1ipa-client-install(1) IPA Manual Pages ipa-client-install(1)
2
6 ipa-client-install - Configure an IPA client
7
9 ipa-client-install [OPTION]...
10
12 Configures a client machine to use IPA for authentication and identity
13 services.
14 By default this configures SSSD to connect to an IPA server for authen‐
16 tication and authorization. Optionally one can instead configure PAM
17 and NSS (Name Switching Service) to work with an IPA server over Ker‐
18 beros and LDAP.
19 An authorized account is required to join a client machine to IPA. This
21 can take the form of a kerberos principal, a one-time password associ‐
22 ated with the machine, or PKINIT identity associated with the machine.
23 This same tool is used to unconfigure IPA and attempts to return the
25 machine to its previous state. Part of this process is to unenroll the
26 host from the IPA server. Unenrollment consists of disabling the prin‐
27 cipal key on the IPA server so that it may be re-enrolled. The machine
28 principal in /etc/krb5.keytab (host/<fqdn>@REALM) is used to authenti‐
29 cate to the IPA server to unenroll itself. If this principal does not
30 exist then unenrollment will fail and an administrator will need to
31 disable the host principal (ipa host-disable <fqdn>).
32 Assumptions
35 The ipa-client-install script assumes that the machine has already gen‐
36 erated SSH keys. It will not generate SSH keys of its own accord. If
37 SSH keys are not present (e.g. when running the ipa-client-install in a
38 kickstart, before ever running sshd), they will not be uploaded to the
39 client host entry on the server.
40 Hostname Requirements
43 Client must use a static hostname. If the machine hostname changes for
44 example due to a dynamic hostname assignment by a DHCP server, client
45 enrollment to IPA server breaks and user then would not be able to per‐
46 form Kerberos authentication.
47 --hostname option may be used to specify a static hostname that per‐
49 sists over reboot.
50 DNS Autodiscovery
53 Client installer by default tries to search for _ldap._tcp.DOMAIN DNS
54 SRV records for all domains that are parent to its hostname. For exam‐
55 ple, if a client machine has a hostname 'client1.lab.example.com', the
56 installer will try to retrieve an IPA server hostname from
57 _ldap._tcp.lab.example.com, _ldap._tcp.example.com and _ldap._tcp.com
58 DNS SRV records, respectively. The discovered domain is then used to
59 configure client components (e.g. SSSD and Kerberos 5 configuration) on
60 the machine.
61 When the client machine hostname is not in a subdomain of an IPA
63 server, its domain can be passed with --domain option. In that case,
64 both SSSD and Kerberos components have the domain set in the configura‐
65 tion files and will use it to autodiscover IPA servers.
66 Client machine can also be configured without a DNS autodiscovery at
68 all. When both --server and --domain options are used, client installer
69 will use the specified server and domain directly. --server option ac‐
70 cepts multiple server hostnames which can be used for failover mecha‐
71 nism. Without DNS autodiscovery, Kerberos is configured with a fixed
72 list of KDC and Admin servers. SSSD is still configured to either try
73 to read domain's SRV records or the specified fixed list of servers.
74 When --fixed-primary option is specified, SSSD will not try to read DNS
75 SRV record at all (see sssd-ipa(5) for details).
76 The Failover Mechanism
79 When some of the IPA servers is not available, client components are
80 able to fallback to other IPA replica and thus preserving a continued
81 service. When client machine is configured to use DNS SRV record au‐
82 todiscovery (no fixed server was passed to the installer), client com‐
83 ponents do the fallback automatically, based on the IPA server host‐
84 names and priorities discovered from the DNS SRV records.
85 If DNS autodiscovery is not available, clients should be configured at
87 least with a fixed list of IPA servers that can be used in case of a
88 failure. When only one IPA server is configured, IPA client services
89 will not be available in case of a failure of the IPA server. Please
90 note, that in case of a fixed list of IPA servers, the fixed server
91 lists in client components need to be updated when a new IPA server is
92 enrolled or a current IPA server is decommissioned.
93 Coexistence With Other Directory Servers
96 Other directory servers deployed in the network (e.g. Microsoft Active
97 Directory) may use the same DNS SRV records to denote hosts with a di‐
98 rectory service (_ldap._tcp.DOMAIN). Such DNS SRV records may break the
99 installation if the installer discovers these DNS records before it
100 finds DNS SRV records pointing to IPA servers. The installer would then
101 fail to discover the IPA server and exit with error.
102 In order to avoid the aforementioned DNS autodiscovery issues, the
104 client machine hostname should be in a domain with properly defined DNS
105 SRV records pointing to IPA servers, either manually with a custom DNS
106 server or with IPA DNS integrated solution. A second approach would be
107 to avoid autodiscovery and configure the installer to use a fixed list
108 of IPA server hostnames using the --server option and with a
109 --fixed-primary option disabling DNS SRV record autodiscovery in SSSD.
110 Re-enrollment of the host
113 Requirements:
114 1. Host has not been un-enrolled (the ipa-client-install --uninstall
116 command has not been run).
117 2. The host entry has not been disabled via the ipa host-disable com‐
118 mand.
119 If this has been the case, host can be re-enrolled using the usual
121 methods.
122 There are two method of authenticating a re-enrollment:
124 1. You can use --force-join option with ipa-client-install command.
126 This authenticates the re-enrollment using the admin's credentials pro‐
127 vided via the -w/--password option.
128 2. If providing the admin's password via the command line is not an op‐
129 tion (e.g. you want to create a script to re-enroll a host and keep the
130 admin's password secure), you can use backed up keytab from the previ‐
131 ous enrollment of this host to authenticate. See --keytab option.
132 Consequences of the re-enrollment on the host entry:
134 1. A new host certificate is issued
136 2. The old host certificate is revoked
137 3. New SSH keys are generated
138 4. ipaUniqueID is preserved
139
142 BASIC OPTIONS
143 --domain=DOMAIN
144 The primary DNS domain of an existing IPA deployment, e.g. exam‐
145 ple.com. This DNS domain should contain the SRV records gener‐
146 ated by the IPA server installer. Usually the name is a lower-
147 cased name of an IPA Kerberos realm name.
148 When no --server option is specified, this domain will be used
150 by the installer to discover all available servers via DNS SRV
151 record autodiscovery (see DNS Autodiscovery section for de‐
152 tails).
153 The default value used by the installer is the domain part of
155 the hostname. This option needs to be specified if the primary
156 IPA DNS domain is different from the default value.
157 --server=SERVER
159 Set the FQDN of the IPA server to connect to. May be specified
160 multiple times to add multiple servers to ipa_server value in
161 sssd.conf or krb5.conf. Only the first value is considered when
162 used with --no-sssd. When this option is used, DNS autodiscovery
163 for Kerberos is disabled and a fixed list of KDC and Admin
164 servers is configured.
165 Under normal circumstances, this option is not needed as the
167 list of servers is retrieved from the primary IPA DNS domain.
168 --realm=REALM_NAME
170 The Kerberos realm of an existing IPA deployment. Usually it is
171 an upper-cased name of the primary DNS domain used by the IPA
172 installation.
173 Under normal circumstances, this option is not needed as the
175 realm name is retrieved from the IPA server.
176 --fixed-primary
178 Configure SSSD to use a fixed server as the primary IPA server.
179 The default is to use DNS SRV records to determine the primary
180 server to use and fall back to the server the client is enrolled
181 with. When used in conjunction with --server then no _srv_ value
182 is set in the ipa_server option in sssd.conf.
183 -p, --principal
185 Authorized kerberos principal to use to join the IPA realm.
186 -w PASSWORD, --password=PASSWORD
188 Password for joining a machine to the IPA realm. Assumes bulk
189 password unless principal is also set.
190 -W Prompt for the password for joining a machine to the IPA realm.
192 -k, --keytab
194 Path to backed up host keytab from previous enrollment. Joins
195 the host even if it is already enrolled.
196 --mkhomedir
198 Configure PAM to create a users home directory if it does not
199 exist.
200 --hostname
202 The hostname of this machine (FQDN). If specified, the hostname
203 will be set and the system configuration will be updated to per‐
204 sist over reboot. By default the result of getfqdn() call from
205 Python's socket module is used.
206 --force-join
208 Join the host even if it is already enrolled.
209 --ntp-server=NTP_SERVER
211 Configure chronyd to use this NTP server. This option can be
212 used multiple times and it is used to specify exactly one time
213 server.
214 --ntp-pool=NTP_SERVER_POOL
216 Configure chronyd to use this NTP server pool. This option is
217 meant to be pool of multiple servers resolved as one host name.
218 This pool's servers may vary but pool address will be still same
219 and chrony will choose only one server from this pool.
220 -N, --no-ntp
222 Do not configure NTP client (chronyd).
223 --nisdomain=NIS_DOMAIN
225 Set the NIS domain name as specified. By default, this is set to
226 the IPA domain name.
227 --no-nisdomain
229 Do not configure NIS domain name.
230 --ssh-trust-dns
232 Configure OpenSSH client to trust DNS SSHFP records.
233 --no-ssh
235 Do not configure OpenSSH client.
236 --no-sshd
238 Do not configure OpenSSH server.
239 --no-sudo
241 Do not configure SSSD as a data source for sudo.
242 --subid
244 Configure SSSD as data source for subid.
245 --no-dns-sshfp
247 Do not automatically create DNS SSHFP records.
248 --noac Do not use Authconfig to modify the nsswitch.conf and PAM con‐
250 figuration.
251 -f, --force
253 Force the settings even if errors occur
254 --kinit-attempts=KINIT_ATTEMPTS
256 In case of unresponsive KDC (e.g. when enrolling multiple hosts
257 at once in a heavy load environment) repeat the request for host
258 Kerberos ticket up to a total number of KINIT_ATTEMPTS times be‐
259 fore giving up and aborting client installation. Default number
260 of attempts is 5. The request is not repeated when there is a
261 problem with host credentials themselves (e.g. wrong keytab for‐
262 mat or invalid principal) so using this option will not lead to
263 account lockouts.
264 -d, --debug
266 Print debugging information to stdout
267 -U, --unattended
269 Unattended installation. The user will not be prompted.
270 --ca-cert-file=CA_FILE
272 Do not attempt to acquire the IPA CA certificate via automated
273 means, instead use the CA certificate found locally in in
274 CA_FILE. The CA_FILE must be an absolute path to a PEM format‐
275 ted certificate file. The CA certificate found in CA_FILE is
276 considered authoritative and will be installed without checking
277 to see if it's valid for the IPA domain.
278 --request-cert
280 DEPRECATED: The option is deprecated and will be removed in a
281 future release.
282 Request certificate for the machine. The certificate will be
284 stored in /etc/ipa/nssdb under the nickname "Local IPA host".
285 Using this option requires that D-Bus is properly configured or
287 not configured at all. In environment where this condition is
288 not met (e.g. anaconda kickstart chroot environment) set the
289 system bus address to /dev/null to enable workaround in ipa-
290 client-install.
291 # env DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null ipa-
293 client-install --request-cert
294 Note that requesting the certificate when certmonger is not run‐
296 ning only creates tracking request and the certmonger service
297 must be started to be able to track certificates.
298 --automount-location=LOCATION
300 Configure automount by running ipa-client-automount(1) with LO‐
301 CATION as automount location.
302 --configure-firefox
304 Configure Firefox to use IPA domain credentials.
305 --firefox-dir=DIR
307 Specify Firefox installation directory. For example:
308 '/usr/lib/firefox'
309 --ip-address=IP_ADDRESS
311 Use IP_ADDRESS in DNS A/AAAA record for this host. May be speci‐
312 fied multiple times to add multiple DNS records.
313 --all-ip-addresses
315 Create DNS A/AAAA record for each IP address on this host.
316 SSSD OPTIONS
319 --permit
320 Configure SSSD to permit all access. Otherwise the machine will
321 be controlled by the Host-based Access Controls (HBAC) on the
322 IPA server.
323 --enable-dns-updates
325 This option tells SSSD to automatically update DNS with the IP
326 address of this client. The default is to use GSS-TSIG. How‐
327 ever, if using GSS-TSIG fails for any reason at install time,
328 ipa-client-install will configure SSSD to use unauthenticated
329 nsupdates instead.
330 --no-krb5-offline-passwords
332 Configure SSSD not to store user password when the server is
333 offline.
334 -S, --no-sssd
336 Do not configure the client to use SSSD for authentication, use
337 nss_ldap instead.
338 --preserve-sssd
340 Disabled by default. When enabled, preserves old SSSD configura‐
341 tion if it is not possible to merge it with a new one. Effec‐
342 tively, if the merge is not possible due to SSSDConfig reader
343 encountering unsupported options, ipa-client-install will not
344 run further and ask to fix SSSD config first. When this option
345 is not specified, ipa-client-install will back up SSSD config
346 and create new one. The back up version will be restored during
347 uninstall.
348 PKINIT OPTIONS
351 --pkinit-identity=DENTITY
352 Identity string for PKINIT authentication to use to join the IPA
353 realm, for example 'FILE:/path/to/cert.pem,/path/to/key.pem'.
354 See krb5.conf(5) for more information. The option is mutually
355 exclusive with --password and --keytab.
356 --pkinit-anchor=FILEDIR
358 Trust anchors (root and intermediate CA certs) for PKINIT.
359 FILEDIR is either the absolute path to a PEM bundle (for example
360 requires the full trust chain of the Kerberos KDC server as well
361 as the full trust chain of the identity certificate.
362 UNINSTALL OPTIONS
365 --uninstall
366 Remove the IPA client software and restore the configuration to
367 the pre-IPA state.
368 -U, --unattended
370 Unattended uninstallation. The user will not be prompted.
371
374 Files that will be replaced if SSSD is configured (default):
375 /etc/sssd/sssd.conf
377 Files that will be replaced if they exist and SSSD is not configured
379 (--no-sssd):
380 /etc/ldap.conf
382 /etc/nss_ldap.conf
383 /etc/libnss-ldap.conf
384 /etc/pam_ldap.conf
385 /etc/nslcd.conf
386 Files replaced if NTP client (chronyd) configuration is enabled:
388 /etc/chrony.conf
390 Files always created (replacing existing content):
392 /etc/krb5.conf
394 /etc/ipa/ca.crt
395 /etc/ipa/default.conf
396 /etc/ipa/nssdb
397 /etc/openldap/ldap.conf
398 /etc/pki/ca-trust/source/ipa.p11-kit
399 Files updated, existing content is maintained:
401 /etc/nsswitch.conf
403 /etc/krb5.keytab
404 /etc/sysconfig/network
405 File updated, existing content is maintained if ssh is configured (de‐
408 fault):
409 /etc/ssh/ssh_config
411 File updated, existing content is maintained if sshd is configured (de‐
413 fault):
414 /etc/ssh/sshd_config
416
419 --request-cert
420
423 0 if the installation was successful
424 1 if an error occurred
426 2 if uninstalling and the client is not configured
428 3 if installing and the client is already configured
430 4 if an uninstall error occurred
432
435 ipa-client-automount(1), krb5.conf(5), sssd.conf(5)
436IPA Dec 19 2016 ipa-client-install(1)