REALMD.CONF(5)                   File Formats                   REALMD.CONF(5)

NAME

       realmd.conf - Tweak behavior of realmd

CONFIGURATION FILE

       realmd can be tweaked by network administrators to act in specific
       ways. This is done by placing settings in /etc/realmd.conf. This file
       does not exist by default. The syntax of this file is the same as an
       INI file or Desktop Entry file.

       In general, settings in this file only apply at the point of joining a
       domain or realm. Once the realm has been set up the settings have no
       effect. You may choose to configure SSSD[1] or Winbind[2] directly.

       Only specify the settings you wish to override in the /etc/realmd.conf
       file. Settings not specified will be loaded from their packaged
       defaults. Only override the settings below. You may find other settings
       if you look through the realmd source code. However these are not
       guaranteed to remain stable.

       There are various sections in the config file. Some sections are global
       topic sections, and are listed below. Other sections are specific to a
       given realm. These realm specific sections should always contain the
       domain name in lower case as their section header.

       An example of each setting is found below, including the header of the
       section it should be placed in. However in the resulting file only
       include each section once, and combine the various settings for that
       section together as lines underneath the section. For example:

           [users]
           default-home = /home/%U
           default-shell = /bin/bash

ACTIVE-DIRECTORY

       These options should go in an [active-directory] section of the
       /etc/realmd.conf file. Only specify the settings you wish to override.

       default-client
           Specify the default-client setting in order to control which client
           software is the preferred default for use with Active Directory.

               [active-directory]
               default-client = sssd
               # default-client = winbind

           The default setting for this is sssd which uses SSSD[1] as the
           Active Directory client. You can also specify winbind to use Samba
           Winbind[2].

           Some callers of realmd such as the realm command line tool allow
           specifying which client software should be used. Others, such as
           GNOME Control Center, simply choose the default.

           You can verify the preferred default client software by running the
           following command. The realm with the preferred client software
           will be listed first.

               $ realm discover domain.example.com
               domain.example.com
                 configured: no
                 server-software: active-directory
                 client-software: sssd
                 type: kerberos
                 realm-name: AD.THEWALTER.LAN
                 domain-name: ad.thewalter.lan
               domain.example.com
                 configured: no
                 server-software: active-directory
                 client-software: winbind
                 type: kerberos
                 realm-name: AD.THEWALTER.LAN
                 domain-name: ad.thewalter.lan

       os-name
           (see below)

       os-version
           Specify the os-name and/or os-version settings to control the
           values that are placed in the computer account operatingSystem and
           operatingSystemVersion attributes.

           This is an Active Directory specific option.

           It is also possible to use the --os-name or --os-version argument
           of the realm command to override the default values.

               [active-directory]
               os-name = Gentoo Linux
               os-version = 9.9.9.9.9

SERVICE

       These options should go in a [service] section of the /etc/realmd.conf
       file. Only specify the settings you wish to override.

       automatic-install
           Set this to no to disable automatic installation of packages via
           package-kit.

               [service]
               automatic-install = no
               # automatic-install = yes

       legacy-samba-config
           Set this to yes to create a Samba configuration file with
           id-mapping options used by Samba-3.5 and earlier versions.

               [service]
               legacy-samba-config = no
               # legacy-samba-config = yes

USERS

       These options should go in a [users] section of the /etc/realmd.conf
       file. Only specify the settings you wish to override.

       default-home
           Specify the default-home setting in order to control how to set the
           home directory for accounts that have no home directory explicitly
           set.

               [users]
               default-home = /home/%U@%D
               # default-home = /nfs/home/%D-%U
               # default-home = /home/%D/%U

           The default setting for this is /home/%U@%D. The %D format is
           replaced by the domain name. The %U format is replaced by the user
           name.

           You can verify the home directory for a user by running the
           following command.

               $ getent passwd 'DOMAIN/User'
               DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash

           Note that in the case of IPA domains, most users already have a
           home directory configured in the domain. Therefore this
           configuration setting may rarely show through.

       default-shell
           Specify the default-shell setting in order to control how to set
           the Unix shell for accounts that have no shell explicitly set.

               [users]
               default-shell = /bin/bash
               # default-shell = /bin/sh

           The default setting for this is /bin/bash shell. The shell should
           be a valid shell if you expect the domain users to be able to log
           in. For example it should exist in the /etc/shells file.

           You can verify the shell for a user by running the following
           command.

               $ getent passwd 'DOMAIN/User'
               DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash

           Note that in the case of IPA domains, most users already have a
           shell configured in the domain. Therefore this configuration
           setting may rarely show through.

REALM SPECIFIC SETTINGS

       These options should go in a section with the same name as the realm
       in the /etc/realmd.conf file. For example for the domain.example.com
       domain the section would be called [domain.example.com]. To figure out
       the canonical name for a realm use the realm command:

           $ realm discover --name DOMAIN.example.com
           domain.example.com
           ...

       Only specify the settings you wish to override.

       computer-ou
           Specify this option to create directory computer accounts in a
           location other than the default. This currently only works with
           Active Directory domains.

               [domain.example.com]
               computer-ou = OU=Linux Computers,DC=domain,DC=example,DC=com
               # computer-ou = OU=Linux Computers,

           Specify the OU as an LDAP DN. It can be relative to the Root DSE,
           or a complete LDAP DN. Obviously the OU must exist in the
           directory.

           It is also possible to use the --computer-ou argument of the realm
           command to create a computer account at a specific OU.

       computer-name
           This option only applies to Active Directory realms. Specify this
           option to override the default name used when creating the computer
           account. The system's FQDN will still be saved in the dNSHostName
           attribute.

               [domain.example.com]
               computer-name = SERVER01

           Specify the name as a string of 15 or fewer characters that is a
           valid NetBIOS computer name.

           It is also possible to use the --computer-name argument of the
           realm command to override the default computer account name.

       user-principal
           Set the user-principal to yes to create userPrincipalName
           attributes for the computer account in the realm, in the form
           host/computer@REALM.

               [domain.example.com]
               user-principal = yes

       automatic-join
           This option only applies to Active Directory realms. This option is
           off by default. In Active Directory domains, a computer account can
           be preset with a known computer account password. This can be used
           for automatic joins without authentication.

           When automatic joins are used there is no mutual authentication
           between the machine and the domain during the join process.

               [domain.example.com]
               automatic-join = yes

       automatic-id-mapping
           This option is on by default for Active Directory realms. Turn it
           off to use UID and GID information stored in the directory (as per
           RFC 2307) rather than automatically generating UID and GID numbers.

           This option only makes sense for Active Directory realms.

               [domain.example.com]
               automatic-id-mapping = no
               # automatic-id-mapping = yes

       manage-system
           This option is on by default. Normally joining a realm affects many
           aspects of the configuration and management of the system. Turning
           this off limits the interaction with the realm or domain to
           authentication and identity.

               [domain.example.com]
               manage-system = no
               # manage-system = yes

           When this option is turned on realmd defaults to using domain
           policy to control who can log into this machine. Further
           adjustments to login policy can be made with the realm permit
           command.

       fully-qualified-names
           This option is on by default. If turned off then realm user and
           group names are not fully qualified. This may cause them to
           conflict with local user and group names.

               [domain.example.com]
               fully-qualified-names = no
               # fully-qualified-names = yes
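
       The following Python check is an added example, not part of realmd or
       of this manual page. It reads the text of a realmd.conf and reports the
       settings this page attaches a caveat to; the function name, messages
       and sample file are constructed, and only the yes/no spellings shown
       in this page are recognised.

```python
import configparser

# Settings documented in realmd.conf(5), grouped by global topic section.
GLOBAL_KEYS = {
    "active-directory": {"default-client", "os-name", "os-version"},
    "service": {"automatic-install", "legacy-samba-config"},
    "users": {"default-home", "default-shell"},
}
# Settings documented for realm-specific sections such as [domain.example.com].
REALM_KEYS = {"computer-ou", "computer-name", "user-principal", "automatic-join",
              "automatic-id-mapping", "manage-system", "fully-qualified-names"}

# Constructed sample input, not a recommended configuration.
SAMPLE = """\
[users]
default-home = /home/%U@%D
default-shell = /bin/zsh

[Domain.Example.com]
automatic-join = yes
automatic-id-maping = no
fully-qualified-names = no
# manage-system = no
"""


def audit_realmd_conf(text, valid_shells):
    """Return (section, key, message) findings for the text of a realmd.conf."""
    # interpolation=None: %U and %D are realmd formats, not configparser syntax.
    # The default strict mode rejects a section that appears twice.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        is_realm = section not in GLOBAL_KEYS
        allowed = REALM_KEYS if is_realm else GLOBAL_KEYS[section]
        if is_realm and section != section.lower():
            findings.append((section, "", "realm section header is not lower case"))
        for key, value in cp.items(section):
            value = value.strip()
            if key not in allowed:
                findings.append((section, key, "not a documented setting here"))
            elif key == "automatic-join" and value.lower() == "yes":
                findings.append((section, key, "join has no mutual authentication"))
            elif key == "fully-qualified-names" and value.lower() == "no":
                findings.append((section, key, "may conflict with local names"))
            elif key == "default-shell" and value not in valid_shells:
                findings.append((section, key, "shell not in the valid shell list"))
    return findings
```

       Pass the entries of /etc/shells as valid_shells when checking a real
       file.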

AUTHOR

       Stef Walter <stef@thewalter.net>
           Maintainer

NOTES

        1. SSSD
           https://fedorahosted.org/sssd/

        2. Winbind
           http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html

realmd                            05/11/2019                    REALMD.CONF(5)