ipa-adtrust-install(1)         IPA Manual Pages         ipa-adtrust-install(1)


NAME

       ipa-adtrust-install  -  Prepare  an  IPA server to be able to establish
       trust relationships with AD domains


SYNOPSIS

       ipa-adtrust-install [OPTION]...


DESCRIPTION

       Adds all necessary objects and configuration to allow an IPA server to
       create a trust to an Active Directory domain. This requires that the
       IPA server is already installed and configured.

       Please note that you will not be able to establish a trust to an
       Active Directory domain unless the realm name of the IPA server
       matches its domain name.

       ipa-adtrust-install can be run multiple times to reinstall deleted
       objects or broken configuration files. For example, a fresh samba
       configuration file (smb.conf) and registry based configuration can be
       created. Other items, such as the configuration of the local ID range,
       cannot be changed by running ipa-adtrust-install a second time,
       because changes there might affect other objects as well.


   Firewall Requirements
       In addition to the IPA server firewall requirements,
       ipa-adtrust-install requires the following ports to be open to allow
       IPA and Active Directory to communicate with each other:

       TCP Ports

              · 135/tcp EPMAP

              · 138/tcp NetBIOS-DGM

              · 139/tcp NetBIOS-SSN

              · 445/tcp Microsoft-DS

              · 1024/tcp through 1300/tcp to allow EPMAP on port 135/tcp to
                create a TCP listener based on an incoming request.

              · 3268/tcp Microsoft-GC

       UDP Ports

              · 138/udp NetBIOS-DGM

              · 139/udp NetBIOS-SSN

              · 389/udp LDAP

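       The following script is an added example and is not part of
       ipa-adtrust-install or this man page. It opens the ports listed above
       with firewalld and, once they are applied, reports which of the single
       TCP ports still have no local listener, since a firewall rule for a
       port that nothing answers on only hides a broken trust setup. The use
       of firewalld rather than another host firewall, the zone name "public"
       and the presence of the ss utility are assumptions of the example, not
       requirements stated by this page.

```shell
#!/bin/sh
# Added example (not part of ipa-adtrust-install or this man page): opens the
# ports listed under "Firewall Requirements" in firewalld and checks which of
# the single TCP ports already have a local listener.
# Assumptions not stated on the page: firewalld is the host firewall, the
# relevant zone is "public" (override with ZONE=...), and `ss` is installed.
set -eu

ZONE="${ZONE:-public}"
MODE="${1:-}"      # "--apply" changes the firewall; anything else only prints

# Port list transcribed from the "Firewall Requirements" section above.
trust_ports() {
    cat <<'EOF'
135/tcp
138/tcp
139/tcp
445/tcp
1024-1300/tcp
3268/tcp
138/udp
139/udp
389/udp
EOF
}

# One permanent firewall-cmd rule per port; printed unless --apply was given.
open_trust_ports() {
    trust_ports | while IFS= read -r port; do
        if [ "$MODE" = "--apply" ]; then
            firewall-cmd --permanent --zone="$ZONE" --add-port="$port"
        else
            printf 'firewall-cmd --permanent --zone=%s --add-port=%s\n' "$ZONE" "$port"
        fi
    done
    if [ "$MODE" = "--apply" ]; then
        firewall-cmd --reload
    fi
}

# Return 0 if PORT appears as a local TCP listener in SS_TEXT, the output of
# `ss -Hltn` (column 4 is "addr:port"; the port is the text after the last ':').
tcp_listener_present() {
    port="$1"; ss_text="$2"
    printf '%s\n' "$ss_text" | awk -v p="$port" '
        { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit !found }'
}

# Opening the firewall is pointless if nothing answers behind it: report the
# single TCP ports that have no listener yet. The 1024-1300 range is skipped
# on purpose, as EPMAP allocates listeners there on demand.
check_trust_listeners() {
    ss_text="$(ss -Hltn)"
    trust_ports | grep '/tcp$' | grep -v -- '-' | while IFS= read -r port; do
        p="${port%/tcp}"
        if tcp_listener_present "$p" "$ss_text"; then
            printf 'port %s/tcp: listener present\n' "$p"
        else
            printf 'port %s/tcp: NO local listener\n' "$p"
        fi
    done
}

open_trust_ports
if [ "$MODE" = "--apply" ]; then
    check_trust_listeners
fi
```

       Run it without arguments to print the firewall-cmd lines, or with
       --apply to execute them and run the listener check. Where your
       firewalld version ships a freeipa-trust service definition,
       --add-service=freeipa-trust is the shorter equivalent of the port
       list; compare its contents with the list above before relying on it.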

OPTIONS

       -d, --debug
              Enable debug logging when more verbose output is needed.

       --netbios-name=NETBIOS_NAME
              The NetBIOS name for the IPA domain. If not provided, it is
              derived from the leading component of the DNS domain name.
              Running ipa-adtrust-install a second time with a different
              NetBIOS name will change the name. Please note that changing
              the NetBIOS name might break existing trust relationships to
              other domains.

       --add-sids
              Add SIDs to existing users and groups as one of the final steps
              of the ipa-adtrust-install run. If there are many existing
              users and groups and several replicas in the environment, this
              operation can cause high replication traffic and degrade the
              performance of all IPA servers in the environment. To avoid
              this, SID generation can be left out of the ipa-adtrust-install
              run and scheduled independently. To start the task later, load
              an edited version of ipa-sidgen-task-run.ldif into the
              directory server with the ldapmodify command.

       --add-agents
              Add IPA masters to the list of servers allowed to serve
              information about users from trusted forests. Starting with IPA
              4.2, a regular IPA master can provide this information to SSSD
              clients. IPA masters are not added to the list automatically,
              because the LDAP service on each of them has to be restarted.
              The host where ipa-adtrust-install is being run is added
              automatically.

              Note that IPA masters where ipa-adtrust-install was not run can
              serve information about users from trusted forests only if they
              are enabled via an ipa-adtrust-install run on another IPA
              master. SSSD version 1.13 or later is required on an IPA master
              for it to act as a trust agent.

       -U, --unattended
              An unattended installation that will never prompt for user
              input.

       --rid-base=RID_BASE
              First RID value of the local domain. The first POSIX ID of the
              local domain will be assigned to this RID, the second to RID+1
              and so on. See the online help of the idrange CLI for details.

       --secondary-rid-base=SECONDARY_RID_BASE
              Start value of the secondary RID range, which is only used in
              the case a user and a group share numerically the same POSIX
              ID. See the online help of the idrange CLI for details.

       -A, --admin-name=ADMIN_NAME
              The name of the user with administrative privileges for this IPA
              server. Defaults to 'admin'.

       -a, --admin-password=password
              The password of the user with administrative privileges for this
              IPA server. Will be asked for interactively if -U is not
              specified.

       The credentials of the admin user are used to obtain a Kerberos ticket
       before configuring cross-realm trust support, and again afterwards, to
       ensure that the ticket contains the MS-PAC information required to
       actually add a trust with an Active Directory domain via the 'ipa
       trust-add --type=ad' command.

       --enable-compat
              Enables support for trusted domain users on old clients through
              the Schema Compatibility plugin. SSSD supports trusted domains
              natively starting with version 1.9. For platforms that lack SSSD
              or run an older SSSD version, this option is needed. When
              enabled, the slapi-nis package needs to be installed and
              schema-compat-plugin will be configured to provide lookup of
              users and groups from trusted domains via SSSD on the IPA
              server. These users and groups will be available under the
              cn=users,cn=compat,$SUFFIX and cn=groups,cn=compat,$SUFFIX
              trees. SSSD will normalize the names of users and groups to
              lower case.

              In addition to providing these users and groups through the
              compat tree, this option enables authentication over LDAP for
              trusted domain users with a DN under the compat tree, i.e.
              using the bind DN
              uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.

              LDAP authentication performed by the compat tree is done via
              the PAM 'system-auth' service. This service exists by default
              on Linux systems and is provided by the pam package as
              /etc/pam.d/system-auth. If your IPA install does not have the
              default HBAC rule 'allow_all' enabled, then make sure to define
              a special HBAC service called 'system-auth' in IPA and create an
              HBAC rule that allows anyone access to this service on the IPA
              masters.

              As the 'system-auth' PAM service is not used directly by any
              other application, it is safe to use it for trusted domain
              users via the compatibility path.

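       The following script is an added example and is not part of
       ipa-adtrust-install or this man page. It covers the two checks that
       follow from the description above: creating the 'system-auth' HBAC
       service and a rule that allows any user to it on the IPA masters, and
       then testing that a trusted domain user can actually bind through the
       compat tree. The rule name allow_system_auth, the host names
       ipa1.example.test and ipa2.example.test, the trusted user
       Administrator@ad.example.test and the suffix dc=example,dc=test are
       placeholders chosen for the example; the ipa subcommands used are the
       standard hbacsvc-add, hbacrule-add, hbacrule-add-service,
       hbacrule-add-host and hbactest.

```shell
#!/bin/sh
# Added example (not part of ipa-adtrust-install): what to set up and check
# after --enable-compat, 1) an HBAC rule that lets trusted-domain users
# through the 'system-auth' PAM service on the IPA masters and 2) an LDAP
# bind against the compat tree for one of those users.
# Assumptions not stated on the page: the rule name "allow_system_auth" and
# the host, user and suffix names are placeholders chosen for this example.
set -eu

SUFFIX="${SUFFIX:-dc=example,dc=test}"
MODE="${1:-}"      # "--apply" runs the ipa/ldap commands; otherwise print them

run() {
    if [ "$MODE" = "--apply" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Bind DN for a trusted user in the compat tree. SSSD exposes the names in
# lower case, so "Administrator@AD.EXAMPLE.TEST" must be folded before use.
compat_bind_dn() {
    name="$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
    printf 'uid=%s,cn=users,cn=compat,%s\n' "$name" "$SUFFIX"
}

# Create the HBAC service and a rule allowing any user to it on the given
# masters; needed whenever the default allow_all rule has been disabled.
# "already exists" is not an error for the two add commands.
ensure_system_auth_hbac() {
    rule="allow_system_auth"
    run ipa hbacsvc-add system-auth || true
    run ipa hbacrule-add "$rule" --usercat=all || true
    run ipa hbacrule-add-service "$rule" --hbacsvcs=system-auth
    for master in "$@"; do
        run ipa hbacrule-add-host "$rule" --hosts="$master"
    done
}

# Simulate the HBAC decision, then do a real simple bind through the compat
# tree; that bind is what the compat plugin turns into a PAM system-auth call.
test_compat_login() {
    user="$1"; master="$2"
    dn="$(compat_bind_dn "$user")"
    run ipa hbactest --user="$user" --host="$master" --service=system-auth
    run ldapwhoami -x -H "ldap://$master" -D "$dn" -W
}

ensure_system_auth_hbac ipa1.example.test ipa2.example.test
test_compat_login Administrator@ad.example.test ipa1.example.test
```

       Run it without arguments to print the commands, or with --apply after
       obtaining an admin ticket to execute them; ldapwhoami asks for the
       trusted user's password and prints the bound identity on success. If
       hbactest reports access denied while the bind still succeeds, check
       which of the masters is actually answering the LDAP request, as the
       rule only covers the hosts it was given.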

       EXIT STATUS
              0 if the installation was successful

              1 if an error occurred


IPA                              April 11 2017          ipa-adtrust-install(1)