Service Management
Manage Kerberos service principals for network services requiring authentication. Service entries store service credentials, support certificate-based authentication, and enable delegation scenarios. Features include service principal management, certificate operations, host and user delegation, and support for constrained delegation (S4U2Proxy) for application integration and single sign-on.
Overview
Service principals in FreeIPA represent network services that participate in Kerberos authentication. Each service running on an IPA-enrolled host that needs to accept authenticated connections requires a service principal, enabling mutual authentication where both clients and servers prove their identities. Service principals follow the format SERVICE/hostname@REALM, where SERVICE identifies the application type (HTTP, LDAP, NFS, etc.) and hostname specifies the system running the service.
Service entries store both Kerberos credentials (keytabs) and X.509 certificates, supporting both ticket-based and certificate-based authentication. This dual credential support enables services to participate in traditional Kerberos SSO workflows while also supporting modern TLS/SSL encrypted connections with certificate validation. Services can hold multiple certificates simultaneously, supporting certificate renewal transitions and diverse client capabilities.
Service management in IPA includes credential lifecycle, delegation configuration, and access control. Services can delegate authentication decisions to other services (constrained delegation), enabling multi-tier application architectures where frontend services authenticate users and backend services trust that authentication. Host-based delegation controls which hosts can manage service credentials, supporting distributed administration and automated provisioning workflows.
Service Principal Format and Components
Service principals consist of three components: service type, hostname, and realm. The service type indicates the application protocol (HTTP for web servers, LDAP for directory services, NFS for file sharing, etc.). The hostname identifies where the service runs, matching the system’s DNS name. The realm (typically implicit, matching the IPA domain) completes the principal identity.
Standard Service Types:
- HTTP/: Web services, REST APIs, application servers
- LDAP/: LDAP directory services
- NFS/: Network File System services
- cifs/: SMB/CIFS file sharing
- DNS/: DNS servers
- host/: Host-level services and SSH
Service type names are case-sensitive and conventionally uppercase for well-known services. Custom service types can be defined for organization-specific applications, though using standard types when applicable improves interoperability.
The hostname component must match the system’s canonical DNS name or be an alias configured in DNS. Mismatched hostnames cause Kerberos authentication failures as clients cannot locate the service’s principal. For services behind load balancers or virtual hosts, service principals should use the virtual hostname rather than physical server names.
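The component rules above can be checked before a name is handed to ipa service-add. The following parser is an added example written for this page, not FreeIPA's own validation code; it assumes a default realm supplied by the caller and the conventional spellings of the well-known service types listed above. It rejects shapes that will not authenticate (missing service type, hostname given as an IP literal, hostname that is not a fully qualified DNS name) and only warns about the case deviations this section mentions, since Kerberos compares the service type case-sensitively.

```python
import ipaddress
import re
from dataclasses import dataclass

# Conventional spelling of the well-known service types listed above.
WELL_KNOWN_TYPES = ("HTTP", "LDAP", "NFS", "cifs", "DNS", "host")

# At least two DNS labels joined by dots, i.e. a fully qualified name.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$"
)


@dataclass(frozen=True)
class ServicePrincipal:
    service: str
    hostname: str
    realm: str
    warnings: tuple  # non-fatal deviations from the conventions above

    def __str__(self) -> str:
        return f"{self.service}/{self.hostname}@{self.realm}"


def parse_service_principal(text: str, default_realm: str) -> ServicePrincipal:
    """Split SERVICE/hostname[@REALM] into its components and validate them.

    Raises ValueError for shapes that will not authenticate: missing service
    type, hostname given as an IP literal, or a hostname that is not an FQDN.
    default_realm is the caller's assumption for a principal written without '@'.
    """
    warnings = []
    name, sep, realm = text.rpartition("@")
    if not sep:
        name, realm = text, default_realm
    service, sep, hostname = name.partition("/")
    if not sep or not service:
        raise ValueError(f"{text!r}: expected SERVICE/hostname")
    if not hostname or "/" in hostname:
        raise ValueError(f"{text!r}: hostname must be a single DNS name")
    if not realm:
        raise ValueError(f"{text!r}: empty realm")

    # Reject IP literals before the FQDN regex, which would otherwise accept
    # "10.0.0.5" as four numeric labels.
    try:
        ipaddress.ip_address(hostname)
    except ValueError:
        pass
    else:
        raise ValueError(f"{text!r}: hostname is an IP address; use the canonical DNS name")

    if hostname != hostname.lower():
        warnings.append(f"hostname {hostname!r} lowercased (IPA canonical form)")
        hostname = hostname.lower()
    if not FQDN_RE.match(hostname):
        raise ValueError(f"{text!r}: hostname must be a fully qualified DNS name")

    # 'http' and 'HTTP' are different principals; clients built for the
    # conventional spelling will not find the other one.
    for known in WELL_KNOWN_TYPES:
        if service != known and service.lower() == known.lower():
            warnings.append(f"service type {service!r} differs in case from conventional {known!r}")
    if realm != realm.upper():
        warnings.append(f"realm {realm!r} is not uppercase")
    return ServicePrincipal(service, hostname, realm, tuple(warnings))


def is_valid_service_principal(text: str, default_realm: str) -> bool:
    """True when parse_service_principal accepts the name (warnings allowed)."""
    try:
        parse_service_principal(text, default_realm)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for sample in ("HTTP/web.example.com", "http/Web.example.com@EXAMPLE.COM",
                   "HTTP/10.0.0.5", "HTTP/web", "web.example.com"):
        try:
            p = parse_service_principal(sample, "EXAMPLE.COM")
            print(f"{sample:38} -> {p}  warnings={list(p.warnings)}")
        except ValueError as err:
            print(f"{sample:38} -> rejected: {err}")
```

Running the module prints one line per sample; the rejected samples are exactly the ones the section says will fail (IP literal, bare hostname, no service type), while the mixed-case sample is accepted with warnings so an operator can decide whether the deviation was intended.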
Service Creation Prerequisites
Creating service principals requires the associated host to exist in IPA. This prerequisite ensures services are registered on legitimate, enrolled systems and establishes ownership relationships. The --skip-host-check flag bypasses this validation for special scenarios, but normal operations should create hosts before services.
The --force flag allows service creation even when the hostname doesn’t resolve in DNS. This supports pre-provisioning scenarios where DNS records are created after service principals, or isolated environments where DNS may not be fully configured. However, services with unresolvable hostnames will fail Kerberos authentication until DNS is corrected.
Service creation doesn’t automatically generate keytabs or certificates. After creating the service principal, separate operations retrieve keytabs (using ipa-getkeytab) or request certificates (using cert-request). This separation enables flexible deployment workflows and prevents premature credential generation.
Keytab Management
Keytabs are files containing Kerberos keys enabling services to authenticate without interactive password entry. Services store keytabs locally (typically in /etc/), loading them during startup to authenticate incoming connections. Keytab retrieval requires appropriate privileges: the service’s host, delegated administrators, or users granted explicit keytab retrieval permissions.
The ipa-getkeytab command retrieves keytabs from the IPA server, generating new keys if necessary. Generating new keys invalidates previous keytabs for that service, a critical consideration when multiple systems share a service principal (generally discouraged) or during service migration.
Keytab permissions control who can create (generate new keys) or retrieve (access existing keys) keytabs:
Create Keytab: Regenerates service keys, invalidating all existing keytabs. This permission should be restricted to trusted administrators and automation systems. Creating a new keytab for an active service causes authentication failures until all instances are updated.
Retrieve Keytab: Accesses current keys without regeneration. Less disruptive than creation but still sensitive as it grants access to service credentials. Retrieve permissions support scenarios where multiple systems legitimately need the same keytab.
Keytab delegation can target users (individual administrators), groups (operational teams), hosts (automation systems), or host groups (fleets of orchestration nodes). This flexibility enables both manual administration and automated provisioning while maintaining security boundaries.
Certificate Management for Services
Service certificates enable TLS/SSL encryption and certificate-based authentication. Certificates are requested through IPA’s integrated CA using cert-request, associating the certificate with the service principal. Unlike keytabs, whose keys the IPA server generates when they are retrieved, a certificate request requires a CSR generated by the requester that contains the service’s public key.
Multiple certificates per service support certificate renewal overlaps and algorithm diversity. During renewal, services can hold both expiring and renewed certificates, enabling graceful transition without service interruption. Services may also hold RSA and ECDSA certificates simultaneously, selecting appropriate certificates based on client capabilities.
Certificate operations (adding, removing) can be performed by the service’s host, users with appropriate permissions, or through delegated management relationships. The service-add-host command designates hosts that can manage a service’s certificates, supporting scenarios where load balancers or orchestration systems manage backend service certificates.
Certmonger on IPA clients automates certificate renewal for services. When configured to track a service certificate, certmonger monitors expiration, requests renewal from the IPA CA, and updates certificate files without manual intervention. This automation prevents certificate expiration outages.
Constrained Delegation (S4U2Proxy)
Constrained delegation enables services to authenticate to backend services on behalf of users without requiring user credentials. This pattern is essential for multi-tier applications: a web application authenticates users, then accesses a database on their behalf. Without delegation, the database can’t verify the user’s identity; with delegation, the web app presents evidence of the user’s authentication.
IPA implements constrained delegation through Kerberos S4U2Proxy protocol extensions. Services configured for delegation can request service tickets to specific backend services on behalf of authenticated users. The backend service receives both the user’s identity and proof that delegation was authorized by IPA’s KDC.
ok-as-delegate: Marks a service as suitable for credential delegation. Clients seeing this flag may forward their TGTs to the service, enabling full delegation. This flag should only be set on highly trusted services as it grants access to user credentials.
ok-to-auth-as-delegate: Permits the service to use S4U2Self to obtain a service ticket on behalf of a user, necessary for protocol transition scenarios where the initial authentication wasn’t Kerberos-based (e.g., form-based web login).
Delegation targets are configured through service-add-delegation, specifying which backend service principals this service can obtain tickets for. Constrained delegation limits delegation to explicitly configured targets, preventing services from impersonating users to arbitrary services.
PAC Type Configuration
Privilege Attribute Certificates (PAC) are embedded in Kerberos tickets providing authorization information. PAC types determine what authorization data is included in tickets for the service. The default includes MS-PAC for Active Directory trust compatibility, but some services require PAC modification.
NONE: Disables PAC entirely. Required for services with ticket size constraints like NFS, where the Linux kernel has ticket size limits. Large PACs can exceed these limits causing authentication failures.
MS-PAC: Includes Microsoft PAC data for Active Directory trust integration. Services accessed by AD users typically require MS-PAC.
PAD: FreeIPA PAC data for IPA-specific authorization information.
PAC type configuration is service-specific through service-mod --pac-type. Most services use defaults, but specialized services may require custom PAC configuration to function correctly.
Authentication Indicators
Authentication indicators restrict how users can authenticate to services, enforcing security policies requiring specific authentication methods. The --auth-ind parameter configures allowed authentication indicators:
- otp: Allows OTP-based two-factor authentication
- radius: Allows RADIUS-based two-factor authentication
- pkinit: Allows PKINIT (certificate-based) authentication
- hardened: Allows hardened password authentication (SPAKE/FAST)
- idp: Allows OAuth 2.0 Device Flow authentication
- passkey: Allows passkey-based authentication
When authentication indicators are configured, users attempting authentication must have authenticated using one of the allowed methods. This enables service-specific security policies: highly sensitive services can require OTP or passkey authentication while general services allow all methods.
Host-Based Service Management
Services can be managed by hosts other than the host they run on. This delegation pattern supports orchestration systems, load balancers, and centralized management platforms. The service-add-host command designates hosts authorized to manage a service’s credentials and certificates.
When combined with role membership (e.g., certadmin role), delegated hosts can request certificates, regenerate keytabs, and modify service attributes. This enables automation where provisioning systems manage service lifecycle without requiring full administrative credentials.
Host-based management is directional: designating host A to manage service S doesn’t grant S permissions over A. This asymmetric relationship enables safe delegation where management hosts have limited, specific privileges over managed services.
Examples
Basic Service Management
Add a new service principal:
ipa service-add HTTP/web.example.com
Add a service bypassing host existence check (special scenarios only):
ipa service-add --skip-host-check HTTP/app.example.com
Add a service forcing creation even if DNS doesn’t resolve:
ipa service-add --force HTTP/web.example.com
Add an SMB service (special handling for Windows integration):
ipa service-add-smb web.example.com
Delete a service principal:
ipa service-del HTTP/web.example.com
Display comprehensive service information:
ipa service-show HTTP/web.example.com --all
Search for all services on a specific host:
ipa service-find web.example.com
Search for all services of a specific type:
ipa service-find HTTP
Search for services in specific host groups:
ipa service-find --in-hostgroups=webservers
Service Modification
Modify service description:
ipa service-mod HTTP/web.example.com --desc="Production web server"
Configure PAC type for NFS (disable PAC due to ticket size constraints):
ipa service-mod NFS/fileserver.example.com --pac-type=NONE
Configure PAC type for AD integration:
ipa service-mod HTTP/web.example.com --pac-type=MS-PAC
Set authentication indicator requirements (require OTP):
ipa service-mod HTTP/sensitive.example.com --auth-ind=otp
Set multiple authentication indicators:
ipa service-mod HTTP/secure.example.com --auth-ind=otp --auth-ind=passkey
Configure delegation flags:
ipa service-mod HTTP/web.example.com --ok-as-delegate=TRUE --ok-to-auth-as-delegate=TRUE
Principal Alias Management
Add a principal alias for a service (support alternative names):
ipa service-add-principal HTTP/web.example.com HTTP/www.example.com@EXAMPLE.COM
Remove a principal alias:
ipa service-remove-principal HTTP/web.example.com HTTP/www.example.com@EXAMPLE.COM
Keytab Management
Retrieve a keytab for a service (from the service’s host):
# On web.example.com:
kinit -kt /etc/krb5.keytab host/web.example.com
ipa-getkeytab -s ipa.example.com -p HTTP/web.example.com -k /etc/httpd/httpd.keytab
Allow a user to create keytabs (regenerate keys):
ipa service-allow-create-keytab HTTP/web.example.com --users=webadmin
Allow a group to create keytabs:
ipa service-allow-create-keytab HTTP/web.example.com --groups=webadmins
Allow a host to create keytabs (for automation):
ipa service-allow-create-keytab HTTP/web.example.com --hosts=provisioner.example.com
Allow host groups to create keytabs:
ipa service-allow-create-keytab HTTP/web.example.com --hostgroups=automation_servers
Revoke keytab creation permission:
ipa service-disallow-create-keytab HTTP/web.example.com --users=webadmin
Allow keytab retrieval (access without regeneration):
ipa service-allow-retrieve-keytab HTTP/web.example.com --users=operator
Revoke keytab retrieval permission:
ipa service-disallow-retrieve-keytab HTTP/web.example.com --users=operator
Certificate Management
Request a certificate for a service:
ipa cert-request --principal=HTTP/web.example.com web.csr
Add a certificate to a service entry:
ipa service-add-cert HTTP/web.example.com --certificate="MIIDXTCCAkWgAwIBAgI..."
Remove a certificate from a service:
ipa service-remove-cert HTTP/web.example.com --certificate="MIIDXTCCAkWgAwIBAgI..."
Host-Based Service Management Delegation
Designate a host to manage a service:
ipa service-add-host HTTP/web.example.com --hosts=loadbalancer.example.com
Grant certadmin role to the managing host (enables certificate operations):
ipa role-add-member --hosts=loadbalancer.example.com certadmin
Remove host management delegation:
ipa service-remove-host HTTP/web.example.com --hosts=loadbalancer.example.com
Constrained Delegation
Add delegation target (allow frontend to access backend on behalf of users):
ipa service-add-delegation HTTP/frontend.example.com ldap/backend.example.com@EXAMPLE.COM
Remove delegation target:
ipa service-remove-delegation HTTP/frontend.example.com ldap/backend.example.com@EXAMPLE.COM
Allow a user to configure delegation:
ipa service-allow-add-delegation HTTP/web.example.com --users=appowner
Revoke delegation configuration privilege:
ipa service-disallow-add-delegation HTTP/web.example.com --users=appowner
Service Disablement
Disable service (revoke Kerberos keys and certificates):
ipa service-disable HTTP/web.example.com
Re-enable service (retrieve new keytab and request new certificate):
ipa-getkeytab -s ipa.example.com -p HTTP/web.example.com -k /etc/httpd/httpd.keytab
ipa cert-request --principal=HTTP/web.example.com web.csr
Best Practices
Service Principal Design
Use canonical hostnames: Service principals should use canonical DNS names, not aliases or IP addresses. This ensures Kerberos reverse DNS lookups succeed and prevents authentication failures.
One service per application instance: Don’t share service principals across multiple physical hosts. Each instance should have its own principal (or use load balancer virtual hostname if truly load-balanced).
Follow standard service type conventions: Use standard service types (HTTP, LDAP, NFS) when applicable. Custom types reduce interoperability and complicate client configuration.
Plan for virtual hosting: Web services with multiple virtual hosts can use principal aliases to support multiple hostnames. Alternatively, use the virtual hostname as the primary principal.
Keytab Management
Protect keytab files: Keytabs are equivalent to passwords. Set strict file permissions (typically 0600, owned by service account) and protect them from unauthorized access.
Avoid sharing keytabs: Each service instance should have unique credentials. Shared keytabs multiply compromise impact and complicate key rotation.
Automate keytab retrieval: Use configuration management tools to retrieve keytabs during provisioning. Don’t manually copy keytab files between systems.
Monitor keytab expiration: While Kerberos keys don’t expire, keytab files can become invalid if keys are regenerated. Monitor for authentication failures indicating stale keytabs.
Document delegation relationships: Maintain clear records of which users/hosts can create or retrieve keytabs for each service. This aids security audits and incident response.
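The keytab practices above (0600 permissions, spotting keytabs made stale by key regeneration) and the create/retrieve distinction from the Keytab Management section can be checked with a small script. What follows is an added example, not FreeIPA or MIT Kerberos code: it contains a minimal reader for the MIT keytab file format (version 0x0502, big-endian, negative entry size marking a deleted slot), a permission check, and a comparison of each entry's kvno against the kvno the KDC currently holds. The sample keytab and its key bytes are constructed inside the script, and the kdc_kvno mapping stands in for values you would obtain from the KDC (for example with the kvno utility); it is constructed as well.

```python
import os
import stat
import struct
import tempfile

SAMPLE_KEY = bytes(range(32))   # constructed key bytes; real keys come from the KDC
SAMPLE_TIME = 1700000000        # constructed entry timestamp (seconds since epoch)

def _counted(data: bytes) -> bytes:  # counted_octet_string: uint16 length + bytes
    return struct.pack(">H", len(data)) + data

def build_keytab(entries) -> bytes:
    """Serialise (principal, enctype, key, kvno, timestamp) tuples in MIT keytab
    format 0x0502 (big-endian). Used only to construct the sample file below."""
    out = b"\x05\x02"
    for principal, enctype, key, kvno, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # NT-PRINCIPAL, time, vno8
        body += struct.pack(">H", enctype) + _counted(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def _take(buf: bytes, pos: int, fmt: str):
    """Unpack one big-endian struct at pos; returns (values, new_pos)."""
    return struct.unpack_from(fmt, buf, pos), pos + struct.calcsize(fmt)

def _take_string(buf: bytes, pos: int):
    (n,), pos = _take(buf, pos, ">H")
    return buf[pos:pos + n], pos + n

def parse_keytab(data: bytes) -> list:
    """One dict per live entry: principal, enctype, kvno, timestamp, key_len."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab format version")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,), pos = _take(data, pos, ">i")
        if size < 0:                # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,), pos = _take(data, pos, ">H")
        realm, pos = _take_string(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _take_string(data, pos)
            comps.append(comp.decode())
        (_name_type, timestamp, vno8), pos = _take(data, pos, ">IIB")
        (enctype,), pos = _take(data, pos, ">H")
        key, pos = _take_string(data, pos)
        kvno = vno8
        if end - pos >= 4:          # 32-bit vno present: it wins when non-zero
            (vno32,), pos = _take(data, pos, ">I")
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "enctype": enctype, "kvno": kvno, "timestamp": timestamp,
                        "key_len": len(key)})
    return entries

def check_keytab_file(path: str, expected_uid: int) -> list:
    """Problems for a keytab that should be mode 0600 and owned by expected_uid."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if mode & 0o077:
        problems.append(f"mode {mode:04o} grants group/other access, expected 0600")
    return problems

def stale_entries(entries: list, kdc_kvno: dict) -> list:
    """Entries whose kvno no longer matches the KDC's (keys regenerated elsewhere).
    kdc_kvno is constructed here; in practice it comes from the kvno utility."""
    return [e for e in entries
            if e["principal"] in kdc_kvno and e["kvno"] != kdc_kvno[e["principal"]]]

def demo() -> dict:
    """Write a constructed keytab to a temp file and run every check on it."""
    http, nfs = "HTTP/web.example.com@EXAMPLE.COM", "nfs/fileserver.example.com@EXAMPLE.COM"
    data = build_keytab([(http, 18, SAMPLE_KEY, 3, SAMPLE_TIME),       # 18 = aes256-cts-hmac-sha1-96
                         (http, 17, SAMPLE_KEY[:16], 3, SAMPLE_TIME),  # 17 = aes128-cts-hmac-sha1-96
                         (nfs, 18, SAMPLE_KEY, 2, SAMPLE_TIME)])
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        path = f.name
    try:
        os.chmod(path, 0o644)
        loose = check_keytab_file(path, os.getuid())
        os.chmod(path, 0o600)
        strict = check_keytab_file(path, os.getuid())
    finally:
        os.unlink(path)
    entries = parse_keytab(data)
    # Suppose the KDC now holds kvno 4 for HTTP: its keys were regenerated elsewhere.
    stale = stale_entries(entries, {http: 4, nfs: 2})
    return {"entries": entries, "loose": loose, "strict": strict, "stale": stale}
```

demo() returns the parsed entries, the problems found for the 0644 copy (none for the 0600 copy), and the two HTTP entries as stale because the KDC's kvno moved to 4 after someone ran a key-regenerating ipa-getkeytab elsewhere; that is exactly the situation the "Monitor keytab expiration" item describes, and the comparison can run from cron against the real file and the real kvno before the service starts failing.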
Certificate Operations
Leverage certmonger: Configure certmonger to manage service certificates automatically. This prevents expiration outages and eliminates manual renewal.
Plan certificate transitions: During renewal, ensure services support both old and new certificates during transition periods. Some services can load multiple certificates for this purpose.
Use appropriate certificate profiles: Select profiles matching service requirements. Server certificates need serverAuth extended key usage, client certificates need clientAuth.
Coordinate certificate deployment: When deploying new certificates, ensure all service instances receive updates before old certificates expire.
Constrained Delegation
Limit delegation targets: Only configure delegation to specific backend services required by the application. Broad delegation increases risk if the frontend is compromised.
Document delegation flows: Clearly document which services delegate to which backends and why. This helps security audits and troubleshooting.
Monitor delegation usage: Track delegation-related authentication to detect anomalous patterns that might indicate compromise.
Test delegation carefully: Constrained delegation configuration is complex. Thoroughly test in non-production before deploying to production.
PAC and Authentication Indicators
Set PAC type based on requirements: Most services use defaults. Only modify PAC type for specific needs (NFS ticket size, AD integration requirements).
Use authentication indicators for sensitive services: Services handling sensitive data should require stronger authentication (OTP, passkey) through authentication indicators.
Test PAC changes thoroughly: Incorrect PAC configuration can break authentication. Test changes in non-production environments first.
Document indicator requirements: Clearly communicate authentication requirements to users. Unexpected indicator requirements cause user confusion.
Service Lifecycle
Disable rather than delete: When decommissioning services, use service-disable initially rather than deletion. This allows recovery if the service is needed again.
Clean up obsolete services: Regularly audit service principals and delete truly obsolete entries. Stale services clutter the directory and may represent security risks.
Plan for service migration: When moving services between hosts, create the new service principal, migrate gradually, then disable the old principal.
Maintain service inventory: Track all service principals, their purposes, and ownership. This documentation aids management and security audits.
Security Considerations
Limit keytab delegation permissions: Creating a keytab regenerates the service keys, which disrupts the running service until every instance has the new keytab. Grant creation permissions sparingly, primarily to automation systems.
Audit service modifications: Monitor service principal changes, especially delegation configuration and keytab operations. Unusual changes may indicate compromise.
Protect managed-by relationships: Host-based management grants significant control. Ensure managing hosts are themselves well-secured.
Review authentication indicators regularly: As authentication methods evolve, review and update authentication indicator policies.
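The checks in this section, together with the delegation, keytab and host-based management sections above, can be applied mechanically to the output of ipa service-show --all for every service. The script below is an added example and not FreeIPA code. Both listings it reads are constructed, and the field labels it keys on (Principal name, Managed by, Users/Groups/Hosts allowed to create keytab, Trusted for delegation, Trusted to authenticate as user, Authentication Indicators, PAC type) are assumed from the CLI's usual formatting; confirm them against a real listing before relying on the script.

```python
import re

# Constructed listings in the shape of `ipa service-show SERVICE --all` output.
# The field labels are assumed from the CLI's usual formatting; verify them
# against a real listing before relying on this script.
WEB_LISTING = """\
  Principal name: HTTP/web.example.com@EXAMPLE.COM
  Principal alias: HTTP/web.example.com@EXAMPLE.COM, HTTP/www.example.com@EXAMPLE.COM
  Keytab: True
  Managed by: web.example.com, loadbalancer.example.com
  Users allowed to create keytab: webadmin
  Hosts allowed to create keytab: provisioner.example.com
  Users allowed to retrieve keytab: operator
  Trusted for delegation: True
  Trusted to authenticate as user: True
"""

HARDENED_LISTING = """\
  Principal name: HTTP/sensitive.example.com@EXAMPLE.COM
  Keytab: True
  Managed by: sensitive.example.com
  Hosts allowed to create keytab: provisioner.example.com
  Authentication Indicators: otp, passkey
  Trusted for delegation: False
  Trusted to authenticate as user: False
"""


def parse_service_show(text: str) -> dict:
    """Turn '  Label: v1, v2' lines into {label: [v1, v2]}."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.strip().partition(": ")
        if sep:
            fields.setdefault(label, []).extend(v.strip() for v in value.split(","))
    return fields


def _flag(fields: dict, label: str) -> bool:
    return fields.get(label, ["False"])[0] == "True"


def audit_service(text: str, sensitive: bool = False) -> list:
    """Return (code, detail) findings for one service listing.

    sensitive=True applies the stricter expectation from the best practices
    above that the service must require an authentication indicator."""
    f = parse_service_show(text)
    principal = f.get("Principal name", [""])[0]
    m = re.match(r"^[^/]+/([^@]+)", principal)
    own_host = m.group(1) if m else ""
    findings = []
    if _flag(f, "Trusted for delegation"):
        findings.append(("ok-as-delegate",
                         "clients may forward TGTs to this service; confirm it is highly trusted"))
    if _flag(f, "Trusted to authenticate as user"):
        findings.append(("ok-to-auth-as-delegate",
                         "protocol transition (S4U2Self) enabled; review its delegation targets"))
    humans = (f.get("Users allowed to create keytab", [])
              + f.get("Groups allowed to create keytab", []))
    if humans:
        findings.append(("create-keytab-humans",
                         f"key regeneration granted to {', '.join(humans)}; prefer automation hosts"))
    extra = [h for h in f.get("Managed by", []) if h != own_host]
    if extra:
        findings.append(("extra-managed-by",
                         f"also managed by {', '.join(extra)}; verify those hosts are hardened"))
    if sensitive and not f.get("Authentication Indicators"):
        findings.append(("no-auth-indicators",
                         "sensitive service accepts any authentication method; set --auth-ind"))
    if f.get("PAC type", [""])[0] == "NONE":
        findings.append(("pac-none", "PAC disabled; expected only where ticket size limits apply"))
    return findings


def finding_codes(text: str, sensitive: bool = False) -> list:
    return [code for code, _ in audit_service(text, sensitive)]


if __name__ == "__main__":
    for name, listing, sens in (("web", WEB_LISTING, False), ("sensitive", HARDENED_LISTING, True)):
        print(f"== {name} ==")
        for code, detail in audit_service(listing, sensitive=sens) or [("ok", "no findings")]:
            print(f"  [{code}] {detail}")
```

Feed the script the saved output of ipa service-show for each principal returned by ipa service-find and diff the finding lists between runs; a new ok-as-delegate or create-keytab-humans finding on a service that had none is the "unusual change" this section says to watch for.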
Integration with Other IPA Components
Host Entries
Service principals require host entries to exist. Host management (host-* commands) provides the foundation for service registration.
Certificate Management
Service certificates are issued through IPA’s CA using cert-* commands. Service entries track issued certificates and enable certificate-based authentication.
Groups
Services can be members of groups, enabling collective policy application. Service groups appear in HBAC rules and other policy contexts.
HBAC Rules
Host-based access control rules can restrict which users can access services. HBAC evaluates service membership in groups as part of access decisions.
Delegation Rules
Service delegation (servicedelegation-* commands) provides higher-level delegation rule management complementing service-specific delegation configuration.
Certmonger
Certmonger on IPA clients tracks service certificates and automatically renews them before expiration. Integration with IPA’s CA enables fully automated certificate lifecycle management.
Commands
Command Description
service-add Add a new IPA service.
service-add-cert Add new certificates to a service
service-add-delegation Add new resource delegation to a service
service-add-host Add hosts that can manage this service.
service-add-principal Add new principal alias to a service
service-add-smb Add a new SMB service.
service-allow-add-delegation Allow users, groups, hosts or host groups to handle a resource delegation of this service.
service-allow-create-keytab Allow users, groups, hosts or host groups to create a keytab of this service.
service-allow-retrieve-keytab Allow users, groups, hosts or host groups to retrieve a keytab of this service.
service-del Delete an IPA service.
service-disable Disable the Kerberos key and SSL certificate of a service.
service-disallow-add-delegation Disallow users, groups, hosts or host groups to handle a resource delegation of this service.
service-disallow-create-keytab Disallow users, groups, hosts or host groups to create a keytab of this service.
service-disallow-retrieve-keytab Disallow users, groups, hosts or host groups to retrieve a keytab of this service.
service-find Search for IPA services.
service-mod Modify an existing IPA service.
service-remove-cert Remove certificates from a service
service-remove-delegation Remove resource delegation from a service
service-remove-host Remove hosts that can manage this service.
service-remove-principal Remove principal alias from a service
service-show Display information about an IPA service.
service-add
Usage:
ipa [global-options] service-add CANONICAL-PRINCIPAL [options]
Add a new IPA service.
Arguments
Argument Required Description
CANONICAL-PRINCIPAL yes Service principal
Options
Option Description
--certificate CERTIFICATE Base-64 encoded service certificate
--pac-type PAC-TYPE Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services.
--auth-ind AUTH-IND Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use 'pkinit' to allow PKINIT-based 2FA authentications. Use 'hardened' to allow brute-force hardened password authentication by SPAKE or FAST. Use 'idp' to allow authentication against an external Identity Provider supporting OAuth 2.0 Device Authorization Flow (RFC 8628). Use 'passkey' to allow passkey-based 2FA authentications. With no indicator specified, all authentication mechanisms are allowed.
--requires-pre-auth REQUIRES-PRE-AUTH Pre-authentication is required for the service
--ok-as-delegate OK-AS-DELEGATE Client credentials may be delegated to the service
--ok-to-auth-as-delegate OK-TO-AUTH-AS-DELEGATE The service is allowed to authenticate on behalf of a client
--setattr SETATTR Set an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTR Add an attribute/value pair. Format is attr=value. The attribute
--force force principal name even if host not in DNS
--skip-host-check force service to be created even when host object does not exist to manage it
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
service-add-cert
Usage:
ipa [global-options] service-add-cert CANONICAL-PRINCIPAL [options]
Add new certificates to a service
Arguments
Argument Required Description
CANONICAL-PRINCIPAL yes Service principal
Options
Option Description
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
--certificate CERTIFICATE Base-64 encoded service certificate
service-add-delegation
Usage:
ipa [global-options] service-add-delegation CANONICAL-PRINCIPAL PRINCIPAL [options]
Add new resource delegation to a service
Arguments
Argument Required Description
CANONICAL-PRINCIPAL yes Service principal
PRINCIPAL yes Delegation principal
Options
Option Description
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
service-add-host
Usage:
ipa [global-options] service-add-host CANONICAL-PRINCIPAL [options]
Add hosts that can manage this service.
Arguments
Argument Required Description
CANONICAL-PRINCIPAL yes Service principal
Options
Option Description
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
--hosts HOSTS hosts to add
service-add-principal
Usage:
ipa [global-options] service-add-principal CANONICAL-PRINCIPAL PRINCIPAL [options]
Add new principal alias to a service
Arguments
Argument Required Description
CANONICAL-PRINCIPAL yes Service principal
PRINCIPAL yes Service principal alias
Options
Option Description
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
service-add-smb
Usage:
ipa [global-options] service-add-smb HOSTNAME [NETBIOSNAME] [options]
Add a new SMB service.
Arguments
Argument Required Description
HOSTNAME yes Host name
NETBIOSNAME no SMB service NetBIOS name
Options
Option Description
--setattr SETATTR Set an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTR Add an attribute/value pair. Format is attr=value. The attribute
--certificate CERTIFICATE Base-64 encoded service certificate
--ok-as-delegate OK-AS-DELEGATE Client credentials may be delegated to the service
--ok-to-auth-as-delegate OK-TO-AUTH-AS-DELEGATE The service is allowed to authenticate on behalf of a client
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
service-allow-add-delegation
Usage:
ipa [global-options] service-allow-add-delegation CANONICAL-PRINCIPAL [options]
Allow users, groups, hosts or host groups to handle a resource delegation of this service.
Arguments
Argument Required Description
CANONICAL-PRINCIPAL yes Service principal
Options
Option Description
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
--users USERS users to add
--groups GROUPS groups to add
--hosts HOSTS hosts to add
--hostgroups HOSTGROUPS host groups to add
service-allow-create-keytab
Usage:
ipa [global-options] service-allow-create-keytab CANONICAL-PRINCIPAL [options]
Allow users, groups, hosts or host groups to create a keytab of this service.
Arguments
Argument Required Description
CANONICAL-PRINCIPAL yes Service principal
Options
Option Description
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
--users USERS users to add
--groups GROUPS groups to add
--hosts HOSTS hosts to add
--hostgroups HOSTGROUPS host groups to add
service-allow-retrieve-keytab
Usage:
ipa [global-options] service-allow-retrieve-keytab CANONICAL-PRINCIPAL [options]
Allow users, groups, hosts or host groups to retrieve a keytab of this service.
Arguments
Argument Required Description
CANONICAL-PRINCIPAL yes Service principal
Options
Option Description
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
--users USERS users to add
--groups GROUPS groups to add
--hosts HOSTS hosts to add
--hostgroups HOSTGROUPS host groups to add
service-del
Usage:
ipa [global-options] service-del CANONICAL-PRINCIPAL [options]
Delete an IPA service.
Arguments
Argument Required Description
CANONICAL-PRINCIPAL yes Service principal
Options
Option Description
--continue Continuous mode: Don’t stop on errors.
service-disable
Usage:
ipa [global-options] service-disable CANONICAL-PRINCIPAL [options]
Disable the Kerberos key and SSL certificate of a service.
Arguments
Argument Required Description
CANONICAL-PRINCIPAL yes Service principal
service-disallow-add-delegation
Usage:
ipa [global-options] service-disallow-add-delegation CANONICAL-PRINCIPAL [options]
Disallow users, groups, hosts or host groups to handle a resource delegation of this service.
Arguments
Argument Required Description
CANONICAL-PRINCIPAL yes Service principal
Options
Option Description
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
--users USERS users to remove
--groups GROUPS groups to remove
--hosts HOSTS hosts to remove
--hostgroups HOSTGROUPS host groups to remove
service-disallow-create-keytab
Usage:
ipa [global-options] service-disallow-create-keytab CANONICAL-PRINCIPAL [options]
Disallow users, groups, hosts or host groups to create a keytab of this service.
Arguments
Argument Required Description
CANONICAL-PRINCIPAL yes Service principal
Options
Option Description
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
--users USERS users to remove
--groups GROUPS groups to remove
--hosts HOSTS hosts to remove
--hostgroups HOSTGROUPS host groups to remove
service-disallow-retrieve-keytab
Usage:
ipa [global-options] service-disallow-retrieve-keytab CANONICAL-PRINCIPAL [options]
Disallow users, groups, hosts or host groups to retrieve a keytab of this service.
Arguments
Argument Required Description
CANONICAL-PRINCIPAL yes Service principal
Options
Option Description
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
--users USERS users to remove
--groups GROUPS groups to remove
--hosts HOSTS hosts to remove
--hostgroups HOSTGROUPS host groups to remove
service-find
Usage: ipa [global-options] service-find [CRITERIA] [options]
Search for IPA services.
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object attributes
Options
Option Description
--canonical-principal CANONICAL-PRINCIPAL Service principal
--principal PRINCIPAL Service principal alias
--pac-type PAC-TYPE Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services.
--auth-ind AUTH-IND Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use 'pkinit' to allow PKINIT-based 2FA authentications. Use 'hardened' to allow brute-force hardened password authentication by SPAKE or FAST. Use 'idp' to allow authentication against an external Identity Provider supporting OAuth 2.0 Device Authorization Flow (RFC 8628). Use 'passkey' to allow passkey-based 2FA authentications. With no indicator specified, all authentication mechanisms are allowed.
--timelimit TIMELIMIT Time limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMIT Maximum number of entries returned (0 is unlimited)
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--pkey-only Results should contain primary key attribute only ("canonical-principal")
--man-by-hosts MAN-BY-HOSTS Search for services with these managed by hosts.
--not-man-by-hosts NOT-MAN-BY-HOSTS Search for services without these managed by hosts.
service-mod
Usage:
ipa [global-options] service-mod CANONICAL-PRINCIPAL [options]
Modify an existing IPA service.
Arguments
Argument Required Description
CANONICAL-PRINCIPAL yes Service principal
Options
Option Description
--principal PRINCIPAL Service principal alias
--certificate CERTIFICATE Base-64 encoded service certificate
--pac-type PAC-TYPE Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services.
--auth-ind AUTH-IND Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use 'pkinit' to allow PKINIT-based 2FA authentications. Use 'hardened' to allow brute-force hardened password authentication by SPAKE or FAST. Use 'idp' to allow authentication against an external Identity Provider supporting OAuth 2.0 Device Authorization Flow (RFC 8628). Use 'passkey' to allow passkey-based 2FA authentications. With no indicator specified, all authentication mechanisms are allowed.
--requires-pre-auth REQUIRES-PRE-AUTH Pre-authentication is required for the service
--ok-as-delegate OK-AS-DELEGATE Client credentials may be delegated to the service
--ok-to-auth-as-delegate OK-TO-AUTH-AS-DELEGATE The service is allowed to authenticate on behalf of a client
--setattr SETATTR Set an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTR Add an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTR Delete an attribute/value pair. The option will be evaluated
--rights Display the access rights of this entry (requires --all). See ipa man page for details.
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
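The delegation flags and the authentication-indicator allow list documented for service-find and service-mod above are the settings most worth reviewing across an IPA domain. As an added audit example (not part of FreeIPA or this reference), the script below parses the output of ipa service-find --all --raw and flags each service whose settings an administrator should confirm are intended. The sample text is constructed; the attribute names are the LDAP attributes FreeIPA stores for these options (ipakrbokasdelegate, ipakrboktoauthasdelegate, krbprincipalauthind), while the exact line layout of the raw output is an assumption.

```python
import re
# Constructed sample in the assumed shape of `ipa service-find --all --raw` output
SAMPLE = """\
  krbcanonicalname: HTTP/web.example.test@EXAMPLE.TEST
  krbprincipalname: HTTP/web.example.test@EXAMPLE.TEST
  ipakrbokasdelegate: TRUE
  ipakrboktoauthasdelegate: TRUE

  krbcanonicalname: nfs/files.example.test@EXAMPLE.TEST
  ipakrboktoauthasdelegate: FALSE

  krbcanonicalname: ldap/dir.example.test@EXAMPLE.TEST
  krbprincipalauthind: otp
  krbprincipalauthind: pkinit
----------------------------
Number of entries returned 3
----------------------------
"""

ATTR_RE = re.compile(r"^\s+([A-Za-z0-9_-]+):\s*(.*)$")  # matches "  attr: value" lines

def parse_services(text):
    """One dict per entry; repeated attributes such as krbprincipalauthind become lists."""
    services, current = [], {}
    for line in text.splitlines():
        match = ATTR_RE.match(line)
        if match:
            current.setdefault(match.group(1).lower(), []).append(match.group(2).strip())
        elif current:  # a blank line or the summary footer closes the current entry
            services.append(current)
            current = {}
    if current:
        services.append(current)
    return services

def is_true(entry, attr):
    return any(value.lower() == "true" for value in entry.get(attr, []))  # LDAP booleans are TRUE/FALSE

def audit(services):
    """Return (principal, finding) pairs for settings an administrator should confirm."""
    findings = []
    for svc in services:
        name = svc.get("krbcanonicalname", ["<unknown>"])[0]
        if is_true(svc, "ipakrboktoauthasdelegate"):
            findings.append((name, "ok-to-auth-as-delegate: may authenticate on behalf of clients"))
        if is_true(svc, "ipakrbokasdelegate"):
            findings.append((name, "ok-as-delegate: client credentials may be delegated to it"))
        if "krbprincipalauthind" not in svc:
            findings.append((name, "no --auth-ind allow list: all authentication mechanisms allowed"))
    return findings
```

To run it against a real domain, save the command output to a file and pass its contents to audit(parse_services(...)).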
service-remove-cert
Usage:
ipa [global-options] service-remove-cert CANONICAL-PRINCIPAL [options]
Remove certificates from a service
Arguments
Argument Required Description
CANONICAL-PRINCIPAL yes Service principal
Options
Option Description
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
--certificate CERTIFICATE Base-64 encoded service certificate
service-remove-delegation
Usage:
ipa [global-options] service-remove-delegation CANONICAL-PRINCIPAL PRINCIPAL [options]
Remove resource delegation from a service
Arguments
Argument Required Description
CANONICAL-PRINCIPAL yes Service principal
PRINCIPAL yes Delegation principal
Options
Option Description
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
service-remove-host
Usage:
ipa [global-options] service-remove-host CANONICAL-PRINCIPAL [options]
Remove hosts that can manage this service.
Arguments
Argument Required Description
CANONICAL-PRINCIPAL yes Service principal
Options
Option Description
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
--hosts HOSTS hosts to remove
service-remove-principal
Usage:
ipa [global-options] service-remove-principal CANONICAL-PRINCIPAL PRINCIPAL [options]
Remove principal alias from a service
Arguments
Argument Required Description
CANONICAL-PRINCIPAL yes Service principal
PRINCIPAL yes Service principal alias
Options
Option Description
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
service-show
Usage:
ipa [global-options] service-show CANONICAL-PRINCIPAL [options]
Display information about an IPA service.
Arguments
Argument Required Description
CANONICAL-PRINCIPAL yes Service principal
Options
Option Description
--rights Display the access rights of this entry (requires --all). See ipa man page for details.
--out OUT file to store certificate in
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.