ipa-replica-install(1)         IPA Manual Pages         ipa-replica-install(1)


NAME

       ipa-replica-install - Create an IPA replica

SYNOPSIS

   DOMAIN LEVEL 0
       ipa-replica-install [OPTION]... [replica_file]

   DOMAIN LEVEL 1
       ipa-replica-install [OPTION]...

DESCRIPTION

       Configures a new IPA server that is a replica of an existing server.
       Once it has been created it is an exact copy of the original IPA
       server and is an equal master. Changes made to any master are
       automatically replicated to other masters.

       To create a replica in a domain at domain level 0, you need to
       provide a replica file. The replica_file is created using the
       ipa-replica-prepare utility.

       To create a replica in a domain at domain level 1, you don't have to
       provide a replica file; the machine only needs to be enrolled in the
       IPA domain first. This process of turning the IPA client into a
       replica is also referred to as replica promotion.

       If you're starting with an existing IPA client, simply run
       ipa-replica-install to have it promoted into a replica.

       To promote a blank machine into a replica, you have two options: you
       can either run ipa-client-install in a separate step, or pass the
       enrollment related options to ipa-replica-install (see DOMAIN LEVEL
       1 CLIENT ENROLLMENT OPTIONS). In the latter case, ipa-replica-install
       will join the machine to the IPA realm automatically and will proceed
       with the promotion step.

       If the installation fails you may need to run ipa-server-install
       --uninstall and ipa-client-install before running ipa-replica-install
       again.

       The installation will fail if the host you are installing the replica
       on already exists as a host in IPA or an existing replication
       agreement exists (for example, from a previously failed installation).

       A replica should only be installed on a system running the same or a
       higher version of IPA than the remote master.


OPTIONS

   DOMAIN LEVEL 1 OPTIONS
       -P, --principal
              The user principal which will be used to promote the client to
              the replica and enroll the client itself, if necessary.

       -w, --admin-password
              The Kerberos password for the given principal.


   DOMAIN LEVEL 1 CLIENT ENROLLMENT OPTIONS
       To install a client and promote it to a replica using a host keytab
       or One Time Password, the host needs to be a member of the ipaservers
       host group. This requires creating a host entry and adding it to the
       host group prior to replica installation.

       The --server, --domain and --realm options are autodiscovered via DNS
       records by default. See manual page ipa-client-install(1) for further
       details about these options.


       -p PASSWORD, --password=PASSWORD
              One Time Password for joining a machine to the IPA realm.

       -k, --keytab
              Path to host keytab.

       --server
              The fully qualified domain name of the IPA server to enroll to.

       -n, --domain=DOMAIN
              The primary DNS domain of an existing IPA deployment, e.g.
              example.com. This DNS domain should contain the SRV records
              generated by the IPA server installer.

       -r, --realm=REALM_NAME
              The Kerberos realm of an existing IPA deployment.

       --hostname
              The hostname of this machine (FQDN). If specified, the hostname
              will be set and the system configuration will be updated to
              persist over reboot.

       --force-join
              Join the host even if it is already enrolled.


   DOMAIN LEVEL 0 OPTIONS
       -p PASSWORD, --password=PASSWORD
              Directory Manager (existing master) password

       -w, --admin-password
              Admin user Kerberos password used for connection check


   BASIC OPTIONS
       --ip-address=IP_ADDRESS
              The IP address of this server. If this address does not match
              the address the host resolves to and --setup-dns is not
              selected, the installation will fail. If the server hostname is
              not resolvable, a record for the hostname and IP_ADDRESS is
              added to /etc/hosts. This option can be used multiple times to
              specify more IP addresses of the server (e.g. multihomed and/or
              dualstacked server).

       --mkhomedir
              Create home directories for users on their first login

       -N, --no-ntp
              Do not configure NTP

       --no-ui-redirect
              Do not automatically redirect to the Web UI.

       --ssh-trust-dns
              Configure OpenSSH client to trust DNS SSHFP records.

       --no-ssh
              Do not configure OpenSSH client.

       --no-sshd
              Do not configure OpenSSH server.

       --skip-conncheck
              Skip connection check to remote master

       -d, --debug
              Enable debug logging when more verbose output is needed

       -U, --unattended
              An unattended installation that will never prompt for user input

       --dirsrv-config-file
              The path to an LDIF file that will be used to modify the
              configuration of dse.ldif during installation of the directory
              server instance


   CERTIFICATE SYSTEM OPTIONS
       --setup-ca
              Install and configure a CA on this replica. If a CA is not
              configured then certificate operations will be forwarded to a
              master with a CA installed.

       --no-pkinit
              Disables pkinit setup steps. This is the default and only
              allowed behavior on domain level 0.

       --dirsrv-cert-file=FILE
              File containing the Directory Server SSL certificate and
              private key

       --http-cert-file=FILE
              File containing the Apache Server SSL certificate and private
              key

       --pkinit-cert-file=FILE
              File containing the Kerberos KDC SSL certificate and private key

       --dirsrv-pin=PIN
              The password to unlock the Directory Server private key

       --http-pin=PIN
              The password to unlock the Apache Server private key

       --pkinit-pin=PIN
              The password to unlock the Kerberos KDC private key

       --dirsrv-cert-name=NAME
              Name of the Directory Server SSL certificate to install

       --http-cert-name=NAME
              Name of the Apache Server SSL certificate to install

       --pkinit-cert-name=NAME
              Name of the Kerberos KDC SSL certificate to install

       --skip-schema-check
              Skip check for updated CA DS schema on the remote master


   SECRET MANAGEMENT OPTIONS
       --setup-kra
              Install and configure a KRA on this replica. If a KRA is not
              configured then vault operations will be forwarded to a master
              with a KRA installed.


   DNS OPTIONS
       --setup-dns
              Configure an integrated DNS server, create a primary DNS zone
              (name specified by --domain or taken from an existing
              deployment), and fill it with service records necessary for
              IPA deployment. In cases where the IPA server name does not
              belong to the primary DNS domain and is not resolvable using
              DNS, create a DNS zone containing the IPA server name as well.

              This option requires that you either specify at least one DNS
              forwarder through the --forwarder option or use the
              --no-forwarders option.

              Note that you can set up a DNS at any time after the initial
              IPA server install by running ipa-dns-install (see
              ipa-dns-install(1)). IPA DNS cannot be uninstalled.

       --forwarder=IP_ADDRESS
              Add a DNS forwarder to the DNS configuration. You can use this
              option multiple times to specify more forwarders, but at least
              one must be provided, unless the --no-forwarders option is
              specified.

       --no-forwarders
              Do not add any DNS forwarders. Root DNS servers will be used
              instead.

       --auto-forwarders
              Add DNS forwarders configured in /etc/resolv.conf to the list
              of forwarders used by IPA DNS.

       --forward-policy=first|only
              DNS forwarding policy for global forwarders specified using
              other options. Defaults to first if no IP address belonging to
              a private or reserved range (RFC 6303) is detected on local
              interfaces. Defaults to only if a private IP address is
              detected.
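
              The default described above, worked through as an added
              example that is not FreeIPA's own code: the range list is
              taken from RFC 6303 section 4 (which ranges the installer
              actually checks is an assumption), and the interface address
              sets are constructed.

```python
import ipaddress

# Address ranges whose reverse zones RFC 6303 section 4 says a resolver
# should answer locally: RFC 1918 private space, loopback, link-local,
# documentation ranges, plus their IPv6 counterparts. Assumed to be the
# "private or reserved ranges" the man page refers to.
RFC6303_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",      # RFC 1918
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",         # this-net, loopback, link-local
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",  # documentation
    "255.255.255.255/32",                                 # limited broadcast
    "::/128", "::1/128", "fd00::/8", "fe80::/10",         # unspecified, loopback, ULA, link-local
    "2001:db8::/32",                                      # IPv6 documentation
)]


def is_locally_served(addr):
    """True if addr lies in a range that RFC 6303 lists as locally served."""
    ip = ipaddress.ip_address(addr)
    # A v4 address is never "in" a v6 network (and vice versa); ipaddress
    # answers False for the version mismatch instead of raising.
    return any(ip in net for net in RFC6303_RANGES)


def default_forward_policy(local_addresses):
    """Derive the documented --forward-policy default from interface addresses.

    'first' lets a query the forwarders cannot answer fall through to the
    root servers. 'only' keeps every query on the configured forwarders, so
    a host sitting on private address space does not leak lookups for
    RFC 6303 ranges (reverse zones for 10/8, 192.168/16, ...) to the
    Internet.
    """
    if any(is_locally_served(a) for a in local_addresses):
        return "only"
    return "first"


if __name__ == "__main__":
    # Constructed sample interface address sets; not read from a real host.
    samples = [
        ["93.184.216.34"],                  # public only -> first
        ["93.184.216.34", "10.20.30.40"],   # private leg present -> only
    ]
    for addrs in samples:
        print(addrs, "->", default_forward_policy(addrs))
```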

       --reverse-zone=REVERSE_ZONE
              The reverse DNS zone to use. This option can be used multiple
              times to specify multiple reverse zones.

       --no-reverse
              Do not create a new reverse DNS zone. If a reverse DNS zone
              already exists for the subnet, it will be used.

       --auto-reverse
              Create necessary reverse zones

       --allow-zone-overlap
              Create DNS zone even if it already exists

       --no-host-dns
              Do not use DNS for hostname lookup during installation

       --no-dns-sshfp
              Do not automatically create DNS SSHFP records.

       --no-dnssec-validation
              Disable DNSSEC validation on this server.


   AD TRUST OPTIONS
       --setup-adtrust
              Configure AD Trust capability on a replica.

       --netbios-name=NETBIOS_NAME
              The NetBIOS name for the IPA domain. If not provided then this
              is determined based on the leading component of the DNS domain
              name. Running ipa-adtrust-install for a second time with a
              different NetBIOS name will change the name. Please note that
              changing the NetBIOS name might break existing trust
              relationships to other domains.

       --add-sids
              Add SIDs to existing users and groups as one of the final steps
              of the ipa-adtrust-install run. If there are many existing
              users and groups and a couple of replicas in the environment,
              this operation might lead to high replication traffic and a
              performance degradation of all IPA servers in the environment.
              To avoid this, the SID generation can be run after
              ipa-adtrust-install is run and scheduled independently. To
              start this task you have to load an edited version of
              ipa-sidgen-task-run.ldif into the directory server with the
              ldapmodify command.

       --add-agents
              Add IPA masters to the list of servers allowed to serve
              information about users from trusted forests. Starting with IPA
              4.2, a regular IPA master can provide this information to SSSD
              clients. IPA masters aren't added to the list automatically as
              a restart of the LDAP service on each of them is required. The
              host where ipa-adtrust-install is being run is added
              automatically.

              Note that IPA masters where ipa-adtrust-install wasn't run can
              serve information about users from trusted forests only if
              they are enabled via an ipa-adtrust-install run on any other
              IPA master. At least SSSD version 1.13 on the IPA master is
              required to be able to perform as a trust agent.

       --rid-base=RID_BASE
              First RID value of the local domain. The first Posix ID of the
              local domain will be assigned to this RID, the second to RID+1
              etc. See the online help of the idrange CLI for details.

       --secondary-rid-base=SECONDARY_RID_BASE
              Start value of the secondary RID range, which is only used in
              the case a user and a group share numerically the same Posix
              ID. See the online help of the idrange CLI for details.

       --enable-compat
              Enables support for trusted domain users on old clients through
              the Schema Compatibility plugin. SSSD supports trusted domains
              natively starting with version 1.9. For platforms that lack
              SSSD or run an older SSSD version, one needs to use this
              option. When enabled, the slapi-nis package needs to be
              installed and schema-compat-plugin will be configured to
              provide lookup of users and groups from trusted domains via
              SSSD on the IPA server. These users and groups will be
              available under the cn=users,cn=compat,$SUFFIX and
              cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of
              users and groups to lower case.

              In addition to providing these users and groups through the
              compat tree, this option enables authentication over LDAP for
              trusted domain users with a DN under the compat tree, i.e.
              using bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.

              LDAP authentication performed by the compat tree is done via
              the PAM 'system-auth' service. This service exists by default
              on Linux systems and is provided by the pam package as
              /etc/pam.d/system-auth. If your IPA install does not have the
              default HBAC rule 'allow_all' enabled, then make sure to define
              in IPA a special service called 'system-auth' and create an
              HBAC rule that allows anyone access to this service on IPA
              masters.

              As the 'system-auth' PAM service is not used directly by any
              other application, it is safe to use it for trusted domain
              users via the compatibility path.


EXIT STATUS

       0 if the command was successful

       1 if an error occurred

       3 if the host exists in the IPA server or a replication agreement to
       the remote master already exists



IPA                               Dec 19 2016           ipa-replica-install(1)