REALM(8)                         User Commands                        REALM(8)


NAME

       realm - Manage enrollment in realms


SYNOPSIS

       realm discover [realm-name]

       realm join [-U user] [realm-name]

       realm leave [-U user] [realm-name]

       realm list

       realm permit [-ax] [-R realm] {user@domain...}

       realm deny -a [-R realm]


DESCRIPTION

       realm is a command line tool that can be used to manage enrollment in
       kerberos realms, like Active Directory domains or IPA domains.

       See the various subcommands below. The following global options can be
       used:

       --install=/path
           Run in install mode. This makes realmd chroot into the specified
           directory and place files in appropriate locations for use during
           an installer. No packages will be installed and no services will be
           started when running in this mode.

       --unattended
           Run in unattended mode without prompting for input.

       --verbose, -v
           Display verbose diagnostics while running commands.


DISCOVER

       Discover a realm and its capabilities.

           $ realm discover

           $ realm discover domain.example.com

       After discovering a realm, its name, type and capabilities are
       displayed.

       If no domain is specified, then the domain assigned through DHCP is
       used as a default.

       The following options can be used:

       --all
           Show all discovered realms (in various configurations).

       --client-software=xxx
           Only discover realms for which we can use the given client
           software. Possible values include sssd or winbind.

       --server-software=xxx
           Only discover realms which run the given server software. Possible
           values include active-directory or ipa.

       --membership-software=xxx
           Only discover realms for which the given membership software can be
           used to subsequently perform enrollment. Possible values include
           samba or adcli.


JOIN

       Configure the local machine for use with a realm.

           $ realm join domain.example.com

           $ realm join --user=admin --computer-ou=OU=Special domain.example.com

       The realm is first discovered, as we would with the discover command.
       If no domain is specified, then the domain assigned through DHCP is
       used as a default.

       After a successful join, the computer will be in a state where it is
       able to resolve remote user and group names from the realm. For
       kerberos realms, a computer account and host keytab are created.

       Joining arbitrary kerberos realms is not supported. The realm must have
       a supported mechanism for joining from a client machine, such as Active
       Directory or IPA.

       If the domain has been preconfigured, and unless --user is explicitly
       specified, an automatic join is attempted first.

       Note that the --user, --no-password, and --one-time-password options
       are mutually exclusive. At most one of them can be specified.

       It is generally possible to use kerberos credentials to perform a join
       operation. Use the kinit command to acquire credentials prior to
       starting the join. Do not specify the --user argument; the user will be
       selected automatically from the credential cache. The realm respects
       the KRB5_CCACHE environment variable, but uses the default kerberos
       credential cache if it's not present. Not all types of servers can be
       joined using kerberos credentials; some (like IPA) insist on prompting
       for a password.

       The following options can be used:

       --automatic-id-mapping=no
           Do not perform UID/GID mapping for users and groups, but expect
           these identifiers to be present in the domain already.

       --user=xxx
           The user name to be used to authenticate with when joining the
           machine to the realm. You will be prompted for a password.

       --computer-ou=OU=xxx
           The distinguished name of an organizational unit in which to create
           the computer account. The exact format of the distinguished name
           depends on the client software and membership software. You can
           usually omit the root DSE portion of the distinguished name. This
           is an Active Directory specific option.

       --no-password
           Perform the join automatically without a password.

       --one-time-password=xxxx
           Perform the join using a one time password specified on the command
           line. This is not possible with all types of realms.

       --client-software=xxx
           Only join realms for which we can use the given client software.
           Possible values include sssd or winbind. Not all values are
           supported for all realms. By default the client software is
           automatically selected.

       --server-software=xxx
           Only join realms which run the given server software. Possible
           values include active-directory or ipa.

       --membership-software=xxx
           The software to use when joining the realm. Possible values
           include samba or adcli. Not all values are supported for all
           realms. By default the membership software is automatically
           selected.

       --user-principal=host/name@REALM
           Set the userPrincipalName field of the computer account to this
           kerberos principal. If you omit the value for this option, then a
           principal will be set based on the defaults of the membership
           software.

           AD makes a distinction between user and service principals. Only
           with user principals can you request a Kerberos
           Ticket-Granting-Ticket (TGT), i.e. only user principals can be used
           with the kinit command. By default the user principal and the
           canonical principal name of an AD computer account is
           shortname$@AD.DOMAIN, where shortname is the NetBIOS name, which is
           limited to 15 characters.

           If there are applications which are not aware of the AD default and
           are using a hard-coded default principal, the --user-principal
           option can be used to make AD aware of this principal. Please note
           that userPrincipalName is a single value LDAP attribute, i.e. only
           one alternative user principal besides the AD default user
           principal can be set.

       --os-name=xxx
           The name of the operating system of the client. When joining an AD
           domain the value is stored in the matching AD attribute.

       --os-version=xxx
           The version of the operating system of the client. When joining an
           AD domain the value is stored in the matching AD attribute.

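       As an added example that is not part of realmd or this manual, the
       following POSIX shell wrapper applies the constraints stated above
       before calling realm join: it refuses to run when more than one of
       --user, --no-password and --one-time-password is given, and it warns
       when no credential option is present and klist(1) reports no valid
       Kerberos ticket cache, since the join would then rely on a
       preconfigured domain or fall back to prompting. REALM_CMD is a
       hypothetical variable introduced here so the logic can be exercised
       (for example with REALM_CMD=echo) without contacting a domain.

```shell
#!/bin/sh
# Added example (not realmd code): pre-flight checks before "realm join".
# REALM_CMD is a hypothetical knob; it defaults to the real realm binary and
# can be pointed at "echo" to preview what would be run.
REALM_CMD="${REALM_CMD:-realm}"

# Print how many of the mutually exclusive credential options are present:
# --user/-U, --no-password and --one-time-password (realm accepts at most one).
count_cred_opts() {
    n=0
    for arg in "$@"; do
        case "$arg" in
            --user|--user=*|-U) n=$((n + 1)) ;;
            --no-password) n=$((n + 1)) ;;
            # Note: a one-time password given this way sits on the command
            # line, where other local processes can read it.
            --one-time-password|--one-time-password=*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Succeed only when the credential options do not conflict.
check_join_opts() {
    [ "$(count_cred_opts "$@")" -le 1 ]
}

# True when klist(1) is installed and reports a valid ticket cache; realm
# picks the joining user from that cache when --user is not given.
have_krb_creds() {
    command -v klist >/dev/null 2>&1 && klist -s >/dev/null 2>&1
}

# Validate, then hand the arguments unchanged to "realm join".
join_realm() {
    if ! check_join_opts "$@"; then
        echo "join: --user, --no-password and --one-time-password are mutually exclusive" >&2
        return 2
    fi
    if [ "$(count_cred_opts "$@")" -eq 0 ] && ! have_krb_creds; then
        # Not fatal: a preconfigured domain allows an automatic join, and
        # otherwise realm prompts for credentials itself.
        echo "join: no credential option and no Kerberos ticket cache found" >&2
    fi
    "$REALM_CMD" join "$@"
}

# Example invocation, mirroring the manual's second join example:
#   join_realm --user=admin --computer-ou=OU=Special domain.example.com
```

       Running the file with REALM_CMD=echo prints the realm join command
       that would be executed instead of performing the join, which is a
       convenient way to review the arguments produced by an automation
       script before it touches a production domain.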

LEAVE

       Deconfigure the local machine for use with a realm.

           $ realm leave

           $ realm leave domain.example.com

       If no realm name is specified, then the first configured realm will be
       used.

       The following options can be used:

       --client-software=xxx
           Only leave the realm which is using the given client software.
           Possible values include sssd or winbind.

       --server-software=xxx
           Only leave the realm which is using the given server software.
           Possible values include active-directory or ipa.

       --remove
           Remove or disable the computer account in the directory while
           leaving the realm. This will usually prompt for a password.

       --user
           The user name to be used to authenticate with when leaving the
           realm. You will be prompted for a password. Implies --remove.


LIST

       List all the discovered and configured realms.

           $ realm list

       By default, realms that have been discovered, but not configured (using
       the join command), are not displayed. Also, by default, the list of
       realm details displayed is verbose. The options below can be used to
       change this default behavior.

       The following options can be used:

       --all
           Show all discovered realms (whether or not they have been
           configured).

       --name-only
           Display only realm names (as opposed to verbose output).


PERMIT

       Permit local login by users of the realm.

           $ realm permit --all
           $ realm permit user@example.com
           $ realm permit DOMAIN\\User2
           $ realm permit --withdraw user@example.com

       The current login policy and format of the user names can be seen by
       using the realm list command.

       The following options can be used:

       --all, -a
           Permit logins using realm accounts on the local machine according
           to the realm policy. This usually defaults to allowing any realm
           user to log in.

       --groups, -g
           Treat the specified names as groups rather than user login names.
           Permit login by users in the specified groups.

       --realm, -R
           Specify the name of the realm to change login policy for.

       --withdraw, -x
           Remove a login from the list of realm accounts permitted to log
           into the machine.


DENY

       Deny local login by realm accounts.

           $ realm deny --all

       This command prevents realm accounts from logging into the local
       machine. Use realm permit to restrict logins to specific accounts.

       The following options can be used:

       --all, -a
           This option should be specified.

       --realm, -R
           Specify the name of the realm to deny users login to.

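       As an added example that is not part of realmd or this manual, this
       POSIX shell function composes the deny and permit commands described in
       the PERMIT and DENY sections into a restrictive login policy: deny all
       realm accounts, then permit only the named groups (or, with -u, the
       named users) on the given realm. Names are checked against the two
       formats this page shows, user@domain and DOMAIN\User, before anything
       is changed. REALM_CMD is a hypothetical variable introduced here so the
       sequence can be printed with REALM_CMD=echo instead of executed; the
       resulting policy should be confirmed with realm list, as the PERMIT
       section recommends.

```shell
#!/bin/sh
# Added example (not realmd code): build a restrictive login policy from
# "realm deny" and "realm permit". REALM_CMD is a hypothetical knob that
# defaults to the real realm binary; set it to "echo" to preview the commands.
REALM_CMD="${REALM_CMD:-realm}"

# Accept only the two name formats this manual shows, user@domain and
# DOMAIN\User, so a mistyped name is rejected before policy is changed.
valid_login_name() {
    case "$1" in
        *@*@*|*@|@*) return 1 ;;   # user@domain has exactly one @, both sides non-empty
        ?*@?*) return 0 ;;
        ?*\\?*) return 0 ;;        # DOMAIN\User with a single literal backslash
        *) return 1 ;;
    esac
}

# Usage: restrict_logins REALM_NAME [-u] NAME [NAME ...]
# Denies every realm account, then permits only the named groups. With -u the
# names are treated as user logins instead of groups.
restrict_logins() {
    [ "$#" -ge 2 ] || { echo "restrict_logins: realm name and at least one name required" >&2; return 2; }
    realm_name="$1"; shift
    as_groups=yes
    if [ "$1" = "-u" ]; then
        as_groups=no
        shift
    fi
    [ "$#" -ge 1 ] || { echo "restrict_logins: no names given" >&2; return 2; }
    for name in "$@"; do
        valid_login_name "$name" || { echo "restrict_logins: bad name: $name" >&2; return 2; }
    done
    # Deny first so the machine is never left with a wide-open policy if the
    # permit step fails; -R is the short form of --realm from the synopsis.
    "$REALM_CMD" deny --all -R "$realm_name" || return 1
    if [ "$as_groups" = yes ]; then
        "$REALM_CMD" permit --groups -R "$realm_name" "$@"
    else
        "$REALM_CMD" permit -R "$realm_name" "$@"
    fi
}

# Example invocation (group name is constructed for illustration):
#   restrict_logins domain.example.com linux-admins@domain.example.com
```

       The deny-then-permit order matters for the failure case: if the permit
       step cannot complete, the machine is left denying all realm logins
       rather than allowing them, which is the safer state to recover from.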

SEE ALSO

       realmd.conf(5)


AUTHOR

       Stef Walter <stef@thewalter.net>
           Maintainer

realmd                            08/01/2020                          REALM(8)