
B.6. Client Scripts

These tools are used to manage client machines.

B.6.1. ipa-client-install

Configures a client machine. This script uses the local SSSD service to connect to the FreeIPA server during the setup process. It is also possible to connect to the server through PAM/NSS using LDAP.
This script is also used to uninstall clients, which removes them from the FreeIPA domain and removes all FreeIPA-related configuration.
This script is only available for Fedora platforms.

B.6.1.1. Location

| Description | Location |
|---|---|
| Tool directory | /usr/sbin/ |
| Package | ipa-client |

B.6.1.2. Syntax

ipa-client-install [ -d | --debug ] [ --domain=domainName ] [ --enable-dns-updates ] [ -f | --force ] [ --hostname=clientHostname ] [ --mkhomedir ] [ -N | --no-ntp ] [ --no-krb5-offline-passwords ] [ --ntp-server=NTP_server ] [ --on-master ] [ -p | --principal ] [ --permit ] [ --realm=realmName ] [ -S | --no-sssd ] [ --server=IPA_server_fqdn ] [ -U | --unattended ] [ --uninstall ] [ -w password | --password=password | -W ]

B.6.1.3. Options

| Parameter | Alternate Parameter | Description |
|---|---|---|
| --domain=domainName | | Gives the domain name for the FreeIPA domain. |
| --enable-dns-updates | | Tells SSSD to update DNS with the IP address of this client. |
| -f | --force | Forces the script to apply the settings even if errors occur. |
| --hostname=clientHostname | | Sets the fully-qualified domain name of the client machine. If this is not given, the script uses the nodename given in uname. IMPORTANT: This must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, like underscores, in the hostname will cause DNS failures. |
| --mkhomedir | | Configures PAM to create a user's home directory if it does not exist. |
| -N | --no-ntp | Does not configure or enable NTP. |
| --no-krb5-offline-passwords | | Prevents the SSSD services from storing Kerberos passwords in the SSSD cache. The cache is useful because a user may log into a system when a machine is offline and then attempt to access domain services after the machine is brought online. Using the cache stores the password, which can be referenced when the domain is accessed. |
| --ntp-server=NTP_server | | Configures the local ntpd service to use the FreeIPA NTP server. |
| --on-master | | Indicates the client is being configured on a FreeIPA server. This is not for a normal invocation of the setup script; this option is used by ipa-server-install when a server is configured. |
| -p | --principal | Passes an authorized Kerberos principal to use to join the FreeIPA realm. This is used during an automated deployment, such as a kickstart process. |
| --permit | | Configures SSSD to permit all access. If this is not set, then access to the client is controlled by the host-based access controls on the FreeIPA server. |
| --realm=realmName | | Gives the FreeIPA realm name. |
| -S | --no-sssd | Tells the client to use nss_ldap for authentication instead of SSSD. |
| --server=IPA_server_fqdn | | Gives the name of the FreeIPA server to connect to. This must be a fully-qualified domain name. IMPORTANT: This must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, like underscores, in the hostname will cause DNS failures. |
| -U | --unattended | Performs an unattended installation, with no user prompts. |
| --uninstall | | Removes the FreeIPA client software and configuration to restore the machine to a pre-FreeIPA state. |
| -w password | --password=password | Gives the Kerberos password to use to access the FreeIPA realm and join the machine. If only the password parameter is used, the script assumes this is a bulk enrollment and uses the machine name as the Kerberos principal. If the principal is given, the script binds as a FreeIPA user. |
| -W | | Prompts for the password. |
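
The following pre-flight check is an added example, not part of the FreeIPA documentation or tooling. It validates --hostname and --server values against the DNS-name rule in the IMPORTANT notes above and flags --permit, --force and command-line passwords for review before enrollment. The function names is_dns_name and preflight and the sample hostnames are assumptions, and the check also rejects labels that begin or end with a hyphen, which is stricter than the character rule stated above.

```sh
#!/bin/sh
# Added example: pre-flight check of an ipa-client-install argument list.
# is_dns_name and preflight are illustrative names, not part of FreeIPA.
LC_ALL=C   # make the A-Z, a-z and 0-9 ranges below match ASCII only

# Succeeds only for a fully-qualified name of letters, digits and hyphens.
is_dns_name() {
    case $1 in
        ''|.*|*.|*..*)    return 1 ;;  # empty name, edge dot or empty label
        *[!A-Za-z0-9.-]*) return 1 ;;  # underscore or any other character
        -*|*-|*.-*|*-.*)  return 1 ;;  # hyphen at a label edge (assumed stricter rule)
        *.*)              return 0 ;;  # two or more labels
        *)                return 1 ;;  # short name, not fully qualified
    esac
}

# Prints one finding per line; returns 1 if any ERROR was reported.
preflight() {
    rc=0
    pw_warn='WARN: password given on the command line; -W prompts for it instead'
    while [ $# -gt 0 ]; do
        case $1 in
            --hostname=*|--server=*)
                if ! is_dns_name "${1#*=}"; then
                    printf 'ERROR: %s is not a valid DNS name: %s\n' "${1%%=*}" "${1#*=}"
                    rc=1
                fi ;;
            --permit)
                printf '%s\n' 'WARN: --permit allows all access instead of server-side HBAC' ;;
            -f|--force)
                printf '%s\n' 'WARN: --force applies settings even if errors occur' ;;
            --password=*)
                printf '%s\n' "$pw_warn" ;;
            -w)
                printf '%s\n' "$pw_warn"
                if [ $# -gt 1 ]; then shift; fi ;;  # skip the password value
        esac
        shift
    done
    return "$rc"
}

# Constructed sample invocation (hostnames are made up for the example).
preflight --hostname=web_01.example.com --server=ipa.example.com -U --permit || true
```

Run preflight with the same arguments intended for ipa-client-install and proceed only when it returns 0 and every WARN line has been reviewed.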