Configure the local machine for use with a realm.
$ realm join domain.example.com
$ realm join --user=admin --computer-ou=OU=Special domain.example.com
The realm is first discovered, as we would with the discover command. If no domain is specified, then the
domain assigned through DHCP is used as a default.
After a successful join, the computer will be in a state where it is able to resolve remote user and
group names from the realm. For kerberos realms, a computer account and host keytab is created.
Joining arbitrary kerberos realms is not supported. The realm must have a supported mechanism for joining
from a client machine, such as Active Directory or IPA.
If the domain has been preconfigured, and unless --user is explicitly specified, an automatic join is
attempted first.
Note that the --user, --no-password, and --one-time-password options are mutually exclusive. At most one
of them can be specified.
It is generally possible to use kerberos credentials to perform a join operation. Use the kinit command
to acquire credentials prior to starting the join. Do not specify the --user argument, the user will be
selected automatically from the credential cache. The realm respects the KRB5_CCACHE environment
variable, but uses the default kerberos credential cache if it's not present. Not all types of servers
can be joined using kerberos credentials, some (like IPA) insist on prompting for a password.
The following options can be used:
--automatic-id-mapping=no
Do not perform UID/GID mapping for users and groups, but expect these identifiers to be present in
the domain already.
--client-software=xxx
Only join realms for which we can use the given client software. Possible values include sssd or
winbind. Not all values are supported for all realms. By default the client software is automatically
selected.
--computer-ou=OU=xxx
The distinguished name of an organizational unit to create the computer account. The exact format of
the distinguished name depends on the client software and membership software. You can usually omit
the root DSE portion of distinguished name. This is an Active Directory specific option.
--membership-software=xxx
The software to use when joining to the realm. Possible values include samba or adcli. Not all values
are supported for all realms. By default the membership software is automatically selected.
--computer-name=xxx
This option only applies to Active Directory realms. Specify this option to override the default name
used when creating the computer account. The system's FQDN will still be saved in the dNSHostName
attribute.
Specify the name as a string of 15 or fewer characters that is a valid NetBIOS computer name.
--no-password
Perform the join automatically without a password.
--one-time-password=xxxx
Perform the join using a one time password specified on the command line. This is not possible with
all types of realms.
--os-name=xxx
The name of the operation system of the client. When joining an AD domain the value is store in the
matching AD attribute.
--os-version=xxx
The version of the operation system of the client. When joining an AD domain the value is store in
the matching AD attribute.
--server-software=xxx
Only join realms for run the given server software. Possible values include active-directory or ipa.
-U, --user=xxx
The user name to be used to authenticate with when joining the machine to the realm. You will be
prompted for a password.
--user-principal=host/name@REALM
Set the userPrincipalName field of the computer account to this kerberos principal. If you omit the
value for this option, then a principal will be set based on the defaults of the membership software.
AD makes a distinction between user and service principals. Only with user principals you can request
a Kerberos Ticket-Granting-Ticket (TGT), i.e. only user principals can be used with the kinit
command. By default the user principal and the canonical principal name of an AD computer account is
shortname$@AD.DOMAIN, where shortname is the NetBIOS name which is limited to 15 characters.
If there are applications which are not aware of the AD default and are using a hard-coded default
principal the --user-principal can be used to make AD aware of this principal. Please note that
userPrincipalName is a single value LDAP attribute, i.e. only one alternative user principal besides
the AD default user principal can be set.
--use-ldaps
Use the ldaps port when connecting to AD where possible. In general this option is not needed because
realmd itself only read public information from the Active Directory domain controller which is
available anonymously. The supported membership software products will use encrypted connections
protected with GSS-SPNEGO/GSSAPI which offers a comparable level of security than ldaps. This option
is only needed if the standard LDAP port (389/tcp) is blocked by a firewall and only the LDAPS port
(636/tcp) is available. Given that and to lower the initial effort to discover a remote domain realmd
does not require a strict certificate check. If the validation of the LDAP server certificate fails
realmd will continue to setup the encrypted connection to the LDAP server.
If this option is set to yesrealmd will use the ldaps port when reading the rootDSE and call the
adcli membership software with the option --use-ldaps. The Samba base membership currently offers
only deprecated ways to enable ldaps. Support will be added in realmd when a new way is available.
--do-not-touch-config
Run the join operation but do not touch the local configuration of the client except adding new
Kerberos keys to the keytab. The purpose of this option is to synchronize the keytab entries with the
ones stored in AD or recreate the computer object in AD without changing the local configuration
which might contain changes which would get overwritten by a fully leave/join cycle.
If running realmjoin with this options does not help to fix issues it is recommended to call realmleave followed by realmjoin to enforce a fresh configuration with default settings. Since this might
overwrite manual changes to the related configuration files it is recommend to save those change
before running the commands.
This options is only available when joining AD domains.
Install Now
PNG Icons
Emojis