REALMD.CONF(5)                   File Formats                   REALMD.CONF(5)

NAME
       realmd.conf - Tweak behavior of realmd

DESCRIPTION
       realmd can be tweaked by network administrators to act in specific
       ways. This is done by placing settings in /etc/realmd.conf. This file
       does not exist by default. The syntax of this file is the same as an
       INI file or Desktop Entry file.

       In general, settings in this file only apply at the point of joining a
       domain or realm. Once the realm has been set up the settings have no
       effect. You may choose to configure SSSD[1] or Winbind[2] directly.

       Only specify the settings you wish to override in the /etc/realmd.conf
       file. Settings not specified will be loaded from their packaged
       defaults. Only override the settings below. You may find other settings
       if you look through the realmd source code. However these are not
       guaranteed to remain stable.

       There are various sections in the config file. Some sections are global
       topic sections, and are listed below. Other sections are specific to a
       given realm. These realm specific sections should always contain the
       domain name in lower case as their section header.

       Examples of each setting are found below, including the header of the
       section it should be placed in. However in the resulting file only
       include each section once, and combine the various section settings
       together as lines underneath the section. For example:

           [users]
           default-home = /home/%U
           default-shell = /bin/bash

ACTIVE DIRECTORY
       These options should go in an [active-directory] section of the
       /etc/realmd.conf file. Only specify the settings you wish to override.

       default-client
           Specify the default-client setting in order to control which client
           software is the preferred default for use with Active Directory.

               [active-directory]
               default-client = sssd
               # default-client = winbind

           The default setting for this is sssd which uses SSSD[1] as the
           Active Directory client. You can also specify winbind to use Samba
           Winbind[2].

           Some callers of realmd such as the realm command line tool allow
           specifying which client software should be used. Others, such as
           GNOME Control Center, simply choose the default.

           You can verify the preferred default client software by running the
           following command. The realm with the preferred client software
           will be listed first.

               $ realm discover domain.example.com
               domain.example.com
                 configured: no
                 server-software: active-directory
                 client-software: sssd
                 type: kerberos
                 realm-name: AD.THEWALTER.LAN
                 domain-name: ad.thewalter.lan
               domain.example.com
                 configured: no
                 server-software: active-directory
                 client-software: winbind
                 type: kerberos
                 realm-name: AD.THEWALTER.LAN
                 domain-name: ad.thewalter.lan

       os-name
           (see below)

       os-version
           Specify the os-name and/or os-version settings to control the
           values that are placed in the computer account operatingSystem and
           operatingSystemVersion attributes.

           This is an Active Directory specific option.

           It is also possible to use the --os-name or --os-version argument
           of the realm command to override the default values.

               [active-directory]
               os-name = Gentoo Linux
               os-version = 9.9.9.9.9

SERVICE
       These options should go in a [service] section of the /etc/realmd.conf
       file. Only specify the settings you wish to override.

       automatic-install
           Set this to no to disable automatic installation of packages via
           package-kit.

               [service]
               automatic-install = no
               # automatic-install = yes

       legacy-samba-config
           Set this to yes to create a Samba configuration file with
           id-mapping options used by Samba-3.5 and earlier versions.

               [service]
               legacy-samba-config = no
               # legacy-samba-config = yes

USERS
       These options should go in a [users] section of the /etc/realmd.conf
       file. Only specify the settings you wish to override.

       default-home
           Specify the default-home setting in order to control how to set the
           home directory for accounts that have no home directory explicitly
           set.

               [users]
               default-home = /home/%U@%D
               # default-home = /nfs/home/%D-%U
               # default-home = /home/%D/%U

           The default setting for this is /home/%U@%D. The %D format is
           replaced by the domain name. The %U format is replaced by the user
           name.

           You can verify the home directory for a user by running the
           following command.

               $ getent passwd 'DOMAIN/User'
               DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash

           Note that in the case of IPA domains, most users already have a
           home directory configured in the domain. Therefore this
           configuration setting may rarely show through.

       default-shell
           Specify the default-shell setting in order to control how to set
           the Unix shell for accounts that have no shell explicitly set.

               [users]
               default-shell = /bin/bash
               # default-shell = /bin/sh

           The default setting for this is the /bin/bash shell. The shell
           should be a valid shell if you expect the domain users to be able
           to log in. For example it should exist in the /etc/shells file.

           You can verify the shell for a user by running the following
           command.

               $ getent passwd 'DOMAIN/User'
               DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash

           Note that in the case of IPA domains, most users already have a
           shell configured in the domain. Therefore this configuration
           setting may rarely show through.

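       The following Python script is an added example and is not part of
       this manual or of the realmd project. It parses a realmd.conf-style
       [users] section, expands the %U and %D formats of default-home for a
       given user and domain, and checks default-shell against a list of
       valid shells, falling back to the packaged defaults described above
       when a key is not overridden. The sample configuration and the
       stand-in for /etc/shells are constructed so the script runs offline;
       load_realmd_conf, expand_home_template, check_default_shell and
       describe_users_section are names chosen for this example, not realmd
       interfaces.

```python
import configparser

# Constructed sample of an /etc/realmd.conf [users] section (not from a real system).
SAMPLE_CONF = """\
[users]
default-home = /nfs/home/%D-%U
# default-home = /home/%U@%D
default-shell = /bin/bash
"""

# Constructed stand-in for the contents of /etc/shells so the example runs offline.
SAMPLE_ETC_SHELLS = ["/bin/sh", "/bin/bash", "/usr/bin/zsh"]

# Packaged defaults as documented in realmd.conf(5).
DEFAULT_HOME = "/home/%U@%D"
DEFAULT_SHELL = "/bin/bash"


def load_realmd_conf(text):
    """Parse realmd.conf text. The file uses INI syntax and '#' comment lines.
    Interpolation is disabled because %U and %D are realmd formats, not
    configparser interpolation."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(text)
    return conf


def expand_home_template(template, user, domain):
    """Expand the default-home formats: %U -> user name, %D -> domain name.
    Any other '%' sequence is left untouched (an assumption of this example;
    the manual only defines %U and %D)."""
    out = []
    i = 0
    while i < len(template):
        if template.startswith("%U", i):
            out.append(user)
            i += 2
        elif template.startswith("%D", i):
            out.append(domain)
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def check_default_shell(shell, etc_shells):
    """Return (ok, reason). The shell must exist in /etc/shells for domain
    users to be able to log in."""
    if shell in etc_shells:
        return True, "%s is listed in /etc/shells" % shell
    return False, "%s is not listed in /etc/shells; domain users could not log in" % shell


def describe_users_section(conf_text, user, domain, etc_shells):
    """Resolve the effective default-home and default-shell for one user,
    using the packaged defaults for any key that is not overridden."""
    conf = load_realmd_conf(conf_text)
    home_template = conf.get("users", "default-home", fallback=DEFAULT_HOME)
    shell = conf.get("users", "default-shell", fallback=DEFAULT_SHELL)
    ok, reason = check_default_shell(shell, etc_shells)
    return {
        "home": expand_home_template(home_template, user, domain),
        "shell": shell,
        "shell_ok": ok,
        "reason": reason,
    }


if __name__ == "__main__":
    result = describe_users_section(SAMPLE_CONF, "alice", "ad.example.com", SAMPLE_ETC_SHELLS)
    for key, value in result.items():
        print("%s: %s" % (key, value))
```

       Run against a real system, the shell list would be read from
       /etc/shells and the configuration from /etc/realmd.conf; the check only
       predicts what realmd will set at join time, since settings have no
       effect once the realm is set up.
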
REALM SPECIFIC SETTINGS
       These options should go in a section with the same name as the realm
       in the /etc/realmd.conf file. For example for the domain.example.com
       domain the section would be called [domain.example.com]. To figure out
       the canonical name for a realm use the realm command:

           $ realm discover --name DOMAIN.example.com
           domain.example.com
           ...

       Only specify the settings you wish to override.

       computer-ou
           Specify this option to create directory computer accounts in a
           location other than the default. This currently only works with
           Active Directory domains.

               [domain.example.com]
               computer-ou = OU=Linux Computers,DC=domain,DC=example,DC=com
               # computer-ou = OU=Linux Computers,

           Specify the OU as an LDAP DN. It can be relative to the Root DSE,
           or a complete LDAP DN. Obviously the OU must exist in the
           directory.

           It is also possible to use the --computer-ou argument of the realm
           command to create a computer account at a specific OU.

       computer-name
           This option only applies to Active Directory realms. Specify this
           option to override the default name used when creating the computer
           account. The system's FQDN will still be saved in the dNSHostName
           attribute.

               [domain.example.com]
               computer-name = SERVER01

           Specify the name as a string of 15 or fewer characters that is a
           valid NetBIOS computer name.

           It is also possible to use the --computer-name argument of the
           realm command to override the default computer account name.

       user-principal
           Set user-principal to yes to create userPrincipalName attributes
           for the computer account in the realm, in the form
           host/computer@REALM.

               [domain.example.com]
               user-principal = yes

       automatic-join
           This option only applies to Active Directory realms. This option is
           off by default. In Active Directory domains, a computer account can
           be preset with a known computer account password. This can be used
           for automatic joins without authentication.

           When automatic joins are used there is no mutual authentication
           between the machine and the domain during the join process.

               [domain.example.com]
               automatic-join = yes

       automatic-id-mapping
           This option is on by default for Active Directory realms. Turn it
           off to use UID and GID information stored in the directory (as per
           RFC2307) rather than automatically generating UID and GID numbers.

           This option only makes sense for Active Directory realms.

               [domain.example.com]
               automatic-id-mapping = no
               # automatic-id-mapping = yes

       manage-system
           This option is on by default. Normally joining a realm affects many
           aspects of the configuration and management of the system. Turning
           this off limits the interaction with the realm or domain to
           authentication and identity.

               [domain.example.com]
               manage-system = no
               # manage-system = yes

           When this option is turned on realmd defaults to using domain
           policy to control who can log into this machine. Further
           adjustments to login policy can be made with the realm permit
           command.

       fully-qualified-names
           This option is on by default. If turned off then realm user and
           group names are not qualified with their realm name. This may cause
           them to conflict with local user and group names.

               [domain.example.com]
               fully-qualified-names = no
               # fully-qualified-names = yes

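       The following Python script is an added example and is not part of
       this manual or of the realmd project. It lints one realm specific
       section of a realmd.conf-style file before the join: it checks that
       realm section headers use the lower-case domain name, that the yes/no
       settings hold yes or no, that computer-name is 15 or fewer characters,
       that computer-ou has the shape of an LDAP DN (complete or relative to
       the Root DSE), and it reports the settings this manual describes as
       weakening the join or the identity model (automatic-join = yes,
       fully-qualified-names = no, manage-system = no). The sample section is
       constructed; the NetBIOS character set and the DN handling are this
       example's assumptions, and lint_realm_section, check_computer_name and
       check_computer_ou are names chosen here, not realmd interfaces.

```python
import configparser
import re

# Constructed sample realm section; the domain and values are illustrative only.
SAMPLE_CONF = """\
[domain.example.com]
computer-ou = OU=Linux Computers,DC=domain,DC=example,DC=com
computer-name = SERVER01
user-principal = yes
automatic-join = yes
automatic-id-mapping = no
manage-system = yes
fully-qualified-names = no
"""

GLOBAL_SECTIONS = {"active-directory", "service", "users"}
BOOLEAN_KEYS = ("user-principal", "automatic-join", "automatic-id-mapping",
                "manage-system", "fully-qualified-names")

# NetBIOS rule assumed here: 1-15 characters from letters, digits and '-',
# and not all digits. The manual only states the 15-character limit.
NETBIOS_RE = re.compile(r"^[A-Za-z0-9-]{1,15}$")
# One RDN of an LDAP DN: attribute type, '=', non-empty value.
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def load_realmd_conf(text):
    """Parse realmd.conf text (INI syntax, '#' comments, no interpolation)."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(text)
    return conf


def check_computer_name(name):
    """True if name fits the assumed NetBIOS rule above."""
    return bool(NETBIOS_RE.match(name)) and not name.isdigit()


def check_computer_ou(ou):
    """True if ou looks like an LDAP DN: RDNs separated by unescaped commas.
    A trailing comma marks the form relative to the Root DSE. Escaped commas
    ('\\,') inside values are honoured; other DN escapes are not validated
    (assumption of this example)."""
    body = ou.strip()
    if body.endswith(",") and not body.endswith("\\,"):
        body = body[:-1]
    rdns = re.split(r"(?<!\\),", body)
    return all(RDN_RE.match(r.strip()) for r in rdns)


def lint_realm_section(text, realm):
    """Return a list of findings for the [realm] section of the given text."""
    conf = load_realmd_conf(text)
    findings = []
    for section in conf.sections():
        if section not in GLOBAL_SECTIONS and section != section.lower():
            findings.append("section [%s] should use the lower-case domain name" % section)
    if not conf.has_section(realm):
        findings.append("no [%s] section found" % realm)
        return findings
    sec = conf[realm]
    for key in BOOLEAN_KEYS:
        if key in sec and sec[key].strip().lower() not in ("yes", "no"):
            findings.append("%s: expected yes or no, got %r" % (key, sec[key]))
    if "computer-name" in sec and not check_computer_name(sec["computer-name"].strip()):
        findings.append("computer-name: must be a valid NetBIOS name of 15 or fewer characters")
    if "computer-ou" in sec and not check_computer_ou(sec["computer-ou"]):
        findings.append("computer-ou: must be an LDAP DN, complete or relative to the Root DSE")
    # Settings the manual describes as weakening the join or identity model.
    if sec.get("automatic-join", "no").strip().lower() == "yes":
        findings.append("automatic-join = yes: no mutual authentication between machine and domain during the join")
    if sec.get("fully-qualified-names", "yes").strip().lower() == "no":
        findings.append("fully-qualified-names = no: realm user and group names may conflict with local ones")
    if sec.get("manage-system", "yes").strip().lower() == "no":
        findings.append("manage-system = no: domain login policy is not applied; interaction is limited to authentication and identity")
    return findings


if __name__ == "__main__":
    for finding in lint_realm_section(SAMPLE_CONF, "domain.example.com"):
        print(finding)
```

       The realm name passed to the lint should be the canonical, lower-case
       name printed by realm discover --name, since that is the section header
       realmd looks for.
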
AUTHOR
       Stef Walter <stef@thewalter.net>
           Maintainer

NOTES
        1. SSSD
           https://fedorahosted.org/sssd/

        2. Winbind
           http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html

realmd                            05/11/2019                    REALMD.CONF(5)