Service Management
Manage Kerberos service principals for network services requiring authentication. Service entries store service credentials, support certificate-based authentication, and enable delegation scenarios. Features include service principal management, certificate operations, host and user delegation, and support for constrained delegation (S4U2Proxy) for application integration and single sign-on.
Overview
Service principals in FreeIPA represent network services that participate in Kerberos authentication. Each service running on an IPA-enrolled host that needs to accept authenticated connections requires a service principal, enabling mutual authentication where both clients and servers prove their identities. Service principals follow the format SERVICE/hostname@REALM, where SERVICE identifies the application type (HTTP, LDAP, NFS, etc.) and hostname specifies the system running the service.
Service entries store both Kerberos credentials (keytabs) and X.509 certificates, supporting both ticket-based and certificate-based authentication. This dual credential support enables services to participate in traditional Kerberos SSO workflows while also supporting modern TLS/SSL encrypted connections with certificate validation. Services can hold multiple certificates simultaneously, supporting certificate renewal transitions and diverse client capabilities.
Service management in IPA includes credential lifecycle, delegation configuration, and access control. Services can delegate authentication decisions to other services (constrained delegation), enabling multi-tier application architectures where frontend services authenticate users and backend services trust that authentication. Host-based delegation controls which hosts can manage service credentials, supporting distributed administration and automated provisioning workflows.
Service Principal Format and Components
Service principals consist of three components: service type, hostname, and realm. The service type indicates the application protocol (HTTP for web servers, LDAP for directory services, NFS for file sharing, etc.). The hostname identifies where the service runs, matching the system’s DNS name. The realm (typically implicit, matching the IPA domain) completes the principal identity.
Standard Service Types:
- HTTP/: Web services, REST APIs, application servers
- LDAP/: LDAP directory services
- NFS/: Network File System services
- cifs/: SMB/CIFS file sharing
- DNS/: DNS servers
- host/: Host-level services and SSH
Service type names are case-sensitive and conventionally uppercase for well-known services. Custom service types can be defined for organization-specific applications, though using standard types when applicable improves interoperability.
The hostname component must match the system’s canonical DNS name or be an alias configured in DNS. Mismatched hostnames cause Kerberos authentication failures as clients cannot locate the service’s principal. For services behind load balancers or virtual hosts, service principals should use the virtual hostname rather than physical server names.
Service Creation Prerequisites
Creating service principals requires the associated host to exist in IPA. This prerequisite ensures services are registered on legitimate, enrolled systems and establishes ownership relationships. The --skip-host-check flag bypasses this validation for special scenarios, but normal operations should create hosts before services.
The --force flag allows service creation even when the hostname doesn’t resolve in DNS. This supports pre-provisioning scenarios where DNS records are created after service principals, or isolated environments where DNS may not be fully configured. However, services with unresolvable hostnames will fail Kerberos authentication until DNS is corrected.
Service creation doesn’t automatically generate keytabs or certificates. After creating the service principal, separate operations retrieve keytabs (using ipa-getkeytab) or request certificates (using cert-request). This separation enables flexible deployment workflows and prevents premature credential generation.
Keytab Management
Keytabs are files containing Kerberos keys enabling services to authenticate without interactive password entry. Services store keytabs locally (typically in /etc/), loading them during startup to authenticate incoming connections. Keytab retrieval requires appropriate privileges: the service’s host, delegated administrators, or users granted explicit keytab retrieval permissions.
The ipa-getkeytab command retrieves keytabs from the IPA server, generating new keys if necessary. Generating new keys invalidates previous keytabs for that service, a critical consideration when multiple systems share a service principal (generally discouraged) or during service migration.
Keytab permissions control who can create (generate new keys) or retrieve (access existing keys) keytabs:
Create Keytab: Regenerates service keys, invalidating all existing keytabs. This permission should be restricted to trusted administrators and automation systems. Creating a new keytab for an active service causes authentication failures until all instances are updated.
Retrieve Keytab: Accesses current keys without regeneration. Less disruptive than creation but still sensitive as it grants access to service credentials. Retrieve permissions support scenarios where multiple systems legitimately need the same keytab.
Keytab delegation can target users (individual administrators), groups (operational teams), hosts (automation systems), or host groups (fleets of orchestration nodes). This flexibility enables both manual administration and automated provisioning while maintaining security boundaries.
Certificate Management for Services
Service certificates enable TLS/SSL encryption and certificate-based authentication. Certificates are requested through IPA’s integrated CA using cert-request, associating the certificate with the service principal. Unlike keytabs which are automatically generated, certificate requests require CSRs generated by the requestor containing the service’s public key.
Multiple certificates per service support certificate renewal overlaps and algorithm diversity. During renewal, services can hold both expiring and renewed certificates, enabling graceful transition without service interruption. Services may also hold RSA and ECDSA certificates simultaneously, selecting appropriate certificates based on client capabilities.
Certificate operations (adding, removing) can be performed by the service’s host, users with appropriate permissions, or through delegated management relationships. The service-add-host command designates hosts that can manage a service’s certificates, supporting scenarios where load balancers or orchestration systems manage backend service certificates.
Certmonger on IPA clients automates certificate renewal for services. When configured to track a service certificate, certmonger monitors expiration, requests renewal from the IPA CA, and updates certificate files without manual intervention. This automation prevents certificate expiration outages.
Constrained Delegation (S4U2Proxy)
Constrained delegation enables services to authenticate to backend services on behalf of users without requiring user credentials. This pattern is essential for multi-tier applications: a web application authenticates users, then accesses a database on their behalf. Without delegation, the database can’t verify the user’s identity; with delegation, the web app presents evidence of the user’s authentication.
IPA implements constrained delegation through Kerberos S4U2Proxy protocol extensions. Services configured for delegation can request service tickets to specific backend services on behalf of authenticated users. The backend service receives both the user’s identity and proof that delegation was authorized by IPA’s KDC.
ok-as-delegate: Marks a service as suitable for credential delegation. Clients seeing this flag may forward their TGTs to the service, enabling full delegation. This flag should only be set on highly trusted services as it grants access to user credentials.
ok-to-auth-as-delegate: Permits the service to use S4U2Self to obtain a service ticket on behalf of a user, necessary for protocol transition scenarios where the initial authentication wasn’t Kerberos-based (e.g., form-based web login).
Delegation targets are configured through service-add-delegation, specifying which backend service principals this service can obtain tickets for. Constrained delegation limits delegation to explicitly configured targets, preventing services from impersonating users to arbitrary services.
PAC Type Configuration
Privilege Attribute Certificates (PAC) are embedded in Kerberos tickets providing authorization information. PAC types determine what authorization data is included in tickets for the service. The default includes MS-PAC for Active Directory trust compatibility, but some services require PAC modification.
NONE: Disables PAC entirely. Required for services with ticket size constraints like NFS, where the Linux kernel has ticket size limits. Large PACs can exceed these limits causing authentication failures.
MS-PAC: Includes Microsoft PAC data for Active Directory trust integration. Services accessed by AD users typically require MS-PAC.
PAD: FreeIPA PAC data for IPA-specific authorization information.
PAC type configuration is service-specific through service-mod --pac-type. Most services use defaults, but specialized services may require custom PAC configuration to function correctly.
Authentication Indicators
Authentication indicators restrict how users can authenticate to services, enforcing security policies requiring specific authentication methods. The --auth-ind parameter configures allowed authentication indicators:
- otp: Allows OTP-based two-factor authentication
- radius: Allows RADIUS-based two-factor authentication
- pkinit: Allows PKINIT (certificate-based) authentication
- hardened: Allows hardened password authentication (SPAKE/FAST)
- idp: Allows OAuth 2.0 Device Flow authentication
- passkey: Allows passkey-based authentication
When authentication indicators are configured, users attempting authentication must have authenticated using one of the allowed methods. This enables service-specific security policies: highly sensitive services can require OTP or passkey authentication while general services allow all methods.
Host-Based Service Management
Services can be managed by hosts other than the host they run on. This delegation pattern supports orchestration systems, load balancers, and centralized management platforms. The service-add-host command designates hosts authorized to manage a service’s credentials and certificates.
When combined with role membership (e.g., certadmin role), delegated hosts can request certificates, regenerate keytabs, and modify service attributes. This enables automation where provisioning systems manage service lifecycle without requiring full administrative credentials.
Host-based management is directional: designating host A to manage service S doesn’t grant S permissions over A. This asymmetric relationship enables safe delegation where management hosts have limited, specific privileges over managed services.
Use Cases
Web Application with Database Backend (S4U2Proxy)
Scenario: Web application needs to access PostgreSQL on behalf of authenticated users.
Solution:
# Create service principals
ipa service-add HTTP/webapp.example.com
ipa service-add postgres/db.example.com
# Configure webapp for delegation to database
ipa service-add-delegation HTTP/webapp.example.com \
postgres/db.example.com@EXAMPLE.COM
ipa service-mod HTTP/webapp.example.com --ok-to-auth-as-delegate=TRUE
# Retrieve keytabs on respective hosts
# On webapp.example.com:
ipa-getkeytab -s ipa.example.com -p HTTP/webapp.example.com \
-k /etc/httpd/conf/webapp.keytab
# On db.example.com:
ipa-getkeytab -s ipa.example.com -p postgres/db.example.com \
-k /var/lib/pgsql/postgres.keytab
# Webapp can now authenticate to postgres as authenticated user
Load Balancer Certificate Management
Scenario: HAProxy manages certificates for multiple backend web services.
Solution:
# Create backend service principals
ipa service-add HTTP/web01.example.com
ipa service-add HTTP/web02.example.com
# Create load balancer service and grant management rights
ipa service-add HTTP/lb.example.com
ipa service-add-host HTTP/web01.example.com --hosts=lb.example.com
ipa service-add-host HTTP/web02.example.com --hosts=lb.example.com
# From lb.example.com, request certificates for backends
ipa-getcert request -f /etc/haproxy/certs/web01.crt \
-k /etc/haproxy/certs/web01.key \
-N CN=web01.example.com \
-K HTTP/web01.example.com@EXAMPLE.COM
# Load balancer can manage backend certificates
NFS Service with PAC Type NONE
Scenario: NFS service failing due to large PAC size in tickets.
Solution:
# Create NFS service
ipa service-add NFS/fileserver.example.com
# Disable PAC due to kernel ticket size limits
ipa service-mod NFS/fileserver.example.com --pac-type=NONE
# Retrieve keytab
ipa-getkeytab -s ipa.example.com -p NFS/fileserver.example.com \
-k /etc/krb5.keytab
# NFS now works with smaller tickets
High-Security Service Requiring 2FA
Scenario: Financial application requires all users to authenticate with OTP.
Solution:
# Create service principal
ipa service-add HTTP/finance.example.com
# Require OTP authentication
ipa service-mod HTTP/finance.example.com --auth-ind=otp
# Users without OTP tokens cannot authenticate to this service
# Even with valid passwords
Automated Service Provisioning with Delegation
Scenario: Ansible controller needs to provision service keytabs on managed hosts.
Solution:
# Create Ansible controller host
ipa host-add ansible.example.com
# Create hostgroup for managed servers
ipa hostgroup-add webservers
ipa hostgroup-add-member webservers --hosts=web01.example.com,web02.example.com
# Create service principals for web servers
ipa service-add HTTP/web01.example.com
ipa service-add HTTP/web02.example.com
# Grant Ansible controller keytab creation for web services
ipa service-allow-create-keytab HTTP/web01.example.com --hosts=ansible.example.com
ipa service-allow-create-keytab HTTP/web02.example.com --hosts=ansible.example.com
# Ansible can now retrieve/create keytabs
# From ansible.example.com:
ipa-getkeytab -s ipa.example.com -p HTTP/web01.example.com \
-k /tmp/web01.keytab
# Deploy keytab to web01
Virtual Host Service Principal
Scenario: Apache virtual host www.example.com hosted on physical server web01.example.com.
Solution:
# Create DNS alias
ipa dnsrecord-add example.com www --cname-rec=web01.example.com.
# Create service for virtual hostname
ipa service-add HTTP/www.example.com
# Retrieve keytab on physical host
# On web01.example.com:
ipa-getkeytab -s ipa.example.com -p HTTP/www.example.com \
-k /etc/httpd/conf/www.keytab
# Configure Apache to use virtual host principal
# Clients authenticate to HTTP/www.example.com
Service Certificate with Automated Renewal
Scenario: LDAP service needs automated certificate renewal via certmonger.
Solution:
# Create service principal
ipa service-add LDAP/directory.example.com
# Request certificate with certmonger tracking
ipa-getcert request -f /etc/openldap/certs/server.crt \
-k /etc/openldap/certs/server.key \
-N CN=directory.example.com \
-K LDAP/directory.example.com@EXAMPLE.COM \
-D directory.example.com
# Certmonger automatically renews before expiration
# No manual intervention needed
Multi-Protocol Service (HTTPS + LDAPS)
Scenario: Server provides both HTTPS and LDAPS services.
Solution:
# Create service principals for each protocol
ipa service-add HTTP/server.example.com
ipa service-add LDAP/server.example.com
# Request certificates for each service
ipa-getcert request -f /etc/httpd/certs/server.crt \
-k /etc/httpd/certs/server.key \
-N CN=server.example.com \
-K HTTP/server.example.com@EXAMPLE.COM
ipa-getcert request -f /etc/openldap/certs/server.crt \
-k /etc/openldap/certs/server.key \
-N CN=server.example.com \
-K LDAP/server.example.com@EXAMPLE.COM
# Each service uses its own principal and certificate
Service with Principal Alias
Scenario: Service migrating from old hostname to new hostname.
Solution:
# Create service with new hostname
ipa service-add HTTP/new.example.com
# Add alias for old hostname during migration
ipa service-add-principal HTTP/new.example.com \
HTTP/old.example.com@EXAMPLE.COM
# Service accepts authentication for both hostnames
# Gradual migration of clients to new hostname
# After migration complete, remove alias
ipa service-remove-principal HTTP/new.example.com \
HTTP/old.example.com@EXAMPLE.COM
Examples
Basic Service Management
Add a new service principal:
ipa service-add HTTP/web.example.com
Add a service bypassing host existence check (special scenarios only):
ipa service-add --skip-host-check HTTP/app.example.com
Add a service forcing creation even if DNS doesn’t resolve:
ipa service-add --force HTTP/web.example.com
Add an SMB service (special handling for Windows integration):
ipa service-add-smb web.example.com
Delete a service principal:
ipa service-del HTTP/web.example.com
Display comprehensive service information:
ipa service-show HTTP/web.example.com --all
Search for all services on a specific host:
ipa service-find web.example.com
Search for all services of a specific type:
ipa service-find HTTP
Search for services in specific host groups:
ipa service-find --in-hostgroups=webservers
Service Modification
Modify service description:
ipa service-mod HTTP/web.example.com --desc="Production web server"
Configure PAC type for NFS (disable PAC due to ticket size constraints):
ipa service-mod NFS/fileserver.example.com --pac-type=NONE
Configure PAC type for AD integration:
ipa service-mod HTTP/web.example.com --pac-type=MS-PAC
Set authentication indicator requirements (require OTP):
ipa service-mod HTTP/sensitive.example.com --auth-ind=otp
Set multiple authentication indicators:
ipa service-mod HTTP/secure.example.com --auth-ind=otp --auth-ind=passkey
Configure delegation flags:
ipa service-mod HTTP/web.example.com --ok-as-delegate=TRUE --ok-to-auth-as-delegate=TRUE
Principal Alias Management
Add a principal alias for a service (support alternative names):
ipa service-add-principal HTTP/web.example.com HTTP/www.example.com@EXAMPLE.COM
Remove a principal alias:
ipa service-remove-principal HTTP/web.example.com HTTP/www.example.com@EXAMPLE.COM
Keytab Management
Retrieve a keytab for a service (from the service’s host):
# On web.example.com:
kinit -kt /etc/krb5.keytab host/web.example.com
ipa-getkeytab -s ipa.example.com -p HTTP/web.example.com -k /etc/httpd/httpd.keytab
Allow a user to create keytabs (regenerate keys):
ipa service-allow-create-keytab HTTP/web.example.com --users=webadmin
Allow a group to create keytabs:
ipa service-allow-create-keytab HTTP/web.example.com --groups=webadmins
Allow a host to create keytabs (for automation):
ipa service-allow-create-keytab HTTP/web.example.com --hosts=provisioner.example.com
Allow host groups to create keytabs:
ipa service-allow-create-keytab HTTP/web.example.com --hostgroups=automation_servers
Revoke keytab creation permission:
ipa service-disallow-create-keytab HTTP/web.example.com --users=webadmin
Allow keytab retrieval (access without regeneration):
ipa service-allow-retrieve-keytab HTTP/web.example.com --users=operator
Revoke keytab retrieval permission:
ipa service-disallow-retrieve-keytab HTTP/web.example.com --users=operator
Certificate Management
Request a certificate for a service:
ipa cert-request --principal=HTTP/web.example.com web.csr
Add a certificate to a service entry:
ipa service-add-cert HTTP/web.example.com --certificate="MIIDXTCCAkWgAwIBAgI..."
Remove a certificate from a service:
ipa service-remove-cert HTTP/web.example.com --certificate="MIIDXTCCAkWgAwIBAgI..."
Host-Based Service Management Delegation
Designate a host to manage a service:
ipa service-add-host HTTP/web.example.com --hosts=loadbalancer.example.com
Grant certadmin role to the managing host (enables certificate operations):
ipa role-add-member --hosts=loadbalancer.example.com certadmin
Remove host management delegation:
ipa service-remove-host HTTP/web.example.com --hosts=loadbalancer.example.com
Constrained Delegation
Add delegation target (allow frontend to access backend on behalf of users):
ipa service-add-delegation HTTP/frontend.example.com ldap/backend.example.com@EXAMPLE.COM
Remove delegation target:
ipa service-remove-delegation HTTP/frontend.example.com ldap/backend.example.com@EXAMPLE.COM
Allow a user to configure delegation:
ipa service-allow-add-delegation HTTP/web.example.com --users=appowner
Revoke delegation configuration privilege:
ipa service-disallow-add-delegation HTTP/web.example.com --users=appowner
Service Disablement
Disable service (revoke Kerberos keys and certificates):
ipa service-disable HTTP/web.example.com
Re-enable service (retrieve new keytab and request new certificate):
ipa-getkeytab -s ipa.example.com -p HTTP/web.example.com -k /etc/httpd/httpd.keytab
ipa cert-request --principal=HTTP/web.example.com web.csr
Best Practices
Service Principal Design
Use canonical hostnames: Service principals should use canonical DNS names, not aliases or IP addresses. This ensures Kerberos reverse DNS lookups succeed and prevents authentication failures.
One service per application instance: Don’t share service principals across multiple physical hosts. Each instance should have its own principal (or use load balancer virtual hostname if truly load-balanced).
Follow standard service type conventions: Use standard service types (HTTP, LDAP, NFS) when applicable. Custom types reduce interoperability and complicate client configuration.
Plan for virtual hosting: Web services with multiple virtual hosts can use principal aliases to support multiple hostnames. Alternatively, use the virtual hostname as the primary principal.
Keytab Management
Protect keytab files: Keytabs are equivalent to passwords. Set strict file permissions (typically 0600, owned by service account) and protect them from unauthorized access.
Avoid sharing keytabs: Each service instance should have unique credentials. Shared keytabs multiply compromise impact and complicate key rotation.
Automate keytab retrieval: Use configuration management tools to retrieve keytabs during provisioning. Don’t manually copy keytab files between systems.
Monitor keytab expiration: While Kerberos keys don’t expire, keytab files can become invalid if keys are regenerated. Monitor for authentication failures indicating stale keytabs.
Document delegation relationships: Maintain clear records of which users/hosts can create or retrieve keytabs for each service. This aids security audits and incident response.
Certificate Operations
Leverage certmonger: Configure certmonger to manage service certificates automatically. This prevents expiration outages and eliminates manual renewal.
Plan certificate transitions: During renewal, ensure services support both old and new certificates during transition periods. Some services can load multiple certificates for this purpose.
Use appropriate certificate profiles: Select profiles matching service requirements. Server certificates need serverAuth extended key usage, client certificates need clientAuth.
Coordinate certificate deployment: When deploying new certificates, ensure all service instances receive updates before old certificates expire.
Constrained Delegation
Limit delegation targets: Only configure delegation to specific backend services required by the application. Broad delegation increases risk if the frontend is compromised.
Document delegation flows: Clearly document which services delegate to which backends and why. This helps security audits and troubleshooting.
Monitor delegation usage: Track delegation-related authentication to detect anomalous patterns that might indicate compromise.
Test delegation carefully: Constrained delegation configuration is complex. Thoroughly test in non-production before deploying to production.
PAC and Authentication Indicators
Set PAC type based on requirements: Most services use defaults. Only modify PAC type for specific needs (NFS ticket size, AD integration requirements).
Use authentication indicators for sensitive services: Services handling sensitive data should require stronger authentication (OTP, passkey) through authentication indicators.
Test PAC changes thoroughly: Incorrect PAC configuration can break authentication. Test changes in non-production environments first.
Document indicator requirements: Clearly communicate authentication requirements to users. Unexpected indicator requirements cause user confusion.
Service Lifecycle
Disable rather than delete: When decommissioning services, use service-disable initially rather than deletion. This allows recovery if the service is needed again.
Clean up obsolete services: Regularly audit service principals and delete truly obsolete entries. Stale services clutter the directory and may represent security risks.
Plan for service migration: When moving services between hosts, create the new service principal, migrate gradually, then disable the old principal.
Maintain service inventory: Track all service principals, their purposes, and ownership. This documentation aids management and security audits.
Security Considerations
Keytab creation invalidates existing credentials: Creating new keytabs regenerates Kerberos keys, immediately invalidating all existing keytabs for that service. Active services experience authentication failures until updated. Grant keytab creation permission only to trusted administrators and automation systems.
Keytab retrieval grants service impersonation: Users/hosts with retrieve keytab permission can extract service credentials and impersonate the service. This enables man-in-the-middle attacks and unauthorized access. Restrict retrieve permissions to legitimate operational needs only.
Constrained delegation enables user impersonation: Services with S4U2Proxy delegation can obtain tickets on behalf of users to specified backend services. Misconfigured delegation could enable unauthorized access to sensitive backends. Carefully validate delegation targets and necessity.
ok-as-delegate grants TGT forwarding: Services marked ok-as-delegate receive forwarded user TGTs, granting full user credential access. Compromised services can use these TGTs for any operation as the user. Reserve ok-as-delegate for highly trusted services only.
Managed-by hosts have credential control: Hosts designated in managed-by relationships can retrieve and regenerate service keytabs. Compromise of managing host compromises all managed services. Ensure managing hosts have equivalent security to managed services.
Service certificates enable TLS interception: Services holding certificate private keys can decrypt TLS traffic. Compromised service certificates enable interception of encrypted communications. Rotate certificates upon suspicion of compromise.
PAC type NONE weakens authorization: Disabling PAC removes authorization information from tickets. Services relying on PAC data for access decisions may grant unauthorized access. Only use PAC type NONE when absolutely necessary (NFS kernel limits).
Authentication indicators can be bypassed: Auth indicators control which authentication methods are acceptable. However, users obtaining tickets without the service knowing the method may still succeed. Don’t rely solely on auth indicators for security-critical enforcement.
Stale service principals remain exploitable: Decommissioned services with unrevoked principals can be impersonated if old keytabs exist. Always disable or delete service principals when decommissioning services.
Service-to-service authentication trusts principals: Backend services trusting delegated tickets assume frontend validated user identity correctly. Compromised frontend service can forge user identities to backends via delegation. Validate frontend service security thoroughly.
Wildcard virtual host security: Services for virtual hosts (HTTP/www.example.com) trust DNS. DNS compromise could redirect authentication to attacker-controlled systems. Use DNSSEC or verify virtual host DNS configuration rigorously.
Keytab file permissions critical: Service keytabs stored as local files must have restrictive permissions (typically 600, owned by service account). Overly permissive keytab files enable local privilege escalation.
Certificate renewal gaps create outages: Failing to renew service certificates before expiration causes service authentication failures. Automated renewal via certmonger prevents this, but monitoring renewal status is essential.
Service principals visible to all authenticated users: Service principal existence and basic metadata (hostname, service type) is visible to all IPA users. In high-security environments, service inventory disclosure could aid reconnaissance. Minimize service metadata detail.
Troubleshooting
Service authentication fails with “service not found”:
# Verify service principal exists
ipa service-show HTTP/hostname.example.com
# If missing, create it
ipa service-add HTTP/hostname.example.com
# Retrieve keytab
ipa-getkeytab -s ipa.example.com -p HTTP/hostname.example.com \
-k /etc/httpd/conf/httpd.keytab
# Verify keytab contains correct principal
klist -kt /etc/httpd/conf/httpd.keytab
“Key version number mismatch” error:
# Symptom: Service fails with KVNO error
# Keytab is out of sync with IPA (keys regenerated)
# Retrieve fresh keytab
ipa-getkeytab -s ipa.example.com -p HTTP/hostname.example.com \
-k /etc/httpd/conf/httpd.keytab
# Restart service
systemctl restart httpd
Cannot retrieve keytab - permission denied:
# Verify retrieval delegation exists
ipa service-show HTTP/hostname.example.com --all | \
grep -A5 "retrieve keytab"
# Grant retrieve permission if missing
ipa service-allow-retrieve-keytab HTTP/hostname.example.com \
--users=adminuser
# Verify user authenticated as Kerberos principal
klist
# Retry retrieval
ipa-getkeytab -r -s ipa.example.com -p HTTP/hostname.example.com \
-k /tmp/test.keytab
Service creation fails with “host not found”:
# Service principals require host to exist first
# Create host entry
ipa host-add hostname.example.com
# Create service
ipa service-add HTTP/hostname.example.com
# For services on non-enrolled hosts (not recommended):
ipa service-add HTTP/external.example.com --skip-host-check --force
Constrained delegation not working:
# Verify delegation configured
ipa service-show HTTP/frontend.example.com --all | \
grep -i delegation
# Verify ok-to-auth-as-delegate flag set
ipa service-show HTTP/frontend.example.com | grep "ok-to-auth-as-delegate"
# Set if missing
ipa service-mod HTTP/frontend.example.com --ok-to-auth-as-delegate=TRUE
# Add delegation target if missing
ipa service-add-delegation HTTP/frontend.example.com \
HTTP/backend.example.com@EXAMPLE.COM
# Verify backend service exists
ipa service-show HTTP/backend.example.com
Certificate request fails for service:
# Verify service principal exists
ipa service-show HTTP/hostname.example.com
# Verify host running certmonger has service keytab
klist -kt /etc/httpd/conf/httpd.keytab
# Check certmonger status
getcert list
# Request certificate with correct principal
ipa-getcert request -f /etc/httpd/certs/server.crt \
-k /etc/httpd/certs/server.key \
-N CN=hostname.example.com \
-K HTTP/hostname.example.com@EXAMPLE.COM
# Check certmonger tracking
getcert list -i <request-id>
NFS service fails with “ticket too large”:
# NFS has Linux kernel ticket size limits
# PAC data causes tickets to exceed limits
# Check current PAC type
ipa service-show NFS/fileserver.example.com | grep "PAC type"
# Disable PAC
ipa service-mod NFS/fileserver.example.com --pac-type=NONE
# Clear existing tickets on clients
kdestroy
kinit username
# Retry NFS access
Service managed-by host cannot retrieve keytab:
# Verify managed-by relationship
ipa service-show HTTP/service.example.com --all | \
grep -A5 "Managed by"
# Add managing host if missing
ipa service-add-host HTTP/service.example.com \
--hosts=manager.example.com
# Verify manager host authenticated
# On manager.example.com:
klist # Should show host/manager.example.com@REALM
# Retrieve keytab from manager
ipa-getkeytab -s ipa.example.com -p HTTP/service.example.com \
-k /tmp/service.keytab
Virtual host service authentication fails:
# Verify DNS alias exists and resolves correctly
dig www.example.com # Should resolve to actual server
# Verify service principal uses virtual hostname
ipa service-show HTTP/www.example.com
# If using physical hostname instead:
# Create service with virtual hostname
ipa service-add HTTP/www.example.com
# Retrieve keytab on physical server
ipa-getkeytab -s ipa.example.com -p HTTP/www.example.com \
-k /etc/httpd/conf/www.keytab
Authentication indicator restriction preventing access:
# Symptom: "Required auth indicator not present" in logs
# Check service auth indicator requirements
ipa service-show HTTP/hostname.example.com | grep "Auth indicators"
# Verify user has required authentication method
# For OTP requirement, verify user has token:
ipa otptoken-find --user=username
# If requirement too strict, modify
ipa service-mod HTTP/hostname.example.com --auth-ind=
# Or configure user for required auth method
Cannot delete service - dependency exists:
# Find what depends on service
ipa service-show HTTP/hostname.example.com --all
# Check for delegation rules
ipa servicedelegation-find --member-principal=HTTP/hostname.example.com
# Remove from delegation rules
ipa servicedelegation-remove-member delegation-rule \
--principals=HTTP/hostname.example.com
# Retry deletion
ipa service-del HTTP/hostname.example.com
Service principal exists but clients cannot find it:
# DNS issues prevent Kerberos service location
# Verify DNS SRV records
dig -t SRV _kerberos._tcp.example.com
# Verify hostname resolves
dig hostname.example.com
# Verify reverse DNS (important for Kerberos)
dig -x <IP-address>
# If DNS issues, fix DNS or use /etc/hosts as workaround
Certificate renewal fails via certmonger:
# Check certmonger tracking status
getcert list
# Look for error messages
getcert list -i <request-id>
# Common issue: service keytab missing or invalid
klist -kt /etc/httpd/conf/httpd.keytab
# Verify certmonger can authenticate
getcert start-tracking -f /etc/httpd/certs/server.crt \
-k /etc/httpd/certs/server.key \
-K HTTP/hostname.example.com@EXAMPLE.COM
# Force immediate renewal attempt
getcert resubmit -i <request-id>
Multiple services on same host conflicting:
# Symptom: One service works, another doesn't
# Verify each service has distinct principal
ipa service-find --host=hostname.example.com
# Verify each service has separate keytab file
ls -l /etc/httpd/conf/*.keytab
ls -l /etc/openldap/certs/*.keytab
# Ensure services configured to use correct keytab files
# httpd: KRB5_KTNAME=/etc/httpd/conf/httpd.keytab
# slapd: KRB5_KTNAME=/etc/openldap/certs/slapd.keytab
Delegation works in test but fails in production:
# Verify delegation configuration identical in both environments
ipa service-show HTTP/frontend.example.com --all | grep -i delegate
# Verify backend service accessible from frontend
# On frontend host:
kinit -kt /etc/httpd/conf/httpd.keytab HTTP/frontend.example.com
kvno HTTP/backend.example.com
# If kvno fails, network/firewall blocking Kerberos
# Kerberos port 88 must be accessible
Integration with Other IPA Components
Host Entries
Service principals require host entries to exist. Host management (host-* commands) provides the foundation for service registration.
Certificate Management
Service certificates are issued through IPA’s CA using cert-* commands. Service entries track issued certificates and enable certificate-based authentication.
Groups
Services can be members of groups, enabling collective policy application. Service groups appear in HBAC rules and other policy contexts.
HBAC Rules
Host-based access control rules can restrict which users can access services. HBAC evaluates service membership in groups as part of access decisions.
Delegation Rules
Service delegation (servicedelegation-* commands) provides higher-level delegation rule management complementing service-specific delegation configuration.
Certmonger
Certmonger on IPA clients tracks service certificates and automatically renews them before expiration. Integration with IPA’s CA enables fully automated certificate lifecycle management.
Commands
service-add
Usage:
ipa [global-options] service-add CANONICAL-PRINCIPAL [options]
Add a new IPA service.
Arguments
| Argument | Required | Description |
|---|---|---|
CANONICAL-PRINCIPAL | yes | Service principal |
Options
| Option | Description |
|---|---|
--certificate CERTIFICATE | Base-64 encoded service certificate |
--pac-type PAC-TYPE | Override default list of supported PAC types. Use ‘NONE’ to disable PAC support for this service, e.g. this might be necessary for NFS services. |
--auth-ind AUTH-IND | Defines an allow list for Authentication Indicators. Use ‘otp’ to allow OTP-based 2FA authentications. Use ‘radius’ to allow RADIUS-based 2FA authentications. Use ‘pkinit’ to allow PKINIT-based 2FA authentications. Use ‘hardened’ to allow brute-force hardened password authentication by SPAKE or FAST. Use ‘idp’ to allow authentication against an external Identity Provider supporting OAuth 2.0 Device Authorization Flow (RFC 8628). Use ‘passkey’ to allow passkey-based 2FA authentications. With no indicator specified, all authentication mechanisms are allowed. |
--requires-pre-auth REQUIRES-PRE-AUTH | Pre-authentication is required for the service |
--ok-as-delegate OK-AS-DELEGATE | Client credentials may be delegated to the service |
--ok-to-auth-as-delegate OK-TO-AUTH-AS-DELEGATE | The service is allowed to authenticate on behalf of a client |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--force | force principal name even if host not in DNS |
--skip-host-check | force service to be created even when host object does not exist to manage it |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
service-add-cert
Usage:
ipa [global-options] service-add-cert CANONICAL-PRINCIPAL [options]
Add new certificates to a service
Arguments
| Argument | Required | Description |
|---|---|---|
CANONICAL-PRINCIPAL | yes | Service principal |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--certificate CERTIFICATE | Base-64 encoded service certificate |
service-add-delegation
Usage:
ipa [global-options] service-add-delegation CANONICAL-PRINCIPAL PRINCIPAL [options]
Add new resource delegation to a service
Arguments
| Argument | Required | Description |
|---|---|---|
CANONICAL-PRINCIPAL | yes | Service principal |
PRINCIPAL yes Delegation principal
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
service-add-host
Usage:
ipa [global-options] service-add-host CANONICAL-PRINCIPAL [options]
Add hosts that can manage this service.
Arguments
| Argument | Required | Description |
|---|---|---|
CANONICAL-PRINCIPAL | yes | Service principal |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--hosts HOSTS | hosts to add |
service-add-principal
Usage:
ipa [global-options] service-add-principal CANONICAL-PRINCIPAL PRINCIPAL [options]
Add new principal alias to a service
Arguments
| Argument | Required | Description |
|---|---|---|
CANONICAL-PRINCIPAL | yes | Service principal |
PRINCIPAL yes Service principal alias
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
service-add-smb
Usage:
ipa [global-options] service-add-smb HOSTNAME [NETBIOSNAME] [options]
Add a new SMB service.
Arguments
| Argument | Required | Description |
|---|---|---|
HOSTNAME | yes | Host name |
NETBIOSNAME no SMB service NetBIOS name
Options
| Option | Description |
|---|---|
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--certificate CERTIFICATE | Base-64 encoded service certificate |
--ok-as-delegate OK-AS-DELEGATE | Client credentials may be delegated to the service |
--ok-to-auth-as-delegate OK-TO-AUTH-AS-DELEGATE | The service is allowed to authenticate on behalf of a client |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
service-allow-add-delegation
Usage:
ipa [global-options] service-allow-add-delegation CANONICAL-PRINCIPAL [options]
Allow users, groups, hosts or host groups to handle a resource delegation of this service.
Arguments
| Argument | Required | Description |
|---|---|---|
CANONICAL-PRINCIPAL | yes | Service principal |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--users USERS | users to add |
--groups GROUPS | groups to add |
--hosts HOSTS | hosts to add |
--hostgroups HOSTGROUPS | host groups to add |
service-allow-create-keytab
Usage:
ipa [global-options] service-allow-create-keytab CANONICAL-PRINCIPAL [options]
Allow users, groups, hosts or host groups to create a keytab of this service.
Arguments
| Argument | Required | Description |
|---|---|---|
CANONICAL-PRINCIPAL | yes | Service principal |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--users USERS | users to add |
--groups GROUPS | groups to add |
--hosts HOSTS | hosts to add |
--hostgroups HOSTGROUPS | host groups to add |
service-allow-retrieve-keytab
Usage:
ipa [global-options] service-allow-retrieve-keytab CANONICAL-PRINCIPAL [options]
Allow users, groups, hosts or host groups to retrieve a keytab of this service.
Arguments
| Argument | Required | Description |
|---|---|---|
CANONICAL-PRINCIPAL | yes | Service principal |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--users USERS | users to add |
--groups GROUPS | groups to add |
--hosts HOSTS | hosts to add |
--hostgroups HOSTGROUPS | host groups to add |
service-del
Usage:
ipa [global-options] service-del CANONICAL-PRINCIPAL [options]
Delete an IPA service.
Arguments
| Argument | Required | Description |
|---|---|---|
CANONICAL-PRINCIPAL | yes | Service principal |
Options
| Option | Description |
|---|---|
--continue | Continuous mode: Don’t stop on errors. |
service-disable
Usage:
ipa [global-options] service-disable CANONICAL-PRINCIPAL [options]
Disable the Kerberos key and SSL certificate of a service.
Arguments
| Argument | Required | Description |
|---|---|---|
CANONICAL-PRINCIPAL | yes | Service principal |
service-disallow-add-delegation
Usage:
ipa [global-options] service-disallow-add-delegation CANONICAL-PRINCIPAL [options]
Disallow users, groups, hosts or host groups to handle a resource delegation of this service.
Arguments
| Argument | Required | Description |
|---|---|---|
CANONICAL-PRINCIPAL | yes | Service principal |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--users USERS | users to remove |
--groups GROUPS | groups to remove |
--hosts HOSTS | hosts to remove |
--hostgroups HOSTGROUPS | host groups to remove |
service-disallow-create-keytab
Usage:
ipa [global-options] service-disallow-create-keytab CANONICAL-PRINCIPAL [options]
Disallow users, groups, hosts or host groups to create a keytab of this service.
Arguments
| Argument | Required | Description |
|---|---|---|
CANONICAL-PRINCIPAL | yes | Service principal |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--users USERS | users to remove |
--groups GROUPS | groups to remove |
--hosts HOSTS | hosts to remove |
--hostgroups HOSTGROUPS | host groups to remove |
service-disallow-retrieve-keytab
Usage:
ipa [global-options] service-disallow-retrieve-keytab CANONICAL-PRINCIPAL [options]
Disallow users, groups, hosts or host groups to retrieve a keytab of this service.
Arguments
| Argument | Required | Description |
|---|---|---|
CANONICAL-PRINCIPAL | yes | Service principal |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--users USERS | users to remove |
--groups GROUPS | groups to remove |
--hosts HOSTS | hosts to remove |
--hostgroups HOSTGROUPS | host groups to remove |
service-find
Usage: ipa [global-options] service-find [CRITERIA] [options]
Search for IPA services.
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object
attributes
Options
| Option | Description |
|---|---|
--canonical-principal CANONICAL-PRINCIPAL | Service principal |
--principal PRINCIPAL | Service principal alias |
--pac-type PAC-TYPE | Override default list of supported PAC types. Use ‘NONE’ to disable PAC support for this service, e.g. this might be necessary for NFS services. |
--auth-ind AUTH-IND | Defines an allow list for Authentication Indicators. Use ‘otp’ to allow OTP-based 2FA authentications. Use ‘radius’ to allow RADIUS-based 2FA authentications. Use ‘pkinit’ to allow PKINIT-based 2FA authentications. Use ‘hardened’ to allow brute-force hardened password authentication by SPAKE or FAST. Use ‘idp’ to allow authentication against an external Identity Provider supporting OAuth 2.0 Device Authorization Flow (RFC 8628). Use ‘passkey’ to allow passkey-based 2FA authentications. With no indicator specified, all authentication mechanisms are allowed. |
--timelimit TIMELIMIT | Time limit of search in seconds (0 is unlimited) |
--sizelimit SIZELIMIT | Maximum number of entries returned (0 is unlimited) |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--pkey-only | Results should contain primary key attribute only (“canonical-principal”) |
--man-by-hosts MAN-BY-HOSTS | Search for services with these managed by hosts. |
--not-man-by-hosts NOT-MAN-BY-HOSTS | Search for services without these managed by hosts. |
service-mod
Usage:
ipa [global-options] service-mod CANONICAL-PRINCIPAL [options]
Modify an existing IPA service.
Arguments
| Argument | Required | Description |
|---|---|---|
CANONICAL-PRINCIPAL | yes | Service principal |
Options
| Option | Description |
|---|---|
--principal PRINCIPAL | Service principal alias |
--certificate CERTIFICATE | Base-64 encoded service certificate |
--pac-type PAC-TYPE | Override default list of supported PAC types. Use ‘NONE’ to disable PAC support for this service, e.g. this might be necessary for NFS services. |
--auth-ind AUTH-IND | Defines an allow list for Authentication Indicators. Use ‘otp’ to allow OTP-based 2FA authentications. Use ‘radius’ to allow RADIUS-based 2FA authentications. Use ‘pkinit’ to allow PKINIT-based 2FA authentications. Use ‘hardened’ to allow brute-force hardened password authentication by SPAKE or FAST. Use ‘idp’ to allow authentication against an external Identity Provider supporting OAuth 2.0 Device Authorization Flow (RFC 8628). Use ‘passkey’ to allow passkey-based 2FA authentications. With no indicator specified, all authentication mechanisms are allowed. |
--requires-pre-auth REQUIRES-PRE-AUTH | Pre-authentication is required for the service |
--ok-as-delegate OK-AS-DELEGATE | Client credentials may be delegated to the service |
--ok-to-auth-as-delegate OK-TO-AUTH-AS-DELEGATE | The service is allowed to authenticate on behalf of a client |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--delattr DELATTR | Delete an attribute/value pair. The option will be evaluated |
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
service-remove-cert
Usage:
ipa [global-options] service-remove-cert CANONICAL-PRINCIPAL [options]
Remove certificates from a service
Arguments
| Argument | Required | Description |
|---|---|---|
CANONICAL-PRINCIPAL | yes | Service principal |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--certificate CERTIFICATE | Base-64 encoded service certificate |
service-remove-delegation
Usage:
ipa [global-options] service-remove-delegation CANONICAL-PRINCIPAL PRINCIPAL [options]
Remove resource delegation from a service
Arguments
| Argument | Required | Description |
|---|---|---|
CANONICAL-PRINCIPAL | yes | Service principal |
PRINCIPAL yes Delegation principal
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
service-remove-host
Usage:
ipa [global-options] service-remove-host CANONICAL-PRINCIPAL [options]
Remove hosts that can manage this service.
Arguments
| Argument | Required | Description |
|---|---|---|
CANONICAL-PRINCIPAL | yes | Service principal |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--hosts HOSTS | hosts to remove |
service-remove-principal
Usage:
ipa [global-options] service-remove-principal CANONICAL-PRINCIPAL PRINCIPAL [options]
Remove principal alias from a service
Arguments
| Argument | Required | Description |
|---|---|---|
CANONICAL-PRINCIPAL | yes | Service principal |
PRINCIPAL yes Service principal alias
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
service-show
Usage:
ipa [global-options] service-show CANONICAL-PRINCIPAL [options]
Display information about an IPA service.
Arguments
| Argument | Required | Description |
|---|---|---|
CANONICAL-PRINCIPAL | yes | Service principal |
Options
| Option | Description |
|---|---|
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--out OUT | file to store certificate in |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |