1ipa-client-install(1) IPA Manual Pages ipa-client-install(1)
2
3
4
6 ipa-client-install - Configure an IPA client
7
9 ipa-client-install [OPTION]...
10
12 Configures a client machine to use IPA for authentication and identity
13 services.
14
15 By default this configures SSSD to connect to an IPA server for authen‐
16 tication and authorization. Optionally one can instead configure PAM
17 and NSS (Name Switching Service) to work with an IPA server over Ker‐
18 beros and LDAP.
19
20 An authorized user is required to join a client machine to IPA. This
21 can take the form of a kerberos principal or a one-time password asso‐
22 ciated with the machine.
23
24 This same tool is used to unconfigure IPA and attempts to return the
25 machine to its previous state. Part of this process is to unenroll the
26 host from the IPA server. Unenrollment consists of disabling the prin‐
27 cipal key on the IPA server so that it may be re-enrolled. The machine
28 principal in /etc/krb5.keytab (host/<fqdn>@REALM) is used to authenti‐
29 cate to the IPA server to unenroll itself. If this principal does not
30 exist then unenrollment will fail and an administrator will need to
31 disable the host principal (ipa host-disable <fqdn>).
32
33
34 Assumptions
35 The ipa-client-install script assumes that the machine has already gen‐
36 erated SSH keys. It will not generate SSH keys of its own accord. If
37 SSH keys are not present (e.g. when running the ipa-client-install in a
38 kickstart, before ever running sshd), they will not be uploaded to the
39 client host entry on the server.
40
41
42 Hostname Requirements
43 Client must use a static hostname. If the machine hostname changes for
44 example due to a dynamic hostname assignment by a DHCP server, client
45 enrollment to IPA server breaks and user then would not be able to per‐
46 form Kerberos authentication.
47
48 --hostname option may be used to specify a static hostname that per‐
49 sists over reboot.
50
51
52 DNS Autodiscovery
53 Client installer by default tries to search for _ldap._tcp.DOMAIN DNS
54 SRV records for all domains that are parent to its hostname. For exam‐
55 ple, if a client machine has a hostname 'client1.lab.example.com', the
56 installer will try to retrieve an IPA server hostname from
57 _ldap._tcp.lab.example.com, _ldap._tcp.example.com and _ldap._tcp.com
58 DNS SRV records, respectively. The discovered domain is then used to
59 configure client components (e.g. SSSD and Kerberos 5 configuration) on
60 the machine.
61
62 When the client machine hostname is not in a subdomain of an IPA
63 server, its domain can be passed with --domain option. In that case,
64 both SSSD and Kerberos components have the domain set in the configura‐
65 tion files and will use it to autodiscover IPA servers.
66
67 Client machine can also be configured without a DNS autodiscovery at
68 all. When both --server and --domain options are used, client installer
69 will use the specified server and domain directly. --server option ac‐
70 cepts multiple server hostnames which can be used for failover mecha‐
71 nism. Without DNS autodiscovery, Kerberos is configured with a fixed
72 list of KDC and Admin servers. SSSD is still configured to either try
73 to read domain's SRV records or the specified fixed list of servers.
74 When --fixed-primary option is specified, SSSD will not try to read DNS
75 SRV record at all (see sssd-ipa(5) for details).
76
77
78 The Failover Mechanism
79 When some of the IPA servers is not available, client components are
80 able to fallback to other IPA replica and thus preserving a continued
81 service. When client machine is configured to use DNS SRV record au‐
82 todiscovery (no fixed server was passed to the installer), client com‐
83 ponents do the fallback automatically, based on the IPA server host‐
84 names and priorities discovered from the DNS SRV records.
85
86 If DNS autodiscovery is not available, clients should be configured at
87 least with a fixed list of IPA servers that can be used in case of a
88 failure. When only one IPA server is configured, IPA client services
89 will not be available in case of a failure of the IPA server. Please
90 note, that in case of a fixed list of IPA servers, the fixed server
91 lists in client components need to be updated when a new IPA server is
92 enrolled or a current IPA server is decommissioned.
93
94
95 Coexistence With Other Directory Servers
96 Other directory servers deployed in the network (e.g. Microsoft Active
97 Directory) may use the same DNS SRV records to denote hosts with a di‐
98 rectory service (_ldap._tcp.DOMAIN). Such DNS SRV records may break the
99 installation if the installer discovers these DNS records before it
100 finds DNS SRV records pointing to IPA servers. The installer would then
101 fail to discover the IPA server and exit with error.
102
103 In order to avoid the aforementioned DNS autodiscovery issues, the
104 client machine hostname should be in a domain with properly defined DNS
105 SRV records pointing to IPA servers, either manually with a custom DNS
106 server or with IPA DNS integrated solution. A second approach would be
107 to avoid autodiscovery and configure the installer to use a fixed list
108 of IPA server hostnames using the --server option and with a
109 --fixed-primary option disabling DNS SRV record autodiscovery in SSSD.
110
111
112 Re-enrollment of the host
113 Requirements:
114
115 1. Host has not been un-enrolled (the ipa-client-install --uninstall
116 command has not been run).
117 2. The host entry has not been disabled via the ipa host-disable com‐
118 mand.
119
120 If this has been the case, host can be re-enrolled using the usual
121 methods.
122
123 There are two method of authenticating a re-enrollment:
124
125 1. You can use --force-join option with ipa-client-install command.
126 This authenticates the re-enrollment using the admin's credentials pro‐
127 vided via the -w/--password option.
128 2. If providing the admin's password via the command line is not an op‐
129 tion (e.g. you want to create a script to re-enroll a host and keep the
130 admin's password secure), you can use backed up keytab from the previ‐
131 ous enrollment of this host to authenticate. See --keytab option.
132
133 Consequences of the re-enrollment on the host entry:
134
135 1. A new host certificate is issued
136 2. The old host certificate is revoked
137 3. New SSH keys are generated
138 4. ipaUniqueID is preserved
139
140
142 BASIC OPTIONS
143 --domain=DOMAIN
144 The primary DNS domain of an existing IPA deployment, e.g. exam‐
145 ple.com. This DNS domain should contain the SRV records gener‐
146 ated by the IPA server installer. Usually the name is a lower-
147 cased name of an IPA Kerberos realm name.
148
149 When no --server option is specified, this domain will be used
150 by the installer to discover all available servers via DNS SRV
151 record autodiscovery (see DNS Autodiscovery section for de‐
152 tails).
153
154 The default value used by the installer is the domain part of
155 the hostname. This option needs to be specified if the primary
156 IPA DNS domain is different from the default value.
157
158 --server=SERVER
159 Set the FQDN of the IPA server to connect to. May be specified
160 multiple times to add multiple servers to ipa_server value in
161 sssd.conf or krb5.conf. Only the first value is considered when
162 used with --no-sssd. When this option is used, DNS autodiscovery
163 for Kerberos is disabled and a fixed list of KDC and Admin
164 servers is configured.
165
166 Under normal circumstances, this option is not needed as the
167 list of servers is retrieved from the primary IPA DNS domain.
168
169 --realm=REALM_NAME
170 The Kerberos realm of an existing IPA deployment. Usually it is
171 an upper-cased name of the primary DNS domain used by the IPA
172 installation.
173
174 Under normal circumstances, this option is not needed as the
175 realm name is retrieved from the IPA server.
176
177 --fixed-primary
178 Configure SSSD to use a fixed server as the primary IPA server.
179 The default is to use DNS SRV records to determine the primary
180 server to use and fall back to the server the client is enrolled
181 with. When used in conjunction with --server then no _srv_ value
182 is set in the ipa_server option in sssd.conf.
183
184 -p, --principal
185 Authorized kerberos principal to use to join the IPA realm.
186
187 -w PASSWORD, --password=PASSWORD
188 Password for joining a machine to the IPA realm. Assumes bulk
189 password unless principal is also set.
190
191 -W Prompt for the password for joining a machine to the IPA realm.
192
193 -k, --keytab
194 Path to backed up host keytab from previous enrollment. Joins
195 the host even if it is already enrolled.
196
197 --mkhomedir
198 Configure PAM to create a users home directory if it does not
199 exist.
200
201 --hostname
202 The hostname of this machine (FQDN). If specified, the hostname
203 will be set and the system configuration will be updated to per‐
204 sist over reboot. By default the result of getfqdn() call from
205 Python's socket module is used.
206
207 --force-join
208 Join the host even if it is already enrolled.
209
210 --ntp-server=NTP_SERVER
211 Configure chronyd to use this NTP server. This option can be
212 used multiple times and it is used to specify exactly one time
213 server.
214
215 --ntp-pool=NTP_SERVER_POOL
216 Configure chronyd to use this NTP server pool. This option is
217 meant to be pool of multiple servers resolved as one host name.
218 This pool's servers may vary but pool address will be still same
219 and chrony will choose only one server from this pool.
220
221 -N, --no-ntp
222 Do not configure NTP client (chronyd).
223
224 --nisdomain=NIS_DOMAIN
225 Set the NIS domain name as specified. By default, this is set to
226 the IPA domain name.
227
228 --no-nisdomain
229 Do not configure NIS domain name.
230
231 --ssh-trust-dns
232 Configure OpenSSH client to trust DNS SSHFP records.
233
234 --no-ssh
235 Do not configure OpenSSH client.
236
237 --no-sshd
238 Do not configure OpenSSH server.
239
240 --no-sudo
241 Do not configure SSSD as a data source for sudo.
242
243 --no-dns-sshfp
244 Do not automatically create DNS SSHFP records.
245
246 --noac Do not use Authconfig to modify the nsswitch.conf and PAM con‐
247 figuration.
248
249 -f, --force
250 Force the settings even if errors occur
251
252 --kinit-attempts=KINIT_ATTEMPTS
253 In case of unresponsive KDC (e.g. when enrolling multiple hosts
254 at once in a heavy load environment) repeat the request for host
255 Kerberos ticket up to a total number of KINIT_ATTEMPTS times be‐
256 fore giving up and aborting client installation. Default number
257 of attempts is 5. The request is not repeated when there is a
258 problem with host credentials themselves (e.g. wrong keytab for‐
259 mat or invalid principal) so using this option will not lead to
260 account lockouts.
261
262 -d, --debug
263 Print debugging information to stdout
264
265 -U, --unattended
266 Unattended installation. The user will not be prompted.
267
268 --ca-cert-file=CA_FILE
269 Do not attempt to acquire the IPA CA certificate via automated
270 means, instead use the CA certificate found locally in in
271 CA_FILE. The CA_FILE must be an absolute path to a PEM format‐
272 ted certificate file. The CA certificate found in CA_FILE is
273 considered authoritative and will be installed without checking
274 to see if it's valid for the IPA domain.
275
276 --request-cert
277 DEPRECATED: The option is deprecated and will be removed in a
278 future release.
279
280 Request certificate for the machine. The certificate will be
281 stored in /etc/ipa/nssdb under the nickname "Local IPA host".
282
283 Using this option requires that D-Bus is properly configured or
284 not configured at all. In environment where this condition is
285 not met (e.g. anaconda kickstart chroot environment) set the
286 system bus address to /dev/null to enable workaround in ipa-
287 client-install.
288
289 # env DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null ipa-
290 client-install --request-cert
291
292 Note that requesting the certificate when certmonger is not run‐
293 ning only creates tracking request and the certmonger service
294 must be started to be able to track certificates.
295
296 --automount-location=LOCATION
297 Configure automount by running ipa-client-automount(1) with LO‐
298 CATION as automount location.
299
300 --configure-firefox
301 Configure Firefox to use IPA domain credentials.
302
303 --firefox-dir=DIR
304 Specify Firefox installation directory. For example:
305 '/usr/lib/firefox'
306
307 --ip-address=IP_ADDRESS
308 Use IP_ADDRESS in DNS A/AAAA record for this host. May be speci‐
309 fied multiple times to add multiple DNS records.
310
311 --all-ip-addresses
312 Create DNS A/AAAA record for each IP address on this host.
313
314
315 SSSD OPTIONS
316 --permit
317 Configure SSSD to permit all access. Otherwise the machine will
318 be controlled by the Host-based Access Controls (HBAC) on the
319 IPA server.
320
321 --enable-dns-updates
322 This option tells SSSD to automatically update DNS with the IP
323 address of this client. The default is to use GSS-TSIG. How‐
324 ever, if using GSS-TSIG fails for any reason at install time,
325 ipa-client-install will configure SSSD to use unauthenticated
326 nsupdates instead.
327
328 --no-krb5-offline-passwords
329 Configure SSSD not to store user password when the server is
330 offline.
331
332 -S, --no-sssd
333 Do not configure the client to use SSSD for authentication, use
334 nss_ldap instead.
335
336 --preserve-sssd
337 Disabled by default. When enabled, preserves old SSSD configura‐
338 tion if it is not possible to merge it with a new one. Effec‐
339 tively, if the merge is not possible due to SSSDConfig reader
340 encountering unsupported options, ipa-client-install will not
341 run further and ask to fix SSSD config first. When this option
342 is not specified, ipa-client-install will back up SSSD config
343 and create new one. The back up version will be restored during
344 uninstall.
345
346
347 UNINSTALL OPTIONS
348 --uninstall
349 Remove the IPA client software and restore the configuration to
350 the pre-IPA state.
351
352 -U, --unattended
353 Unattended uninstallation. The user will not be prompted.
354
355
357 Files that will be replaced if SSSD is configured (default):
358
359 /etc/sssd/sssd.conf
360
361 Files that will be replaced if they exist and SSSD is not configured
362 (--no-sssd):
363
364 /etc/ldap.conf
365 /etc/nss_ldap.conf
366 /etc/libnss-ldap.conf
367 /etc/pam_ldap.conf
368 /etc/nslcd.conf
369
370 Files replaced if NTP client (chronyd) configuration is enabled:
371
372 /etc/chrony.conf
373
374 Files always created (replacing existing content):
375
376 /etc/krb5.conf
377 /etc/ipa/ca.crt
378 /etc/ipa/default.conf
379 /etc/ipa/nssdb
380 /etc/openldap/ldap.conf
381 /etc/pki/ca-trust/source/ipa.p11-kit
382
383 Files updated, existing content is maintained:
384
385 /etc/nsswitch.conf
386 /etc/krb5.keytab
387 /etc/sysconfig/network
388
389
390 File updated, existing content is maintained if ssh is configured (de‐
391 fault):
392
393 /etc/ssh/ssh_config
394
395 File updated, existing content is maintained if sshd is configured (de‐
396 fault):
397
398 /etc/ssh/sshd_config
399
400
402 --request-cert
403
404
406 0 if the installation was successful
407
408 1 if an error occurred
409
410 2 if uninstalling and the client is not configured
411
412 3 if installing and the client is already configured
413
414 4 if an uninstall error occurred
415
416
418 ipa-client-automount(1), krb5.conf(5), sssd.conf(5)
419
420
421
422IPA Dec 19 2016 ipa-client-install(1)