3.4. Discovering and Joining Identity Domains
The realm discover command returns complete domain configuration and a list of packages that must be installed for the system to be enrolled in the domain.

The realm join command then sets up the local machine for use with a specified domain by configuring both the local system services and the entries in the identity domain. The process run by realm join follows these steps:
- Running a discovery scan for the specified domain.
- Automatic installation of the packages required to join the system to the domain. This includes SSSD and the PAM home directory job packages. Note that the automatic installation of packages requires the PackageKit suite to be running.
  Note
  If PackageKit is disabled, the system prompts you for the missing packages, and you will be required to install them manually using the yum utility.
- Joining the domain by creating an account entry for the system in the directory.
- Creating the /etc/krb5.keytab host keytab file.
- Configuring the domain in SSSD and restarting the service.
- Enabling domain users for the system services in PAM configuration and the /etc/nsswitch.conf file.

Discovering Domains

When run without any options, the realm discover command displays information about the default DNS domain, which is the domain assigned through the Dynamic Host Configuration Protocol (DHCP):

# realm discover
ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common

It is also possible to run a discovery for a specific domain. To do this, run realm discover and add the name of the domain you want to discover:

# realm discover ad.example.com

The realmd system will then use DNS SRV lookups to find the domain controllers in this domain automatically.

Note
The realm discover command requires NetworkManager to be running; in particular, it depends on the D-Bus interface of NetworkManager. If your system does not use NetworkManager, always specify the domain name in the realm discover command.

The realmd system can discover both Active Directory and Identity Management domains. If both domains exist in your environment, you can limit the discovery results to a specific type of server using the --server-software option. For example:

# realm discover --server-software=active-directory

One of the attributes returned in the discovery search is login-policy, which shows if domain users are allowed to log in as soon as the join is complete. If logins are not allowed by default, you can allow them manually by using the realm permit command. For details, see Section 3.7, “Managing Login Permissions for Domain Users”.

For more information about the realm discover command, see the realm(8) man page.

Joining a Domain

Important
Note that Active Directory domains require unique computer names to be used. Both the NetBIOS computer name and its DNS host name should be uniquely defined and correspond to each other.

To join the system to an identity domain, use the realm join command and specify the domain name:

# realm join ad.example.com
realm: Joined ad.example.com domain

By default, the join is performed as the domain administrator. For AD, the administrator account is called Administrator; for IdM, it is called admin. To connect as a different user, use the -U option:

# realm join ad.example.com -U user

The command first attempts to connect without credentials, but it prompts for a password if required.

If Kerberos is properly configured on a Linux system, joining can also be performed with a Kerberos ticket for authentication. To select a Kerberos principal, use the -U option.

# kinit user
# realm join ad.example.com -U user

The realm join command accepts several other configuration options. For more information about the realm join command, see the realm(8) man page.

Example 3.1. Example Procedure for Enrolling a System into a Domain
- Run the realm discover command to display information about the domain.
  # realm discover ad.example.com
  ad.example.com
    type: kerberos
    realm-name: AD.EXAMPLE.COM
    domain-name: ad.example.com
    configured: no
    server-software: active-directory
    client-software: sssd
- Run the realm join command and pass the domain name to the command. Provide the administrator password if the system prompts for it.
  # realm join ad.example.com
  Password for Administrator: password

Note that when discovering or joining a domain, realmd checks for the DNS SRV record:
- _ldap._tcp.domain.example.com. for Identity Management records
- _ldap._tcp.dc._msdcs.domain.example.com. for Active Directory records
The record is created by default when AD is configured, which enables it to be found by the service discovery.

Testing the System Configuration after Joining a Domain

To test whether the system was successfully enrolled into a domain, verify that you can log in as a user from the domain and that the user information is displayed correctly:
- Run the id user@domain_name command to display information about a user from the domain.
  # id user@ad.example.com
  uid=1348601103(user@ad.example.com) gid=1348600513(domain group@ad.example.com) groups=1348600513(domain group@ad.example.com)
- Using the ssh utility, log in as the same user.
  # ssh -l user@ad.example.com linux-client.ad.example.com
  user@ad.example.com@linux-client.ad.example.com's password:
  Creating home directory for user@ad.example.com.
- Verify that the pwd utility prints the user's home directory.
  $ pwd
  /home/ad.example.com/user
- Verify that the id utility prints the same information as the id user@domain_name command from the first step.
  $ id
  uid=1348601103(user@ad.example.com) gid=1348600513(domain group@ad.example.com) groups=1348600513(domain group@ad.example.com) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

The kinit utility is also useful when testing whether the domain join was successful. Note that to use the utility, the krb5-workstation package must be installed.
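The shell functions below are an added example, not part of this guide or of realmd: they parse realm discover output of the form shown above, derive the SRV record name realmd queries for each server type, and check that /etc/nsswitch.conf consults sss after the join. The discover output and nsswitch.conf fragment are constructed samples, and the server-software value ipa used for Identity Management is an assumption (the guide only shows active-directory).

```shell
# Added example (not from the Red Hat guide or realmd); sample data is constructed.
# Constructed sample of `realm discover ad.example.com` output.
SAMPLE_DISCOVER='ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common'

# Constructed /etc/nsswitch.conf fragment as realm join leaves it.
SAMPLE_NSSWITCH='passwd:     files sss
group:      files sss'

# discover_field OUTPUT KEY -> value of a single-valued key, e.g. server-software
discover_field() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2; exit }'
}

# required_packages OUTPUT -> all required-package values, space separated
required_packages() {
    printf '%s\n' "$1" |
        awk '$1 == "required-package:" { printf "%s%s", sep, $2; sep = " " } END { print "" }'
}

# srv_record DOMAIN SERVER_SOFTWARE -> the SRV record name realmd queries
srv_record() {
    case "$2" in
        active-directory) echo "_ldap._tcp.dc._msdcs.$1." ;;
        ipa)              echo "_ldap._tcp.$1." ;;  # "ipa" for IdM is an assumption
        *)                echo "unknown server-software: $2" >&2; return 1 ;;
    esac
}

# nsswitch_has_sss CONTENT -> succeeds only if passwd and group both consult sss
nsswitch_has_sss() {
    printf '%s\n' "$1" | awk '
        $1 == "passwd:" || $1 == "group:" { for (i = 2; i <= NF; i++) if ($i == "sss") ok[$1] = 1 }
        END { exit !(ok["passwd:"] && ok["group:"]) }'
}

# Example run against the constructed discover output.
echo "srv=$(srv_record "$(discover_field "$SAMPLE_DISCOVER" domain-name)" "$(discover_field "$SAMPLE_DISCOVER" server-software)")"
echo "packages=$(required_packages "$SAMPLE_DISCOVER")"
```

To use the functions on a real host, pass the captured output of realm discover and the contents of /etc/nsswitch.conf instead of the constructed samples.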