ipa-server-install(1)          IPA Manual Pages          ipa-server-install(1)

NAME
       ipa-server-install - Configure an IPA server

SYNOPSIS
       ipa-server-install [OPTION]...

DESCRIPTION
       Configures the services needed by an IPA server. This includes setting up a Kerberos Key Distribution Center (KDC) and a Kadmin daemon with an LDAP back-end, configuring Apache, configuring NTP and optionally configuring and starting an LDAP-backed DNS server. By default a dogtag-based CA will be configured to issue server certificates.

OPTIONS
   BASIC OPTIONS
       -r REALM_NAME, --realm=REALM_NAME
              The Kerberos realm name for the new IPA deployment.

              It is strongly recommended to use the upper-cased form of the primary DNS domain name of your IPA deployment. You will not be able to establish a trust with Active Directory unless the realm name is the upper-cased domain name.

              The realm name cannot be changed after the installation.

       -n DOMAIN_NAME, --domain=DOMAIN_NAME
              The primary DNS domain of the IPA deployment, e.g. example.com. This DNS domain should contain the SRV records generated by the IPA server installer. The specified DNS domain must not contain DNS records of any other LDAP or Kerberos based management system (like Active Directory or MIT Kerberos).

              It is strongly recommended to use the lower-cased form of the IPA Kerberos realm name.

              The primary DNS domain name cannot be changed after the installation.

       -p DM_PASSWORD, --ds-password=DM_PASSWORD
              The password to be used by the Directory Server for the Directory Manager user.

       -a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
              The password for the IPA admin user.

       --mkhomedir
              Create home directories for users on their first login.

       --hostname=HOST_NAME
              The fully-qualified DNS name of this server.

       --ip-address=IP_ADDRESS
              The IP address of this server. If this address does not match the address the host resolves to and --setup-dns is not selected, the installation will fail. If the server hostname is not resolvable, a record for the hostname and IP_ADDRESS is added to /etc/hosts. This option can be used multiple times to specify additional IP addresses of the server (e.g. a multihomed and/or dual-stacked server).

       --ntp-server=NTP_SERVER
              Configure chronyd to use this NTP server. This option can be used multiple times; each occurrence specifies exactly one time server.

       --ntp-pool=NTP_SERVER_POOL
              Configure chronyd to use this NTP server pool. A pool is a set of multiple servers resolved through a single host name. The servers behind the pool may vary while the pool address stays the same, and chrony will choose only one server from this pool.

       -N, --no-ntp
              Do not configure the NTP client (chronyd).

       --idstart=IDSTART
              The starting user and group id number (default: random).

       --idmax=IDMAX
              The maximum user and group id number (default: idstart+199999). If set to zero, the default value will be used.

       --no-hbac-allow
              Don't install the allow_all HBAC rule. This rule lets any user from any host access any service on any other host. It is expected that users will remove this rule before moving to production.

       --ignore-topology-disconnect
              Ignore errors reported when the IPA server uninstall would lead to a disconnected topology.

       --ignore-last-of-role
              Ignore errors reported when the IPA server uninstall would lead to the removal of the last CA/DNS server or DNSSEC master.

       --no-ui-redirect
              Do not automatically redirect to the Web UI.

       --ssh-trust-dns
              Configure the OpenSSH client to trust DNS SSHFP records.

       --no-ssh
              Do not configure the OpenSSH client.

       --no-sshd
              Do not configure the OpenSSH server.

       --subid
              Configure SSSD as the data source for subid.

       -d, --debug
              Enable debug logging when more verbose output is needed.

       -U, --unattended
              An unattended installation that will never prompt for user input.

       --dirsrv-config-file
              The path to the LDIF file that will be used to modify the configuration of dse.ldif during installation of the directory server instance.

   CERTIFICATE SYSTEM OPTIONS
       --external-ca
              Generate a CSR for the IPA CA certificate to be signed by an external CA.

       --external-ca-type=TYPE
              Type of the external CA. Possible values are "generic", "ms-cs". Default value is "generic". Use "ms-cs" to include the template name required by Microsoft Certificate Services (MS CS) in the generated CSR (see --external-ca-profile for full details).

       --external-ca-profile=PROFILE_SPEC
              Specify the certificate profile or template to use at the external CA.

              When --external-ca-type is "ms-cs" the following specifiers may be used:

              <oid>:<majorVersion>[:<minorVersion>]
                     Specify a certificate template by OID and major version, optionally also specifying the minor version.

              <name> Specify a certificate template by name. The name cannot contain any ':' characters and cannot be an OID (otherwise the OID-based template specifier syntax takes precedence).

              default
                     If no template is specified, the template name "SubCA" is used.
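As an added illustration, not part of this man page and not FreeIPA's own code, the hypothetical helper `parse_ms_cs_profile` below applies the three specifier forms just listed the way the text describes them: an OID with a major and optional minor version, a bare name that may not contain ':' and may not itself be an OID, and the "SubCA" default when no template is given. The two MS CS request-extension OIDs it reports are facts about Microsoft Certificate Services, not values taken from this page; the sample specifiers in the demo are constructed.

```python
"""Parse the --external-ca-profile specifier used with --external-ca-type=ms-cs.

Hypothetical helper, not FreeIPA's own code. It applies the three forms the
man page lists: <oid>:<majorVersion>[:<minorVersion>], a bare <name>, and
the "SubCA" default when no template is given.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Dotted-decimal OID: first arc 0, 1 or 2, then one or more arcs without
# leading zeros (so "1.2.3" matches but "1" and "1.02" do not).
_OID_RE = re.compile(r"^[0-2](\.(0|[1-9][0-9]*))+$")

# Well-known Microsoft CS request extension OIDs (facts about MS CS, not
# taken from the man page): v1 templates are selected by name, v2 templates
# by OID plus version.
TEMPLATE_NAME_EXT_OID = "1.3.6.1.4.1.311.20.2"   # szOID_ENROLL_CERTTYPE_EXTENSION
TEMPLATE_INFO_EXT_OID = "1.3.6.1.4.1.311.21.7"   # szOID_CERTIFICATE_TEMPLATE


@dataclass(frozen=True)
class MSCSTemplate:
    """A parsed template specifier: either by name (v1) or by OID (v2)."""
    kind: str                      # "name" or "oid"
    name: Optional[str] = None
    oid: Optional[str] = None
    major: Optional[int] = None
    minor: Optional[int] = None

    @property
    def csr_extension_oid(self) -> str:
        """OID of the CSR extension that would carry this template specifier."""
        return TEMPLATE_NAME_EXT_OID if self.kind == "name" else TEMPLATE_INFO_EXT_OID


def _parse_version(text: str, label: str) -> int:
    # str.isdigit() rejects "", "-1" and "1.0", so a trailing ":" also fails here.
    if not text.isdigit():
        raise ValueError(f"{label} version must be a non-negative integer, got {text!r}")
    return int(text)


def parse_ms_cs_profile(spec: Optional[str]) -> MSCSTemplate:
    """Parse PROFILE_SPEC as given to --external-ca-profile for an MS CS CA."""
    if not spec:
        # default: no template given, the MS CS "SubCA" template is used
        return MSCSTemplate(kind="name", name="SubCA")

    parts = spec.split(":")
    if len(parts) == 1:
        # <name> form: no ":" characters, and it must not itself be an OID,
        # because the OID-based syntax takes precedence over a name.
        if _OID_RE.match(spec):
            raise ValueError(
                f"{spec!r} is an OID; specify it as <oid>:<majorVersion>[:<minorVersion>]")
        return MSCSTemplate(kind="name", name=spec)

    if len(parts) > 3:
        raise ValueError(f"too many ':' separators in {spec!r}")
    oid, major_text = parts[0], parts[1]
    if not _OID_RE.match(oid):
        raise ValueError(f"{oid!r} is not a valid dotted-decimal OID")
    major = _parse_version(major_text, "major")
    minor = _parse_version(parts[2], "minor") if len(parts) == 3 else None
    return MSCSTemplate(kind="oid", oid=oid, major=major, minor=minor)


if __name__ == "__main__":
    # Constructed sample specifiers, not taken from any real CA.
    for sample in (None, "SubCA",
                   "1.3.6.1.4.1.311.21.8.1234567.1:100",
                   "1.3.6.1.4.1.311.21.8.1234567.1:100:3"):
        print(repr(sample), "->", parse_ms_cs_profile(sample))
```

A pre-flight check of this kind rejects a specifier the external CA would refuse (a template name with a stray ':', a bare OID without its major version, a non-numeric version) before the installer generates the CSR and the operator walks it over to the MS CS enrollment interface.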

       --external-cert-file=FILE
              File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.

       --no-pkinit
              Disables the pkinit setup steps.

       --dirsrv-cert-file=FILE
              File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.

       --http-cert-file=FILE
              File containing the Apache Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.

       --pkinit-cert-file=FILE
              File containing the Kerberos KDC SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.

       --dirsrv-pin=PIN
              The password to unlock the Directory Server private key.

       --http-pin=PIN
              The password to unlock the Apache Server private key.

       --pkinit-pin=PIN
              The password to unlock the Kerberos KDC private key.

       --dirsrv-cert-name=NAME
              Name of the Directory Server SSL certificate to install.

       --http-cert-name=NAME
              Name of the Apache Server SSL certificate to install.

       --pkinit-cert-name=NAME
              Name of the Kerberos KDC SSL certificate to install.

       --ca-cert-file=FILE
              File containing the CA certificate of the CA which issued the Directory Server, Apache Server and Kerberos KDC certificates. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. Use this option if the CA certificate is not present in the certificate files.

       --pki-config-override=FILE
              File containing overrides for CA and KRA installation.

       --ca-subject=SUBJECT
              The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).

       --subject-base=SUBJECT
              The subject base for certificates issued by IPA (default O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).

       --ca-signing-algorithm=ALGORITHM
              Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.

   SECRET MANAGEMENT OPTIONS
       --setup-kra
              Install and configure a KRA on this server.

   DNS OPTIONS
       IPA provides an integrated DNS server which can be used to simplify IPA deployment. If you decide to use it, IPA will automatically maintain SRV and other service records when you change your topology.

       The DNS component in IPA is optional and you may choose to manage all your DNS records manually on another third party DNS server. IPA DNS is not a general-purpose DNS server. If you need advanced features like DNS views, do not deploy IPA DNS.

       --setup-dns
              Configure an integrated DNS server, create the DNS zone specified by --domain, and fill it with the service records necessary for IPA deployment. In cases where the IPA server name does not belong to the primary DNS domain and is not resolvable using DNS, create a DNS zone containing the IPA server name as well.

              This option requires that you either specify at least one DNS forwarder through the --forwarder option or use the --no-forwarders option.

              Note that you can set up DNS at any time after the initial IPA server install by running ipa-dns-install (see ipa-dns-install(1)). IPA DNS cannot be uninstalled.

       --forwarder=IP_ADDRESS
              Add a DNS forwarder to the DNS configuration. You can use this option multiple times to specify more forwarders, but at least one must be provided, unless the --no-forwarders option is specified.

       --no-forwarders
              Do not add any DNS forwarders. Root DNS servers will be used instead.

       --auto-forwarders
              Add the DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS.

       --forward-policy=first|only
              DNS forwarding policy for the global forwarders specified using other options. Defaults to first if no IP address belonging to a private or reserved range (RFC 6303) is detected on local interfaces. Defaults to only if a private IP address is detected.
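The default-selection rule above, as an added example that is not part of the man page and is not FreeIPA's own implementation: `default_forward_policy` (a hypothetical name) takes the server's interface addresses as plain strings, constructed here rather than read from the host so it runs offline, and returns "only" when any non-loopback address falls in an RFC 6303 block, otherwise "first". The block list is transcribed from RFC 6303's locally served zones, and skipping loopback addresses is an assumption of this example, since every host carries one.

```python
"""Derive the default --forward-policy as the man page describes it: "first"
unless an address in a private or reserved range listed in RFC 6303 is found
on a local interface, in which case "only".

Added illustration, not FreeIPA's code. Assumptions: the RFC 6303 range list
below is transcribed from the RFC's locally served zones; local addresses are
passed in (constructed in the demo) rather than read from the system; loopback
addresses are skipped because every host has one and it says nothing about
the surrounding network.
"""
import ipaddress
from typing import Iterable, List, Tuple

# RFC 6303 section 4: blocks whose reverse zones a resolver should answer
# locally. A host numbered from one of these sits on a network the public
# root servers cannot resolve, hence a forwarding policy of "only".
RFC6303_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",      # RFC 1918 private
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",         # "this" net, loopback, link-local
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",  # documentation prefixes
    "255.255.255.255/32",                                 # limited broadcast
    "::/128", "::1/128",                                  # unspecified, loopback
    "fd00::/8",                                           # locally assigned ULA
    "fe80::/10",                                          # IPv6 link-local
    "2001:db8::/32",                                      # IPv6 documentation prefix
)]


def in_rfc6303_range(address: str) -> bool:
    """True if ADDRESS (optionally written with a /prefix) is in an RFC 6303 block."""
    ip = ipaddress.ip_interface(address).ip
    return any(ip in net for net in RFC6303_RANGES)


def default_forward_policy(local_addresses: Iterable[str]) -> Tuple[str, List[str]]:
    """Return (policy, flagged): policy is "only" if any non-loopback local
    address lies in an RFC 6303 range, otherwise "first"; flagged lists the
    addresses that triggered "only" so the decision can be logged."""
    flagged = []
    for address in local_addresses:
        ip = ipaddress.ip_interface(address).ip
        if ip.is_loopback:
            continue  # assumption of this example: loopback never decides the policy
        if any(ip in net for net in RFC6303_RANGES):
            flagged.append(str(ip))
    return ("only" if flagged else "first"), flagged


if __name__ == "__main__":
    # Constructed interface addresses, in the form `ip addr` would list them.
    for ifaces in (["127.0.0.1/8", "192.168.10.5/24", "2001:db8::10/64"],
                   ["127.0.0.1/8", "::1/128", "100.64.0.12/10"]):
        policy, hits = default_forward_policy(ifaces)
        print(ifaces, "->", policy, hits)
```

RFC 6303 is narrower than Python's `ipaddress` `is_private`: shared address space 100.64.0.0/10 (RFC 6598) is not in the RFC 6303 list, so under this reading a server numbered from it still defaults to first. When the derived default does not match how the network is actually resolved, pass --forward-policy explicitly rather than relying on detection.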

       --reverse-zone=REVERSE_ZONE
              The reverse DNS zone to use. This option can be used multiple times to specify multiple reverse zones.

       --no-reverse
              Do not create a reverse DNS zone.

       --auto-reverse
              Try to resolve reverse records and reverse zones for the server IP addresses. If neither is resolvable, create the reverse zones.

       --zonemgr
              The e-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN.

       --no-host-dns
              Do not use DNS for hostname lookup during installation.

       --no-dns-sshfp
              Do not automatically create DNS SSHFP records.

       --no-dnssec-validation
              Disable DNSSEC validation on this server.

       --allow-zone-overlap
              Allow creation of a (reverse) zone even if the zone is already resolvable. Using this option is discouraged as it results in later problems with domain name resolution.

   SID GENERATION OPTIONS
       --netbios-name=NETBIOS_NAME
              The NetBIOS name for the IPA domain. If not provided, this is determined based on the leading component of the DNS domain name. Running ipa-adtrust-install for a second time with a different NetBIOS name will change the name. Please note that changing the NetBIOS name might break existing trust relationships to other domains.

       --rid-base=RID_BASE
              First RID value of the local domain. The first POSIX ID of the local domain will be assigned to this RID, the second to RID+1 etc. See the online help of the idrange CLI for details.

       --secondary-rid-base=SECONDARY_RID_BASE
              Start value of the secondary RID range, which is only used in the case a user and a group share numerically the same POSIX ID. See the online help of the idrange CLI for details.

   AD TRUST OPTIONS
       --setup-adtrust
              Configure AD Trust capability.

       --enable-compat
              Enables support for trusted domain users for old clients through the Schema Compatibility plugin. SSSD supports trusted domains natively starting with version 1.9. For platforms that lack SSSD or run an older SSSD version, this option is needed. When enabled, the slapi-nis package needs to be installed and schema-compat-plugin will be configured to provide lookup of users and groups from trusted domains via SSSD on the IPA server. These users and groups will be available under the cn=users,cn=compat,$SUFFIX and cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of users and groups to lower case.

              In addition to providing these users and groups through the compat tree, this option enables authentication over LDAP for trusted domain users with a DN under the compat tree, i.e. using the bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.

              LDAP authentication performed by the compat tree is done via the PAM 'system-auth' service. This service exists by default on Linux systems and is provided by the pam package as /etc/pam.d/system-auth. If your IPA install does not have the default HBAC rule 'allow_all' enabled, then make sure to define in IPA a special service called 'system-auth' and create an HBAC rule that allows anyone access to this service on IPA masters.

              As the 'system-auth' PAM service is not used directly by any other application, it is safe to use it for trusted domain users via the compatibility path.

   UNINSTALL OPTIONS
       --uninstall
              Uninstall an existing IPA installation.

       -U, --unattended
              An unattended uninstallation that will never prompt for user input.

   DEPRECATED OPTIONS
       -P MASTER_PASSWORD, --master-password=MASTER_PASSWORD
              The Kerberos master password (normally autogenerated).

EXIT STATUS
       0 if the (un)installation was successful

       1 if an error occurred

SEE ALSO
       ipa-dns-install(1), ipa-adtrust-install(1)

IPA                              Feb 17 2017              ipa-server-install(1)