 ipa-client/man/ipa-client-install.1 | 27
 ipa-client/man/ipa-join.1           | 28
 ipa-client/man/ipa-rmkeytab.1       |  9
 3 files changed, 50 insertions, 14 deletions
diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1
index 49595a06..d5efb63b 100644
--- a/ipa-client/man/ipa-client-install.1
+++ b/ipa-client/man/ipa-client-install.1
@@ -24,7 +24,9 @@ ipa\-client\-install [\fIOPTION\fR]...
.SH "DESCRIPTION"
Configures a client machine to use IPA for authentication and identity services.
-This configures PAM and NSS (Name Switching Service) to work with an IPA server over Kerberos and LDAP.
+By default this configures SSSD to connect to an IPA server for authentication and authorization. Optionally one can instead configure PAM and NSS (Name Switching Service) to work with an IPA server over Kerberos and LDAP.
+
+An authorized user is required to join a client machine to IPA. This can take the form of a kerberos principal or a one-time password associated with the machine.
.SH "OPTIONS"
.TP
\fB\-\-domain\fR=\fIDOMAIN\fR
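Review bot: the expansion "Name Switching Service" carried into the new DESCRIPTION line is wrong; NSS is the Name Service Switch, so the added sentence should read "configure PAM and NSS (Name Service Switch) to work with an IPA server over Kerberos and LDAP". In the following paragraph "kerberos principal" should be "Kerberos principal" to match the capitalisation used two lines earlier in the same section.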
@@ -46,9 +48,28 @@ Print debugging information to stdout
Unattended installation. The user will not be prompted.
.TP
\fB\-N\fR, \fB\-\-no\-ntp\fR
-Do not configure or enable NTP
+Do not configure or enable NTP.
+.TP
+\fB\-S\fR, \fB\-\-no\-sssd\fR
+Do not configure the client to use SSSD for authentication, use nss_ldap instead.
+.TP
\fB\-\-on\-master\fB
-The client is being configured on an IPA server
+The client is being configured on an IPA server.
+.TP
+\fB\-w\fR, \fB\-\-password\fR
+Password for joining a machine to the IPA realm.
+.TP
+\fB\-W\fR
+Prompt for the password for joining a machine to the IPA realm.
+.TP
+\fB\-p\fR, \fB\-\-principal\fR
+Principal to use to join the IPA realm.
+.TP
+\fB\-\-permit\fR
+Set the SSSD access rules to permit all access. Otherwise the machine will be controlled by the Host-based Access Controls on the IPA server.
+.TP
+\fB\-\-uninstall\fR
+Remove the IPA client software and restore the configuration to the pre-IPA state.
.SH "EXIT STATUS"
0 if the installation was successful
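Review bot: the new \fB\-w\fR/\fB\-\-password\fR and \fB\-p\fR/\fB\-\-principal\fR entries take an argument but omit the placeholder this file already uses for such options (`\fB\-\-domain\fR=\fIDOMAIN\fR`); suggest `\fB\-w\fR, \fB\-\-password\fR=\fIPASSWORD\fR` and `\fB\-p\fR, \fB\-\-principal\fR=\fIPRINCIPAL\fR`. The \fB\-\-permit\fR text should state plainly that it disables Host-based Access Control enforcement on this client, since that is the consequence of "permit all access" and a reader should not have to infer it. Also, the unchanged `\fB\-\-on\-master\fB` line is missing its closing `\fR` (it ends with a second `\fB`); worth fixing while this section is being edited.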
diff --git a/ipa-client/man/ipa-join.1 b/ipa-client/man/ipa-join.1
index d4a14337..672cd6ba 100644
--- a/ipa-client/man/ipa-join.1
+++ b/ipa-client/man/ipa-join.1
@@ -20,7 +20,7 @@
.SH "NAME"
ipa\-join \- Join a machine to an IPA realm and get a keytab for the host service principal
.SH "SYNOPSIS"
-ipa\-join [ \fB\-h\fR hostname ] [ \fB\-k\fR keytab\-file ] [ \fB\-w\fR bulk\-bind\-password ] [ \fB\-d\fR ] [ \fB\-q\fR ]
+ipa\-join [ \fB\-h\fR hostname ] [ \fB\-k\fR keytab\-file ] [ \fB\-s\fR server ] [ \fB\-w\fR bulk\-bind\-password ] [ \fB\-d\fR ] [ \fB\-q\fR ]
.SH "DESCRIPTION"
Joins a host to an IPA realm and retrieves a kerberos \fIkeytab\fR for the host service principal.
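Review bot: the SYNOPSIS names the password argument `bulk\-bind\-password` while the OPTIONS section added below calls the same option `\-w,--bindpw password`; the two should use one name for the argument so a reader can match them.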
@@ -29,19 +29,35 @@ Kerberos keytabs are used for services (like sshd) to perform kerberos authentic
The ipa\-join command will create and retrieve a service principal for host/foo.example.com@EXAMPLE.COM and place it by default into /etc/krb5.keytab. The location can be overridden with the \-k option.
-The IPA server to contact is set in /etc/ipa/default.conf
+The IPA server to contact is set in /etc/ipa/default.conf by default and can be overridden using the -s,--server option.
+
+In order to join the machine needs to be authenticated. This can happen in one of two ways:
+
+* Authenticate using the current kerberos principal
+
+* Provide a password to authenticate with
+
+If a client host has already been joined to the IPA realm the ipa-join command will fail. The host will need to be removed from the server using `ipa host-del FQDN` in order to join the client to the realm.
+
+This command is normally executed by the ipa-client-install command as part of the enrollment process.
.SH "OPTIONS"
.TP
-\fB\-h hostname\fR
+\fB\-h,--hostname hostname\fR
+The hostname of this server (FQDN). By default of nodename from uname(2) is used.
+.TP
+\fB\-s,--server server\fR
The hostname of this server (FQDN). By default of nodename from uname(2) is used.
.TP
-\fB\-k keytab\-file\fR
+\fB\-k,--keytab keytab\-file\fR
The keytab file where to append the new key (will be created if it does not exist). Default: /etc/krb5.keytab
.TP
-\fB\-q\fR
+\fB\-w,--bindpw password\fR
+The password to use if not using kerberos to authenticate
+.TP
+\fB\-q,--quiet\fR
Quiet mode. Only errors are displayed.
.TP
-\fB\-d\fR
+\fB\-d,--debug\fR
Debug mode.
.SH "EXAMPLES"
Join IPA domain and retrieve a keytab with kerberos credentials.
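Review bot: the description under `\fB\-s,--server server\fR` is a copy of the `\-h` entry ("The hostname of this server (FQDN). By default of nodename from uname(2) is used.") and is wrong for this option; per the DESCRIPTION change in this hunk it should say something like "The IPA server to contact. Overrides the server set in /etc/ipa/default.conf." The `\-h` entry itself has a typo ("By default of nodename" should be "By default the nodename"). The added option names `\-h,--hostname`, `\-s,--server`, `\-k,--keytab`, `\-w,--bindpw`, `\-q,--quiet`, `\-d,--debug`, the `-s,--server` in the DESCRIPTION and `ipa host-del FQDN` use plain `-` inside roff text; the rest of the file escapes them as `\-` so they render as minus signs rather than typographic hyphens, and these should follow suit. Minor: "In order to join the machine needs to be authenticated" needs a comma after "join", and the `\-w` description lacks a trailing period.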
diff --git a/ipa-client/man/ipa-rmkeytab.1 b/ipa-client/man/ipa-rmkeytab.1
index a60f45cf..0b2251c8 100644
--- a/ipa-client/man/ipa-rmkeytab.1
+++ b/ipa-client/man/ipa-rmkeytab.1
@@ -54,8 +54,7 @@ the entry from the local keytab.
The non\-realm part of the full principal name.
.TP
\fB\-k keytab\-file\fR
-The keytab file where to append the new key (will be
-created if it does not exist).
+The keytab file to append the principal(s) from.
.TP
\fB\-r realm\fR
A realm to remove all principals for.
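Review bot: the replacement text "The keytab file to append the principal(s) from." still describes an append, which is the opposite of what ipa\-rmkeytab does; it should read "The keytab file to remove the principal(s) from." so it matches "Remove ... from the local keytab" in the surrounding text.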
@@ -67,13 +66,13 @@ Remove the NFS service principal on the host foo.example.com from /tmp/nfs.keyta
# ipa\-rmkeytab \-p nfs/foo.example.com \-k /tmp/nfs.keytab
-Remove the ldap service principal onthe host foo.example.com from /etc/krb5.keytab.
+Remove the ldap service principal on the host foo.example.com from /etc/krb5.keytab.
- # ipa\-rmkeytab \-p ldap/foo.example.com \-k /tmp/ldap.keytab
+ # ipa\-rmkeytab \-p ldap/foo.example.com \-k /etc/krb5.keytab
Remove all principals for the realm EXAMPLE.COM.
- # ipa\-rmkeytab \-r EXAMPLE.COM \-k /tmp/ldap.keytab
+ # ipa\-rmkeytab \-r EXAMPLE.COM \-k /etc/krb5.keytab
.SH "EXIT STATUS"
The exit status is 0 on success, nonzero on error.