3.4. Discovering and Joining Identity Domains
realm discovercommand returns complete domain configuration and a list of packages that must be installed for the system to be enrolled in the domain.
realm joincommand then sets up the local machine for use with a specified domain by configuring both the local system services and the entries in the identity domain. The process run by
realm joinfollows these steps:
- Running a discovery scan for the specified domain.
- Automatic installation of the packages required to join the system to the domain.This includes SSSD and the PAM home directory job packages. Note that the automatic installation of packages requires the
PackageKitsuite to be running.
PackageKitis disabled, the system prompts you for the missing packages, and you will be required to install them manually using the
- Joining the domain by creating an account entry for the system in the directory.
- Creating the
/etc/krb5.keytabhost keytab file.
- Configuring the domain in SSSD and restarting the service.
- Enabling domain users for the system services in PAM configuration and the
When run without any options, the
realm discovercommand displays information about the default DNS domain, which is the domain assigned through the Dynamic Host Configuration Protocol (DHCP):
# realm discover ad.example.com type: kerberos realm-name: AD.EXAMPLE.COM domain-name: ad.example.com configured: no server-software: active-directory client-software: sssd required-package: oddjob required-package: oddjob-mkhomedir required-package: sssd required-package: adcli required-package: samba-common
It is also possible to run a discovery for a specific domain. To do this, run
realm discoverand add the name of the domain you want to discover:
# realm discover ad.example.com
realmdsystem will then use DNS SRV lookups to find the domain controllers in this domain automatically.
realm discovercommand requires NetworkManager to be running; in particular, it depends on the D-Bus interface of NetworkManager. If your system does not use NetworkManager, always specify the domain name in the
realmdsystem can discover both Active Directory and Identity Management domains. If both domains exist in your environment, you can limit the discovery results to a specific type of server using the
--server-softwareoption. For example:
# realm discover --server-software=active-directory
One of the attributes returned in the discovery search is
login-policy, which shows if domain users are allowed to log in as soon as the join is complete. If logins are not allowed by default, you can allow them manually by using the
realm permitcommand. For details, see Section 3.7, “Managing Login Permissions for Domain Users”.
For more information about the
realm discovercommand, see the realm(8) man page.
Joining a Domain
Note that Active Directory domains require unique computer names to be used. Both NetBIOS computer name and its DNS host name should be uniquely defined and correspond to each other.
To join the system to an identity domain, use the
realm joincommand and specify the domain name:
# realm join ad.example.com realm: Joined ad.example.com domain
By default, the join is performed as the domain administrator. For AD, the administrator account is called
Administrator; for IdM, it is called
admin. To connect as a different user, use the
# realm join ad.example.com -U user
The command first attempts to connect without credentials, but it prompts for a password if required.
If Kerberos is properly configured on a Linux system, joining can also be performed with a Kerberos ticket for authentication. To select a Kerberos principal, use the
# kinit user # realm join ad.example.com -U user
realm joincommand accepts several other configuration options. For more information about the
realm joincommand, see the realm(8) man page.
Example 3.1. Example Procedure for Enrolling a System into a Domain
- Run the
realm discovercommand to display information about the domain.
# realm discover ad.example.com ad.example.com type: kerberos realm-name: AD.EXAMPLE.COM domain-name: ad.example.com configured: no server-software: active-directory client-software: sssd
- Run the
realm joincommand and pass the domain name to the command. Provide the administrator password if the system prompts for it.
# realm join ad.example.com Password for Administrator: password
Note that when discovering or joining a domain,
realmdchecks for the DNS SRV record:
_ldap._tcp.domain.example.com.for Identity Management records
_ldap._tcp.dc._msdcs.domain.example.com.for Active Directory records
The record is created by default when AD is configured, which enables it to be found by the service discovery.
Testing the System Configuration after Joining a Domain
To test whether the system was successfully enrolled into a domain, verify that you can log in as a user from the domain and that the user information is displayed correctly:
- Run the
id user@domain_namecommand to display information about a user from the domain.
# id email@example.com uid=1348601103(firstname.lastname@example.org) gid=1348600513(domain email@example.com) groups=1348600513(domain firstname.lastname@example.org)
- Using the
sshutility, log in as the same user.
# ssh -l email@example.com linux-client.ad.example.com firstname.lastname@example.org@linux-client.ad.example.com's password: Creating home directory for email@example.com.
- Verify that the
pwdutility prints the user's home directory.
$ pwd /home/ad.example.com/user
- Verify that the
idutility prints the same information as the
id user@domain_namecommand from the first step.
$ id uid=1348601103(firstname.lastname@example.org) gid=1348600513(domain email@example.com) groups=1348600513(domain firstname.lastname@example.org) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
kinitutility is also useful when testing whether the domain join was successful. Note that to use the utility, the krb5-workstation package must be installed.