Red Hat Training
A Red Hat training course is available for Red Hat Enterprise Linux
3.9. Additional Configuration for the Active Directory Domain Entry
Custom settings for each individual domain can be defined in the
/etc/realmd.conf file. Each domain can have its own configuration section; the name of the section must match the domain name. For example:
[ad.example.com] attribute = value attribute = value
Important
Changing the configuration as described in this section only works if the
realm join command has not been run yet. If a system is already joined, changing these settings does not have any effect. In such situations, you must leave the domain, as described in Section 3.5, “Removing a System from an Identity Domain”, and then join again, as described in the section called “Joining a Domain”. Note that joining requires the domain administrator's credentials.
To change the configuration for a domain, edit the corresponding section in
/etc/realmd.conf. The following example disables ID mapping for the ad.example.com domain, sets the host principal, and adds the system to the specified subtree:
[ad.example.com] computer-ou = ou=Linux Computers,DC=domain,DC=example,DC=com user-principal = host/linux-client@AD.EXAMPLE.COM automatic-id-mapping = no
Note that the same configuration can also be set when originally joining the system to the domain using the
realm join command, described in the section called “Joining a Domain”:
# realm join --computer-ou="ou=Linux Computers,dc=domain,dc=com" --automatic-id-mapping=no --user-principal=host/linux-client@AD.EXAMPLE.COM
Table 3.2, “Realm Configuration Options” lists the most notable options that can be set in the domain default section in
/etc/realmd.conf. For complete information about the available configuration options, see the realmd.conf(5) man page.
Table 3.2. Realm Configuration Options
| Option | Description |
|---|---|
computer-ou | Sets the directory location for adding computer accounts to the domain. This can be the full DN or an RDN, relative to the root entry. The subtree must already exist. |
user-principal | Sets the userPrincipalName attribute value of the computer account to the provided Kerberos principal. |
automatic-id-mapping | Sets whether to enable dynamic ID mapping or disable the mapping and use POSIX attributes configured in Active Directory. |
