Imported Upstream version 4.6.2
This commit is contained in:
Mario Fetka
148
install/tools/man/ipa-adtrust-install.1
Normal file
148
install/tools/man/ipa-adtrust-install.1
Normal file
@@ -0,0 +1,148 @@
|
||||
.\" A man page for ipa-adtrust-install
|
||||
.\" Copyright (C) 2011 Red Hat, Inc.
|
||||
.\"
|
||||
.\" This program is free software; you can redistribute it and/or modify
|
||||
.\" it under the terms of the GNU General Public License as published by
|
||||
.\" the Free Software Foundation, either version 3 of the License, or
|
||||
.\" (at your option) any later version.
|
||||
.\"
|
||||
.\" This program is distributed in the hope that it will be useful, but
|
||||
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
.\" General Public License for more details.
|
||||
.\"
|
||||
.\" You should have received a copy of the GNU General Public License
|
||||
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
.\"
|
||||
.\" Author: Sumit Bose <sbose@redhat.com>
|
||||
.\"
|
||||
.TH "ipa-adtrust-install" "1" "April 11 2017" "FreeIPA" "FreeIPA Manual Pages"
|
||||
.SH "NAME"
|
||||
ipa\-adtrust\-install \- Prepare an IPA server to be able to establish trust relationships with AD domains
|
||||
.SH "SYNOPSIS"
|
||||
ipa\-adtrust\-install [\fIOPTION\fR]...
|
||||
.SH "DESCRIPTION"
|
||||
Adds all necessary objects and configuration to allow an IPA server to create a
|
||||
trust to an Active Directory domain. This requires that the IPA server is
|
||||
already installed and configured.
|
||||
|
||||
Please note you will not be able to establish a trust to an Active Directory
|
||||
domain unless the realm name of the IPA server matches its domain name.
|
||||
|
||||
ipa\-adtrust\-install can be run multiple times to reinstall deleted objects or
|
||||
broken configuration files. E.g. a fresh samba configuration (smb.conf) file and
|
||||
registry based configuration can be created. Other items like e.g. the
|
||||
configuration of the local range cannot be changed by running
|
||||
ipa\-adtrust\-install a second time because with changes here other objects
|
||||
might be affected as well.
|
||||
|
||||
.SS "Firewall Requirements"
|
||||
In addition to the IPA server firewall requirements, ipa\-adtrust\-install requires
|
||||
the following ports to be open to allow IPA and Active Directory to communicate together:
|
||||
|
||||
\fBTCP Ports\fR
|
||||
.IP
|
||||
\(bu 135/tcp EPMAP
|
||||
.IP
|
||||
\(bu 138/tcp NetBIOS-DGM
|
||||
.IP
|
||||
\(bu 139/tcp NetBIOS-SSN
|
||||
.IP
|
||||
\(bu 445/tcp Microsoft-DS
|
||||
.IP
|
||||
\(bu 1024/tcp through 1300/tcp to allow EPMAP on port 135/tcp to create a TCP listener based
|
||||
on an incoming request.
|
||||
.IP
|
||||
\(bu 3268/tcp Microsoft-GC
|
||||
.TP
|
||||
\fBUDP Ports\fR
|
||||
.IP
|
||||
\(bu 138/udp NetBIOS-DGM
|
||||
.IP
|
||||
\(bu 139/udp NetBIOS-SSN
|
||||
.IP
|
||||
\(bu 389/udp LDAP
|
||||
|
||||
.SH "OPTIONS"
|
||||
.TP
|
||||
\fB\-d\fR, \fB\-\-debug\fR
|
||||
Enable debug logging when more verbose output is needed.
|
||||
.TP
|
||||
\fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR
|
||||
The NetBIOS name for the IPA domain. If not provided then this is determined
|
||||
based on the leading component of the DNS domain name. Running
|
||||
ipa\-adtrust\-install for a second time with a different NetBIOS name will
|
||||
change the name. Please note that changing the NetBIOS name might break
|
||||
existing trust relationships to other domains.
|
||||
.TP
|
||||
\fB\-\-add\-sids\fR
|
||||
Add SIDs to existing users and groups as one of the final steps of the
|
||||
ipa\-adtrust\-install run. If there a many existing users and groups and a
|
||||
couple of replicas in the environment this operation might lead to a high
|
||||
replication traffic and a performance degradation of all IPA servers in the
|
||||
environment. To avoid this the SID generation can be run after
|
||||
ipa\-adtrust\-install is run and scheduled independently. To start this task
|
||||
you have to load an edited version of ipa-sidgen-task-run.ldif with the
|
||||
ldapmodify command info the directory server.
|
||||
.TP
|
||||
\fB\-\-add\-agents\fR
|
||||
Add IPA masters to the list that allows to serve information about
|
||||
users from trusted forests. Starting with FreeIPA 4.2, a regular IPA master
|
||||
can provide this information to SSSD clients. IPA masters aren't added
|
||||
to the list automatically as restart of the LDAP service on each of them
|
||||
is required. The host where ipa\-adtrust\-install is being run is added
|
||||
automatically.
|
||||
.IP
|
||||
Note that IPA masters where ipa\-adtrust\-install wasn't run, can serve
|
||||
information about users from trusted forests only if they are enabled
|
||||
via \ipa-adtrust\-install run on any other IPA master. At least SSSD
|
||||
version 1.13 on IPA master is required to be able to perform as a trust agent.
|
||||
.TP
|
||||
\fB\-U\fR, \fB\-\-unattended\fR
|
||||
An unattended installation that will never prompt for user input.
|
||||
.TP
|
||||
\fB\-\-rid-base\fR=\fIRID_BASE\fR
|
||||
First RID value of the local domain. The first POSIX ID of the local domain will
|
||||
be assigned to this RID, the second to RID+1 etc. See the online help of the
|
||||
idrange CLI for details.
|
||||
.TP
|
||||
\fB\-\-secondary-rid-base\fR=\fISECONDARY_RID_BASE\fR
|
||||
Start value of the secondary RID range, which is only used in the case a user
|
||||
and a group share numerically the same POSIX ID. See the online help of the
|
||||
idrange CLI for details.
|
||||
.TP
|
||||
\fB\-A\fR, \fB\-\-admin\-name\fR=\fIADMIN_NAME\fR
|
||||
The name of the user with administrative privileges for this IPA server. Defaults to 'admin'.
|
||||
.TP
|
||||
\fB\-a\fR, \fB\-\-admin\-password\fR=\fIpassword\fR
|
||||
The password of the user with administrative privileges for this IPA server. Will be asked interactively if \fB\-U\fR is not specified.
|
||||
.TP
|
||||
The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust\-add \-\-type=ad' command.
|
||||
.TP
|
||||
\fB\-\-enable\-compat\fR
|
||||
Enables support for trusted domains users for old clients through Schema Compatibility plugin.
|
||||
SSSD supports trusted domains natively starting with version 1.9. For platforms that
|
||||
lack SSSD or run older SSSD version one needs to use this option. When enabled, slapi\-nis package
|
||||
needs to be installed and schema\-compat\-plugin will be configured to provide lookup of
|
||||
users and groups from trusted domains via SSSD on IPA server. These users and groups will be
|
||||
available under \fBcn=users,cn=compat,$SUFFIX\fR and \fBcn=groups,cn=compat,$SUFFIX\fR trees.
|
||||
SSSD will normalize names of users and groups to lower case.
|
||||
.IP
|
||||
In addition to providing these users and groups through the compat tree, this option enables
|
||||
authentication over LDAP for trusted domain users with DN under compat tree, i.e. using bind DN
|
||||
\fBuid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX\fR.
|
||||
.IP
|
||||
LDAP authentication performed by the compat tree is done via PAM '\fBsystem\-auth\fR' service.
|
||||
This service exists by default on Linux systems and is provided by pam package as /etc/pam.d/system\-auth.
|
||||
If your IPA install does not have default HBAC rule 'allow_all' enabled, then make sure
|
||||
to define in IPA special service called '\fBsystem\-auth\fR' and create an HBAC
|
||||
rule to allow access to anyone to this rule on IPA masters.
|
||||
.IP
|
||||
As '\fBsystem\-auth\fR' PAM service is not used directly by any other
|
||||
application, it is safe to use it for trusted domain users via compatibility
|
||||
path.
|
||||
.TP
|
||||
.SH "EXIT STATUS"
|
||||
0 if the installation was successful
|
||||
|
||||
1 if an error occurred
|
||||
Reference in New Issue
Block a user