Remove Kerberos Keytab Entry (RMVKRBKTE)

The Remove Kerberos Keytab Entry (RMVKRBKTE) command is used to remove an entry from the keytab file for a specified principal name. A principal name consists of the user name or service name and the name of the realm to which that user or service belongs. If a principal name and version number match an existing keytab entry, the entry is removed.

Restrictions:

The Network Authentication Service Commands and APIs support job environments for most EBCDIC CCSIDs. CCSID 290 and 5026 are not supported because of the variance of lower-case letters a to z.

Parameters

Keyword      Description        Choices                 Notes
PRINCIPAL    Principal          Element list            Required, Positional 1
             Element 1: Name    Character value
             Element 2: Realm   Character value, *DFT
KEYTABFILE   Keytab file        Path name, *DFT         Optional

Principal (PRINCIPAL)

Specifies the principal name of a user or service principal on a host name in a Kerberos network. The principal and key pairs in the keytab file allow services running on the host to be authenticated by a Key Distribution Center (KDC). All the principals are added to the Kerberos server, which maintains a database of all users and services within a Kerberos realm.

This is a required parameter.

Element 1: Name

Specifies the principal name or service principal on a specified host name.

character-value
Specify the user name of the Kerberos principal.

The Kerberos principal has a minimum length of 1 character and a maximum length of 256 characters. Valid characters are case sensitive and include all alpha-numeric characters (a-z, A-Z, 0-9) and any printable ASCII character. The principal name format is taken from the Kerberos 5 GSS-API mechanism (RFC 1964).

Special characters allowed:

/ - delimit name components.

Element 2: Realm

Specifies the realm in which the Kerberos user is registered and in which initial authentication took place.

*DFT
The default realm for the local system will be used. Typically, the default realm and the KDC for that realm are indicated in the Kerberos krb5.conf configuration file. If the default realm has not been set, it is obtained from the default_realm entry in the [libdefaults] section of the Kerberos configuration file.
character-value
Specify the name of the Kerberos realm where the user specified for the first element of this parameter is registered.

The name has a minimum length of 1 character and a maximum length of 256 characters. Valid characters are case sensitive and include all alpha-numeric characters (a-z, A-Z, 0-9) and any printable ASCII character. The principal name format is taken from the Kerberos 5 GSS-API mechanism (RFC 1964).

Special characters allowed:

@ - start realm.

Keytab file (KEYTABFILE)

Specifies the Kerberos keytab file in which the principals and their keys are stored.

*DFT
The default keytab file for the current user will be used. If the KRB5_KTNAME environment variable is set, this is the name of the default keytab file. Otherwise, the keytab file name is obtained from the default_keytab_name entry in the [libdefaults] section of the Kerberos configuration file. If this entry is not defined, the default keytab file name is /QIBM/UserData/OS400/NetworkAuthentication/keytab/krb5.keytab.
path-name
Specify the path name of the stream file which contains the Kerberos keytab file to use.

Examples

Example 1: Removing a Single Keytab Entry

RMVKRBKTE   PRINCIPAL(krbsvr400/my.gmyco.com  *DFT)
            VERSION(1)  KEYTABFILE(*DFT)

This command removes the keytab entry for the principal krbsvr400/my.gmyco.com in the default realm that has key version number 1 from the default keytab file.

Example 2: Removing All the Keytab Entries

RMVKRBKTE   PRINCIPAL(krbsvr400/my.gmyco.com  *DFT)
            VERSION(*ALL)  KEYTABFILE(*DFT)

This command removes all keytab entries, whatever their key version number, for the principal krbsvr400/my.gmyco.com in the default realm from the default keytab file.
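To show what the two examples do at the file level, here is an added example that is not IBM's code and not the command's implementation: it builds a constructed keytab, lists its live entries, and removes entries by principal and key version (Example 1) or every version of a principal (Example 2). It assumes the keytab uses the MIT keytab file format version 2 (the page does not state the on-disk format); the realm MYCO.COM, the enctype numbers and the key bytes are made-up sample values.

```python
import struct  # added example, not IBM's code; assumes the MIT keytab format v2 (0x0502, big-endian)

def _cstr(b): return struct.pack(">H", len(b)) + b   # counted octet string: uint16 len + bytes
def _take(data, p):                                  # read a counted octet string at offset p
    n, = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def build_keytab(entries):  # entries: [(principal, kvno, enctype, key)] -> keytab bytes
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)                  # '@' starts the realm
        comps = [c.encode() for c in name.split("/")]           # '/' delimits components
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode()) + b"".join(map(_cstr, comps))
        body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype)  # name_type, timestamp, vno8, enctype
        body += _cstr(key) + struct.pack(">I", kvno)              # key, then the 32-bit vno
        out += struct.pack(">i", len(body)) + body               # positive size = live slot
    return out

def parse_keytab(data):  # -> [(principal, kvno, enctype, key, slot_start, slot_len)] for live slots
    assert data[:2] == b"\x05\x02", "only keytab format version 2 is handled"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, = struct.unpack_from(">i", data, pos)
        start, p, pos = pos, pos + 4, pos + 4 + abs(size)
        if size <= 0:                                            # negative size = deleted slot
            continue
        ncomp, = struct.unpack_from(">H", data, p)
        realm, p = _take(data, p + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _take(data, p)
            comps.append(comp.decode())
        vno8, enctype, klen = struct.unpack_from(">BHH", data, p + 8)  # after name_type, timestamp
        key, p = data[p + 13:p + 13 + klen], p + 13 + klen
        vno32 = struct.unpack_from(">I", data, p)[0] if p + 4 <= pos else 0  # optional; 0 = unset
        entries.append(("/".join(comps) + "@" + realm.decode(), vno32 or vno8, enctype, key, start, pos - start))
    return entries

def remove_keytab_entry(data, principal, kvno=None):  # kvno=None removes every key version
    out, removed = bytearray(data), 0
    for name, v, _, _, start, length in parse_keytab(data):
        if name == principal and (kvno is None or v == kvno):
            struct.pack_into(">i", out, start, -(length - 4))      # negated size marks a hole
            out[start + 4:start + length] = bytes(length - 4)      # wipe the stale key bytes
            removed += 1
    return bytes(out), removed                                   # removed == 0: nothing matched

SAMPLE = build_keytab([("krbsvr400/my.gmyco.com@MYCO.COM", 1, 17, b"\x11" * 16),  # constructed
                       ("krbsvr400/my.gmyco.com@MYCO.COM", 2, 18, b"\x22" * 32),  # realm, enctypes
                       ("host/other.gmyco.com@MYCO.COM", 1, 17, b"\x33" * 16)])    # and keys
```

A removed count of 0 corresponds to the CPFC603 / CPFC607 conditions above: nothing matched the principal, or no entry had the requested key version.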

Error messages

*ESCAPE Messages

CPFC601
No default keytab file found.
CPFC602
Keytab file &3 not found.
CPFC603
Keytab entry &2 not found.
CPFC604
Entry &1 of keytab file &2 can not be removed.
CPFC607
Key version &1 not found for &2.
CPFC61B
The principal name &3 can not be parsed.