3.9. Additional Configuration for the Active Directory Domain Entry
Custom settings for each individual domain can be defined in the /etc/realmd.conf file. Each domain can have its own configuration section; the name of the section must match the domain name. For example:
[ad.example.com]
attribute = value
attribute = value
Changing the configuration as described in this section only works if the realm join command has not been run yet. If a system is already joined, changing these settings does not have any effect. In such situations, you must leave the domain, as described in Section 3.5, “Removing a System from an Identity Domain”, and then join again, as described in the section called “Joining a Domain”. Note that joining requires the domain administrator's credentials.
To change the configuration for a domain, edit the corresponding section in /etc/realmd.conf. The following example disables ID mapping for the ad.example.com domain, sets the host principal, and adds the system to the specified subtree:
[ad.example.com]
computer-ou = ou=Linux Computers,DC=domain,DC=example,DC=com
user-principal = host/linux-client@AD.EXAMPLE.COM
automatic-id-mapping = no
Note that the same configuration can also be set when originally joining the system to the domain using the realm join command, described in the section called “Joining a Domain”:
# realm join --computer-ou="ou=Linux Computers,dc=domain,dc=com" --automatic-id-mapping=no --user-principal=host/linux-client@AD.EXAMPLE.COM
Table 3.2, “Realm Configuration Options” lists the most notable options that can be set in the domain default section in /etc/realmd.conf. For complete information about the available configuration options, see the realmd.conf(5) man page.
Table 3.2. Realm Configuration Options
| Option | Description |
|---|---|
| computer-ou | Sets the directory location for adding computer accounts to the domain. This can be the full DN or an RDN, relative to the root entry. The subtree must already exist. |
| user-principal | Sets the userPrincipalName attribute value of the computer account to the provided Kerberos principal. |
| automatic-id-mapping | Sets whether to enable dynamic ID mapping or disable the mapping and use POSIX attributes configured in Active Directory. |
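
Because these settings have no effect once the system is joined, it is worth checking the domain section before running realm join. The following Python check is an added example, not part of the original documentation or of realmd itself; the function name lint_realmd, the sample contents, and the syntax rules it applies (exact section-name match, the yes/no values used on this page, DNs without escaped commas) are assumptions of this example.

```python
import configparser
import re

# Constructed sample, mirroring the example section shown on this page.
SAMPLE = """\
[ad.example.com]
computer-ou = ou=Linux Computers,DC=domain,DC=example,DC=com
user-principal = host/linux-client@AD.EXAMPLE.COM
automatic-id-mapping = no
"""

# One DN component, such as "ou=Linux Computers" (escaped commas not handled).
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")
# Kerberos principal of the form service/host@REALM.
PRINCIPAL = re.compile(r"^[^/@\s]+/[^/@\s]+@[^/@\s]+$")


def lint_realmd(text, domain):
    """Return a list of problems found in the [domain] section of text."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    if not cp.has_section(domain):
        # A mistyped section name is not an error to the parser: the
        # settings are simply never associated with the domain.
        found = ", ".join(cp.sections()) or "none"
        return [f"no [{domain}] section (sections present: {found})"]
    sec, problems = cp[domain], []
    ou = sec.get("computer-ou")
    if ou is not None and not all(RDN.match(p.strip()) for p in ou.split(",")):
        problems.append(f"computer-ou is not a DN or RDN: {ou!r}")
    upn = sec.get("user-principal")
    if upn is not None and not PRINCIPAL.match(upn):
        problems.append(f"user-principal is not service/host@REALM: {upn!r}")
    idmap = sec.get("automatic-id-mapping")
    if idmap is not None and idmap not in ("yes", "no"):
        problems.append(f"automatic-id-mapping is not yes or no: {idmap!r}")
    return problems


if __name__ == "__main__":
    # The second domain has no section in SAMPLE, so it is reported.
    for name in ("ad.example.com", "lab.example.com"):
        print(name, lint_realmd(SAMPLE, name) or "ok")
```

The check is purely syntactic: it cannot confirm that the subtree named in computer-ou already exists in the directory, which the join itself requires.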