HTTP for web servers, LDAP for directory services, NFS for file sharing, etc.). The hostname identifies where the service runs, matching the system’s DNS name. The realm (typically implicit, matching the IPA domain) completes the principal identity.

Standard Service Types:

  • HTTP/: Web services, REST APIs, application servers
  • LDAP/: LDAP directory services
  • NFS/: Network File System services
  • cifs/: SMB/CIFS file sharing
  • DNS/: DNS servers
  • host/: Host-level services and SSH

Service type names are case-sensitive and conventionally uppercase for well-known services. Custom service types can be defined for organization-specific applications, though using standard types when applicable improves interoperability.

The hostname component must match the system’s canonical DNS name or be an alias configured in DNS. Mismatched hostnames cause Kerberos authentication failures as clients cannot locate the service’s principal. For services behind load balancers or virtual hosts, service principals should use the virtual hostname rather than physical server names.

Service Creation Prerequisites

Creating service principals requires the associated host to exist in IPA. This prerequisite ensures services are registered on legitimate, enrolled systems and establishes ownership relationships. The --skip-host-check flag bypasses this validation for special scenarios, but normal operations should create hosts before services.

The --force flag allows service creation even when the hostname doesn’t resolve in DNS. This supports pre-provisioning scenarios where DNS records are created after service principals, or isolated environments where DNS may not be fully configured. However, services with unresolvable hostnames will fail Kerberos authentication until DNS is corrected.

Service creation doesn’t automatically generate keytabs or certificates. After creating the service principal, separate operations retrieve keytabs (using ipa-getkeytab) or request certificates (using cert-request). This separation enables flexible deployment workflows and prevents premature credential generation.

Keytab Management

Keytabs are files containing Kerberos keys enabling services to authenticate without interactive password entry. Services store keytabs locally (typically in /etc/), loading them during startup to authenticate incoming connections. Keytab retrieval requires appropriate privileges: the service’s host, delegated administrators, or users granted explicit keytab retrieval permissions.

The ipa-getkeytab command retrieves keytabs from the IPA server, generating new keys if necessary. Generating new keys invalidates previous keytabs for that service, a critical consideration when multiple systems share a service principal (generally discouraged) or during service migration.

Keytab permissions control who can create (generate new keys) or retrieve (access existing keys) keytabs:

Create Keytab: Regenerates service keys, invalidating all existing keytabs. This permission should be restricted to trusted administrators and automation systems. Creating a new keytab for an active service causes authentication failures until all instances are updated.

Retrieve Keytab: Accesses current keys without regeneration. Less disruptive than creation but still sensitive as it grants access to service credentials. Retrieve permissions support scenarios where multiple systems legitimately need the same keytab.

Keytab delegation can target users (individual administrators), groups (operational teams), hosts (automation systems), or host groups (fleets of orchestration nodes). This flexibility enables both manual administration and automated provisioning while maintaining security boundaries.

Certificate Management for Services

Service certificates enable TLS/SSL encryption and certificate-based authentication. Certificates are requested through IPA’s integrated CA using cert-request, associating the certificate with the service principal. Unlike keytabs which are automatically generated, certificate requests require CSRs generated by the requestor containing the service’s public key.

Multiple certificates per service support certificate renewal overlaps and algorithm diversity. During renewal, services can hold both expiring and renewed certificates, enabling graceful transition without service interruption. Services may also hold RSA and ECDSA certificates simultaneously, selecting appropriate certificates based on client capabilities.

Certificate operations (adding, removing) can be performed by the service’s host, users with appropriate permissions, or through delegated management relationships. The service-add-host command designates hosts that can manage a service’s certificates, supporting scenarios where load balancers or orchestration systems manage backend service certificates.

Certmonger on IPA clients automates certificate renewal for services. When configured to track a service certificate, certmonger monitors expiration, requests renewal from the IPA CA, and updates certificate files without manual intervention. This automation prevents certificate expiration outages.

Constrained Delegation (S4U2Proxy)

Constrained delegation enables services to authenticate to backend services on behalf of users without requiring user credentials. This pattern is essential for multi-tier applications: a web application authenticates users, then accesses a database on their behalf. Without delegation, the database can’t verify the user’s identity; with delegation, the web app presents evidence of the user’s authentication.

IPA implements constrained delegation through Kerberos S4U2Proxy protocol extensions. Services configured for delegation can request service tickets to specific backend services on behalf of authenticated users. The backend service receives both the user’s identity and proof that delegation was authorized by IPA’s KDC.

ok-as-delegate: Marks a service as suitable for credential delegation. Clients seeing this flag may forward their TGTs to the service, enabling full delegation. This flag should only be set on highly trusted services as it grants access to user credentials.

ok-to-auth-as-delegate: Permits the service to use S4U2Self to obtain a service ticket on behalf of a user, necessary for protocol transition scenarios where the initial authentication wasn’t Kerberos-based (e.g., form-based web login).

Delegation targets are configured through service-add-delegation, specifying which backend service principals this service can obtain tickets for. Constrained delegation limits delegation to explicitly configured targets, preventing services from impersonating users to arbitrary services.

PAC Type Configuration

Privilege Attribute Certificates (PAC) are embedded in Kerberos tickets providing authorization information. PAC types determine what authorization data is included in tickets for the service. The default includes MS-PAC for Active Directory trust compatibility, but some services require PAC modification.

NONE: Disables PAC entirely. Required for services with ticket size constraints like NFS, where the Linux kernel has ticket size limits. Large PACs can exceed these limits causing authentication failures.

MS-PAC: Includes Microsoft PAC data for Active Directory trust integration. Services accessed by AD users typically require MS-PAC.

PAD: FreeIPA PAC data for IPA-specific authorization information.

PAC type configuration is service-specific through service-mod --pac-type. Most services use defaults, but specialized services may require custom PAC configuration to function correctly.

Authentication Indicators

Authentication indicators restrict how users can authenticate to services, enforcing security policies requiring specific authentication methods. The --auth-ind parameter configures allowed authentication indicators:

  • otp: Allows OTP-based two-factor authentication
  • radius: Allows RADIUS-based two-factor authentication
  • pkinit: Allows PKINIT (certificate-based) authentication
  • hardened: Allows hardened password authentication (SPAKE/FAST)
  • idp: Allows OAuth 2.0 Device Flow authentication
  • passkey: Allows passkey-based authentication

When authentication indicators are configured, users attempting authentication must have authenticated using one of the allowed methods. This enables service-specific security policies: highly sensitive services can require OTP or passkey authentication while general services allow all methods.

Host-Based Service Management

Services can be managed by hosts other than the host they run on. This delegation pattern supports orchestration systems, load balancers, and centralized management platforms. The service-add-host command designates hosts authorized to manage a service’s credentials and certificates.

When combined with role membership (e.g., certadmin role), delegated hosts can request certificates, regenerate keytabs, and modify service attributes. This enables automation where provisioning systems manage service lifecycle without requiring full administrative credentials.

Host-based management is directional: designating host A to manage service S doesn’t grant S permissions over A. This asymmetric relationship enables safe delegation where management hosts have limited, specific privileges over managed services.

Use Cases

Web Application with Database Backend (S4U2Proxy)

Scenario: Web application needs to access PostgreSQL on behalf of authenticated users.

Solution:

# Create service principals
ipa service-add HTTP/webapp.example.com
ipa service-add postgres/db.example.com

# Configure webapp for delegation to database
ipa service-add-delegation HTTP/webapp.example.com \
    postgres/db.example.com@EXAMPLE.COM
ipa service-mod HTTP/webapp.example.com --ok-to-auth-as-delegate=TRUE

# Retrieve keytabs on respective hosts
# On webapp.example.com:
ipa-getkeytab -s ipa.example.com -p HTTP/webapp.example.com \
    -k /etc/httpd/conf/webapp.keytab

# On db.example.com:
ipa-getkeytab -s ipa.example.com -p postgres/db.example.com \
    -k /var/lib/pgsql/postgres.keytab

# Webapp can now authenticate to postgres as authenticated user

Load Balancer Certificate Management

Scenario: HAProxy manages certificates for multiple backend web services.

Solution:

# Create backend service principals
ipa service-add HTTP/web01.example.com
ipa service-add HTTP/web02.example.com

# Create load balancer service and grant management rights
ipa service-add HTTP/lb.example.com
ipa service-add-host HTTP/web01.example.com --hosts=lb.example.com
ipa service-add-host HTTP/web02.example.com --hosts=lb.example.com

# From lb.example.com, request certificates for backends
ipa-getcert request -f /etc/haproxy/certs/web01.crt \
    -k /etc/haproxy/certs/web01.key \
    -N CN=web01.example.com \
    -K HTTP/web01.example.com@EXAMPLE.COM

# Load balancer can manage backend certificates

NFS Service with PAC Type NONE

Scenario: NFS service failing due to large PAC size in tickets.

Solution:

# Create NFS service
ipa service-add NFS/fileserver.example.com

# Disable PAC due to kernel ticket size limits
ipa service-mod NFS/fileserver.example.com --pac-type=NONE

# Retrieve keytab
ipa-getkeytab -s ipa.example.com -p NFS/fileserver.example.com \
    -k /etc/krb5.keytab

# NFS now works with smaller tickets

High-Security Service Requiring 2FA

Scenario: Financial application requires all users to authenticate with OTP.

Solution:

# Create service principal
ipa service-add HTTP/finance.example.com

# Require OTP authentication
ipa service-mod HTTP/finance.example.com --auth-ind=otp

# Users without OTP tokens cannot authenticate to this service
# Even with valid passwords

Automated Service Provisioning with Delegation

Scenario: Ansible controller needs to provision service keytabs on managed hosts.

Solution:

# Create Ansible controller host
ipa host-add ansible.example.com

# Create hostgroup for managed servers
ipa hostgroup-add webservers
ipa hostgroup-add-member webservers --hosts=web01.example.com,web02.example.com

# Create service principals for web servers
ipa service-add HTTP/web01.example.com
ipa service-add HTTP/web02.example.com

# Grant Ansible controller keytab creation for web services
ipa service-allow-create-keytab HTTP/web01.example.com --hosts=ansible.example.com
ipa service-allow-create-keytab HTTP/web02.example.com --hosts=ansible.example.com

# Ansible can now retrieve/create keytabs
# From ansible.example.com:
ipa-getkeytab -s ipa.example.com -p HTTP/web01.example.com \
    -k /tmp/web01.keytab
# Deploy keytab to web01

Virtual Host Service Principal

Scenario: Apache virtual host www.example.com hosted on physical server web01.example.com.

Solution:

# Create DNS alias
ipa dnsrecord-add example.com www --cname-rec=web01.example.com.

# Create service for virtual hostname
ipa service-add HTTP/www.example.com

# Retrieve keytab on physical host
# On web01.example.com:
ipa-getkeytab -s ipa.example.com -p HTTP/www.example.com \
    -k /etc/httpd/conf/www.keytab

# Configure Apache to use virtual host principal
# Clients authenticate to HTTP/www.example.com

Service Certificate with Automated Renewal

Scenario: LDAP service needs automated certificate renewal via certmonger.

Solution:

# Create service principal
ipa service-add LDAP/directory.example.com

# Request certificate with certmonger tracking
ipa-getcert request -f /etc/openldap/certs/server.crt \
    -k /etc/openldap/certs/server.key \
    -N CN=directory.example.com \
    -K LDAP/directory.example.com@EXAMPLE.COM \
    -D directory.example.com

# Certmonger automatically renews before expiration
# No manual intervention needed

Multi-Protocol Service (HTTPS + LDAPS)

Scenario: Server provides both HTTPS and LDAPS services.

Solution:

# Create service principals for each protocol
ipa service-add HTTP/server.example.com
ipa service-add LDAP/server.example.com

# Request certificates for each service
ipa-getcert request -f /etc/httpd/certs/server.crt \
    -k /etc/httpd/certs/server.key \
    -N CN=server.example.com \
    -K HTTP/server.example.com@EXAMPLE.COM

ipa-getcert request -f /etc/openldap/certs/server.crt \
    -k /etc/openldap/certs/server.key \
    -N CN=server.example.com \
    -K LDAP/server.example.com@EXAMPLE.COM

# Each service uses its own principal and certificate

Service with Principal Alias

Scenario: Service migrating from old hostname to new hostname.

Solution:

# Create service with new hostname
ipa service-add HTTP/new.example.com

# Add alias for old hostname during migration
ipa service-add-principal HTTP/new.example.com \
    HTTP/old.example.com@EXAMPLE.COM

# Service accepts authentication for both hostnames
# Gradual migration of clients to new hostname
# After migration complete, remove alias
ipa service-remove-principal HTTP/new.example.com \
    HTTP/old.example.com@EXAMPLE.COM

Examples

Basic Service Management

Add a new service principal:

ipa service-add HTTP/web.example.com

Add a service bypassing host existence check (special scenarios only):

ipa service-add --skip-host-check HTTP/app.example.com

Add a service forcing creation even if DNS doesn’t resolve:

ipa service-add --force HTTP/web.example.com

Add an SMB service (special handling for Windows integration):

ipa service-add-smb web.example.com

Delete a service principal:

ipa service-del HTTP/web.example.com

Display comprehensive service information:

ipa service-show HTTP/web.example.com --all

Search for all services on a specific host:

ipa service-find web.example.com

Search for all services of a specific type:

ipa service-find HTTP

Search for services in specific host groups:

ipa service-find --in-hostgroups=webservers

Service Modification

Modify service description:

ipa service-mod HTTP/web.example.com --desc="Production web server"

Configure PAC type for NFS (disable PAC due to ticket size constraints):

ipa service-mod NFS/fileserver.example.com --pac-type=NONE

Configure PAC type for AD integration:

ipa service-mod HTTP/web.example.com --pac-type=MS-PAC

Set authentication indicator requirements (require OTP):

ipa service-mod HTTP/sensitive.example.com --auth-ind=otp

Set multiple authentication indicators:

ipa service-mod HTTP/secure.example.com --auth-ind=otp --auth-ind=passkey

Configure delegation flags:

ipa service-mod HTTP/web.example.com --ok-as-delegate=TRUE --ok-to-auth-as-delegate=TRUE

Principal Alias Management

Add a principal alias for a service (support alternative names):

ipa service-add-principal HTTP/web.example.com HTTP/www.example.com@EXAMPLE.COM

Remove a principal alias:

ipa service-remove-principal HTTP/web.example.com HTTP/www.example.com@EXAMPLE.COM

Keytab Management

Retrieve a keytab for a service (from the service’s host):

# On web.example.com:
kinit -kt /etc/krb5.keytab host/web.example.com
ipa-getkeytab -s ipa.example.com -p HTTP/web.example.com -k /etc/httpd/httpd.keytab

Allow a user to create keytabs (regenerate keys):

ipa service-allow-create-keytab HTTP/web.example.com --users=webadmin

Allow a group to create keytabs:

ipa service-allow-create-keytab HTTP/web.example.com --groups=webadmins

Allow a host to create keytabs (for automation):

ipa service-allow-create-keytab HTTP/web.example.com --hosts=provisioner.example.com

Allow host groups to create keytabs:

ipa service-allow-create-keytab HTTP/web.example.com --hostgroups=automation_servers

Revoke keytab creation permission:

ipa service-disallow-create-keytab HTTP/web.example.com --users=webadmin

Allow keytab retrieval (access without regeneration):

ipa service-allow-retrieve-keytab HTTP/web.example.com --users=operator

Revoke keytab retrieval permission:

ipa service-disallow-retrieve-keytab HTTP/web.example.com --users=operator

Certificate Management

Request a certificate for a service:

ipa cert-request --principal=HTTP/web.example.com web.csr

Add a certificate to a service entry:

ipa service-add-cert HTTP/web.example.com --certificate="MIIDXTCCAkWgAwIBAgI..."

Remove a certificate from a service:

ipa service-remove-cert HTTP/web.example.com --certificate="MIIDXTCCAkWgAwIBAgI..."

Host-Based Service Management Delegation

Designate a host to manage a service:

ipa service-add-host HTTP/web.example.com --hosts=loadbalancer.example.com

Grant certadmin role to the managing host (enables certificate operations):

ipa role-add-member --hosts=loadbalancer.example.com certadmin

Remove host management delegation:

ipa service-remove-host HTTP/web.example.com --hosts=loadbalancer.example.com

Constrained Delegation

Add delegation target (allow frontend to access backend on behalf of users):

ipa service-add-delegation HTTP/frontend.example.com ldap/backend.example.com@EXAMPLE.COM

Remove delegation target:

ipa service-remove-delegation HTTP/frontend.example.com ldap/backend.example.com@EXAMPLE.COM

Allow a user to configure delegation:

ipa service-allow-add-delegation HTTP/web.example.com --users=appowner

Revoke delegation configuration privilege:

ipa service-disallow-add-delegation HTTP/web.example.com --users=appowner

Service Disablement

Disable service (revoke Kerberos keys and certificates):

ipa service-disable HTTP/web.example.com

Re-enable service (retrieve new keytab and request new certificate):

ipa-getkeytab -s ipa.example.com -p HTTP/web.example.com -k /etc/httpd/httpd.keytab
ipa cert-request --principal=HTTP/web.example.com web.csr

Best Practices

Service Principal Design

Use canonical hostnames: Service principals should use canonical DNS names, not aliases or IP addresses. This ensures Kerberos reverse DNS lookups succeed and prevents authentication failures.

One service per application instance: Don’t share service principals across multiple physical hosts. Each instance should have its own principal (or use load balancer virtual hostname if truly load-balanced).

Follow standard service type conventions: Use standard service types (HTTP, LDAP, NFS) when applicable. Custom types reduce interoperability and complicate client configuration.

Plan for virtual hosting: Web services with multiple virtual hosts can use principal aliases to support multiple hostnames. Alternatively, use the virtual hostname as the primary principal.

Keytab Management

Protect keytab files: Keytabs are equivalent to passwords. Set strict file permissions (typically 0600, owned by service account) and protect them from unauthorized access.

Avoid sharing keytabs: Each service instance should have unique credentials. Shared keytabs multiply compromise impact and complicate key rotation.

Automate keytab retrieval: Use configuration management tools to retrieve keytabs during provisioning. Don’t manually copy keytab files between systems.

Monitor keytab expiration: While Kerberos keys don’t expire, keytab files can become invalid if keys are regenerated. Monitor for authentication failures indicating stale keytabs.

Document delegation relationships: Maintain clear records of which users/hosts can create or retrieve keytabs for each service. This aids security audits and incident response.

Certificate Operations

Leverage certmonger: Configure certmonger to manage service certificates automatically. This prevents expiration outages and eliminates manual renewal.

Plan certificate transitions: During renewal, ensure services support both old and new certificates during transition periods. Some services can load multiple certificates for this purpose.

Use appropriate certificate profiles: Select profiles matching service requirements. Server certificates need serverAuth extended key usage, client certificates need clientAuth.

Coordinate certificate deployment: When deploying new certificates, ensure all service instances receive updates before old certificates expire.

Constrained Delegation

Limit delegation targets: Only configure delegation to specific backend services required by the application. Broad delegation increases risk if the frontend is compromised.

Document delegation flows: Clearly document which services delegate to which backends and why. This helps security audits and troubleshooting.

Monitor delegation usage: Track delegation-related authentication to detect anomalous patterns that might indicate compromise.

Test delegation carefully: Constrained delegation configuration is complex. Thoroughly test in non-production before deploying to production.

PAC and Authentication Indicators

Set PAC type based on requirements: Most services use defaults. Only modify PAC type for specific needs (NFS ticket size, AD integration requirements).

Use authentication indicators for sensitive services: Services handling sensitive data should require stronger authentication (OTP, passkey) through authentication indicators.

Test PAC changes thoroughly: Incorrect PAC configuration can break authentication. Test changes in non-production environments first.

Document indicator requirements: Clearly communicate authentication requirements to users. Unexpected indicator requirements cause user confusion.

Service Lifecycle

Disable rather than delete: When decommissioning services, use service-disable initially rather than deletion. This allows recovery if the service is needed again.

Clean up obsolete services: Regularly audit service principals and delete truly obsolete entries. Stale services clutter the directory and may represent security risks.

Plan for service migration: When moving services between hosts, create the new service principal, migrate gradually, then disable the old principal.

Maintain service inventory: Track all service principals, their purposes, and ownership. This documentation aids management and security audits.

Security Considerations

Keytab creation invalidates existing credentials: Creating new keytabs regenerates Kerberos keys, immediately invalidating all existing keytabs for that service. Active services experience authentication failures until updated. Grant keytab creation permission only to trusted administrators and automation systems.

Keytab retrieval grants service impersonation: Users/hosts with retrieve keytab permission can extract service credentials and impersonate the service. This enables man-in-the-middle attacks and unauthorized access. Restrict retrieve permissions to legitimate operational needs only.

Constrained delegation enables user impersonation: Services with S4U2Proxy delegation can obtain tickets on behalf of users to specified backend services. Misconfigured delegation could enable unauthorized access to sensitive backends. Carefully validate delegation targets and necessity.

ok-as-delegate grants TGT forwarding: Services marked ok-as-delegate receive forwarded user TGTs, granting full user credential access. Compromised services can use these TGTs for any operation as the user. Reserve ok-as-delegate for highly trusted services only.

Managed-by hosts have credential control: Hosts designated in managed-by relationships can retrieve and regenerate service keytabs. Compromise of managing host compromises all managed services. Ensure managing hosts have equivalent security to managed services.

Service certificates enable TLS interception: Services holding certificate private keys can decrypt TLS traffic. Compromised service certificates enable interception of encrypted communications. Rotate certificates upon suspicion of compromise.

PAC type NONE weakens authorization: Disabling PAC removes authorization information from tickets. Services relying on PAC data for access decisions may grant unauthorized access. Only use PAC type NONE when absolutely necessary (NFS kernel limits).

Authentication indicators can be bypassed: Auth indicators control which authentication methods are acceptable. However, users obtaining tickets without the service knowing the method may still succeed. Don’t rely solely on auth indicators for security-critical enforcement.

Stale service principals remain exploitable: Decommissioned services with unrevoked principals can be impersonated if old keytabs exist. Always disable or delete service principals when decommissioning services.

Service-to-service authentication trusts principals: Backend services trusting delegated tickets assume frontend validated user identity correctly. Compromised frontend service can forge user identities to backends via delegation. Validate frontend service security thoroughly.

Wildcard virtual host security: Services for virtual hosts (HTTP/www.example.com) trust DNS. DNS compromise could redirect authentication to attacker-controlled systems. Use DNSSEC or verify virtual host DNS configuration rigorously.

Keytab file permissions critical: Service keytabs stored as local files must have restrictive permissions (typically 600, owned by service account). Overly permissive keytab files enable local privilege escalation.

Certificate renewal gaps create outages: Failing to renew service certificates before expiration causes service authentication failures. Automated renewal via certmonger prevents this, but monitoring renewal status is essential.

Service principals visible to all authenticated users: Service principal existence and basic metadata (hostname, service type) is visible to all IPA users. In high-security environments, service inventory disclosure could aid reconnaissance. Minimize service metadata detail.

Troubleshooting

Service authentication fails with “service not found”:

# Verify service principal exists
ipa service-show HTTP/hostname.example.com

# If missing, create it
ipa service-add HTTP/hostname.example.com

# Retrieve keytab
ipa-getkeytab -s ipa.example.com -p HTTP/hostname.example.com \
    -k /etc/httpd/conf/httpd.keytab

# Verify keytab contains correct principal
klist -kt /etc/httpd/conf/httpd.keytab

“Key version number mismatch” error:

# Symptom: Service fails with KVNO error

# Keytab is out of sync with IPA (keys regenerated)
# Retrieve fresh keytab
ipa-getkeytab -s ipa.example.com -p HTTP/hostname.example.com \
    -k /etc/httpd/conf/httpd.keytab

# Restart service
systemctl restart httpd

Cannot retrieve keytab - permission denied:

# Verify retrieval delegation exists
ipa service-show HTTP/hostname.example.com --all | \
    grep -A5 "retrieve keytab"

# Grant retrieve permission if missing
ipa service-allow-retrieve-keytab HTTP/hostname.example.com \
    --users=adminuser

# Verify user authenticated as Kerberos principal
klist

# Retry retrieval
ipa-getkeytab -r -s ipa.example.com -p HTTP/hostname.example.com \
    -k /tmp/test.keytab

Service creation fails with “host not found”:

# Service principals require host to exist first
# Create host entry
ipa host-add hostname.example.com

# Create service
ipa service-add HTTP/hostname.example.com

# For services on non-enrolled hosts (not recommended):
ipa service-add HTTP/external.example.com --skip-host-check --force

Constrained delegation not working:

# Verify delegation configured
ipa service-show HTTP/frontend.example.com --all | \
    grep -i delegation

# Verify ok-to-auth-as-delegate flag set
ipa service-show HTTP/frontend.example.com | grep "ok-to-auth-as-delegate"

# Set if missing
ipa service-mod HTTP/frontend.example.com --ok-to-auth-as-delegate=TRUE

# Add delegation target if missing
ipa service-add-delegation HTTP/frontend.example.com \
    HTTP/backend.example.com@EXAMPLE.COM

# Verify backend service exists
ipa service-show HTTP/backend.example.com

Certificate request fails for service:

# Verify service principal exists
ipa service-show HTTP/hostname.example.com

# Verify host running certmonger has service keytab
klist -kt /etc/httpd/conf/httpd.keytab

# Check certmonger status
getcert list

# Request certificate with correct principal
ipa-getcert request -f /etc/httpd/certs/server.crt \
    -k /etc/httpd/certs/server.key \
    -N CN=hostname.example.com \
    -K HTTP/hostname.example.com@EXAMPLE.COM

# Check certmonger tracking
getcert list -i <request-id>

NFS service fails with “ticket too large”:

# NFS has Linux kernel ticket size limits
# PAC data causes tickets to exceed limits

# Check current PAC type
ipa service-show NFS/fileserver.example.com | grep "PAC type"

# Disable PAC
ipa service-mod NFS/fileserver.example.com --pac-type=NONE

# Clear existing tickets on clients
kdestroy
kinit username

# Retry NFS access

Service managed-by host cannot retrieve keytab:

# Verify managed-by relationship
ipa service-show HTTP/service.example.com --all | \
    grep -A5 "Managed by"

# Add managing host if missing
ipa service-add-host HTTP/service.example.com \
    --hosts=manager.example.com

# Verify manager host authenticated
# On manager.example.com:
klist  # Should show host/manager.example.com@REALM

# Retrieve keytab from manager
ipa-getkeytab -s ipa.example.com -p HTTP/service.example.com \
    -k /tmp/service.keytab

Virtual host service authentication fails:

# Verify DNS alias exists and resolves correctly
dig www.example.com  # Should resolve to actual server

# Verify service principal uses virtual hostname
ipa service-show HTTP/www.example.com

# If using physical hostname instead:
# Create service with virtual hostname
ipa service-add HTTP/www.example.com

# Retrieve keytab on physical server
ipa-getkeytab -s ipa.example.com -p HTTP/www.example.com \
    -k /etc/httpd/conf/www.keytab

Authentication indicator restriction preventing access:

# Symptom: "Required auth indicator not present" in logs

# Check service auth indicator requirements
ipa service-show HTTP/hostname.example.com | grep "Auth indicators"

# Verify user has required authentication method
# For OTP requirement, verify user has token:
ipa otptoken-find --user=username

# If requirement too strict, modify
ipa service-mod HTTP/hostname.example.com --auth-ind=

# Or configure user for required auth method

Cannot delete service - dependency exists:

# Find what depends on service
ipa service-show HTTP/hostname.example.com --all

# Check for delegation rules
ipa servicedelegation-find --member-principal=HTTP/hostname.example.com

# Remove from delegation rules
ipa servicedelegation-remove-member delegation-rule \
    --principals=HTTP/hostname.example.com

# Retry deletion
ipa service-del HTTP/hostname.example.com

Service principal exists but clients cannot find it:

# DNS issues prevent Kerberos service location

# Verify DNS SRV records
dig -t SRV _kerberos._tcp.example.com

# Verify hostname resolves
dig hostname.example.com

# Verify reverse DNS (important for Kerberos)
dig -x <IP-address>

# If DNS issues, fix DNS or use /etc/hosts as workaround

Certificate renewal fails via certmonger:

# Check certmonger tracking status
getcert list

# Look for error messages
getcert list -i <request-id>

# Common issue: service keytab missing or invalid
klist -kt /etc/httpd/conf/httpd.keytab

# Verify certmonger can authenticate
getcert start-tracking -f /etc/httpd/certs/server.crt \
    -k /etc/httpd/certs/server.key \
    -K HTTP/hostname.example.com@EXAMPLE.COM

# Force immediate renewal attempt
getcert resubmit -i <request-id>

Multiple services on same host conflicting:

# Symptom: One service works, another doesn't

# Verify each service has distinct principal
ipa service-find --host=hostname.example.com

# Verify each service has separate keytab file
ls -l /etc/httpd/conf/*.keytab
ls -l /etc/openldap/certs/*.keytab

# Ensure services configured to use correct keytab files
# httpd: KRB5_KTNAME=/etc/httpd/conf/httpd.keytab
# slapd: KRB5_KTNAME=/etc/openldap/certs/slapd.keytab

Delegation works in test but fails in production:

# Verify delegation configuration identical in both environments
ipa service-show HTTP/frontend.example.com --all | grep -i delegate

# Verify backend service accessible from frontend
# On frontend host:
kinit -kt /etc/httpd/conf/httpd.keytab HTTP/frontend.example.com
kvno HTTP/backend.example.com

# If kvno fails, network/firewall blocking Kerberos
# Kerberos port 88 must be accessible

Integration with Other IPA Components

Host Entries

Service principals require host entries to exist. Host management (host-* commands) provides the foundation for service registration.

Certificate Management

Service certificates are issued through IPA’s CA using cert-* commands. Service entries track issued certificates and enable certificate-based authentication.

Groups

Services can be members of groups, enabling collective policy application. Service groups appear in HBAC rules and other policy contexts.

HBAC Rules

Host-based access control rules can restrict which users can access services. HBAC evaluates service membership in groups as part of access decisions.

Delegation Rules

Service delegation (servicedelegation-* commands) provides higher-level delegation rule management complementing service-specific delegation configuration.

Certmonger

Certmonger on IPA clients tracks service certificates and automatically renews them before expiration. Integration with IPA’s CA enables fully automated certificate lifecycle management.

Commands

service-add

Usage: ipa [global-options] service-add CANONICAL-PRINCIPAL [options]

Add a new IPA service.

Arguments

ArgumentRequiredDescription
CANONICAL-PRINCIPALyesService principal

Options

OptionDescription
--certificate CERTIFICATEBase-64 encoded service certificate
--pac-type PAC-TYPEOverride default list of supported PAC types. Use ‘NONE’ to disable PAC support for this service, e.g. this might be necessary for NFS services.
--auth-ind AUTH-INDDefines an allow list for Authentication Indicators. Use ‘otp’ to allow OTP-based 2FA authentications. Use ‘radius’ to allow RADIUS-based 2FA authentications. Use ‘pkinit’ to allow PKINIT-based 2FA authentications. Use ‘hardened’ to allow brute-force hardened password authentication by SPAKE or FAST. Use ‘idp’ to allow authentication against an external Identity Provider supporting OAuth 2.0 Device Authorization Flow (RFC 8628). Use ‘passkey’ to allow passkey-based 2FA authentications. With no indicator specified, all authentication mechanisms are allowed.
--requires-pre-auth REQUIRES-PRE-AUTHPre-authentication is required for the service
--ok-as-delegate OK-AS-DELEGATEClient credentials may be delegated to the service
--ok-to-auth-as-delegate OK-TO-AUTH-AS-DELEGATEThe service is allowed to authenticate on behalf of a client
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--forceforce principal name even if host not in DNS
--skip-host-checkforce service to be created even when host object does not exist to manage it
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.

service-add-cert

Usage: ipa [global-options] service-add-cert CANONICAL-PRINCIPAL [options]

Add new certificates to a service

Arguments

ArgumentRequiredDescription
CANONICAL-PRINCIPALyesService principal

Options

OptionDescription
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.
--certificate CERTIFICATEBase-64 encoded service certificate

service-add-delegation

Usage: ipa [global-options] service-add-delegation CANONICAL-PRINCIPAL PRINCIPAL [options]

Add new resource delegation to a service

Arguments

ArgumentRequiredDescription
CANONICAL-PRINCIPALyesService principal

PRINCIPAL yes Delegation principal

Options

OptionDescription
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.

service-add-host

Usage: ipa [global-options] service-add-host CANONICAL-PRINCIPAL [options]

Add hosts that can manage this service.

Arguments

ArgumentRequiredDescription
CANONICAL-PRINCIPALyesService principal

Options

OptionDescription
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.
--hosts HOSTShosts to add

service-add-principal

Usage: ipa [global-options] service-add-principal CANONICAL-PRINCIPAL PRINCIPAL [options]

Add new principal alias to a service

Arguments

ArgumentRequiredDescription
CANONICAL-PRINCIPALyesService principal

PRINCIPAL yes Service principal alias

Options

OptionDescription
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.

service-add-smb

Usage: ipa [global-options] service-add-smb HOSTNAME [NETBIOSNAME] [options]

Add a new SMB service.

Arguments

ArgumentRequiredDescription
HOSTNAMEyesHost name

NETBIOSNAME no SMB service NetBIOS name

Options

OptionDescription
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--certificate CERTIFICATEBase-64 encoded service certificate
--ok-as-delegate OK-AS-DELEGATEClient credentials may be delegated to the service
--ok-to-auth-as-delegate OK-TO-AUTH-AS-DELEGATEThe service is allowed to authenticate on behalf of a client
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.

service-allow-add-delegation

Usage: ipa [global-options] service-allow-add-delegation CANONICAL-PRINCIPAL [options]

Allow users, groups, hosts or host groups to handle a resource delegation of this service.

Arguments

ArgumentRequiredDescription
CANONICAL-PRINCIPALyesService principal

Options

OptionDescription
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.
--users USERSusers to add
--groups GROUPSgroups to add
--hosts HOSTShosts to add
--hostgroups HOSTGROUPShost groups to add

service-allow-create-keytab

Usage: ipa [global-options] service-allow-create-keytab CANONICAL-PRINCIPAL [options]

Allow users, groups, hosts or host groups to create a keytab of this service.

Arguments

ArgumentRequiredDescription
CANONICAL-PRINCIPALyesService principal

Options

OptionDescription
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.
--users USERSusers to add
--groups GROUPSgroups to add
--hosts HOSTShosts to add
--hostgroups HOSTGROUPShost groups to add

service-allow-retrieve-keytab

Usage: ipa [global-options] service-allow-retrieve-keytab CANONICAL-PRINCIPAL [options]

Allow users, groups, hosts or host groups to retrieve a keytab of this service.

Arguments

ArgumentRequiredDescription
CANONICAL-PRINCIPALyesService principal

Options

OptionDescription
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.
--users USERSusers to add
--groups GROUPSgroups to add
--hosts HOSTShosts to add
--hostgroups HOSTGROUPShost groups to add

service-del

Usage: ipa [global-options] service-del CANONICAL-PRINCIPAL [options]

Delete an IPA service.

Arguments

ArgumentRequiredDescription
CANONICAL-PRINCIPALyesService principal

Options

OptionDescription
--continueContinuous mode: Don’t stop on errors.

service-disable

Usage: ipa [global-options] service-disable CANONICAL-PRINCIPAL [options]

Disable the Kerberos key and SSL certificate of a service.

Arguments

ArgumentRequiredDescription
CANONICAL-PRINCIPALyesService principal

service-disallow-add-delegation

Usage: ipa [global-options] service-disallow-add-delegation CANONICAL-PRINCIPAL [options]

Disallow users, groups, hosts or host groups to handle a resource delegation of this service.

Arguments

ArgumentRequiredDescription
CANONICAL-PRINCIPALyesService principal

Options

OptionDescription
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.
--users USERSusers to remove
--groups GROUPSgroups to remove
--hosts HOSTShosts to remove
--hostgroups HOSTGROUPShost groups to remove

service-disallow-create-keytab

Usage: ipa [global-options] service-disallow-create-keytab CANONICAL-PRINCIPAL [options]

Disallow users, groups, hosts or host groups to create a keytab of this service.

Arguments

ArgumentRequiredDescription
CANONICAL-PRINCIPALyesService principal

Options

OptionDescription
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.
--users USERSusers to remove
--groups GROUPSgroups to remove
--hosts HOSTShosts to remove
--hostgroups HOSTGROUPShost groups to remove

service-disallow-retrieve-keytab

Usage: ipa [global-options] service-disallow-retrieve-keytab CANONICAL-PRINCIPAL [options]

Disallow users, groups, hosts or host groups to retrieve a keytab of this service.

Arguments

ArgumentRequiredDescription
CANONICAL-PRINCIPALyesService principal

Options

OptionDescription
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.
--users USERSusers to remove
--groups GROUPSgroups to remove
--hosts HOSTShosts to remove
--hostgroups HOSTGROUPShost groups to remove

service-find

Usage: ipa [global-options] service-find [CRITERIA] [options]

Search for IPA services.

Arguments

Argument Required Description


CRITERIA no A string searched in all relevant object attributes

Options

OptionDescription
--canonical-principal CANONICAL-PRINCIPALService principal
--principal PRINCIPALService principal alias
--pac-type PAC-TYPEOverride default list of supported PAC types. Use ‘NONE’ to disable PAC support for this service, e.g. this might be necessary for NFS services.
--auth-ind AUTH-INDDefines an allow list for Authentication Indicators. Use ‘otp’ to allow OTP-based 2FA authentications. Use ‘radius’ to allow RADIUS-based 2FA authentications. Use ‘pkinit’ to allow PKINIT-based 2FA authentications. Use ‘hardened’ to allow brute-force hardened password authentication by SPAKE or FAST. Use ‘idp’ to allow authentication against an external Identity Provider supporting OAuth 2.0 Device Authorization Flow (RFC 8628). Use ‘passkey’ to allow passkey-based 2FA authentications. With no indicator specified, all authentication mechanisms are allowed.
--timelimit TIMELIMITTime limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMITMaximum number of entries returned (0 is unlimited)
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--pkey-onlyResults should contain primary key attribute only (“canonical-principal”)
--man-by-hosts MAN-BY-HOSTSSearch for services with these managed by hosts.
--not-man-by-hosts NOT-MAN-BY-HOSTSSearch for services without these managed by hosts.

service-mod

Usage: ipa [global-options] service-mod CANONICAL-PRINCIPAL [options]

Modify an existing IPA service.

Arguments

ArgumentRequiredDescription
CANONICAL-PRINCIPALyesService principal

Options

OptionDescription
--principal PRINCIPALService principal alias
--certificate CERTIFICATEBase-64 encoded service certificate
--pac-type PAC-TYPEOverride default list of supported PAC types. Use ‘NONE’ to disable PAC support for this service, e.g. this might be necessary for NFS services.
--auth-ind AUTH-INDDefines an allow list for Authentication Indicators. Use ‘otp’ to allow OTP-based 2FA authentications. Use ‘radius’ to allow RADIUS-based 2FA authentications. Use ‘pkinit’ to allow PKINIT-based 2FA authentications. Use ‘hardened’ to allow brute-force hardened password authentication by SPAKE or FAST. Use ‘idp’ to allow authentication against an external Identity Provider supporting OAuth 2.0 Device Authorization Flow (RFC 8628). Use ‘passkey’ to allow passkey-based 2FA authentications. With no indicator specified, all authentication mechanisms are allowed.
--requires-pre-auth REQUIRES-PRE-AUTHPre-authentication is required for the service
--ok-as-delegate OK-AS-DELEGATEClient credentials may be delegated to the service
--ok-to-auth-as-delegate OK-TO-AUTH-AS-DELEGATEThe service is allowed to authenticate on behalf of a client
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTRDelete an attribute/value pair. The option will be evaluated
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.

service-remove-cert

Usage: ipa [global-options] service-remove-cert CANONICAL-PRINCIPAL [options]

Remove certificates from a service

Arguments

ArgumentRequiredDescription
CANONICAL-PRINCIPALyesService principal

Options

OptionDescription
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.
--certificate CERTIFICATEBase-64 encoded service certificate

service-remove-delegation

Usage: ipa [global-options] service-remove-delegation CANONICAL-PRINCIPAL PRINCIPAL [options]

Remove resource delegation from a service

Arguments

ArgumentRequiredDescription
CANONICAL-PRINCIPALyesService principal

PRINCIPAL yes Delegation principal

Options

OptionDescription
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.

service-remove-host

Usage: ipa [global-options] service-remove-host CANONICAL-PRINCIPAL [options]

Remove hosts that can manage this service.

Arguments

ArgumentRequiredDescription
CANONICAL-PRINCIPALyesService principal

Options

OptionDescription
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.
--hosts HOSTShosts to remove

service-remove-principal

Usage: ipa [global-options] service-remove-principal CANONICAL-PRINCIPAL PRINCIPAL [options]

Remove principal alias from a service

Arguments

ArgumentRequiredDescription
CANONICAL-PRINCIPALyesService principal

PRINCIPAL yes Service principal alias

Options

OptionDescription
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.

service-show

Usage: ipa [global-options] service-show CANONICAL-PRINCIPAL [options]

Display information about an IPA service.

Arguments

ArgumentRequiredDescription
CANONICAL-PRINCIPALyesService principal

Options

OptionDescription
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--out OUTfile to store certificate in
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.

Related Topics