29.4. Removing Keytabs

Removing a keytab and creating a new one is necessary, for example, when you unenroll and re-enroll a host or when you experience Kerberos connection errors.
To remove all keytabs on a host, use the ipa-rmkeytab utility, and pass these options:
  • --realm (-r) to specify the Kerberos realm
  • --keytab (-k) to specify the path to the keytab file
# ipa-rmkeytab --realm EXAMPLE.COM --keytab /etc/krb5.keytab
To remove a keytab for a specific service, use the --principal (-p) option to specify the service principal:
# ipa-rmkeytab --principal ldap/client.example.com --keytab /etc/krb5.keytab
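To confirm what either command will remove, and that nothing is left afterwards, you can compare the keytab listing before and after. The following is an added example, not part of the original documentation: the function names keytab_entries and keytab_is_clean are hypothetical, the sample listing is constructed, and the parser assumes the output layout of MIT Kerberos `klist -k` (or `klist -kt`).

```shell
#!/bin/sh
# Added example: inspect the entries that ipa-rmkeytab targets by parsing
# `klist -k` output from stdin. Function names are hypothetical helpers.

# Constructed sample of `klist -k /etc/krb5.keytab` output (not from a real host).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client.example.com@EXAMPLE.COM
   2 host/client.example.com@EXAMPLE.COM
   1 ldap/client.example.com@EXAMPLE.COM
   3 nfs/client.other.test@OTHER.TEST'

# keytab_entries REALM [PRINCIPAL]
# Prints "kvno principal" once per distinct pair (klist prints one line per
# encryption type) for entries in REALM. With PRINCIPAL, only that service
# principal is listed; it may be given with or without the @REALM suffix.
keytab_entries() {
    awk -v realm="$1" -v princ="${2:-}" '
        $1 ~ /^[0-9]+$/ && NF >= 2 {       # data rows start with a numeric KVNO
            full = $NF                      # principal is the last column (-k and -kt)
            n = split(full, part, "@")
            if (n < 2 || part[n] != realm) next
            name = substr(full, 1, length(full) - length(realm) - 1)
            if (princ != "" && princ != name && princ != full) next
            key = $1 " " full
            if (!seen[key]++) print key
        }'
}

# keytab_is_clean REALM [PRINCIPAL]
# Exit status 0 when no matching entry remains in the listing on stdin.
keytab_is_clean() {
    [ -z "$(keytab_entries "$@")" ]
}

# On a real host (as root), before and after running ipa-rmkeytab:
#   klist -k /etc/krb5.keytab | keytab_entries EXAMPLE.COM
#   klist -k /etc/krb5.keytab | keytab_is_clean EXAMPLE.COM ldap/client.example.com
```

A non-zero exit status from keytab_is_clean after the removal means an entry for that realm or principal is still present in the keytab file.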