ipa-server-install(1)          IPA Manual Pages          ipa-server-install(1)


NAME

       ipa-server-install - Configure an IPA server


SYNOPSIS

       ipa-server-install [OPTION]...


DESCRIPTION

       Configures the services needed by an IPA server. This includes setting
       up a Kerberos Key Distribution Center (KDC) and a Kadmin daemon with an
       LDAP back-end, configuring Apache, configuring NTP and optionally
       configuring and starting an LDAP-backed DNS server. By default a
       dogtag-based CA will be configured to issue server certificates.


OPTIONS

   BASIC OPTIONS
       -r REALM_NAME, --realm=REALM_NAME
              The Kerberos realm name for the new IPA deployment.

              It is strongly recommended to use the upper-cased name of the
              primary DNS domain of your IPA deployment. You will not be able
              to establish trust with Active Directory unless the realm name
              is the upper-cased domain name.

              The realm name cannot be changed after the installation.

       -n DOMAIN_NAME, --domain=DOMAIN_NAME
              The primary DNS domain of the IPA deployment, e.g. example.com.
              This DNS domain should contain the SRV records generated by the
              IPA server installer. The specified DNS domain must not contain
              DNS records of any other LDAP or Kerberos based management
              system (like Active Directory or MIT Kerberos).

              It is strongly recommended to use the lower-cased name of the
              IPA Kerberos realm.

              The primary DNS domain name cannot be changed after the
              installation.

       -p DM_PASSWORD, --ds-password=DM_PASSWORD
              The password to be used by the Directory Server for the
              Directory Manager user.

       -a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
              The password for the IPA admin user.

       --mkhomedir
              Create home directories for users on their first login.

       --hostname=HOST_NAME
              The fully-qualified DNS name of this server.

       --ip-address=IP_ADDRESS
              The IP address of this server. If this address does not match
              the address the host resolves to and --setup-dns is not
              selected, the installation will fail. If the server hostname is
              not resolvable, a record for the hostname and IP_ADDRESS is
              added to /etc/hosts. This option can be used multiple times to
              specify more IP addresses of the server (e.g. a multihomed
              and/or dual-stacked server).

       --ntp-server=NTP_SERVER
              Configure chronyd to use this NTP server. This option can be
              used multiple times; each occurrence specifies exactly one time
              server.

       --ntp-pool=NTP_SERVER_POOL
              Configure chronyd to use this NTP server pool. The value is
              meant to be a pool of multiple servers resolved as one host
              name. The servers in the pool may vary, but the pool address
              stays the same, and chrony will choose only one server from
              the pool.

       -N, --no-ntp
              Do not configure the NTP client (chronyd).

       --idstart=IDSTART
              The starting user and group id number (default: random).

       --idmax=IDMAX
              The maximum user and group id number (default: idstart+199999).
              If set to zero, the default value will be used.

       --no-hbac-allow
              Don't install the allow_all HBAC rule. This rule lets any user
              from any host access any service on any other host. It is
              expected that users will remove this rule before moving to
              production.

       --ignore-topology-disconnect
              Ignore errors reported when IPA server uninstall would lead to
              a disconnected topology.

       --ignore-last-of-role
              Ignore errors reported when IPA server uninstall would lead to
              removal of the last CA/DNS server or DNSSEC master.

       --no-ui-redirect
              Do not automatically redirect to the Web UI.

       --ssh-trust-dns
              Configure the OpenSSH client to trust DNS SSHFP records.

       --no-ssh
              Do not configure the OpenSSH client.

       --no-sshd
              Do not configure the OpenSSH server.

       --subid
              Configure SSSD as the data source for subids.

       --skip-mem-check
              Skip checking for the minimum required memory.

       -d, --debug
              Enable debug logging when more verbose output is needed.

       -U, --unattended
              An unattended installation that will never prompt for user
              input.

       --dirsrv-config-file
              The path to an LDIF file that will be used to modify the
              configuration in dse.ldif during installation of the directory
              server instance.

   CERTIFICATE SYSTEM OPTIONS
       --external-ca
              Generate a CSR for the IPA CA certificate to be signed by an
              external CA.

       --external-ca-type=TYPE
              Type of the external CA. Possible values are "generic" and
              "ms-cs". The default value is "generic". Use "ms-cs" to include
              the template name required by Microsoft Certificate Services
              (MS CS) in the generated CSR (see --external-ca-profile for
              full details).

       --external-ca-profile=PROFILE_SPEC
              Specify the certificate profile or template to use at the
              external CA.

              When --external-ca-type is "ms-cs" the following specifiers may
              be used:

              <oid>:<majorVersion>[:<minorVersion>]
                     Specify a certificate template by OID and major version,
                     optionally also specifying the minor version.

              <name> Specify a certificate template by name. The name cannot
                     contain any : characters and cannot be an OID (otherwise
                     the OID-based template specifier syntax takes
                     precedence).

              default
                     If no template is specified, the template name "SubCA"
                     is used.

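       The PROFILE_SPEC grammar above is small but has a precedence rule that
       is easy to get wrong when wrapping the installer in automation: a
       value containing ':' is always read as the OID form, and a bare OID is
       not a valid name. The parser below is an added example, not code from
       ipa-server-install or FreeIPA; it implements the grammar as the page
       describes it, and the choice to reject a bare OID outright is an
       assumption made here (the page only says such a value cannot be a
       name). The names parse_ms_cs_profile, MsCsTemplate and describe are
       hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Dotted OID: two or more numeric arcs, e.g. 1.3.6.1.4.1.311.21.8.1234
OID_RE = re.compile(r"^[0-9]+(\.[0-9]+)+$")

# Template name the man page says is used when no profile is specified.
DEFAULT_TEMPLATE_NAME = "SubCA"


@dataclass(frozen=True)
class MsCsTemplate:
    """One parsed --external-ca-profile value for --external-ca-type=ms-cs.

    Exactly one of the two forms is populated: name-based (name set) or
    OID-based (oid and major set, minor optional).
    """
    name: Optional[str] = None
    oid: Optional[str] = None
    major: Optional[int] = None
    minor: Optional[int] = None

    @property
    def is_oid_form(self) -> bool:
        return self.oid is not None


def _require_uint(what: str, value: str) -> int:
    # Versions must be non-negative decimal integers; "abc" or "-1" are rejected.
    if not value.isdigit():
        raise ValueError(f"{what} must be a non-negative integer, got {value!r}")
    return int(value)


def parse_ms_cs_profile(spec: Optional[str]) -> MsCsTemplate:
    """Parse PROFILE_SPEC following the grammar from the man page.

    Precedence mirrors the text: a value containing ':' is parsed as the
    OID-based form and must be a valid OID with a numeric major version;
    otherwise it is a template name, which may not itself be an OID.
    """
    if spec is None or spec == "":
        return MsCsTemplate(name=DEFAULT_TEMPLATE_NAME)

    if ":" in spec:
        parts = spec.split(":")
        if len(parts) > 3:
            raise ValueError(f"too many ':' in template specifier {spec!r}")
        oid, major = parts[0], parts[1]
        if not OID_RE.match(oid):
            raise ValueError(f"{oid!r} is not an OID; template names may not contain ':'")
        major_v = _require_uint("majorVersion", major)
        minor_v = _require_uint("minorVersion", parts[2]) if len(parts) == 3 else None
        return MsCsTemplate(oid=oid, major=major_v, minor=minor_v)

    if OID_RE.match(spec):
        # Bare OID: the name form forbids it and the OID form needs a major
        # version. Rejecting it is this example's assumption; the page does
        # not describe what the installer itself does with such a value.
        raise ValueError(f"{spec!r} looks like an OID; use <oid>:<majorVersion>[:<minorVersion>]")
    return MsCsTemplate(name=spec)


def describe(template: MsCsTemplate) -> str:
    """Human-readable summary, e.g. for logging what will be requested in the CSR."""
    if template.is_oid_form:
        ver = f"{template.major}" + (f".{template.minor}" if template.minor is not None else "")
        return f"MS CS template by OID {template.oid}, version {ver}"
    return f"MS CS template by name {template.name!r}"


if __name__ == "__main__":
    # Constructed sample specifiers, including the documented default.
    for sample in (None, "SubCA", "1.3.6.1.4.1.311.21.8.1234:100",
                   "1.3.6.1.4.1.311.21.8.1234:100:2"):
        print(repr(sample), "->", describe(parse_ms_cs_profile(sample)))
```

       Validating the specifier before the install run means a typo in the
       template name surfaces immediately rather than as a CSR rejected by
       the external CA after the rest of the installation has already been
       staged.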
       --external-cert-file=FILE
              File containing the IPA CA certificate and the external CA
              certificate chain. The file is accepted in PEM and DER
              certificate and PKCS#7 certificate chain formats. This option
              may be used multiple times.

       --random-serial-numbers
              Enable Random Serial Numbers. Random serial numbers cannot be
              used in a mixed environment: either all CAs have it enabled or
              none do.

       --no-pkinit
              Disables the PKINIT setup steps.

       --dirsrv-cert-file=FILE
              File containing the Directory Server SSL certificate and
              private key. The files are accepted in PEM and DER certificate,
              PKCS#7 certificate chain, PKCS#8 and raw private key and
              PKCS#12 formats. This option may be used multiple times.

       --http-cert-file=FILE
              File containing the Apache Server SSL certificate and private
              key. The files are accepted in PEM and DER certificate, PKCS#7
              certificate chain, PKCS#8 and raw private key and PKCS#12
              formats. This option may be used multiple times.

       --pkinit-cert-file=FILE
              File containing the Kerberos KDC SSL certificate and private
              key. The files are accepted in PEM and DER certificate, PKCS#7
              certificate chain, PKCS#8 and raw private key and PKCS#12
              formats. This option may be used multiple times.

       --dirsrv-pin=PIN
              The password to unlock the Directory Server private key.

       --http-pin=PIN
              The password to unlock the Apache Server private key.

       --pkinit-pin=PIN
              The password to unlock the Kerberos KDC private key.

       --dirsrv-cert-name=NAME
              Name of the Directory Server SSL certificate to install.

       --http-cert-name=NAME
              Name of the Apache Server SSL certificate to install.

       --pkinit-cert-name=NAME
              Name of the Kerberos KDC SSL certificate to install.

       --ca-cert-file=FILE
              File containing the CA certificate of the CA which issued the
              Directory Server, Apache Server and Kerberos KDC certificates.
              The file is accepted in PEM and DER certificate and PKCS#7
              certificate chain formats. This option may be used multiple
              times. Use this option if the CA certificate is not present in
              the certificate files.

       --pki-config-override=FILE
              File containing overrides for CA and KRA installation.

       --ca-subject=SUBJECT
              The CA certificate subject DN (default: CN=Certificate
              Authority,O=REALM.NAME). RDNs are in LDAP order (most specific
              RDN first).

       --subject-base=SUBJECT
              The subject base for certificates issued by IPA (default:
              O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).

       --ca-signing-algorithm=ALGORITHM
              Signing algorithm of the IPA CA certificate. Possible values are
              SHA1withRSA, SHA256withRSA, SHA384withRSA and SHA512withRSA. The
              default value is SHA256withRSA. Use this option with
              --external-ca if the external CA does not support the default
              signing algorithm.

   SECRET MANAGEMENT OPTIONS
       --setup-kra
              Install and configure a KRA on this server.

   DNS OPTIONS
       IPA provides an integrated DNS server which can be used to simplify IPA
       deployment. If you decide to use it, IPA will automatically maintain
       SRV and other service records when you change your topology.

       The DNS component in IPA is optional and you may choose to manage all
       your DNS records manually on another third party DNS server. IPA DNS is
       not a general-purpose DNS server. If you need advanced features like
       DNS views, do not deploy IPA DNS.

       --setup-dns
              Configure an integrated DNS server, create the DNS zone
              specified by --domain, and fill it with the service records
              necessary for the IPA deployment. In cases where the IPA server
              name does not belong to the primary DNS domain and is not
              resolvable using DNS, create a DNS zone containing the IPA
              server name as well.

              This option requires that you either specify at least one DNS
              forwarder through the --forwarder option or use the
              --no-forwarders option.

              Note that you can set up DNS at any time after the initial IPA
              server install by running ipa-dns-install (see
              ipa-dns-install(1)). IPA DNS cannot be uninstalled.

       --forwarder=IP_ADDRESS
              Add a DNS forwarder to the DNS configuration. You can use this
              option multiple times to specify more forwarders, but at least
              one must be provided, unless the --no-forwarders option is
              specified.

       --no-forwarders
              Do not add any DNS forwarders. Root DNS servers will be used
              instead.

       --auto-forwarders
              Add the DNS forwarders configured in /etc/resolv.conf to the
              list of forwarders used by IPA DNS.

       --forward-policy=first|only
              DNS forwarding policy for the global forwarders specified using
              other options. Defaults to first if no IP address belonging to
              a private or reserved range (RFC 6303) is detected on local
              interfaces. Defaults to only if such a private IP address is
              detected.

       --reverse-zone=REVERSE_ZONE
              The reverse DNS zone to use. This option can be used multiple
              times to specify multiple reverse zones.

       --no-reverse
              Do not create a reverse DNS zone.

       --auto-reverse
              Try to resolve reverse records and reverse zones for the server
              IP addresses. If neither is resolvable, create the reverse
              zones.

       --zonemgr
              The e-mail address of the DNS zone manager. Defaults to
              hostmaster@DOMAIN.

       --no-host-dns
              Do not use DNS for hostname lookup during installation.

       --no-dns-sshfp
              Do not automatically create DNS SSHFP records.

       --no-dnssec-validation
              Disable DNSSEC validation on this server.

       --allow-zone-overlap
              Allow creation of a (reverse) zone even if the zone is already
              resolvable. Using this option is discouraged as it results in
              later problems with domain name resolution.

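       Several of the constraints in BASIC OPTIONS and DNS OPTIONS (realm
       should be the upper-cased domain, --idmax defaults to idstart+199999
       and zero means the default, --setup-dns needs a --forwarder or
       --no-forwarders, --forward-policy defaults from the RFC 6303 ranges on
       local interfaces) are only enforced or applied once the installer is
       already running. The pre-flight check below is an added example, not
       part of ipa-server-install; it encodes those documented rules so an
       unattended run can be validated before it starts. The InstallPlan and
       PreflightResult types, the preflight and default_forward_policy
       functions and the sample values are all constructed here; the RFC 6303
       block list is a subset sufficient for the check, and the warning on
       SHA1withRSA reflects current signature-algorithm deprecation rather
       than anything the page states.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Subset of the RFC 6303 address blocks (private and reserved ranges). The
# man page says --forward-policy defaults to "only" when an address in such a
# range is present on a local interface and to "first" otherwise.
RFC6303_BLOCKS = [ipaddress.ip_network(b) for b in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
    "fd00::/8", "fe80::/10", "2001:db8::/32",
)]

IDMAX_OFFSET = 199999  # documented default: idmax = idstart + 199999


@dataclass
class InstallPlan:
    """Hypothetical description of an intended ipa-server-install run."""
    realm: str
    domain: str
    hostname: str
    idstart: int                            # the installer's own default is random
    idmax: Optional[int] = None             # None or 0 means "use the default"
    setup_dns: bool = False
    forwarders: List[str] = field(default_factory=list)
    no_forwarders: bool = False
    forward_policy: Optional[str] = None    # None: let the installer choose
    ca_signing_algorithm: str = "SHA256withRSA"
    local_addresses: List[str] = field(default_factory=list)  # addresses on local interfaces


@dataclass
class PreflightResult:
    errors: List[str]
    warnings: List[str]
    effective_idmax: int
    effective_forward_policy: Optional[str]
    argv: List[str]                         # command line for an unattended run


def default_forward_policy(local_addresses: List[str]) -> str:
    """Apply the documented default for --forward-policy."""
    for addr in local_addresses:
        ip = ipaddress.ip_address(addr)
        if any(ip in block for block in RFC6303_BLOCKS):
            return "only"
    return "first"


def preflight(plan: InstallPlan) -> PreflightResult:
    errors: List[str] = []
    warnings: List[str] = []

    # Naming: the page recommends realm = upper-cased domain and states that
    # trust with Active Directory is impossible otherwise.
    if plan.realm != plan.realm.upper():
        warnings.append("realm should be upper-cased")
    if plan.domain != plan.domain.lower():
        warnings.append("domain should be lower-cased")
    if plan.realm.lower() != plan.domain.lower():
        warnings.append("realm is not the upper-cased primary DNS domain; "
                        "trust with Active Directory will not be possible")
    if not plan.hostname.lower().endswith("." + plan.domain.lower()):
        warnings.append("hostname is outside the primary DNS domain; with "
                        "--setup-dns an extra zone for it will be created")

    # ID range: unset or zero idmax means the documented default.
    effective_idmax = plan.idmax if plan.idmax else plan.idstart + IDMAX_OFFSET
    if effective_idmax <= plan.idstart:
        errors.append("idmax must be greater than idstart")

    # DNS: forwarders are mandatory unless --no-forwarders is given.
    policy: Optional[str] = None
    if plan.setup_dns:
        if not plan.forwarders and not plan.no_forwarders:
            errors.append("--setup-dns requires at least one --forwarder or --no-forwarders")
        for fwd in plan.forwarders:
            try:
                ipaddress.ip_address(fwd)
            except ValueError:
                errors.append(f"--forwarder value {fwd!r} is not an IP address")
        policy = plan.forward_policy or default_forward_policy(plan.local_addresses)
        if policy not in ("first", "only"):
            errors.append(f"--forward-policy must be first or only, got {policy!r}")

    # SHA-1 signatures are deprecated by current CA and browser policy.
    if plan.ca_signing_algorithm == "SHA1withRSA":
        warnings.append("SHA1withRSA is a deprecated signing algorithm")

    # -p/-a passwords are deliberately not part of the plan; supply them at run time.
    argv = ["ipa-server-install", "--unattended",
            f"--realm={plan.realm}", f"--domain={plan.domain}",
            f"--hostname={plan.hostname}",
            f"--idstart={plan.idstart}", f"--idmax={effective_idmax}",
            f"--ca-signing-algorithm={plan.ca_signing_algorithm}"]
    if plan.setup_dns:
        argv.append("--setup-dns")
        argv.extend(f"--forwarder={f}" for f in plan.forwarders)
        if plan.no_forwarders:
            argv.append("--no-forwarders")
        argv.append(f"--forward-policy={policy}")
    return PreflightResult(errors, warnings, effective_idmax, policy, argv)


if __name__ == "__main__":
    # Constructed sample plan: private address on the box, no forwarder given.
    sample = InstallPlan(realm="EXAMPLE.TEST", domain="example.test",
                         hostname="ipa.example.test", idstart=200000,
                         setup_dns=True, local_addresses=["192.168.10.5"])
    result = preflight(sample)
    print("errors:", result.errors)
    print("warnings:", result.warnings)
    print("command:", " ".join(result.argv))
```

       The realm and domain names cannot be changed after installation, so a
       check like this is the last cheap point at which a naming mistake that
       would later block an AD trust can be caught.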
   SID GENERATION OPTIONS
       --netbios-name=NETBIOS_NAME
              The NetBIOS name for the IPA domain. If not provided, this is
              determined based on the leading component of the DNS domain
              name. Running ipa-adtrust-install a second time with a
              different NetBIOS name will change the name. Please note that
              changing the NetBIOS name might break existing trust
              relationships to other domains.

       --rid-base=RID_BASE
              First RID value of the local domain. The first POSIX ID of the
              local domain will be assigned to this RID, the second to RID+1
              etc. See the online help of the idrange CLI for details.

       --secondary-rid-base=SECONDARY_RID_BASE
              Start value of the secondary RID range, which is only used in
              the case a user and a group share numerically the same POSIX
              ID. See the online help of the idrange CLI for details.

   AD TRUST OPTIONS
       --setup-adtrust
              Configure AD Trust capability.

       --enable-compat
              Enables support for trusted domain users for old clients
              through the Schema Compatibility plugin. SSSD supports trusted
              domains natively starting with version 1.9. For platforms that
              lack SSSD or run an older SSSD version one needs to use this
              option. When enabled, the slapi-nis package needs to be
              installed and schema-compat-plugin will be configured to
              provide lookup of users and groups from trusted domains via
              SSSD on the IPA server. These users and groups will be
              available under the cn=users,cn=compat,$SUFFIX and
              cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of
              users and groups to lower case.

              In addition to providing these users and groups through the
              compat tree, this option enables authentication over LDAP for
              trusted domain users with a DN under the compat tree, i.e.
              using the bind DN
              uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.

              LDAP authentication performed by the compat tree is done via
              the PAM 'system-auth' service. This service exists by default
              on Linux systems and is provided by the pam package as
              /etc/pam.d/system-auth. If your IPA install does not have the
              default HBAC rule 'allow_all' enabled, then make sure to define
              in IPA a special HBAC service called 'system-auth' and create
              an HBAC rule that allows anyone access to this service on the
              IPA masters.

              As the 'system-auth' PAM service is not used directly by any
              other application, it is safe to use it for trusted domain
              users via the compatibility path.

   UNINSTALL OPTIONS
       --uninstall
              Uninstall an existing IPA installation.

       -U, --unattended
              An unattended uninstallation that will never prompt for user
              input.


DEPRECATED OPTIONS

       -P MASTER_PASSWORD, --master-password=MASTER_PASSWORD
              The Kerberos master password (normally autogenerated).


EXIT STATUS

       0 if the (un)installation was successful

       1 if an error occurred


SEE ALSO

       ipa-dns-install(1) ipa-adtrust-install(1)

IPA                               Feb 17 2017            ipa-server-install(1)