ipa-client-install(1) IPA Manual Pages ipa-client-install(1)
ipa-client-install - Configure an IPA client
Configures a client machine to use IPA for authentication and identity services.
By default this configures SSSD to connect to an IPA server for authentication and autho-
rization. Optionally one can instead configure PAM and NSS (Name Switching Service) to
work with an IPA server over Kerberos and LDAP.
An authorized user is required to join a client machine to IPA. This can take the form of
a kerberos principal or a one-time password associated with the machine.
This same tool is used to unconfigure IPA and attempts to return the machine to its previ-
ous state. Part of this process is to unenroll the host from the IPA server. Unenrollment
consists of disabling the prinicipal key on the IPA server so that it may be re-enrolled.
The machine principal in /etc/krb5.keytab (host/<fqdn>@REALM) is used to authenticate to
the IPA server to unenroll itself. If this principal does not exist then unenrollment will
fail and an administrator will need to disable the host principal (ipa host-disable
Client must use a static hostname. If the machine hostname changes for example due to a
dynamic hostname assignment by a DHCP server, client enrollment to IPA server breaks and
user then would not be able to perform Kerberos authentication.
--hostname option may be used to specify a static hostname that persists over reboot.
Client installer by default tries to search for _ldap._tcp.DOMAIN DNS SRV records for all
domains that are parent to its hostname. For example, if a client machine has a hostname
'client1.lab.example.com', the installer will try to retrieve an IPA server hostname from
_ldap._tcp.lab.example.com, _ldap._tcp.example.com and _ldap._tcp.com DNS SRV records,
respectively. The discovered domain is then used to configure client components (e.g. SSSD
and Kerberos 5 configuration) on the machine.
When the client machine hostname is not in a subdomain of an IPA server, its domain can be
passed with --domain option. In that case, both SSSD and Kerberos components have the
domain set in the configuration files and will use it to autodiscover IPA servers.
Client machine can also be configured without a DNS autodiscovery at all. When both
--server and --domain options are used, client installer will use the specified server and
domain directly. --server option accepts multiple server hostnames which can be used for
failover mechanism. Without DNS autodiscovery, Kerberos is configured with a fixed list of
KDC and Admin servers. SSSD is still configured to either try to read domain's SRV
records or the specified fixed list of servers. When --fixed-primary option is specified,
SSSD will not try to read DNS SRV record at all (see sssd-ipa(5) for details).
The Failover Mechanism
When some of the IPA servers is not available, client components are able to fallback to
other IPA replica and thus preserving a continued service. When client machine is config-
ured to use DNS SRV record autodiscovery (no fixed server was passed to the installer),
client components do the fallback automatically, based on the IPA server hostnames and
priorities discovered from the DNS SRV records.
If DNS autodiscovery is not available, clients should be configured at least with a fixed
list of IPA servers that can be used in case of a failure. When only one IPA server is
configured, IPA client services will not be available in case of a failure of the IPA
server. Please note, that in case of a fixed list of IPA servers, the fixed server lists
in client components need to be updated when a new IPA server is enrolled or a current IPA
server is decommissioned.
Coexistence With Other Directory Servers
Other directory servers deployed in the network (e.g. Microsoft Active Directory) may use
the same DNS SRV records to denote hosts with a directory service (_ldap._tcp.DOMAIN).
Such DNS SRV records may break the installation if the installer discovers these DNS
records before it finds DNS SRV records pointing to IPA servers. The installer would then
fail to discover the IPA server and exit with error.
In order to avoid the aforementioned DNS autodiscovery issues, the client machine hostname
should be in a domain with properly defined DNS SRV records pointing to IPA servers,
either manually with a custom DNS server or with IPA DNS integrated solution. A second
approach would be to avoid autodiscovery and configure the installer to use a fixed list
of IPA server hostnames using the --server option and with a --fixed-primary option dis-
abling DNS SRV record autodiscovery in SSSD.
Re-enrollment of the host
1. Host has not been un-enrolled (the ipa-client-install --uninstall command has not been
2. The host entry has not been disabled via the ipa host-disable command.
If this has been the case, host can be re-enrolled using the usual methods.
There are two method of authenticating a re-enrollment:
1. You can use --force-join option with ipa-client-install command. This authenticates the
re-enrollment using the admin's credetials provided via the -w/--password option.
2. If providing the admin's password via the command line is not an option (e.g you want
to create a script to re-enroll a host and keep the admin's password secure), you can use
backed up keytab from the previous enrollment of this host to authenticate. See --keytab
Consenquences of the re-enrollment on the host entry:
1. A new host certificate is issued
2. The old host certificate is revoked
3. New SSH keys are generated
4. ipaUniqueID is preserved
Set the domain name to DOMAIN. When no --server option is specified, the installer
will try to discover all available servers via DNS SRV record autodiscovery (see
DNS Autodiscovery section for details).
Set the IPA server to connect to. May be specified multiple times to add multiple
servers to ipa_server value in sssd.conf or krb5.conf. Only the first value is con-
sidered when used with --no-sssd. When this option is used, DNS autodiscovery for
Kerberos is disabled and a fixed list of KDC and Admin servers is configured.
Set the IPA realm name to REALM_NAME. Under normal circumstances, this option is
not needed as the realm name is retrieved from the IPA server.
Configure SSSD to use a fixed server as the primary IPA server. The default is to
use DNS SRV records to determine the primary server to use and fall back to the
server the client is enrolled with. When used in conjunction with --server then no
_srv_ value is set in the ipa_server option in sssd.conf.
Authorized kerberos principal to use to join the IPA realm.
-w PASSWORD, --password=PASSWORD
Password for joining a machine to the IPA realm. Assumes bulk password unless prin-
cipal is also set.
-W Prompt for the password for joining a machine to the IPA realm.
Path to backed up host keytab from previous enrollment. Joins the host even if it
is already enrolled.
Configure PAM to create a users home directory if it does not exist.
The hostname of this machine (FQDN). If specified, the hostname will be set and the
system configuration will be updated to persist over reboot. By default a nodename
result from uname(2) is used.
Join the host even if it is already enrolled.
Configure ntpd to use this NTP server.
Do not configure or enable NTP.
Stop and disable any time&date synchronization services besides ntpd.
Configure OpenSSH client to trust DNS SSHFP records.
Do not configure OpenSSH client.
Do not configure OpenSSH server.
Do not automatically create DNS SSHFP records.
--noac Do not use Authconfig to modify the nsswitch.conf and PAM configuration.
Force the settings even if errors occur
Print debugging information to stdout
Unattended installation. The user will not be prompted.
Do not attempt to acquire the IPA CA certificate via automated means, instead use
the CA certificate found locally in in CA_FILE. The CA_FILE must be an absolute
path to a PEM formatted certificate file. The CA certificate found in CA_FILE is
considered authoritative and will be installed without checking to see if it's
valid for the IPA domain.
Configure SSSD to permit all access. Otherwise the machine will be controlled by
the Host-based Access Controls (HBAC) on the IPA server.
This option tells SSSD to automatically update DNS with the IP address of this
Configure SSSD not to store user password when the server is offline.
Do not configure the client to use SSSD for authentication, use nss_ldap instead.
Disabled by default. When enabled, preserves old SSSD configuration if it is not
possible to merge it with a new one. Effectively, if the merge is not possible due
to SSSDConfig reader encountering unsupported options, ipa-client-install will not
run further and ask to fix SSSD config first. When this option is not specified,
ipa-client-install will back up SSSD config and create new one. The back up version
will be restored during uninstall.
Remove the IPA client software and restore the configuration to the pre-IPA state.
Unattended uninstallation. The user will not be prompted.
Files that will be replaced if SSSD is configured (default):
Files that will be replaced if they exist and SSSD is not configured (--no-sssd):
Files replaced if NTP is enabled:
Files always created (replacing existing content):
Files updated, existing content is maintained:
0 if the installation was successful
1 if an error occurred
2 if uninstalling and the client is not configured
3 if installing and the client is already configured
4 if an uninstall error occurred
ipa-client-automount(1), krb5.conf(5), sssd.conf(5)
IPA Jan 31 2013 ipa-client-install(1)