1ipa-replica-install(1)         IPA Manual Pages         ipa-replica-install(1)
2
3
4

NAME

6       ipa-replica-install - Create an IPA replica
7

SYNOPSIS

9       ipa-replica-install [OPTION]...
10

DESCRIPTION

12       Configures  a  new  IPA server that is a replica of the server. Once it
13       has been created it is an exact copy of the original IPA server and  is
14       an  equal  master.  Changes made to any master are automatically repli‐
15       cated to other masters.
16
17       Domain level 0 is not supported anymore.
18
19       To create a replica, the machine only needs to be enrolled in  the  IPA
20       domain  first. This process of turning the IPA client into a replica is
21       also referred to as replica promotion.
22
23       If  you're  starting  with  an  existing   IPA   client,   simply   run
24       ipa-replica-install to have it promoted into a replica. The NTP config‐
25       uration cannot be updated during client promotion.
26
27       To promote a blank machine into a replica, you have  two  options,  you
28       can  either  run  ipa-client-install  in  a  separate step, or pass the
29       enrollment related  options  to  the  ipa-replica-install  (see  CLIENT
30       ENROLLMENT  OPTIONS). In the latter case, ipa-replica-install will join
31       the machine to the IPA realm automatically and will  proceed  with  the
32       promotion step.
33
34       If  the  installation  fails  you  may  need  to run ipa-server-install
35       --uninstall and ipa-client-install before  running  ipa-replica-install
36       again.
37
38       The  installation  will fail if the host you are installing the replica
39       on exists as a host in IPA or an existing replication agreement  exists
40       (for example, from a previously failed installation).
41
42       A replica should only be installed on the same or higher version of IPA
43       on the remote system.
44

OPTIONS

46   OPTIONS
47       -P, --principal
48              The user principal which will be used to promote the  client  to
49              the replica and enroll the client itself, if necessary.
50
51       -w, --admin-password
52              The Kerberos password for the given principal.
53
54
55   CLIENT ENROLLMENT OPTIONS
56       To  install client and promote it to replica using a host keytab or One
57       Time Password, the host needs to be a member of ipaservers group.  This
58       requires  to  create  a  host  entry and add it to the host group prior
59       replica installation.
60
61       --server, --domain, --realm  options are autodiscovered via DNS records
62       by  default.  See manual page ipa-client-install(1) for further details
63       about these options.
64
65
66       -p PASSWORD, --password=PASSWORD
67              One Time Password for joining a machine to the IPA realm.
68
69       -k, --keytab
70              Path to host keytab.
71
72       --server
73              The fully qualified domain name of the IPA server to enroll  to.
74              The  IPA server must provide the CA role if --setup-ca option is
75              specified, and the KRA role if --setup-kra option is specified.
76
77       -n, --domain=DOMAIN
78              The primary DNS domain of an existing IPA deployment, e.g. exam‐
79              ple.com.   This DNS domain should contain the SRV records gener‐
80              ated by the IPA server installer.
81
82       -r, --realm=REALM_NAME
83              The Kerberos realm of an existing IPA deployment.
84
85       --hostname
86              The hostname of this machine (FQDN). If specified, the  hostname
87              will be set and the system configuration will be updated to per‐
88              sist over reboot.
89
90       --force-join
91              Join the host even if it is already enrolled.
92
93
94   BASIC OPTIONS
95       --ip-address=IP_ADDRESS
96              The IP address of this server. If this address  does  not  match
97              the address the host resolves to and --setup-dns is not selected
98              the installation will  fail.  If  the  server  hostname  is  not
99              resolvable, a record for the hostname and IP_ADDRESS is added to
100              /etc/hosts.  This option can be used multiple times  to  specify
101              more  IP  addresses  of the server (e.g. multihomed and/or dual‐
102              stacked server).
103
104       --mkhomedir
105              Create home directories for users on their first login
106
107       --ntp-server=NTP_SERVER
108              Configure chronyd to use this NTP server.  This  option  can  be
109              used  multiple  times and it is used to specify exactly one time
110              server.
111
112       --ntp-pool=NTP_SERVER_POOL
113              Configure chronyd to use this NTP server pool.  This  option  is
114              meant  to be pool of multiple servers resolved as one host name.
115              This pool's servers may vary but pool address will be still same
116              and chrony will choose only one server from this pool.
117
118       -N, --no-ntp
119              Do not configure NTP client (chronyd).
120
121       --no-ui-redirect
122              Do not automatically redirect to the Web UI.
123
124       --ssh-trust-dns
125              Configure OpenSSH client to trust DNS SSHFP records.
126
127       --no-ssh
128              Do not configure OpenSSH client.
129
130       --no-sshd
131              Do not configure OpenSSH server.
132
133       --skip-conncheck
134              Skip connection check to remote master
135
136       -d, --debug
137              Enable debug logging when more verbose output is needed
138
139       -U, --unattended
140              An unattended installation that will never prompt for user input
141
142       --dirsrv-config-file
143              The  path to LDIF file that will be used to modify configuration
144              of dse.ldif during installation of the directory server instance
145
146
147   CERTIFICATE SYSTEM OPTIONS
148       --setup-ca
149              Install and configure a CA on this replica. If a CA is not  con‐
150              figured  then certificate operations will be forwarded to a mas‐
151              ter with a CA installed.
152
153       --no-pkinit
154              Disables pkinit setup steps.
155
156       --dirsrv-cert-file=FILE
157              File containing the Directory Server SSL certificate and private
158              key
159
160       --http-cert-file=FILE
161              File  containing  the  Apache Server SSL certificate and private
162              key
163
164       --pkinit-cert-file=FILE
165              File containing the Kerberos KDC SSL certificate and private key
166
167       --dirsrv-pin=PIN
168              The password to unlock the Directory Server private key
169
170       --http-pin=PIN
171              The password to unlock the Apache Server private key
172
173       --pkinit-pin=PIN
174              The password to unlock the Kerberos KDC private key
175
176       --dirsrv-cert-name=NAME
177              Name of the Directory Server SSL certificate to install
178
179       --http-cert-name=NAME
180              Name of the Apache Server SSL certificate to install
181
182       --pkinit-cert-name=NAME
183              Name of the Kerberos KDC SSL certificate to install
184
185       --pki-config-override=FILE
186              File containing overrides for CA and KRA installation.
187
188       --skip-schema-check
189              Skip check for updated CA DS schema on the remote master
190
191
192   SECRET MANAGEMENT OPTIONS
193       --setup-kra
194              Install and configure a KRA on this replica. If  a  KRA  is  not
195              configured  then  vault operations will be forwarded to a master
196              with a KRA installed.
197
198
199   DNS OPTIONS
200       --setup-dns
201              Configure  an integrated DNS server, create a primary  DNS  zone
202              (name  specified  by  --domain or taken from an existing deploy‐
203              ment), and fill  it  with  service  records  necessary  for  IPA
204              deployment.   In cases where the IPA server name does not belong
205              to the primary DNS domain and is not resolvable using DNS,  cre‐
206              ate a DNS zone containing the IPA server name as well.
207
208              This  option  requires  that you either specify at least one DNS
209              forwarder through the --forwarder option or  use  the  --no-for‐
210              warders option.
211
212              Note that you can set up a DNS at any time after the initial IPA
213              server  install  by  running   ipa-dns-install   (see   ipa-dns-
214              install(1)).  IPA DNS cannot be uninstalled.
215
216       --forwarder=IP_ADDRESS
217              Add  a  DNS forwarder to the DNS configuration. You can use this
218              option multiple times to specify more forwarders, but  at  least
219              one must be provided, unless the --no-forwarders option is spec‐
220              ified.
221
222       --no-forwarders
223              Do not add any DNS forwarders. Root DNS  servers  will  be  used
224              instead.
225
226       --auto-forwarders
227              Add DNS forwarders configured in /etc/resolv.conf to the list of
228              forwarders used by IPA DNS.
229
230       --forward-policy=first|only
231              DNS forwarding policy  for  global  forwarders  specified  using
232              other  options.  Defaults to first if no IP address belonging to
233              a private or reserved ranges is  detected  on  local  interfaces
234              (RFC  6303).  Defaults  to  only  if  a  private  IP  address is
235              detected.
236
237       --reverse-zone=REVERSE_ZONE
238              The reverse DNS zone to use. This option can  be  used  multiple
239              times to specify multiple reverse zones.
240
241       --no-reverse
242              Do  not  create  new  reverse  DNS  zone.  If a reverse DNS zone
243              already exists for the subnet, it will be used.
244
245       --auto-reverse
246              Create necessary reverse zones
247
248       --allow-zone-overlap
249              Create DNS zone even if it already exists
250
251       --no-host-dns
252              Do not use DNS for hostname lookup during installation
253
254       --no-dns-sshfp
255              Do not automatically create DNS SSHFP records.
256
257       --no-dnssec-validation
258              Disable DNSSEC validation on this server.
259
260
261   AD TRUST OPTIONS
262       --setup-adtrust
263              Configure AD Trust capability on a replica.
264
265       --netbios-name=NETBIOS_NAME
266              The NetBIOS name for the IPA domain. If not provided  then  this
267              is  determined  based on the leading component of the DNS domain
268              name. Running ipa-adtrust-install for a second time with a  dif‐
269              ferent  NetBIOS  name  will  change  the  name. Please note that
270              changing the NetBIOS name might break existing  trust  relation‐
271              ships to other domains.
272
273       --add-sids
274              Add  SIDs  to  existing users and groups as on of final steps of
275              the ipa-adtrust-install run. If there a many existing users  and
276              groups  and  a couple of replicas in the environment this opera‐
277              tion might lead to a high replication traffic and a  performance
278              degradation of all IPA servers in the environment. To avoid this
279              the SID generation can be run after ipa-adtrust-install  is  run
280              and scheduled independently. To start this task you have to load
281              an edited version of ipa-sidgen-task-run.ldif with the  ldapmod‐
282              ify command info the directory server.
283
284       --add-agents
285              Add  IPA  masters  to  the list that allows to serve information
286              about users from trusted forests. Starting with IPA 4.2, a regu‐
287              lar IPA master can provide this information to SSSD clients. IPA
288              masters aren't added to the list automatically as restart of the
289              LDAP  service  on  each  of  them  is  required.  The host where
290              ipa-adtrust-install is being run is added automatically.
291
292              Note that IPA masters where ipa-adtrust-install wasn't run,  can
293              serve  information about users from trusted forests only if they
294              are enabled via ipa-adtrust-install run on any other IPA master.
295              At  least SSSD version 1.13 on IPA master is required to be able
296              to perform as a trust agent.
297
298       --rid-base=RID_BASE
299              First RID value of the local domain. The first Posix ID  of  the
300              local  domain  will be assigned to this RID, the second to RID+1
301              etc. See the online help of the idrange CLI for details.
302
303       --secondary-rid-base=SECONDARY_RID_BASE
304              Start value of the secondary RID range, which is  only  used  in
305              the case a user and a group share numerically the same Posix ID.
306              See the online help of the idrange CLI for details.
307
308       --enable-compat
309              Enables support  for  trusted  domains  users  for  old  clients
310              through  Schema  Compatibility  plugin.   SSSD  supports trusted
311              domains natively starting with version 1.9. For  platforms  that
312              lack  SSSD  or  run  older  SSSD  version  one needs to use this
313              option. When enabled, slapi-nis package needs  to  be  installed
314              and schema-compat-plugin will be configured to provide lookup of
315              users and groups from trusted domains via SSSD  on  IPA  server.
316              These  users and groups will be available under cn=users,cn=com‐
317              pat,$SUFFIX and cn=groups,cn=compat,$SUFFIX  trees.   SSSD  will
318              normalize names of users and groups to lower case.
319
320              In addition to providing these users and groups through the com‐
321              pat tree, this  option  enables  authentication  over  LDAP  for
322              trusted  domain users with DN under compat tree, i.e. using bind
323              DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.
324
325              LDAP authentication performed by the compat tree is done via PAM
326              'system-auth'  service.  This service exists by default on Linux
327              systems and  is  provided  by  pam  package  as  /etc/pam.d/sys‐
328              tem-auth.   If  your IPA install does not have default HBAC rule
329              'allow_all' enabled, then make sure to  define  in  IPA  special
330              service  called  'system-auth'  and create an HBAC rule to allow
331              access to anyone to this rule on IPA masters.
332
333              As 'system-auth' PAM service is not used directly by  any  other
334              application,  it  is safe to use it for trusted domain users via
335              compatibility path.
336

EXIT STATUS

338       0 if the command was successful
339
340       1 if an error occurred
341
342       3 if the host exists in the IPA server or a  replication  agreement  to
343       the remote master already exists
344
345       4  if  the  remote  master  specified  for  enrollment does not provide
346       required services such as CA or KRA
347
348
349
350IPA                               Dec 19 2016           ipa-replica-install(1)
Impressum