Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

3.4. Discovering and Joining Identity Domains

The realm discover command returns complete domain configuration and a list of packages that must be installed for the system to be enrolled in the domain.
The realm join command then sets up the local machine for use with a specified domain by configuring both the local system services and the entries in the identity domain. The process run by realm join follows these steps:
  1. Running a discovery scan for the specified domain.
  2. Automatic installation of the packages required to join the system to the domain.
    This includes SSSD and the PAM home directory job packages. Note that the automatic installation of packages requires the PackageKit suite to be running.

    Note

    If PackageKit is disabled, the system prompts you for the missing packages, and you will be required to install them manually using the yum utility.
  3. Joining the domain by creating an account entry for the system in the directory.
  4. Creating the /etc/krb5.keytab host keytab file.
  5. Configuring the domain in SSSD and restarting the service.
  6. Enabling domain users for the system services in PAM configuration and the /etc/nsswitch.conf file.

Discovering Domains

When run without any options, the realm discover command displays information about the default DNS domain, which is the domain assigned through the Dynamic Host Configuration Protocol (DHCP):
# realm discover
ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
It is also possible to run a discovery for a specific domain. To do this, run realm discover and add the name of the domain you want to discover:
# realm discover ad.example.com
The realmd system will then use DNS SRV lookups to find the domain controllers in this domain automatically.

Note

The realm discover command requires NetworkManager to be running; in particular, it depends on the D-Bus interface of NetworkManager. If your system does not use NetworkManager, always specify the domain name in the realm discover command.
The realmd system can discover both Active Directory and Identity Management domains. If both domains exist in your environment, you can limit the discovery results to a specific type of server using the --server-software option. For example:
# realm discover --server-software=active-directory
One of the attributes returned in the discovery search is login-policy, which shows if domain users are allowed to log in as soon as the join is complete. If logins are not allowed by default, you can allow them manually by using the realm permit command. For details, see Section 3.7, “Managing Login Permissions for Domain Users”.
For more information about the realm discover command, see the realm(8) man page.

Joining a Domain

Important

Note that Active Directory domains require unique computer names to be used. Both NetBIOS computer name and its DNS host name should be uniquely defined and correspond to each other.
To join the system to an identity domain, use the realm join command and specify the domain name:
# realm join ad.example.com
realm: Joined ad.example.com domain
By default, the join is performed as the domain administrator. For AD, the administrator account is called Administrator; for IdM, it is called admin. To connect as a different user, use the -U option:
# realm join ad.example.com -U user
The command first attempts to connect without credentials, but it prompts for a password if required.
If Kerberos is properly configured on a Linux system, joining can also be performed with a Kerberos ticket for authentication. To select a Kerberos principal, use the -U option.
# kinit user 
  # realm join ad.example.com -U user
The realm join command accepts several other configuration options. For more information about the realm join command, see the realm(8) man page.

Example 3.1. Example Procedure for Enrolling a System into a Domain

  1. Run the realm discover command to display information about the domain.
    # realm discover ad.example.com
    ad.example.com
      type: kerberos
      realm-name: AD.EXAMPLE.COM
      domain-name: ad.example.com
      configured: no
      server-software: active-directory
      client-software: sssd
    
  2. Run the realm join command and pass the domain name to the command. Provide the administrator password if the system prompts for it.
      # realm join ad.example.com
    Password for Administrator: password
Note that when discovering or joining a domain, realmd checks for the DNS SRV record:
  • _ldap._tcp.domain.example.com. for Identity Management records
  • _ldap._tcp.dc._msdcs.domain.example.com. for Active Directory records
The record is created by default when AD is configured, which enables it to be found by the service discovery.

Testing the System Configuration after Joining a Domain

To test whether the system was successfully enrolled into a domain, verify that you can log in as a user from the domain and that the user information is displayed correctly:
  1. Run the id user@domain_name command to display information about a user from the domain.
    # id user@ad.example.com
    uid=1348601103(user@ad.example.com) gid=1348600513(domain group@ad.example.com) groups=1348600513(domain group@ad.example.com)
    
  2. Using the ssh utility, log in as the same user.
    # ssh -l user@ad.example.com linux-client.ad.example.com
    user@ad.example.com@linux-client.ad.example.com's password:
    Creating home directory for user@ad.example.com.
    
  3. Verify that the pwd utility prints the user's home directory.
    $ pwd
    /home/ad.example.com/user
    
  4. Verify that the id utility prints the same information as the id user@domain_name command from the first step.
    $ id
    uid=1348601103(user@ad.example.com) gid=1348600513(domain group@ad.example.com) groups=1348600513(domain group@ad.example.com) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    
The kinit utility is also useful when testing whether the domain join was successful. Note that to use the utility, the krb5-workstation package must be installed.