ipa-server-install(1)            IPA Manual Pages            ipa-server-install(1)

NAME
       ipa-server-install - Configure an IPA server

SYNOPSIS
       ipa-server-install [OPTION]...

DESCRIPTION
       Configures the services needed by an IPA server. This includes setting
       up a Kerberos Key Distribution Center (KDC) and a Kadmin daemon with an
       LDAP back-end, configuring Apache, configuring NTP and optionally
       configuring and starting an LDAP-backed DNS server. By default a
       dogtag-based CA will be configured to issue server certificates.

OPTIONS
   BASIC OPTIONS
       -r REALM_NAME, --realm=REALM_NAME
              The Kerberos realm name for the new IPA deployment.

              It is strongly recommended to use an upper-cased name of the
              primary DNS domain name of your IPA deployment. You will not be
              able to establish trust with Active Directory unless the realm
              name is the upper-cased domain name.

              The realm name cannot be changed after the installation.

       -n DOMAIN_NAME, --domain=DOMAIN_NAME
              The primary DNS domain of the IPA deployment, e.g. example.com.
              This DNS domain should contain the SRV records generated by the
              IPA server installer. The specified DNS domain must not contain
              DNS records of any other LDAP or Kerberos-based management
              system (like Active Directory or MIT Kerberos).

              It is strongly recommended to use a lower-cased name of the IPA
              Kerberos realm name.

              The primary DNS domain name cannot be changed after the
              installation.

       -p DM_PASSWORD, --ds-password=DM_PASSWORD
              The password to be used by the Directory Server for the
              Directory Manager user.

       -a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
              The password for the IPA admin user.

       --mkhomedir
              Create home directories for users on their first login.

       --hostname=HOST_NAME
              The fully-qualified DNS name of this server.

       --ip-address=IP_ADDRESS
              The IP address of this server. If this address does not match
              the address the host resolves to and --setup-dns is not
              selected, the installation will fail. If the server hostname is
              not resolvable, a record for the hostname and IP_ADDRESS is
              added to /etc/hosts. This option can be used multiple times to
              specify more IP addresses of the server (e.g. multihomed and/or
              dualstacked server).

       --ntp-server=NTP_SERVER
              Configure chronyd to use this NTP server. This option can be
              used multiple times and it is used to specify exactly one time
              server.

       --ntp-pool=NTP_SERVER_POOL
              Configure chronyd to use this NTP server pool. This option is
              meant for a pool of multiple servers resolved as one host name.
              The pool's servers may vary, but the pool address stays the
              same and chrony will choose only one server from this pool.

       -N, --no-ntp
              Do not configure NTP client (chronyd).

       --idstart=IDSTART
              The starting user and group id number (default random).

       --idmax=IDMAX
              The maximum user and group id number (default: idstart+199999).
              If set to zero, the default value will be used.

       --no-hbac-allow
              Don't install allow_all HBAC rule. This rule lets any user from
              any host access any service on any other host. It is expected
              that users will remove this rule before moving to production.

       --ignore-topology-disconnect
              Ignore errors reported when IPA server uninstall would lead to
              disconnected topology.

       --ignore-last-of-role
              Ignore errors reported when IPA server uninstall would lead to
              removal of last CA/DNS server or DNSSec master.

       --no-ui-redirect
              Do not automatically redirect to the Web UI.

       --ssh-trust-dns
              Configure OpenSSH client to trust DNS SSHFP records.

       --no-ssh
              Do not configure OpenSSH client.

       --no-sshd
              Do not configure OpenSSH server.

       -d, --debug
              Enable debug logging when more verbose output is needed.

       -U, --unattended
              An unattended installation that will never prompt for user
              input.

       --dirsrv-config-file
              The path to LDIF file that will be used to modify configuration
              of dse.ldif during installation of the directory server
              instance.

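Several of the basic options above carry rules that are cheap to check before
an unattended run and expensive to get wrong, because the realm and domain
cannot be changed afterwards. The following POSIX shell pre-flight script is an
added example; it is not part of ipa-server-install or FreeIPA. It derives the
realm from the domain as recommended, applies the documented --idmax default,
checks the --ip-address rule, and prints the resulting command line instead of
running it. The domain, host name and addresses are constructed sample values;
the resolved address is passed in by the caller so the checks run offline.

```shell
#!/bin/sh
# Added example; this is not code from ipa-server-install or FreeIPA. It applies
# three rules stated under BASIC OPTIONS before an unattended install is run:
#   * the realm should be the upper-cased primary DNS domain (AD trust needs it)
#   * --idmax defaults to idstart+199999, and 0 means "use that default"
#   * --ip-address must equal what the host name resolves to unless --setup-dns
#     is given (otherwise the installer fails)
# Nothing here contacts IPA or DNS; the resolved address is supplied by the caller.

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Realm name recommended for a domain: the domain in upper case.
realm_for_domain() { upper "$1"; }

# 0 when REALM is exactly the upper-cased DOMAIN (and DOMAIN is lower case),
# 1 otherwise. Both values are fixed at install time and cannot be changed later.
check_realm_domain() {
    realm=$1 domain=$2
    [ "$realm" = "$(upper "$domain")" ] && [ "$domain" = "$(lower "$domain")" ]
}

# Print "idstart idmax" after applying the documented default. An idmax of 0
# (or an empty value) selects idstart+199999; an idmax not above idstart is an error.
effective_id_range() {
    idstart=$1 idmax=${2:-0}
    if [ "$idmax" -eq 0 ]; then
        idmax=$((idstart + 199999))
    fi
    if [ "$idmax" -le "$idstart" ]; then
        echo "idmax $idmax must be greater than idstart $idstart" >&2
        return 1
    fi
    printf '%s %s\n' "$idstart" "$idmax"
}

# GIVEN is the --ip-address value, RESOLVED is what the host name resolves to
# (a wrapper would obtain it with: getent hosts "$host" | awk '{print $1}'),
# SETUP_DNS is "yes" when --setup-dns will be passed.
check_ip_matches() {
    given=$1 resolved=$2 setup_dns=$3
    if [ "$given" = "$resolved" ] || [ "$setup_dns" = yes ]; then
        return 0
    fi
    echo "--ip-address $given differs from resolved $resolved; use --setup-dns or fix DNS" >&2
    return 1
}

# Build the unattended command line and print it instead of running it.
# --no-hbac-allow is included because the allow_all rule is expected to be
# removed before production anyway; --setup-dns requires a forwarder (or
# --no-forwarders), so one is taken as an argument.
build_install_cmd() {
    domain=$1 host=$2 ip=$3 idstart=$4 idmax=$5 forwarder=$6
    realm=$(realm_for_domain "$domain")
    check_realm_domain "$realm" "$domain" || return 1
    range=$(effective_id_range "$idstart" "$idmax") || return 1
    idmax=${range#* }
    printf 'ipa-server-install -U -r %s -n %s --hostname=%s --ip-address=%s' \
        "$realm" "$domain" "$host" "$ip"
    printf ' --idstart=%s --idmax=%s --no-hbac-allow --setup-dns --forwarder=%s\n' \
        "$idstart" "$idmax" "$forwarder"
}

# Constructed sample values (not from any real deployment). Passwords are left
# to -p/-a in a wrapper or to the interactive prompts, never hard-coded here.
preflight_demo() {
    check_ip_matches 192.0.2.10 192.0.2.10 no &&
    build_install_cmd example.test ipa.example.test 192.0.2.10 1000000 0 192.0.2.1
}
```

Running `preflight_demo` prints the assembled command; a wrapper would feed the
real resolved address into check_ip_matches and only then execute the printed
line.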

   CERTIFICATE SYSTEM OPTIONS
       --external-ca
              Generate a CSR for the IPA CA certificate to be signed by an
              external CA.

       --external-ca-type=TYPE
              Type of the external CA. Possible values are "generic", "ms-cs".
              Default value is "generic". Use "ms-cs" to include the template
              name required by Microsoft Certificate Services (MS CS) in the
              generated CSR (see --external-ca-profile for full details).

       --external-ca-profile=PROFILE_SPEC
              Specify the certificate profile or template to use at the
              external CA.

              When --external-ca-type is "ms-cs" the following specifiers may
              be used:

              <oid>:<majorVersion>[:<minorVersion>]
                     Specify a certificate template by OID and major version,
                     optionally also specifying minor version.

              <name>
                     Specify a certificate template by name. The name cannot
                     contain any : characters and cannot be an OID (otherwise
                     the OID-based template specifier syntax takes
                     precedence).

              default
                     If no template is specified, the template name "SubCA" is
                     used.
161
162 --external-cert-file=FILE
163 File containing the IPA CA certificate and the external CA cer‐
164 tificate chain. The file is accepted in PEM and DER certificate
165 and PKCS#7 certificate chain formats. This option may be used
166 multiple times.
167
168 --no-pkinit
169 Disables pkinit setup steps.
170
171 --dirsrv-cert-file=FILE
172 File containing the Directory Server SSL certificate and private
173 key. The files are accepted in PEM and DER certificate, PKCS#7
174 certificate chain, PKCS#8 and raw private key and PKCS#12 for‐
175 mats. This option may be used multiple times.
176
177 --http-cert-file=FILE
178 File containing the Apache Server SSL certificate and private
179 key. The files are accepted in PEM and DER certificate, PKCS#7
180 certificate chain, PKCS#8 and raw private key and PKCS#12 for‐
181 mats. This option may be used multiple times.
182
183 --pkinit-cert-file=FILE
184 File containing the Kerberos KDC SSL certificate and private
185 key. The files are accepted in PEM and DER certificate, PKCS#7
186 certificate chain, PKCS#8 and raw private key and PKCS#12 for‐
187 mats. This option may be used multiple times.
188
189 --dirsrv-pin=PIN
190 The password to unlock the Directory Server private key.
191
192 --http-pin=PIN
193 The password to unlock the Apache Server private key.
194
195 --pkinit-pin=PIN
196 The password to unlock the Kerberos KDC private key.
197
198 --dirsrv-cert-name=NAME
199 Name of the Directory Server SSL certificate to install.
200
201 --http-cert-name=NAME
202 Name of the Apache Server SSL certificate to install.
203
204 --pkinit-cert-name=NAME
205 Name of the Kerberos KDC SSL certificate to install.
206
207 --ca-cert-file=FILE
208 File containing the CA certificate of the CA which issued the
209 Directory Server, Apache Server and Kerberos KDC certificates.
210 The file is accepted in PEM and DER certificate and PKCS#7 cer‐
211 tificate chain formats. This option may be used multiple times.
212 Use this option if the CA certificate is not present in the cer‐
213 tificate files.
214
215 --pki-config-override=FILE
216 File containing overrides for CA and KRA installation.
217
218 --ca-subject=SUBJECT
219 The CA certificate subject DN (default CN=Certificate Author‐
220 ity,O=REALM.NAME). RDNs are in LDAP order (most specific RDN
221 first).
222
223 --subject-base=SUBJECT
224 The subject base for certificates issued by IPA (default
225 O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).
226
227 --ca-signing-algorithm=ALGORITHM
228 Signing algorithm of the IPA CA certificate. Possible values are
229 SHA1withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA. De‐
230 fault value is SHA256withRSA. Use this option with --external-ca
231 if the external CA does not support the default signing algo‐
232 rithm.
233
234
235 SECRET MANAGEMENT OPTIONS
236 --setup-kra
237 Install and configure a KRA on this server.
238
239
240 DNS OPTIONS
241 IPA provides an integrated DNS server which can be used to simplify IPA
242 deployment. If you decide to use it, IPA will automatically maintain
243 SRV and other service records when you change your topology.
244
245 The DNS component in IPA is optional and you may choose to manage all
246 your DNS records manually on another third party DNS server. IPA DNS is
247 not a general-purpose DNS server. If you need advanced features like
248 DNS views, do not deploy IPA DNS.
249
250
251 --setup-dns
252 Configure an integrated DNS server, create DNS zone specified by
253 --domain, and fill it with service records necessary for IPA de‐
254 ployment. In cases where the IPA server name does not belong to
255 the primary DNS domain and is not resolvable using DNS, create a
256 DNS zone containing the IPA server name as well.
257
258 This option requires that you either specify at least one DNS
259 forwarder through the --forwarder option or use the --no-for‐
260 warders option.
261
262 Note that you can set up a DNS at any time after the initial IPA
263 server install by running ipa-dns-install (see ipa-dns-in‐
264 stall(1)). IPA DNS cannot be uninstalled.
265
266
267 --forwarder=IP_ADDRESS
268 Add a DNS forwarder to the DNS configuration. You can use this
269 option multiple times to specify more forwarders, but at least
270 one must be provided, unless the --no-forwarders option is spec‐
271 ified.
272
273 --no-forwarders
274 Do not add any DNS forwarders. Root DNS servers will be used in‐
275 stead.
276
277 --auto-forwarders
278 Add DNS forwarders configured in /etc/resolv.conf to the list of
279 forwarders used by IPA DNS.
280
281 --forward-policy=first|only
282 DNS forwarding policy for global forwarders specified using
283 other options. Defaults to first if no IP address belonging to
284 a private or reserved ranges is detected on local interfaces
285 (RFC 6303). Defaults to only if a private IP address is de‐
286 tected.
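
The default for --forward-policy depends on whether any local address sits in
one of the private or reserved ranges from RFC 6303, which matters because with
"first" a forwarder that fails to answer lets the server fall back to recursion
and leak queries for those ranges to the public root servers. The shell
functions below are an added example, not the installer's own check, and
reproduce that decision in simplified form: the range list is the IPv4 list from
RFC 6303 plus three IPv6 blocks, matched as string prefixes, and the
`ip -o addr` call assumes iproute2 is installed. The addresses in the usage are
constructed.

```shell
#!/bin/sh
# Added example, not the installer's own code. Simplified form of the rule
# given for --forward-policy: "first" unless a local interface carries an
# address from a private or reserved range listed in RFC 6303, then "only".
# Ranges are matched as string prefixes; the installer's check is Python and
# may differ in detail.

# 0 if ADDR lies in one of the RFC 6303 ranges covered here, 1 otherwise.
in_rfc6303_range() {
    a=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case $a in
        0.*|10.*|127.*|169.254.*|192.168.*)     return 0 ;;  # 0/8, 10/8, 127/8, 169.254/16, 192.168/16
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;  # 172.16/12
        192.0.2.*|198.51.100.*|203.0.113.*)     return 0 ;;  # TEST-NET-1, -2, -3
        255.255.255.255)                        return 0 ;;  # limited broadcast
        ::|::1|fd*|fe[89ab]*|2001:db8:*)        return 0 ;;  # ::, ::1, fd00::/8, fe80::/10, 2001:db8::/32
    esac
    return 1
}

# Print the policy chosen for the given list of local addresses.
default_forward_policy() {
    for addr in "$@"; do
        if in_rfc6303_range "$addr"; then
            echo only
            return 0
        fi
    done
    echo first
}

# Addresses of this host, one per line (assumption: iproute2's `ip -o addr`,
# whose fourth column is address/prefix).
local_addresses() {
    ip -o addr 2>/dev/null | awk '{ sub(/\/.*/, "", $4); print $4 }'
}

# Policy for the machine this runs on.
detect_forward_policy() {
    default_forward_policy $(local_addresses)
}

# Constructed addresses: a public resolver alone gives "first"; adding a
# 10/8 address flips the decision to "only".
default_forward_policy 8.8.8.8 2001:4860:4860::8888
default_forward_policy 8.8.8.8 10.1.2.3
```

If `detect_forward_policy` prints "only" on a host where you intended "first",
the fix is to pass --forward-policy=first explicitly and accept that queries
for the private range may then be recursed when the forwarders fail.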

       --reverse-zone=REVERSE_ZONE
              The reverse DNS zone to use. This option can be used multiple
              times to specify multiple reverse zones.

       --no-reverse
              Do not create reverse DNS zone.

       --auto-reverse
              Try to resolve reverse records and reverse zones for server IP
              addresses. If neither is resolvable, creates the reverse zones.

       --zonemgr
              The e-mail address of the DNS zone manager. Defaults to
              hostmaster@DOMAIN

       --no-host-dns
              Do not use DNS for hostname lookup during installation.

       --no-dns-sshfp
              Do not automatically create DNS SSHFP records.

       --no-dnssec-validation
              Disable DNSSEC validation on this server.

       --allow-zone-overlap
              Allow creation of (reverse) zone even if the zone is already
              resolvable. Using this option is discouraged as it results in
              later problems with domain name resolution.

   SID GENERATION OPTIONS
       --netbios-name=NETBIOS_NAME
              The NetBIOS name for the IPA domain. If not provided, this is
              determined based on the leading component of the DNS domain
              name. Running ipa-adtrust-install for a second time with a
              different NetBIOS name will change the name. Please note that
              changing the NetBIOS name might break existing trust
              relationships to other domains.

       --rid-base=RID_BASE
              First RID value of the local domain. The first POSIX ID of the
              local domain will be assigned to this RID, the second to RID+1
              etc. See the online help of the idrange CLI for details.

       --secondary-rid-base=SECONDARY_RID_BASE
              Start value of the secondary RID range, which is only used in
              the case a user and a group share numerically the same POSIX ID.
              See the online help of the idrange CLI for details.

   AD TRUST OPTIONS
       --setup-adtrust
              Configure AD Trust capability.

       --enable-compat
              Enables support for trusted domain users for old clients
              through the Schema Compatibility plugin. SSSD supports trusted
              domains natively starting with version 1.9. For platforms that
              lack SSSD or run an older SSSD version, this option is needed.
              When enabled, the slapi-nis package needs to be installed and
              schema-compat-plugin will be configured to provide lookup of
              users and groups from trusted domains via SSSD on the IPA
              server. These users and groups will be available under the
              cn=users,cn=compat,$SUFFIX and cn=groups,cn=compat,$SUFFIX
              trees. SSSD will normalize names of users and groups to lower
              case.

              In addition to providing these users and groups through the
              compat tree, this option enables authentication over LDAP for
              trusted domain users with a DN under the compat tree, i.e.
              using bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.

              LDAP authentication performed by the compat tree is done via
              the PAM 'system-auth' service. This service exists by default
              on Linux systems and is provided by the pam package as
              /etc/pam.d/system-auth. If your IPA install does not have the
              default HBAC rule 'allow_all' enabled, then make sure to define
              in IPA a special service called 'system-auth' and create an
              HBAC rule that allows anyone access to this service on IPA
              masters.

              As the 'system-auth' PAM service is not used directly by any
              other application, it is safe to use it for trusted domain
              users via the compatibility path.

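The --enable-compat text above leaves two things to the administrator: the
exact bind DN a trusted-domain user must use, and the HBAC objects that have
to exist once allow_all has been removed (as --no-hbac-allow and the production
advice under it suggest). The script below is an added example, not FreeIPA
code. It builds the LDAP suffix and the compat-tree bind DN (lower-cased, since
SSSD normalizes names), and prints the ipa commands that create the
'system-auth' HBAC service and a rule letting any user reach it on the IPA
masters you name; the rule name, domain and host names are constructed. The
option names used (--desc, --usercat, --hbacsvcs, --hosts) are those of the ipa
hbacsvc-add and hbacrule-* commands. Commands are only executed by
apply_compat_hbac, and only where an ipa client is installed.

```shell
#!/bin/sh
# Added example, not FreeIPA code: helpers for the --enable-compat notes.
#   suffix_for_domain    example.test -> dc=example,dc=test
#   compat_user_dn       bind DN under cn=users,cn=compat,$SUFFIX, lower-cased
#   compat_hbac_commands ipa commands for the 'system-auth' HBAC service/rule
#   apply_compat_hbac    runs them when the ipa client is present, else prints

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# LDAP suffix for a DNS domain, one dc= RDN per label.
suffix_for_domain() {
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), tolower($i)
        print ""
    }'
}

# Bind DN for USER from trusted domain DOMAIN under SUFFIX; SSSD lower-cases
# names, so the DN does too.
compat_user_dn() {
    printf 'uid=%s@%s,cn=users,cn=compat,%s\n' "$(lower "$1")" "$(lower "$2")" "$3"
}

# Print the ipa commands: RULE name, then one or more IPA master FQDNs. Scoping
# the rule to the masters keeps it narrower than the allow_all rule it replaces.
compat_hbac_commands() {
    rule=$1; shift
    printf "ipa hbacsvc-add system-auth --desc='PAM service used by the compat tree'\n"
    printf "ipa hbacrule-add %s --usercat=all --desc='system-auth on IPA masters for compat binds'\n" "$rule"
    printf 'ipa hbacrule-add-service %s --hbacsvcs=system-auth\n' "$rule"
    for master in "$@"; do
        printf 'ipa hbacrule-add-host %s --hosts=%s\n' "$rule" "$master"
    done
}

# Execute the commands when an ipa client exists (needs an admin Kerberos
# ticket); otherwise just show them so they can be reviewed.
apply_compat_hbac() {
    if command -v ipa >/dev/null 2>&1; then
        compat_hbac_commands "$@" | sh -e
    else
        compat_hbac_commands "$@"
    fi
}

# Constructed sample values.
suffix=$(suffix_for_domain example.test)
compat_user_dn Administrator AD.EXAMPLE.TEST "$suffix"
apply_compat_hbac compat_system_auth ipa1.example.test ipa2.example.test
```

After the rule exists, a bind can be verified from a client with
`ldapwhoami -x -H ldaps://ipa1.example.test -D "$(compat_user_dn administrator ad.example.test "$suffix")" -W`;
a failure at that point with the rule present usually means the user is not
yet visible under the compat tree rather than an HBAC problem.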

   UNINSTALL OPTIONS
       --uninstall
              Uninstall an existing IPA installation.

       -U, --unattended
              An unattended uninstallation that will never prompt for user
              input.

   DEPRECATED OPTIONS
       -P MASTER_PASSWORD, --master-password=MASTER_PASSWORD
              The kerberos master password (normally autogenerated).

EXIT STATUS
       0 if the (un)installation was successful

       1 if an error occurred

SEE ALSO
       ipa-dns-install(1) ipa-adtrust-install(1)

IPA                              Feb 17 2017             ipa-server-install(1)