ipa-server-install(1)          IPA Manual Pages          ipa-server-install(1)

NAME
       ipa-server-install - Configure an IPA server

SYNOPSIS
       ipa-server-install [OPTION]...

DESCRIPTION
       Configures the services needed by an IPA server. This includes setting
       up a Kerberos Key Distribution Center (KDC) and a Kadmin daemon with an
       LDAP back-end, configuring Apache, configuring NTP and optionally
       configuring and starting an LDAP-backed DNS server. By default a
       dogtag-based CA will be configured to issue server certificates.

OPTIONS
   BASIC OPTIONS
       -r REALM_NAME, --realm=REALM_NAME
              The Kerberos realm name for the new IPA deployment.

              It is strongly recommended to use an upper-cased name of the
              primary DNS domain name of your IPA deployment. You will not be
              able to establish trust with Active Directory unless the realm
              name is the upper-cased domain name.

              The realm name cannot be changed after the installation.

       -n DOMAIN_NAME, --domain=DOMAIN_NAME
              The primary DNS domain of the IPA deployment, e.g. example.com.
              This DNS domain should contain the SRV records generated by the
              IPA server installer. The specified DNS domain must not contain
              DNS records of any other LDAP or Kerberos based management
              system (like Active Directory or MIT Kerberos).

              It is strongly recommended to use a lower-cased name of the IPA
              Kerberos realm name.

              The primary DNS domain name cannot be changed after the
              installation.

       -p DM_PASSWORD, --ds-password=DM_PASSWORD
              The password to be used by the Directory Server for the
              Directory Manager user.

       -a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
              The password for the IPA admin user.

       --mkhomedir
              Create home directories for users on their first login.

       --hostname=HOST_NAME
              The fully-qualified DNS name of this server.

       --ip-address=IP_ADDRESS
              The IP address of this server. If this address does not match
              the address the host resolves to and --setup-dns is not
              selected, the installation will fail. If the server hostname is
              not resolvable, a record for the hostname and IP_ADDRESS is
              added to /etc/hosts. This option can be used multiple times to
              specify more IP addresses of the server (e.g. a multihomed
              and/or dual-stacked server).

       -N, --no-ntp
              Do not configure NTP.

       --idstart=IDSTART
              The starting user and group id number (default random).

       --idmax=IDMAX
              The maximum user and group id number (default: idstart+199999).
              If set to zero, the default value will be used.

       --no-hbac-allow
              Don't install the allow_all HBAC rule. This rule lets any user
              from any host access any service on any other host. It is
              expected that users will remove this rule before moving to
              production.

       --ignore-topology-disconnect
              Ignore errors reported when IPA server uninstall would lead to a
              disconnected topology. This option can be used only when the
              domain level is 1 or more.

       --ignore-last-of-role
              Ignore errors reported when IPA server uninstall would lead to
              removal of the last CA/DNS server or DNSSEC master. This option
              can be used only when the domain level is 1 or more.

       --no-ui-redirect
              Do not automatically redirect to the Web UI.

       --ssh-trust-dns
              Configure the OpenSSH client to trust DNS SSHFP records.

       --no-ssh
              Do not configure the OpenSSH client.

       --no-sshd
              Do not configure the OpenSSH server.

       -d, --debug
              Enable debug logging when more verbose output is needed.

       -U, --unattended
              An unattended installation that will never prompt for user
              input.

       --dirsrv-config-file
              The path to an LDIF file that will be used to modify the
              configuration of dse.ldif during installation of the directory
              server instance.

   CERTIFICATE SYSTEM OPTIONS
       --external-ca
              Generate a CSR for the IPA CA certificate to be signed by an
              external CA.

       --external-ca-type=TYPE
              Type of the external CA. Possible values are "generic", "ms-cs".
              Default value is "generic". Use "ms-cs" to include the template
              name required by Microsoft Certificate Services (MS CS) in the
              generated CSR (see --external-ca-profile for full details).

       --external-ca-profile=PROFILE_SPEC
              Specify the certificate profile or template to use at the
              external CA.

              When --external-ca-type is "ms-cs" the following specifiers may
              be used:

              <oid>:<majorVersion>[:<minorVersion>]
                     Specify a certificate template by OID and major version,
                     optionally also specifying minor version.

              <name> Specify a certificate template by name. The name cannot
                     contain any : characters and cannot be an OID (otherwise
                     the OID-based template specifier syntax takes
                     precedence).

              default
                     If no template is specified, the template name "SubCA" is
                     used.

       --external-cert-file=FILE
              File containing the IPA CA certificate and the external CA
              certificate chain. The file is accepted in PEM and DER
              certificate and PKCS#7 certificate chain formats. This option
              may be used multiple times.

       --no-pkinit
              Disables pkinit setup steps. This is the default and only
              allowed behavior on domain level 0.

       --dirsrv-cert-file=FILE
              File containing the Directory Server SSL certificate and private
              key. The files are accepted in PEM and DER certificate, PKCS#7
              certificate chain, PKCS#8 and raw private key and PKCS#12
              formats. This option may be used multiple times.

       --http-cert-file=FILE
              File containing the Apache Server SSL certificate and private
              key. The files are accepted in PEM and DER certificate, PKCS#7
              certificate chain, PKCS#8 and raw private key and PKCS#12
              formats. This option may be used multiple times.

       --pkinit-cert-file=FILE
              File containing the Kerberos KDC SSL certificate and private
              key. The files are accepted in PEM and DER certificate, PKCS#7
              certificate chain, PKCS#8 and raw private key and PKCS#12
              formats. This option may be used multiple times.

       --dirsrv-pin=PIN
              The password to unlock the Directory Server private key.

       --http-pin=PIN
              The password to unlock the Apache Server private key.

       --pkinit-pin=PIN
              The password to unlock the Kerberos KDC private key.

       --dirsrv-cert-name=NAME
              Name of the Directory Server SSL certificate to install.

       --http-cert-name=NAME
              Name of the Apache Server SSL certificate to install.

       --pkinit-cert-name=NAME
              Name of the Kerberos KDC SSL certificate to install.

       --ca-cert-file=FILE
              File containing the CA certificate of the CA which issued the
              Directory Server, Apache Server and Kerberos KDC certificates.
              The file is accepted in PEM and DER certificate and PKCS#7
              certificate chain formats. This option may be used multiple
              times. Use this option if the CA certificate is not present in
              the certificate files.

       --ca-subject=SUBJECT
              The CA certificate subject DN (default CN=Certificate
              Authority,O=REALM.NAME). RDNs are in LDAP order (most specific
              RDN first).

       --subject-base=SUBJECT
              The subject base for certificates issued by IPA (default
              O=REALM.NAME). RDNs are in LDAP order (most specific RDN
              first).

       --ca-signing-algorithm=ALGORITHM
              Signing algorithm of the IPA CA certificate. Possible values are
              SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is
              SHA256withRSA. Use this option with --external-ca if the
              external CA does not support the default signing algorithm.

   SECRET MANAGEMENT OPTIONS
       --setup-kra
              Install and configure a KRA on this server.

   DNS OPTIONS
       IPA provides an integrated DNS server which can be used to simplify IPA
       deployment. If you decide to use it, IPA will automatically maintain
       SRV and other service records when you change your topology.

       The DNS component in IPA is optional and you may choose to manage all
       your DNS records manually on another third party DNS server. IPA DNS is
       not a general-purpose DNS server. If you need advanced features like
       DNS views, do not deploy IPA DNS.

       --setup-dns
              Configure an integrated DNS server, create the DNS zone
              specified by --domain, and fill it with the service records
              necessary for IPA deployment. In cases where the IPA server name
              does not belong to the primary DNS domain and is not resolvable
              using DNS, create a DNS zone containing the IPA server name as
              well.

              This option requires that you either specify at least one DNS
              forwarder through the --forwarder option or use the
              --no-forwarders option.

              Note that you can set up DNS at any time after the initial IPA
              server install by running ipa-dns-install (see
              ipa-dns-install(1)). IPA DNS cannot be uninstalled.

       --forwarder=IP_ADDRESS
              Add a DNS forwarder to the DNS configuration. You can use this
              option multiple times to specify more forwarders, but at least
              one must be provided, unless the --no-forwarders option is
              specified.

       --no-forwarders
              Do not add any DNS forwarders. Root DNS servers will be used
              instead.

       --auto-forwarders
              Add the DNS forwarders configured in /etc/resolv.conf to the
              list of forwarders used by IPA DNS.

       --forward-policy=first|only
              DNS forwarding policy for global forwarders specified using
              other options. Defaults to first if no IP address belonging to
              a private or reserved range (RFC 6303) is detected on local
              interfaces. Defaults to only if a private IP address is
              detected.
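       The default chosen for --forward-policy matters: with "first" the
       server falls back to recursion against the root servers when a
       forwarder does not answer, which for a host on a private network
       leaks internal names and never resolves the locally served reverse
       zones. The function below is an added example, not part of
       ipa-server-install, that reproduces the documented rule from a list
       of interface addresses. It assumes IPv4 only and uses the RFC 6303
       section 4 ranges as the definition of "private or reserved"; the
       addresses in the sample call are constructed, and the ip(8) one-liner
       in the comment is an assumption about iproute2 output.

```shell
#!/bin/sh
# Added example reproducing the documented --forward-policy default. Not
# part of ipa-server-install: given the IPv4 addresses of the local
# interfaces it answers "only" when any address lies in a range whose
# reverse zone RFC 6303 says is served locally, otherwise "first".
# Assumptions: IPv4 only; the RFC 6303 section 4 list defines "private or
# reserved".

# Return 0 if $1 is inside one of the RFC 6303 IPv4 ranges.
in_rfc6303_range() {
    case $1 in
        0.*|10.*|127.*|169.254.*|192.168.*) return 0 ;;   # "this" net, RFC 1918, loopback, link-local
        192.0.2.*|198.51.100.*|203.0.113.*) return 0 ;;   # documentation prefixes
        255.255.255.255) return 0 ;;                      # limited broadcast
        172.*)
            second=${1#172.}
            second=${second%%.*}
            case $second in ''|*[!0-9]*) return 1 ;; esac
            if [ "$second" -ge 16 ] && [ "$second" -le 31 ]; then
                return 0                                  # 172.16.0.0/12
            fi
            return 1
            ;;
        *) return 1 ;;
    esac
}

# Print the default forwarding policy for the given interface addresses.
forward_policy_default() {
    for addr in "$@"; do
        if in_rfc6303_range "$addr"; then
            echo only
            return 0
        fi
    done
    echo first
}

# On a live host, feed the real interface addresses in (iproute2 syntax,
# assumed; not exercised offline):
#   forward_policy_default $(ip -4 -o addr | awk '{ sub("/.*", "", $4); print $4 }')

# Constructed sample: 100.64.0.1 (shared address space, not in the RFC 6303
# list) alone gives "first"; adding a 10/8 address flips it to "only".
forward_policy_default 100.64.0.1
forward_policy_default 100.64.0.1 10.1.2.3
```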

       --reverse-zone=REVERSE_ZONE
              The reverse DNS zone to use. This option can be used multiple
              times to specify multiple reverse zones.

       --no-reverse
              Do not create a reverse DNS zone.

       --auto-reverse
              Try to resolve reverse records and reverse zones for server IP
              addresses. If neither is resolvable, create the reverse zones.

       --zonemgr
              The e-mail address of the DNS zone manager. Defaults to
              hostmaster@DOMAIN.

       --no-host-dns
              Do not use DNS for hostname lookup during installation.

       --no-dns-sshfp
              Do not automatically create DNS SSHFP records.

       --no-dnssec-validation
              Disable DNSSEC validation on this server.

       --allow-zone-overlap
              Allow creation of a (reverse) zone even if the zone is already
              resolvable. Using this option is discouraged as it results in
              later problems with domain name resolution.

   AD TRUST OPTIONS
       --setup-adtrust
              Configure AD Trust capability.

       --netbios-name=NETBIOS_NAME
              The NetBIOS name for the IPA domain. If not provided, this is
              determined based on the leading component of the DNS domain
              name. Running ipa-adtrust-install a second time with a
              different NetBIOS name will change the name. Please note that
              changing the NetBIOS name might break existing trust
              relationships to other domains.

       --rid-base=RID_BASE
              First RID value of the local domain. The first POSIX ID of the
              local domain will be assigned to this RID, the second to RID+1
              etc. See the online help of the idrange CLI for details.

       --secondary-rid-base=SECONDARY_RID_BASE
              Start value of the secondary RID range, which is only used in
              the case a user and a group share numerically the same POSIX ID.
              See the online help of the idrange CLI for details.

       --enable-compat
              Enables support for trusted domain users for old clients
              through the Schema Compatibility plugin. SSSD supports trusted
              domains natively starting with version 1.9. For platforms that
              lack SSSD or run an older SSSD version this option is needed.
              When enabled, the slapi-nis package needs to be installed and
              schema-compat-plugin will be configured to provide lookup of
              users and groups from trusted domains via SSSD on the IPA
              server. These users and groups will be available under the
              cn=users,cn=compat,$SUFFIX and cn=groups,cn=compat,$SUFFIX
              trees. SSSD will normalize names of users and groups to lower
              case.

              In addition to providing these users and groups through the
              compat tree, this option enables authentication over LDAP for
              trusted domain users with a DN under the compat tree, i.e. using
              the bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.

              LDAP authentication performed by the compat tree is done via the
              PAM 'system-auth' service. This service exists by default on
              Linux systems and is provided by the pam package as
              /etc/pam.d/system-auth. If your IPA install does not have the
              default HBAC rule 'allow_all' enabled, then make sure to define
              a special IPA service called 'system-auth' and create an HBAC
              rule that allows everyone access to this service on IPA
              masters.

              As the 'system-auth' PAM service is not used directly by any
              other application, it is safe to use it for trusted domain users
              via the compatibility path.

   UNINSTALL OPTIONS
       --uninstall
              Uninstall an existing IPA installation.

       -U, --unattended
              An unattended uninstallation that will never prompt for user
              input.

DEPRECATED OPTIONS
       -P MASTER_PASSWORD, --master-password=MASTER_PASSWORD
              The kerberos master password (normally autogenerated).

EXIT STATUS
       0 if the (un)installation was successful

       1 if an error occurred

SEE ALSO
       ipa-dns-install(1) ipa-adtrust-install(1)

IPA                             Feb 17 2017              ipa-server-install(1)