FreeBSD Manual Pages

home | help
ipa-client-install(1)	       IPA Manual Pages		 ipa-client-install(1)

NAME
       ipa-client-install - Configure an IPA client

SYNOPSIS
       ipa-client-install [OPTION]...

DESCRIPTION
       Configures  a client machine to use IPA for authentication and identity
       services.

       By default this configures SSSD to connect to an	IPA server for authen-
       tication	and authorization. Optionally one can  instead	configure  PAM
       and  NSS	 (Name Switching Service) to work with an IPA server over Ker-
       beros and LDAP.

       An authorized account is	required to join a client machine to IPA. This
       can take	the form of a kerberos principal, a one-time password  associ-
       ated with the machine, or PKINIT	identity associated with the machine.

       This  same  tool	 is used to unconfigure	IPA and	attempts to return the
       machine to its previous state. Part of this process is to unenroll  the
       host  from the IPA server. Unenrollment consists	of disabling the prin-
       cipal key on the	IPA server so that it may be re-enrolled. The  machine
       principal  in /etc/krb5.keytab (host/<fqdn>@REALM) is used to authenti-
       cate to the IPA server to unenroll itself. If this principal  does  not
       exist  then  unenrollment  will	fail and an administrator will need to
       disable the host	principal (ipa host-disable <fqdn>).

   Assumptions
       The ipa-client-install script assumes that the machine has already gen-
       erated SSH keys.	It will	not generate SSH keys of its  own  accord.  If
       SSH keys	are not	present	(e.g. when running the ipa-client-install in a
       kickstart,  before ever running sshd), they will	not be uploaded	to the
       client host entry on the	server.

   Hostname Requirements
       Client must use a static	hostname. If the machine hostname changes  for
       example	due  to	a dynamic hostname assignment by a DHCP	server,	client
       enrollment to IPA server	breaks and user	then would not be able to per-
       form Kerberos authentication.

       --hostname option may be	used to	specify	a static  hostname  that  per-
       sists over reboot.

   DNS Autodiscovery
       Client  installer  by default tries to search for _ldap._tcp.DOMAIN DNS
       SRV records for all domains that	are parent to its hostname. For	 exam-
       ple,  if	a client machine has a hostname	'client1.lab.example.com', the
       installer  will	try  to	 retrieve  an	IPA   server   hostname	  from
       _ldap._tcp.lab.example.com,  _ldap._tcp.example.com  and	_ldap._tcp.com
       DNS SRV records,	respectively. The discovered domain is	then  used  to
       configure client	components (e.g. SSSD and Kerberos 5 configuration) on
       the machine.

       When  the  client  machine  hostname  is	 not  in a subdomain of	an IPA
       server, its domain can be passed	with --domain option.  In  that	 case,
       both SSSD and Kerberos components have the domain set in	the configura-
       tion files and will use it to autodiscover IPA servers.

       Client  machine	can  also be configured	without	a DNS autodiscovery at
       all. When both --server and --domain options are	used, client installer
       will use	the specified server and domain	directly. --server option  ac-
       cepts  multiple	server hostnames which can be used for failover	mecha-
       nism. Without DNS autodiscovery,	Kerberos is configured	with  a	 fixed
       list  of	KDC and	 Admin servers.	SSSD is	still configured to either try
       to read domain's	SRV records or the specified fixed  list  of  servers.
       When --fixed-primary option is specified, SSSD will not try to read DNS
       SRV record at all (see sssd-ipa(5) for details).

   The Failover	Mechanism
       When  some  of  the IPA servers is not available, client	components are
       able to fallback	to other IPA replica and thus preserving  a  continued
       service.	 When  client  machine is configured to	use DNS	SRV record au-
       todiscovery (no fixed server was	passed to the installer), client  com-
       ponents	do  the	 fallback automatically, based on the IPA server host-
       names and priorities discovered from the	DNS SRV	records.

       If DNS autodiscovery is not available, clients should be	configured  at
       least  with  a  fixed list of IPA servers that can be used in case of a
       failure.	When only one IPA server is configured,	 IPA  client  services
       will  not  be  available	in case	of a failure of	the IPA	server.	Please
       note, that in case of a fixed list of IPA  servers,  the	 fixed	server
       lists  in client	components need	to be updated when a new IPA server is
       enrolled	or a current IPA server	is decommissioned.

   Coexistence With Other Directory Servers
       Other directory servers deployed	in the network (e.g. Microsoft	Active
       Directory)  may use the same DNS	SRV records to denote hosts with a di-
       rectory service (_ldap._tcp.DOMAIN). Such DNS SRV records may break the
       installation if the installer discovers these  DNS  records  before  it
       finds DNS SRV records pointing to IPA servers. The installer would then
       fail to discover	the IPA	server and exit	with error.

       In  order  to  avoid  the  aforementioned DNS autodiscovery issues, the
       client machine hostname should be in a domain with properly defined DNS
       SRV records pointing to IPA servers, either manually with a custom  DNS
       server  or with IPA DNS integrated solution. A second approach would be
       to avoid	autodiscovery and configure the	installer to use a fixed  list
       of   IPA	 server	 hostnames  using  the	--server  option  and  with  a
       --fixed-primary option disabling	DNS SRV	record autodiscovery in	SSSD.

   Re-enrollment of the	host
       Requirements:

       1. Host has not been un-enrolled	 (the  ipa-client-install  --uninstall
       command has not been run).
       2.  The	host entry has not been	disabled via the ipa host-disable com-
       mand.

       If this has been	the case, host can  be	re-enrolled  using  the	 usual
       methods.

       There are two method of authenticating a	re-enrollment:

       1.  You	can  use  --force-join option with ipa-client-install command.
       This authenticates the re-enrollment using the admin's credentials pro-
       vided via the -w/--password option.
       2. If providing the admin's password via	the command line is not	an op-
       tion (e.g. you want to create a script to re-enroll a host and keep the
       admin's password	secure), you can use backed up keytab from the	previ-
       ous enrollment of this host to authenticate. See	--keytab option.

       Consequences of the re-enrollment on the	host entry:

       1. A new	host certificate is issued
       2. The old host certificate is revoked
       3. New SSH keys are generated
       4. ipaUniqueID is preserved

OPTIONS
   BASIC OPTIONS
       --domain=DOMAIN
	      The primary DNS domain of	an existing IPA	deployment, e.g. exam-
	      ple.com.	This  DNS domain should	contain	the SRV	records	gener-
	      ated by the IPA server installer.	Usually	the name is  a	lower-
	      cased name of an IPA Kerberos realm name.

	      When  no	--server option	is specified, this domain will be used
	      by the installer to discover all available servers via  DNS  SRV
	      record  autodiscovery  (see  DNS	Autodiscovery  section for de-
	      tails).

	      The default value	used by	the installer is the  domain  part  of
	      the  hostname.  This option needs	to be specified	if the primary
	      IPA DNS domain is	different from the default value.

       --server=SERVER
	      Set the FQDN of the IPA server to	connect	to. May	 be  specified
	      multiple	times  to  add multiple	servers	to ipa_server value in
	      sssd.conf	or krb5.conf. Only the first value is considered  when
	      used with	--no-sssd. When	this option is used, DNS autodiscovery
	      for  Kerberos  is	 disabled  and	a  fixed list of KDC and Admin
	      servers is configured.

	      Under normal circumstances, this option is  not  needed  as  the
	      list of servers is retrieved from	the primary IPA	DNS domain.

       --realm=REALM_NAME
	      The  Kerberos realm of an	existing IPA deployment. Usually it is
	      an upper-cased name of the primary DNS domain used  by  the  IPA
	      installation.

	      Under  normal  circumstances,  this  option is not needed	as the
	      realm name is retrieved from the IPA server.

       --fixed-primary
	      Configure	SSSD to	use a fixed server as the primary IPA  server.
	      The  default  is to use DNS SRV records to determine the primary
	      server to	use and	fall back to the server	the client is enrolled
	      with. When used in conjunction with --server then	no _srv_ value
	      is set in	the ipa_server option in sssd.conf.

       -p, --principal
	      Authorized kerberos principal to use to join the IPA realm.

       -w PASSWORD, --password=PASSWORD
	      Password for joining a machine to	the IPA	 realm.	 Assumes  bulk
	      password unless principal	is also	set.

       -W     Prompt for the password for joining a machine to the IPA realm.

       -k, --keytab
	      Path  to	backed	up host	keytab from previous enrollment. Joins
	      the host even if it is already enrolled.

       --mkhomedir
	      Configure	PAM to create a	users home directory if	 it  does  not
	      exist.

       --hostname
	      The  hostname of this machine (FQDN). If specified, the hostname
	      will be set and the system configuration will be updated to per-
	      sist over	reboot.	By default the result of getfqdn()  call  from
	      Python's socket module is	used.

       --force-join
	      Join the host even if it is already enrolled.

       --ntp-server=NTP_SERVER
	      Configure	 chronyd  to  use  this	NTP server. This option	can be
	      used multiple times and it is used to specify exactly  one  time
	      server.

       --ntp-pool=NTP_SERVER_POOL
	      Configure	 chronyd  to  use this NTP server pool.	This option is
	      meant to be pool of multiple servers resolved as one host	 name.
	      This pool's servers may vary but pool address will be still same
	      and chrony will choose only one server from this pool.

       -N, --no-ntp
	      Do not configure NTP client (chronyd).

       --nisdomain=NIS_DOMAIN
	      Set the NIS domain name as specified. By default,	this is	set to
	      the IPA domain name.

       --no-nisdomain
	      Do not configure NIS domain name.

       --ssh-trust-dns
	      Configure	OpenSSH	client to trust	DNS SSHFP records.

       --no-ssh
	      Do not configure OpenSSH client.

       --no-sshd
	      Do not configure OpenSSH server.

       --no-sudo
	      Do not configure SSSD as a data source for sudo.

       --subid
	      Configure	SSSD as	data source for	subid.

       --no-dns-sshfp
	      Do not automatically create DNS SSHFP records.

       --noac Do  not  use Authconfig to modify	the nsswitch.conf and PAM con-
	      figuration.

       -f, --force
	      Force the	settings even if errors	occur

       --kinit-attempts=KINIT_ATTEMPTS
	      In case of unresponsive KDC (e.g.	when enrolling multiple	 hosts
	      at once in a heavy load environment) repeat the request for host
	      Kerberos ticket up to a total number of KINIT_ATTEMPTS times be-
	      fore  giving up and aborting client installation.	Default	number
	      of attempts is 5.	The request is not repeated when  there	 is  a
	      problem with host	credentials themselves (e.g. wrong keytab for-
	      mat  or invalid principal) so using this option will not lead to
	      account lockouts.

       -d, --debug
	      Print debugging information to stdout

       -U, --unattended
	      Unattended installation. The user	will not be prompted.

       --ca-cert-file=CA_FILE
	      Do not attempt to	acquire	the IPA	CA certificate	via  automated
	      means,  instead  use  the	 CA  certificate  found	 locally in in
	      CA_FILE.	The CA_FILE must be an absolute	path to	a PEM  format-
	      ted  certificate	file.  The  CA certificate found in CA_FILE is
	      considered authoritative and will	be installed without  checking
	      to see if	it's valid for the IPA domain.

       --request-cert
	      DEPRECATED:  The	option	is deprecated and will be removed in a
	      future release.

	      Request certificate for the machine.  The	 certificate  will  be
	      stored in	/etc/ipa/nssdb under the nickname "Local IPA host".

	      Using  this option requires that D-Bus is	properly configured or
	      not configured at	all. In	environment where  this	 condition  is
	      not  met	(e.g.  anaconda	 kickstart chroot environment) set the
	      system bus address to /dev/null to  enable  workaround  in  ipa-
	      client-install.

		  #   env   DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null	  ipa-
	      client-install --request-cert

	      Note that	requesting the certificate when	certmonger is not run-
	      ning only	creates	tracking request and  the  certmonger  service
	      must be started to be able to track certificates.

       --automount-location=LOCATION
	      Configure	 automount by running ipa-client-automount(1) with LO-
	      CATION as	automount location.

       --configure-firefox
	      Configure	Firefox	to use IPA domain credentials.

       --firefox-dir=DIR
	      Specify	Firefox	  installation	 directory.    For    example:
	      '/usr/lib/firefox'

       --ip-address=IP_ADDRESS
	      Use IP_ADDRESS in	DNS A/AAAA record for this host. May be	speci-
	      fied multiple times to add multiple DNS records.

       --all-ip-addresses
	      Create DNS A/AAAA	record for each	IP address on this host.

   SSSD	OPTIONS
       --permit
	      Configure	 SSSD to permit	all access. Otherwise the machine will
	      be controlled by the Host-based Access Controls  (HBAC)  on  the
	      IPA server.

       --enable-dns-updates
	      This  option  tells SSSD to automatically	update DNS with	the IP
	      address of this client.  The default is to  use  GSS-TSIG.  How-
	      ever,  if	 using	GSS-TSIG fails for any reason at install time,
	      ipa-client-install will configure	SSSD  to  use  unauthenticated
	      nsupdates	instead.

       --no-krb5-offline-passwords
	      Configure	SSSD not to store user password	when the server	is of-
	      fline.

       -S, --no-sssd
	      Do  not configure	the client to use SSSD for authentication, use
	      nss_ldap instead.

       --preserve-sssd
	      Disabled by default. When	enabled, preserves old SSSD configura-
	      tion if it is not	possible to merge it with a  new  one.	Effec-
	      tively,  if  the	merge is not possible due to SSSDConfig	reader
	      encountering unsupported options,	 ipa-client-install  will  not
	      run  further  and	ask to fix SSSD	config first. When this	option
	      is not specified,	ipa-client-install will	back  up  SSSD	config
	      and  create new one. The back up version will be restored	during
	      uninstall.

   PKINIT OPTIONS
       --pkinit-identity=DENTITY
	      Identity string for PKINIT authentication	to use to join the IPA
	      realm,  for  example  'FILE:/path/to/cert.pem,/path/to/key.pem'.
	      See  krb5.conf(5)	 for  more information.	The option is mutually
	      exclusive	with --password	and --keytab.

       --pkinit-anchor=FILEDIR
	      Trust anchors (root  and	intermediate  CA  certs)  for  PKINIT.
	      FILEDIR is either	the absolute path to a PEM bundle (for example
	      requires the full	trust chain of the Kerberos KDC	server as well
	      as the full trust	chain of the identity certificate.

   UNINSTALL OPTIONS
       --uninstall
	      Remove  the IPA client software and restore the configuration to
	      the pre-IPA state.

       -U, --unattended
	      Unattended uninstallation. The user will not be prompted.

DISABLED SERVICES
       ipa-client-install will automatically disable the Name Service Caching
       Daemon (nscd) when configuring the SSSD client. These are competing
       services	and cannot co-exist.

       If there	are other similar services providing nss capabilities they
       will need to be manually	disabled by the	user. An example is unscd, a
       complete	replacement for	nscd.

FILES
       Files that will be replaced if SSSD is configured (default):

	      /etc/sssd/sssd.conf

       Files that will be replaced if they exist and SSSD is not configured
       (--no-sssd):

	      /etc/ldap.conf
	      /etc/nss_ldap.conf
	      /etc/libnss-ldap.conf
	      /etc/pam_ldap.conf
	      /etc/nslcd.conf

       Files replaced if NTP client (chronyd) configuration is enabled:

	      /etc/chrony.conf

       Files always created (replacing existing	content):

	      /etc/krb5.conf
	      /etc/ipa/ca.crt
	      /etc/ipa/default.conf
	      /etc/ipa/nssdb
	      /etc/openldap/ldap.conf
	      /etc/pki/ca-trust/source/ipa.p11-kit

       Files updated, existing content is maintained:

	      /etc/nsswitch.conf
	      /etc/krb5.keytab
	      /etc/sysconfig/network

       File updated, existing content is maintained if ssh is configured (de-
       fault):

	      /etc/ssh/ssh_config

       File updated, existing content is maintained if sshd is configured (de-
       fault):

	      /etc/ssh/sshd_config

DEPRECATED OPTIONS
       --request-cert

EXIT STATUS
       0 if the	installation was successful

       1 if an error occurred

       2 if uninstalling and the client	is not configured

       3 if installing and the client is already configured

       4 if an uninstall error occurred

SEE ALSO
       ipa-client-automount(1),	krb5.conf(5), sssd.conf(5)

IPA				  Dec 19 2016		 ipa-client-install(1)
Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=ipa-client-install&sektion=1&manpath=FreeBSD+Ports+15.0>
home | help
Header And Logo

Peripheral Links

Site Navigation

FreeBSD Manual Pages

Header And Logo

Peripheral Links

Search

Site Navigation

FreeBSD Manual Pages
