Provided by: freeipa-client_4.10.2-1_amd64 bug

NAME

       ipa-client-install - Configure an IPA client

SYNOPSIS

       ipa-client-install [OPTION]...

DESCRIPTION

       Configures a client machine to use IPA for authentication and identity services.

       By  default  this  configures  SSSD  to  connect  to  an IPA server for authentication and
       authorization. Optionally one can instead configure PAM and NSS (Name  Switching  Service)
       to work with an IPA server over Kerberos and LDAP.

       An  authorized account is required to join a client machine to IPA. This can take the form
       of a kerberos principal, a one-time  password  associated  with  the  machine,  or  PKINIT
       identity associated with the machine.

       This  same  tool  is  used  to  unconfigure  IPA and attempts to return the machine to its
       previous state. Part of this process  is  to  unenroll  the  host  from  the  IPA  server.
       Unenrollment  consists  of disabling the principal key on the IPA server so that it may be
       re-enrolled. The machine principal in  /etc/krb5.keytab  (host/<fqdn>@REALM)  is  used  to
       authenticate  to  the IPA server to unenroll itself. If this principal does not exist then
       unenrollment will fail and an administrator will need to disable the host  principal  (ipa
       host-disable <fqdn>).

   Assumptions
       The  ipa-client-install script assumes that the machine has already generated SSH keys. It
       will not generate SSH keys of its own accord. If SSH  keys  are  not  present  (e.g.  when
       running the ipa-client-install in a kickstart, before ever running sshd), they will not be
       uploaded to the client host entry on the server.

   Hostname Requirements
       Client must use a static hostname. If the machine hostname changes for example  due  to  a
       dynamic  hostname  assignment by a DHCP server, client enrollment to IPA server breaks and
       user then would not be able to perform Kerberos authentication.

       --hostname option may be used to specify a static hostname that persists over reboot.

   DNS Autodiscovery
       Client installer by default tries to search for _ldap._tcp.DOMAIN DNS SRV records for  all
       domains  that  are parent to its hostname. For example, if a client machine has a hostname
       'client1.lab.example.com', the installer will try to retrieve an IPA server hostname  from
       _ldap._tcp.lab.example.com,  _ldap._tcp.example.com  and  _ldap._tcp.com  DNS SRV records,
       respectively. The discovered domain is then used to configure client components (e.g. SSSD
       and Kerberos 5 configuration) on the machine.

       When the client machine hostname is not in a subdomain of an IPA server, its domain can be
       passed with --domain option. In that case, both SSSD  and  Kerberos  components  have  the
       domain set in the configuration files and will use it to autodiscover IPA servers.

       Client  machine  can  also  be  configured  without  a DNS autodiscovery at all. When both
       --server and --domain options are used, client installer will use the specified server and
       domain  directly.  --server option accepts multiple server hostnames which can be used for
       failover mechanism. Without DNS autodiscovery, Kerberos is configured with a fixed list of
       KDC  and   Admin  servers.  SSSD  is  still  configured to either try to read domain's SRV
       records or the specified fixed list of servers. When --fixed-primary option is  specified,
       SSSD will not try to read DNS SRV record at all (see sssd-ipa(5) for details).

   The Failover Mechanism
       When  some  of the IPA servers is not available, client components are able to fallback to
       other IPA replica and  thus  preserving  a  continued  service.  When  client  machine  is
       configured  to  use  DNS  SRV  record  autodiscovery  (no  fixed  server was passed to the
       installer), client components do the fallback  automatically,  based  on  the  IPA  server
       hostnames and priorities discovered from the DNS SRV records.

       If  DNS autodiscovery is not available, clients should be configured at least with a fixed
       list of IPA servers that can be used in case of a failure. When only  one  IPA  server  is
       configured,  IPA  client  services  will  not be available in case of a failure of the IPA
       server. Please note, that in case of a fixed list of IPA servers, the fixed  server  lists
       in client components need to be updated when a new IPA server is enrolled or a current IPA
       server is decommissioned.

   Coexistence With Other Directory Servers
       Other directory servers deployed in the network (e.g. Microsoft Active Directory) may  use
       the  same  DNS  SRV  records to denote hosts with a directory service (_ldap._tcp.DOMAIN).
       Such DNS SRV records may break the installation  if  the  installer  discovers  these  DNS
       records  before it finds DNS SRV records pointing to IPA servers. The installer would then
       fail to discover the IPA server and exit with error.

       In order to avoid the aforementioned DNS autodiscovery issues, the client machine hostname
       should  be  in  a  domain  with  properly defined DNS SRV records pointing to IPA servers,
       either manually with a custom DNS server or with IPA DNS  integrated  solution.  A  second
       approach  would  be to avoid autodiscovery and configure the installer to use a fixed list
       of IPA server hostnames using the  --server  option  and  with  a  --fixed-primary  option
       disabling DNS SRV record autodiscovery in SSSD.

   Re-enrollment of the host
       Requirements:

       1.  Host has not been un-enrolled (the ipa-client-install --uninstall command has not been
       run).
       2. The host entry has not been disabled via the ipa host-disable command.

       If this has been the case, host can be re-enrolled using the usual methods.

       There are two method of authenticating a re-enrollment:

       1. You can use --force-join option with ipa-client-install command. This authenticates the
       re-enrollment using the admin's credentials provided via the -w/--password option.
       2.  If providing the admin's password via the command line is not an option (e.g. you want
       to create a script to re-enroll a host and keep the admin's password secure), you can  use
       backed  up  keytab from the previous enrollment of this host to authenticate. See --keytab
       option.

       Consequences of the re-enrollment on the host entry:

       1. A new host certificate is issued
       2. The old host certificate is revoked
       3. New SSH keys are generated
       4. ipaUniqueID is preserved

OPTIONS

   BASIC OPTIONS
       --domain=DOMAIN
              The primary DNS domain of an existing IPA deployment, e.g.  example.com.  This  DNS
              domain  should  contain  the  SRV  records  generated  by the IPA server installer.
              Usually the name is a lower-cased name of an IPA Kerberos realm name.

              When no --server option is specified, this domain will be used by the installer  to
              discover   all  available  servers  via  DNS  SRV  record  autodiscovery  (see  DNS
              Autodiscovery section for details).

              The default value used by the installer is the domain part of  the  hostname.  This
              option  needs  to  be specified if the primary IPA DNS domain is different from the
              default value.

       --server=SERVER
              Set the FQDN of the IPA server to connect to. May be specified  multiple  times  to
              add  multiple servers to ipa_server value in sssd.conf or krb5.conf. Only the first
              value is considered when used  with  --no-sssd.  When  this  option  is  used,  DNS
              autodiscovery for Kerberos is disabled and a fixed list of KDC and Admin servers is
              configured.

              Under normal circumstances, this option is not needed as the  list  of  servers  is
              retrieved from the primary IPA DNS domain.

       --realm=REALM_NAME
              The Kerberos realm of an existing IPA deployment. Usually it is an upper-cased name
              of the primary DNS domain used by the IPA installation.

              Under normal circumstances, this  option  is  not  needed  as  the  realm  name  is
              retrieved from the IPA server.

       --fixed-primary
              Configure  SSSD  to use a fixed server as the primary IPA server. The default is to
              use DNS SRV records to determine the primary server to use and  fall  back  to  the
              server  the client is enrolled with. When used in conjunction with --server then no
              _srv_ value is set in the ipa_server option in sssd.conf.

       -p, --principal
              Authorized kerberos principal to use to join the IPA realm.

       -w PASSWORD, --password=PASSWORD
              Password for joining a machine to the  IPA  realm.  Assumes  bulk  password  unless
              principal is also set.

       -W     Prompt for the password for joining a machine to the IPA realm.

       -k, --keytab
              Path  to  backed up host keytab from previous enrollment. Joins the host even if it
              is already enrolled.

       --mkhomedir
              Configure PAM to create a users home directory if it does not exist.

       --hostname
              The hostname of this machine (FQDN). If specified, the hostname will be set and the
              system  configuration will be updated to persist over reboot. By default the result
              of getfqdn() call from Python's socket module is used.

       --force-join
              Join the host even if it is already enrolled.

       --ntp-server=NTP_SERVER
              Configure chronyd to use this NTP server. This option can be  used  multiple  times
              and it is used to specify exactly one time server.

       --ntp-pool=NTP_SERVER_POOL
              Configure  chronyd  to use this NTP server pool. This option is meant to be pool of
              multiple servers resolved as one host name. This pool's servers may vary  but  pool
              address will be still same and chrony will choose only one server from this pool.

       -N, --no-ntp
              Do not configure NTP client (chronyd).

       --nisdomain=NIS_DOMAIN
              Set  the  NIS  domain  name as specified. By default, this is set to the IPA domain
              name.

       --no-nisdomain
              Do not configure NIS domain name.

       --ssh-trust-dns
              Configure OpenSSH client to trust DNS SSHFP records.

       --no-ssh
              Do not configure OpenSSH client.

       --no-sshd
              Do not configure OpenSSH server.

       --no-sudo
              Do not configure SSSD as a data source for sudo.

       --subid
              Configure SSSD as data source for subid.

       --no-dns-sshfp
              Do not automatically create DNS SSHFP records.

       --noac Do not use Authconfig to modify the nsswitch.conf and PAM configuration.

       -f, --force
              Force the settings even if errors occur

       --kinit-attempts=KINIT_ATTEMPTS
              In case of unresponsive KDC (e.g. when enrolling multiple hosts at once in a  heavy
              load  environment) repeat the request for host Kerberos ticket up to a total number
              of KINIT_ATTEMPTS times before giving up and aborting client installation.  Default
              number  of  attempts is 5. The request is not repeated when there is a problem with
              host credentials themselves (e.g. wrong keytab  format  or  invalid  principal)  so
              using this option will not lead to account lockouts.

       -d, --debug
              Print debugging information to stdout

       -U, --unattended
              Unattended installation. The user will not be prompted.

       --ca-cert-file=CA_FILE
              Do  not  attempt to acquire the IPA CA certificate via automated means, instead use
              the CA certificate found locally in in CA_FILE.  The CA_FILE must  be  an  absolute
              path  to  a  PEM formatted certificate file. The CA certificate found in CA_FILE is
              considered authoritative and will be installed without  checking  to  see  if  it's
              valid for the IPA domain.

       --request-cert
              DEPRECATED: The option is deprecated and will be removed in a future release.

              Request   certificate   for   the  machine.  The  certificate  will  be  stored  in
              /etc/ipa/nssdb under the nickname "Local IPA host".

              Using this option requires that D-Bus is properly configured or not  configured  at
              all. In environment where this condition is not met (e.g. anaconda kickstart chroot
              environment) set the system bus address to /dev/null to enable workaround  in  ipa-
              client-install.

                  # env DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null ipa-client-install --request-
              cert

              Note that requesting the certificate when certmonger is not  running  only  creates
              tracking  request  and  the  certmonger service must be started to be able to track
              certificates.

       --automount-location=LOCATION
              Configure automount by running ipa-client-automount(1) with LOCATION  as  automount
              location.

       --configure-firefox
              Configure Firefox to use IPA domain credentials.

       --firefox-dir=DIR
              Specify Firefox installation directory. For example: '/usr/lib/firefox'

       --ip-address=IP_ADDRESS
              Use  IP_ADDRESS in DNS A/AAAA record for this host. May be specified multiple times
              to add multiple DNS records.

       --all-ip-addresses
              Create DNS A/AAAA record for each IP address on this host.

   SSSD OPTIONS
       --permit
              Configure SSSD to permit all access. Otherwise the machine will  be  controlled  by
              the Host-based Access Controls (HBAC) on the IPA server.

       --enable-dns-updates
              This  option  tells  SSSD  to  automatically update DNS with the IP address of this
              client.  The default is to use GSS-TSIG. However, if using GSS-TSIG fails  for  any
              reason   at   install   time,   ipa-client-install   will  configure  SSSD  to  use
              unauthenticated nsupdates instead.

       --no-krb5-offline-passwords
              Configure SSSD not to store user password when the server is offline.

       -S, --no-sssd
              Do not configure the client to use SSSD for authentication, use nss_ldap instead.

       --preserve-sssd
              Disabled by default. When enabled, preserves old SSSD configuration if  it  is  not
              possible  to merge it with a new one. Effectively, if the merge is not possible due
              to SSSDConfig reader encountering unsupported options, ipa-client-install will  not
              run  further  and  ask to fix SSSD config first. When this option is not specified,
              ipa-client-install will back up SSSD config and create new one. The back up version
              will be restored during uninstall.

   PKINIT OPTIONS
       --pkinit-identity=DENTITY
              Identity string for PKINIT authentication to use to join the IPA realm, for example
              'FILE:/path/to/cert.pem,/path/to/key.pem'. See krb5.conf(5) for  more  information.
              The option is mutually exclusive with --password and --keytab.

       --pkinit-anchor=FILEDIR
              Trust  anchors  (root  and intermediate CA certs) for PKINIT. FILEDIR is either the
              absolute path to a PEM bundle (for example requires the full  trust  chain  of  the
              Kerberos KDC server as well as the full trust chain of the identity certificate.

   UNINSTALL OPTIONS
       --uninstall
              Remove the IPA client software and restore the configuration to the pre-IPA state.

       -U, --unattended
              Unattended uninstallation. The user will not be prompted.

DISABLED SERVICES

       ipa-client-install  will automatically disable the Name Service Caching Daemon (nscd) when
       configuring the SSSD client. These are competing services and cannot co-exist.

       If there are other similar services providing  nss  capabilities  they  will  need  to  be
       manually disabled by the user. An example is unscd, a complete replacement for nscd.

FILES

       Files that will be replaced if SSSD is configured (default):

              /etc/sssd/sssd.conf

       Files that will be replaced if they exist and SSSD is not configured (--no-sssd):

              /etc/ldap.conf
              /etc/nss_ldap.conf
              /etc/libnss-ldap.conf
              /etc/pam_ldap.conf
              /etc/nslcd.conf

       Files replaced if NTP client (chronyd) configuration is enabled:

              /etc/chrony.conf

       Files always created (replacing existing content):

              /etc/krb5.conf
              /etc/ipa/ca.crt
              /etc/ipa/default.conf
              /etc/ipa/nssdb
              /etc/openldap/ldap.conf
              /etc/pki/ca-trust/source/ipa.p11-kit

       Files updated, existing content is maintained:

              /etc/nsswitch.conf
              /etc/krb5.keytab
              /etc/sysconfig/network

       File updated, existing content is maintained if ssh is configured (default):

              /etc/ssh/ssh_config

       File updated, existing content is maintained if sshd is configured (default):

              /etc/ssh/sshd_config

DEPRECATED OPTIONS

       --request-cert

EXIT STATUS

       0 if the installation was successful

       1 if an error occurred

       2 if uninstalling and the client is not configured

       3 if installing and the client is already configured

       4 if an uninstall error occurred

SEE ALSO

       ipa-client-automount(1), krb5.conf(5), sssd.conf(5)