ipa-server-install(1)          IPA Manual Pages          ipa-server-install(1)

NAME

       ipa-server-install - Configure an IPA server

SYNOPSIS

       ipa-server-install [OPTION]...

DESCRIPTION

       Configures the services needed by an IPA server. This includes setting
       up a Kerberos Key Distribution Center (KDC) and a Kadmin daemon with an
       LDAP back-end, configuring Apache, configuring NTP and optionally
       configuring and starting an LDAP-backed DNS server. By default a
       dogtag-based CA will be configured to issue server certificates.


OPTIONS

   BASIC OPTIONS
       -r REALM_NAME, --realm=REALM_NAME
              The Kerberos realm name for the new IPA deployment.

              It is strongly recommended to use an upper-cased name of the
              primary DNS domain name of your IPA deployment. You will not be
              able to establish trust with Active Directory unless the realm
              name is the upper-cased domain name.

              The realm name cannot be changed after the installation.

       -n DOMAIN_NAME, --domain=DOMAIN_NAME
              The primary DNS domain of the IPA deployment, e.g. example.com.
              This DNS domain should contain the SRV records generated by the
              IPA server installer. The specified DNS domain must not contain
              DNS records of any other LDAP or Kerberos based management
              system (like Active Directory or MIT Kerberos).

              It is strongly recommended to use a lower-cased name of the IPA
              Kerberos realm name.

              The primary DNS domain name cannot be changed after the
              installation.

       -p DM_PASSWORD, --ds-password=DM_PASSWORD
              The password to be used by the Directory Server for the
              Directory Manager user.

       -a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
              The password for the IPA admin user.

       --mkhomedir
              Create home directories for users on their first login.

       --hostname=HOST_NAME
              The fully-qualified DNS name of this server.

       --ip-address=IP_ADDRESS
              The IP address of this server. If this address does not match
              the address the host resolves to and --setup-dns is not
              selected, the installation will fail. If the server hostname is
              not resolvable, a record for the hostname and IP_ADDRESS is
              added to /etc/hosts. This option can be used multiple times to
              specify more IP addresses of the server (e.g. multihomed and/or
              dualstacked server).

       --ntp-server=NTP_SERVER
              Configure chronyd to use this NTP server. This option can be
              used multiple times; each use specifies exactly one time
              server.

       --ntp-pool=NTP_SERVER_POOL
              Configure chronyd to use this NTP server pool. This option is
              meant for a pool of multiple servers resolved as one host name.
              The pool's servers may vary, but the pool address stays the
              same and chrony will choose only one server from this pool.

       -N, --no-ntp
              Do not configure the NTP client (chronyd).

       --idstart=IDSTART
              The starting user and group id number (default random).

       --idmax=IDMAX
              The maximum user and group id number (default: idstart+199999).
              If set to zero, the default value will be used.

       --no-hbac-allow
              Don't install the allow_all HBAC rule. This rule lets any user
              from any host access any service on any other host. It is
              expected that users will remove this rule before moving to
              production.

       --ignore-topology-disconnect
              Ignore errors reported when IPA server uninstall would lead to
              a disconnected topology.

       --ignore-last-of-role
              Ignore errors reported when IPA server uninstall would lead to
              removal of the last CA/DNS server or DNSSEC master.

       --no-ui-redirect
              Do not automatically redirect to the Web UI.

       --ssh-trust-dns
              Configure the OpenSSH client to trust DNS SSHFP records.

       --no-ssh
              Do not configure the OpenSSH client.

       --no-sshd
              Do not configure the OpenSSH server.

       --subid
              Configure SSSD as the data source for subid.

       -d, --debug
              Enable debug logging when more verbose output is needed.

       -U, --unattended
              An unattended installation that will never prompt for user
              input.

       --dirsrv-config-file
              The path to an LDIF file that will be used to modify the
              configuration of dse.ldif during installation of the directory
              server instance.

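       The realm/domain rule, the --idmax default and the --hostname
       expectation above are easy to get wrong in an unattended run, and the
       realm and domain cannot be changed afterwards. The following POSIX sh
       pre-flight script is an added example; it is not part of this manual
       page or of FreeIPA. The function names and the sample values
       (EXAMPLE.COM, ipa.example.com, idstart 100000) are this example's own
       assumptions.

```shell
#!/bin/sh
# Added example, not part of the ipa-server-install man page or of FreeIPA:
# pre-flight checks for the BASIC OPTIONS before an unattended install.
# The function names and the sample values (EXAMPLE.COM, ipa.example.com,
# idstart 100000) are this example's own assumptions.

# realm_matches_domain REALM DOMAIN
# Succeeds when REALM is exactly the upper-cased DOMAIN, the form the manual
# recommends and that an Active Directory trust requires.
realm_matches_domain() {
    [ "$1" = "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" ]
}

# default_idmax IDSTART
# Prints the --idmax the installer picks by default, idstart+199999.
default_idmax() {
    echo $(( $1 + 199999 ))
}

# hostname_in_domain HOST DOMAIN
# Succeeds when HOST is a fully-qualified name inside DOMAIN. A server name
# outside the primary domain is allowed by the installer (with --setup-dns it
# creates a zone for the server name), so callers treat a failure here as a
# warning rather than an error.
hostname_in_domain() {
    case $1 in
        *".$2") return 0 ;;
        *)      return 1 ;;
    esac
}

# build_install_cmd REALM DOMAIN HOST IDSTART
# Prints an ipa-server-install command line that passes the checks above,
# with --idmax made explicit so the ID range is recorded rather than derived
# from a random --idstart at install time. Prints the reason on stderr and
# returns 1 when the realm check fails. Passwords are deliberately left out:
# with -U the installer also needs -p and -a, otherwise it prompts, and
# secrets given on the command line are visible in process listings.
build_install_cmd() {
    realm=$1
    domain=$2
    host=$3
    idstart=$4
    if ! realm_matches_domain "$realm" "$domain"; then
        echo "realm '$realm' is not the upper-cased domain '$domain'" >&2
        return 1
    fi
    if ! hostname_in_domain "$host" "$domain"; then
        echo "warning: '$host' is outside '$domain'; --setup-dns would add a zone for it" >&2
    fi
    printf 'ipa-server-install --realm=%s --domain=%s --hostname=%s --idstart=%s --idmax=%s\n' \
        "$realm" "$domain" "$host" "$idstart" "$(default_idmax "$idstart")"
}

# Stand-alone demonstration with constructed values.
build_install_cmd EXAMPLE.COM example.com ipa.example.com 100000
```

       Run it once with the intended values; it prints the command line to
       review (and to paste into a change record) only when the realm is the
       upper-cased domain, which is also the precondition for a later AD
       trust.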
   CERTIFICATE SYSTEM OPTIONS
       --external-ca
              Generate a CSR for the IPA CA certificate to be signed by an
              external CA.

       --external-ca-type=TYPE
              Type of the external CA. Possible values are "generic", "ms-cs".
              Default value is "generic". Use "ms-cs" to include the template
              name required by Microsoft Certificate Services (MS CS) in the
              generated CSR (see --external-ca-profile for full details).

       --external-ca-profile=PROFILE_SPEC
              Specify the certificate profile or template to use at the
              external CA.

              When --external-ca-type is "ms-cs" the following specifiers may
              be used:

              <oid>:<majorVersion>[:<minorVersion>]
                     Specify a certificate template by OID and major version,
                     optionally also specifying minor version.

              <name> Specify a certificate template by name. The name cannot
                     contain any : characters and cannot be an OID (otherwise
                     the OID-based template specifier syntax takes
                     precedence).

              default
                     If no template is specified, the template name "SubCA" is
                     used.

       --external-cert-file=FILE
              File containing the IPA CA certificate and the external CA
              certificate chain. The file is accepted in PEM and DER
              certificate and PKCS#7 certificate chain formats. This option
              may be used multiple times.

       --no-pkinit
              Disables pkinit setup steps.

       --dirsrv-cert-file=FILE
              File containing the Directory Server SSL certificate and private
              key. The files are accepted in PEM and DER certificate, PKCS#7
              certificate chain, PKCS#8 and raw private key and PKCS#12
              formats. This option may be used multiple times.

       --http-cert-file=FILE
              File containing the Apache Server SSL certificate and private
              key. The files are accepted in PEM and DER certificate, PKCS#7
              certificate chain, PKCS#8 and raw private key and PKCS#12
              formats. This option may be used multiple times.

       --pkinit-cert-file=FILE
              File containing the Kerberos KDC SSL certificate and private
              key. The files are accepted in PEM and DER certificate, PKCS#7
              certificate chain, PKCS#8 and raw private key and PKCS#12
              formats. This option may be used multiple times.

       --dirsrv-pin=PIN
              The password to unlock the Directory Server private key.

       --http-pin=PIN
              The password to unlock the Apache Server private key.

       --pkinit-pin=PIN
              The password to unlock the Kerberos KDC private key.

       --dirsrv-cert-name=NAME
              Name of the Directory Server SSL certificate to install.

       --http-cert-name=NAME
              Name of the Apache Server SSL certificate to install.

       --pkinit-cert-name=NAME
              Name of the Kerberos KDC SSL certificate to install.

       --ca-cert-file=FILE
              File containing the CA certificate of the CA which issued the
              Directory Server, Apache Server and Kerberos KDC certificates.
              The file is accepted in PEM and DER certificate and PKCS#7
              certificate chain formats. This option may be used multiple
              times. Use this option if the CA certificate is not present in
              the certificate files.

       --pki-config-override=FILE
              File containing overrides for CA and KRA installation.

       --ca-subject=SUBJECT
              The CA certificate subject DN (default CN=Certificate
              Authority,O=REALM.NAME). RDNs are in LDAP order (most specific
              RDN first).

       --subject-base=SUBJECT
              The subject base for certificates issued by IPA (default
              O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).

       --ca-signing-algorithm=ALGORITHM
              Signing algorithm of the IPA CA certificate. Possible values are
              SHA1withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA.
              Default value is SHA256withRSA. Use this option with
              --external-ca if the external CA does not support the default
              signing algorithm.

   SECRET MANAGEMENT OPTIONS
       --setup-kra
              Install and configure a KRA on this server.

   DNS OPTIONS
       IPA provides an integrated DNS server which can be used to simplify IPA
       deployment. If you decide to use it, IPA will automatically maintain
       SRV and other service records when you change your topology.

       The DNS component in IPA is optional and you may choose to manage all
       your DNS records manually on another third party DNS server. IPA DNS is
       not a general-purpose DNS server. If you need advanced features like
       DNS views, do not deploy IPA DNS.

       --setup-dns
              Configure an integrated DNS server, create the DNS zone
              specified by --domain, and fill it with the service records
              necessary for IPA deployment. In cases where the IPA server
              name does not belong to the primary DNS domain and is not
              resolvable using DNS, create a DNS zone containing the IPA
              server name as well.

              This option requires that you either specify at least one DNS
              forwarder through the --forwarder option or use the
              --no-forwarders option.

              Note that you can set up DNS at any time after the initial IPA
              server install by running ipa-dns-install (see
              ipa-dns-install(1)). IPA DNS cannot be uninstalled.

       --forwarder=IP_ADDRESS
              Add a DNS forwarder to the DNS configuration. You can use this
              option multiple times to specify more forwarders, but at least
              one must be provided, unless the --no-forwarders option is
              specified.

       --no-forwarders
              Do not add any DNS forwarders. Root DNS servers will be used
              instead.

       --auto-forwarders
              Add the DNS forwarders configured in /etc/resolv.conf to the
              list of forwarders used by IPA DNS.

       --forward-policy=first|only
              DNS forwarding policy for global forwarders specified using
              other options. Defaults to first if no IP address belonging to
              a private or reserved range is detected on local interfaces
              (RFC 6303). Defaults to only if a private IP address is
              detected.

       --reverse-zone=REVERSE_ZONE
              The reverse DNS zone to use. This option can be used multiple
              times to specify multiple reverse zones.

       --no-reverse
              Do not create a reverse DNS zone.

       --auto-reverse
              Try to resolve reverse records and reverse zones for server IP
              addresses. If neither is resolvable, create the reverse zones.

       --zonemgr
              The e-mail address of the DNS zone manager. Defaults to
              hostmaster@DOMAIN.

       --no-host-dns
              Do not use DNS for hostname lookup during installation.

       --no-dns-sshfp
              Do not automatically create DNS SSHFP records.

       --no-dnssec-validation
              Disable DNSSEC validation on this server.

       --allow-zone-overlap
              Allow creation of a (reverse) zone even if the zone is already
              resolvable. Using this option is discouraged as it results in
              later problems with domain name resolution.

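       Two of the rules in this section are worth checking before an
       unattended run: --setup-dns must be accompanied by --forwarder or
       --no-forwarders, and the --forward-policy default depends on whether a
       private address is present, which decides whether queries may ever
       leave the forwarders and go to the root servers. The POSIX sh script
       below is an added example, not part of this manual page or of FreeIPA.
       Its function names and sample addresses are this example's own
       assumptions, and is_private_ipv4 approximates the installer's RFC 6303
       detection with the RFC 1918 ranges only.

```shell
#!/bin/sh
# Added example, not part of the ipa-server-install man page or of FreeIPA:
# sanity checks for the DNS OPTIONS of an unattended install. Function names
# and sample addresses are this example's own assumptions.

# is_private_ipv4 ADDRESS
# Succeeds for 10/8, 172.16/12 and 192.168/16. Assumption: a simplified
# stand-in for the installer's private/reserved range detection (RFC 6303
# lists more ranges than these RFC 1918 ones).
is_private_ipv4() {
    case $1 in
        10.*) return 0 ;;
        192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[0-1].*) return 0 ;;
        *) return 1 ;;
    esac
}

# default_forward_policy ADDRESS...
# Prints the --forward-policy the manual says the installer defaults to for
# the given local interface addresses: "only" when any address is private,
# "first" otherwise. Passing the value explicitly keeps the policy visible in
# the command line instead of depending on interface detection at run time.
default_forward_policy() {
    for ip in "$@"; do
        if is_private_ipv4 "$ip"; then
            echo only
            return 0
        fi
    done
    echo first
}

# check_dns_args ARG...
# Inspects a prepared ipa-server-install argument list and enforces the
# stated rule that --setup-dns needs at least one --forwarder=IP or the
# --no-forwarders option. --allow-zone-overlap is only warned about, since
# the manual discourages it rather than forbidding it.
check_dns_args() {
    setup_dns=0
    forwarders=0
    no_forwarders=0
    overlap=0
    for arg in "$@"; do
        case $arg in
            --setup-dns) setup_dns=1 ;;
            --forwarder=*) forwarders=$(( forwarders + 1 )) ;;
            --no-forwarders) no_forwarders=1 ;;
            --allow-zone-overlap) overlap=1 ;;
        esac
    done
    if [ "$setup_dns" -eq 1 ] && [ "$forwarders" -eq 0 ] && [ "$no_forwarders" -eq 0 ]; then
        echo "--setup-dns needs at least one --forwarder=IP_ADDRESS or --no-forwarders" >&2
        return 1
    fi
    if [ "$overlap" -eq 1 ]; then
        echo "warning: --allow-zone-overlap is discouraged; expect later name resolution problems" >&2
    fi
    return 0
}

# Stand-alone demonstration with constructed addresses (203.0.113.0/24 is
# documentation space, 10.0.0.5 is private).
default_forward_policy 203.0.113.10
default_forward_policy 203.0.113.10 10.0.0.5
check_dns_args --setup-dns --forwarder=192.0.2.53 \
    --forward-policy="$(default_forward_policy 10.0.0.5)"
```

       check_dns_args accepts the same argument list you would hand to
       ipa-server-install, so the check can sit in front of the real
       invocation in a deployment script.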
   SID GENERATION OPTIONS
       --netbios-name=NETBIOS_NAME
              The NetBIOS name for the IPA domain. If not provided, this is
              determined based on the leading component of the DNS domain
              name. Running ipa-adtrust-install for a second time with a
              different NetBIOS name will change the name. Please note that
              changing the NetBIOS name might break existing trust
              relationships to other domains.

       --rid-base=RID_BASE
              First RID value of the local domain. The first POSIX ID of the
              local domain will be assigned to this RID, the second to RID+1
              etc. See the online help of the idrange CLI for details.

       --secondary-rid-base=SECONDARY_RID_BASE
              Start value of the secondary RID range, which is only used in
              the case a user and a group share numerically the same POSIX ID.
              See the online help of the idrange CLI for details.

   AD TRUST OPTIONS
       --setup-adtrust
              Configure AD Trust capability.

       --enable-compat
              Enables support for trusted domain users for old clients
              through the Schema Compatibility plugin. SSSD supports trusted
              domains natively starting with version 1.9. For platforms that
              lack SSSD or run an older SSSD version, one needs to use this
              option. When enabled, the slapi-nis package needs to be
              installed and schema-compat-plugin will be configured to
              provide lookup of users and groups from trusted domains via
              SSSD on the IPA server. These users and groups will be
              available under the cn=users,cn=compat,$SUFFIX and
              cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of
              users and groups to lower case.

              In addition to providing these users and groups through the
              compat tree, this option enables authentication over LDAP for
              trusted domain users with a DN under the compat tree, i.e.
              using the bind DN
              uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.

              LDAP authentication performed by the compat tree is done via
              the PAM 'system-auth' service. This service exists by default
              on Linux systems and is provided by the pam package as
              /etc/pam.d/system-auth. If your IPA install does not have the
              default HBAC rule 'allow_all' enabled, then make sure to define
              in IPA a special service called 'system-auth' and create an
              HBAC rule that allows anyone access to this service on the IPA
              masters.

              As the 'system-auth' PAM service is not used directly by any
              other application, it is safe to use it for trusted domain
              users via the compatibility path.

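       The HBAC objects the --enable-compat description asks for, on a
       deployment that has removed allow_all, can be created with the ipa
       client as in the following POSIX sh script. It is an added example and
       not part of this manual page or of FreeIPA. It assumes the "ipa" CLI is
       installed and an administrator's Kerberos ticket is held; the rule name
       "compat_system_auth" and the use of the "ipaservers" host group to
       stand for "IPA masters" are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the ipa-server-install man page or of FreeIPA:
# the HBAC service and rule this section asks for when --enable-compat is
# used without the allow_all rule. Assumptions: the "ipa" CLI is installed
# and an administrator's Kerberos ticket is held; the rule name
# "compat_system_auth" and the "ipaservers" host group standing for "IPA
# masters" are this example's own choices.

# IPA_CMD=echo turns the script into a dry run that only prints the commands.
IPA_CMD=${IPA_CMD:-ipa}

# ensure_system_auth_hbac
# Defines the HBAC service "system-auth" and one rule that grants every user
# (usercat=all) access to that service on the IPA masters only, so the compat
# tree's LDAP binds keep working without the wide-open allow_all rule.
# Stops at the first failing ipa command and returns its status.
ensure_system_auth_hbac() {
    rule=compat_system_auth
    "$IPA_CMD" hbacsvc-add system-auth \
        --desc="PAM service used by the compat tree for LDAP binds" || return $?
    "$IPA_CMD" hbacrule-add "$rule" --usercat=all \
        --desc="Trusted domain users binding via cn=compat" || return $?
    "$IPA_CMD" hbacrule-add-service "$rule" --hbacsvcs=system-auth || return $?
    "$IPA_CMD" hbacrule-add-host "$rule" --hostgroups=ipaservers || return $?
}

# Apply only when asked, so running without arguments is a no-op.
if [ "${1:-}" = "--apply" ]; then
    ensure_system_auth_hbac
fi
```

       Review the commands first with IPA_CMD=echo sh script.sh --apply, then
       run the same line without IPA_CMD. The rule is deliberately scoped to
       the host group rather than to all hosts: the compat tree only performs
       these PAM authentications on the IPA masters themselves.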
   UNINSTALL OPTIONS
       --uninstall
              Uninstall an existing IPA installation.

       -U, --unattended
              An unattended uninstallation that will never prompt for user
              input.


DEPRECATED OPTIONS

       -P MASTER_PASSWORD, --master-password=MASTER_PASSWORD
              The Kerberos master password (normally autogenerated).


EXIT STATUS

       0 if the (un)installation was successful

       1 if an error occurred


SEE ALSO

       ipa-dns-install(1) ipa-adtrust-install(1)



IPA                               Feb 17 2017            ipa-server-install(1)