3.3. Installing a Client

The ipa-client-install utility installs and configures an IdM client. The installation process requires you to provide credentials that can be used to enroll the client. The following authentication methods are supported:
Credentials of a user authorized to enroll clients, such as admin
By default, ipa-client-install expects this option. See Section 3.3.1, “Installing a Client Interactively” for an example.
To provide the user credentials directly to ipa-client-install, use the --principal and --password options.
A random, one-time password pre-generated on the server
To use this authentication method, add the --random option to ipa-client-install. See Example 3.1, “Installing a Client Non-interactively Using a Random Password”.
A principal from a previous enrollment
To use this authentication method, add the --keytab option to ipa-client-install. See Section 3.8, “Re-enrolling a Client into the IdM Domain” for details.
See the ipa-client-install(1) man page for details.
The following sections document basic installation scenarios. For more details on using ipa-client-install and a complete list of the accepted options, see the ipa-client-install(1) man page.

3.3.1. Installing a Client Interactively

The following procedure installs a client while prompting the user for input when required. The user provides credentials of a user authorized to enroll clients into the domain, such as the admin user.
  1. Run the ipa-client-install utility.
    Add the --enable-dns-updates option to update the DNS records with the client machine's IP address if one of the following applies:
    • the IdM server the client will be enrolled with was installed with integrated DNS
    • the DNS server on the network accepts DNS entry updates with the GSS-TSIG protocol
    Add the --no-krb5-offline-passwords option to disable storing Kerberos passwords in the SSSD cache.
  2. The installation script attempts to obtain all the required settings automatically.
    1. If your DNS zone and SRV records are set properly on your system, the script automatically discovers all the required values and prints them. Enter yes to confirm.
      Client hostname: client.example.com
      Realm: EXAMPLE.COM
      DNS Domain: example.com
      IPA Server: server.example.com
      BaseDN: dc=example,dc=com
      
      Continue to configure the system with these values? [no]: yes
      If you want to install the system with different values, cancel the current installation. Then run ipa-client-install again, and specify the required values using command-line options.
      For details, see the DNS Autodiscovery section in the ipa-client-install(1) man page.
    2. If the script fails to obtain some settings automatically, it prompts you for the values.
      Important
      Do not use single-label domain names, for example .company: the IdM domain must be composed of one or more subdomains and a top level domain, for example example.com or company.example.com.
      The fully qualified domain name must meet the following conditions:
      • It is a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, such as underscores (_), in the host name cause DNS failures.
      • It is all lower-case. No capital letters are allowed.
      • The fully qualified domain name must not resolve to the loopback address. It must resolve to the machine's public IP address, not to 127.0.0.1.
      For other recommended naming practices, see the Recommended Naming Practices in the Red Hat Enterprise Linux Security Guide.
  3. The script prompts for a user whose identity will be used to enroll the client. By default, this is the admin user:
    User authorized to enroll computers: admin
    Password for admin@EXAMPLE.COM
  4. The installation script now configures the client. Wait for the operation to complete.
    Client configuration complete.
  5. Run the ipa-client-automount utility, which automatically configures NFS for IdM. See Section 34.2.1, “Configuring NFS Automatically” for details.

3.3.2. Installing a Client Non-interactively

For a non-interactive installation, provide all required information to the ipa-client-install utility using command-line options. The minimum required options for a non-interactive installation are:
  • options for specifying the credentials that will be used to enroll the client; see Section 3.3, “Installing a Client” for details
  • --unattended to let the installation run without requiring user confirmation
If your DNS zone and SRV records are set properly on your system, the script automatically discovers all the other required values. If the script cannot discover the values automatically, provide them using command-line options.
  • --hostname to specify a static host name for the client machine
    Important
    Do not use single-label domain names, for example .company: the IdM domain must be composed of one or more subdomains and a top level domain, for example example.com or company.example.com.
    The fully qualified domain name must meet the following conditions:
    • It is a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, such as underscores (_), in the host name cause DNS failures.
    • It is all lower-case. No capital letters are allowed.
    • The fully qualified domain name must not resolve to the loopback address. It must resolve to the machine's public IP address, not to 127.0.0.1.
    For other recommended naming practices, see the Recommended Naming Practices in the Red Hat Enterprise Linux Security Guide.
  • --server to specify the host name of the IdM server the client will be enrolled with
  • --domain to specify the DNS domain name of the IdM server the client will be enrolled with
  • --realm to specify the Kerberos realm name
Add the --enable-dns-updates option to update the DNS records with the client machine's IP address if one of the following applies:
  • the IdM server the client will be enrolled with was installed with integrated DNS
  • the DNS server on the network accepts DNS entry updates with the GSS-TSIG protocol
Add the --no-krb5-offline-passwords option to disable storing Kerberos passwords in the SSSD cache.
For a complete list of options accepted by ipa-client-install, see the ipa-client-install(1) man page.
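The host name rules given in step 2 of Section 3.3.1 and under --hostname above can be checked on the client before ipa-client-install is run, so a bad name is caught before the enrollment fails half-way. The following POSIX sh pre-flight check is an added example, not part of the Red Hat documentation or of ipa-client-install itself; check_fqdn is a hypothetical helper, and its optional second argument (the address the name is assumed to resolve to, used here so the check runs without DNS) and the 192.0.2.10 sample address are constructed for the example.

```shell
# check_fqdn NAME [RESOLVED_IP]
# Returns 0 when NAME satisfies the IdM client naming rules, 1 otherwise.
# If RESOLVED_IP is omitted, the name is resolved with getent(1).
check_fqdn() {
    name=$1
    ip=$2
    # Only digits, lower-case letters, hyphens and dots are allowed;
    # underscores or capital letters cause DNS failures. The set is spelled
    # out so the check does not depend on locale collation of a-z ranges.
    case "$name" in
        *[!abcdefghijklmnopqrstuvwxyz0123456789.-]*)
            echo "reject: '$name' contains characters outside a-z, 0-9, '-' and '.'" >&2
            return 1 ;;
    esac
    # No empty labels: a leading dot (".company"), trailing dot or ".."
    case "$name" in
        .*|*.|*..*)
            echo "reject: '$name' has an empty label" >&2
            return 1 ;;
    esac
    # Single-label names such as "company" are not allowed: the name needs
    # at least one subdomain plus a top-level domain (example.com).
    case "$name" in
        *.*) ;;
        *)
            echo "reject: '$name' is a single-label name" >&2
            return 1 ;;
    esac
    # Resolve the name unless the caller supplied the address (assumption
    # made so the function can be exercised offline).
    if [ -z "$ip" ]; then
        ip=$(getent hosts "$name" | awk '{ print $1; exit }')
        if [ -z "$ip" ]; then
            echo "reject: '$name' does not resolve" >&2
            return 1
        fi
    fi
    # The name must resolve to the machine's public address, not loopback.
    case "$ip" in
        127.*|::1)
            echo "reject: '$name' resolves to the loopback address ($ip)" >&2
            return 1 ;;
    esac
    return 0
}

# Run the check on a name given on the command line, for example:
#   sh check_fqdn.sh "$(hostname -f)"
if [ "$#" -gt 0 ]; then
    check_fqdn "$@" && echo "$1: ok"
fi
```

A non-zero exit from check_fqdn is the cue to fix /etc/hosts or DNS, or to pass a corrected name with --hostname, before running ipa-client-install.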

Example 3.1. Installing a Client Non-interactively Using a Random Password

This procedure installs a client without prompting the user for any input. The process includes pre-generating a random one-time password on the server that is used to authorize the enrollment.
  1. On an existing server:
    1. Log in as the administrator:
      $ kinit admin
    2. Add the new machine as an IdM host. Use the --random option with the ipa host-add command to generate the random password.
      $ ipa host-add client.example.com --random
      --------------------------------------------------
      Added host "client.example.com"
      --------------------------------------------------
        Host name: client.example.com
        Random password: W5YpARl=7M.n
        Password: True
        Keytab: False
        Managed by: server.example.com
      The generated password will become invalid after you use it to enroll the machine into the IdM domain. It will be replaced with a proper host keytab after the enrollment is finished.
  2. On the machine where you want to install the client, run ipa-client-install, and use these options:
    • --password for the random password from the ipa host-add output
      Note
      The password often contains special characters. Therefore, enclose it in single quotes (').
    • --unattended to let the installation run without requiring user confirmation
    If your DNS zone and SRV records are set properly on your system, the script automatically discovers all the other required values. If the script cannot discover the values automatically, provide them using command-line options.
    For example:
    # ipa-client-install --password 'W5YpARl=7M.n' --domain example.com --server server.example.com --unattended
  3. Run the ipa-client-automount utility, which automatically configures NFS for IdM. See Section 34.2.1, “Configuring NFS Automatically” for details.