1ipa-client-install(1) IPA Manual Pages ipa-client-install(1)
2
3
4
6 ipa-client-install - Configure an IPA client
7
9 ipa-client-install [OPTION]...
10
12 Configures a client machine to use IPA for authentication and identity
13 services.
14
15 By default this configures SSSD to connect to an IPA server for authen‐
16 tication and authorization. Optionally one can instead configure PAM
17 and NSS (Name Switching Service) to work with an IPA server over Ker‐
18 beros and LDAP.
19
20 An authorized user is required to join a client machine to IPA. This
21 can take the form of a kerberos principal or a one-time password asso‐
22 ciated with the machine.
23
24 This same tool is used to unconfigure IPA and attempts to return the
25 machine to its previous state. Part of this process is to unenroll the
26 host from the IPA server. Unenrollment consists of disabling the prin‐
27 cipal key on the IPA server so that it may be re-enrolled. The machine
28 principal in /etc/krb5.keytab (host/<fqdn>@REALM) is used to authenti‐
29 cate to the IPA server to unenroll itself. If this principal does not
30 exist then unenrollment will fail and an administrator will need to
31 disable the host principal (ipa host-disable <fqdn>).
32
33
34 Assumptions
35 The ipa-client-install script assumes that the machine has already gen‐
36 erated SSH keys. It will not generate SSH keys of its own accord. If
37 SSH keys are not present (e.g. when running the ipa-client-install in a
38 kickstart, before ever running sshd), they will not be uploaded to the
39 client host entry on the server.
40
41
42 Hostname Requirements
43 Client must use a static hostname. If the machine hostname changes for
44 example due to a dynamic hostname assignment by a DHCP server, client
45 enrollment to IPA server breaks and user then would not be able to per‐
46 form Kerberos authentication.
47
48 --hostname option may be used to specify a static hostname that per‐
49 sists over reboot.
50
51
52 DNS Autodiscovery
53 Client installer by default tries to search for _ldap._tcp.DOMAIN DNS
54 SRV records for all domains that are parent to its hostname. For exam‐
55 ple, if a client machine has a hostname 'client1.lab.example.com', the
56 installer will try to retrieve an IPA server hostname from
57 _ldap._tcp.lab.example.com, _ldap._tcp.example.com and _ldap._tcp.com
58 DNS SRV records, respectively. The discovered domain is then used to
59 configure client components (e.g. SSSD and Kerberos 5 configuration) on
60 the machine.
61
62 When the client machine hostname is not in a subdomain of an IPA
63 server, its domain can be passed with --domain option. In that case,
64 both SSSD and Kerberos components have the domain set in the configura‐
65 tion files and will use it to autodiscover IPA servers.
66
67 Client machine can also be configured without a DNS autodiscovery at
68 all. When both --server and --domain options are used, client installer
69 will use the specified server and domain directly. --server option ac‐
70 cepts multiple server hostnames which can be used for failover mecha‐
71 nism. Without DNS autodiscovery, Kerberos is configured with a fixed
72 list of KDC and Admin servers. SSSD is still configured to either try
73 to read domain's SRV records or the specified fixed list of servers.
74 When --fixed-primary option is specified, SSSD will not try to read DNS
75 SRV record at all (see sssd-ipa(5) for details).
76
77
78 The Failover Mechanism
79 When some of the IPA servers is not available, client components are
80 able to fallback to other IPA replica and thus preserving a continued
81 service. When client machine is configured to use DNS SRV record au‐
82 todiscovery (no fixed server was passed to the installer), client com‐
83 ponents do the fallback automatically, based on the IPA server host‐
84 names and priorities discovered from the DNS SRV records.
85
86 If DNS autodiscovery is not available, clients should be configured at
87 least with a fixed list of IPA servers that can be used in case of a
88 failure. When only one IPA server is configured, IPA client services
89 will not be available in case of a failure of the IPA server. Please
90 note, that in case of a fixed list of IPA servers, the fixed server
91 lists in client components need to be updated when a new IPA server is
92 enrolled or a current IPA server is decommissioned.
93
94
95 Coexistence With Other Directory Servers
96 Other directory servers deployed in the network (e.g. Microsoft Active
97 Directory) may use the same DNS SRV records to denote hosts with a di‐
98 rectory service (_ldap._tcp.DOMAIN). Such DNS SRV records may break the
99 installation if the installer discovers these DNS records before it
100 finds DNS SRV records pointing to IPA servers. The installer would then
101 fail to discover the IPA server and exit with error.
102
103 In order to avoid the aforementioned DNS autodiscovery issues, the
104 client machine hostname should be in a domain with properly defined DNS
105 SRV records pointing to IPA servers, either manually with a custom DNS
106 server or with IPA DNS integrated solution. A second approach would be
107 to avoid autodiscovery and configure the installer to use a fixed list
108 of IPA server hostnames using the --server option and with a
109 --fixed-primary option disabling DNS SRV record autodiscovery in SSSD.
110
111
112 Re-enrollment of the host
113 Requirements:
114
115 1. Host has not been un-enrolled (the ipa-client-install --uninstall
116 command has not been run).
117 2. The host entry has not been disabled via the ipa host-disable com‐
118 mand.
119
120 If this has been the case, host can be re-enrolled using the usual
121 methods.
122
123 There are two method of authenticating a re-enrollment:
124
125 1. You can use --force-join option with ipa-client-install command.
126 This authenticates the re-enrollment using the admin's credentials pro‐
127 vided via the -w/--password option.
128 2. If providing the admin's password via the command line is not an op‐
129 tion (e.g. you want to create a script to re-enroll a host and keep the
130 admin's password secure), you can use backed up keytab from the previ‐
131 ous enrollment of this host to authenticate. See --keytab option.
132
133 Consequences of the re-enrollment on the host entry:
134
135 1. A new host certificate is issued
136 2. The old host certificate is revoked
137 3. New SSH keys are generated
138 4. ipaUniqueID is preserved
139
140
142 BASIC OPTIONS
143 --domain=DOMAIN
144 The primary DNS domain of an existing IPA deployment, e.g. exam‐
145 ple.com. This DNS domain should contain the SRV records gener‐
146 ated by the IPA server installer. Usually the name is a lower-
147 cased name of an IPA Kerberos realm name.
148
149 When no --server option is specified, this domain will be used
150 by the installer to discover all available servers via DNS SRV
151 record autodiscovery (see DNS Autodiscovery section for de‐
152 tails).
153
154 The default value used by the installer is the domain part of
155 the hostname. This option needs to be specified if the primary
156 IPA DNS domain is different from the default value.
157
158 --server=SERVER
159 Set the FQDN of the IPA server to connect to. May be specified
160 multiple times to add multiple servers to ipa_server value in
161 sssd.conf or krb5.conf. Only the first value is considered when
162 used with --no-sssd. When this option is used, DNS autodiscovery
163 for Kerberos is disabled and a fixed list of KDC and Admin
164 servers is configured.
165
166 Under normal circumstances, this option is not needed as the
167 list of servers is retrieved from the primary IPA DNS domain.
168
169 --realm=REALM_NAME
170 The Kerberos realm of an existing IPA deployment. Usually it is
171 an upper-cased name of the primary DNS domain used by the IPA
172 installation.
173
174 Under normal circumstances, this option is not needed as the
175 realm name is retrieved from the IPA server.
176
177 --fixed-primary
178 Configure SSSD to use a fixed server as the primary IPA server.
179 The default is to use DNS SRV records to determine the primary
180 server to use and fall back to the server the client is enrolled
181 with. When used in conjunction with --server then no _srv_ value
182 is set in the ipa_server option in sssd.conf.
183
184 -p, --principal
185 Authorized kerberos principal to use to join the IPA realm.
186
187 -w PASSWORD, --password=PASSWORD
188 Password for joining a machine to the IPA realm. Assumes bulk
189 password unless principal is also set.
190
191 -W Prompt for the password for joining a machine to the IPA realm.
192
193 -k, --keytab
194 Path to backed up host keytab from previous enrollment. Joins
195 the host even if it is already enrolled.
196
197 --mkhomedir
198 Configure PAM to create a users home directory if it does not
199 exist.
200
201 --hostname
202 The hostname of this machine (FQDN). If specified, the hostname
203 will be set and the system configuration will be updated to per‐
204 sist over reboot. By default the result of getfqdn() call from
205 Python's socket module is used.
206
207 --force-join
208 Join the host even if it is already enrolled.
209
210 --ntp-server=NTP_SERVER
211 Configure chronyd to use this NTP server. This option can be
212 used multiple times and it is used to specify exactly one time
213 server.
214
215 --ntp-pool=NTP_SERVER_POOL
216 Configure chronyd to use this NTP server pool. This option is
217 meant to be pool of multiple servers resolved as one host name.
218 This pool's servers may vary but pool address will be still same
219 and chrony will choose only one server from this pool.
220
221 -N, --no-ntp
222 Do not configure NTP client (chronyd).
223
224 --nisdomain=NIS_DOMAIN
225 Set the NIS domain name as specified. By default, this is set to
226 the IPA domain name.
227
228 --no-nisdomain
229 Do not configure NIS domain name.
230
231 --ssh-trust-dns
232 Configure OpenSSH client to trust DNS SSHFP records.
233
234 --no-ssh
235 Do not configure OpenSSH client.
236
237 --no-sshd
238 Do not configure OpenSSH server.
239
240 --no-sudo
241 Do not configure SSSD as a data source for sudo.
242
243 --subid
244 Configure SSSD as data source for subid.
245
246 --no-dns-sshfp
247 Do not automatically create DNS SSHFP records.
248
249 --noac Do not use Authconfig to modify the nsswitch.conf and PAM con‐
250 figuration.
251
252 -f, --force
253 Force the settings even if errors occur
254
255 --kinit-attempts=KINIT_ATTEMPTS
256 In case of unresponsive KDC (e.g. when enrolling multiple hosts
257 at once in a heavy load environment) repeat the request for host
258 Kerberos ticket up to a total number of KINIT_ATTEMPTS times be‐
259 fore giving up and aborting client installation. Default number
260 of attempts is 5. The request is not repeated when there is a
261 problem with host credentials themselves (e.g. wrong keytab for‐
262 mat or invalid principal) so using this option will not lead to
263 account lockouts.
264
265 -d, --debug
266 Print debugging information to stdout
267
268 -U, --unattended
269 Unattended installation. The user will not be prompted.
270
271 --ca-cert-file=CA_FILE
272 Do not attempt to acquire the IPA CA certificate via automated
273 means, instead use the CA certificate found locally in in
274 CA_FILE. The CA_FILE must be an absolute path to a PEM format‐
275 ted certificate file. The CA certificate found in CA_FILE is
276 considered authoritative and will be installed without checking
277 to see if it's valid for the IPA domain.
278
279 --request-cert
280 DEPRECATED: The option is deprecated and will be removed in a
281 future release.
282
283 Request certificate for the machine. The certificate will be
284 stored in /etc/ipa/nssdb under the nickname "Local IPA host".
285
286 Using this option requires that D-Bus is properly configured or
287 not configured at all. In environment where this condition is
288 not met (e.g. anaconda kickstart chroot environment) set the
289 system bus address to /dev/null to enable workaround in ipa-
290 client-install.
291
292 # env DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null ipa-
293 client-install --request-cert
294
295 Note that requesting the certificate when certmonger is not run‐
296 ning only creates tracking request and the certmonger service
297 must be started to be able to track certificates.
298
299 --automount-location=LOCATION
300 Configure automount by running ipa-client-automount(1) with LO‐
301 CATION as automount location.
302
303 --configure-firefox
304 Configure Firefox to use IPA domain credentials.
305
306 --firefox-dir=DIR
307 Specify Firefox installation directory. For example:
308 '/usr/lib/firefox'
309
310 --ip-address=IP_ADDRESS
311 Use IP_ADDRESS in DNS A/AAAA record for this host. May be speci‐
312 fied multiple times to add multiple DNS records.
313
314 --all-ip-addresses
315 Create DNS A/AAAA record for each IP address on this host.
316
317
318 SSSD OPTIONS
319 --permit
320 Configure SSSD to permit all access. Otherwise the machine will
321 be controlled by the Host-based Access Controls (HBAC) on the
322 IPA server.
323
324 --enable-dns-updates
325 This option tells SSSD to automatically update DNS with the IP
326 address of this client. The default is to use GSS-TSIG. How‐
327 ever, if using GSS-TSIG fails for any reason at install time,
328 ipa-client-install will configure SSSD to use unauthenticated
329 nsupdates instead.
330
331 --no-krb5-offline-passwords
332 Configure SSSD not to store user password when the server is
333 offline.
334
335 -S, --no-sssd
336 Do not configure the client to use SSSD for authentication, use
337 nss_ldap instead.
338
339 --preserve-sssd
340 Disabled by default. When enabled, preserves old SSSD configura‐
341 tion if it is not possible to merge it with a new one. Effec‐
342 tively, if the merge is not possible due to SSSDConfig reader
343 encountering unsupported options, ipa-client-install will not
344 run further and ask to fix SSSD config first. When this option
345 is not specified, ipa-client-install will back up SSSD config
346 and create new one. The back up version will be restored during
347 uninstall.
348
349
350 UNINSTALL OPTIONS
351 --uninstall
352 Remove the IPA client software and restore the configuration to
353 the pre-IPA state.
354
355 -U, --unattended
356 Unattended uninstallation. The user will not be prompted.
357
358
360 Files that will be replaced if SSSD is configured (default):
361
362 /etc/sssd/sssd.conf
363
364 Files that will be replaced if they exist and SSSD is not configured
365 (--no-sssd):
366
367 /etc/ldap.conf
368 /etc/nss_ldap.conf
369 /etc/libnss-ldap.conf
370 /etc/pam_ldap.conf
371 /etc/nslcd.conf
372
373 Files replaced if NTP client (chronyd) configuration is enabled:
374
375 /etc/chrony.conf
376
377 Files always created (replacing existing content):
378
379 /etc/krb5.conf
380 /etc/ipa/ca.crt
381 /etc/ipa/default.conf
382 /etc/ipa/nssdb
383 /etc/openldap/ldap.conf
384 /etc/pki/ca-trust/source/ipa.p11-kit
385
386 Files updated, existing content is maintained:
387
388 /etc/nsswitch.conf
389 /etc/krb5.keytab
390 /etc/sysconfig/network
391
392
393 File updated, existing content is maintained if ssh is configured (de‐
394 fault):
395
396 /etc/ssh/ssh_config
397
398 File updated, existing content is maintained if sshd is configured (de‐
399 fault):
400
401 /etc/ssh/sshd_config
402
403
405 --request-cert
406
407
409 0 if the installation was successful
410
411 1 if an error occurred
412
413 2 if uninstalling and the client is not configured
414
415 3 if installing and the client is already configured
416
417 4 if an uninstall error occurred
418
419
421 ipa-client-automount(1), krb5.conf(5), sssd.conf(5)
422
423
424
425IPA Dec 19 2016 ipa-client-install(1)