ipa-client-install(1)         FreeIPA Manual Pages        ipa-client-install(1)


NAME
       ipa-client-install - Configure an IPA client

SYNOPSIS
       ipa-client-install [OPTION]...

DESCRIPTION
       Configures a client machine to use IPA for authentication and identity
       services.

       By default this configures SSSD to connect to an IPA server for
       authentication and authorization. Optionally one can instead configure
       PAM and NSS (Name Switching Service) to work with an IPA server over
       Kerberos and LDAP.

       An authorized user is required to join a client machine to IPA. This
       can take the form of a Kerberos principal or a one-time password
       associated with the machine.

       This same tool is used to unconfigure IPA and attempts to return the
       machine to its previous state. Part of this process is to unenroll the
       host from the IPA server. Unenrollment consists of disabling the
       principal key on the IPA server so that it may be re-enrolled. The
       machine principal in /etc/krb5.keytab (host/<fqdn>@REALM) is used to
       authenticate to the IPA server to unenroll itself. If this principal
       does not exist then unenrollment will fail and an administrator will
       need to disable the host principal (ipa host-disable <fqdn>).
32
33
34 HOSTNAME REQUIREMENTS
35 Client must use a static hostname. If the machine hostname changes for
36 example due to a dynamic hostname assignment by a DHCP server, client
37 enrollment to IPA server breaks and user then would not be able to per‐
38 form Kerberos authentication.
39
40 --hostname option may be used to specify a static hostname that per‐
41 sists over reboot.
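
As an added example (not part of the FreeIPA man page), the following Python checks before an uninstall whether /etc/krb5.keytab holds the host/<fqdn>@REALM principal that unenrollment needs, and tells the missing-principal case apart from the hostname-change case described above. The `klist -kt` output is a constructed sample; on a live host you would feed it the real command's output.

```python
import re

# Constructed sample of `klist -kt /etc/krb5.keytab` output; not captured from a real host.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 09/05/2011 12:00:00 host/client1.example.test@EXAMPLE.TEST
   2 09/05/2011 12:00:00 host/client1.example.test@EXAMPLE.TEST
"""

# One keytab entry line: KVNO, date, time, principal.
ENTRY_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(?P<princ>\S+@\S+)\s*$", re.MULTILINE)


def keytab_principals(klist_output):
    """Return the set of principals listed in `klist -kt` output."""
    return {m.group("princ") for m in ENTRY_RE.finditer(klist_output)}


def is_static_fqdn(name):
    """A hostname ipa-client-install can rely on: fully qualified, lowercase
    labels, no empty label, and not a placeholder such as localhost."""
    labels = name.split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return False
    if name != name.lower() or labels[0] == "localhost":
        return False
    return all(re.fullmatch(r"[a-z0-9-]+", label) for label in labels)


def unenroll_check(klist_output, fqdn, realm):
    """Decide whether `ipa-client-install --uninstall` can authenticate as
    host/<fqdn>@REALM, and name the likely cause when it cannot."""
    if not is_static_fqdn(fqdn):
        return {"ok": False, "reason": "hostname-not-fqdn"}
    wanted = "host/%s@%s" % (fqdn, realm)
    princs = keytab_principals(klist_output)
    if wanted in princs:
        return {"ok": True, "reason": None}
    other = sorted(p for p in princs if p.startswith("host/"))
    if other:
        # A host key exists, but for a different name: the hostname changed
        # after enrollment (the DHCP case under HOSTNAME REQUIREMENTS).
        return {"ok": False, "reason": "hostname-mismatch", "keytab_host": other[0]}
    # No host key at all: an administrator must run `ipa host-disable <fqdn>`.
    return {"ok": False, "reason": "no-host-principal"}
```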
42
43
45 BASIC OPTIONS
46 --domain=DOMAIN
47 Set the domain name to DOMAIN
48
49 --server=SERVER
50 Set the IPA server to connect to. May be specified multiple
51 times to add multiple servers to ipa_server value in sssd.conf.
52 Only the first value is considered when used with --no-sssd.
53
54 --realm=REALM_NAME
55 Set the IPA realm name to REALM_NAME
56
57 --fixed-primary
58 Configure sssd to use a fixed server as the primary IPA server.
59 The default is to use DNS SRV records to determine the primary
60 server to use and fall back to the server the client is enrolled
61 with. When used in conjunction with --server then no _srv_ value
62 is set in the ipa_server option in sssd.conf.
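
An added example (not FreeIPA code) that models the ipa_server value as --server and --fixed-primary describe it, and audits a deployed sssd.conf for whether the client picks its primary server from DNS SRV records. The configuration fragment and server names are constructed; the SRV record names are the standard LDAP and Kerberos ones and are an assumption of this example, not something the man page states.

```python
import re

# Constructed sssd.conf fragment (not copied from a real host) in the shape
# ipa-client-install writes for an IPA domain.
SAMPLE_SSSD_CONF = """\
[domain/example.test]
id_provider = ipa
ipa_domain = example.test
ipa_server = _srv_, ipa1.example.test
ipa_hostname = client1.example.test
"""


def expected_ipa_server(servers, fixed_primary=False):
    """Model the ipa_server value from the man page: DNS SRV discovery first
    (_srv_) with the --server values as fallback, unless --fixed-primary is
    combined with --server, in which case no _srv_ is set. (--fixed-primary
    without --server is not specified by the page and is treated as default.)"""
    servers = list(servers)
    if fixed_primary and servers:
        return ", ".join(servers)
    return ", ".join(["_srv_"] + servers)


def _conf_value(conf_text, key):
    m = re.search(r"^\s*%s\s*=\s*(.+?)\s*$" % re.escape(key), conf_text, re.M)
    return m.group(1) if m else None


def parse_ipa_server(conf_text):
    value = _conf_value(conf_text, "ipa_server")
    return [s.strip() for s in value.split(",")] if value else []


def audit_server_discovery(conf_text):
    """Defender's view of a deployed sssd.conf: does the client choose its
    primary server via DNS SRV (so the integrity of those records matters),
    which records those are, and which servers are pinned explicitly."""
    servers = parse_ipa_server(conf_text)
    domain = _conf_value(conf_text, "ipa_domain")
    uses_srv = "_srv_" in servers
    # Assumption: the usual LDAP and Kerberos SRV names for the IPA domain.
    records = ["_ldap._tcp.%s" % domain, "_kerberos._tcp.%s" % domain]
    return {
        "uses_srv": uses_srv,
        "srv_is_primary": bool(servers) and servers[0] == "_srv_",
        "pinned_servers": [s for s in servers if s != "_srv_"],
        "srv_records": records if uses_srv and domain else [],
    }
```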

       -p, --principal
              Authorized Kerberos principal to use to join the IPA realm.

       -w PASSWORD, --password=PASSWORD
              Password for joining a machine to the IPA realm. Assumes a bulk
              password unless a principal is also set.

       -W     Prompt for the password for joining a machine to the IPA realm.

       --mkhomedir
              Configure PAM to create a user's home directory if it does not
              exist.

       --hostname
              The hostname of this machine (FQDN). If specified, the hostname
              will be set and the system configuration will be updated to
              persist over reboot. By default the nodename result from
              uname(2) is used.

       --force-join
              Join the host even if it is already enrolled.

       --ntp-server=NTP_SERVER
              Configure ntpd to use this NTP server.

       -N, --no-ntp
              Do not configure or enable NTP.

       --nisdomain=NIS_DOMAIN
              Set the NIS domain name as specified. By default, this is set to
              the IPA domain name.

       --no-nisdomain
              Do not configure the NIS domain name.

       --ssh-trust-dns
              Configure the OpenSSH client to trust DNS SSHFP records.

       --no-ssh
              Do not configure the OpenSSH client.

       --no-sshd
              Do not configure the OpenSSH server.

       --no-sudo
              Do not configure SSSD as a data source for sudo.

       --no-dns-sshfp
              Do not automatically create DNS SSHFP records.

       --noac Do not use Authconfig to modify the nsswitch.conf and PAM
              configuration.

       -f, --force
              Force the settings even if errors occur.

       --kinit-attempts=KINIT_ATTEMPTS
              Number of unsuccessful attempts to obtain the host TGT before
              aborting client installation. KINIT_ATTEMPTS must be a number
              greater than zero. By default 5 attempts to get the TGT are
              performed.

       -d, --debug
              Print debugging information to stdout.

       -U, --unattended
              Unattended installation. The user will not be prompted.

       --ca-cert-file=CA_FILE
              Do not attempt to acquire the IPA CA certificate by automated
              means; instead use the CA certificate found locally in CA_FILE.
              CA_FILE must be an absolute path to a PEM-formatted certificate
              file. The CA certificate in CA_FILE is considered authoritative
              and will be installed without checking whether it is valid for
              the IPA domain.
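
Because a certificate given with --ca-cert-file is installed without validation, an added example (not FreeIPA code) of a pre-flight check an administrator can run first: confirm the path is absolute and the file is PEM, then compare its SHA-256 fingerprint with one obtained out of band from the IPA administrator. The PEM body below is a constructed stand-in wrapped in certificate armor, not a real certificate.

```python
import base64
import hashlib
import os
import re

# Constructed stand-in for CA_FILE contents: the base64 body is NOT a real
# certificate, just known bytes in PEM armor so the parser has input to work on.
FAKE_DER = b"constructed-not-a-real-certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(FAKE_DER).decode()
              + "-----END CERTIFICATE-----\n")

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(text):
    """Return the DER bytes of the first CERTIFICATE block; raise ValueError if
    the text is not PEM or the base64 body is malformed."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(der):
    """Colon-separated uppercase SHA-256 fingerprint of the DER bytes."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_ca_file(path, text, expected_fingerprint):
    """Pre-flight for --ca-cert-file: absolute path, PEM-formatted, and its
    fingerprint matches the value obtained out of band. Returns (ok, detail)."""
    if not os.path.isabs(path):
        return False, "CA_FILE must be an absolute path"
    try:
        der = pem_to_der(text)
    except ValueError as exc:
        return False, str(exc)
    fp = fingerprint(der)
    if fp != expected_fingerprint.upper():
        return False, "fingerprint mismatch: file has %s" % fp
    return True, fp
```

On a real host, call check_ca_file with the path you intend to pass and the file's contents, e.g. check_ca_file(path, open(path).read(), expected).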
139
140
141 SSSD OPTIONS
142 --permit
143 Configure SSSD to permit all access. Otherwise the machine will
144 be controlled by the Host-based Access Controls (HBAC) on the
145 IPA server.
146
147 --enable-dns-updates
148 This option tells SSSD to automatically update DNS with the IP
149 address of this client.
150
151 --no-krb5-offline-passwords
152 Configure SSSD not to store user password when the server is
153 offline.
154
155 -S, --no-sssd
156 Do not configure the client to use SSSD for authentication, use
157 nss_ldap instead.
158
159 --preserve-sssd
160 Disabled by default. When enabled, preserves old SSSD configura‐
161 tion if it is not possible to merge it with a new one. Effec‐
162 tively, if the merge is not possible due to SSSDConfig reader
163 encountering unsupported options, ipa-client-install will not
164 run further and ask to fix SSSD config first. When this option
165 is not specified, ipa-client-install will back up SSSD config
166 and create new one. The back up version will be restored during
167 uninstall.
168
169
170 UNINSTALL OPTIONS
171 --uninstall
172 Remove the IPA client software and restore the configuration to
173 the pre-IPA state.
174
175 -U, --unattended
176 Unattended uninstallation. The user will not be prompted.
177
178
FILES
       Files that will be replaced if SSSD is configured (default):

              /etc/sssd/sssd.conf

       Files that will be replaced if they exist and SSSD is not configured
       (--no-sssd):

              /etc/ldap.conf
              /etc/nss_ldap.conf
              /etc/libnss-ldap.conf
              /etc/pam_ldap.conf
              /etc/nslcd.conf

       Files replaced if NTP is enabled:

              /etc/ntp.conf
              /etc/sysconfig/ntpd
              /etc/ntp/step-tickers

       Files always created (replacing existing content):

              /etc/krb5.conf
              /etc/ipa/ca.crt
              /etc/ipa/default.conf
              /etc/openldap/ldap.conf

       Files updated, existing content is maintained:

              /etc/pki/nssdb
              /etc/krb5.keytab
              /etc/sysconfig/network

EXIT STATUS
       0      if the installation was successful

       1      if an error occurred

       2      if uninstalling and the client is not configured

       3      if installing and the client is already configured

       4      if an uninstall error occurred



FreeIPA                           Sep 5 2011              ipa-client-install(1)