
On a cleanly installed CentOS 7 host:

realm join -U foo --client-software sssd AD.EXAMPLE.COM

After running realm list, the output initially looks like this:

AD.EXAMPLE.COM
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U@ad.example.com
  login-policy: allow-realm-logins

Showing me that I joined an active directory with sssd as I had intended.

Later on (not sure what triggers it ... a system reboot guarantees it, but other things seem to as well -- maybe a samba restart?), the realm list output changes to this:

ad.example.com
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: oddjob-mkhomedir
  required-package: oddjob
  required-package: samba-winbind-clients
  required-package: samba-winbind
  required-package: samba-common
  login-formats: AD\%U
  login-policy: allow-any-login
AD.EXAMPLE.COM
  type: kerberos
  realm-name: AD.EXAMPLE.COM
  domain-name: ad.example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U@ad.example.com
  login-policy: allow-realm-logins

How did I become joined to the same domain via both mechanisms? Is there a way I can NOT have this happen? Or is this somehow needed behavior?

Ben

1 Answer


I know I'm not answering your question per se, but maybe this would be helpful as well -- as long as only sss is configured in nsswitch.conf and only pam_sss.so is configured in the PAM configuration, then only SSSD's entry points would be used.

jhrozek
  • Thanks for this -- but I couldn't satisfy myself that realm was sane --- and the project looks kind of dead. So I figured out how to automate domain joining via other means (using adcli) – Ben Apr 07 '15 at 04:00
  • realmd is definitely not dead (I know the maintainer is still around :-)) it's just considered complete. I'm glad you had luck with adcli. Btw adcli comes from the realmd project as well, it's the underlying component realmd uses. – jhrozek Apr 13 '15 at 12:28
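
The check described in the answer, as an added example (not code from the post or from the realmd or SSSD projects): a shell script that lists the NSS databases and PAM service files that still reference winbind. The function names and the sample files are constructed for illustration; on a real host, pass /etc/nsswitch.conf and /etc/pam.d.

```shell
#!/bin/sh
# Added example: report winbind entry points left in NSS and PAM.

# Print each nsswitch.conf database whose source list includes winbind.
nss_winbind_dbs() {   # $1 = path to nsswitch.conf
    awk '{ sub(/#.*/, "") }                      # strip comments
         $1 ~ /:$/ {
             for (i = 2; i <= NF; i++)
                 if ($i == "winbind") { db = $1; sub(/:$/, "", db); print db; break }
         }' "$1"
}

# Print each PAM service file with an active (uncommented) pam_winbind.so line.
pam_winbind_files() { # $1 = PAM directory, e.g. /etc/pam.d
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if grep -Eq '^[^#]*pam_winbind\.so' "$f"; then basename "$f"; fi
    done
}

# Succeed only when neither NSS nor PAM references winbind.
sssd_only() {         # $1 = nsswitch.conf, $2 = PAM directory
    [ -z "$(nss_winbind_dbs "$1")" ] && [ -z "$(pam_winbind_files "$2")" ]
}

# Constructed sample of a host where winbind was also wired in.
make_sample() {       # $1 = directory to populate
    mkdir -p "$1/pam.d"
    printf '%s\n' 'passwd: files sss winbind' 'shadow: files sss' \
        'group:  files sss winbind' 'hosts:  files dns  # winbind unused' \
        > "$1/nsswitch.conf"
    printf '%s\n' 'auth sufficient pam_sss.so use_first_pass' \
        'auth sufficient pam_winbind.so use_first_pass' > "$1/pam.d/system-auth"
    printf '%s\n' 'auth sufficient pam_sss.so use_first_pass' \
        '#auth sufficient pam_winbind.so' > "$1/pam.d/password-auth"
}

demo=$(mktemp -d)
make_sample "$demo"
echo "NSS databases using winbind: $(nss_winbind_dbs "$demo/nsswitch.conf" | tr '\n' ' ')"
echo "PAM files using winbind: $(pam_winbind_files "$demo/pam.d" | tr '\n' ' ')"
if sssd_only "$demo/nsswitch.conf" "$demo/pam.d"; then echo "SSSD only"; else echo "winbind still reachable"; fi
rm -rf "$demo"
```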