ipa-replica-install(1) IPA Manual Pages ipa-replica-install(1)

NAME
ipa-replica-install - Create an IPA replica

SYNOPSIS
ipa-replica-install [OPTION]...

DESCRIPTION
Configures a new IPA server that is a replica of an existing server. Once it
has been created it is an exact copy of the original IPA server and is an
equal master. Changes made to any master are automatically replicated to the
other masters.

Domain level 0 is not supported anymore.

To create a replica, the machine only needs to be enrolled in the IPA domain
first. This process of turning an IPA client into a replica is also referred
to as replica promotion.

If you're starting with an existing IPA client, simply run
ipa-replica-install to have it promoted into a replica. The NTP configuration
cannot be updated during client promotion.

To promote a blank machine into a replica, you have two options: either run
ipa-client-install in a separate step, or pass the enrollment-related options
to ipa-replica-install (see CLIENT ENROLLMENT OPTIONS). In the latter case,
ipa-replica-install will join the machine to the IPA realm automatically and
then proceed with the promotion step.

If the installation fails you may need to run ipa-server-install --uninstall
and ipa-client-install before running ipa-replica-install again.

The installation will fail if the host you are installing the replica on
already exists as a host in IPA or if a replication agreement already exists
(for example, from a previously failed installation).

A replica should only be installed on a system running the same or a higher
version of IPA than the remote system.

OPTIONS
-P, --principal
The user principal which will be used to promote the client to the replica
and to enroll the client itself, if necessary.

-w, --admin-password
The Kerberos password for the given principal.


CLIENT ENROLLMENT OPTIONS
To install the client and promote it to a replica using a host keytab or a
One Time Password, the host needs to be a member of the ipaservers group.
This requires creating a host entry and adding it to that host group before
the replica installation.

The --server, --domain and --realm options are autodiscovered via DNS records
by default. See the manual page ipa-client-install(1) for further details
about these options.


-p PASSWORD, --password=PASSWORD
One Time Password for joining a machine to the IPA realm.

-k, --keytab
Path to the host keytab.

--server
The fully qualified domain name of the IPA server to enroll to. The IPA
server must provide the CA role if the --setup-ca option is specified, and
the KRA role if the --setup-kra option is specified.

-n, --domain=DOMAIN
The primary DNS domain of an existing IPA deployment, e.g. example.com. This
DNS domain should contain the SRV records generated by the IPA server
installer.

-r, --realm=REALM_NAME
The Kerberos realm of an existing IPA deployment.

--hostname
The hostname of this machine (FQDN). If specified, the hostname will be set
and the system configuration will be updated to persist over reboot.

--force-join
Join the host even if it is already enrolled.


BASIC OPTIONS
--ip-address=IP_ADDRESS
The IP address of this server. If this address does not match the address
the host resolves to and --setup-dns is not selected, the installation will
fail. If the server hostname is not resolvable, a record for the hostname
and IP_ADDRESS is added to /etc/hosts. This option can be used multiple times
to specify more IP addresses of the server (e.g. a multihomed and/or
dual-stacked server).

--mkhomedir
Create home directories for users on their first login.

--ntp-server=NTP_SERVER
Configure chronyd to use this NTP server. This option can be used multiple
times; each occurrence specifies exactly one time server.

--ntp-pool=NTP_SERVER_POOL
Configure chronyd to use this NTP server pool. This option is meant for a
pool of multiple servers resolved as one host name. The pool's servers may
vary, but the pool address stays the same, and chrony will choose only one
server from the pool.

-N, --no-ntp
Do not configure the NTP client (chronyd).

--no-ui-redirect
Do not automatically redirect to the Web UI.

--ssh-trust-dns
Configure the OpenSSH client to trust DNS SSHFP records.

--no-ssh
Do not configure the OpenSSH client.

--no-sshd
Do not configure the OpenSSH server.

--subid
Configure SSSD as the data source for subid.

--skip-conncheck
Skip the connection check to the remote master.

--skip-mem-check
Skip checking for the minimum required memory.

-d, --debug
Enable debug logging when more verbose output is needed.

-U, --unattended
An unattended installation that will never prompt for user input.

--dirsrv-config-file
The path to an LDIF file that will be used to modify the configuration of
dse.ldif during installation of the directory server instance.


CERTIFICATE SYSTEM OPTIONS
--setup-ca
Install and configure a CA on this replica. If a CA is not configured then
certificate operations will be forwarded to a master with a CA installed.

--no-pkinit
Disables the pkinit setup steps.

--dirsrv-cert-file=FILE
File containing the Directory Server SSL certificate and private key.

--http-cert-file=FILE
File containing the Apache Server SSL certificate and private key.

--pkinit-cert-file=FILE
File containing the Kerberos KDC SSL certificate and private key.

--dirsrv-pin=PIN
The password to unlock the Directory Server private key.

--http-pin=PIN
The password to unlock the Apache Server private key.

--pkinit-pin=PIN
The password to unlock the Kerberos KDC private key.

--dirsrv-cert-name=NAME
Name of the Directory Server SSL certificate to install.

--http-cert-name=NAME
Name of the Apache Server SSL certificate to install.

--pkinit-cert-name=NAME
Name of the Kerberos KDC SSL certificate to install.

--pki-config-override=FILE
File containing overrides for the CA and KRA installation.

--skip-schema-check
Skip the check for an updated CA DS schema on the remote master.


SECRET MANAGEMENT OPTIONS
--setup-kra
Install and configure a KRA on this replica. If a KRA is not configured then
vault operations will be forwarded to a master with a KRA installed.


DNS OPTIONS
--setup-dns
Configure an integrated DNS server, create a primary DNS zone (name
specified by --domain or taken from an existing deployment), and fill it
with the service records necessary for the IPA deployment. In cases where
the IPA server name does not belong to the primary DNS domain and is not
resolvable using DNS, create a DNS zone containing the IPA server name as
well.

This option requires that you either specify at least one DNS forwarder
through the --forwarder option or use the --no-forwarders option.

Note that you can set up DNS at any time after the initial IPA server
install by running ipa-dns-install (see ipa-dns-install(1)). IPA DNS cannot
be uninstalled.

--forwarder=IP_ADDRESS
Add a DNS forwarder to the DNS configuration. You can use this option
multiple times to specify more forwarders, but at least one must be
provided, unless the --no-forwarders option is specified.

--no-forwarders
Do not add any DNS forwarders. Root DNS servers will be used instead.

--auto-forwarders
Add the DNS forwarders configured in /etc/resolv.conf to the list of
forwarders used by IPA DNS.

--forward-policy=first|only
DNS forwarding policy for the global forwarders specified using other
options. Defaults to first if no IP address belonging to a private or
reserved range (RFC 6303) is detected on local interfaces. Defaults to only
if a private IP address is detected.

--reverse-zone=REVERSE_ZONE
The reverse DNS zone to use. This option can be used multiple times to
specify multiple reverse zones.

--no-reverse
Do not create a new reverse DNS zone. If a reverse DNS zone already exists
for the subnet, it will be used.

--auto-reverse
Create the necessary reverse zones.

--allow-zone-overlap
Create the DNS zone even if it already exists.

--no-host-dns
Do not use DNS for hostname lookup during installation.

--no-dns-sshfp
Do not automatically create DNS SSHFP records.

--no-dnssec-validation
Disable DNSSEC validation on this server.


SID GENERATION OPTIONS
--netbios-name=NETBIOS_NAME
The NetBIOS name for the IPA domain. If not provided then this is determined
from the leading component of the DNS domain name. Running
ipa-adtrust-install a second time with a different NetBIOS name will change
the name. Please note that changing the NetBIOS name might break existing
trust relationships to other domains.

--add-sids
Add SIDs to existing users and groups as one of the final steps of the
ipa-adtrust-install run. If there are many existing users and groups and a
couple of replicas in the environment, this operation might lead to high
replication traffic and a performance degradation of all IPA servers in the
environment. To avoid this, the SID generation can be run after
ipa-adtrust-install has completed and scheduled independently. To start this
task you have to load an edited version of ipa-sidgen-task-run.ldif into the
directory server with the ldapmodify command.

--rid-base=RID_BASE
First RID value of the local domain. The first Posix ID of the local domain
will be assigned to this RID, the second to RID+1, etc. See the online help
of the idrange CLI for details.

--secondary-rid-base=SECONDARY_RID_BASE
Start value of the secondary RID range, which is only used in the case where
a user and a group share numerically the same Posix ID. See the online help
of the idrange CLI for details.


AD TRUST OPTIONS
--setup-adtrust
Configure the AD Trust capability on this replica.

--add-agents
Add IPA masters to the list of servers allowed to serve information about
users from trusted forests. Starting with IPA 4.2, a regular IPA master can
provide this information to SSSD clients. IPA masters aren't added to the
list automatically, as a restart of the LDAP service on each of them is
required. The host where ipa-adtrust-install is being run is added
automatically.

Note that IPA masters where ipa-adtrust-install wasn't run can serve
information about users from trusted forests only if they are enabled via
an ipa-adtrust-install run on any other IPA master. At least SSSD version
1.13 on the IPA master is required to be able to perform as a trust agent.

--enable-compat
Enables support for trusted domain users for old clients through the Schema
Compatibility plugin. SSSD supports trusted domains natively starting with
version 1.9. For platforms that lack SSSD or run an older SSSD version, one
needs to use this option. When enabled, the slapi-nis package needs to be
installed and schema-compat-plugin will be configured to provide lookup of
users and groups from trusted domains via SSSD on the IPA server. These
users and groups will be available under the cn=users,cn=compat,$SUFFIX and
cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of users and
groups to lower case.

In addition to providing these users and groups through the compat tree,
this option enables authentication over LDAP for trusted domain users with
a DN under the compat tree, i.e. using the bind DN
uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.

LDAP authentication performed by the compat tree is done via the PAM
'system-auth' service. This service exists by default on Linux systems and
is provided by the pam package as /etc/pam.d/system-auth. If your IPA
install does not have the default HBAC rule 'allow_all' enabled, then make
sure to define in IPA a special service called 'system-auth' and create an
HBAC rule that allows anyone access to this service on the IPA masters.

As the 'system-auth' PAM service is not used directly by any other
application, it is safe to use it for trusted domain users via the
compatibility path.

EXIT STATUS
0 if the command was successful

1 if an error occurred

3 if the host exists in the IPA server or a replication agreement to the
remote master already exists

4 if the remote master specified for enrollment does not provide required
services such as CA or KRA
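The following wrapper is an added example and is not part of this manual page or of the FreeIPA project. It ties together three things the page documents: the promotion command described under DESCRIPTION, the constraint under DNS OPTIONS that --setup-dns must be accompanied by --forwarder or --no-forwarders, and the EXIT STATUS codes together with the recovery step DESCRIPTION gives for a failed run. The function names, the IPA_DRY_RUN variable and the 192.0.2.53 forwarder address are assumptions of the example; the Kerberos password is deliberately not placed on the command line, since ipa-replica-install prompts for it.

```shell
#!/bin/sh
# Added example (not from the ipa-replica-install man page or FreeIPA).
# build_replica_cmd assembles the command line and refuses the one option
# combination the DNS OPTIONS section says will fail; explain_exit maps the
# documented exit codes to a diagnosis; promote_replica glues them together.
# IPA_DRY_RUN (assumed name) makes promote_replica print instead of run.

# build_replica_cmd PRINCIPAL [OPTION]...
# Prints the ipa-replica-install command line; returns 2 if --setup-dns is
# requested without --forwarder or --no-forwarders (the man page's rule).
build_replica_cmd() {
    principal="$1"
    shift
    want_dns=0
    have_forwarder_choice=0
    for opt in "$@"; do
        case "$opt" in
            --setup-dns) want_dns=1 ;;
            --forwarder|--forwarder=*|--no-forwarders) have_forwarder_choice=1 ;;
        esac
    done
    if [ "$want_dns" -eq 1 ] && [ "$have_forwarder_choice" -eq 0 ]; then
        echo "error: --setup-dns requires --forwarder=IP_ADDRESS or --no-forwarders" >&2
        return 2
    fi
    printf 'ipa-replica-install --principal %s' "$principal"
    for opt in "$@"; do
        printf ' %s' "$opt"
    done
    printf '\n'
}

# explain_exit CODE
# One-line diagnosis for each code listed under EXIT STATUS, with the
# recovery step from DESCRIPTION where the page gives one.
explain_exit() {
    case "$1" in
        0) echo "ok: replica installed" ;;
        1) echo "error: installation failed; run ipa-server-install --uninstall and ipa-client-install before retrying" ;;
        3) echo "error: host already exists in IPA or a replication agreement to the remote master already exists (e.g. a previous failed install)" ;;
        4) echo "error: the remote master lacks a required role (CA for --setup-ca, KRA for --setup-kra); choose another --server" ;;
        *) echo "error: unexpected exit code $1" ;;
    esac
}

# promote_replica PRINCIPAL [OPTION]...
# With IPA_DRY_RUN=1 only prints the command; otherwise runs it and reports.
promote_replica() {
    cmd=$(build_replica_cmd "$@") || return 2
    if [ "${IPA_DRY_RUN:-0}" = 1 ]; then
        echo "dry run: $cmd"
        return 0
    fi
    # Word-splitting $cmd is intended: the options carry no whitespace.
    if $cmd; then rc=0; else rc=$?; fi
    explain_exit "$rc"
    return "$rc"
}

# Usage (constructed forwarder address from the documentation range):
#   IPA_DRY_RUN=1 sh promote-replica.sh promote admin --setup-ca \
#       --setup-dns --forwarder=192.0.2.53
case "${1:-}" in
    promote) shift; promote_replica "$@" ;;
esac
```

The option check mirrors the page's wording rather than the installer's full validation, so it catches the documented --setup-dns mistake before any enrollment work starts; a real run still relies on ipa-replica-install's own checks and exit code, which explain_exit only translates.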


IPA Dec 19 2016 ipa-replica-install(1)