1REALMD.CONF(5)                   File Formats                   REALMD.CONF(5)
2
3
4

NAME

6       realmd.conf - Tweak behavior of realmd
7

CONFIGURATION FILE

9       realmd can be tweaked by network administrators to act in specific
10       ways. This is done by placing settings in a /etc/realmd.conf. This file
11       does not exist by default. The syntax of this file is the same as an
12       INI file or Desktop Entry file. If the file is changed and realmd is
13       running realmd must be restarted to read the new values.
14
15       In general, settings in this file only apply at the point of joining a
16       domain or realm. Once the realm has been setup the settings have no
17       effect. You may choose to configure SSSD[1] or Winbind[2] directly.
18
19       Only specify the settings you wish to override in the /etc/realmd.conf
20       file. Settings not specified will be loaded from their packaged
21       defaults which can be found in /usr/lib/realmd/realmd-defaults.conf and
22       /usr/lib/realmd/realmd-distro.conf. Only override the settings below.
23       You may find other settings if you look through the realmd source code.
24       However these are not guaranteed to remain stable.
25
26       There are various sections in the config file. Some sections are global
27       topic sections, and are listed below. Other sections are specific to a
28       given realm. These realm specific sections should always contain the
29       domain name in lower case as their section header.
30
31       Examples of each setting is found below, including the header of the
32       section it should be placed in. However in the resulting file only
33       include each section once, and combine the various section setting
34       together as lines underneath the section. For example
35
36           [users]
37           default-home = /home/%U
38           default-shell = /bin/bash
39

ACTIVE-DIRECTORY

41       These options should go in an [active-directory] section of the
42       /etc/realmd.conf file. Only specify the settings you wish to override.
43
44       default-client
45           Specify the default-client setting in order to control which client
46           software is the preferred default for use with Active Directory.
47
48               [active-directory]
49               default-client = sssd
50               # default-client = winbind
51
52           The default setting for this is sssd which uses SSSD[1] as the
53           Active Directory client. You can also specify winbind to use Samba
54           Winbind[2].
55
56           Some callers of realmd such as the realm command line tool allow
57           specifying which client software should be used. Others, such as
58           GNOME Control Center, simplify choose the default.
59
60           You can verify the preferred default client softawre by running the
61           following command. The realm with the preferred client software
62           will be listed first.
63
64               $ realm discover domain.example.com
65               domain.example.com
66                 configured: no
67                 server-software: active-directory
68                 client-software: sssd
69                 type: kerberos
70                 realm-name: AD.THEWALTER.LAN
71                 domain-name: ad.thewalter.lan
72               domain.example.com
73                 configured: no
74                 server-software: active-directory
75                 client-software: winbind
76                 type: kerberos
77                 realm-name: AD.THEWALTER.LAN
78                 domain-name: ad.thewalter.lan
79
80       use-ldaps
81           Use the ldaps port when connecting to AD where possible. In general
82           this option is not needed because realmd itself only read public
83           information from the Active Directory domain controller which is
84           available anonymously. The supported membership software products
85           will use encrypted connections protected with GSS-SPNEGO/GSSAPI
86           which offers a comparable level of security than ldaps. This option
87           is only needed if the standard LDAP port (389/tcp) is blocked by a
88           firewall and only the LDAPS port (636/tcp) is available.
89
90           If this option is set to yes realmd will use the ldaps port when
91           reading the rootDSE and call the adcli membership software with the
92           option --use-ldaps. The Samba base membership currently offers only
93           deprecated ways to enable ldaps. Support will be added in realmd
94           when a new way is available.
95
96       os-name
97           (see below)
98
99       os-version
100           Specify the os-name and/or os-version settings to control the
101           values that are placed in the computer account operatingSystem and
102           operatingSystemVersion attributes.
103
104           This is an Active Directory specific option.
105
106           It is also possible to use the --os-name or --os-version argument
107           of the realm command to override the default values.
108
109               [active-directory]
110               os-name = Gentoo Linux
111               os-version = 9.9.9.9.9
112

SERVICE

114       These options should go in an [service] section of the /etc/realmd.conf
115       file. Only specify the settings you wish to override.
116
117       automatic-install
118           Set this to no to disable automatic installation of packages via
119           package-kit.
120
121               [service]
122               automatic-install = no
123               # automatic-install = yes
124
125       legacy-samba-config
126           Set this to yes to create a Samba configuration file with
127           id-mapping options used by Samba-3.5 and earlier version.
128
129               [service]
130               legacy-samba-config = no
131               # legacy-samba-config = yes
132

USERS

134       These options should go in an [users] section of the /etc/realmd.conf
135       file. Only specify the settings you wish to override.
136
137       default-home
138           Specify the default-home setting in order to control how to set the
139           home directory for accounts that have no home directory explicitly
140           set.
141
142               [users]
143               default-home = /home/%U@%D
144               # default-home = /nfs/home/%D-%U
145               # default-home = /home/%D/%U
146
147           The default setting for this is /home/%U@%D. The %D format is
148           replaced by the domain name. The %U format is replaced by the user
149           name.
150
151           You can verify the home directory for a user by running the
152           following command.
153
154               $ getent passwd 'DOMAIN/User'
155               DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash
156           Note that in the case of IPA domains, most users already have a
157           home directory configured in the domain. Therefore this
158           configuration setting may rarely show through.
159
160       default-shell
161           Specify the default-shell setting in order to control how to set
162           the Unix shell for accounts that have no shell explicitly set.
163
164               [users]
165               default-shell = /bin/bash
166               # default-shell = /bin/sh
167
168           The default setting for this is /bin/bash shell. The shell should
169           be a valid shell if you expect the domain users be able to log in.
170           For example it should exist in the /etc/shells file.
171
172           You can verify the shell for a user by running the following
173           command.
174
175               $ getent passwd 'DOMAIN/User'
176               DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash
177           Note that in the case of IPA domains, most users already have a
178           shell configured in the domain. Therefore this configuration
179           setting may rarely show through.
180

PATHS

182       These options should go in an [paths] section of the /etc/realmd.conf
183       file. Only specify the settings you wish to override.
184
185       krb5.conf
186           Path to the Kerberos configuration file, typically /etc/krb5.conf.
187           It can also be the path of a file included by /etc/krb5.conf, e.g.
188           /etc/krb5.conf.d/realmd_settings, if the file does not exist if
189           will be created.
190
191               [paths]
192               krb5.conf = /etc/krb5.conf.d/realmd_settings
193
194           When joining an Active Directory domain realmd will set the
195           default_realm and udp_preference_limit options in the Kerberos
196           configuration:
197
198               default_realm = DOMAIN.EXAMPLE.COM
199               udp_preference_limit = 0
200
201           The default_realm option is e.g. needed when trying to resolve
202           enterprise principals and makes it more convenient to request
203           Kerberos tickets for users of the default realm. Instead of
204           specifying the whole principal just kinit username can be used.
205
206           With udp_preference_limit = 0 always TCP will be used to send
207           Kerberos request to domain controller. This is useful in Active
208           Directory environments because Kerberos will typically switch to
209           TCP after initially starting with UDP because AD Kerberos tickets
210           are often larger than UDP can handle. Using TCP by default will
211           avoid those extra UDP round trips. Additionally it helps to avoid
212           issues with password changes when the DC does not reply soon enough
213           and the client will send a second UDP request. The DC might reply
214           with a reply error to the second request although the original
215           password change request was successful and the client will no know
216           if the request was successful or not. When using TCP this cannot
217           happen because the client will never send a second request but
218           waits on the connection until the server replies.
219
220           Please note that realmd will not remove those options while leaving
221           the domain since they are useful in general. When joining a new
222           domain realmd will of course overwrite default_realm.
223

REALM SPECIFIC SETTINGS

225       These options should go in an section with the same name as the realm
226       in the /etc/realmd.conf file. For example for the domain.example.com
227       domain the section would be called [domain.example.com]. To figure out
228       the canonical name for a realm use the realm command:
229
230           $ realm discover --name-only DOMAIN.example.com
231           domain.example.com
232           ...
233
234       Only specify the settings you wish to override.
235
236       computer-ou
237           Specify this option to create directory computer accounts in a
238           location other than the default. This currently only works with
239           Active Directory domains.
240
241               [domain.example.com]
242               computer-ou = OU=Linux Computers,DC=domain,DC=example,DC=com
243               # computer-ou = OU=Linux Computers,
244
245           Specify the OU as an LDAP DN. It can be relative to the Root DSE,
246           or a complete LDAP DN. Obviously the OU must exist in the
247           directory.
248
249           It is also possible to use the --computer-ou argument of the realm
250           command to create a computer account at a specific OU.
251
252       computer-name
253           This option only applied to Active Directory realms. Specify this
254           option to override the default name used when creating the computer
255           account. The system's FQDN will still be saved in the dNSHostName
256           attribute.
257
258               [domain.example.com]
259               computer-name = SERVER01
260           Specify the name as a string of 15 or fewer characters that is a
261           valid NetBIOS computer name.
262
263           It is also possible to use the --computer-name argument of the
264           realm command to override the default computer account name.
265
266       user-principal
267           Set the user-principal to yes to create userPrincipalName attribute
268           for the computer accounts in the realm. The exact value depends on
269           the defaults of the used membership software. To have full control
270           over the value please use the --user-principal option of the realm
271           command, see realm(8) for details.
272
273               [domain.example.com]
274               user-principal = yes
275
276       automatic-join
277           This option only applies to Active Directory realms. This option is
278           off by default. In Active Directory domains, a computer account can
279           be preset with a known computer account password. This can be used
280           for automatic joins without authentication.
281
282           When automatic joins are used there is no mutual authentication
283           between the machine and the domain during the join process.
284
285               [domain.example.com]
286               automatic-join = yes
287
288       automatic-id-mapping
289           This option is on by default for Active Directory realms. Turn it
290           off to use UID and GID information stored in the directory (as-per
291           RFC2307) rather than automatically generating UID and GID numbers.
292
293           This option only makes sense for Active Directory realms.
294
295               [domain.example.com]
296               automatic-id-mapping = no
297               # automatic-id-mapping = yes
298
299       manage-system
300           This option is on by default. Normally joining a realm affects many
301           aspects of the configuration and management of the system. Turning
302           this off limits the interaction with the realm or domain to
303           authentication and identity.
304
305               [domain.example.com]
306               manage-system = no
307               # manage-system = yes
308
309           When this option is turned on realmd defaults to using domain
310           policy to control who can log into this machine. Further
311           adjustments to login policy can be made with the realm permit
312           command.
313
314       fully-qualified-names
315           This option is on by default. If turned off then realm user and
316           group names are not qualified their name. This may cause them to
317           conflict with local user and group names.
318
319               [domain.example.com]
320               fully-qualified-names = no
321               # fully-qualified-names = yes
322

SEE ALSO

324       realm(8)
325

AUTHOR

327       Stef Walter <stef@thewalter.net>
328           Maintainer
329

NOTES

331        1. SSSD
332           https://fedorahosted.org/sssd/
333
334        2. Winbind
335           http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html
336
337
338
339realmd                            07/23/2021                    REALMD.CONF(5)
Impressum