ipa-server-install(1)          IPA Manual Pages          ipa-server-install(1)



NAME
       ipa-server-install - Configure an IPA server

SYNOPSIS
       ipa-server-install [OPTION]...

DESCRIPTION
       Configures the services needed by an IPA server. This includes setting
       up a Kerberos Key Distribution Center (KDC) and a Kadmin daemon with an
       LDAP back-end, configuring Apache, configuring NTP and optionally
       configuring and starting an LDAP-backed DNS server. By default a
       dogtag-based CA will be configured to issue server certificates.


OPTIONS
   BASIC OPTIONS
       -r REALM_NAME, --realm=REALM_NAME
              The Kerberos realm name for the new IPA deployment.

              It is strongly recommended to use an upper-cased name of the
              primary DNS domain name of your IPA deployment. You will not be
              able to establish trust with Active Directory unless the realm
              name is the upper-cased domain name.

              The realm name cannot be changed after the installation.

       -n DOMAIN_NAME, --domain=DOMAIN_NAME
              The primary DNS domain of the IPA deployment, e.g. example.com.
              This DNS domain should contain the SRV records generated by the
              IPA server installer. The specified DNS domain must not contain
              DNS records of any other LDAP or Kerberos based management
              system (like Active Directory or MIT Kerberos).

              It is strongly recommended to use a lower-cased name of the IPA
              Kerberos realm name.

              The primary DNS domain name cannot be changed after the
              installation.

       -p DM_PASSWORD, --ds-password=DM_PASSWORD
              The password to be used by the Directory Server for the
              Directory Manager user.

       -a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
              The password for the IPA admin user.

       --mkhomedir
              Create home directories for users on their first login.

       --hostname=HOST_NAME
              The fully-qualified DNS name of this server.

       --ip-address=IP_ADDRESS
              The IP address of this server. If this address does not match
              the address the host resolves to and --setup-dns is not
              selected, the installation will fail. If the server hostname is
              not resolvable, a record for the hostname and IP_ADDRESS is
              added to /etc/hosts. This option can be used multiple times to
              specify more IP addresses of the server (e.g. a multihomed
              and/or dual-stacked server).

       -N, --no-ntp
              Do not configure NTP.

       --idstart=IDSTART
              The starting user and group id number (default random).

       --idmax=IDMAX
              The maximum user and group id number (default: idstart+199999).
              If set to zero, the default value will be used.

       --no-hbac-allow
              Don't install the allow_all HBAC rule. This rule lets any user
              from any host access any service on any other host. It is
              expected that users will remove this rule before moving to
              production.

       --ignore-topology-disconnect
              Ignore errors reported when IPA server uninstall would lead to
              a disconnected topology. This option can be used only when the
              domain level is 1 or more.

       --ignore-last-of-role
              Ignore errors reported when IPA server uninstall would lead to
              removal of the last CA/DNS server or DNSSec master. This option
              can be used only when the domain level is 1 or more.

       --no-ui-redirect
              Do not automatically redirect to the Web UI.

       --ssh-trust-dns
              Configure OpenSSH client to trust DNS SSHFP records.

       --no-ssh
              Do not configure OpenSSH client.

       --no-sshd
              Do not configure OpenSSH server.

       -d, --debug
              Enable debug logging when more verbose output is needed.

       -U, --unattended
              An unattended installation that will never prompt for user
              input.

       --dirsrv-config-file
              The path to an LDIF file that will be used to modify the
              configuration of dse.ldif during installation of the directory
              server instance.


   CERTIFICATE SYSTEM OPTIONS
       --external-ca
              Generate a CSR for the IPA CA certificate to be signed by an
              external CA.

       --external-ca-type=TYPE
              Type of the external CA. Possible values are "generic", "ms-cs".
              Default value is "generic". Use "ms-cs" to include the template
              name required by Microsoft Certificate Services (MS CS) in the
              generated CSR (see --external-ca-profile for full details).

       --external-ca-profile=PROFILE_SPEC
              Specify the certificate profile or template to use at the
              external CA.

              When --external-ca-type is "ms-cs" the following specifiers may
              be used:

              <oid>:<majorVersion>[:<minorVersion>]
                     Specify a certificate template by OID and major version,
                     optionally also specifying minor version.

              <name> Specify a certificate template by name. The name cannot
                     contain any : characters and cannot be an OID (otherwise
                     the OID-based template specifier syntax takes
                     precedence).

              default
                     If no template is specified, the template name "SubCA" is
                     used.

       --external-cert-file=FILE
              File containing the IPA CA certificate and the external CA
              certificate chain. The file is accepted in PEM and DER
              certificate and PKCS#7 certificate chain formats. This option
              may be used multiple times.

       --no-pkinit
              Disables pkinit setup steps. This is the default and only
              allowed behavior on domain level 0.

       --dirsrv-cert-file=FILE
              File containing the Directory Server SSL certificate and private
              key. The files are accepted in PEM and DER certificate, PKCS#7
              certificate chain, PKCS#8 and raw private key and PKCS#12
              formats. This option may be used multiple times.

       --http-cert-file=FILE
              File containing the Apache Server SSL certificate and private
              key. The files are accepted in PEM and DER certificate, PKCS#7
              certificate chain, PKCS#8 and raw private key and PKCS#12
              formats. This option may be used multiple times.

       --pkinit-cert-file=FILE
              File containing the Kerberos KDC SSL certificate and private
              key. The files are accepted in PEM and DER certificate, PKCS#7
              certificate chain, PKCS#8 and raw private key and PKCS#12
              formats. This option may be used multiple times.

       --dirsrv-pin=PIN
              The password to unlock the Directory Server private key.

       --http-pin=PIN
              The password to unlock the Apache Server private key.

       --pkinit-pin=PIN
              The password to unlock the Kerberos KDC private key.

       --dirsrv-cert-name=NAME
              Name of the Directory Server SSL certificate to install.

       --http-cert-name=NAME
              Name of the Apache Server SSL certificate to install.

       --pkinit-cert-name=NAME
              Name of the Kerberos KDC SSL certificate to install.

       --ca-cert-file=FILE
              File containing the CA certificate of the CA which issued the
              Directory Server, Apache Server and Kerberos KDC certificates.
              The file is accepted in PEM and DER certificate and PKCS#7
              certificate chain formats. This option may be used multiple
              times. Use this option if the CA certificate is not present in
              the certificate files.

       --ca-subject=SUBJECT
              The CA certificate subject DN (default CN=Certificate
              Authority,O=REALM.NAME). RDNs are in LDAP order (most specific
              RDN first).

       --subject-base=SUBJECT
              The subject base for certificates issued by IPA (default
              O=REALM.NAME). RDNs are in LDAP order (most specific RDN
              first).

       --ca-signing-algorithm=ALGORITHM
              Signing algorithm of the IPA CA certificate. Possible values are
              SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is
              SHA256withRSA. Use this option with --external-ca if the
              external CA does not support the default signing algorithm.


   SECRET MANAGEMENT OPTIONS
       --setup-kra
              Install and configure a KRA on this server.


   DNS OPTIONS
       IPA provides an integrated DNS server which can be used to simplify IPA
       deployment. If you decide to use it, IPA will automatically maintain
       SRV and other service records when you change your topology.

       The DNS component in IPA is optional and you may choose to manage all
       your DNS records manually on another third party DNS server. IPA DNS is
       not a general-purpose DNS server. If you need advanced features like
       DNS views, do not deploy IPA DNS.

       --setup-dns
              Configure an integrated DNS server, create the DNS zone
              specified by --domain, and fill it with the service records
              necessary for IPA deployment. In cases where the IPA server name
              does not belong to the primary DNS domain and is not resolvable
              using DNS, create a DNS zone containing the IPA server name as
              well.

              This option requires that you either specify at least one DNS
              forwarder through the --forwarder option or use the
              --no-forwarders option.

              Note that you can set up DNS at any time after the initial IPA
              server install by running ipa-dns-install (see
              ipa-dns-install(1)). IPA DNS cannot be uninstalled.

       --forwarder=IP_ADDRESS
              Add a DNS forwarder to the DNS configuration. You can use this
              option multiple times to specify more forwarders, but at least
              one must be provided, unless the --no-forwarders option is
              specified.

       --no-forwarders
              Do not add any DNS forwarders. Root DNS servers will be used
              instead.

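       The following is an added example, not part of this man page or of
       FreeIPA: a pre-flight script that checks a planned invocation against
       the constraints stated above for --realm/--domain, --idstart/--idmax,
       --setup-dns with --forwarder/--no-forwarders, and the "ms-cs"
       --external-ca-profile specifier. All function names and the sample
       argument values are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the man page or FreeIPA): pre-flight checks for a planned
# ipa-server-install run, done before the irreversible realm/domain choice is made.

# 0 if DOMAIN is lower-case and REALM is its upper-cased form (needed for AD trust).
realm_matches_domain() {
  local realm=$1 domain=$2
  [ "$domain" = "$(printf '%s' "$domain" | tr '[:upper:]' '[:lower:]')" ] &&
  [ "$realm" = "$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')" ]
}

# --setup-dns needs at least one --forwarder unless --no-forwarders is given.
# $1: yes|no for --setup-dns, $2: forwarder count, $3: yes|no for --no-forwarders
dns_args_ok() {
  [ "$1" != yes ] && return 0
  [ "$2" -gt 0 ] || [ "$3" = yes ]
}

# Prints the effective --idmax: 0 selects the documented default idstart+199999;
# any other value must exceed idstart, otherwise the function fails.
effective_idmax() {
  local idstart=$1 idmax=$2
  [ "$idmax" -eq 0 ] && idmax=$((idstart + 199999))
  [ "$idmax" -gt "$idstart" ] || return 1
  echo "$idmax"
}

# Classifies an ms-cs --external-ca-profile value as default | oid | name | invalid:
# a name may not contain ':' or be a bare OID (the <oid>:<major>[:<minor>] form wins).
classify_ca_profile() {
  local oid='[0-9]+(\.[0-9]+)+'
  case $1 in
    '')  echo default ;;
    *:*) if printf '%s\n' "$1" | grep -Eq "^$oid:[0-9]+(:[0-9]+)?$"; then echo oid
         else echo invalid; fi ;;
    *)   if printf '%s\n' "$1" | grep -Eq "^$oid$"; then echo invalid
         else echo name; fi ;;
  esac
}

# Runs every check on one set of arguments; the return value is the failure count.
preflight() {
  local fails=0
  realm_matches_domain "$1" "$2" || { echo "realm $1 is not upper-cased $2" >&2; fails=$((fails + 1)); }
  dns_args_ok "$3" "$4" "$5" || { echo "--setup-dns needs --forwarder or --no-forwarders" >&2; fails=$((fails + 1)); }
  effective_idmax "$6" "$7" >/dev/null || { echo "--idmax must exceed --idstart" >&2; fails=$((fails + 1)); }
  [ "$(classify_ca_profile "$8")" != invalid ] || { echo "bad --external-ca-profile: $8" >&2; fails=$((fails + 1)); }
  return "$fails"
}
```

       Call preflight with realm, domain, setup-dns flag, forwarder count,
       no-forwarders flag, idstart, idmax and profile, and only proceed to
       the real installer when it returns 0.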
       --auto-forwarders
              Add DNS forwarders configured in /etc/resolv.conf to the list of
              forwarders used by IPA DNS.

       --forward-policy=first|only
              DNS forwarding policy for global forwarders specified using
              other options. Defaults to first if no IP address belonging to
              a private or reserved range is detected on local interfaces
              (RFC 6303). Defaults to only if a private IP address is
              detected.

       --reverse-zone=REVERSE_ZONE
              The reverse DNS zone to use. This option can be used multiple
              times to specify multiple reverse zones.

       --no-reverse
              Do not create reverse DNS zone.

       --auto-reverse
              Try to resolve reverse records and reverse zones for server IP
              addresses. If neither is resolvable, creates the reverse zones.

       --zonemgr
              The e-mail address of the DNS zone manager. Defaults to
              hostmaster@DOMAIN.

       --no-host-dns
              Do not use DNS for hostname lookup during installation.

       --no-dns-sshfp
              Do not automatically create DNS SSHFP records.

       --no-dnssec-validation
              Disable DNSSEC validation on this server.

       --allow-zone-overlap
              Allow creation of a (reverse) zone even if the zone is already
              resolvable. Using this option is discouraged as it results in
              later problems with domain name resolution.


   AD TRUST OPTIONS
       --setup-adtrust
              Configure AD Trust capability.

       --netbios-name=NETBIOS_NAME
              The NetBIOS name for the IPA domain. If not provided, this is
              determined based on the leading component of the DNS domain
              name. Running ipa-adtrust-install for a second time with a
              different NetBIOS name will change the name. Please note that
              changing the NetBIOS name might break existing trust
              relationships to other domains.

       --rid-base=RID_BASE
              First RID value of the local domain. The first POSIX ID of the
              local domain will be assigned to this RID, the second to RID+1
              etc. See the online help of the idrange CLI for details.

       --secondary-rid-base=SECONDARY_RID_BASE
              Start value of the secondary RID range, which is only used in
              the case a user and a group share numerically the same POSIX ID.
              See the online help of the idrange CLI for details.

       --enable-compat
              Enables support for trusted domain users for old clients
              through the Schema Compatibility plugin. SSSD supports trusted
              domains natively starting with version 1.9. For platforms that
              lack SSSD or run an older SSSD version one needs to use this
              option. When enabled, the slapi-nis package needs to be
              installed and schema-compat-plugin will be configured to
              provide lookup of users and groups from trusted domains via
              SSSD on the IPA server. These users and groups will be
              available under the cn=users,cn=compat,$SUFFIX and
              cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of
              users and groups to lower case.

              In addition to providing these users and groups through the
              compat tree, this option enables authentication over LDAP for
              trusted domain users with a DN under the compat tree, i.e.
              using bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.

              LDAP authentication performed by the compat tree is done via
              the PAM 'system-auth' service. This service exists by default
              on Linux systems and is provided by the pam package as
              /etc/pam.d/system-auth. If your IPA install does not have the
              default HBAC rule 'allow_all' enabled, then make sure to define
              in IPA a special service called 'system-auth' and create an
              HBAC rule that allows anyone access to this service on IPA
              masters.

              As the 'system-auth' PAM service is not used directly by any
              other application, it is safe to use it for trusted domain
              users via the compatibility path.


   UNINSTALL OPTIONS
       --uninstall
              Uninstall an existing IPA installation.

       -U, --unattended
              An unattended uninstallation that will never prompt for user
              input.


DEPRECATED OPTIONS
       -P MASTER_PASSWORD, --master-password=MASTER_PASSWORD
              The Kerberos master password (normally autogenerated).


EXIT STATUS
       0 if the (un)installation was successful

       1 if an error occurred


SEE ALSO
       ipa-dns-install(1) ipa-adtrust-install(1)



IPA                               Feb 17 2017            ipa-server-install(1)