Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

3.4. Setting up an IdM Client Through Kickstart

A Kickstart enrollment automatically adds a new system to the IdM domain at the time Red Hat Enterprise Linux is installed. For details on Kickstart, see Kickstart Installations in the Installation Guide.
Preparing for a Kickstart client installation includes these steps:
  1. Section 3.4.1, “Pre-creating a Client Host Entry on the IdM Server”
  2. Section 3.4.2, “Creating a Kickstart File for the Client”
  1. Log in as admin: 
    $ kinit admin
    Copy to Clipboard Toggle word wrap
  2. Create the host entry on the IdM server, and set a temporary password for the entry: 
    $ ipa host-add client.example.com --password=secret
    Copy to Clipboard Toggle word wrap
    The password is used by Kickstart to authenticate during the client installation and expires after the first authentication attempt. After the client is successfully installed, it authenticates using its keytab.

3.4.2. Creating a Kickstart File for the Client
Copy link

A Kickstart file used to set up an IdM client must include the following:
  • The ipa-client package in the list of packages to be installed: 
    %packages
@ X Window System
@ Desktop
@ Sound and Video
ipa-client
...
    Copy to Clipboard Toggle word wrap
    See Package Selection in the Installation Guide for details.
  • Post-installation instructions that:
    • ensure SSH keys are generated before enrollment
    • runs the ipa-client-install utility, specifying:
      For example: 
      %post --log=/root/ks-post.log

# Generate SSH keys to ensure that ipa-client-install uploads them to the IdM server
/usr/sbin/sshd-keygen

# Run the client install script
/usr/sbin/ipa-client-install --hostname=client.example.com --domain=EXAMPLE.COM --enable-dns-updates --mkhomedir -w secret --realm=EXAMPLE.COM --server=server.example.com
      Copy to Clipboard Toggle word wrap
    For a non-interactive installation, add also the --unattended option.
    To let the client installation script request a certificate for the machine:
    • Add the --request-cert option to ipa-client-install.
    • Set the system bus address to /dev/null for both the getcert and ipa-client-install utility in the kickstart chroot environment. To do this, add these lines to the post-installation instruction file before the ipa-client-install instruction: 
      # env DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null getcert list
# env DBUS_SYSTEM_BUS_ADDRESS=unix:path=/dev/null ipa-client-install
      Copy to Clipboard Toggle word wrap
    Note
    Red Hat recommends not to start the sshd service prior to the kickstart enrollment. While starting sshd before enrolling the client generates the SSH keys automatically, using the above script is the preferred solution.
    See Post-installation Script in the Installation Guide for details.
For details on using Kickstart, see How Do You Perform a Kickstart Installation? in the Installation Guide. For examples of Kickstart files, see Sample Kickstart Configurations.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat