ipa-server-install(1)          IPA Manual Pages          ipa-server-install(1)

NAME
    ipa-server-install - Configure an IPA server

SYNOPSIS
    ipa-server-install [OPTION]...

DESCRIPTION
    Configures the services needed by an IPA server. This includes setting up
    a Kerberos Key Distribution Center (KDC) and a Kadmin daemon with an LDAP
    back-end, configuring Apache, configuring NTP and optionally configuring
    and starting an LDAP-backed DNS server. By default a dogtag-based CA will
    be configured to issue server certificates.

OPTIONS
BASIC OPTIONS
    -r REALM_NAME, --realm=REALM_NAME
        The Kerberos realm name for the new IPA deployment.

        It is strongly recommended to use an upper-cased name of the primary
        DNS domain name of your IPA deployment. You will not be able to
        establish trust with Active Directory unless the realm name is the
        upper-cased domain name.

        The realm name cannot be changed after the installation.

    -n DOMAIN_NAME, --domain=DOMAIN_NAME
        The primary DNS domain of the IPA deployment, e.g. example.com. This
        DNS domain should contain the SRV records generated by the IPA server
        installer. The specified DNS domain must not contain DNS records of
        any other LDAP or Kerberos based management system (like Active
        Directory or MIT Kerberos).

        It is strongly recommended to use a lower-cased name of the IPA
        Kerberos realm name.

        The primary DNS domain name cannot be changed after the installation.

    -p DM_PASSWORD, --ds-password=DM_PASSWORD
        The password to be used by the Directory Server for the Directory
        Manager user.

    -a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
        The password for the IPA admin user.

    --mkhomedir
        Create home directories for users on their first login.

    --hostname=HOST_NAME
        The fully-qualified DNS name of this server.

    --ip-address=IP_ADDRESS
        The IP address of this server. If this address does not match the
        address the host resolves to and --setup-dns is not selected, the
        installation will fail. If the server hostname is not resolvable, a
        record for the hostname and IP_ADDRESS is added to /etc/hosts. This
        option can be used multiple times to specify more IP addresses of the
        server (e.g. multihomed and/or dualstacked server).

68
69 --ntp-server=NTP_SERVER
70 Configure chronyd to use this NTP server. This option can be
71 used multiple times and it is used to specify exactly one time
72 server.
73
74 --ntp-pool=NTP_SERVER_POOL
75 Configure chronyd to use this NTP server pool. This option is
76 meant to be pool of multiple servers resolved as one host name.
77 This pool's servers may vary but pool address will be still same
78 and chrony will choose only one server from this pool.
79
80 -N, --no-ntp
81 Do not configure NTP client (chronyd).
82
83 --idstart=IDSTART
84 The starting user and group id number (default random).
85
86 --idmax=IDMAX
87 The maximum user and group id number (default: idstart+199999).
88 If set to zero, the default value will be used.
89
    --no-hbac-allow
        Don't install the allow_all HBAC rule. This rule lets any user from
        any host access any service on any other host. It is expected that
        users will remove this rule before moving to production.

    --ignore-topology-disconnect
        Ignore errors reported when IPA server uninstall would lead to a
        disconnected topology.

    --ignore-last-of-role
        Ignore errors reported when IPA server uninstall would lead to
        removal of the last CA/DNS server or DNSSec master.

    --no-ui-redirect
        Do not automatically redirect to the Web UI.

    --ssh-trust-dns
        Configure OpenSSH client to trust DNS SSHFP records.

    --no-ssh
        Do not configure OpenSSH client.

    --no-sshd
        Do not configure OpenSSH server.

    --subid
        Configure SSSD as data source for subid.

    --skip-mem-check
        Skip checking for minimum required memory.

    -d, --debug
        Enable debug logging when more verbose output is needed.

    -U, --unattended
        An unattended installation that will never prompt for user input.

    --dirsrv-config-file
        The path to an LDIF file that will be used to modify the
        configuration of dse.ldif during installation of the directory
        server instance.


CERTIFICATE SYSTEM OPTIONS
    --external-ca
        Generate a CSR for the IPA CA certificate to be signed by an external
        CA.

    --external-ca-type=TYPE
        Type of the external CA. Possible values are "generic", "ms-cs".
        Default value is "generic". Use "ms-cs" to include the template name
        required by Microsoft Certificate Services (MS CS) in the generated
        CSR (see --external-ca-profile for full details).

    --external-ca-profile=PROFILE_SPEC
        Specify the certificate profile or template to use at the external
        CA.

        When --external-ca-type is "ms-cs" the following specifiers may be
        used:

        <oid>:<majorVersion>[:<minorVersion>]
            Specify a certificate template by OID and major version,
            optionally also specifying minor version.

        <name>
            Specify a certificate template by name. The name cannot contain
            any : characters and cannot be an OID (otherwise the OID-based
            template specifier syntax takes precedence).

        default
            If no template is specified, the template name "SubCA" is used.

    --external-cert-file=FILE
        File containing the IPA CA certificate and the external CA
        certificate chain. The file is accepted in PEM and DER certificate
        and PKCS#7 certificate chain formats. This option may be used
        multiple times.

    --random-serial-numbers
        Enable Random Serial Numbers. Random serial numbers cannot be used in
        a mixed environment. Either all CAs have it enabled or none do.

    --no-pkinit
        Disables pkinit setup steps.

    --dirsrv-cert-file=FILE
        File containing the Directory Server SSL certificate and private key.
        The files are accepted in PEM and DER certificate, PKCS#7 certificate
        chain, PKCS#8 and raw private key and PKCS#12 formats. This option
        may be used multiple times.

    --http-cert-file=FILE
        File containing the Apache Server SSL certificate and private key.
        The files are accepted in PEM and DER certificate, PKCS#7 certificate
        chain, PKCS#8 and raw private key and PKCS#12 formats. This option
        may be used multiple times.

    --pkinit-cert-file=FILE
        File containing the Kerberos KDC SSL certificate and private key. The
        files are accepted in PEM and DER certificate, PKCS#7 certificate
        chain, PKCS#8 and raw private key and PKCS#12 formats. This option
        may be used multiple times.

    --dirsrv-pin=PIN
        The password to unlock the Directory Server private key.

    --http-pin=PIN
        The password to unlock the Apache Server private key.

    --pkinit-pin=PIN
        The password to unlock the Kerberos KDC private key.

    --dirsrv-cert-name=NAME
        Name of the Directory Server SSL certificate to install.

    --http-cert-name=NAME
        Name of the Apache Server SSL certificate to install.

    --pkinit-cert-name=NAME
        Name of the Kerberos KDC SSL certificate to install.

    --ca-cert-file=FILE
        File containing the CA certificate of the CA which issued the
        Directory Server, Apache Server and Kerberos KDC certificates. The
        file is accepted in PEM and DER certificate and PKCS#7 certificate
        chain formats. This option may be used multiple times. Use this
        option if the CA certificate is not present in the certificate files.

    --pki-config-override=FILE
        File containing overrides for CA and KRA installation.

    --ca-subject=SUBJECT
        The CA certificate subject DN (default CN=Certificate
        Authority,O=REALM.NAME). RDNs are in LDAP order (most specific RDN
        first).

    --subject-base=SUBJECT
        The subject base for certificates issued by IPA (default
        O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).

    --ca-signing-algorithm=ALGORITHM
        Signing algorithm of the IPA CA certificate. Possible values are
        SHA1withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA. Default
        value is SHA256withRSA. Use this option with --external-ca if the
        external CA does not support the default signing algorithm.


SECRET MANAGEMENT OPTIONS
    --setup-kra
        Install and configure a KRA on this server.


DNS OPTIONS
    IPA provides an integrated DNS server which can be used to simplify IPA
    deployment. If you decide to use it, IPA will automatically maintain SRV
    and other service records when you change your topology.

    The DNS component in IPA is optional and you may choose to manage all
    your DNS records manually on another third party DNS server. IPA DNS is
    not a general-purpose DNS server. If you need advanced features like DNS
    views, do not deploy IPA DNS.

    --setup-dns
        Configure an integrated DNS server, create the DNS zone specified by
        --domain, and fill it with the service records necessary for IPA
        deployment. In cases where the IPA server name does not belong to
        the primary DNS domain and is not resolvable using DNS, create a DNS
        zone containing the IPA server name as well.

        This option requires that you either specify at least one DNS
        forwarder through the --forwarder option or use the --no-forwarders
        option.

        Note that you can set up DNS at any time after the initial IPA server
        install by running ipa-dns-install (see ipa-dns-install(1)). IPA DNS
        cannot be uninstalled.

    --forwarder=IP_ADDRESS
        Add a DNS forwarder to the DNS configuration. You can use this option
        multiple times to specify more forwarders, but at least one must be
        provided, unless the --no-forwarders option is specified.

    --no-forwarders
        Do not add any DNS forwarders. Root DNS servers will be used instead.

    --auto-forwarders
        Add DNS forwarders configured in /etc/resolv.conf to the list of
        forwarders used by IPA DNS.

    --forward-policy=first|only
        DNS forwarding policy for global forwarders specified using other
        options. Defaults to first if no IP address belonging to a private or
        reserved range (RFC 6303) is detected on local interfaces. Defaults
        to only if a private IP address is detected.
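The --forward-policy default above depends on whether a local address falls in one of the ranges RFC 6303 lists for local serving. The following added example (not FreeIPA's own code) encodes those ranges and derives the default; it assumes the caller passes the server's own addresses, such as the --ip-address values, and the sample addresses are constructed.

```python
import ipaddress

# Added example of the --forward-policy default rule. The ranges are the
# IPv4 and IPv6 prefixes RFC 6303 (section 4) says a resolver should serve
# locally; FreeIPA's own detection code is not reproduced here.
RFC6303_LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.51.100.0/24", "203.0.113.0/24", "255.255.255.255/32",
    "::/128", "::1/128", "2001:db8::/32", "fd00::/8", "fe80::/10",
)]


def in_rfc6303_range(addr):
    """True if addr (a string) lies in a private or reserved RFC 6303 range."""
    ip = ipaddress.ip_address(addr)
    # 'in' is False for mismatched address families, so v4 and v6 mix safely.
    return any(ip in net for net in RFC6303_LOCAL_RANGES)


def default_forward_policy(server_addresses):
    """Return the man page default: 'only' when any address is private/reserved,
    otherwise 'first'."""
    if any(in_rfc6303_range(a) for a in server_addresses):
        return "only"
    return "first"


if __name__ == "__main__":
    # Constructed sample address sets.
    print(default_forward_policy(["192.168.10.5"]))             # only
    print(default_forward_policy(["198.18.0.1", "2606:4700::1"]))  # first
```

A host with a 192.168.0.0/16 address therefore gets forward-policy only, which keeps queries for private reverse zones away from public forwarders unless you override the policy explicitly.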

    --reverse-zone=REVERSE_ZONE
        The reverse DNS zone to use. This option can be used multiple times
        to specify multiple reverse zones.

    --no-reverse
        Do not create a reverse DNS zone.

    --auto-reverse
        Try to resolve reverse records and reverse zones for server IP
        addresses. If neither is resolvable, creates the reverse zones.

    --zonemgr
        The e-mail address of the DNS zone manager. Defaults to
        hostmaster@DOMAIN.

    --no-host-dns
        Do not use DNS for hostname lookup during installation.

    --no-dns-sshfp
        Do not automatically create DNS SSHFP records.

    --no-dnssec-validation
        Disable DNSSEC validation on this server.

    --allow-zone-overlap
        Allow creation of a (reverse) zone even if the zone is already
        resolvable. Using this option is discouraged as it results in later
        problems with domain name resolution.


SID GENERATION OPTIONS
    --netbios-name=NETBIOS_NAME
        The NetBIOS name for the IPA domain. If not provided, this is
        determined based on the leading component of the DNS domain name.
        Running ipa-adtrust-install a second time with a different NetBIOS
        name will change the name. Please note that changing the NetBIOS name
        might break existing trust relationships to other domains.

    --rid-base=RID_BASE
        First RID value of the local domain. The first POSIX ID of the local
        domain will be assigned to this RID, the second to RID+1 etc. See the
        online help of the idrange CLI for details.

    --secondary-rid-base=SECONDARY_RID_BASE
        Start value of the secondary RID range, which is only used in the
        case a user and a group share numerically the same POSIX ID. See the
        online help of the idrange CLI for details.


AD TRUST OPTIONS
    --setup-adtrust
        Configure AD Trust capability.

    --enable-compat
        Enables support for trusted domain users for old clients through the
        Schema Compatibility plugin. SSSD supports trusted domains natively
        starting with version 1.9. For platforms that lack SSSD or run an
        older SSSD version one needs to use this option. When enabled, the
        slapi-nis package needs to be installed and schema-compat-plugin will
        be configured to provide lookup of users and groups from trusted
        domains via SSSD on the IPA server. These users and groups will be
        available under the cn=users,cn=compat,$SUFFIX and
        cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of users
        and groups to lower case.

        In addition to providing these users and groups through the compat
        tree, this option enables authentication over LDAP for trusted domain
        users with a DN under the compat tree, i.e. using bind DN
        uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.

        LDAP authentication performed by the compat tree is done via the PAM
        'system-auth' service. This service exists by default on Linux
        systems and is provided by the pam package as /etc/pam.d/system-auth.
        If your IPA install does not have the default HBAC rule 'allow_all'
        enabled, then make sure to define in IPA a special service called
        'system-auth' and create an HBAC rule that allows anyone access to
        this service on IPA masters.

        As the 'system-auth' PAM service is not used directly by any other
        application, it is safe to use it for trusted domain users via the
        compatibility path.


UNINSTALL OPTIONS
    --uninstall
        Uninstall an existing IPA installation.

    -U, --unattended
        An unattended uninstallation that will never prompt for user input.


DEPRECATED OPTIONS
    -P MASTER_PASSWORD, --master-password=MASTER_PASSWORD
        The Kerberos master password (normally autogenerated).


EXIT STATUS
    0 if the (un)installation was successful

    1 if an error occurred


SEE ALSO
    ipa-dns-install(1) ipa-adtrust-install(1)



IPA                              Feb 17 2017             ipa-server-install(1)