REALMD.CONF(5)                   File Formats                  REALMD.CONF(5)

NAME
       realmd.conf - Tweak behavior of realmd

DESCRIPTION
       realmd can be tweaked by network administrators to act in specific
       ways. This is done by placing settings in /etc/realmd.conf. This file
       does not exist by default. The syntax of this file is the same as an
       INI file or Desktop Entry file. If the file is changed while realmd is
       running, realmd must be restarted to read the new values.

       In general, settings in this file only apply at the point of joining a
       domain or realm. Once the realm has been set up, the settings have no
       effect. You may choose to configure SSSD[1] or Winbind[2] directly.

       Only specify the settings you wish to override in the /etc/realmd.conf
       file. Settings not specified will be loaded from their packaged
       defaults, which can be found in /usr/lib/realmd/realmd-defaults.conf
       and /usr/lib/realmd/realmd-distro.conf. Only override the settings
       documented below. You may find other settings if you look through the
       realmd source code; however, these are not guaranteed to remain
       stable.

       There are various sections in the config file. Some sections are
       global topic sections, and are listed below. Other sections are
       specific to a given realm. These realm-specific sections should always
       contain the domain name in lower case as their section header.

       Examples of each setting are found below, including the header of the
       section it should be placed in. However, in the resulting file only
       include each section once, and combine the various settings for a
       section as lines underneath that single header. For example:

           [users]
           default-home = /home/%U
           default-shell = /bin/bash

ACTIVE DIRECTORY
       These options should go in an [active-directory] section of the
       /etc/realmd.conf file. Only specify the settings you wish to override.

       default-client
           Specify the default-client setting in order to control which
           client software is the preferred default for use with Active
           Directory.

               [active-directory]
               default-client = sssd
               # default-client = winbind

           The default setting for this is sssd, which uses SSSD[1] as the
           Active Directory client. You can also specify winbind to use Samba
           Winbind[2].

           Some callers of realmd, such as the realm command line tool, allow
           specifying which client software should be used. Others, such as
           GNOME Control Center, simply choose the default.

           You can verify the preferred default client software by running
           the following command. The realm with the preferred client
           software will be listed first.

               $ realm discover domain.example.com
               domain.example.com
                 configured: no
                 server-software: active-directory
                 client-software: sssd
                 type: kerberos
                 realm-name: DOMAIN.EXAMPLE.COM
                 domain-name: domain.example.com
               domain.example.com
                 configured: no
                 server-software: active-directory
                 client-software: winbind
                 type: kerberos
                 realm-name: DOMAIN.EXAMPLE.COM
                 domain-name: domain.example.com

       os-name
           (see below)

       os-version
           Specify the os-name and/or os-version settings to control the
           values that are placed in the computer account's operatingSystem
           and operatingSystemVersion attributes.

           This is an Active Directory specific option.

           It is also possible to use the --os-name or --os-version argument
           of the realm command to override the default values.

               [active-directory]
               os-name = Gentoo Linux
               os-version = 9.9.9.9.9

SERVICE
       These options should go in a [service] section of the /etc/realmd.conf
       file. Only specify the settings you wish to override.

       automatic-install
           Set this to no to disable automatic installation of packages via
           PackageKit.

               [service]
               automatic-install = no
               # automatic-install = yes

       legacy-samba-config
           Set this to yes to create a Samba configuration file with
           id-mapping options used by Samba 3.5 and earlier versions.

               [service]
               legacy-samba-config = no
               # legacy-samba-config = yes

USERS
       These options should go in a [users] section of the /etc/realmd.conf
       file. Only specify the settings you wish to override.

       default-home
           Specify the default-home setting in order to control how to set
           the home directory for accounts that have no home directory
           explicitly set.

               [users]
               default-home = /home/%U@%D
               # default-home = /nfs/home/%D-%U
               # default-home = /home/%D/%U

           The default setting for this is /home/%U@%D. The %D format is
           replaced by the domain name. The %U format is replaced by the user
           name.

           You can verify the home directory for a user by running the
           following command. The output shown corresponds to the
           /home/%D/%U form above.

               $ getent passwd 'DOMAIN\User'
               DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash

           Note that in the case of IPA domains, most users already have a
           home directory configured in the domain. Therefore this
           configuration setting may rarely show through.

       default-shell
           Specify the default-shell setting in order to control how to set
           the Unix shell for accounts that have no shell explicitly set.

               [users]
               default-shell = /bin/bash
               # default-shell = /bin/sh

           The default setting for this is /bin/bash. The shell should be a
           valid shell if you expect domain users to be able to log in; for
           example, it should be listed in the /etc/shells file.

           You can verify the shell for a user by running the following
           command.

               $ getent passwd 'DOMAIN\User'
               DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash

           Note that in the case of IPA domains, most users already have a
           shell configured in the domain. Therefore this configuration
           setting may rarely show through.

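       The getent commands above show one resolved account by hand. The
       following added example (my own code, not part of realmd or of this
       manual page) does the same check programmatically: it expands a
       default-home template with %U and %D, compares the result with a
       `getent passwd` record, and confirms the shell is listed in
       /etc/shells. The passwd record and the /etc/shells content are
       constructed samples; a home directory supplied by the domain itself
       (as on IPA) simply shows up as a template mismatch rather than an
       error.

```python
"""Check a domain account's home directory and shell against the realmd.conf
[users] templates. Added example, not part of realmd; the passwd record and
the /etc/shells content are constructed samples."""


def expand_template(template, user, domain):
    """Expand a realmd default-home template: %U -> user name, %D -> domain."""
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template) and template[i + 1] in "UD":
            out.append(user if template[i + 1] == "U" else domain)
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def valid_shells(shells_text):
    """Shells listed in an /etc/shells file (blank lines and # comments skipped)."""
    return {line.strip() for line in shells_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def parse_passwd(record):
    """Split one `getent passwd` line into its seven colon-separated fields."""
    fields = record.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(fields)}")
    name, _pw, uid, gid, gecos, home, shell = fields
    return {"name": name, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}


def check_account(record, home_template, user, domain, shells_text):
    """Does the resolved account match the template and use a valid login shell?"""
    entry = parse_passwd(record)
    expected = expand_template(home_template, user, domain)
    return {
        "expected_home": expected,
        # A mismatch is not necessarily wrong: the domain (e.g. IPA) may
        # supply its own home directory, which overrides the template.
        "home_matches_template": entry["home"] == expected,
        "shell_in_etc_shells": entry["shell"] in valid_shells(shells_text),
    }


# Constructed samples: the record from the manual page's getent example, and
# a minimal /etc/shells.
SAMPLE_RECORD = r"DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash"
SAMPLE_SHELLS = "# /etc/shells (constructed)\n/bin/sh\n/bin/bash\n"

if __name__ == "__main__":
    print(check_account(SAMPLE_RECORD, "/home/%D/%U", "user", "DOMAIN", SAMPLE_SHELLS))
    print(check_account(SAMPLE_RECORD, "/home/%U@%D", "user", "DOMAIN", SAMPLE_SHELLS))
```

       In practice, feed it the output of `getent passwd` for a real domain
       account and the real /etc/shells; a shell that is not listed there
       means the account cannot log in interactively even though it resolves.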
REALM SPECIFIC
       These options should go in a section with the same name as the realm
       in the /etc/realmd.conf file. For example, for the domain.example.com
       domain the section would be called [domain.example.com]. To figure out
       the canonical name for a realm, use the realm command:

           $ realm discover --name-only DOMAIN.example.com
           domain.example.com
           ...

       Only specify the settings you wish to override.

       computer-ou
           Specify this option to create directory computer accounts in a
           location other than the default. This currently only works with
           Active Directory domains.

               [domain.example.com]
               computer-ou = OU=Linux Computers,DC=domain,DC=example,DC=com
               # computer-ou = OU=Linux Computers,

           Specify the OU as an LDAP DN. It can be relative to the Root DSE,
           or a complete LDAP DN. Obviously the OU must exist in the
           directory.

           It is also possible to use the --computer-ou argument of the realm
           command to create a computer account at a specific OU.

       computer-name
           This option only applies to Active Directory realms. Specify this
           option to override the default name used when creating the
           computer account. The system's FQDN will still be saved in the
           dNSHostName attribute.

               [domain.example.com]
               computer-name = SERVER01

           Specify the name as a string of 15 or fewer characters that is a
           valid NetBIOS computer name.

           It is also possible to use the --computer-name argument of the
           realm command to override the default computer account name.

       user-principal
           Set user-principal to yes to create a userPrincipalName attribute
           for the computer account in the realm. The exact value depends on
           the defaults of the membership software used. To have full control
           over the value, use the --user-principal option of the realm
           command; see realm(8) for details.

               [domain.example.com]
               user-principal = yes

       automatic-join
           This option only applies to Active Directory realms. This option
           is off by default. In Active Directory domains, a computer account
           can be preset with a known computer account password. This can be
           used for automatic joins without authentication.

           When automatic joins are used there is no mutual authentication
           between the machine and the domain during the join process. Use
           this only where the network path to the domain controllers is
           trusted, and treat the preset computer account password as a
           secret.

               [domain.example.com]
               automatic-join = yes

       automatic-id-mapping
           This option is on by default for Active Directory realms. Turn it
           off to use the UID and GID information stored in the directory
           (as per RFC2307) rather than automatically generating UID and GID
           numbers. With it off, accounts that lack these attributes in the
           directory cannot be resolved.

           This option only makes sense for Active Directory realms.

               [domain.example.com]
               automatic-id-mapping = no
               # automatic-id-mapping = yes

       manage-system
           This option is on by default. Normally joining a realm affects
           many aspects of the configuration and management of the system.
           Turning this off limits the interaction with the realm or domain
           to authentication and identity.

               [domain.example.com]
               manage-system = no
               # manage-system = yes

           When this option is turned on, realmd defaults to using domain
           policy to control who can log into this machine. Further
           adjustments to login policy can be made with the realm permit
           command.

       fully-qualified-names
           This option is on by default. If turned off, realm user and group
           names are not qualified with the domain name. This may cause them
           to conflict with local user and group names.

               [domain.example.com]
               fully-qualified-names = no
               # fully-qualified-names = yes

SEE ALSO
       realm(8)

AUTHOR
       Stef Walter <stef@thewalter.net>
           Maintainer

NOTES
        1. SSSD
           https://fedorahosted.org/sssd/

        2. Winbind
           http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html

realmd                            08/01/2020                    REALMD.CONF(5)