REALM(8) User Commands REALM(8)


NAME
realm - Manage enrollment in realms

SYNOPSIS
realm discover [realm-name]

realm join [-U user] [realm-name]

realm leave [-U user] [realm-name]

realm list

realm permit [-ax] [-R realm] {user@domain...}

realm deny -a [-R realm]

DESCRIPTION
realm is a command line tool that can be used to manage enrollment in
kerberos realms, like Active Directory domains or IPA domains.

See the various subcommands below. The following global options can be
used:

-i, --install=/path
Run in install mode. This makes realmd chroot into the directory
specified by an absolute path and place files in appropriate
locations for use during an installer. No packages will be
installed and no services will be started when running in this mode.

--unattended
Run in unattended mode without prompting for input.

-v, --verbose
Display verbose diagnostics while running commands.

DISCOVER
Discover a realm and its capabilities.

$ realm discover

$ realm discover domain.example.com

After discovering a realm, its name, type and capabilities are
displayed.

If no domain is specified, then the domain assigned through DHCP is
used as a default.

The following options can be used:

-a, --all
Show all discovered realms (in various configurations).

--client-software=xxx
Only discover realms for which we can use the given client
software. Possible values include sssd or winbind.

-n, --name
Only show the names of the discovered realms.

--server-software=xxx
Only discover realms which run the given server software. Possible
values include active-directory or ipa.

--membership-software=xxx
Only discover realms for which the given membership software can be
used to subsequently perform enrollment. Possible values include
samba or adcli.

--use-ldaps
See option description in the section called “JOIN”.
JOIN
Configure the local machine for use with a realm.

$ realm join domain.example.com

$ realm join --user=admin --computer-ou=OU=Special domain.example.com

The realm is first discovered, as with the discover command. If no
domain is specified, then the domain assigned through DHCP is used as a
default. In scripts, name the realm explicitly: the DHCP-supplied
domain is unauthenticated input from the local network.

After a successful join, the computer will be in a state where it is
able to resolve remote user and group names from the realm. For
kerberos realms, a computer account and a host keytab are created.

Joining arbitrary kerberos realms is not supported. The realm must have
a supported mechanism for joining from a client machine, such as Active
Directory or IPA.

If the domain has been preconfigured, and unless --user is explicitly
specified, an automatic join is attempted first.

Note that the --user, --no-password, and --one-time-password options
are mutually exclusive. At most one of them can be specified.

It is generally possible to use kerberos credentials to perform a join
operation. Use the kinit command to acquire credentials prior to
starting the join. Do not specify the --user argument; the user will be
selected automatically from the credential cache. realm respects the
KRB5_CCACHE environment variable, but uses the default kerberos
credential cache if it is not set. (libkrb5 itself selects the default
cache through KRB5CCNAME, so run klist first to confirm which cache
holds the ticket you intend to join with.) Not all types of servers
can be joined using kerberos credentials; some (like IPA) insist on
prompting for a password.

The following options can be used:

--automatic-id-mapping=no
Do not perform UID/GID mapping for users and groups, but expect
these identifiers (POSIX uidNumber/gidNumber attributes) to be
present in the domain already.

--client-software=xxx
Only join realms for which we can use the given client software.
Possible values include sssd or winbind. Not all values are
supported for all realms. By default the client software is
automatically selected.

--computer-ou=OU=xxx
The distinguished name of the organizational unit in which to create
the computer account. The exact format of the distinguished name
depends on the client software and membership software. You can
usually omit the domain naming context (the DC=... components) of the
distinguished name. This is an Active Directory specific option.

--membership-software=xxx
The software to use when joining the realm. Possible values
include samba or adcli. Not all values are supported for all
realms. By default the membership software is automatically
selected.

--no-password
Perform the join automatically without a password. This relies on
the domain having been preconfigured for an automatic join.

--one-time-password=xxxx
Perform the join using a one time password specified on the command
line. This is not possible with all types of realms. A value passed
on the command line is visible to other local users in the process
list and may be recorded in shell history.

--os-name=xxx
The name of the operating system of the client. When joining an AD
domain the value is stored in the matching AD attribute.

--os-version=xxx
The version of the operating system of the client. When joining an
AD domain the value is stored in the matching AD attribute.

--server-software=xxx
Only join realms which run the given server software. Possible values
include active-directory or ipa.

-U, --user=xxx
The user name to be used to authenticate with when joining the
machine to the realm. You will be prompted for a password.

--user-principal=host/name@REALM
Set the userPrincipalName field of the computer account to this
kerberos principal. If you omit the value for this option, then a
principal will be set based on the defaults of the membership
software.

AD makes a distinction between user and service principals. Only
user principals can request a Kerberos Ticket-Granting Ticket (TGT),
i.e. only user principals can be used with the kinit command. By
default the user principal and the canonical principal name of an AD
computer account is shortname$@AD.DOMAIN, where shortname is the
NetBIOS name, which is limited to 15 characters.

If there are applications which are not aware of the AD default and
use a hard-coded principal, --user-principal can be used to make AD
aware of this principal. Please note that userPrincipalName is a
single-valued LDAP attribute, i.e. only one alternative user
principal besides the AD default user principal can be set.

--use-ldaps
Use the ldaps port when connecting to AD where possible. In general
this option is not needed because realmd itself only reads public
information from the Active Directory domain controller which is
available anonymously. The supported membership software products
use encrypted connections protected with GSS-SPNEGO/GSSAPI, which
offer a level of security comparable to ldaps. This option is only
needed if the standard LDAP port (389/tcp) is blocked by a firewall
and only the LDAPS port (636/tcp) is available. Given that, and to
lower the initial effort to discover a remote domain, realmd does not
require a strict certificate check: if validation of the LDAP server
certificate fails, realmd still sets up the encrypted connection to
the LDAP server. The option therefore protects the discovery traffic
from passive observation, not from a host impersonating the domain
controller; do not treat it as server authentication.

If this option is given, realmd uses the ldaps port when reading the
rootDSE and calls the adcli membership software with its --use-ldaps
option. Samba-based membership software currently offers only
deprecated ways to enable ldaps; support will be added to realmd when
a new way is available.
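The ticket-based join described above, followed by the checks a practitioner wants before trusting the host: the realm is listed as configured and the keytab holds both the shortname$@REALM computer principal and the host/ service principal. This is an added example, not realmd's own tooling. It assumes an AD domain joined with sssd and adcli, the MIT `klist -k` output format for /etc/krb5.keytab, and placeholder values for the domain, the computer OU and the admin principal; the sample keytab listing is constructed.

```sh
#!/bin/sh
# Added example, not part of realmd: join an AD domain with an admin's
# Kerberos ticket rather than a password handed to realm, then verify
# the result. Assumptions (not from the realm(8) page): the host keytab
# is /etc/krb5.keytab in MIT klist -k format, and the domain, OU and
# admin principal below are placeholders for your own values.

REALM_DOMAIN=${REALM_DOMAIN:-domain.example.com}
ADMIN_PRINC=${ADMIN_PRINC:-admin@DOMAIN.EXAMPLE.COM}
COMPUTER_OU=${COMPUTER_OU:-OU=Linux,OU=Servers}

# Principals listed by `klist -k` (text on stdin), deduplicated: the
# keytab has one line per principal and encryption type.
keytab_principals() {
    awk 'NR > 3 && NF == 2 { print $2 }' | sort -u
}

# Succeed only if the keytab text on stdin holds both the computer
# account principal (SHORTNAME$@REALM, the one kinit can use) and the
# host/ service principal that sshd and similar services need.
verify_keytab_text() {
    princs=$(keytab_principals)
    printf '%s\n' "$princs" | grep -q '^[^/]*\$@' \
        || { echo "missing SHORTNAME\$@REALM principal"; return 1; }
    printf '%s\n' "$princs" | grep -q '^host/' \
        || { echo "missing host/ principal"; return 1; }
}

# The join. kinit first and omit --user: realm then takes the principal
# from the credential cache. --user, --no-password and
# --one-time-password are mutually exclusive; none of them is passed.
join_with_ticket() {
    kinit "$ADMIN_PRINC" || return 1
    realm join --unattended --verbose \
        --client-software=sssd --membership-software=adcli \
        --computer-ou="$COMPUTER_OU" \
        --os-name="$(. /etc/os-release && printf '%s' "$NAME")" \
        --os-version="$(. /etc/os-release && printf '%s' "$VERSION_ID")" \
        "$REALM_DOMAIN" || return 1
    kdestroy    # the admin ticket has done its job; do not leave it on the host
    realm list --name-only | grep -qx "$REALM_DOMAIN" \
        || { echo "realm is not listed as configured"; return 1; }
    klist -k /etc/krb5.keytab | verify_keytab_text
}

# Constructed sample of `klist -k /etc/krb5.keytab` after a successful join.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOST01$@DOMAIN.EXAMPLE.COM
   2 HOST01$@DOMAIN.EXAMPLE.COM
   2 host/host01.domain.example.com@DOMAIN.EXAMPLE.COM
   2 host/host01.domain.example.com@DOMAIN.EXAMPLE.COM'

# On a real host (as root):  join_with_ticket
# Offline check of the verifier:
#   printf '%s\n' "$SAMPLE_KLIST" | verify_keytab_text
```

The kdestroy matters: the join leaves the host with its own keytab, and an admin TGT left in root's cache is a credential any later compromise of the machine can reuse.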
199
201 Deconfigure the local machine for use with a realm.
202
203 $ realm leave
204
205 $ realm leave domain.example.com
206
207 If no realm name is specified, then the first configured realm will be
208 used.
209
210 The following options can be used:
211
212 --client-software=xxx
213 Only leave the realm which is using the given client software.
214 Possible values include sssd or winbind.
215
216 --server-software=xxx
217 Only leave the realm which is using the given server software.
218 Possible values include active-directory or ipa.
219
220 --remove
221 Remove or disable computer account from the directory while leaving
222 the realm. This will usually prompt for a pasword.
223
224 -U, --user
225 The user name to be used to authenticate with when leaving the
226 realm. You will be prompted for a password. Implies --remove.
227
228 --use-ldaps
229 See option description in the section called “JOIN”.
230
232 List all the discovered and configured realms.
233
234 $ realm list
235
236 By default, realms that have been discovered, but not configured (using
237 the join command), are not displayed. Also, by default, the list of
238 realm details displayed is verbose. The options below can be used to
239 change this default behavior
240
241 The following options can be used:
242
243 --all
244 Show all discovered realms (whether or not they have been
245 configured).
246
247 --name-only
248 Display only realm names (as opposed to verbose output).
249
251 Permit local login by users of the realm.
252
253 $ realm permit --all
254 $ realm permit user@example.com
255 $ realm permit DOMAIN\\User2
256 $ realm permit --withdraw user@example.com
257
258 The current login policy and format of the user names can be seen by
259 using the realm list command.
260
261 The following options can be used:
262
263 --all, -a
264 Permit logins using realm accounts on the local machine according
265 to the realm policy.This usually defaults to allowing any realm
266 user to log in.
267
268 --groups, -g
269 Treat the specified names as groups rather than user login names.
270 Permit login by users in the specified groups.
271
272 --realm, -R
273 Specify the of the realm to change login policy for.
274
275 --withdraw, -x
276 Remove a login from the list of realm accounts permitted to log
277 into the machine.
278
280 Deny local login by realm accounts.
281
282 $ realm deny --all
283
284 This command prevents realm accounts from logging into the local
285 machine. Use realm permit to restrict logins to specific accounts.
286
287 The following options can be used:
288
289 --all, -a
290 This option should be specified
291
292 --realm, -R
293 Specify the name of the realm to deny users login to.
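The usual hardening sequence for the LIST, PERMIT and DENY commands above is deny-by-default followed by permitting named groups, and then reading the policy back with `realm list` rather than trusting that the commands succeeded. The script below is an added example, not part of realmd. It assumes group names in the realm's login format (the `login-formats:` line of `realm list`), that `realm list` prints `login-policy:`, `permitted-logins:` and `permitted-groups:` lines as current realmd does (the parser accepts values either comma-separated on one line or one per line), and the sample `realm list` output is constructed.

```sh
#!/bin/sh
# Added example, not part of realmd: lock the host down to a
# deny-by-default login policy, allow only named realm groups, and
# verify the result from `realm list` output. Assumptions (not from the
# realm(8) page): group names use the realm's login format, and realm
# list prints "login-policy:", "permitted-logins:" and
# "permitted-groups:" lines, with values either comma-separated on one
# line or one per line.

# Value(s) of one "key: value" field from realm list output on stdin.
realm_field() {
    awk -v key="$1:" '$1 == key { $1 = ""; sub(/^ +/, ""); print }'
}

# Permitted groups from realm list output, one per line.
permitted_groups() {
    realm_field permitted-groups | tr ',' '\n' | sed 's/^ *//; s/ *$//' | awk 'NF'
}

# Apply: deny everyone from the realm, then allow only the given groups.
# Example: restrict_logins domain.example.com linux-admins@domain.example.com
restrict_logins() {
    rname=$1; shift
    [ $# -gt 0 ] || { echo "refusing to deny all with no groups to permit"; return 1; }
    realm deny --all --realm "$rname" || return 1
    for g in "$@"; do
        realm permit --groups --realm "$rname" "$g" || return 1
    done
}

# Verify from realm list text on stdin: policy must be
# allow-permitted-logins and every group given must be permitted.
policy_is_restricted() {
    text=$(cat)
    policy=$(printf '%s\n' "$text" | realm_field login-policy)
    [ "$policy" = "allow-permitted-logins" ] \
        || { echo "login-policy is '$policy', not allow-permitted-logins"; return 1; }
    allowed=$(printf '%s\n' "$text" | permitted_groups)
    for g in "$@"; do
        printf '%s\n' "$allowed" | grep -qxF "$g" \
            || { echo "group '$g' is not in permitted-groups"; return 1; }
    done
}

# Constructed sample of `realm list` on a host after restrict_logins.
SAMPLE_LIST='domain.example.com
  type: kerberos
  realm-name: DOMAIN.EXAMPLE.COM
  domain-name: domain.example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@domain.example.com
  login-policy: allow-permitted-logins
  permitted-logins: svc-backup@domain.example.com
  permitted-groups: linux-admins@domain.example.com, sre@domain.example.com'

# Live:    realm list | policy_is_restricted linux-admins@domain.example.com
# Offline: printf '%s\n' "$SAMPLE_LIST" | policy_is_restricted linux-admins@domain.example.com
```

Note that `realm permit --all` silently reverts the host to the realm default policy, so the verification step belongs in whatever periodically audits the machine, not only in the script that first applied the policy.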
294
SEE ALSO
realmd.conf(5)

AUTHOR
Stef Walter <stef@thewalter.net>
Maintainer



realmd 04/06/2021 REALM(8)