3.3. Installing a Client
The ipa-client-install utility installs and configures an IdM client. The installation process requires you to provide credentials that can be used to enroll the client. The following authentication methods are supported:
- Credentials of a user authorized to enroll clients, such as admin. By default, ipa-client-install expects this option. See Section 3.3.1, “Installing a Client Interactively” for an example. To provide the user credentials directly to ipa-client-install, use the --principal and --password options.
- A random, one-time password pre-generated on the server. To use this authentication method, create the host entry on the server with the --random option of the ipa host-add command, and pass the generated password to ipa-client-install with the --password option. See Example 3.1, “Installing a Client Non-interactively Using a Random Password”.
- A principal from a previous enrollment. To use this authentication method, add the --keytab option to ipa-client-install. See Section 3.8, “Re-enrolling a Client into the IdM Domain” for details.
The following sections document basic installation scenarios. For more details on using ipa-client-install and a complete list of the accepted options, see the ipa-client-install(1) man page.
3.3.1. Installing a Client Interactively
The following procedure installs a client while prompting the user for input when required. The user provides credentials of a user authorized to enroll clients into the domain, such as the admin user.
- Run the ipa-client-install utility.
  Add the --enable-dns-updates option to update the DNS records with the client machine's IP address if one of the following applies:
  - the IdM server the client will be enrolled with was installed with integrated DNS
  - the DNS server on the network accepts DNS entry updates with the GSS-TSIG protocol
  Add the --no-krb5-offline-passwords option to disable storing Kerberos passwords in the SSSD cache.
- The installation script attempts to obtain all the required settings automatically.
  - If your DNS zone and SRV records are set properly on your system, the script automatically discovers all the required values and prints them. Enter yes to confirm.
    Client hostname: client.example.com
    Realm: EXAMPLE.COM
    DNS Domain: example.com
    IPA Server: server.example.com
    BaseDN: dc=example,dc=com
    Continue to configure the system with these values? [no]: yes
    If you want to install the system with different values, cancel the current installation. Then run ipa-client-install again, and specify the required values using command-line options. For details, see the DNS Autodiscovery section in the ipa-client-install(1) man page.
  - If the script fails to obtain some settings automatically, it prompts you for the values.
    Important
    The fully qualified domain name must be a valid DNS name, which means that its labels (separated by dots) may contain only numbers, alphabetic characters, and hyphens (-). Other characters, like underscores, in the host name cause DNS failures. Additionally, the host name must be all lower-case; no capital letters are allowed. For other recommended naming practices, see the Red Hat Enterprise Linux Security Guide.
- The script prompts for a user whose identity will be used to enroll the client. By default, this is the admin user:
    User authorized to enroll computers: admin
    Password for admin@EXAMPLE.COM:
- The installation script now configures the client. Wait for the operation to complete.
    Client configuration complete.
- Run the ipa-client-automount utility, which automatically configures NFS for IdM. See Section 34.2.1, “Configuring NFS Automatically” for details.
3.3.2. Installing a Client Non-interactively
For a non-interactive installation, provide all required information to the ipa-client-install utility using command-line options. The minimum required options for a non-interactive installation are:
- options for specifying the credentials that will be used to enroll the client; see Section 3.3, “Installing a Client” for details
- --unattended to let the installation run without requiring user confirmation
If your DNS zone and SRV records are set properly on your system, the script automatically discovers all the other required values. If the script cannot discover the values automatically, provide them using command-line options:
- --hostname to specify a static host name for the client machine
  Important
  The fully qualified domain name must be a valid DNS name, which means that its labels (separated by dots) may contain only numbers, alphabetic characters, and hyphens (-). Other characters, like underscores, in the host name cause DNS failures. Additionally, the host name must be all lower-case; no capital letters are allowed. For other recommended naming practices, see the Red Hat Enterprise Linux Security Guide.
- --server to specify the host name of the IdM server the client will be enrolled with
- --domain to specify the DNS domain name of the IdM server the client will be enrolled with
- --realm to specify the Kerberos realm name
Add the --enable-dns-updates option to update the DNS records with the client machine's IP address if one of the following applies:
- the IdM server the client will be enrolled with was installed with integrated DNS
- the DNS server on the network accepts DNS entry updates with the GSS-TSIG protocol
Add the --no-krb5-offline-passwords option to disable storing Kerberos passwords in the SSSD cache.
For a complete list of options accepted by ipa-client-install, see the ipa-client-install(1) man page.
Example 3.1. Installing a Client Non-interactively Using a Random Password
This procedure installs a client without prompting the user for any input. The process includes pre-generating a random one-time password on the server that is used to authorize the enrollment.
- On an existing server:
  - Log in as the administrator:
    $ kinit admin
  - Add the new machine as an IdM host. Use the --random option with the ipa host-add command to generate the random password.
    $ ipa host-add client.example.com --random
    --------------------------------------------------
    Added host "client.example.com"
    --------------------------------------------------
      Host name: client.example.com
      Random password: W5YpARl=7M.n
      Password: True
      Keytab: False
      Managed by: server.example.com
    Password: True and Keytab: False show that the host entry currently carries a one-time password and has not yet retrieved a keytab. The generated password becomes invalid after you use it to enroll the machine into the IdM domain. It is replaced with a proper host keytab after the enrollment is finished.
- On the machine where you want to install the client, run ipa-client-install with these options:
  - --password for the random password from the ipa host-add output
    Note
    The password often contains special characters. Therefore, enclose it in single quotes (').
  - --unattended to let the installation run without requiring user confirmation
  If your DNS zone and SRV records are set properly on your system, the script automatically discovers all the other required values. If the script cannot discover the values automatically, provide them using command-line options. For example:
    # ipa-client-install --password 'W5YpARl=7M.n' --domain example.com --server server.example.com --unattended
- Run the ipa-client-automount utility, which automatically configures NFS for IdM. See Section 34.2.1, “Configuring NFS Automatically” for details.
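The following script is an added example, not part of the Red Hat documentation or of the ipa tooling. It wraps the non-interactive flow of Section 3.3.2 and Example 3.1: it checks the client name against the naming rules stated in the Important admonition before anything talks to the server, extracts the one-time password from ipa host-add output, passes it to ipa-client-install without any shell re-quoting, and verifies afterwards that the host keytab, not the one-time password, is what authenticates the client. The function names, the constructed sample output (values taken from Example 3.1) and the RFC 1123 length and hyphen-placement limits are this example's own assumptions; the commands and options are the ones the page uses.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation. Helpers for the
# random-password enrollment flow (Section 3.3.2 / Example 3.1). Assumes the
# `ipa` CLI on the server and `ipa-client-install`, `kinit`, `kdestroy` on the
# client, as on this page; the checks below run offline.
export LC_ALL=C   # keep [a-z] from matching upper case in some locales

# validate_fqdn NAME
# Enforces the "Important" rule on this page: lower-case letters, digits and
# hyphens only, labels separated by dots. Rejecting a hyphen at a label
# boundary and enforcing 63-byte labels / 253-byte names is an addition taken
# from RFC 1123, not stated on the page.
validate_fqdn() {
    name=$1
    [ -n "$name" ] && [ ${#name} -le 253 ] || return 1
    case $name in
        *.*) ;;                    # need at least one dot
        *) return 1 ;;
    esac
    case $name in
        .*|*.|*..*) return 1 ;;    # empty label
    esac
    old_ifs=$IFS; IFS=.; set -f    # split on dots, no pathname expansion
    set -- $name
    IFS=$old_ifs; set +f
    for label in "$@"; do
        [ ${#label} -le 63 ] || return 1
        case $label in
            *[!a-z0-9-]*) return 1 ;;   # upper case, underscore, ...
            -*|*-) return 1 ;;          # hyphen at label boundary
        esac
    done
    return 0
}

# extract_otp   (reads `ipa host-add --random` output on stdin)
# Prints the one-time password and nothing else.
extract_otp() {
    sed -n 's/^[[:space:]]*Random password:[[:space:]]*//p' | head -n 1
}

# Server side: create the host entry and capture its OTP.
# Needs an admin TGT first (`kinit admin`).
generate_otp() {
    ipa host-add "$1" --random | extract_otp
}

# Client side. The OTP is passed as its own argv element, so characters such
# as = . $ ' in it are never re-parsed by a shell (the single-quote advice on
# the page is for typing it interactively). It is still visible to other local
# users in `ps` while the installer runs, which a single-use OTP limits the
# impact of, unlike an admin password given to --password.
enroll_client() {
    fqdn=$1 otp=$2 domain=$3 server=$4
    validate_fqdn "$fqdn" || { echo "invalid client host name: $fqdn" >&2; return 2; }
    [ -n "$otp" ] || { echo "empty one-time password" >&2; return 2; }
    ipa-client-install --hostname "$fqdn" --domain "$domain" --server "$server" \
        --password "$otp" --unattended --no-krb5-offline-passwords
}

# After enrollment the OTP is invalid and the host keytab is the credential:
# a TGT for the host principal must be obtainable from /etc/krb5.keytab alone.
verify_enrollment() {
    [ -s /etc/krb5.keytab ] || return 1
    kinit -k && kdestroy
}

# Constructed sample of the `ipa host-add client.example.com --random` output
# shown in Example 3.1, one field per line as the command prints it.
SAMPLE_HOST_ADD_OUTPUT='--------------------------------------------------
Added host "client.example.com"
--------------------------------------------------
  Host name: client.example.com
  Random password: W5YpARl=7M.n
  Password: True
  Keytab: False
  Managed by: server.example.com'

# Usage on the client (after `generate_otp client.example.com` on the server):
#   sh enroll.sh client.example.com 'W5YpARl=7M.n' example.com server.example.com
if [ $# -eq 4 ]; then
    enroll_client "$@" && verify_enrollment
fi
```

Run the server half as the enrolling administrator and the client half as root on the new machine; enroll_client refuses to start ipa-client-install at all when the name would later fail DNS, so a typo in the host name costs nothing on the server side.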