ipa-server-install(1)          IPA Manual Pages          ipa-server-install(1)

NAME

       ipa-server-install - Configure an IPA server


SYNOPSIS

       ipa-server-install [OPTION]...


DESCRIPTION

       Configures the services needed by an IPA server. This includes setting
       up a Kerberos Key Distribution Center (KDC) and a Kadmin daemon with an
       LDAP back-end, configuring Apache, configuring NTP and optionally
       configuring and starting an LDAP-backed DNS server. By default a
       Dogtag-based CA will be configured to issue server certificates.



OPTIONS

   BASIC OPTIONS
       -r REALM_NAME, --realm=REALM_NAME
              The Kerberos realm name for the new IPA deployment.

              It is strongly recommended to use an upper-cased name of the
              primary DNS domain name of your IPA deployment. You will not be
              able to establish trust with Active Directory unless the realm
              name is the upper-cased domain name.

              The realm name cannot be changed after the installation.

       -n DOMAIN_NAME, --domain=DOMAIN_NAME
              The primary DNS domain of the IPA deployment, e.g. example.com.
              This DNS domain should contain the SRV records generated by the
              IPA server installer. The specified DNS domain must not contain
              DNS records of any other LDAP or Kerberos based management
              system (like Active Directory or MIT Kerberos).

              It is strongly recommended to use a lower-cased name of the IPA
              Kerberos realm name.

              The primary DNS domain name cannot be changed after the
              installation.

       -p DM_PASSWORD, --ds-password=DM_PASSWORD
              The password to be used by the Directory Server for the
              Directory Manager user.

       -a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
              The password for the IPA admin user.

       --mkhomedir
              Create home directories for users on their first login.

       --hostname=HOST_NAME
              The fully-qualified DNS name of this server.

       --ip-address=IP_ADDRESS
              The IP address of this server. If this address does not match
              the address the host resolves to and --setup-dns is not
              selected, the installation will fail. If the server hostname is
              not resolvable, a record for the hostname and IP_ADDRESS is
              added to /etc/hosts. This option can be used multiple times to
              specify more IP addresses of the server (e.g. multihomed and/or
              dualstacked server).

       --ntp-server=NTP_SERVER
              Configure chronyd to use this NTP server. This option can be
              used multiple times and it is used to specify exactly one time
              server.

       --ntp-pool=NTP_SERVER_POOL
              Configure chronyd to use this NTP server pool. This option is
              meant for a pool of multiple servers resolved as one host name.
              The pool's servers may vary but the pool address will stay the
              same, and chrony will choose only one server from this pool.

       -N, --no-ntp
              Do not configure NTP client (chronyd).

       --idstart=IDSTART
              The starting user and group id number (default random).

       --idmax=IDMAX
              The maximum user and group id number (default: idstart+199999).
              If set to zero, the default value will be used.

       --no-hbac-allow
              Don't install allow_all HBAC rule. This rule lets any user from
              any host access any service on any other host. It is expected
              that users will remove this rule before moving to production.

       --ignore-topology-disconnect
              Ignore errors reported when IPA server uninstall would lead to
              disconnected topology.

       --ignore-last-of-role
              Ignore errors reported when IPA server uninstall would lead to
              removal of last CA/DNS server or DNSSEC master.

       --no-ui-redirect
              Do not automatically redirect to the Web UI.

       --ssh-trust-dns
              Configure OpenSSH client to trust DNS SSHFP records.

       --no-ssh
              Do not configure OpenSSH client.

       --no-sshd
              Do not configure OpenSSH server.

       -d, --debug
              Enable debug logging when more verbose output is needed.

       -U, --unattended
              An unattended installation that will never prompt for user
              input.

       --dirsrv-config-file
              The path to LDIF file that will be used to modify configuration
              of dse.ldif during installation of the directory server
              instance.


   CERTIFICATE SYSTEM OPTIONS
       --external-ca
              Generate a CSR for the IPA CA certificate to be signed by an
              external CA.

       --external-ca-type=TYPE
              Type of the external CA. Possible values are "generic", "ms-cs".
              Default value is "generic". Use "ms-cs" to include the template
              name required by Microsoft Certificate Services (MS CS) in the
              generated CSR (see --external-ca-profile for full details).

       --external-ca-profile=PROFILE_SPEC
              Specify the certificate profile or template to use at the
              external CA.

              When --external-ca-type is "ms-cs" the following specifiers may
              be used:

              <oid>:<majorVersion>[:<minorVersion>]
                     Specify a certificate template by OID and major version,
                     optionally also specifying minor version.

              <name> Specify a certificate template by name. The name cannot
                     contain any : characters and cannot be an OID (otherwise
                     the OID-based template specifier syntax takes
                     precedence).

              default
                     If no template is specified, the template name "SubCA" is
                     used.

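              As an added illustration (my own code, not FreeIPA's), the
              following Python applies the "ms-cs" specifier rules above to a
              PROFILE_SPEC value. The class and function names are
              hypothetical, and rejecting a bare OID with no major version is
              my reading of the "cannot be an OID" rule; the sample OID in
              the self-check is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Union

# Dotted-decimal OID: two or more numeric arcs (assumption: no leading "." form).
_OID_RE = re.compile(r"^\d+(?:\.\d+)+$")


@dataclass(frozen=True)
class TemplateByOID:
    """MS CS template selected as <oid>:<majorVersion>[:<minorVersion>]."""
    oid: str
    major: int
    minor: Optional[int] = None


@dataclass(frozen=True)
class TemplateByName:
    """MS CS template selected by name; "SubCA" when no spec is given."""
    name: str


def parse_ms_cs_profile(spec: Optional[str]) -> Union[TemplateByOID, TemplateByName]:
    """Hypothetical helper: interpret --external-ca-profile for --external-ca-type=ms-cs.

    Man page rules: an OID followed by a major and optional minor version selects
    a template by OID; any other value is a template name, which may not contain
    ':' and may not itself be an OID; no value at all means the "SubCA" template.
    """
    if not spec:
        return TemplateByName("SubCA")
    parts = spec.split(":")
    if len(parts) == 1:
        if _OID_RE.match(spec):
            # A bare OID is neither a legal name nor a complete OID specifier.
            raise ValueError(f"{spec!r}: OID form is <oid>:<majorVersion>[:<minorVersion>]")
        return TemplateByName(spec)
    if len(parts) > 3 or not _OID_RE.match(parts[0]):
        raise ValueError(f"{spec!r}: names may not contain ':'; OID form is "
                         "<oid>:<majorVersion>[:<minorVersion>]")
    try:
        major = int(parts[1])
        minor = int(parts[2]) if len(parts) == 3 else None
    except ValueError:
        raise ValueError(f"{spec!r}: template version numbers must be integers") from None
    if major < 0 or (minor is not None and minor < 0):
        raise ValueError(f"{spec!r}: template version numbers must not be negative")
    return TemplateByOID(parts[0], major, minor)


def is_valid_ms_cs_profile(spec: Optional[str]) -> bool:
    """True when parse_ms_cs_profile() accepts the specifier, False otherwise."""
    try:
        parse_ms_cs_profile(spec)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample OID; prints TemplateByOID(oid='1.3.6.1.4.1.311.21.8.1', major=100, minor=2)
    print(parse_ms_cs_profile("1.3.6.1.4.1.311.21.8.1:100:2"))
```
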
       --external-cert-file=FILE
              File containing the IPA CA certificate and the external CA
              certificate chain. The file is accepted in PEM and DER
              certificate and PKCS#7 certificate chain formats. This option
              may be used multiple times.

       --no-pkinit
              Disables pkinit setup steps.

       --dirsrv-cert-file=FILE
              File containing the Directory Server SSL certificate and private
              key. The files are accepted in PEM and DER certificate, PKCS#7
              certificate chain, PKCS#8 and raw private key and PKCS#12
              formats. This option may be used multiple times.

       --http-cert-file=FILE
              File containing the Apache Server SSL certificate and private
              key. The files are accepted in PEM and DER certificate, PKCS#7
              certificate chain, PKCS#8 and raw private key and PKCS#12
              formats. This option may be used multiple times.

       --pkinit-cert-file=FILE
              File containing the Kerberos KDC SSL certificate and private
              key. The files are accepted in PEM and DER certificate, PKCS#7
              certificate chain, PKCS#8 and raw private key and PKCS#12
              formats. This option may be used multiple times.

       --dirsrv-pin=PIN
              The password to unlock the Directory Server private key.

       --http-pin=PIN
              The password to unlock the Apache Server private key.

       --pkinit-pin=PIN
              The password to unlock the Kerberos KDC private key.

       --dirsrv-cert-name=NAME
              Name of the Directory Server SSL certificate to install.

       --http-cert-name=NAME
              Name of the Apache Server SSL certificate to install.

       --pkinit-cert-name=NAME
              Name of the Kerberos KDC SSL certificate to install.

       --ca-cert-file=FILE
              File containing the CA certificate of the CA which issued the
              Directory Server, Apache Server and Kerberos KDC certificates.
              The file is accepted in PEM and DER certificate and PKCS#7
              certificate chain formats. This option may be used multiple
              times. Use this option if the CA certificate is not present in
              the certificate files.

       --pki-config-override=FILE
              File containing overrides for CA and KRA installation.

       --ca-subject=SUBJECT
              The CA certificate subject DN (default CN=Certificate
              Authority,O=REALM.NAME). RDNs are in LDAP order (most specific
              RDN first).

       --subject-base=SUBJECT
              The subject base for certificates issued by IPA (default
              O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).

       --ca-signing-algorithm=ALGORITHM
              Signing algorithm of the IPA CA certificate. Possible values are
              SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is
              SHA256withRSA. Use this option with --external-ca if the
              external CA does not support the default signing algorithm.


   SECRET MANAGEMENT OPTIONS
       --setup-kra
              Install and configure a KRA on this server.


   DNS OPTIONS
       IPA provides an integrated DNS server which can be used to simplify IPA
       deployment. If you decide to use it, IPA will automatically maintain
       SRV and other service records when you change your topology.

       The DNS component in IPA is optional and you may choose to manage all
       your DNS records manually on another third party DNS server. IPA DNS is
       not a general-purpose DNS server. If you need advanced features like
       DNS views, do not deploy IPA DNS.

       --setup-dns
              Configure an integrated DNS server, create DNS zone specified by
              --domain, and fill it with service records necessary for IPA
              deployment. In cases where the IPA server name does not belong
              to the primary DNS domain and is not resolvable using DNS,
              create a DNS zone containing the IPA server name as well.

              This option requires that you either specify at least one DNS
              forwarder through the --forwarder option or use the
              --no-forwarders option.

              Note that you can set up a DNS at any time after the initial IPA
              server install by running ipa-dns-install (see
              ipa-dns-install(1)). IPA DNS cannot be uninstalled.

       --forwarder=IP_ADDRESS
              Add a DNS forwarder to the DNS configuration. You can use this
              option multiple times to specify more forwarders, but at least
              one must be provided, unless the --no-forwarders option is
              specified.

       --no-forwarders
              Do not add any DNS forwarders. Root DNS servers will be used
              instead.

       --auto-forwarders
              Add DNS forwarders configured in /etc/resolv.conf to the list of
              forwarders used by IPA DNS.

       --forward-policy=first|only
              DNS forwarding policy for global forwarders specified using
              other options. Defaults to first if no IP address belonging to
              a private or reserved range is detected on local interfaces
              (RFC 6303). Defaults to only if a private IP address is
              detected.

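              To make the default rule concrete, here is an added Python
              sketch (my own, not the installer's code) that derives the
              policy from the server's own addresses, assumed to be those
              given with --ip-address. The RFC 6303 ranges are listed from
              the RFC as I recall them and the installer's detection may
              differ. The point for operators: with "only", queries the
              forwarders cannot answer are not retried against the public
              root servers, which matters when the forwarders are the
              authority for private address space.

```python
import ipaddress
from typing import Iterable

# Address blocks that RFC 6303 tells resolvers to answer locally (private,
# loopback, link-local, documentation and "this network" space). Listed here
# from the RFC as I recall it; this is my assumption, not the installer's table.
RFC6303_NETWORKS = tuple(ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.51.100.0/24", "203.0.113.0/24", "255.255.255.255/32",
    "::/128", "::1/128", "2001:db8::/32", "fd00::/8", "fe80::/10",
))


def is_rfc6303_address(addr: str) -> bool:
    """True if addr falls inside one of the RFC 6303 ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC6303_NETWORKS if net.version == ip.version)


def default_forward_policy(server_addresses: Iterable[str]) -> str:
    """Hypothetical helper reproducing the man page rule for --forward-policy.

    Returns 'only' when any of the server's addresses is an RFC 6303 address,
    otherwise 'first'. Strings that do not parse as IP addresses are skipped
    rather than guessed at.
    """
    for addr in server_addresses:
        try:
            if is_rfc6303_address(addr):
                return "only"
        except ValueError:
            continue
    return "first"


# Constructed sample address sets for a quick self-check (not real hosts).
SAMPLE_PRIVATE_HOST = ("192.168.10.5", "fe80::1")
SAMPLE_PUBLIC_HOST = ("37.16.0.10", "2001:1234::1")

if __name__ == "__main__":
    print(default_forward_policy(SAMPLE_PRIVATE_HOST))  # only
    print(default_forward_policy(SAMPLE_PUBLIC_HOST))   # first
```
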
       --reverse-zone=REVERSE_ZONE
              The reverse DNS zone to use. This option can be used multiple
              times to specify multiple reverse zones.

       --no-reverse
              Do not create reverse DNS zone.

       --auto-reverse
              Try to resolve reverse records and reverse zones for server IP
              addresses. If neither is resolvable, creates the reverse zones.

       --zonemgr
              The e-mail address of the DNS zone manager. Defaults to
              hostmaster@DOMAIN

       --no-host-dns
              Do not use DNS for hostname lookup during installation.

       --no-dns-sshfp
              Do not automatically create DNS SSHFP records.

       --no-dnssec-validation
              Disable DNSSEC validation on this server.

       --allow-zone-overlap
              Allow creation of (reverse) zone even if the zone is already
              resolvable. Using this option is discouraged as it results in
              later problems with domain name resolution.


   AD TRUST OPTIONS
       --setup-adtrust
              Configure AD Trust capability.

       --netbios-name=NETBIOS_NAME
              The NetBIOS name for the IPA domain. If not provided, this is
              determined based on the leading component of the DNS domain
              name. Running ipa-adtrust-install for a second time with a
              different NetBIOS name will change the name. Please note that
              changing the NetBIOS name might break existing trust
              relationships to other domains.

       --rid-base=RID_BASE
              First RID value of the local domain. The first POSIX ID of the
              local domain will be assigned to this RID, the second to RID+1
              etc. See the online help of the idrange CLI for details.

       --secondary-rid-base=SECONDARY_RID_BASE
              Start value of the secondary RID range, which is only used in
              the case a user and a group share numerically the same POSIX ID.
              See the online help of the idrange CLI for details.

       --enable-compat
              Enables support for trusted domain users for old clients through
              the Schema Compatibility plugin. SSSD supports trusted domains
              natively starting with version 1.9. For platforms that lack
              SSSD or run an older SSSD version one needs to use this option.
              When enabled, the slapi-nis package needs to be installed and
              schema-compat-plugin will be configured to provide lookup of
              users and groups from trusted domains via SSSD on the IPA
              server. These users and groups will be available under the
              cn=users,cn=compat,$SUFFIX and cn=groups,cn=compat,$SUFFIX
              trees. SSSD will normalize names of users and groups to lower
              case.

              In addition to providing these users and groups through the
              compat tree, this option enables authentication over LDAP for
              trusted domain users with DN under the compat tree, i.e. using
              bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.

              LDAP authentication performed by the compat tree is done via the
              PAM 'system-auth' service. This service exists by default on
              Linux systems and is provided by the pam package as
              /etc/pam.d/system-auth. If your IPA install does not have the
              default HBAC rule 'allow_all' enabled, then make sure to define
              in IPA a special service called 'system-auth' and create an HBAC
              rule that allows anyone access to this service on IPA masters.

              As the 'system-auth' PAM service is not used directly by any
              other application, it is safe to use it for trusted domain users
              via the compatibility path.


   UNINSTALL OPTIONS
       --uninstall
              Uninstall an existing IPA installation.

       -U, --unattended
              An unattended uninstallation that will never prompt for user
              input.



DEPRECATED OPTIONS

       -P MASTER_PASSWORD, --master-password=MASTER_PASSWORD
              The Kerberos master password (normally autogenerated).



EXIT STATUS

       0 if the (un)installation was successful

       1 if an error occurred



SEE ALSO

       ipa-dns-install(1) ipa-adtrust-install(1)



IPA                               Feb 17 2017            ipa-server-install(1)