1ipa-client-install(1)          IPA Manual Pages          ipa-client-install(1)
2
3
4

NAME

6       ipa-client-install - Configure an IPA client
7

SYNOPSIS

9       ipa-client-install [OPTION]...
10

DESCRIPTION

12       Configures  a client machine to use IPA for authentication and identity
13       services.
14
15       By default this configures SSSD to connect to an IPA server for authen‐
16       tication  and  authorization.  Optionally one can instead configure PAM
17       and NSS (Name Switching Service) to work with an IPA server  over  Ker‐
18       beros and LDAP.
19
20       An  authorized  user  is required to join a client machine to IPA. This
21       can take the form of a kerberos principal or a one-time password  asso‐
22       ciated with the machine.
23
24       This  same  tool  is used to unconfigure IPA and attempts to return the
25       machine to its previous state. Part of this process is to unenroll  the
26       host  from the IPA server. Unenrollment consists of disabling the prin‐
27       cipal key on the IPA server so that it may be re-enrolled. The  machine
28       principal  in /etc/krb5.keytab (host/<fqdn>@REALM) is used to authenti‐
29       cate to the IPA server to unenroll itself. If this principal  does  not
30       exist  then  unenrollment  will  fail and an administrator will need to
31       disable the host principal (ipa host-disable <fqdn>).
32
33
34   Assumptions
35       The ipa-client-install script assumes that the machine has already gen‐
36       erated  SSH  keys.  It will not generate SSH keys of its own accord. If
37       SSH keys are not present (e.g. when running the ipa-client-install in a
38       kickstart,  before ever running sshd), they will not be uploaded to the
39       client host entry on the server.
40
41
42   Hostname Requirements
43       Client must use a static hostname. If the machine hostname changes  for
44       example  due  to a dynamic hostname assignment by a DHCP server, client
45       enrollment to IPA server breaks and user then would not be able to per‐
46       form Kerberos authentication.
47
48       --hostname  option  may  be used to specify a static hostname that per‐
49       sists over reboot.
50
51
52   DNS Autodiscovery
53       Client installer by default tries to search for  _ldap._tcp.DOMAIN  DNS
54       SRV  records for all domains that are parent to its hostname. For exam‐
55       ple, if a client machine has a hostname 'client1.lab.example.com',  the
56       installer   will   try   to   retrieve  an  IPA  server  hostname  from
57       _ldap._tcp.lab.example.com, _ldap._tcp.example.com  and  _ldap._tcp.com
58       DNS  SRV  records,  respectively. The discovered domain is then used to
59       configure client components (e.g. SSSD and Kerberos 5 configuration) on
60       the machine.
61
62       When  the  client  machine  hostname  is  not  in a subdomain of an IPA
63       server, its domain can be passed with --domain option.  In  that  case,
64       both SSSD and Kerberos components have the domain set in the configura‐
65       tion files and will use it to autodiscover IPA servers.
66
67       Client machine can also be configured without a  DNS  autodiscovery  at
68       all. When both --server and --domain options are used, client installer
69       will use the specified server and domain directly. --server option  ac‐
70       cepts  multiple  server hostnames which can be used for failover mecha‐
71       nism. Without DNS autodiscovery, Kerberos is configured  with  a  fixed
72       list  of KDC and  Admin servers. SSSD is still configured to either try
73       to read domain's SRV records or the specified fixed  list  of  servers.
74       When --fixed-primary option is specified, SSSD will not try to read DNS
75       SRV record at all (see sssd-ipa(5) for details).
76
77
78   The Failover Mechanism
79       When some of the IPA servers is not available,  client  components  are
80       able  to  fallback to other IPA replica and thus preserving a continued
81       service. When client machine is configured to use DNS  SRV  record  au‐
82       todiscovery  (no fixed server was passed to the installer), client com‐
83       ponents do the fallback automatically, based on the  IPA  server  host‐
84       names and priorities discovered from the DNS SRV records.
85
86       If  DNS autodiscovery is not available, clients should be configured at
87       least with a fixed list of IPA servers that can be used in  case  of  a
88       failure.  When  only  one IPA server is configured, IPA client services
89       will not be available in case of a failure of the  IPA  server.  Please
90       note,  that  in  case  of a fixed list of IPA servers, the fixed server
91       lists in client components need to be updated when a new IPA server  is
92       enrolled or a current IPA server is decommissioned.
93
94
95   Coexistence With Other Directory Servers
96       Other  directory servers deployed in the network (e.g. Microsoft Active
97       Directory) may use the same DNS SRV records to denote hosts with a  di‐
98       rectory service (_ldap._tcp.DOMAIN). Such DNS SRV records may break the
99       installation if the installer discovers these  DNS  records  before  it
100       finds DNS SRV records pointing to IPA servers. The installer would then
101       fail to discover the IPA server and exit with error.
102
103       In order to avoid the  aforementioned  DNS  autodiscovery  issues,  the
104       client machine hostname should be in a domain with properly defined DNS
105       SRV records pointing to IPA servers, either manually with a custom  DNS
106       server  or with IPA DNS integrated solution. A second approach would be
107       to avoid autodiscovery and configure the installer to use a fixed  list
108       of   IPA  server  hostnames  using  the  --server  option  and  with  a
109       --fixed-primary option disabling DNS SRV record autodiscovery in SSSD.
110
111
112   Re-enrollment of the host
113       Requirements:
114
115       1. Host has not been un-enrolled  (the  ipa-client-install  --uninstall
116       command has not been run).
117       2.  The  host entry has not been disabled via the ipa host-disable com‐
118       mand.
119
120       If this has been the case, host can  be  re-enrolled  using  the  usual
121       methods.
122
123       There are two method of authenticating a re-enrollment:
124
125       1.  You  can  use  --force-join option with ipa-client-install command.
126       This authenticates the re-enrollment using the admin's credentials pro‐
127       vided via the -w/--password option.
128       2. If providing the admin's password via the command line is not an op‐
129       tion (e.g. you want to create a script to re-enroll a host and keep the
130       admin's  password secure), you can use backed up keytab from the previ‐
131       ous enrollment of this host to authenticate. See --keytab option.
132
133       Consequences of the re-enrollment on the host entry:
134
135       1. A new host certificate is issued
136       2. The old host certificate is revoked
137       3. New SSH keys are generated
138       4. ipaUniqueID is preserved
139
140

OPTIONS

142   BASIC OPTIONS
143       --domain=DOMAIN
144              The primary DNS domain of an existing IPA deployment, e.g. exam‐
145              ple.com.  This  DNS domain should contain the SRV records gener‐
146              ated by the IPA server installer. Usually the name is  a  lower-
147              cased name of an IPA Kerberos realm name.
148
149              When  no  --server option is specified, this domain will be used
150              by the installer to discover all available servers via  DNS  SRV
151              record  autodiscovery  (see  DNS  Autodiscovery  section for de‐
152              tails).
153
154              The default value used by the installer is the  domain  part  of
155              the  hostname.  This option needs to be specified if the primary
156              IPA DNS domain is different from the default value.
157
158       --server=SERVER
159              Set the FQDN of the IPA server to connect to. May  be  specified
160              multiple  times  to  add multiple servers to ipa_server value in
161              sssd.conf or krb5.conf. Only the first value is considered  when
162              used with --no-sssd. When this option is used, DNS autodiscovery
163              for Kerberos is disabled and a  fixed  list  of  KDC  and  Admin
164              servers is configured.
165
166              Under  normal  circumstances,  this  option is not needed as the
167              list of servers is retrieved from the primary IPA DNS domain.
168
169       --realm=REALM_NAME
170              The Kerberos realm of an existing IPA deployment. Usually it  is
171              an  upper-cased  name  of the primary DNS domain used by the IPA
172              installation.
173
174              Under normal circumstances, this option is  not  needed  as  the
175              realm name is retrieved from the IPA server.
176
177       --fixed-primary
178              Configure  SSSD to use a fixed server as the primary IPA server.
179              The default is to use DNS SRV records to determine  the  primary
180              server to use and fall back to the server the client is enrolled
181              with. When used in conjunction with --server then no _srv_ value
182              is set in the ipa_server option in sssd.conf.
183
184       -p, --principal
185              Authorized kerberos principal to use to join the IPA realm.
186
187       -w PASSWORD, --password=PASSWORD
188              Password  for  joining  a machine to the IPA realm. Assumes bulk
189              password unless principal is also set.
190
191       -W     Prompt for the password for joining a machine to the IPA realm.
192
193       -k, --keytab
194              Path to backed up host keytab from  previous  enrollment.  Joins
195              the host even if it is already enrolled.
196
197       --mkhomedir
198              Configure  PAM  to  create a users home directory if it does not
199              exist.
200
201       --hostname
202              The hostname of this machine (FQDN). If specified, the  hostname
203              will be set and the system configuration will be updated to per‐
204              sist over reboot. By default the result of getfqdn()  call  from
205              Python's socket module is used.
206
207       --force-join
208              Join the host even if it is already enrolled.
209
210       --ntp-server=NTP_SERVER
211              Configure  chronyd  to  use  this NTP server. This option can be
212              used multiple times and it is used to specify exactly  one  time
213              server.
214
215       --ntp-pool=NTP_SERVER_POOL
216              Configure  chronyd  to  use this NTP server pool. This option is
217              meant to be pool of multiple servers resolved as one host  name.
218              This pool's servers may vary but pool address will be still same
219              and chrony will choose only one server from this pool.
220
221       -N, --no-ntp
222              Do not configure NTP client (chronyd).
223
224       --nisdomain=NIS_DOMAIN
225              Set the NIS domain name as specified. By default, this is set to
226              the IPA domain name.
227
228       --no-nisdomain
229              Do not configure NIS domain name.
230
231       --ssh-trust-dns
232              Configure OpenSSH client to trust DNS SSHFP records.
233
234       --no-ssh
235              Do not configure OpenSSH client.
236
237       --no-sshd
238              Do not configure OpenSSH server.
239
240       --no-sudo
241              Do not configure SSSD as a data source for sudo.
242
243       --no-dns-sshfp
244              Do not automatically create DNS SSHFP records.
245
246       --noac Do  not  use Authconfig to modify the nsswitch.conf and PAM con‐
247              figuration.
248
249       -f, --force
250              Force the settings even if errors occur
251
252       --kinit-attempts=KINIT_ATTEMPTS
253              In case of unresponsive KDC (e.g. when enrolling multiple  hosts
254              at once in a heavy load environment) repeat the request for host
255              Kerberos ticket up to a total number of KINIT_ATTEMPTS times be‐
256              fore  giving up and aborting client installation. Default number
257              of attempts is 5. The request is not repeated when  there  is  a
258              problem with host credentials themselves (e.g. wrong keytab for‐
259              mat or invalid principal) so using this option will not lead  to
260              account lockouts.
261
262       -d, --debug
263              Print debugging information to stdout
264
265       -U, --unattended
266              Unattended installation. The user will not be prompted.
267
268       --ca-cert-file=CA_FILE
269              Do  not  attempt to acquire the IPA CA certificate via automated
270              means, instead use  the  CA  certificate  found  locally  in  in
271              CA_FILE.   The CA_FILE must be an absolute path to a PEM format‐
272              ted certificate file. The CA certificate  found  in  CA_FILE  is
273              considered  authoritative and will be installed without checking
274              to see if it's valid for the IPA domain.
275
276       --request-cert
277              DEPRECATED: The option is deprecated and will be  removed  in  a
278              future release.
279
280              Request  certificate  for  the  machine. The certificate will be
281              stored in /etc/ipa/nssdb under the nickname "Local IPA host".
282
283              Using this option requires that D-Bus is properly configured  or
284              not  configured  at  all. In environment where this condition is
285              not met (e.g. anaconda kickstart  chroot  environment)  set  the
286              system  bus  address  to  /dev/null to enable workaround in ipa-
287              client-install.
288
289                  #   env   DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null   ipa-
290              client-install --request-cert
291
292              Note that requesting the certificate when certmonger is not run‐
293              ning only creates tracking request and  the  certmonger  service
294              must be started to be able to track certificates.
295
296       --automount-location=LOCATION
297              Configure  automount by running ipa-client-automount(1) with LO‐
298              CATION as automount location.
299
300       --configure-firefox
301              Configure Firefox to use IPA domain credentials.
302
303       --firefox-dir=DIR
304              Specify   Firefox   installation   directory.    For    example:
305              '/usr/lib/firefox'
306
307       --ip-address=IP_ADDRESS
308              Use IP_ADDRESS in DNS A/AAAA record for this host. May be speci‐
309              fied multiple times to add multiple DNS records.
310
311       --all-ip-addresses
312              Create DNS A/AAAA record for each IP address on this host.
313
314
315   SSSD OPTIONS
316       --permit
317              Configure SSSD to permit all access. Otherwise the machine  will
318              be  controlled  by  the Host-based Access Controls (HBAC) on the
319              IPA server.
320
321       --enable-dns-updates
322              This option tells SSSD to automatically update DNS with  the  IP
323              address  of  this  client.  The default is to use GSS-TSIG. How‐
324              ever, if using GSS-TSIG fails for any reason  at  install  time,
325              ipa-client-install  will  configure  SSSD to use unauthenticated
326              nsupdates instead.
327
328       --no-krb5-offline-passwords
329              Configure SSSD not to store user password  when  the  server  is
330              offline.
331
332       -S, --no-sssd
333              Do  not configure the client to use SSSD for authentication, use
334              nss_ldap instead.
335
336       --preserve-sssd
337              Disabled by default. When enabled, preserves old SSSD configura‐
338              tion  if  it  is not possible to merge it with a new one. Effec‐
339              tively, if the merge is not possible due  to  SSSDConfig  reader
340              encountering  unsupported  options,  ipa-client-install will not
341              run further and ask to fix SSSD config first. When  this  option
342              is  not  specified,  ipa-client-install will back up SSSD config
343              and create new one. The back up version will be restored  during
344              uninstall.
345
346
347   UNINSTALL OPTIONS
348       --uninstall
349              Remove  the IPA client software and restore the configuration to
350              the pre-IPA state.
351
352       -U, --unattended
353              Unattended uninstallation. The user will not be prompted.
354
355

FILES

357       Files that will be replaced if SSSD is configured (default):
358
359              /etc/sssd/sssd.conf
360
361       Files that will be replaced if they exist and SSSD  is  not  configured
362       (--no-sssd):
363
364              /etc/ldap.conf
365              /etc/nss_ldap.conf
366              /etc/libnss-ldap.conf
367              /etc/pam_ldap.conf
368              /etc/nslcd.conf
369
370       Files replaced if NTP client (chronyd) configuration is enabled:
371
372              /etc/chrony.conf
373
374       Files always created (replacing existing content):
375
376              /etc/krb5.conf
377              /etc/ipa/ca.crt
378              /etc/ipa/default.conf
379              /etc/ipa/nssdb
380              /etc/openldap/ldap.conf
381              /etc/pki/ca-trust/source/ipa.p11-kit
382
383       Files updated, existing content is maintained:
384
385              /etc/nsswitch.conf
386              /etc/krb5.keytab
387              /etc/sysconfig/network
388
389
390       File  updated, existing content is maintained if ssh is configured (de‐
391       fault):
392
393              /etc/ssh/ssh_config
394
395       File updated, existing content is maintained if sshd is configured (de‐
396       fault):
397
398              /etc/ssh/sshd_config
399
400

DEPRECATED OPTIONS

402       --request-cert
403
404

EXIT STATUS

406       0 if the installation was successful
407
408       1 if an error occurred
409
410       2 if uninstalling and the client is not configured
411
412       3 if installing and the client is already configured
413
414       4 if an uninstall error occurred
415
416

SEE ALSO

418       ipa-client-automount(1), krb5.conf(5), sssd.conf(5)
419
420
421
422IPA                               Dec 19 2016            ipa-client-install(1)
Impressum