REALM(8) | User Commands | REALM(8) |
NAME
realm - Manage enrollment in realms
SYNOPSIS
realm discover [realm-name]
realm join [-U user] [realm-name]
realm leave [-U user] [realm-name]
realm list
realm permit [-ax] [-R realm] {user@domain...}
realm deny -a [-R realm]
DESCRIPTION
realm is a command line tool that can be used to manage enrollment in kerberos realms, like Active Directory domains or IPA domains.
See the various subcommands below. The following global options can be used:
-i, --install=/path
--unattended
-v, --verbose
DISCOVER
Discover a realm and its capabilities.
$ realm discover
$ realm discover domain.example.com
After discovering a realm, its name, type and capabilities are displayed.
If no domain is specified, then the domain assigned through DHCP is used as a default.
The following options can be used:
-a, --all
--client-software=xxx
-n, --name
--server-software=xxx
--membership-software=xxx
--use-ldaps
JOIN
Configure the local machine for use with a realm.
$ realm join domain.example.com
$ realm join --user=admin --computer-ou=OU=Special domain.example.com
The realm is first discovered, as with the discover command. If no domain is specified, then the domain assigned through DHCP is used as a default.
After a successful join, the computer will be in a state where it is able to resolve remote user and group names from the realm. For kerberos realms, a computer account and a host keytab are created.
Joining arbitrary kerberos realms is not supported. The realm must have a supported mechanism for joining from a client machine, such as Active Directory or IPA.
If the domain has been preconfigured, and unless --user is explicitly specified, an automatic join is attempted first.
Note that the --user, --no-password, and --one-time-password options are mutually exclusive. At most one of them can be specified.
It is generally possible to use kerberos credentials to perform a join operation. Use the kinit command to acquire credentials prior to starting the join. Do not specify the --user argument; the user will be selected automatically from the credential cache. The realm command respects the KRB5_CCACHE environment variable, but uses the default kerberos credential cache if it is not set. Not all types of servers can be joined using kerberos credentials; some (like IPA) insist on prompting for a password.
The following options can be used:
--automatic-id-mapping=no
--client-software=xxx
--computer-ou=OU=xxx
--membership-software=xxx
--computer-name=xxx
Specify the name as a string of 15 or fewer characters that is a valid NetBIOS computer name.
--no-password
--one-time-password=xxxx
--os-name=xxx
--os-version=xxx
--server-software=xxx
-U, --user=xxx
--user-principal=host/name@REALM
AD makes a distinction between user and service principals. Only user principals can request a Kerberos Ticket-Granting Ticket (TGT), i.e. only user principals can be used with the kinit command. By default the user principal and the canonical principal name of an AD computer account is shortname$@AD.DOMAIN, where shortname is the NetBIOS name, which is limited to 15 characters.
If there are applications which are not aware of the AD default and use a hard-coded default principal, --user-principal can be used to make AD aware of this principal. Please note that userPrincipalName is a single-valued LDAP attribute, i.e. only one alternative user principal besides the AD default user principal can be set.
--use-ldaps
If this option is set, realmd will use the ldaps port when reading the rootDSE and will call the adcli membership software with the option --use-ldaps. The Samba-based membership software currently offers only deprecated ways to enable ldaps. Support will be added in realmd when a new way is available.
--do-not-touch-config
If running realm join with this option does not fix the issue, it is recommended to call realm leave followed by realm join to enforce a fresh configuration with default settings. Since this might overwrite manual changes to the related configuration files, it is recommended to save those changes before running the commands.
This option is only available when joining AD domains.
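As an added example (not part of realmd or this manual), a POSIX shell pre-flight check that applies two rules stated above to an argument list before realm join is invoked: --user/-U, --no-password and --one-time-password are mutually exclusive, and --computer-name must be a NetBIOS name of 15 or fewer characters. The accepted character set (letters, digits, hyphen) is a conservative assumption; the length limit is the one the manual gives.

```shell
#!/bin/sh
# Pre-flight check for a `realm join` argument list (added example, not
# realmd code). Nothing here contacts the domain; it only validates the
# arguments that would be passed on.

# Conservative NetBIOS name check. Assumption: only letters, digits and
# hyphens are accepted; the 15-character limit is from the manual.
valid_computer_name() {
    name=$1
    [ -n "$name" ] && [ "${#name}" -le 15 ] || return 1
    case $name in
        *[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

# realm_join_preflight [join options...] [realm-name]
# Exit status: 0 ok, 1 conflicting credential options, 2 bad computer name.
realm_join_preflight() {
    auth=0
    for arg in "$@"; do
        case $arg in
            # -U admin, -Uadmin, --user admin, --user=admin
            # (--user-principal=... is a different option and is not counted)
            -U|-U?*|--user|--user=*)  auth=$((auth + 1)) ;;
            --no-password)            auth=$((auth + 1)) ;;
            --one-time-password=*)    auth=$((auth + 1)) ;;
            --computer-name=*)
                valid_computer_name "${arg#--computer-name=}" || return 2 ;;
        esac
    done
    # No credential option at all is fine: the join then relies on the
    # Kerberos credential cache (KRB5_CCACHE or the default cache).
    [ "$auth" -le 1 ] || return 1
    return 0
}

# Typical use:  realm_join_preflight "$@" && realm join "$@"
```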
LEAVE
Deconfigure the local machine for use with a realm.
$ realm leave
$ realm leave domain.example.com
If no realm name is specified, then the first configured realm will be used.
The following options can be used:
--client-software=xxx
--server-software=xxx
--remove
-U, --user
--use-ldaps
LIST
List all the discovered and configured realms.
$ realm list
By default, realms that have been discovered, but not configured (using the join command), are not displayed. Also, by default, the list of realm details displayed is verbose. The options below can be used to change this default behavior.
The following options can be used:
--all
--name-only
PERMIT
Permit local login by users of the realm.
$ realm permit --all
$ realm permit user@example.com
$ realm permit DOMAIN\\User2
$ realm permit --withdraw user@example.com
The current login policy and format of the user names can be seen by using the realm list command.
The following options can be used:
--all, -a
--groups, -g
--realm, -R
--withdraw, -x
DENY
Deny local login by realm accounts.
$ realm deny --all
This command prevents realm accounts from logging into the local machine. Use realm permit to restrict logins to specific accounts.
The following options can be used:
--all, -a
--realm, -R
SEE ALSO
AUTHOR
Stef Walter <stef@thewalter.net>
02/20/2024 | realmd |