ipa-adtrust-install(1)       FreeIPA Manual Pages       ipa-adtrust-install(1)

NAME

       ipa-adtrust-install - Prepare an IPA server to be able to establish
       trust relationships with AD domains


SYNOPSIS

       ipa-adtrust-install [OPTION]...


DESCRIPTION

       Adds all necessary objects and configuration to allow an IPA server to
       create a trust to an Active Directory domain. This requires that the
       IPA server is already installed and configured.

       ipa-adtrust-install can be run multiple times to reinstall deleted
       objects or broken configuration files, e.g. a fresh Samba configuration
       (smb.conf file and registry-based configuration) can be created. Other
       items, e.g. the configuration of the local ID range, cannot be changed
       by running ipa-adtrust-install a second time, because changes there
       might affect other objects as well.



OPTIONS

       -d, --debug
              Enable debug logging when more verbose output is needed

       --ip-address=IP_ADDRESS
              The IP address of the IPA server. If not provided then this is
              determined based on the hostname of the server.

       --netbios-name=NETBIOS_NAME
              The NetBIOS name for the IPA domain. If not provided then this
              is determined based on the leading component of the DNS domain
              name. Running ipa-adtrust-install a second time with a different
              NetBIOS name will change the name. Please note that changing the
              NetBIOS name might break existing trust relationships to other
              domains.

       --no-msdcs
              Do not create DNS service records for Windows in the managed DNS
              server. Since those DNS service records are the only way to
              discover domain controllers of other domains, they must be added
              manually to a different DNS server for trust relationships to
              work properly. All needed service records are listed when
              ipa-adtrust-install finishes and either --no-msdcs was given or
              no IPA DNS service is configured. Typically, service records for
              the following service names are needed for the IPA domain and
              should point to all IPA servers:

              · _ldap._tcp

              · _kerberos._tcp

              · _kerberos._udp

              · _ldap._tcp.dc._msdcs

              · _kerberos._tcp.dc._msdcs

              · _kerberos._udp.dc._msdcs

              · _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs

              · _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs

              · _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
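
              The following Python script is an added illustration for this
              option and is not part of FreeIPA: it builds the owner names of
              the nine SRV records listed above for an IPA domain, renders
              them as BIND zone-file lines pointing each name at every IPA
              server, and reports which names a (constructed) set of resolver
              answers does not cover, which is the check to run against the
              external DNS server after adding the records by hand. The domain
              and server names, TTL, priority and weight are assumed values;
              the ports are the standard LDAP (389) and Kerberos (88) ports.

```python
"""Added illustration for the --no-msdcs option (not FreeIPA code): build the
SRV record names the IPA domain needs, render them as BIND zone-file lines,
and report names missing from a set of resolver answers."""

# Standard ports for the two services; priority, weight and TTL below are
# assumed values, not FreeIPA defaults.
SERVICE_PORTS = {"_ldap": 389, "_kerberos": 88}

# Service names as listed in the man page, relative to the IPA domain.
SRV_NAMES = [
    "_ldap._tcp",
    "_kerberos._tcp",
    "_kerberos._udp",
    "_ldap._tcp.dc._msdcs",
    "_kerberos._tcp.dc._msdcs",
    "_kerberos._udp.dc._msdcs",
    "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs",
    "_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs",
    "_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs",
]


def required_srv_names(domain):
    """Fully qualified (trailing dot) owner names of the SRV records for domain."""
    domain = domain.rstrip(".")
    return [f"{name}.{domain}." for name in SRV_NAMES]


def zone_records(domain, servers, ttl=86400, priority=0, weight=100):
    """BIND zone-file lines; every SRV name points to every IPA server, as
    the man page requires."""
    lines = []
    for owner in required_srv_names(domain):
        service = owner.split(".", 1)[0]   # "_ldap" or "_kerberos"
        port = SERVICE_PORTS[service]
        for server in servers:
            target = server.rstrip(".") + "."
            lines.append(f"{owner} {ttl} IN SRV {priority} {weight} {port} {target}")
    return lines


def missing_records(domain, answers):
    """Names with no SRV answer. `answers` maps an owner name to the list of
    targets a resolver returned for it (an empty list means NXDOMAIN/NODATA)."""
    return [owner for owner in required_srv_names(domain) if not answers.get(owner)]


if __name__ == "__main__":
    # Constructed sample: two IPA servers and a zone that only has the two
    # plain records, so all _udp and _msdcs names are reported as missing.
    domain = "ipa.example.test"
    servers = ["ipa1.ipa.example.test", "ipa2.ipa.example.test"]
    for line in zone_records(domain, servers):
        print(line)
    partial = {
        "_ldap._tcp.ipa.example.test.": ["ipa1.ipa.example.test."],
        "_kerberos._tcp.ipa.example.test.": ["ipa1.ipa.example.test."],
    }
    print("missing:", missing_records(domain, partial))
```

              In a real deployment the `answers` dictionary would be filled
              from SRV queries against the DNS server that serves the IPA
              domain to the AD side; an empty result for any of the nine names
              means domain controller discovery for the trust will fail.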

       --add-sids
              Add SIDs to existing users and groups as a final step of the
              ipa-adtrust-install run. If there are many existing users and
              groups and a couple of replicas in the environment, this
              operation might lead to high replication traffic and a
              performance degradation of all IPA servers in the environment.
              To avoid this, the SID generation can be run after
              ipa-adtrust-install has finished and scheduled independently. To
              start this task you have to load an edited version of
              ipa-sidgen-task-run.ldif with the ldapmodify command into the
              directory server.

       -U, --unattended
              An unattended installation that will never prompt for user input

       --rid-base=RID_BASE
              First RID value of the local domain. The first POSIX ID of the
              local domain will be assigned to this RID, the second to RID+1,
              etc. See the online help of the idrange CLI for details.

       --secondary-rid-base=SECONDARY_RID_BASE
              Start value of the secondary RID range, which is only used in
              the case a user and a group share numerically the same POSIX ID.
              See the online help of the idrange CLI for details.
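
              As an added illustration of the RID assignment described for
              --rid-base and --secondary-rid-base (a model of the rule as
              stated here, not FreeIPA's ipa-sidgen plugin code), the
              following Python script maps POSIX IDs of a local ID range to
              RIDs and SIDs, refuses primary and secondary RID ranges that
              overlap, and uses the secondary range when a group's GID equals
              a user's UID. The domain SID, the range base and size, the
              sample accounts, and the choice that the group (not the user) is
              the object moved to the secondary range are assumptions.

```python
"""Added model of the RID assignment described for --rid-base and
--secondary-rid-base.  Not FreeIPA's ipa-sidgen code: the domain SID, the
local ID range, the sample accounts and the rule that the *group* of a
colliding UID/GID pair takes the secondary RID range are assumptions."""


class LocalIdRange:
    """Local POSIX ID range with its primary and secondary RID ranges."""

    def __init__(self, domain_sid, base_id, range_size, rid_base, secondary_rid_base):
        # Each RID range has to hold range_size RIDs.  If the two ranges
        # overlap, two different POSIX IDs could end up with the same SID.
        lo1, hi1 = rid_base, rid_base + range_size
        lo2, hi2 = secondary_rid_base, secondary_rid_base + range_size
        if lo1 < hi2 and lo2 < hi1:
            raise ValueError("primary and secondary RID ranges overlap")
        self.domain_sid = domain_sid
        self.base_id = base_id
        self.range_size = range_size
        self.rid_base = rid_base
        self.secondary_rid_base = secondary_rid_base

    def rid_for(self, posix_id, secondary=False):
        """First POSIX ID of the range -> RID_BASE, second -> RID_BASE + 1, ..."""
        if not self.base_id <= posix_id < self.base_id + self.range_size:
            raise ValueError(f"POSIX ID {posix_id} is outside the local range")
        base = self.secondary_rid_base if secondary else self.rid_base
        return base + (posix_id - self.base_id)

    def sid_for(self, posix_id, secondary=False):
        """Full SID: the domain SID followed by the computed RID."""
        return f"{self.domain_sid}-{self.rid_for(posix_id, secondary)}"


def assign_sids(id_range, users, groups):
    """Map ("user"|"group", name) -> SID.  A group whose GID equals some
    user's UID (e.g. a user private group) gets a RID from the secondary
    range so that both objects keep distinct SIDs (assumed rule)."""
    uids = set(users.values())
    sids = {}
    for name, uid in users.items():
        sids[("user", name)] = id_range.sid_for(uid)
    for name, gid in groups.items():
        sids[("group", name)] = id_range.sid_for(gid, secondary=gid in uids)
    # Defensive check: every object must have received a unique SID.
    if len(set(sids.values())) != len(sids):
        raise RuntimeError("duplicate SID produced")
    return sids


if __name__ == "__main__":
    # Constructed sample values; none of them come from a real deployment.
    rng = LocalIdRange("S-1-5-21-1-2-3", base_id=100000, range_size=200000,
                       rid_base=1000, secondary_rid_base=100000000)
    users = {"alice": 100000, "bob": 100001}
    groups = {"alice": 100000, "admins": 100005}   # private group shares alice's UID
    for key, sid in sorted(assign_sids(rng, users, groups).items()):
        print(key, sid)
```

              The overlap check is the reason the man page warns that the
              local range cannot simply be changed by a second run: moving
              either RID base after SIDs have been assigned would change the
              SID of every object in the range.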

       -A, --admin-name=ADMIN_NAME
              The name of the user with administrative privileges for this IPA
              server. Defaults to 'admin'.

       -a, --admin-password=password
              The password of the user with administrative privileges for this
              IPA server. Will be asked interactively if -U is not specified.

       The credentials of the admin user will be used to obtain a Kerberos
       ticket before configuring cross-realm trust support and afterwards, to
       ensure that the ticket contains the MS-PAC information required to
       actually add a trust with an Active Directory domain via the 'ipa
       trust-add --type=ad' command.


EXIT STATUS

       0 if the installation was successful

       1 if an error occurred



FreeIPA                           Aug 23 2011           ipa-adtrust-install(1)