ipa-client-install - Online Linux Manual PageSection : 1
Updated : Sep 5 2011
Source : FreeIPA
Note : FreeIPA Manual Pages
NAMEipa−client−install − Configure an IPA client
SYNOPSISipa−client−install [OPTION]...
DESCRIPTIONConfigures a client machine to use IPA for authentication and identity services. By default this configures SSSD to connect to an IPA server for authentication and authorization. Optionally one can instead configure PAM and NSS (Name Switching Service) to work with an IPA server over Kerberos and LDAP. An authorized user is required to join a client machine to IPA. This can take the form of a kerberos principal or a one−time password associated with the machine. This same tool is used to unconfigure IPA and attempts to return the machine to its previous state. Part of this process is to unenroll the host from the IPA server. Unenrollment consists of disabling the prinicipal key on the IPA server so that it may be re−enrolled. The machine principal in /etc/krb5.keytab (host/<fqdn>@REALM) is used to authenticate to the IPA server to unenroll itself. If this principal does not exist then unenrollment will fail and an administrator will need to disable the host principal (ipa host−disable <fqdn>).
HOSTNAME REQUIREMENTSClient must use a static hostname. If the machine hostname changes for example due to a dynamic hostname assignment by a DHCP server, client enrollment to IPA server breaks and user then would not be able to perform Kerberos authentication. −−hostname option may be used to specify a static hostname that persists over reboot.
OPTIONS
BASIC OPTIONS−−domain=DOMAIN Set the domain name to DOMAIN −−server=SERVER Set the IPA server to connect to. May be specified multiple times to add multiple servers to ipa_server value in sssd.conf. Only the first value is considered when used with −−no−sssd. −−realm=REALM_NAME Set the IPA realm name to REALM_NAME −−fixed−primary Configure sssd to use a fixed server as the primary IPA server. The default is to use DNS SRV records to determine the primary server to use and fall back to the server the client is enrolled with. When used in conjunction with −−server then no _srv_ value is set in the ipa_server option in sssd.conf. −p, −−principal Authorized kerberos principal to use to join the IPA realm. −w PASSWORD, −−password=PASSWORD Password for joining a machine to the IPA realm. Assumes bulk password unless principal is also set. −W Prompt for the password for joining a machine to the IPA realm. −−mkhomedir Configure PAM to create a users home directory if it does not exist. −−hostname The hostname of this machine (FQDN). If specified, the hostname will be set and the system configuration will be updated to persist over reboot. By default a nodename result from uname(2) is used. −−force−join Join the host even if it is already enrolled. −−ntp−server=NTP_SERVER Configure ntpd to use this NTP server. −N, −−no−ntp Do not configure or enable NTP. −−nisdomain=NIS_DOMAIN Set the NIS domain name as specified. By default, this is set to the IPA domain name. −−no−nisdomain Do not configure NIS domain name. −−ssh−trust−dns Configure OpenSSH client to trust DNS SSHFP records. −−no−ssh Do not configure OpenSSH client. −−no−sshd Do not configure OpenSSH server. −−no−sudo Do not configure SSSD as a data source for sudo. −−no−dns−sshfp Do not automatically create DNS SSHFP records. −−noac Do not use Authconfig to modify the nsswitch.conf and PAM configuration. −f, −−force Force the settings even if errors occur −−kinit−attempts=KINIT_ATTEMPTS Number of unsuccessful attempts to obtain host TGT that will be performed before aborting client installation. KINIT_ATTEMPTS should be a number greater than zero. By default 5 attempts to get TGT are performed. −d, −−debug Print debugging information to stdout −U, −−unattended Unattended installation. The user will not be prompted. −−ca-cert-file=CA_FILE Do not attempt to acquire the IPA CA certificate via automated means, instead use the CA certificate found locally in in CA_FILE. The CA_FILE must be an absolute path to a PEM formatted certificate file. The CA certificate found in CA_FILE is considered authoritative and will be installed without checking to see if it's valid for the IPA domain.
SSSD OPTIONS−−permit Configure SSSD to permit all access. Otherwise the machine will be controlled by the Host−based Access Controls (HBAC) on the IPA server. −−enable−dns−updates This option tells SSSD to automatically update DNS with the IP address of this client. −−no−krb5−offline−passwords Configure SSSD not to store user password when the server is offline. −S, −−no−sssd Do not configure the client to use SSSD for authentication, use nss_ldap instead. −−preserve−sssd Disabled by default. When enabled, preserves old SSSD configuration if it is not possible to merge it with a new one. Effectively, if the merge is not possible due to SSSDConfig reader encountering unsupported options, ipa−client−install will not run further and ask to fix SSSD config first. When this option is not specified, ipa−client−install will back up SSSD config and create new one. The back up version will be restored during uninstall.
UNINSTALL OPTIONS−−uninstall Remove the IPA client software and restore the configuration to the pre−IPA state. −U, −−unattended Unattended uninstallation. The user will not be prompted.
FILESFiles that will be replaced if SSSD is configured (default): /etc/sssd/sssd.conf\p Files that will be replaced if they exist and SSSD is not configured (−−no−sssd): /etc/ldap.conf\p /etc/nss_ldap.conf\p /etc/libnss−ldap.conf\p /etc/pam_ldap.conf\p /etc/nslcd.conf\p Files replaced if NTP is enabled: /etc/ntp.conf\p /etc/sysconfig/ntpd\p /etc/ntp/step−tickers\p Files always created (replacing existing content): /etc/krb5.conf\p /etc/ipa/ca.crt\p /etc/ipa/default.conf\p /etc/openldap/ldap.conf\p Files updated, existing content is maintained: /etc/pki/nssdb\p /etc/krb5.keytab\p /etc/sysconfig/network\p
EXIT STATUS0 if the installation was successful 1 if an error occurred 2 if uninstalling and the client is not configured 3 if installing and the client is already configured 4 if an uninstall error occurred 0
Johanes Gumabo
Data Size : 22,936 byte
man-ipa-client-install.1Build : 2024-12-05, 20:55 :
Visitor Screen : x
Visitor Counter ( page / site ) : 2 / 198,004
Visitor ID : :
Visitor IP : 3.129.23.110 :
Visitor Provider : AMAZON-02 :
Provider Position ( lat x lon ) : 39.962500 x -83.006100 : x
Provider Accuracy Radius ( km ) : 1000 :
Provider City : Columbus :
Provider Province : Ohio , : ,
Provider Country : United States :
Provider Continent : North America :
Visitor Recorder : Version :
Visitor Recorder : Library :
Online Linux Manual Page : Version : Online Linux Manual Page - Fedora.40 - march=x86-64 - mtune=generic - 24.12.05
Online Linux Manual Page : Library : lib_c - 24.10.03 - march=x86-64 - mtune=generic - Fedora.40
Online Linux Manual Page : Library : lib_m - 24.10.03 - march=x86-64 - mtune=generic - Fedora.40
Data Base : Version : Online Linux Manual Page Database - 24.04.13 - march=x86-64 - mtune=generic - fedora-38
Data Base : Library : lib_c - 23.02.07 - march=x86-64 - mtune=generic - fedora.36
Very long time ago, I have the best tutor, Wenzel Svojanovsky . If someone knows the email address of Wenzel Svojanovsky , please send an email to johanes_gumabo@yahoo.co.id .
If error, please print screen and send to johanes_gumabo@yahoo.co.id
Under development. Support me via PayPal.
ERROR : Need New Coding : (rof_escape_sequence|91|ipa-client-install.1|158|\p |/etc/sssd/sssd.conf\p
) (rof_escape_sequence|91|ipa-client-install.1|162|\p |/etc/ldap.conf\p
) (rof_escape_sequence|91|ipa-client-install.1|163|\p |/etc/nss_ldap.conf\p
) (rof_escape_sequence|91|ipa-client-install.1|164|\p |/etc/libnss\-ldap.conf\p
) (rof_escape_sequence|91|ipa-client-install.1|165|\p |/etc/pam_ldap.conf\p
) (rof_escape_sequence|91|ipa-client-install.1|166|\p |/etc/nslcd.conf\p
) (rof_escape_sequence|91|ipa-client-install.1|170|\p |/etc/ntp.conf\p
) (rof_escape_sequence|91|ipa-client-install.1|171|\p |/etc/sysconfig/ntpd\p
) (rof_escape_sequence|91|ipa-client-install.1|172|\p |/etc/ntp/step\-tickers\p
) (rof_escape_sequence|91|ipa-client-install.1|176|\p |/etc/krb5.conf\p
) (rof_escape_sequence|91|ipa-client-install.1|177|\p |/etc/ipa/ca.crt\p
) (rof_escape_sequence|91|ipa-client-install.1|178|\p |/etc/ipa/default.conf\p
) (rof_escape_sequence|91|ipa-client-install.1|179|\p |/etc/openldap/ldap.conf\p
) (rof_escape_sequence|91|ipa-client-install.1|183|\p |/etc/pki/nssdb\p
) (rof_escape_sequence|91|ipa-client-install.1|184|\p |/etc/krb5.keytab\p
) (rof_escape_sequence|91|ipa-client-install.1|185|\p |/etc/sysconfig/network\p
)