1ipa-adtrust-install(1) FreeIPA Manual Pages ipa-adtrust-install(1)
2
3
4
6 ipa-adtrust-install - Prepare an IPA server to be able to establish
7 trust relationships with AD domains
8
10 ipa-adtrust-install [OPTION]...
11
13 Adds all necessary objects and configuration to allow an IPA server to
14 create a trust to an Active Directory domain. This requires that the
15 IPA server is already installed and configured.
16
17 Please note you will not be able to establish a trust to an Active
18 Directory domain unless the realm name of the IPA server matches its
19 domain name.
20
21 ipa-adtrust-install can be run multiple times to reinstall deleted
22 objects or broken configuration files. E.g. a fresh samba configuration
23 (smb.conf) file and registry based configuration can be created. Other
24 items like e.g. the configuration of the local range cannot be changed
25 by running ipa-adtrust-install a second time because with changes here
26 other objects might be affected as well.
27
28
29 Firewall Requirements
30 In addition to the IPA server firewall requirements,
31 ipa-adtrust-install requires the following ports to be open to allow
32 IPA and Active Directory to communicate together:
33
34 TCP Ports
35
36 · 135/tcp EPMAP
37
38 · 138/tcp NetBIOS-DGM
39
40 · 139/tcp NetBIOS-SSN
41
42 · 445/tcp Microsoft-DS
43
44 · 1024/tcp through 1300/tcp to allow EPMAP on port 135/tcp to
45 create a TCP listener based on an incoming request.
46
47 · 3268/tcp Microsoft-GC
48
49 UDP Ports
50
51 · 138/udp NetBIOS-DGM
52
53 · 139/udp NetBIOS-SSN
54
55 · 389/udp LDAP
56
57
59 -d, --debug
60 Enable debug logging when more verbose output is needed.
61
62 --netbios-name=NETBIOS_NAME
63 The NetBIOS name for the IPA domain. If not provided then this
64 is determined based on the leading component of the DNS domain
65 name. Running ipa-adtrust-install for a second time with a dif‐
66 ferent NetBIOS name will change the name. Please note that
67 changing the NetBIOS name might break existing trust relation‐
68 ships to other domains.
69
70 --add-sids
71 Add SIDs to existing users and groups as one of the final steps
72 of the ipa-adtrust-install run. If there a many existing users
73 and groups and a couple of replicas in the environment this
74 operation might lead to a high replication traffic and a perfor‐
75 mance degradation of all IPA servers in the environment. To
76 avoid this the SID generation can be run after
77 ipa-adtrust-install is run and scheduled independently. To start
78 this task you have to load an edited version of ipa-sidgen-task-
79 run.ldif with the ldapmodify command info the directory server.
80
81 --add-agents
82 Add IPA masters to the list that allows to serve information
83 about users from trusted forests. Starting with FreeIPA 4.2, a
84 regular IPA master can provide this information to SSSD clients.
85 IPA masters aren't added to the list automatically as restart of
86 the LDAP service on each of them is required. The host where
87 ipa-adtrust-install is being run is added automatically.
88
89 Note that IPA masters where ipa-adtrust-install wasn't run, can
90 serve information about users from trusted forests only if they
91 are enabled via ipa-adtrust-install run on any other IPA master.
92 At least SSSD version 1.13 on IPA master is required to be able
93 to perform as a trust agent.
94
95 -U, --unattended
96 An unattended installation that will never prompt for user
97 input.
98
99 --rid-base=RID_BASE
100 First RID value of the local domain. The first POSIX ID of the
101 local domain will be assigned to this RID, the second to RID+1
102 etc. See the online help of the idrange CLI for details.
103
104 --secondary-rid-base=SECONDARY_RID_BASE
105 Start value of the secondary RID range, which is only used in
106 the case a user and a group share numerically the same POSIX ID.
107 See the online help of the idrange CLI for details.
108
109 -A, --admin-name=ADMIN_NAME
110 The name of the user with administrative privileges for this IPA
111 server. Defaults to 'admin'.
112
113 -a, --admin-password=password
114 The password of the user with administrative privileges for this
115 IPA server. Will be asked interactively if -U is not specified.
116
117 The credentials of the admin user will be used to obtain Kerberos
118 ticket before configuring cross-realm trusts support and afterwards, to
119 ensure that the ticket contains MS-PAC information required to actually
120 add a trust with Active Directory domain via 'ipa trust-add --type=ad'
121 command.
122
123 --enable-compat
124 Enables support for trusted domains users for old clients
125 through Schema Compatibility plugin. SSSD supports trusted
126 domains natively starting with version 1.9. For platforms that
127 lack SSSD or run older SSSD version one needs to use this
128 option. When enabled, slapi-nis package needs to be installed
129 and schema-compat-plugin will be configured to provide lookup of
130 users and groups from trusted domains via SSSD on IPA server.
131 These users and groups will be available under cn=users,cn=com‐
132 pat,$SUFFIX and cn=groups,cn=compat,$SUFFIX trees. SSSD will
133 normalize names of users and groups to lower case.
134
135 In addition to providing these users and groups through the com‐
136 pat tree, this option enables authentication over LDAP for
137 trusted domain users with DN under compat tree, i.e. using bind
138 DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.
139
140 LDAP authentication performed by the compat tree is done via PAM
141 'system-auth' service. This service exists by default on Linux
142 systems and is provided by pam package as /etc/pam.d/sys‐
143 tem-auth. If your IPA install does not have default HBAC rule
144 'allow_all' enabled, then make sure to define in IPA special
145 service called 'system-auth' and create an HBAC rule to allow
146 access to anyone to this rule on IPA masters.
147
148 As 'system-auth' PAM service is not used directly by any other
149 application, it is safe to use it for trusted domain users via
150 compatibility path.
151
152
153 EXIT STATUS
154 0 if the installation was successful
155
156 1 if an error occurred
157
158
159
160FreeIPA April 11 2017 ipa-adtrust-install(1)