Product SiteDocumentation Site

6.3. Enrolling Clients Manually

Enrolling machines as clients in the FreeIPA domain is a two-part process. A host entry is created for the client (and stored in the 389 Directory Server instance), and then a keytab is created to provision the client.
Both parts are performed automatically by the ipa-client-install command. It is also possible to perform those steps separately; this allows for administrators to prepare machines and FreeIPA in advance of actually configuring the clients. This allows more flexible setup scenarios, including bulk deployments.
When performing a manual enrollment, the host entry is created separately, and then enrollment is completed when the client script is run, which creates the requisite keytab.


There are two ways to set the password. You can either supply your own or have FreeIPA generate a random one.

6.3.1. Performing a Split Enrollment

There may be a situation where an administrator in one group is prohibited from creating a host entry and, therefore, from simply running the ipa-client-install command and allowing it to create the host. However, that administrator may have the right to run the command after a host entry exists. In that case, one administrator can create the host entry manually, then the second administrator can complete the enrollment by running the ipa-client-install command.
  1. An administrator creates the host entry, as described in Section 6.2, “Adding Host Entries”.
  2. The second administrator installs the FreeIPA client packages on the machine, as in Section 3.3, “Configuring a Fedora System as a FreeIPA Client”.
  3. When the second administrator runs the setup script, he must pass his Kerberos password and username (principal) with the ipa-client-install command. For example:
    $ ipa-client-install -w secret -p admin2
  4. The keytab is generated on the server and provisioned to the client machine, so that the client machine is not able to connect to the FreeIPA domain. The keytab is saved with root:root ownership and 0600 permissions.

6.3.2. Performing a Bulk or Kickstart Enrollment

Two variations of a split enrollment are a bulk enrollment and a kickstart enrollment. Combined, that allows automatic provisioning of multiple hosts or virtual machines. This requires pre-creating the hosts on the FreeIPA server, with a predefined password that can be used to authenticate to complete the enrollment operation.
  1. An administrator creates the host entry, as described in Section 6.2, “Adding Host Entries”. Set a password to use for the bulk or automatic enrollment. For example:
    $ ipa host-add --password=secret
    The password is set to expire after the first authentication attempt. After enrollment completes, the password expires and the host is authenticated using its keytab.
  2. Run the kickstart script, using the given bulk password. The kickstart script performs all of the tasks performed manually by the second administrator in Section 6.3.1, “Performing a Split Enrollment”:
    1. Kickstart installs the FreeIPA packages.
    2. Kickstart runs the enrollment script, passing in the password.
    3. The enrollment script connects to the FreeIPA server using the provided password and a bind DN derived from the machine name. It then authenticates using a simple bind over SSL.