3.4. Discovering and Joining Identity Domains
The realm discover command returns the complete domain configuration and a list of packages that must be installed for the system to be enrolled in the domain.
The realm join command then sets up the local machine for use with a specified domain by configuring both the local system services and the entries in the identity domain. The process run by realm join follows these steps:
- Running a discovery scan for the specified domain.
- Automatic installation of the packages required to join the system to the domain. This includes SSSD and the PAM home directory job packages. Note that the automatic installation of packages requires the PackageKit suite to be running. If PackageKit is disabled, the system prompts you for the missing packages, and you will be required to install them manually using the
- Joining the domain by creating an account entry for the system in the directory.
- Creating the /etc/krb5.keytab host keytab file.
- Configuring the domain in SSSD and restarting the service.
- Enabling domain users for the system services in PAM configuration and the
When run without a domain name, the realm discover command displays information about the default DNS domain, which is the domain assigned through the Dynamic Host Configuration Protocol (DHCP):
# realm discover
ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
It is also possible to run the discovery for a specific domain. To do this, run realm discover and add the name of the domain you want to discover:
# realm discover ad.example.com
The realmd system will then use DNS SRV lookups to find the domain controllers in this domain automatically.
The realm discover command requires NetworkManager to be running; in particular, it depends on the D-Bus interface of NetworkManager. If your system does not use NetworkManager, always specify the domain name in the realm discover command.
The realmd system can discover both Active Directory and Identity Management domains. If both kinds of domain exist in your environment, you can limit the discovery results to a specific type of server using the --server-software option. For example:
# realm discover --server-software=active-directory
The discovery results also include login-policy, which shows whether domain users are allowed to log in as soon as the join is complete. If logins are not allowed by default, you can allow them manually by using the realm permit command. For details, see Section 3.7, “Managing Login Permissions for Domain Users”.
For more information about the realm discover command, see the realm(8) man page.
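As an added example (not part of the Red Hat guide or of realmd itself), the following POSIX shell script parses the output of realm discover, reports the required-package entries, and checks which of them are still missing. That check is the manual step you face when PackageKit is disabled and the packages are not installed automatically. The sample output is constructed from the fields shown above; the --run mode, the rpm -q check and the file name are the script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): parse "realm discover" output and
# report which required packages are still missing, which is the manual
# step you face when PackageKit is disabled.

# Constructed sample, built from the fields the guide's output shows.
# On a real host, replace it with: out=$(realm discover ad.example.com)
SAMPLE_DISCOVER='ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common'

# discover_field OUTPUT KEY -> value of the first "KEY: value" line
discover_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# discover_is_configured OUTPUT -> exit 0 when the domain reports "configured: yes"
discover_is_configured() {
    [ "$(discover_field "$1" configured)" = "yes" ]
}

# required_packages OUTPUT -> space-separated required-package values, in order
required_packages() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*required-package:[[:space:]]*//p' \
        | tr '\n' ' ' | sed 's/ $//'
}

# missing_packages OUTPUT -> required packages that "rpm -q" does not find.
# Without rpm on the PATH (for example on a non-RPM test host) every package
# is reported as missing.
missing_packages() {
    missing=""
    for pkg in $(required_packages "$1"); do
        if command -v rpm >/dev/null 2>&1 && rpm -q "$pkg" >/dev/null 2>&1; then
            continue
        fi
        missing="$missing $pkg"
    done
    printf '%s\n' "${missing# }"
}

# Usage on a real host: sh discover-check.sh --run ad.example.com
if [ "${1:-}" = "--run" ]; then
    out=$(realm discover ${2:+"$2"}) || exit 1
    printf 'server-software: %s\n' "$(discover_field "$out" server-software)"
    if discover_is_configured "$out"; then
        echo "domain is already configured on this host"
    fi
    printf 'missing packages: %s\n' "$(missing_packages "$out")"
fi
```

The parsing functions only depend on sed, tr and head, so the same script can be run against saved discover output on a workstation before touching the target host.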
Joining a Domain
To join the system to a domain, use the realm join command and specify the domain name:
# realm join ad.example.com
realm: Joined ad.example.com domain
The default account used for the join is called Administrator for AD; for IdM, it is called admin. To connect as a different user, use the -U option:
# realm join ad.example.com -U user
Alternatively, obtain a Kerberos ticket for the user with kinit first and then select the same principal for the join:
# kinit user
# realm join ad.example.com -U user
The realm join command accepts several other configuration options. For more information about the realm join command, see the realm(8) man page.
Example 3.1. Example Procedure for Enrolling a System into a Domain
- Run the realm discover command to display information about the domain.
  # realm discover ad.example.com
  ad.example.com
    type: kerberos
    realm-name: AD.EXAMPLE.COM
    domain-name: ad.example.com
    configured: no
    server-software: active-directory
    client-software: sssd
- Run the realm join command and pass the domain name to the command. Provide the administrator password if the system prompts for it.
  # realm join ad.example.com
  Password for Administrator: password
When joining a domain, realmd checks for the DNS SRV record:
- _ldap._tcp.domain.example.com. for Identity Management records
- _ldap._tcp.dc._msdcs.domain.example.com. for Active Directory records
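As an added example (not part of the guide or of realmd), the following POSIX shell script builds the SRV record name realmd looks up for a given domain and server type, and queries it with dig or host when one of them is installed. Checking the record before running realm join tells you in advance whether the join can locate a domain controller. The type values "active-directory" and "ipa" follow the server-software values printed by realm discover; the --run mode and the file name are the script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): build the SRV record name that realmd
# looks up for a domain and, when dig or host is available, query it before
# attempting the join.

# srv_record_name DOMAIN TYPE -> record name; TYPE is "active-directory" or
# "ipa" (the values realm discover prints as server-software)
srv_record_name() {
    case "$2" in
        active-directory) printf '_ldap._tcp.dc._msdcs.%s.\n' "$1" ;;
        ipa)              printf '_ldap._tcp.%s.\n' "$1" ;;
        *) echo "unknown server type: $2" >&2; return 2 ;;
    esac
}

# check_srv_record DOMAIN TYPE -> 0 if the record resolves, 1 if it does not,
# 3 if neither dig nor host is installed
check_srv_record() {
    name=$(srv_record_name "$1" "$2") || return $?
    if command -v dig >/dev/null 2>&1; then
        dig +short SRV "$name" | grep -q .
    elif command -v host >/dev/null 2>&1; then
        host -t SRV "$name" | grep -q 'has SRV record'
    else
        echo "neither dig nor host found; cannot query $name" >&2
        return 3
    fi
}

# Usage on a real host: sh srv-check.sh --run ad.example.com active-directory
if [ "${1:-}" = "--run" ]; then
    if check_srv_record "$2" "$3"; then
        echo "SRV record found for $2; realm join can locate a domain controller"
    else
        echo "no SRV record for $2; realm join will not be able to locate the domain" >&2
        exit 1
    fi
fi
```

The record name carries a trailing dot so that the resolver treats it as fully qualified and does not append a search domain from /etc/resolv.conf.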
Testing the System Configuration after Joining a Domain
- Run the id user@domain_name command to display information about a user from the domain.
  # id user@ad.example.com
  uid=1348601103(user@ad.example.com) gid=1348600513(domain users@ad.example.com) groups=1348600513(domain users@ad.example.com)
- Using the ssh utility, log in as the same user.
  # ssh -l user@ad.example.com linux-client.ad.example.com
  user@ad.example.com@linux-client.ad.example.com's password:
  Creating home directory for user@ad.example.com.
- Verify that the pwd utility prints the user's home directory.
  $ pwd
  /home/ad.example.com/user
- Verify that the id utility prints the same information as the id user@domain_name command from the first step.
  $ id
  uid=1348601103(user@ad.example.com) gid=1348600513(domain users@ad.example.com) groups=1348600513(domain users@ad.example.com) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
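As an added example (not part of the guide), the following POSIX shell script supports the first and last testing steps above: it extracts the uid and gid from id output and compares the pre-login output of id user@domain_name with the in-session output of id, ignoring the SELinux context field that only the in-session output carries. The sample lines are constructed from the output shown above for user@ad.example.com; the verify_domain_user helper, the --run mode and the file name are the script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): compare what "id user@domain" reports
# before login with what "id" reports inside the user's session, ignoring the
# SELinux context field that only the in-session output carries.

# Constructed samples, modelled on the guide's output for user@ad.example.com.
ID_BEFORE_LOGIN='uid=1348601103(user@ad.example.com) gid=1348600513(domain users@ad.example.com) groups=1348600513(domain users@ad.example.com)'
ID_IN_SESSION='uid=1348601103(user@ad.example.com) gid=1348600513(domain users@ad.example.com) groups=1348600513(domain users@ad.example.com) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

# id_uid LINE -> numeric uid from an "id" output line
id_uid() {
    printf '%s\n' "$1" | sed -n 's/^uid=\([0-9]*\).*/\1/p'
}

# id_gid LINE -> numeric primary gid from an "id" output line
id_gid() {
    printf '%s\n' "$1" | sed -n 's/^.* gid=\([0-9]*\).*/\1/p'
}

# strip_selinux_context LINE -> LINE without the " context=..." field
strip_selinux_context() {
    printf '%s\n' "$1" | sed 's/ context=[^ ]*//'
}

# id_matches LINE_A LINE_B -> exit 0 when both lines describe the same account
id_matches() {
    [ "$(strip_selinux_context "$1")" = "$(strip_selinux_context "$2")" ]
}

# verify_domain_user USER@DOMAIN: run the first testing step on a joined host.
# Assumes SSSD resolves the user; the ssh and pwd steps stay interactive.
verify_domain_user() {
    before=$(id "$1" 2>/dev/null) || {
        echo "cannot resolve $1 (is the join complete and sssd running?)" >&2
        return 1
    }
    echo "resolved $1: uid=$(id_uid "$before") gid=$(id_gid "$before")"
    echo "after logging in over ssh, run 'id' and compare its output with:"
    strip_selinux_context "$before"
}

# Usage on a joined host: sh verify-user.sh --run user@ad.example.com
if [ "${1:-}" = "--run" ]; then
    verify_domain_user "$2"
fi
```

A mismatch in uid or gid between the two id outputs usually means the login resolved against a different identity source (for example a local account with the same name) rather than the domain, which is worth catching before the host goes into service.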
The kinit utility is also useful when testing whether the domain join was successful. Note that to use the utility, the krb5-workstation package must be installed.