1ipa-client-install(1) IPA Manual Pages ipa-client-install(1)
2
3
4
6 ipa-client-install - Configure an IPA client
7
9 ipa-client-install [OPTION]...
10
12 Configures a client machine to use IPA for authentication and identity
13 services.
14
15 By default this configures SSSD to connect to an IPA server for authen‐
16 tication and authorization. Optionally one can instead configure PAM
17 and NSS (Name Switching Service) to work with an IPA server over Ker‐
18 beros and LDAP.
19
20 An authorized account is required to join a client machine to IPA. This
21 can take the form of a kerberos principal, a one-time password associ‐
22 ated with the machine, or PKINIT identity associated with the machine.
23
24 This same tool is used to unconfigure IPA and attempts to return the
25 machine to its previous state. Part of this process is to unenroll the
26 host from the IPA server. Unenrollment consists of disabling the prin‐
27 cipal key on the IPA server so that it may be re-enrolled. The machine
28 principal in /etc/krb5.keytab (host/<fqdn>@REALM) is used to authenti‐
29 cate to the IPA server to unenroll itself. If this principal does not
30 exist then unenrollment will fail and an administrator will need to
31 disable the host principal (ipa host-disable <fqdn>).
32
33
34 Assumptions
35 The ipa-client-install script assumes that the machine has already gen‐
36 erated SSH keys. It will not generate SSH keys of its own accord. If
37 SSH keys are not present (e.g. when running the ipa-client-install in a
38 kickstart, before ever running sshd), they will not be uploaded to the
39 client host entry on the server.
40
41
42 Hostname Requirements
43 Client must use a static hostname. If the machine hostname changes for
44 example due to a dynamic hostname assignment by a DHCP server, client
45 enrollment to IPA server breaks and user then would not be able to per‐
46 form Kerberos authentication.
47
48 --hostname option may be used to specify a static hostname that per‐
49 sists over reboot.
50
51
52 DNS Autodiscovery
53 Client installer by default tries to search for _ldap._tcp.DOMAIN DNS
54 SRV records for all domains that are parent to its hostname. For exam‐
55 ple, if a client machine has a hostname 'client1.lab.example.com', the
56 installer will try to retrieve an IPA server hostname from
57 _ldap._tcp.lab.example.com, _ldap._tcp.example.com and _ldap._tcp.com
58 DNS SRV records, respectively. The discovered domain is then used to
59 configure client components (e.g. SSSD and Kerberos 5 configuration) on
60 the machine.
61
62 When the client machine hostname is not in a subdomain of an IPA
63 server, its domain can be passed with --domain option. In that case,
64 both SSSD and Kerberos components have the domain set in the configura‐
65 tion files and will use it to autodiscover IPA servers.
66
67 Client machine can also be configured without a DNS autodiscovery at
68 all. When both --server and --domain options are used, client installer
69 will use the specified server and domain directly. --server option ac‐
70 cepts multiple server hostnames which can be used for failover mecha‐
71 nism. Without DNS autodiscovery, Kerberos is configured with a fixed
72 list of KDC and Admin servers. SSSD is still configured to either try
73 to read domain's SRV records or the specified fixed list of servers.
74 When --fixed-primary option is specified, SSSD will not try to read DNS
75 SRV record at all (see sssd-ipa(5) for details).
76
77
78 The Failover Mechanism
79 When some of the IPA servers is not available, client components are
80 able to fallback to other IPA replica and thus preserving a continued
81 service. When client machine is configured to use DNS SRV record au‐
82 todiscovery (no fixed server was passed to the installer), client com‐
83 ponents do the fallback automatically, based on the IPA server host‐
84 names and priorities discovered from the DNS SRV records.
85
86 If DNS autodiscovery is not available, clients should be configured at
87 least with a fixed list of IPA servers that can be used in case of a
88 failure. When only one IPA server is configured, IPA client services
89 will not be available in case of a failure of the IPA server. Please
90 note, that in case of a fixed list of IPA servers, the fixed server
91 lists in client components need to be updated when a new IPA server is
92 enrolled or a current IPA server is decommissioned.
93
94
95 Coexistence With Other Directory Servers
96 Other directory servers deployed in the network (e.g. Microsoft Active
97 Directory) may use the same DNS SRV records to denote hosts with a di‐
98 rectory service (_ldap._tcp.DOMAIN). Such DNS SRV records may break the
99 installation if the installer discovers these DNS records before it
100 finds DNS SRV records pointing to IPA servers. The installer would then
101 fail to discover the IPA server and exit with error.
102
103 In order to avoid the aforementioned DNS autodiscovery issues, the
104 client machine hostname should be in a domain with properly defined DNS
105 SRV records pointing to IPA servers, either manually with a custom DNS
106 server or with IPA DNS integrated solution. A second approach would be
107 to avoid autodiscovery and configure the installer to use a fixed list
108 of IPA server hostnames using the --server option and with a
109 --fixed-primary option disabling DNS SRV record autodiscovery in SSSD.
110
111
112 Re-enrollment of the host
113 Requirements:
114
115 1. Host has not been un-enrolled (the ipa-client-install --uninstall
116 command has not been run).
117 2. The host entry has not been disabled via the ipa host-disable com‐
118 mand.
119
120 If this has been the case, host can be re-enrolled using the usual
121 methods.
122
123 There are two method of authenticating a re-enrollment:
124
125 1. You can use --force-join option with ipa-client-install command.
126 This authenticates the re-enrollment using the admin's credentials pro‐
127 vided via the -w/--password option.
128 2. If providing the admin's password via the command line is not an op‐
129 tion (e.g. you want to create a script to re-enroll a host and keep the
130 admin's password secure), you can use backed up keytab from the previ‐
131 ous enrollment of this host to authenticate. See --keytab option.
132
133 Consequences of the re-enrollment on the host entry:
134
135 1. A new host certificate is issued
136 2. The old host certificate is revoked
137 3. New SSH keys are generated
138 4. ipaUniqueID is preserved
139
140
142 BASIC OPTIONS
143 --domain=DOMAIN
144 The primary DNS domain of an existing IPA deployment, e.g. exam‐
145 ple.com. This DNS domain should contain the SRV records gener‐
146 ated by the IPA server installer. Usually the name is a lower-
147 cased name of an IPA Kerberos realm name.
148
149 When no --server option is specified, this domain will be used
150 by the installer to discover all available servers via DNS SRV
151 record autodiscovery (see DNS Autodiscovery section for de‐
152 tails).
153
154 The default value used by the installer is the domain part of
155 the hostname. This option needs to be specified if the primary
156 IPA DNS domain is different from the default value.
157
158 --server=SERVER
159 Set the FQDN of the IPA server to connect to. May be specified
160 multiple times to add multiple servers to ipa_server value in
161 sssd.conf or krb5.conf. Only the first value is considered when
162 used with --no-sssd. When this option is used, DNS autodiscovery
163 for Kerberos is disabled and a fixed list of KDC and Admin
164 servers is configured.
165
166 Under normal circumstances, this option is not needed as the
167 list of servers is retrieved from the primary IPA DNS domain.
168
169 --realm=REALM_NAME
170 The Kerberos realm of an existing IPA deployment. Usually it is
171 an upper-cased name of the primary DNS domain used by the IPA
172 installation.
173
174 Under normal circumstances, this option is not needed as the
175 realm name is retrieved from the IPA server.
176
177 --fixed-primary
178 Configure SSSD to use a fixed server as the primary IPA server.
179 The default is to use DNS SRV records to determine the primary
180 server to use and fall back to the server the client is enrolled
181 with. When used in conjunction with --server then no _srv_ value
182 is set in the ipa_server option in sssd.conf.
183
184 -p, --principal
185 Authorized kerberos principal to use to join the IPA realm.
186
187 -w PASSWORD, --password=PASSWORD
188 Password for joining a machine to the IPA realm. Assumes bulk
189 password unless principal is also set.
190
191 -W Prompt for the password for joining a machine to the IPA realm.
192
193 -k, --keytab
194 Path to backed up host keytab from previous enrollment. Joins
195 the host even if it is already enrolled.
196
197 --mkhomedir
198 Configure PAM to create a users home directory if it does not
199 exist.
200
201 --hostname
202 The hostname of this machine (FQDN). If specified, the hostname
203 will be set and the system configuration will be updated to per‐
204 sist over reboot. By default the result of getfqdn() call from
205 Python's socket module is used.
206
207 --force-join
208 Join the host even if it is already enrolled.
209
210 --ntp-server=NTP_SERVER
211 Configure chronyd to use this NTP server. This option can be
212 used multiple times and it is used to specify exactly one time
213 server.
214
215 --ntp-pool=NTP_SERVER_POOL
216 Configure chronyd to use this NTP server pool. This option is
217 meant to be pool of multiple servers resolved as one host name.
218 This pool's servers may vary but pool address will be still same
219 and chrony will choose only one server from this pool.
220
221 -N, --no-ntp
222 Do not configure NTP client (chronyd).
223
224 --nisdomain=NIS_DOMAIN
225 Set the NIS domain name as specified. By default, this is set to
226 the IPA domain name.
227
228 --no-nisdomain
229 Do not configure NIS domain name.
230
231 --ssh-trust-dns
232 Configure OpenSSH client to trust DNS SSHFP records.
233
234 --no-ssh
235 Do not configure OpenSSH client.
236
237 --no-sshd
238 Do not configure OpenSSH server.
239
240 --no-sudo
241 Do not configure SSSD as a data source for sudo.
242
243 --subid
244 Configure SSSD as data source for subid.
245
246 --no-dns-sshfp
247 Do not automatically create DNS SSHFP records.
248
249 --noac Do not use Authconfig to modify the nsswitch.conf and PAM con‐
250 figuration.
251
252 -f, --force
253 Force the settings even if errors occur
254
255 --kinit-attempts=KINIT_ATTEMPTS
256 In case of unresponsive KDC (e.g. when enrolling multiple hosts
257 at once in a heavy load environment) repeat the request for host
258 Kerberos ticket up to a total number of KINIT_ATTEMPTS times be‐
259 fore giving up and aborting client installation. Default number
260 of attempts is 5. The request is not repeated when there is a
261 problem with host credentials themselves (e.g. wrong keytab for‐
262 mat or invalid principal) so using this option will not lead to
263 account lockouts.
264
265 -d, --debug
266 Print debugging information to stdout
267
268 -U, --unattended
269 Unattended installation. The user will not be prompted.
270
271 --ca-cert-file=CA_FILE
272 Do not attempt to acquire the IPA CA certificate via automated
273 means, instead use the CA certificate found locally in in
274 CA_FILE. The CA_FILE must be an absolute path to a PEM format‐
275 ted certificate file. The CA certificate found in CA_FILE is
276 considered authoritative and will be installed without checking
277 to see if it's valid for the IPA domain.
278
279 --request-cert
280 DEPRECATED: The option is deprecated and will be removed in a
281 future release.
282
283 Request certificate for the machine. The certificate will be
284 stored in /etc/ipa/nssdb under the nickname "Local IPA host".
285
286 Using this option requires that D-Bus is properly configured or
287 not configured at all. In environment where this condition is
288 not met (e.g. anaconda kickstart chroot environment) set the
289 system bus address to /dev/null to enable workaround in ipa-
290 client-install.
291
292 # env DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null ipa-
293 client-install --request-cert
294
295 Note that requesting the certificate when certmonger is not run‐
296 ning only creates tracking request and the certmonger service
297 must be started to be able to track certificates.
298
299 --automount-location=LOCATION
300 Configure automount by running ipa-client-automount(1) with LO‐
301 CATION as automount location.
302
303 --configure-firefox
304 Configure Firefox to use IPA domain credentials.
305
306 --firefox-dir=DIR
307 Specify Firefox installation directory. For example:
308 '/usr/lib/firefox'
309
310 --ip-address=IP_ADDRESS
311 Use IP_ADDRESS in DNS A/AAAA record for this host. May be speci‐
312 fied multiple times to add multiple DNS records.
313
314 --all-ip-addresses
315 Create DNS A/AAAA record for each IP address on this host.
316
317
318 SSSD OPTIONS
319 --permit
320 Configure SSSD to permit all access. Otherwise the machine will
321 be controlled by the Host-based Access Controls (HBAC) on the
322 IPA server.
323
324 --enable-dns-updates
325 This option tells SSSD to automatically update DNS with the IP
326 address of this client. The default is to use GSS-TSIG. How‐
327 ever, if using GSS-TSIG fails for any reason at install time,
328 ipa-client-install will configure SSSD to use unauthenticated
329 nsupdates instead.
330
331 --no-krb5-offline-passwords
332 Configure SSSD not to store user password when the server is
333 offline.
334
335 -S, --no-sssd
336 Do not configure the client to use SSSD for authentication, use
337 nss_ldap instead.
338
339 --preserve-sssd
340 Disabled by default. When enabled, preserves old SSSD configura‐
341 tion if it is not possible to merge it with a new one. Effec‐
342 tively, if the merge is not possible due to SSSDConfig reader
343 encountering unsupported options, ipa-client-install will not
344 run further and ask to fix SSSD config first. When this option
345 is not specified, ipa-client-install will back up SSSD config
346 and create new one. The back up version will be restored during
347 uninstall.
348
349
350 PKINIT OPTIONS
351 --pkinit-identity=DENTITY
352 Identity string for PKINIT authentication to use to join the IPA
353 realm, for example 'FILE:/path/to/cert.pem,/path/to/key.pem'.
354 See krb5.conf(5) for more information. The option is mutually
355 exclusive with --password and --keytab.
356
357 --pkinit-anchor=FILEDIR
358 Trust anchors (root and intermediate CA certs) for PKINIT.
359 FILEDIR is either the absolute path to a PEM bundle (for example
360 requires the full trust chain of the Kerberos KDC server as well
361 as the full trust chain of the identity certificate.
362
363
364 UNINSTALL OPTIONS
365 --uninstall
366 Remove the IPA client software and restore the configuration to
367 the pre-IPA state.
368
369 -U, --unattended
370 Unattended uninstallation. The user will not be prompted.
371
372
374 ipa-client-install will automatically disable the Name Service Caching
375 Daemon (nscd) when configuring the SSSD client. These are competing
376 services and cannot co-exist.
377
378 If there are other similar services providing nss capabilities they
379 will need to be manually disabled by the user. An example is unscd, a
380 complete replacement for nscd.
381
382
384 Files that will be replaced if SSSD is configured (default):
385
386 /etc/sssd/sssd.conf
387
388 Files that will be replaced if they exist and SSSD is not configured
389 (--no-sssd):
390
391 /etc/ldap.conf
392 /etc/nss_ldap.conf
393 /etc/libnss-ldap.conf
394 /etc/pam_ldap.conf
395 /etc/nslcd.conf
396
397 Files replaced if NTP client (chronyd) configuration is enabled:
398
399 /etc/chrony.conf
400
401 Files always created (replacing existing content):
402
403 /etc/krb5.conf
404 /etc/ipa/ca.crt
405 /etc/ipa/default.conf
406 /etc/ipa/nssdb
407 /etc/openldap/ldap.conf
408 /etc/pki/ca-trust/source/ipa.p11-kit
409
410 Files updated, existing content is maintained:
411
412 /etc/nsswitch.conf
413 /etc/krb5.keytab
414 /etc/sysconfig/network
415
416
417 File updated, existing content is maintained if ssh is configured (de‐
418 fault):
419
420 /etc/ssh/ssh_config
421
422 File updated, existing content is maintained if sshd is configured (de‐
423 fault):
424
425 /etc/ssh/sshd_config
426
427
429 --request-cert
430
431
433 0 if the installation was successful
434
435 1 if an error occurred
436
437 2 if uninstalling and the client is not configured
438
439 3 if installing and the client is already configured
440
441 4 if an uninstall error occurred
442
443
445 ipa-client-automount(1), krb5.conf(5), sssd.conf(5)
446
447
448
449IPA Dec 19 2016 ipa-client-install(1)