Bug 967565

Summary: The realm man page should reflect all limitations against IPA server
Product: Red Hat Enterprise Linux 7
Reporter: Patrik Kis <pkis>
Component: realmd
Assignee: Stef Walter <stefw>
Status: CLOSED CURRENTRELEASE
QA Contact: Patrik Kis <pkis>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.0
CC: stefw
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: realmd-0.14.3-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 12:06:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
  Add some clarification on Active Directory specific options (flags: none)

Description Patrik Kis 2013-05-27 13:15:42 UTC
Description of problem:

There are a couple of options/features mentioned by the realm and realmd.conf man pages that do not work against IPA servers. It would be really nice to indicate there that they work only with AD (or don't work with IPA).

The list of already figured out limitations:
* IPA does join with kerberos credentials
* IPA does not support automatic joins
* IPA does not support/require ID mapping
* IPA has no user principal names for computer accounts -  to be checked with IPA development
* IPA does not support customizing computer OS name/version, at least
  ipa-client-install does not support this.
* IPA does not support --computer-ou


Version-Release number of selected component (if applicable):
realmd-0.14.1-1.el7
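
The practical problem behind this list is that an AD-only setting in a realm section of realmd.conf is accepted without complaint and simply has no effect against IPA. The following is an added example, not realmd code and not part of this bug: a small checker that reads `realm list` output to learn each realm's server-software and then flags the options this bug and the man page excerpts call Active Directory specific (computer-ou, automatic-id-mapping) when they are set in the section of a non-AD realm. The `realm list` field layout, the set of AD-only option names, and both sample inputs are constructed assumptions for the example.

```python
"""Added example (not realmd code): flag realmd.conf settings that this bug's
list and the realmd.conf(5) excerpts call Active Directory specific when they
are set for a realm that `realm list` reports as server-software: ipa."""
import configparser

# Realm-section options the bug / man page excerpts call AD specific.
# Assumption: taken from this bug's text, not a list shipped by realmd.
AD_ONLY_REALM_OPTIONS = {"computer-ou", "automatic-id-mapping"}

# Constructed sample of `realm list` output; the indented "key: value" layout
# and the server-software field are assumptions about realm(8)'s format.
SAMPLE_REALM_LIST = """\
ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
ipa.example.com
  type: kerberos
  realm-name: IPA.EXAMPLE.COM
  domain-name: ipa.example.com
  configured: kerberos-member
  server-software: ipa
  client-software: sssd
"""

# Constructed sample realmd.conf. The [ipa.example.com] section carries two
# options that only mean something to an AD join.
SAMPLE_REALMD_CONF = """\
[users]
default-home = /home/%D/%U

[active-directory]
os-name = Gentoo Linux
os-version = 9.9.9.9.9

[ad.example.com]
computer-ou = OU=Linux Servers,DC=ad,DC=example,DC=com
automatic-id-mapping = no

[ipa.example.com]
computer-ou = OU=Servers,DC=ipa,DC=example,DC=com
automatic-id-mapping = no
manage-system = yes
"""


def parse_realm_list(text):
    """Map realm name -> server-software from `realm list` style output.

    Unindented lines start a realm; indented "key: value" lines belong to it.
    """
    software = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip().lower()
            continue
        key, sep, value = line.strip().partition(":")
        if sep and current and key.strip() == "server-software":
            software[current] = value.strip()
    return software


def find_ad_only_settings(realmd_conf, software):
    """Return (section, option, server-software) for every AD-only option
    found in the section of a realm whose server software is not AD."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %D/%U literal
    cp.optionxform = str  # do not lower-case option names behind our back
    cp.read_string(realmd_conf)
    findings = []
    for section in cp.sections():
        sw = software.get(section.lower())
        if sw is None or sw == "active-directory":
            continue  # not a known realm, or an AD realm where these apply
        for option in cp.options(section):
            if option.lower() in AD_ONLY_REALM_OPTIONS:
                findings.append((section, option, sw))
    return findings


if __name__ == "__main__":
    realms = parse_realm_list(SAMPLE_REALM_LIST)
    for section, option, sw in find_ad_only_settings(SAMPLE_REALMD_CONF, realms):
        print(f"[{section}] {option}: Active Directory specific, but this "
              f"realm is server-software {sw}; the setting will not apply")
```

On a real host the two sample strings would be replaced by the output of `realm list` and the contents of /etc/realmd.conf; the [active-directory] section is left alone because its name already scopes os-name and os-version to AD.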

Comment 1 Stef Walter 2013-07-22 13:28:25 UTC
(In reply to Patrik Kis from comment #0)
> Description of problem:
> 
> There are a couple of options/features mentioned by the realm and realmd.conf
> man pages that do not work against IPA servers. It would be really nice to
> indicate there that they work only with AD (or don't work with IPA).

This is about Active Directory specific features. Many such notes are already in the documentation. Adding the missing ones...

> The list of already figured out limitations:
> * IPA does join with kerberos credentials

This is already in 'man realm'.

> * IPA does not support automatic joins

Requires preconfiguration, so it's not only IPA that doesn't support it. In fact it's any domain that isn't preconfigured for it. Added mention about this.

> * IPA does not support/require ID mapping

Expanded explanation for this in 'man realmd.conf'

> * IPA has no user principal names for computer accounts -  to be checked
> with IPA development

Yes, needs to be checked.

> * IPA does not support customizing computer OS name/version, at least
>   ipa-client-install does not support this.

Added clarification to 'man realmd.conf'

> * IPA does not support --computer-ou

Already mentioned in 'man realmd.conf'. Added to 'man realm'.

Comment 2 Stef Walter 2013-07-22 13:29:32 UTC
Created attachment 776903 [details]
Add some clarification on Active Directory specific options

Comment 3 Stef Walter 2013-07-22 15:00:45 UTC
Attachment 776903 [details] pushed as e588faf - Add some clarification on Active Directory specific options

Comment 4 Patrik Kis 2013-07-22 15:56:58 UTC
I went through the patch quickly and I believe there is a typo there (realmd.conf):

<para>These is an Active Directory specific option.</para>

Otherwise it looks ok to me.

Comment 5 Stef Walter 2013-07-22 16:45:04 UTC
(In reply to Patrik Kis from comment #4)
> I went through the patch quickly and I believe there is a typo there
> (realmd.conf):
> 
> <para>These is an Active Directory specific option.</para>
> 
> Otherwise it looks ok to me.

Thanks. Pushed this additional fix to git master.

Comment 7 Patrik Kis 2013-09-11 11:31:39 UTC
diff -c <(less realmd.conf.0.14.2-3.el7.man) <(less realmd.conf.0.14.3-1.el7.man)
***************
*** 70,75 ****
--- 70,77 ----
             Specify the os-name and/or os-version settings to control the values that are placed
             in the computer account operatingSystem and operatingSystemVersion attributes.
  
+            These is an Active Directory specific option.
+ 
                 [active-directory]
                 os-name = Gentoo Linux
                 os-version = 9.9.9.9.9
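Review bot: the added line still reads "These is an Active Directory specific option." in the 0.14.3-1 man page, the same typo Comment 4 reported and Comment 5 says was pushed to git master, so either that follow-up commit is not in realmd-0.14.3-1 or the package was built from the earlier tree. It should read "This is an Active Directory specific option."; please confirm which commit the build carries before closing.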
***************
*** 98,110 ****
                 # default-home = /nfs/home/%D-%U
  
             The default setting for this is /home/%D/%U. The %D format is replaced by the domain
!            name. In the case of Active Directory this is the short domain name. The %U format is
!            replaced by the user name.
  
             You can verify the home directory for a user by running the following command.
  
                 $ getent passwd 'DOMAIN/User'
                 DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash
  
         default-shell
             Specify the default-shell setting in order to control how to set the Unix shell for
--- 100,114 ----
                 # default-home = /nfs/home/%D-%U
  
             The default setting for this is /home/%D/%U. The %D format is replaced by the domain
!            name. The %U format is replaced by the user name.
  
             You can verify the home directory for a user by running the following command.
  
                 $ getent passwd 'DOMAIN/User'
                 DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash
+            Note that in the case of IPA domains, most users already have a home directory
+            configured in the domain. Therefore this configuration setting may rarely show
+            through.
  
         default-shell
             Specify the default-shell setting in order to control how to set the Unix shell for
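Review bot: dropping "In the case of Active Directory this is the short domain name." removes the only statement of what %D expands to for an AD realm; keep that sentence and add the IPA counterpart next to it instead of deleting it. The new "Note that in the case of IPA domains, most users already have a home directory configured in the domain." paragraph is also inserted directly under the getent output with no blank line, so it will render as part of the example; add an empty line before it as the surrounding paragraphs have. In the unchanged example the lookup argument is 'DOMAIN/User' while the printed entry is DOMAIN\user; the separator should be the same in both.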
***************
*** 122,127 ****
--- 126,133 ----
  
                 $ getent passwd 'DOMAIN/User'
                 DOMAIN\user:*:13445:13446:Name:/home/DOMAIN/user:/bin/bash
+            Note that in the case of IPA domains, most users already have a shell configured in
+            the domain. Therefore this configuration setting may rarely show through.
  
  REALM SPECIFIC SETTINGS
         These options should go in an section with the same name as the realm in the
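Review bot: same layout problem as the default-home section: "Note that in the case of IPA domains, most users already have a shell configured in the domain." follows the getent example line with no blank line, so it will be rendered as a continuation of the example; insert an empty line before it.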
***************
*** 161,166 ****
--- 167,174 ----
             GID information stored in the directory (as-per RFC2307) rather than automatically
             generating UID and GID numbers.
  
+            This option only makes sense for Active Directory realms.
+ 
                 [domain.example.com]
                 automatic-id-mapping = no
                 # automatic-id-mapping = yes
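Review bot: "This option only makes sense for Active Directory realms." leaves open what realmd does when automatic-id-mapping is set in an IPA realm section: ignored, rejected, or passed through to the client software. Say which, since a silently ignored setting is exactly the surprise this bug is about (Comment 0 lists ID mapping as unsupported by IPA), and an administrator who sets automatic-id-mapping = no expecting RFC2307 attributes to be used should get a clear answer.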
***************
*** 173,178 ****
--- 181,189 ----
                 [domain.example.com]
                 manage-system = no
                 # manage-system = yes
+            When this option is turned on realmd defaults to using domain policy to control who
+            can log into this machine. Further adjustments to login policy can be made with the
+            realm permit command.
  
         fully-qualified-names
             This option is on by default. If turned off then realm user and group names are not
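Review bot: the new paragraph "When this option is turned on realmd defaults to using domain policy to control who can log into this machine." is appended directly after the "# manage-system = yes" example line without a blank line, so it will render inside the example block. It also describes the "turned on" case right after an example that turns the option off; placing it before the example, or adding what is not managed when the option is off, would read more naturally. The reference to "the realm permit command" should name the command the same way the rest of the page does.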
***************
*** 193,196 ****
          2. Samba Winbind
             http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html
  
! realmd                                      06/17/2013                             REALMD.CONF(5)
--- 204,207 ----
          2. Samba Winbind
             http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html
  
! realmd                                      07/22/2013                             REALMD.CONF(5)


############################################


diff -c <(less realm.0.14.2-3.el7.man) <(less realm.0.14.3-1.el7.man)
***************
*** 52,58 ****
  
         --server-software=xxx
             Only discover realms which run the given server software. Possible values include
!            active-directory or freeipa.
  
         --membership-software=xxx
             Only discover realms for which the given membership software can be used to
--- 52,58 ----
  
         --server-software=xxx
             Only discover realms which run the given server software. Possible values include
!            active-directory or ipa.
  
         --membership-software=xxx
             Only discover realms for which the given membership software can be used to
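Review bot: this changes the documented --server-software value from freeipa to ipa without any note that the old spelling was ever valid; confirm that the code accepts ipa and whether freeipa is still accepted as an alias, because scripts written against the 0.14.2 man page would otherwise stop matching anything. The same substitution is made in the join and leave sections below, so whichever value is correct should also be the one realm list prints as server-software.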
***************
*** 73,81 ****
         host keytab is created.
  
         Joining arbitrary kerberos realms is not supported. The realm must have a supported
!        mechanism for joining from a client machine, such as Active Directory or FreeIPA.
  
!        Unless a --user is explicitly specified, an automatic join is attempted first.
  
         Note that the --user, --no-password, and --one-time-password options are mutually
         exclusive. At most one of them can be specified.
--- 73,83 ----
         host keytab is created.
  
         Joining arbitrary kerberos realms is not supported. The realm must have a supported
!        mechanism for joining from a client machine, such as Active Directory or IPA.
  
!        Unless a --user is explicitly specified, an automatic join is attempted first. Automatic
!        joins require pre-configuration on the domain side, and may not be supported by all
!        domains.
  
         Note that the --user, --no-password, and --one-time-password options are mutually
         exclusive. At most one of them can be specified.
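Review bot: "may not be supported by all domains" is vaguer than what this bug established; Comment 0 and Comment 1 agree that IPA does not support automatic joins, so name IPA here and say what "pre-configuration on the domain side" means for the domains that do support it. With the preceding sentence left as "an automatic join is attempted first", the text also implies that realm join against an IPA realm tries and fails an automatic join before prompting; if that is the behaviour it is worth stating so the failure is not mistaken for a broken realm.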
***************
*** 85,91 ****
         argument, the user will be selected automatically from the credential cache. The realm
         respects the KRB5_CCACHE environment variable, but uses the default kerberos credential
         cache if it's not present. Not all types of servers can be joined using kerberos
!        credentials, some (like FreeIPA) insist on prompting for a password.
  
         The following options can be used:
  
--- 87,93 ----
         argument, the user will be selected automatically from the credential cache. The realm
         respects the KRB5_CCACHE environment variable, but uses the default kerberos credential
         cache if it's not present. Not all types of servers can be joined using kerberos
!        credentials, some (like IPA) insist on prompting for a password.
  
         The following options can be used:
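Review bot: the unchanged context in this paragraph refers to the KRB5_CCACHE environment variable; the variable that MIT and Heimdal Kerberos, kinit and klist use to locate the credential cache is KRB5CCNAME. If realmd really reads KRB5_CCACHE that is a bug of its own (a user who exported KRB5CCNAME for a non-default cache would have it silently ignored and a different identity used for the join); if it reads KRB5CCNAME the man page should say so. Since this hunk already edits the same paragraph, fix the name here.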
  
***************
*** 96,102 ****
         --computer-ou=OU=xxx
             The distinguished name of an organizational unit to create the computer account. The
             exact format of the distinguished name depends on the client software and membership
!            software. You can usually omit the root DSE portion of distinguished name.
  
         --no-password
             Perform the join automatically without a password.
--- 98,105 ----
         --computer-ou=OU=xxx
             The distinguished name of an organizational unit to create the computer account. The
             exact format of the distinguished name depends on the client software and membership
!            software. You can usually omit the root DSE portion of distinguished name. This is an
!            Active Directory specific option.
  
         --no-password
             Perform the join automatically without a password.
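Review bot: "This is an Active Directory specific option." should also say what --computer-ou does when given with an IPA realm (ignored, or the join refuses); a caller who expects the computer account to end up in a particular OU should get an error rather than a silent default placement. In the unchanged sentence before it, "the root DSE portion of distinguished name" appears to mean the domain naming-context suffix (the DC= components), not the root DSE itself; consider rewording.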
***************
*** 112,118 ****
  
         --server-software=xxx
             Only join realms for run the given server software. Possible values include
!            active-directory or freeipa.
  
         --membership-software=xxx
             The software to use when joining to the realm. Possible values include samba or adcli.
--- 115,121 ----
  
         --server-software=xxx
             Only join realms for run the given server software. Possible values include
!            active-directory or ipa.
  
         --membership-software=xxx
             The software to use when joining to the realm. Possible values include samba or adcli.
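Review bot: the unchanged context reads "Only join realms for run the given server software"; "for run" is a leftover and should be "which run", matching the wording of the discover section. Since this hunk already edits the next line of the paragraph, fix it here.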
***************
*** 141,147 ****
  
         --server-software=xxx
             Only leave the realm which is using the given server software. Possible values include
!            active-directory or freeipa.
  
         --remove
             Remove or disable computer account from the directory while leaving the realm. This
--- 144,150 ----
  
         --server-software=xxx
             Only leave the realm which is using the given server software. Possible values include
!            active-directory or ipa.
  
         --remove
             Remove or disable computer account from the directory while leaving the realm. This
***************
*** 219,222 ****
         Stef Walter <stef>
             Maintainer
  
! realmd                                      06/17/2013                                   REALM(8)
--- 222,225 ----
         Stef Walter <stef>
             Maintainer
  
! realmd                                      07/22/2013                                   REALM(8)

Comment 8 Ludek Smid 2014-06-13 12:06:38 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.