mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
2b2c5d6c93
Mention the new option in the man pages for CA, KRA, replica, and server installation. The documentation must be improved once we have figured out which options are going to be supported. Fixes: pagure.io/freeipa/issue/5608 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
281 lines
12 KiB
Groff
281 lines
12 KiB
Groff
.\" A man page for ipa-replica-install
|
|
.\" Copyright (C) 2008-2016 FreeIPA Contributors see COPYING for license
|
|
.\"
|
|
.TH "ipa-replica-install" "1" "Dec 19 2016" "FreeIPA" "FreeIPA Manual Pages"
|
|
.SH "NAME"
|
|
ipa\-replica\-install \- Create an IPA replica
|
|
.SH "SYNOPSIS"
|
|
.TP
|
|
ipa\-replica\-install [\fIOPTION\fR]...
|
|
.SH "DESCRIPTION"
|
|
Configures a new IPA server that is a replica of the server. Once it has been created it is an exact copy of the original IPA server and is an equal master. Changes made to any master are automatically replicated to other masters.
|
|
|
|
Domain level 0 is not supported anymore.
|
|
|
|
To create a replica, the machine only needs to be enrolled in the FreeIPA domain first. This process of turning the IPA client into a replica is also referred to as replica promotion.
|
|
|
|
If you're starting with an existing IPA client, simply run ipa\-replica\-install to have it promoted into a replica. The NTP configuration cannot be updated during client promotion.
|
|
|
|
To promote a blank machine into a replica, you have two options, you can either run ipa\-client\-install in a separate step, or pass the enrollment related options to the ipa\-replica\-install (see CLIENT ENROLLMENT OPTIONS). In the latter case, ipa\-replica\-install will join the machine to the IPA realm automatically and will proceed with the promotion step.
|
|
|
|
If the installation fails you may need to run ipa\-server\-install \-\-uninstall and ipa\-client\-install before running ipa\-replica\-install again.
|
|
|
|
The installation will fail if the host you are installing the replica on exists as a host in IPA or an existing replication agreement exists (for example, from a previously failed installation).
|
|
|
|
A replica should only be installed on the same or higher version of IPA on the remote system.
|
|
.SH "OPTIONS"
|
|
.SS "OPTIONS"
|
|
.TP
|
|
\fB\-P\fR, \fB\-\-principal\fR
|
|
The user principal which will be used to promote the client to the replica and enroll the client itself, if necessary.
|
|
.TP
|
|
\fB\-w\fR, \fB\-\-admin\-password\fR
|
|
The Kerberos password for the given principal.
|
|
|
|
.SS "CLIENT ENROLLMENT OPTIONS"
|
|
To install client and promote it to replica using a host keytab or One Time Password, the host needs to be a member of ipaservers group. This requires to create a host entry and add it to the host group prior replica installation.
|
|
|
|
\-\-server, \-\-domain, \-\-realm options are autodiscovered via DNS records by default. See manual page
|
|
.BR ipa\-client\-install (1)
|
|
for further details about these options.
|
|
|
|
.TP
|
|
\fB\-p\fR \fIPASSWORD\fR, \fB\-\-password\fR=\fIPASSWORD\fR
|
|
One Time Password for joining a machine to the IPA realm.
|
|
.TP
|
|
\fB\-k\fR, \fB\-\-keytab\fR
|
|
Path to host keytab.
|
|
.TP
|
|
\fB\-\-server\fR
|
|
The fully qualified domain name of the IPA server to enroll to.
|
|
.TP
|
|
\fB\-n\fR, \fB\-\-domain\fR=\fIDOMAIN\fR
|
|
The primary DNS domain of an existing IPA deployment, e.g. example.com.
|
|
This DNS domain should contain the SRV records generated by the IPA server installer.
|
|
.TP
|
|
\fB\-r\fR, \fB\-\-realm\fR=\fIREALM_NAME\fR
|
|
The Kerberos realm of an existing IPA deployment.
|
|
.TP
|
|
\fB\-\-hostname\fR
|
|
The hostname of this machine (FQDN). If specified, the hostname will be set and the system configuration will be updated to persist over reboot.
|
|
.TP
|
|
\fB\-\-force\-join\fR
|
|
Join the host even if it is already enrolled.
|
|
|
|
.SS "BASIC OPTIONS"
|
|
.TP
|
|
\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
|
|
The IP address of this server. If this address does not match the address the host resolves to and \-\-setup\-dns is not selected the installation will fail. If the server hostname is not resolvable, a record for the hostname and IP_ADDRESS is added to /etc/hosts.
|
|
This option can be used multiple times to specify more IP addresses of the server (e.g. multihomed and/or dualstacked server).
|
|
.TP
|
|
\fB\-\-mkhomedir\fR
|
|
Create home directories for users on their first login
|
|
.TP
|
|
\fB\-\-ntp\-server\fR=\fINTP_SERVER\fR
|
|
Configure chronyd to use this NTP server. This option can be used multiple times and it is used to specify exactly one time server.
|
|
.TP
|
|
\fB\-\-ntp\-pool\fR=\fINTP_SERVER_POOL\fR
|
|
Configure chronyd to use this NTP server pool. This option is meant to be pool of multiple servers resolved as one host name. This pool's servers may vary but pool address will be still same and chrony will choose only one server from this pool.
|
|
.TP
|
|
\fB\-N\fR, \fB\-\-no\-ntp\fR
|
|
Do not configure NTP client (chronyd).
|
|
.TP
|
|
\fB\-\-no\-ui\-redirect\fR
|
|
Do not automatically redirect to the Web UI.
|
|
.TP
|
|
\fB\-\-ssh\-trust\-dns\fR
|
|
Configure OpenSSH client to trust DNS SSHFP records.
|
|
.TP
|
|
\fB\-\-no\-ssh\fR
|
|
Do not configure OpenSSH client.
|
|
.TP
|
|
\fB\-\-no\-sshd\fR
|
|
Do not configure OpenSSH server.
|
|
.TP
|
|
\fB\-\-skip\-conncheck\fR
|
|
Skip connection check to remote master
|
|
.TP
|
|
\fB\-d\fR, \fB\-\-debug
|
|
Enable debug logging when more verbose output is needed
|
|
.TP
|
|
\fB\-U\fR, \fB\-\-unattended\fR
|
|
An unattended installation that will never prompt for user input
|
|
.TP
|
|
\fB\-\-dirsrv\-config\-file\fR
|
|
The path to LDIF file that will be used to modify configuration of dse.ldif during installation of the directory server instance
|
|
|
|
.SS "CERTIFICATE SYSTEM OPTIONS"
|
|
.TP
|
|
\fB\-\-setup\-ca\fR
|
|
Install and configure a CA on this replica. If a CA is not configured then
|
|
certificate operations will be forwarded to a master with a CA installed.
|
|
.TP
|
|
\fB\-\-no\-pkinit\fR
|
|
Disables pkinit setup steps.
|
|
.TP
|
|
\fB\-\-dirsrv\-cert\-file\fR=FILE
|
|
File containing the Directory Server SSL certificate and private key
|
|
.TP
|
|
\fB\-\-http\-cert\-file\fR=FILE
|
|
File containing the Apache Server SSL certificate and private key
|
|
.TP
|
|
\fB\-\-pkinit\-cert\-file\fR=FILE
|
|
File containing the Kerberos KDC SSL certificate and private key
|
|
.TP
|
|
\fB\-\-dirsrv\-pin\fR=PIN
|
|
The password to unlock the Directory Server private key
|
|
.TP
|
|
\fB\-\-http\-pin\fR=PIN
|
|
The password to unlock the Apache Server private key
|
|
.TP
|
|
\fB\-\-pkinit\-pin\fR=PIN
|
|
The password to unlock the Kerberos KDC private key
|
|
.TP
|
|
\fB\-\-dirsrv\-cert\-name\fR=NAME
|
|
Name of the Directory Server SSL certificate to install
|
|
.TP
|
|
\fB\-\-http\-cert\-name\fR=NAME
|
|
Name of the Apache Server SSL certificate to install
|
|
.TP
|
|
\fB\-\-pkinit\-cert\-name\fR=NAME
|
|
Name of the Kerberos KDC SSL certificate to install
|
|
.TP
|
|
\fB\-\-pki\-config\-override\fR=\fIFILE\fR
|
|
File containing overrides for CA and KRA installation.
|
|
.TP
|
|
\fB\-\-skip\-schema\-check\fR
|
|
Skip check for updated CA DS schema on the remote master
|
|
|
|
.SS "SECRET MANAGEMENT OPTIONS"
|
|
.TP
|
|
\fB\-\-setup\-kra\fR
|
|
Install and configure a KRA on this replica. If a KRA is not configured then
|
|
vault operations will be forwarded to a master with a KRA installed.
|
|
|
|
.SS "DNS OPTIONS"
|
|
.TP
|
|
\fB\-\-setup\-dns\fR
|
|
Configure an integrated DNS server, create a primary DNS zone (name specified by \-\-domain or taken from an existing deployment), and fill it with service records necessary for IPA deployment.
|
|
In cases where the IPA server name does not belong to the primary DNS domain and is not resolvable using DNS, create a DNS zone containing the IPA server name as well.
|
|
|
|
This option requires that you either specify at least one DNS forwarder through
|
|
the \fB\-\-forwarder\fR option or use the \fB\-\-no\-forwarders\fR option.
|
|
|
|
Note that you can set up a DNS at any time after the initial IPA server install by running
|
|
.B ipa-dns-install
|
|
(see
|
|
.BR ipa-dns-install (1)).
|
|
IPA DNS cannot be uninstalled.
|
|
.TP
|
|
\fB\-\-forwarder\fR=\fIIP_ADDRESS\fR
|
|
Add a DNS forwarder to the DNS configuration. You can use this option multiple
|
|
times to specify more forwarders, but at least one must be provided, unless
|
|
the \fB\-\-no\-forwarders\fR option is specified.
|
|
.TP
|
|
\fB\-\-no\-forwarders\fR
|
|
Do not add any DNS forwarders. Root DNS servers will be used instead.
|
|
.TP
|
|
\fB\-\-auto\-forwarders\fR
|
|
Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS.
|
|
.TP
|
|
\fB\-\-forward\-policy\fR=\fIfirst|only\fR
|
|
DNS forwarding policy for global forwarders specified using other options.
|
|
Defaults to first if no IP address belonging to a private or reserved ranges is
|
|
detected on local interfaces (RFC 6303). Defaults to only if a private
|
|
IP address is detected.
|
|
.TP
|
|
\fB\-\-reverse\-zone\fR=\fIREVERSE_ZONE\fR
|
|
The reverse DNS zone to use. This option can be used multiple times to specify multiple reverse zones.
|
|
.TP
|
|
\fB\-\-no\-reverse\fR
|
|
Do not create new reverse DNS zone. If a reverse DNS zone already exists for the subnet, it will be used.
|
|
.TP
|
|
\fB\-\-auto-reverse\fR
|
|
Create necessary reverse zones
|
|
.TP
|
|
\fB\-\-allow-zone-overlap\fR
|
|
Create DNS zone even if it already exists
|
|
.TP
|
|
\fB\-\-no\-host\-dns\fR
|
|
Do not use DNS for hostname lookup during installation
|
|
.TP
|
|
\fB\-\-no\-dns\-sshfp\fR
|
|
Do not automatically create DNS SSHFP records.
|
|
.TP
|
|
\fB\-\-no\-dnssec\-validation\fR
|
|
Disable DNSSEC validation on this server.
|
|
|
|
.SS "AD TRUST OPTIONS"
|
|
.TP
|
|
\fB\-\-setup\-adtrust\fR
|
|
Configure AD Trust capability on a replica.
|
|
.TP
|
|
\fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR
|
|
The NetBIOS name for the IPA domain. If not provided then this is determined
|
|
based on the leading component of the DNS domain name. Running
|
|
ipa\-adtrust\-install for a second time with a different NetBIOS name will
|
|
change the name. Please note that changing the NetBIOS name might break
|
|
existing trust relationships to other domains.
|
|
.TP
|
|
\fB\-\-add\-sids\fR
|
|
Add SIDs to existing users and groups as on of final steps of the
|
|
ipa\-adtrust\-install run. If there a many existing users and groups and a
|
|
couple of replicas in the environment this operation might lead to a high
|
|
replication traffic and a performance degradation of all IPA servers in the
|
|
environment. To avoid this the SID generation can be run after
|
|
ipa\-adtrust\-install is run and scheduled independently. To start this task
|
|
you have to load an edited version of ipa-sidgen-task-run.ldif with the
|
|
ldapmodify command info the directory server.
|
|
.TP
|
|
\fB\-\-add\-agents\fR
|
|
Add IPA masters to the list that allows to serve information about
|
|
users from trusted forests. Starting with FreeIPA 4.2, a regular IPA master
|
|
can provide this information to SSSD clients. IPA masters aren't added
|
|
to the list automatically as restart of the LDAP service on each of them
|
|
is required. The host where ipa\-adtrust\-install is being run is added
|
|
automatically.
|
|
.IP
|
|
Note that IPA masters where ipa\-adtrust\-install wasn't run, can serve
|
|
information about users from trusted forests only if they are enabled
|
|
via \ipa-adtrust\-install run on any other IPA master. At least SSSD
|
|
version 1.13 on IPA master is required to be able to perform as a trust agent.
|
|
.TP
|
|
\fB\-\-rid-base\fR=\fIRID_BASE\fR
|
|
First RID value of the local domain. The first Posix ID of the local domain will
|
|
be assigned to this RID, the second to RID+1 etc. See the online help of the
|
|
idrange CLI for details.
|
|
.TP
|
|
\fB\-\-secondary-rid-base\fR=\fISECONDARY_RID_BASE\fR
|
|
Start value of the secondary RID range, which is only used in the case a user
|
|
and a group share numerically the same Posix ID. See the online help of the
|
|
idrange CLI for details.
|
|
.TP
|
|
\fB\-\-enable\-compat\fR
|
|
Enables support for trusted domains users for old clients through Schema Compatibility plugin.
|
|
SSSD supports trusted domains natively starting with version 1.9. For platforms that
|
|
lack SSSD or run older SSSD version one needs to use this option. When enabled, slapi\-nis package
|
|
needs to be installed and schema\-compat\-plugin will be configured to provide lookup of
|
|
users and groups from trusted domains via SSSD on IPA server. These users and groups will be
|
|
available under \fBcn=users,cn=compat,$SUFFIX\fR and \fBcn=groups,cn=compat,$SUFFIX\fR trees.
|
|
SSSD will normalize names of users and groups to lower case.
|
|
.IP
|
|
In addition to providing these users and groups through the compat tree, this option enables
|
|
authentication over LDAP for trusted domain users with DN under compat tree, i.e. using bind DN
|
|
\fBuid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX\fR.
|
|
.IP
|
|
LDAP authentication performed by the compat tree is done via PAM '\fBsystem\-auth\fR' service.
|
|
This service exists by default on Linux systems and is provided by pam package as /etc/pam.d/system\-auth.
|
|
If your IPA install does not have default HBAC rule 'allow_all' enabled, then make sure
|
|
to define in IPA special service called '\fBsystem\-auth\fR' and create an HBAC
|
|
rule to allow access to anyone to this rule on IPA masters.
|
|
.IP
|
|
As '\fBsystem\-auth\fR' PAM service is not used directly by any other
|
|
application, it is safe to use it for trusted domain users via compatibility
|
|
path.
|
|
.SH "EXIT STATUS"
|
|
0 if the command was successful
|
|
|
|
1 if an error occurred
|
|
|
|
3 if the host exists in the IPA server or a replication agreement to the remote master already exists
|