ipa-server-install(1)          IPA Manual Pages          ipa-server-install(1)

NAME

       ipa-server-install - Configure an IPA server


SYNOPSIS

       ipa-server-install [OPTION]...


DESCRIPTION

       Configures the services needed by an IPA server. This includes setting
       up a Kerberos Key Distribution Center (KDC) and a Kadmin daemon with an
       LDAP back-end, configuring Apache, configuring NTP and optionally
       configuring and starting an LDAP-backed DNS server. By default a
       dogtag-based CA will be configured to issue server certificates.



OPTIONS

   BASIC OPTIONS
       -r REALM_NAME, --realm=REALM_NAME
              The Kerberos realm name for the new IPA deployment.

              It is strongly recommended to use an upper-cased name of the
              primary DNS domain name of your IPA deployment. You will not be
              able to establish trust with Active Directory unless the realm
              name is the upper-cased domain name.

              The realm name cannot be changed after the installation.

       -n DOMAIN_NAME, --domain=DOMAIN_NAME
              The primary DNS domain of the IPA deployment, e.g. example.com.
              This DNS domain should contain the SRV records generated by the
              IPA server installer. The specified DNS domain must not contain
              DNS records of any other LDAP or Kerberos based management
              system (like Active Directory or MIT Kerberos).

              It is strongly recommended to use a lower-cased name of the IPA
              Kerberos realm name.

              The primary DNS domain name cannot be changed after the
              installation.

       -p DM_PASSWORD, --ds-password=DM_PASSWORD
              The password to be used by the Directory Server for the
              Directory Manager user.

       -a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
              The password for the IPA admin user.

       --mkhomedir
              Create home directories for users on their first login.

       --hostname=HOST_NAME
              The fully-qualified DNS name of this server.

       --ip-address=IP_ADDRESS
              The IP address of this server. If this address does not match
              the address the host resolves to and --setup-dns is not
              selected, the installation will fail. If the server hostname is
              not resolvable, a record for the hostname and IP_ADDRESS is
              added to /etc/hosts. This option can be used multiple times to
              specify more IP addresses of the server (e.g. multihomed and/or
              dual-stacked server).

       --ntp-server=NTP_SERVER
              Configure chronyd to use this NTP server. This option can be
              used multiple times and each use specifies exactly one time
              server.

       --ntp-pool=NTP_SERVER_POOL
              Configure chronyd to use this NTP server pool. This option is
              meant for a pool of multiple servers resolved as one host name.
              The pool's servers may vary but the pool address stays the
              same, and chrony will choose only one server from this pool.

       -N, --no-ntp
              Do not configure the NTP client (chronyd).

       --idstart=IDSTART
              The starting user and group id number (default random).

       --idmax=IDMAX
              The maximum user and group id number (default: idstart+199999).
              If set to zero, the default value will be used.

       --no-hbac-allow
              Don't install the allow_all HBAC rule. This rule lets any user
              from any host access any service on any other host. It is
              expected that users will remove this rule before moving to
              production.

       --ignore-topology-disconnect
              Ignore errors reported when IPA server uninstall would lead to
              a disconnected topology.

       --ignore-last-of-role
              Ignore errors reported when IPA server uninstall would lead to
              removal of the last CA/DNS server or DNSSEC master.

       --no-ui-redirect
              Do not automatically redirect to the Web UI.

       --ssh-trust-dns
              Configure the OpenSSH client to trust DNS SSHFP records.

       --no-ssh
              Do not configure the OpenSSH client.

       --no-sshd
              Do not configure the OpenSSH server.

       -d, --debug
              Enable debug logging when more verbose output is needed.

       -U, --unattended
              An unattended installation that will never prompt for user
              input.

       --dirsrv-config-file
              The path to an LDIF file that will be used to modify the
              configuration of dse.ldif during installation of the directory
              server instance.


   CERTIFICATE SYSTEM OPTIONS
       --external-ca
              Generate a CSR for the IPA CA certificate to be signed by an
              external CA.

       --external-ca-type=TYPE
              Type of the external CA. Possible values are "generic", "ms-cs".
              Default value is "generic". Use "ms-cs" to include the template
              name required by Microsoft Certificate Services (MS CS) in the
              generated CSR (see --external-ca-profile for full details).


       --external-ca-profile=PROFILE_SPEC
              Specify the certificate profile or template to use at the
              external CA.

              When --external-ca-type is "ms-cs" the following specifiers may
              be used:


              <oid>:<majorVersion>[:<minorVersion>]
                     Specify a certificate template by OID and major version,
                     optionally also specifying the minor version.

              <name> Specify a certificate template by name. The name cannot
                     contain any : characters and cannot be an OID (otherwise
                     the OID-based template specifier syntax takes
                     precedence).

              default
                     If no template is specified, the template name "SubCA" is
                     used.


       --external-cert-file=FILE
              File containing the IPA CA certificate and the external CA
              certificate chain. The file is accepted in PEM and DER
              certificate and PKCS#7 certificate chain formats. This option
              may be used multiple times.

       --no-pkinit
              Disables pkinit setup steps.

       --dirsrv-cert-file=FILE
              File containing the Directory Server SSL certificate and private
              key. The files are accepted in PEM and DER certificate, PKCS#7
              certificate chain, PKCS#8 and raw private key and PKCS#12
              formats. This option may be used multiple times.

       --http-cert-file=FILE
              File containing the Apache Server SSL certificate and private
              key. The files are accepted in PEM and DER certificate, PKCS#7
              certificate chain, PKCS#8 and raw private key and PKCS#12
              formats. This option may be used multiple times.

       --pkinit-cert-file=FILE
              File containing the Kerberos KDC SSL certificate and private
              key. The files are accepted in PEM and DER certificate, PKCS#7
              certificate chain, PKCS#8 and raw private key and PKCS#12
              formats. This option may be used multiple times.

       --dirsrv-pin=PIN
              The password to unlock the Directory Server private key.

       --http-pin=PIN
              The password to unlock the Apache Server private key.

       --pkinit-pin=PIN
              The password to unlock the Kerberos KDC private key.

       --dirsrv-cert-name=NAME
              Name of the Directory Server SSL certificate to install.

       --http-cert-name=NAME
              Name of the Apache Server SSL certificate to install.

       --pkinit-cert-name=NAME
              Name of the Kerberos KDC SSL certificate to install.

       --ca-cert-file=FILE
              File containing the CA certificate of the CA which issued the
              Directory Server, Apache Server and Kerberos KDC certificates.
              The file is accepted in PEM and DER certificate and PKCS#7
              certificate chain formats. This option may be used multiple
              times. Use this option if the CA certificate is not present in
              the certificate files.

       --pki-config-override=FILE
              File containing overrides for CA and KRA installation.

       --ca-subject=SUBJECT
              The CA certificate subject DN (default CN=Certificate
              Authority,O=REALM.NAME). RDNs are in LDAP order (most specific
              RDN first).

       --subject-base=SUBJECT
              The subject base for certificates issued by IPA (default
              O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).

       --ca-signing-algorithm=ALGORITHM
              Signing algorithm of the IPA CA certificate. Possible values are
              SHA1withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA.
              Default value is SHA256withRSA. Use this option with
              --external-ca if the external CA does not support the default
              signing algorithm.


   SECRET MANAGEMENT OPTIONS
       --setup-kra
              Install and configure a KRA on this server.


   DNS OPTIONS
       IPA provides an integrated DNS server which can be used to simplify IPA
       deployment. If you decide to use it, IPA will automatically maintain
       SRV and other service records when you change your topology.

       The DNS component in IPA is optional and you may choose to manage all
       your DNS records manually on another third party DNS server. IPA DNS is
       not a general-purpose DNS server. If you need advanced features like
       DNS views, do not deploy IPA DNS.


       --setup-dns
              Configure an integrated DNS server, create the DNS zone specified
              by --domain, and fill it with the service records necessary for
              IPA deployment. In cases where the IPA server name does not
              belong to the primary DNS domain and is not resolvable using
              DNS, create a DNS zone containing the IPA server name as well.

              This option requires that you either specify at least one DNS
              forwarder through the --forwarder option or use the
              --no-forwarders option.

              Note that you can set up DNS at any time after the initial IPA
              server install by running ipa-dns-install (see
              ipa-dns-install(1)). IPA DNS cannot be uninstalled.


       --forwarder=IP_ADDRESS
              Add a DNS forwarder to the DNS configuration. You can use this
              option multiple times to specify more forwarders, but at least
              one must be provided, unless the --no-forwarders option is
              specified.

       --no-forwarders
              Do not add any DNS forwarders. Root DNS servers will be used
              instead.

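       The following shell script is an added example and is not part of
       ipa-server-install or the FreeIPA project. It turns two of the rules
       above into checks a deployer can run before an unattended install: the
       realm should be the upper-cased DNS domain (and the domain the
       lower-cased realm), and --setup-dns must be accompanied by at least one
       --forwarder or by --no-forwarders. The function names, the "none"
       marker and the sample values (192.0.2.x addresses, ipa.example.com) are
       the example's own. It prints the assembled command line rather than
       running it, and the -p/-a passwords required with -U are deliberately
       left out so they can be supplied without appearing in printed output.

```shell
#!/bin/sh
# Added example, not part of ipa-server-install. Pre-flight checks that
# mirror the -r/-n and --setup-dns/--forwarder rules from the man page.

# Return 0 if REALM is exactly the upper-cased DOMAIN and DOMAIN is the
# lower-cased REALM, as the -r and -n descriptions recommend.
ipa_names_consistent() {
    realm=$1
    domain=$2
    [ "$realm" = "$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')" ] &&
    [ "$domain" = "$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')" ]
}

# Assemble the argument list for an unattended install with integrated DNS
# and print it (the command is NOT executed). Returns 1 when the names are
# inconsistent or when --setup-dns is requested without a forwarder or
# --no-forwarders, the combination the man page says is required.
# Usage: ipa_install_cmd REALM DOMAIN HOSTNAME [forwarder...]
#   pass the literal word "none" as the only forwarder to get --no-forwarders.
# Note: -p DM_PASSWORD and -a ADMIN_PASSWORD are also required with -U;
# they are intentionally not included in the printed line.
ipa_install_cmd() {
    realm=$1; domain=$2; host=$3; shift 3
    ipa_names_consistent "$realm" "$domain" || {
        echo "realm/domain mismatch: $realm vs $domain" >&2; return 1; }
    cmd="ipa-server-install -U -r $realm -n $domain --hostname=$host --setup-dns"
    if [ $# -eq 0 ]; then
        echo "--setup-dns needs --forwarder=IP_ADDRESS or --no-forwarders" >&2
        return 1
    fi
    if [ "$1" = none ]; then
        cmd="$cmd --no-forwarders"
    else
        # One --forwarder per address, as the option may be repeated.
        for fwd in "$@"; do cmd="$cmd --forwarder=$fwd"; done
    fi
    printf '%s\n' "$cmd"
}

# Sample invocation with constructed values (RFC 5737 documentation range):
# ipa_install_cmd EXAMPLE.COM example.com ipa.example.com 192.0.2.53
```

       The realm check is strict in both directions on purpose: a mixed-case
       realm such as Example.COM is rejected even though it differs from the
       domain only in case, because the page's AD-trust requirement is the
       exact upper-cased form.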
       --auto-forwarders
              Add the DNS forwarders configured in /etc/resolv.conf to the list
              of forwarders used by IPA DNS.

       --forward-policy=first|only
              DNS forwarding policy for global forwarders specified using
              other options. Defaults to first if no IP address belonging to
              a private or reserved range (RFC 6303) is detected on local
              interfaces. Defaults to only if a private IP address is
              detected.

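       As an added example that is not part of ipa-server-install, the shell
       functions below reproduce the documented default of --forward-policy
       from a list of local interface addresses. The check is deliberately
       narrower than RFC 6303: it covers only the RFC 1918 private blocks,
       127.0.0.0/8 and 169.254.0.0/16, so an address in one of the other
       reserved ranges the installer would recognise is reported here as
       public. Function names and the sample addresses are the example's own.

```shell
#!/bin/sh
# Added example, not part of ipa-server-install. Derives the default
# --forward-policy ("only" if any local address is private/reserved,
# otherwise "first") using a subset of the RFC 6303 ranges.

# Return 0 if the dotted-quad IPv4 address in $1 is in a covered block:
# 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16.
ipv4_is_private() {
    oldifs=$IFS; IFS=.
    set -f; set -- $1; set +f        # split on dots, no pathname globbing
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do   # each octet must be 0..255
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    case "$1" in
        10|127) return 0 ;;                                   # /8 blocks
        192) [ "$2" -eq 168 ] && return 0 ;;                  # 192.168/16
        169) [ "$2" -eq 254 ] && return 0 ;;                  # 169.254/16
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;; # 172.16/12
    esac
    return 1
}

# Given the IPv4 addresses of local interfaces (one per argument), print the
# --forward-policy value the installer would default to.
default_forward_policy() {
    for addr in "$@"; do
        if ipv4_is_private "$addr"; then
            echo only
            return 0
        fi
    done
    echo first
}

# Sample use with constructed addresses: a host with one public (RFC 5737
# documentation range) and one RFC 1918 address defaults to "only".
# default_forward_policy 203.0.113.5 10.0.0.7
```

       On a real server the addresses would come from ip(8) or ifconfig(8)
       output; the point of the example is the decision, not the interface
       enumeration.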
       --reverse-zone=REVERSE_ZONE
              The reverse DNS zone to use. This option can be used multiple
              times to specify multiple reverse zones.

       --no-reverse
              Do not create a reverse DNS zone.

       --auto-reverse
              Try to resolve reverse records and reverse zones for server IP
              addresses. If neither is resolvable, create the reverse zones.

       --zonemgr
              The e-mail address of the DNS zone manager. Defaults to
              hostmaster@DOMAIN.

       --no-host-dns
              Do not use DNS for hostname lookup during installation.

       --no-dns-sshfp
              Do not automatically create DNS SSHFP records.

       --no-dnssec-validation
              Disable DNSSEC validation on this server.

       --allow-zone-overlap
              Allow creation of a (reverse) zone even if the zone is already
              resolvable. Using this option is discouraged as it results in
              later problems with domain name resolution.


   SID GENERATION OPTIONS
       --netbios-name=NETBIOS_NAME
              The NetBIOS name for the IPA domain. If not provided, this is
              determined based on the leading component of the DNS domain
              name. Running ipa-adtrust-install for a second time with a
              different NetBIOS name will change the name. Please note that
              changing the NetBIOS name might break existing trust
              relationships to other domains.

       --rid-base=RID_BASE
              First RID value of the local domain. The first POSIX ID of the
              local domain will be assigned to this RID, the second to RID+1
              etc. See the online help of the idrange CLI for details.

       --secondary-rid-base=SECONDARY_RID_BASE
              Start value of the secondary RID range, which is only used in
              the case a user and a group share numerically the same POSIX ID.
              See the online help of the idrange CLI for details.


   AD TRUST OPTIONS
       --setup-adtrust
              Configure AD Trust capability.

       --enable-compat
              Enables support for trusted domain users for old clients
              through the Schema Compatibility plugin. SSSD supports trusted
              domains natively starting with version 1.9. For platforms that
              lack SSSD or run an older SSSD version one needs to use this
              option. When enabled, the slapi-nis package needs to be
              installed and schema-compat-plugin will be configured to provide
              lookup of users and groups from trusted domains via SSSD on the
              IPA server. These users and groups will be available under the
              cn=users,cn=compat,$SUFFIX and cn=groups,cn=compat,$SUFFIX
              trees. SSSD will normalize names of users and groups to lower
              case.

              In addition to providing these users and groups through the
              compat tree, this option enables authentication over LDAP for
              trusted domain users with a DN under the compat tree, i.e. using
              the bind DN
              uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.

              LDAP authentication performed by the compat tree is done via the
              PAM 'system-auth' service. This service exists by default on
              Linux systems and is provided by the pam package as
              /etc/pam.d/system-auth. If your IPA install does not have the
              default HBAC rule 'allow_all' enabled, then make sure to define
              in IPA a special service called 'system-auth' and create an HBAC
              rule that allows anyone access to this service on IPA masters.

              As the 'system-auth' PAM service is not used directly by any
              other application, it is safe to use it for trusted domain users
              via the compatibility path.


   UNINSTALL OPTIONS
       --uninstall
              Uninstall an existing IPA installation.

       -U, --unattended
              An unattended uninstallation that will never prompt for user
              input.



DEPRECATED OPTIONS

       -P MASTER_PASSWORD, --master-password=MASTER_PASSWORD
              The Kerberos master password (normally autogenerated).



EXIT STATUS

       0 if the (un)installation was successful

       1 if an error occurred



SEE ALSO

       ipa-dns-install(1) ipa-adtrust-install(1)



IPA                               Feb 17 2017            ipa-server-install(1)