To join an Active Directory domain with realmd you can use the realm command line tool:
$ realm join --verbose domain.example.com
By specifying the --verbose option, it's easier to see what went wrong if the join fails.
Other tools that use realmd can also perform the join operation, for example GNOME Control Center.
The join operation does the following:
Discovers information about the domain.
Installs the necessary software to join the domain, such as SSSD or Winbind.
Prompts for a password if administrative credentials are required.
Creates and/or updates a computer account in the domain.
Creates a host keytab file at /etc/krb5.keytab.
Configures the SSSD or Winbind services, and restarts and enables them as appropriate.
Enables domain users in /etc/nsswitch.conf.
In addition, an Active Directory domain controller's host name or IP address may be specified to join via that domain controller directly.
After the join operation is complete, domain accounts should be usable locally, although logins using domain accounts are not necessarily enabled.
You can verify that domain accounts are working with a command like this:
$ getent passwd 'DOMAIN\Administrator'
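A post-join check of the results listed above (domain users enabled in /etc/nsswitch.conf, the host keytab, account resolution), as an added example that is not part of the realmd documentation. The function names and the --check argument are this example's own, and the expectation that the keytab carries no group or other permission bits is an assumption of the example.

```shell
#!/bin/sh
# Added example: post-join checks. Function names and arguments are this
# example's own; only the two file paths come from the text above.

# nss_has_domain_source FILE DB: true if the DB entry in an nsswitch.conf-style
# FILE lists sss (SSSD) or winbind as a source.
nss_has_domain_source() {
    awk -v db="$2" '
        { sub(/#.*/, ""); sub(/:/, ": ") }   # drop comments, allow "passwd:files"
        $1 == (db ":") {
            for (i = 2; i <= NF; i++)
                if ($i == "sss" || $i == "winbind") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# keytab_is_private FILE: true if FILE is a regular file with no permission
# bits set for group or other (the keytab holds the machine account's keys).
# Assumption of this example: the keytab should be readable by its owner only.
keytab_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# verify_join ACCOUNT [NSSWITCH] [KEYTAB]: prints each failed check and
# returns the number of failures (0 means all checks passed).
verify_join() {
    nss=${2:-/etc/nsswitch.conf}
    keytab=${3:-/etc/krb5.keytab}
    fails=0
    nss_has_domain_source "$nss" passwd ||
        { echo "FAIL: passwd in $nss has no sss/winbind source"; fails=$((fails + 1)); }
    keytab_is_private "$keytab" ||
        { echo "FAIL: $keytab missing or accessible to group/other"; fails=$((fails + 1)); }
    getent passwd "$1" >/dev/null 2>&1 ||
        { echo "FAIL: account $1 does not resolve"; fails=$((fails + 1)); }
    return "$fails"
}

# Run as: sh verify-join.sh --check 'DOMAIN\Administrator'
if [ "${1:-}" = "--check" ]; then
    verify_join "$2"
    exit $?
fi
```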
The join operation will create or update a computer account in the domain. If you wish to specify a specific organizational unit where this account is created, you can use the computer-ou setting.
Additionally, you can override the default name for the computer account with the computer-name setting.
Specify the --user option to choose a different user name than the default Administrator user.
You can use Kerberos credentials to perform the join. Use the kinit command to acquire credentials prior to starting the join. Do not specify the --user argument; the user will be selected automatically from the credential cache.
The realm command respects the KRB5_CCACHE environment variable, but uses the default Kerberos credential cache if it's not present.