REALMD.CONF(5)                   File Formats                   REALMD.CONF(5)

NAME

       realmd.conf - Tweak behavior of realmd

CONFIGURATION FILE

       realmd can be tweaked by network administrators to act in specific
       ways. This is done by placing settings in /etc/realmd.conf. This file
       does not exist by default. The syntax of this file is the same as an
       INI file or Desktop Entry file. If the file is changed while realmd is
       running, realmd must be restarted to read the new values.

       In general, settings in this file only apply at the point of joining a
       domain or realm. Once the realm has been set up the settings have no
       effect. You may choose to configure SSSD[1] or Winbind[2] directly.

       Only specify the settings you wish to override in the /etc/realmd.conf
       file. Settings not specified will be loaded from their packaged
       defaults which can be found in /usr/lib/realmd/realmd-defaults.conf and
       /usr/lib/realmd/realmd-distro.conf. Only override the settings below.
       You may find other settings if you look through the realmd source code.
       However these are not guaranteed to remain stable.

       There are various sections in the config file. Some sections are global
       topic sections, and are listed below. Other sections are specific to a
       given realm. These realm specific sections should always contain the
       domain name in lower case as their section header.

       Examples of each setting are found below, including the header of the
       section it should be placed in. However in the resulting file only
       include each section once, and combine the various section settings
       together as lines underneath the section. For example

           [users]
           default-home = /home/%U
           default-shell = /bin/bash

ACTIVE-DIRECTORY

       These options should go in an [active-directory] section of the
       /etc/realmd.conf file. Only specify the settings you wish to override.

       default-client
           Specify the default-client setting in order to control which client
           software is the preferred default for use with Active Directory.

               [active-directory]
               default-client = sssd
               # default-client = winbind

           The default setting for this is sssd which uses SSSD[1] as the
           Active Directory client. You can also specify winbind to use Samba
           Winbind[2].

           Some callers of realmd such as the realm command line tool allow
           specifying which client software should be used. Others, such as
           GNOME Control Center, simply choose the default.

           You can verify the preferred default client software by running the
           following command. The realm with the preferred client software
           will be listed first.

               $ realm discover domain.example.com
               domain.example.com
                 configured: no
                 server-software: active-directory
                 client-software: sssd
                 type: kerberos
                 realm-name: AD.THEWALTER.LAN
                 domain-name: ad.thewalter.lan
               domain.example.com
                 configured: no
                 server-software: active-directory
                 client-software: winbind
                 type: kerberos
                 realm-name: AD.THEWALTER.LAN
                 domain-name: ad.thewalter.lan

       os-name
           (see below)

       os-version
           Specify the os-name and/or os-version settings to control the
           values that are placed in the computer account operatingSystem and
           operatingSystemVersion attributes.

           This is an Active Directory specific option.

           It is also possible to use the --os-name or --os-version argument
           of the realm command to override the default values.

               [active-directory]
               os-name = Gentoo Linux
               os-version = 9.9.9.9.9

SERVICE

       These options should go in a [service] section of the /etc/realmd.conf
       file. Only specify the settings you wish to override.

       automatic-install
           Set this to no to disable automatic installation of packages via
           package-kit.

               [service]
               automatic-install = no
               # automatic-install = yes

       legacy-samba-config
           Set this to yes to create a Samba configuration file with
           id-mapping options used by Samba-3.5 and earlier versions.

               [service]
               legacy-samba-config = no
               # legacy-samba-config = yes

USERS

       These options should go in a [users] section of the /etc/realmd.conf
       file. Only specify the settings you wish to override.

       default-home
           Specify the default-home setting in order to control how to set the
           home directory for accounts that have no home directory explicitly
           set.

               [users]
               default-home = /home/%U@%D
               # default-home = /nfs/home/%D-%U
               # default-home = /home/%D/%U

           The default setting for this is /home/%U@%D. The %D format is
           replaced by the domain name. The %U format is replaced by the user
           name.

           You can verify the home directory for a user by running the
           following command.

               $ getent passwd 'DOMAIN/User'
               DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash

           Note that in the case of IPA domains, most users already have a
           home directory configured in the domain. Therefore this
           configuration setting may rarely show through.

       default-shell
           Specify the default-shell setting in order to control how to set
           the Unix shell for accounts that have no shell explicitly set.

               [users]
               default-shell = /bin/bash
               # default-shell = /bin/sh

           The default setting for this is /bin/bash shell. The shell should
           be a valid shell if you expect the domain users to be able to log
           in. For example it should exist in the /etc/shells file.

           You can verify the shell for a user by running the following
           command.

               $ getent passwd 'DOMAIN/User'
               DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash

           Note that in the case of IPA domains, most users already have a
           shell configured in the domain. Therefore this configuration
           setting may rarely show through.

REALM SPECIFIC SETTINGS

       These options should go in a section with the same name as the realm
       in the /etc/realmd.conf file. For example for the domain.example.com
       domain the section would be called [domain.example.com]. To figure out
       the canonical name for a realm use the realm command:

           $ realm discover --name-only DOMAIN.example.com
           domain.example.com
           ...

       Only specify the settings you wish to override.

       computer-ou
           Specify this option to create directory computer accounts in a
           location other than the default. This currently only works with
           Active Directory domains.

               [domain.example.com]
               computer-ou = OU=Linux Computers,DC=domain,DC=example,DC=com
               # computer-ou = OU=Linux Computers,

           Specify the OU as an LDAP DN. It can be relative to the Root DSE,
           or a complete LDAP DN. Obviously the OU must exist in the
           directory.

           It is also possible to use the --computer-ou argument of the realm
           command to create a computer account at a specific OU.

       computer-name
           This option only applies to Active Directory realms. Specify this
           option to override the default name used when creating the computer
           account. The system's FQDN will still be saved in the dNSHostName
           attribute.

               [domain.example.com]
               computer-name = SERVER01

           Specify the name as a string of 15 or fewer characters that is a
           valid NetBIOS computer name.

           It is also possible to use the --computer-name argument of the
           realm command to override the default computer account name.

       user-principal
           Set the user-principal to yes to create userPrincipalName attribute
           for the computer accounts in the realm. The exact value depends on
           the defaults of the used membership software. To have full control
           over the value please use the --user-principal option of the realm
           command, see realm(8) for details.

               [domain.example.com]
               user-principal = yes

       automatic-join
           This option only applies to Active Directory realms. This option is
           off by default. In Active Directory domains, a computer account can
           be preset with a known computer account password. This can be used
           for automatic joins without authentication.

           When automatic joins are used there is no mutual authentication
           between the machine and the domain during the join process.

               [domain.example.com]
               automatic-join = yes

       automatic-id-mapping
           This option is on by default for Active Directory realms. Turn it
           off to use UID and GID information stored in the directory (as per
           RFC2307) rather than automatically generating UID and GID numbers.

           This option only makes sense for Active Directory realms.

               [domain.example.com]
               automatic-id-mapping = no
               # automatic-id-mapping = yes

       manage-system
           This option is on by default. Normally joining a realm affects many
           aspects of the configuration and management of the system. Turning
           this off limits the interaction with the realm or domain to
           authentication and identity.

               [domain.example.com]
               manage-system = no
               # manage-system = yes

           When this option is turned on realmd defaults to using domain
           policy to control who can log into this machine. Further
           adjustments to login policy can be made with the realm permit
           command.

       fully-qualified-names
           This option is on by default. If turned off then realm user and
           group names are not qualified with the domain name. This may cause
           them to conflict with local user and group names.

               [domain.example.com]
               fully-qualified-names = no
               # fully-qualified-names = yes

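
       A pre-join review of /etc/realmd.conf against the caveats stated
       above, as an added example (not part of realmd or its documentation).
       The function name, the sample file and the finding texts are
       assumptions made for illustration.

```python
import configparser

# Global topic sections documented on this page; any other section
# header is treated as a realm-specific section.
GLOBAL_SECTIONS = {"active-directory", "service", "users"}

def audit_realmd_conf(text, valid_shells):
    """Return (section, finding) tuples for the text of a realmd.conf."""
    # interpolation=None: values such as /home/%U@%D contain '%', which the
    # default interpolation would reject when the value is fetched.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []

    if cp.has_section("users"):
        shell = cp.get("users", "default-shell", fallback=None)
        if shell is not None and shell not in valid_shells:
            findings.append(("users", f"default-shell {shell} is not a valid shell"))

    for name in cp.sections():
        if name in GLOBAL_SECTIONS:
            continue
        sec = cp[name]
        if name != name.lower():
            findings.append((name, "realm section header is not lower case"))
        if sec.get("automatic-join", "no").strip().lower() == "yes":
            findings.append((name, "automatic-join: no mutual authentication during join"))
        if sec.get("fully-qualified-names", "yes").strip().lower() == "no":
            findings.append((name, "fully-qualified-names off: may conflict with local names"))
        if len(sec.get("computer-name", "")) > 15:
            findings.append((name, "computer-name is longer than 15 characters"))
    return findings

# Constructed sample configuration (not taken from a real host).
SAMPLE = """\
[users]
default-home = /home/%U@%D
default-shell = /bin/zsh

[Domain.Example.com]
automatic-join = yes
fully-qualified-names = no
computer-name = LINUX-BUILD-SERVER-01
"""

if __name__ == "__main__":
    # On a real host, pass the entries of /etc/shells as valid_shells.
    for section, finding in audit_realmd_conf(SAMPLE, {"/bin/sh", "/bin/bash"}):
        print(f"[{section}] {finding}")
```

       Because these settings only apply at the point of joining, run such a
       check before realm join rather than after.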

SEE ALSO

       realm(8)

AUTHOR

       Stef Walter <stef@thewalter.net>
           Maintainer

NOTES

        1. SSSD
           https://fedorahosted.org/sssd/

        2. Winbind
           http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html

realmd                            08/01/2020                    REALMD.CONF(5)