ipa-replica-install(1)        FreeIPA Manual Pages        ipa-replica-install(1)

NAME
       ipa-replica-install - Create an IPA replica

SYNOPSIS
       ipa-replica-install [OPTION]...

DESCRIPTION
       Configures a new IPA server that is a replica of an existing IPA
       server. Once it has been created it is an exact copy of the original
       IPA server and is an equal master. Changes made to any master are
       automatically replicated to the other masters.

       Domain level 0 is not supported anymore.

       To create a replica, the machine only needs to be enrolled in the
       FreeIPA domain first. This process of turning an IPA client into a
       replica is also referred to as replica promotion.

       If you're starting with an existing IPA client, simply run
       ipa-replica-install to have it promoted into a replica. The NTP
       configuration cannot be updated during client promotion.

       To promote a blank machine into a replica, you have two options: you
       can either run ipa-client-install in a separate step, or pass the
       enrollment-related options to ipa-replica-install (see CLIENT
       ENROLLMENT OPTIONS). In the latter case, ipa-replica-install will
       join the machine to the IPA realm automatically and then proceed with
       the promotion step.

       If the installation fails you may need to run ipa-server-install
       --uninstall and ipa-client-install before running
       ipa-replica-install again.

       The installation will fail if the host you are installing the replica
       on already exists as a host in IPA or if a replication agreement
       already exists (for example, from a previously failed installation).

       A replica should only be installed on a system running the same or a
       higher version of IPA than the remote master.

OPTIONS
       -P, --principal
              The user principal which will be used to promote the client to
              the replica and to enroll the client itself, if necessary.

       -w, --admin-password
              The Kerberos password for the given principal.


CLIENT ENROLLMENT OPTIONS
       To install the client and promote it to a replica using a host keytab
       or a One-Time Password, the host needs to be a member of the
       ipaservers host group. This requires creating a host entry and adding
       it to the host group before the replica installation.

       The --server, --domain and --realm options are autodiscovered via DNS
       records by default. See the manual page ipa-client-install(1) for
       further details about these options.


       -p PASSWORD, --password=PASSWORD
              One-Time Password for joining a machine to the IPA realm.

       -k, --keytab
              Path to the host keytab.

       --server
              The fully qualified domain name of the IPA server to enroll to.

       -n, --domain=DOMAIN
              The primary DNS domain of an existing IPA deployment, e.g.
              example.com. This DNS domain should contain the SRV records
              generated by the IPA server installer.

       -r, --realm=REALM_NAME
              The Kerberos realm of an existing IPA deployment.

       --hostname
              The hostname of this machine (FQDN). If specified, the hostname
              will be set and the system configuration will be updated to
              persist over reboot.

       --force-join
              Join the host even if it is already enrolled.


BASIC OPTIONS
       --ip-address=IP_ADDRESS
              The IP address of this server. If this address does not match
              the address the host resolves to and --setup-dns is not
              selected, the installation will fail. If the server hostname
              is not resolvable, a record for the hostname and IP_ADDRESS is
              added to /etc/hosts. This option can be used multiple times to
              specify more IP addresses of the server (e.g. a multihomed
              and/or dual-stacked server).

       --mkhomedir
              Create home directories for users on their first login.

       --ntp-server=NTP_SERVER
              Configure chronyd to use this NTP server. This option can be
              used multiple times; each occurrence specifies exactly one
              time server.

       --ntp-pool=NTP_SERVER_POOL
              Configure chronyd to use this NTP server pool. A pool is a set
              of multiple servers resolved from one host name. The pool's
              servers may vary but the pool address stays the same, and
              chrony will choose only one server from this pool.

       -N, --no-ntp
              Do not configure the NTP client (chronyd).

       --no-ui-redirect
              Do not automatically redirect to the Web UI.

       --ssh-trust-dns
              Configure the OpenSSH client to trust DNS SSHFP records.

       --no-ssh
              Do not configure the OpenSSH client.

       --no-sshd
              Do not configure the OpenSSH server.

       --skip-conncheck
              Skip the connection check to the remote master.

       -d, --debug
              Enable debug logging when more verbose output is needed.

       -U, --unattended
              An unattended installation that will never prompt for user
              input.

       --dirsrv-config-file
              The path to an LDIF file that will be used to modify the
              configuration of dse.ldif during installation of the directory
              server instance.


CERTIFICATE SYSTEM OPTIONS
       --setup-ca
              Install and configure a CA on this replica. If a CA is not
              configured then certificate operations will be forwarded to a
              master with a CA installed.

       --no-pkinit
              Disables the pkinit setup steps.

       --dirsrv-cert-file=FILE
              File containing the Directory Server SSL certificate and
              private key.

       --http-cert-file=FILE
              File containing the Apache Server SSL certificate and private
              key.

       --pkinit-cert-file=FILE
              File containing the Kerberos KDC SSL certificate and private
              key.

       --dirsrv-pin=PIN
              The password to unlock the Directory Server private key.

       --http-pin=PIN
              The password to unlock the Apache Server private key.

       --pkinit-pin=PIN
              The password to unlock the Kerberos KDC private key.

       --dirsrv-cert-name=NAME
              Name of the Directory Server SSL certificate to install.

       --http-cert-name=NAME
              Name of the Apache Server SSL certificate to install.

       --pkinit-cert-name=NAME
              Name of the Kerberos KDC SSL certificate to install.

       --pki-config-override=FILE
              File containing overrides for the CA and KRA installation.

       --skip-schema-check
              Skip the check for an updated CA DS schema on the remote
              master.


SECRET MANAGEMENT OPTIONS
       --setup-kra
              Install and configure a KRA on this replica. If a KRA is not
              configured then vault operations will be forwarded to a master
              with a KRA installed.


DNS OPTIONS
       --setup-dns
              Configure an integrated DNS server, create a primary DNS zone
              (name specified by --domain or taken from an existing
              deployment), and fill it with the service records necessary
              for the IPA deployment. In cases where the IPA server name
              does not belong to the primary DNS domain and is not
              resolvable using DNS, create a DNS zone containing the IPA
              server name as well.

              This option requires that you either specify at least one DNS
              forwarder through the --forwarder option or use the
              --no-forwarders option.

              Note that you can set up DNS at any time after the initial IPA
              server install by running ipa-dns-install (see
              ipa-dns-install(1)). IPA DNS cannot be uninstalled.

       --forwarder=IP_ADDRESS
              Add a DNS forwarder to the DNS configuration. You can use this
              option multiple times to specify more forwarders, but at least
              one must be provided unless the --no-forwarders option is
              specified.

       --no-forwarders
              Do not add any DNS forwarders. Root DNS servers will be used
              instead.

       --auto-forwarders
              Add the DNS forwarders configured in /etc/resolv.conf to the
              list of forwarders used by IPA DNS.

       --forward-policy=first|only
              DNS forwarding policy for the global forwarders specified using
              other options. Defaults to first if no IP address belonging to
              a private or reserved range (RFC 6303) is detected on local
              interfaces. Defaults to only if a private IP address is
              detected.
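
              The detection behind the --forward-policy default, as an added
              Python example that is not FreeIPA's own code: it reimplements
              the documented rule over a list of local interface addresses
              using the address blocks of RFC 6303. The loopback exclusion,
              the function names and the sample addresses are assumptions
              made for this example.

```python
import ipaddress

# Address blocks that RFC 6303 lists as locally served zones (private,
# link-local, documentation and loopback ranges). Transcribed from the RFC
# for this example; FreeIPA's own list may differ.
RFC6303_BLOCKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
    "255.255.255.255/32",
    "::1/128", "::/128", "fd00::/8", "fe80::/10", "2001:db8::/32",
)]


def is_rfc6303_address(addr: str) -> bool:
    """True if addr lies in a block RFC 6303 treats as locally served."""
    ip = ipaddress.ip_address(addr)
    # 'ip in block' is version-aware, so mixed v4/v6 lists are safe here.
    return any(ip in block for block in RFC6303_BLOCKS)


def private_addresses(local_addresses):
    """Local addresses that would force the 'only' default.

    Loopback is skipped (assumption for this example): every host has
    127.0.0.1 and ::1, and counting them would make 'only' the default
    on every machine, which is not what the man page describes.
    """
    return [a for a in local_addresses
            if not ipaddress.ip_address(a).is_loopback
            and is_rfc6303_address(a)]


def default_forward_policy(local_addresses) -> str:
    """Default for --forward-policy when the option is not given.

    'only' (forward only, no recursion fallback) when some interface
    address is in a private or reserved range; 'first' (forwarders
    first, recursion as fallback) otherwise.
    """
    return "only" if private_addresses(local_addresses) else "first"


if __name__ == "__main__":
    # Constructed sample interface lists, not taken from a real host.
    for ifaces in (["127.0.0.1", "::1", "192.168.1.10"],
                   ["127.0.0.1", "172.32.0.1"]):
        print(ifaces, "->", default_forward_policy(ifaces))
```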

       --reverse-zone=REVERSE_ZONE
              The reverse DNS zone to use. This option can be used multiple
              times to specify multiple reverse zones.

       --no-reverse
              Do not create a new reverse DNS zone. If a reverse DNS zone
              already exists for the subnet, it will be used.

       --auto-reverse
              Create the necessary reverse zones.

       --allow-zone-overlap
              Create the DNS zone even if it already exists.

       --no-host-dns
              Do not use DNS for hostname lookup during installation.

       --no-dns-sshfp
              Do not automatically create DNS SSHFP records.

       --no-dnssec-validation
              Disable DNSSEC validation on this server.


AD TRUST OPTIONS
       --setup-adtrust
              Configure AD Trust capability on a replica.

       --netbios-name=NETBIOS_NAME
              The NetBIOS name for the IPA domain. If not provided then this
              is determined based on the leading component of the DNS domain
              name. Running ipa-adtrust-install a second time with a
              different NetBIOS name will change the name. Please note that
              changing the NetBIOS name might break existing trust
              relationships to other domains.

       --add-sids
              Add SIDs to existing users and groups as one of the final steps
              of the ipa-adtrust-install run. If there are many existing
              users and groups and a couple of replicas in the environment,
              this operation might lead to high replication traffic and a
              performance degradation of all IPA servers in the environment.
              To avoid this, the SID generation can be run after
              ipa-adtrust-install has finished and scheduled independently.
              To start this task you have to load an edited version of
              ipa-sidgen-task-run.ldif into the directory server with the
              ldapmodify command.

       --add-agents
              Add IPA masters to the list of servers allowed to serve
              information about users from trusted forests. Starting with
              FreeIPA 4.2, a regular IPA master can provide this information
              to SSSD clients. IPA masters aren't added to the list
              automatically because a restart of the LDAP service on each of
              them is required. The host where ipa-adtrust-install is being
              run is added automatically.

              Note that IPA masters where ipa-adtrust-install wasn't run can
              serve information about users from trusted forests only if they
              are enabled via an ipa-adtrust-install run on any other IPA
              master. At least SSSD version 1.13 on the IPA master is
              required to be able to perform as a trust agent.

       --rid-base=RID_BASE
              First RID value of the local domain. The first Posix ID of the
              local domain will be assigned to this RID, the second to RID+1,
              etc. See the online help of the idrange CLI for details.

       --secondary-rid-base=SECONDARY_RID_BASE
              Start value of the secondary RID range, which is only used in
              the case a user and a group share numerically the same Posix
              ID. See the online help of the idrange CLI for details.

       --enable-compat
              Enables support for trusted-domain users on old clients through
              the Schema Compatibility plugin. SSSD supports trusted domains
              natively starting with version 1.9. For platforms that lack
              SSSD or run an older SSSD version, this option is needed. When
              enabled, the slapi-nis package needs to be installed and
              schema-compat-plugin will be configured to provide lookup of
              users and groups from trusted domains via SSSD on the IPA
              server. These users and groups will be available under the
              cn=users,cn=compat,$SUFFIX and cn=groups,cn=compat,$SUFFIX
              trees. SSSD will normalize names of users and groups to lower
              case.

              In addition to providing these users and groups through the
              compat tree, this option enables authentication over LDAP for
              trusted-domain users with a DN under the compat tree, i.e.
              using the bind DN
              uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.

              LDAP authentication performed by the compat tree is done via
              the PAM 'system-auth' service. This service exists by default
              on Linux systems and is provided by the pam package as
              /etc/pam.d/system-auth. If your IPA install does not have the
              default HBAC rule 'allow_all' enabled, then make sure to define
              a special HBAC service called 'system-auth' in IPA and create
              an HBAC rule that allows anyone access to this service on the
              IPA masters.

              As the 'system-auth' PAM service is not used directly by any
              other application, it is safe to use it for trusted-domain
              users via the compatibility path.

EXIT STATUS
       0 if the command was successful

       1 if an error occurred

       3 if the host exists in the IPA server or a replication agreement to
         the remote master already exists



FreeIPA                          Dec 19 2016            ipa-replica-install(1)