REALM(8)                         User Commands                        REALM(8)

NAME
       realm - Manage enrollment in realms

SYNOPSIS
       realm discover [realm-name]

       realm join [-U user] [realm-name]

       realm leave [-U user] [realm-name]

       realm list

       realm permit [-ax] [-R realm] {user@domain...}

       realm deny -a [-R realm]

DESCRIPTION
       realm is a command line tool that can be used to manage enrollment in
       kerberos realms, like Active Directory domains or IPA domains.

       See the various sub commands below. The following global options can be
       used:

       --install=/path
              Run in install mode. This makes realmd chroot into the specified
              directory and place files in appropriate locations for use during
              an installer. No packages will be installed and no services will
              be started when running in this mode.

       --unattended
              Run in unattended mode without prompting for input.

       --verbose, -v
              Display verbose diagnostics while running commands.

DISCOVER
       Discover a realm and its capabilities.

           $ realm discover

           $ realm discover domain.example.com

       After discovering a realm, its name, type and capabilities are
       displayed.

       If no domain is specified, then the domain assigned through DHCP is
       used as a default.

       The following options can be used:

       --all
              Show all discovered realms (in various configurations).

       --client-software=xxx
              Only discover realms for which we can use the given client
              software. Possible values include sssd or winbind.

       --server-software=xxx
              Only discover realms which run the given server software.
              Possible values include active-directory or ipa.

       --membership-software=xxx
              Only discover realms for which the given membership software can
              be used to subsequently perform enrollment. Possible values
              include samba or adcli.

JOIN
       Configure the local machine for use with a realm.

           $ realm join domain.example.com

           $ realm join --user=admin --computer-ou=OU=Special domain.example.com

       The realm is first discovered, as we would with the discover command.
       If no domain is specified, then the domain assigned through DHCP is
       used as a default.

       After a successful join, the computer will be in a state where it is
       able to resolve remote user and group names from the realm. For
       kerberos realms, a computer account and host keytab is created.

       Joining arbitrary kerberos realms is not supported. The realm must have
       a supported mechanism for joining from a client machine, such as Active
       Directory or IPA.

       If the domain has been preconfigured, and unless --user is explicitly
       specified, an automatic join is attempted first.

       Note that the --user, --no-password, and --one-time-password options
       are mutually exclusive. At most one of them can be specified.

       It is generally possible to use kerberos credentials to perform a join
       operation. Use the kinit command to acquire credentials prior to
       starting the join. Do not specify the --user argument; the user will be
       selected automatically from the credential cache. realm respects the
       KRB5CCNAME environment variable, but uses the default kerberos
       credential cache if it is not set. Not all types of servers can be
       joined using kerberos credentials; some (like IPA) insist on prompting
       for a password.

       The following options can be used:

       --automatic-id-mapping=no
              Do not perform UID/GID mapping for users and groups, but expect
              these identifiers to be present in the domain already.

       --user=xxx
              The user name to be used to authenticate with when joining the
              machine to the realm. You will be prompted for a password.

       --computer-ou=OU=xxx
              The distinguished name of the organizational unit in which to
              create the computer account. The exact format of the
              distinguished name depends on the client software and membership
              software. You can usually omit the root DSE portion of the
              distinguished name. This is an Active Directory specific option.

       --computer-name=xxx
              This option only applies to Active Directory realms. Specify this
              option to override the default name used when creating the
              computer account. The system's FQDN will still be saved in the
              dNSHostName attribute.

              Specify the name as a string of 15 or fewer characters that is a
              valid NetBIOS computer name.

       --no-password
              Perform the join automatically without a password.

       --one-time-password=xxxx
              Perform the join using a one time password specified on the
              command line. This is not possible with all types of realms. Like
              any command line argument, the password is visible to other local
              users (for example in the process list) while the command runs.

       --client-software=xxx
              Only join realms for which we can use the given client software.
              Possible values include sssd or winbind. Not all values are
              supported for all realms. By default the client software is
              automatically selected.

       --server-software=xxx
              Only join realms which run the given server software. Possible
              values include active-directory or ipa.

       --membership-software=xxx
              The software to use when joining the realm. Possible values
              include samba or adcli. Not all values are supported for all
              realms. By default the membership software is automatically
              selected.

       --user-principal=host/name@REALM
              Set the userPrincipalName field of the computer account to this
              kerberos principal. If you omit the value for this option, then a
              principal will be set in the form of host/shortname@REALM.

       --os-name=xxx
              The name of the operating system of the client. When joining an
              AD domain the value is stored in the matching AD attribute.

       --os-version=xxx
              The version of the operating system of the client. When joining
              an AD domain the value is stored in the matching AD attribute.

LEAVE
       Deconfigure the local machine for use with a realm.

           $ realm leave

           $ realm leave domain.example.com

       If no realm name is specified, then the first configured realm will be
       used.

       The following options can be used:

       --client-software=xxx
              Only leave the realm which is using the given client software.
              Possible values include sssd or winbind.

       --server-software=xxx
              Only leave the realm which is using the given server software.
              Possible values include active-directory or ipa.

       --remove
              Remove or disable the computer account in the directory while
              leaving the realm. This will usually prompt for a password.
              Without this option only the local configuration is removed and
              the computer account stays in the directory.

       --user=xxx
              The user name to be used to authenticate with when leaving the
              realm. You will be prompted for a password. Implies --remove.

LIST
       List all the discovered and configured realms.

           $ realm list

       By default, realms that have been discovered, but not configured (using
       the join command), are not displayed. Also, by default, the list of
       realm details displayed is verbose. The options below can be used to
       change this default behavior.

       The following options can be used:

       --all
              Show all discovered realms (whether or not they have been
              configured).

       --name-only
              Display only realm names (as opposed to verbose output).

PERMIT
       Permit local login by users of the realm.

           $ realm permit --all
           $ realm permit user@example.com
           $ realm permit DOMAIN\\User2
           $ realm permit --withdraw user@example.com

       The current login policy and format of the user names can be seen by
       using the realm list command.

       The following options can be used:

       --all, -a
              Permit logins using realm accounts on the local machine according
              to the realm policy. This usually defaults to allowing any realm
              user to log in.

       --groups, -g
              Treat the specified names as groups rather than user login names.
              Permit login by users in the specified groups.

       --realm, -R
              Specify the name of the realm to change the login policy for.

       --withdraw, -x
              Remove a login from the list of realm accounts permitted to log
              into the machine.

DENY
       Deny local login by realm accounts.

           $ realm deny --all

       This command prevents realm accounts from logging into the local
       machine. Use realm permit to restrict logins to specific accounts.

       The following options can be used:

       --all, -a
              This option is required; realm deny has no per-account form. To
              allow only specific accounts afterwards, use realm permit.

       --realm, -R
              Specify the name of the realm to deny users login to.

AUTHOR
       Stef Walter <stef@thewalter.net>
           Maintainer

realmd                            10/30/2018                          REALM(8)