1ipa-client-install(1)          IPA Manual Pages          ipa-client-install(1)
2
3
4

NAME

6       ipa-client-install - Configure an IPA client
7

SYNOPSIS

9       ipa-client-install [OPTION]...
10

DESCRIPTION

12       Configures  a client machine to use IPA for authentication and identity
13       services.
14
15       By default this configures SSSD to connect to an IPA server for authen‐
16       tication  and  authorization.  Optionally one can instead configure PAM
17       and NSS (Name Switching Service) to work with an IPA server  over  Ker‐
18       beros and LDAP.
19
20       An authorized account is required to join a client machine to IPA. This
21       can take the form of a kerberos principal, a one-time password  associ‐
22       ated with the machine, or PKINIT identity associated with the machine.
23
24       This  same  tool  is used to unconfigure IPA and attempts to return the
25       machine to its previous state. Part of this process is to unenroll  the
26       host  from the IPA server. Unenrollment consists of disabling the prin‐
27       cipal key on the IPA server so that it may be re-enrolled. The  machine
28       principal  in /etc/krb5.keytab (host/<fqdn>@REALM) is used to authenti‐
29       cate to the IPA server to unenroll itself. If this principal  does  not
30       exist  then  unenrollment  will  fail and an administrator will need to
31       disable the host principal (ipa host-disable <fqdn>).
32
33
34   Assumptions
35       The ipa-client-install script assumes that the machine has already gen‐
36       erated  SSH  keys.  It will not generate SSH keys of its own accord. If
37       SSH keys are not present (e.g. when running the ipa-client-install in a
38       kickstart,  before ever running sshd), they will not be uploaded to the
39       client host entry on the server.
40
41
42   Hostname Requirements
43       Client must use a static hostname. If the machine hostname changes  for
44       example  due  to a dynamic hostname assignment by a DHCP server, client
45       enrollment to IPA server breaks and user then would not be able to per‐
46       form Kerberos authentication.
47
48       --hostname  option  may  be used to specify a static hostname that per‐
49       sists over reboot.
50
51
52   DNS Autodiscovery
53       Client installer by default tries to search for  _ldap._tcp.DOMAIN  DNS
54       SRV  records for all domains that are parent to its hostname. For exam‐
55       ple, if a client machine has a hostname 'client1.lab.example.com',  the
56       installer   will   try   to   retrieve  an  IPA  server  hostname  from
57       _ldap._tcp.lab.example.com, _ldap._tcp.example.com  and  _ldap._tcp.com
58       DNS  SRV  records,  respectively. The discovered domain is then used to
59       configure client components (e.g. SSSD and Kerberos 5 configuration) on
60       the machine.
61
62       When  the  client  machine  hostname  is  not  in a subdomain of an IPA
63       server, its domain can be passed with --domain option.  In  that  case,
64       both SSSD and Kerberos components have the domain set in the configura‐
65       tion files and will use it to autodiscover IPA servers.
66
67       Client machine can also be configured without a  DNS  autodiscovery  at
68       all. When both --server and --domain options are used, client installer
69       will use the specified server and domain directly. --server option  ac‐
70       cepts  multiple  server hostnames which can be used for failover mecha‐
71       nism. Without DNS autodiscovery, Kerberos is configured  with  a  fixed
72       list  of KDC and  Admin servers. SSSD is still configured to either try
73       to read domain's SRV records or the specified fixed  list  of  servers.
74       When --fixed-primary option is specified, SSSD will not try to read DNS
75       SRV record at all (see sssd-ipa(5) for details).
76
77
78   The Failover Mechanism
79       When some of the IPA servers is not available,  client  components  are
80       able  to  fallback to other IPA replica and thus preserving a continued
81       service. When client machine is configured to use DNS  SRV  record  au‐
82       todiscovery  (no fixed server was passed to the installer), client com‐
83       ponents do the fallback automatically, based on the  IPA  server  host‐
84       names and priorities discovered from the DNS SRV records.
85
86       If  DNS autodiscovery is not available, clients should be configured at
87       least with a fixed list of IPA servers that can be used in  case  of  a
88       failure.  When  only  one IPA server is configured, IPA client services
89       will not be available in case of a failure of the  IPA  server.  Please
90       note,  that  in  case  of a fixed list of IPA servers, the fixed server
91       lists in client components need to be updated when a new IPA server  is
92       enrolled or a current IPA server is decommissioned.
93
94
95   Coexistence With Other Directory Servers
96       Other  directory servers deployed in the network (e.g. Microsoft Active
97       Directory) may use the same DNS SRV records to denote hosts with a  di‐
98       rectory service (_ldap._tcp.DOMAIN). Such DNS SRV records may break the
99       installation if the installer discovers these  DNS  records  before  it
100       finds DNS SRV records pointing to IPA servers. The installer would then
101       fail to discover the IPA server and exit with error.
102
103       In order to avoid the  aforementioned  DNS  autodiscovery  issues,  the
104       client machine hostname should be in a domain with properly defined DNS
105       SRV records pointing to IPA servers, either manually with a custom  DNS
106       server  or with IPA DNS integrated solution. A second approach would be
107       to avoid autodiscovery and configure the installer to use a fixed  list
108       of   IPA  server  hostnames  using  the  --server  option  and  with  a
109       --fixed-primary option disabling DNS SRV record autodiscovery in SSSD.
110
111
112   Re-enrollment of the host
113       Requirements:
114
115       1. Host has not been un-enrolled  (the  ipa-client-install  --uninstall
116       command has not been run).
117       2.  The  host entry has not been disabled via the ipa host-disable com‐
118       mand.
119
120       If this has been the case, host can  be  re-enrolled  using  the  usual
121       methods.
122
123       There are two method of authenticating a re-enrollment:
124
125       1.  You  can  use  --force-join option with ipa-client-install command.
126       This authenticates the re-enrollment using the admin's credentials pro‐
127       vided via the -w/--password option.
128       2. If providing the admin's password via the command line is not an op‐
129       tion (e.g. you want to create a script to re-enroll a host and keep the
130       admin's  password secure), you can use backed up keytab from the previ‐
131       ous enrollment of this host to authenticate. See --keytab option.
132
133       Consequences of the re-enrollment on the host entry:
134
135       1. A new host certificate is issued
136       2. The old host certificate is revoked
137       3. New SSH keys are generated
138       4. ipaUniqueID is preserved
139
140

OPTIONS

142   BASIC OPTIONS
143       --domain=DOMAIN
144              The primary DNS domain of an existing IPA deployment, e.g. exam‐
145              ple.com.  This  DNS domain should contain the SRV records gener‐
146              ated by the IPA server installer. Usually the name is  a  lower-
147              cased name of an IPA Kerberos realm name.
148
149              When  no  --server option is specified, this domain will be used
150              by the installer to discover all available servers via  DNS  SRV
151              record  autodiscovery  (see  DNS  Autodiscovery  section for de‐
152              tails).
153
154              The default value used by the installer is the  domain  part  of
155              the  hostname.  This option needs to be specified if the primary
156              IPA DNS domain is different from the default value.
157
158       --server=SERVER
159              Set the FQDN of the IPA server to connect to. May  be  specified
160              multiple  times  to  add multiple servers to ipa_server value in
161              sssd.conf or krb5.conf. Only the first value is considered  when
162              used with --no-sssd. When this option is used, DNS autodiscovery
163              for Kerberos is disabled and a  fixed  list  of  KDC  and  Admin
164              servers is configured.
165
166              Under  normal  circumstances,  this  option is not needed as the
167              list of servers is retrieved from the primary IPA DNS domain.
168
169       --realm=REALM_NAME
170              The Kerberos realm of an existing IPA deployment. Usually it  is
171              an  upper-cased  name  of the primary DNS domain used by the IPA
172              installation.
173
174              Under normal circumstances, this option is  not  needed  as  the
175              realm name is retrieved from the IPA server.
176
177       --fixed-primary
178              Configure  SSSD to use a fixed server as the primary IPA server.
179              The default is to use DNS SRV records to determine  the  primary
180              server to use and fall back to the server the client is enrolled
181              with. When used in conjunction with --server then no _srv_ value
182              is set in the ipa_server option in sssd.conf.
183
184       -p, --principal
185              Authorized kerberos principal to use to join the IPA realm.
186
187       -w PASSWORD, --password=PASSWORD
188              Password  for  joining  a machine to the IPA realm. Assumes bulk
189              password unless principal is also set.
190
191       -W     Prompt for the password for joining a machine to the IPA realm.
192
193       -k, --keytab
194              Path to backed up host keytab from  previous  enrollment.  Joins
195              the host even if it is already enrolled.
196
197       --mkhomedir
198              Configure  PAM  to  create a users home directory if it does not
199              exist.
200
201       --hostname
202              The hostname of this machine (FQDN). If specified, the  hostname
203              will be set and the system configuration will be updated to per‐
204              sist over reboot. By default the result of getfqdn()  call  from
205              Python's socket module is used.
206
207       --force-join
208              Join the host even if it is already enrolled.
209
210       --ntp-server=NTP_SERVER
211              Configure  chronyd  to  use  this NTP server. This option can be
212              used multiple times and it is used to specify exactly  one  time
213              server.
214
215       --ntp-pool=NTP_SERVER_POOL
216              Configure  chronyd  to  use this NTP server pool. This option is
217              meant to be pool of multiple servers resolved as one host  name.
218              This pool's servers may vary but pool address will be still same
219              and chrony will choose only one server from this pool.
220
221       -N, --no-ntp
222              Do not configure NTP client (chronyd).
223
224       --nisdomain=NIS_DOMAIN
225              Set the NIS domain name as specified. By default, this is set to
226              the IPA domain name.
227
228       --no-nisdomain
229              Do not configure NIS domain name.
230
231       --ssh-trust-dns
232              Configure OpenSSH client to trust DNS SSHFP records.
233
234       --no-ssh
235              Do not configure OpenSSH client.
236
237       --no-sshd
238              Do not configure OpenSSH server.
239
240       --no-sudo
241              Do not configure SSSD as a data source for sudo.
242
243       --subid
244              Configure SSSD as data source for subid.
245
246       --no-dns-sshfp
247              Do not automatically create DNS SSHFP records.
248
249       --noac Do  not  use Authconfig to modify the nsswitch.conf and PAM con‐
250              figuration.
251
252       -f, --force
253              Force the settings even if errors occur
254
255       --kinit-attempts=KINIT_ATTEMPTS
256              In case of unresponsive KDC (e.g. when enrolling multiple  hosts
257              at once in a heavy load environment) repeat the request for host
258              Kerberos ticket up to a total number of KINIT_ATTEMPTS times be‐
259              fore  giving up and aborting client installation. Default number
260              of attempts is 5. The request is not repeated when  there  is  a
261              problem with host credentials themselves (e.g. wrong keytab for‐
262              mat or invalid principal) so using this option will not lead  to
263              account lockouts.
264
265       -d, --debug
266              Print debugging information to stdout
267
268       -U, --unattended
269              Unattended installation. The user will not be prompted.
270
271       --ca-cert-file=CA_FILE
272              Do  not  attempt to acquire the IPA CA certificate via automated
273              means, instead use  the  CA  certificate  found  locally  in  in
274              CA_FILE.   The CA_FILE must be an absolute path to a PEM format‐
275              ted certificate file. The CA certificate  found  in  CA_FILE  is
276              considered  authoritative and will be installed without checking
277              to see if it's valid for the IPA domain.
278
279       --request-cert
280              DEPRECATED: The option is deprecated and will be  removed  in  a
281              future release.
282
283              Request  certificate  for  the  machine. The certificate will be
284              stored in /etc/ipa/nssdb under the nickname "Local IPA host".
285
286              Using this option requires that D-Bus is properly configured  or
287              not  configured  at  all. In environment where this condition is
288              not met (e.g. anaconda kickstart  chroot  environment)  set  the
289              system  bus  address  to  /dev/null to enable workaround in ipa-
290              client-install.
291
292                  #   env   DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null   ipa-
293              client-install --request-cert
294
295              Note that requesting the certificate when certmonger is not run‐
296              ning only creates tracking request and  the  certmonger  service
297              must be started to be able to track certificates.
298
299       --automount-location=LOCATION
300              Configure  automount by running ipa-client-automount(1) with LO‐
301              CATION as automount location.
302
303       --configure-firefox
304              Configure Firefox to use IPA domain credentials.
305
306       --firefox-dir=DIR
307              Specify   Firefox   installation   directory.    For    example:
308              '/usr/lib/firefox'
309
310       --ip-address=IP_ADDRESS
311              Use IP_ADDRESS in DNS A/AAAA record for this host. May be speci‐
312              fied multiple times to add multiple DNS records.
313
314       --all-ip-addresses
315              Create DNS A/AAAA record for each IP address on this host.
316
317
318   SSSD OPTIONS
319       --permit
320              Configure SSSD to permit all access. Otherwise the machine  will
321              be  controlled  by  the Host-based Access Controls (HBAC) on the
322              IPA server.
323
324       --enable-dns-updates
325              This option tells SSSD to automatically update DNS with  the  IP
326              address  of  this  client.  The default is to use GSS-TSIG. How‐
327              ever, if using GSS-TSIG fails for any reason  at  install  time,
328              ipa-client-install  will  configure  SSSD to use unauthenticated
329              nsupdates instead.
330
331       --no-krb5-offline-passwords
332              Configure SSSD not to store user password  when  the  server  is
333              offline.
334
335       -S, --no-sssd
336              Do  not configure the client to use SSSD for authentication, use
337              nss_ldap instead.
338
339       --preserve-sssd
340              Disabled by default. When enabled, preserves old SSSD configura‐
341              tion  if  it  is not possible to merge it with a new one. Effec‐
342              tively, if the merge is not possible due  to  SSSDConfig  reader
343              encountering  unsupported  options,  ipa-client-install will not
344              run further and ask to fix SSSD config first. When  this  option
345              is  not  specified,  ipa-client-install will back up SSSD config
346              and create new one. The back up version will be restored  during
347              uninstall.
348
349
350   PKINIT OPTIONS
351       --pkinit-identity=DENTITY
352              Identity string for PKINIT authentication to use to join the IPA
353              realm,  for  example  'FILE:/path/to/cert.pem,/path/to/key.pem'.
354              See  krb5.conf(5)  for  more information. The option is mutually
355              exclusive with --password and --keytab.
356
357       --pkinit-anchor=FILEDIR
358              Trust anchors (root  and  intermediate  CA  certs)  for  PKINIT.
359              FILEDIR is either the absolute path to a PEM bundle (for example
360              requires the full trust chain of the Kerberos KDC server as well
361              as the full trust chain of the identity certificate.
362
363
364   UNINSTALL OPTIONS
365       --uninstall
366              Remove  the IPA client software and restore the configuration to
367              the pre-IPA state.
368
369       -U, --unattended
370              Unattended uninstallation. The user will not be prompted.
371
372

DISABLED SERVICES

374       ipa-client-install will automatically disable the Name Service  Caching
375       Daemon  (nscd)  when  configuring  the SSSD client. These are competing
376       services and cannot co-exist.
377
378       If there are other similar services  providing  nss  capabilities  they
379       will  need  to be manually disabled by the user. An example is unscd, a
380       complete replacement for nscd.
381
382

FILES

384       Files that will be replaced if SSSD is configured (default):
385
386              /etc/sssd/sssd.conf
387
388       Files that will be replaced if they exist and SSSD  is  not  configured
389       (--no-sssd):
390
391              /etc/ldap.conf
392              /etc/nss_ldap.conf
393              /etc/libnss-ldap.conf
394              /etc/pam_ldap.conf
395              /etc/nslcd.conf
396
397       Files replaced if NTP client (chronyd) configuration is enabled:
398
399              /etc/chrony.conf
400
401       Files always created (replacing existing content):
402
403              /etc/krb5.conf
404              /etc/ipa/ca.crt
405              /etc/ipa/default.conf
406              /etc/ipa/nssdb
407              /etc/openldap/ldap.conf
408              /etc/pki/ca-trust/source/ipa.p11-kit
409
410       Files updated, existing content is maintained:
411
412              /etc/nsswitch.conf
413              /etc/krb5.keytab
414              /etc/sysconfig/network
415
416
417       File  updated, existing content is maintained if ssh is configured (de‐
418       fault):
419
420              /etc/ssh/ssh_config
421
422       File updated, existing content is maintained if sshd is configured (de‐
423       fault):
424
425              /etc/ssh/sshd_config
426
427

DEPRECATED OPTIONS

429       --request-cert
430
431

EXIT STATUS

433       0 if the installation was successful
434
435       1 if an error occurred
436
437       2 if uninstalling and the client is not configured
438
439       3 if installing and the client is already configured
440
441       4 if an uninstall error occurred
442
443

SEE ALSO

445       ipa-client-automount(1), krb5.conf(5), sssd.conf(5)
446
447
448
449IPA                               Dec 19 2016            ipa-client-install(1)
Impressum