Logins using Domain Accounts

Once the computer is joined to a FreeIPA domain, the machine will automatically follow the domain settings for whether users are able to log into the machine or not.

To override this behavior and permit any domain account to log in, use the following command.

$ realm permit --realm domain.example.com --all

To permit only specific accounts from the domain to log in use the following command. The first time this command is run it will change the mode to only allow logins by specific accounts, and then add the specified accounts to the list of accounts to permit.

$ realm permit --realm domain.example.com user1@ipa.example.com user2@ipa.example.com

To deny logins from any domain account, use the following command.

$ realm deny --realm domain.example.com --all