ADCLI(8)                        System Commands                       ADCLI(8)

NAME

       adcli - Tool for performing actions on an Active Directory domain


SYNOPSIS

       adcli info domain.example.com

       adcli join domain.example.com

       adcli update

       adcli create-user [--domain=domain.example.com] user

       adcli delete-user [--domain=domain.example.com] user

       adcli create-group [--domain=domain.example.com] group

       adcli delete-group [--domain=domain.example.com] group

       adcli add-member [--domain=domain.example.com] group user...

       adcli remove-member [--domain=domain.example.com] group user...

       adcli preset-computer [--domain=domain.example.com] computer...

       adcli reset-computer [--domain=domain.example.com] computer

       adcli delete-computer [--domain=domain.example.com] computer


GENERAL OVERVIEW

       adcli is a command line tool that can perform actions in an Active
       Directory domain. Among other things it can be used to join a computer
       to a domain.

       See the various sub commands below. The following global options can be
       used:

       -D, --domain=domain
           The domain to connect to. If a domain is not specified then the
           domain part of the local computer's host name is used.

       -R, --domain-realm=REALM
           Kerberos realm for the domain. If not specified then the upper
           cased domain name is used.

       -S, --domain-controller=server
           Connect to a specific domain controller. If not specified then an
           appropriate domain controller is automatically discovered.

       -C, --login-ccache=ccache_name
           Use the specified Kerberos credential cache to authenticate with
           the domain. If no credential cache is specified, the default
           Kerberos credential cache will be used. Credential caches of type
           FILE can be given with the path to the file. For other credential
           cache types, e.g. DIR, KEYRING or KCM, the type must be specified
           explicitly together with a suitable identifier.

       -U, --login-user=User
           Use the specified user account to authenticate with the domain. If
           not specified then the name 'Administrator' will be used.

       --no-password
           Don't show prompts for or read a password from input.

       -W, --prompt-password
           Prompt for a password if necessary. This is the default.

       --stdin-password
           Read a password from stdin input instead of prompting for a
           password. This is the option to use from scripts.

       -v, --verbose
           Run in verbose mode with debug output.


QUERYING DOMAIN INFORMATION

       adcli info displays discovered information about an Active Directory
       domain or an Active Directory domain controller.

           $ adcli info domain.example.com
           ...

           $ adcli info --domain-controller=dc.domain.example.com
           ...

       adcli info will output as much information as it can about the domain.
       The information is designed to be both machine and human readable. The
       command will exit with a non-zero exit code if the domain does not
       exist or cannot be reached.

       To show domain info for a specific domain controller use the
       --domain-controller option to specify which domain controller to query.

       Use the --verbose option to show details of how the domain is
       discovered and queried. Many of the global options, in particular
       authentication options, are not usable with the adcli info command.


JOINING THE LOCAL MACHINE TO A DOMAIN

       adcli join creates a computer account in the domain for the local
       machine, and sets up a keytab for the machine. It does not configure an
       authentication service (such as sssd).

           $ adcli join domain.example.com
           Password for Administrator:

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       -N, --computer-name=computer
           The short non-dotted name of the computer account that will be
           created in the domain. If not specified then the first portion of
           the --host-fqdn is used.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the
           computer account. If not specified then the computer account will
           be created in a default location.

       -H, --host-fqdn=host
           Override the local machine's fully qualified domain name. If not
           specified the local machine's hostname will be retrieved via
           gethostname().

       -K, --host-keytab=/path/to/keytab
           Specify the path to the host keytab where host credentials will be
           written after a successful join operation. If not specified the
           default location will be used, usually /etc/krb5.keytab.

       --login-type={computer|user}
           Specify the type of authentication that will be performed before
           creating the machine account in the domain. If set to 'computer'
           then the computer must already have a preset account in the domain.
           If not specified and none of the other --login-xxx arguments have
           been specified, then adcli will try both 'computer' and 'user'
           authentication.

       --os-name=name
           Set the operating system name on the computer account. The default
           depends on where adcli was built, but is usually something like
           'linux-gnu'.

       --os-service-pack=pack
           Set the operating system service pack on the computer account. Not
           set by default.

       --os-version=version
           Set the operating system version on the computer account. Not set
           by default.

       --service-name=service
           Additional service name for a Kerberos principal to be created on
           the computer account. This option may be specified multiple times.

       --user-principal=host/name@REALM
           Set the userPrincipalName field of the computer account to this
           Kerberos principal. If you omit the value for this option, then a
           principal will be set in the form of host/host.example.com@REALM.

       --one-time-password
           Specify a one time password for a preset computer account. This is
           equivalent to using --login-type=computer and providing a password
           as input.

       --trusted-for-delegation=yes|no|true|false
           Set or unset the TRUSTED_FOR_DELEGATION flag in the
           userAccountControl attribute, which controls whether Kerberos
           tickets can be forwarded to the host. The flag grants the host
           unconstrained delegation, so set it only where the host really has
           to act on behalf of users.

       --add-service-principal=service/hostname
           Add a service principal name. In contrast to --service-name, the
           hostname part can be specified as well, for the case where the
           service should also be reachable under a different host name.

       --show-details
           After a successful join print out information about the join
           operation. This is output in a format that should be both human and
           machine readable.

       --show-password
           After a successful join print out the computer machine account
           password. This is output in a format that should be both human and
           machine readable. The password is the host's domain credential, so
           make sure it does not end up in shell history, logs or job output.

       --add-samba-data
           After a successful join add the domain SID and the machine account
           password to the Samba specific databases by calling Samba's net
           utility.

           Please note that Samba's net requires some settings in smb.conf to
           create the database entries correctly. Most important here is
           currently the workgroup option, see smb.conf(5) for details.

       --samba-data-tool=/path/to/net
           If Samba's net cannot be found at /usr/bin/net this option can be
           used to specify an alternative location with the help of an
           absolute path.


UPDATING THE MACHINE ACCOUNT PASSWORD AND OTHER ATTRIBUTES

       adcli update updates the password of the computer account on the domain
       controller for the local machine, writes the new keys to the keytab and
       removes older keys. The previous key is kept on purpose: AD needs some
       time to replicate the new password to all domain controllers, so
       tickets issued with the previous key may still be in use.

           $ adcli update

       If used with a credential cache, other attributes of the computer
       account can be changed as well, provided the principal has sufficient
       privileges.

           $ kinit Administrator
           $ adcli update --login-ccache=/tmp/krbcc_123

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       -N, --computer-name=computer
           The short non-dotted name of the computer account that will be
           updated in the domain. If not specified it will be retrieved from
           the keytab entries.

       -H, --host-fqdn=host
           The local machine's fully qualified domain name. If not specified
           the local machine's hostname will be retrieved from the keytab
           entries.

       -K, --host-keytab=/path/to/keytab
           Specify the path to the host keytab where current host credentials
           are stored and the new ones will be written to. If not specified
           the default location will be used, usually /etc/krb5.keytab.

       --os-name=name
           Set the operating system name on the computer account. Not set by
           default.

       --os-service-pack=pack
           Set the operating system service pack on the computer account. Not
           set by default.

       --os-version=version
           Set the operating system version on the computer account. Not set
           by default.

       --service-name=service
           Additional service name for a Kerberos principal to be created on
           the computer account. This option may be specified multiple times.

       --user-principal=host/name@REALM
           Set the userPrincipalName field of the computer account to this
           Kerberos principal.

       --computer-password-lifetime=lifetime
           Only update the password of the computer account if it is older
           than the lifetime given in days. By default the password is updated
           if it is older than 30 days.

       --trusted-for-delegation=yes|no|true|false
           Set or unset the TRUSTED_FOR_DELEGATION flag in the
           userAccountControl attribute, which controls whether Kerberos
           tickets can be forwarded to the host. The flag grants the host
           unconstrained delegation, so set it only where the host really has
           to act on behalf of users.

       --add-service-principal=service/hostname
           Add a service principal name. In contrast to --service-name, the
           hostname part can be specified as well, for the case where the
           service should also be reachable under a different host name.

       --remove-service-principal=service/hostname
           Remove a service principal name from the keytab and the AD host
           object.

       --show-details
           After a successful update print out information about the update
           operation. This is output in a format that should be both human and
           machine readable.

       --add-samba-data
           After a successful update add the domain SID and the machine
           account password to the Samba specific databases by calling Samba's
           net utility.

           Please note that Samba's net requires some settings in smb.conf to
           create the database entries correctly. Most important here is
           currently the workgroup option, see smb.conf(5) for details.

       --samba-data-tool=/path/to/net
           If Samba's net cannot be found at /usr/bin/net this option can be
           used to specify an alternative location with the help of an
           absolute path.

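       The following keytab check is an added example; it is not part of this
       man page or of the adcli project. It runs adcli update with
       --computer-password-lifetime and then reads the key version numbers
       (KVNO) that MIT Kerberos klist -k prints for the keytab, to confirm the
       state the text above describes: after a rotation the keytab should hold
       the new key version plus the previous one and nothing older, while an
       account whose password was still young enough is left unchanged. The
       host and realm names, the constructed klist output and the ADCLI, KLIST
       and KEYTAB override variables are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of adcli. Verifies the keytab after "adcli update"
# from the key version numbers (KVNO) in "klist -k" output. Every password
# change of an AD account increments its KVNO, so after a rotation the keytab
# should hold the new KVNO plus the previous one and nothing older.
#
# Assumptions: MIT Kerberos klist(1) "KVNO Principal" column layout, and that
# ADCLI, KLIST and KEYTAB may be overridden (e.g. for testing).

ADCLI="${ADCLI:-adcli}"
KLIST="${KLIST:-klist}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Read "klist -k" output on stdin and print "<distinct KVNO count> <highest KVNO>"
# for one principal ($1), or "0 -" when the principal has no entry. A keytab
# carries one line per encryption type, hence the de-duplication by KVNO.
kvno_summary() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $2 == p && !seen[$1]++ {
            n++
            if ($1 + 0 > max) max = $1 + 0
        }
        END { if (n) print n, max; else print 0, "-" }'
}

# Classify the keytab after an update. $1 = principal, $2 = highest KVNO seen
# before the update, "klist -k" output on stdin. Prints one word:
#   rotated   - a newer KVNO is present and at most the previous one was kept
#   unchanged - no newer KVNO (the password was younger than the lifetime)
#   stale     - principal missing, or more than two key versions present,
#               i.e. older keys were not removed
classify_rotation() {
    summary="$(kvno_summary "$1")"
    n="${summary% *}"
    newest="${summary#* }"
    if [ "$newest" = "-" ] || [ "$n" -gt 2 ]; then
        echo stale
    elif [ "$newest" -gt "$2" ]; then
        echo rotated
    else
        echo unchanged
    fi
}

# Rotate the machine account password if it is older than $2 days (default 30)
# and report what happened to the keytab. $1 = the account principal as it
# appears in the keytab, e.g. 'WEB01$@DOMAIN.EXAMPLE.COM' (assumed name).
# Exit status: 0 rotated or unchanged, 1 adcli failed, 2 keytab is stale.
rotate_and_verify() {
    principal="$1"
    days="${2:-30}"
    before="$("$KLIST" -k "$KEYTAB" | kvno_summary "$principal")"
    before="${before#* }"
    if [ "$before" = "-" ]; then before=0; fi
    "$ADCLI" update --host-keytab="$KEYTAB" \
        --computer-password-lifetime="$days" || return 1
    state="$("$KLIST" -k "$KEYTAB" | classify_rotation "$principal" "$before")"
    echo "$principal: $state"
    [ "$state" != stale ] || return 2
}

# Constructed "klist -k" output for a host that has just rotated from KVNO 4
# to KVNO 5, with two encryption types per version as a real keytab shows.
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 WEB01$@DOMAIN.EXAMPLE.COM
   4 WEB01$@DOMAIN.EXAMPLE.COM
   4 host/web01.domain.example.com@DOMAIN.EXAMPLE.COM
   5 WEB01$@DOMAIN.EXAMPLE.COM
   5 WEB01$@DOMAIN.EXAMPLE.COM
   5 host/web01.domain.example.com@DOMAIN.EXAMPLE.COM
EOF
}
```

       Run rotate_and_verify 'WEB01$@DOMAIN.EXAMPLE.COM' 30 from a daily job;
       a "stale" result means the keytab has drifted from what adcli update is
       supposed to leave behind and should be inspected with klist -k before
       the host's tickets stop working.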

CREATING A USER

       adcli create-user creates a new user account in the domain.

           $ adcli create-user Fry --domain=domain.example.com \
                --display-name="Philip J. Fry" --mail=fry@domain.example.com

       In addition to the global options, you can specify the following
       options to control how the user is created.

       --display-name="Name"
           Set the displayName attribute of the newly created user account.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the user
           account. If not specified then the user account will be created in
           a default location.

       --mail=email@domain.com
           Set the mail attribute of the newly created user account. This
           attribute may be specified multiple times.

       --unix-home=/home/user
           Set the unixHomeDirectory attribute of the newly created user
           account, which should be an absolute path to the user's home
           directory.

       --unix-gid=111
           Set the gidNumber attribute of the newly created user account,
           which should be the user's numeric primary group id.

       --unix-shell=/bin/shell
           Set the loginShell attribute of the newly created user account,
           which should be a path to a valid shell.

       --unix-uid=111
           Set the uidNumber attribute of the newly created user account,
           which should be the user's numeric user id.


DELETING A USER

       adcli delete-user deletes a user account from the domain.

           $ adcli delete-user Fry --domain=domain.example.com

       The various global options can be used.


CREATING A GROUP

       adcli create-group creates a new group in the domain.

           $ adcli create-group Pilots --domain=domain.example.com \
                --description="Group for all pilots"

       In addition to the global options, you can specify the following
       options to control how the group is created.

       --description="text"
           Set the description attribute of the newly created group.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the group.
           If not specified then the group will be created in a default
           location.


DELETING A GROUP

       adcli delete-group deletes a group from the domain.

           $ adcli delete-group Pilots --domain=domain.example.com

       The various global options can be used.


ADDING A MEMBER TO A GROUP

       adcli add-member adds one or more users to a group in the domain. The
       group is specified first, and then the various users to be added.

           $ adcli add-member --domain=domain.example.com Pilots Leela Scruffy

       The various global options can be used.


REMOVING A MEMBER FROM A GROUP

       adcli remove-member removes one or more users from a group in the
       domain. The group is specified first, and then the various users to be
       removed.

           $ adcli remove-member --domain=domain.example.com Pilots Scruffy

       The various global options can be used.


PRESET COMPUTER ACCOUNTS

       adcli preset-computer pre-creates one or more computer accounts in the
       domain for machines to later use when joining the domain. By doing this
       machines can join using a one time password or automatically without a
       password.

           $ adcli preset-computer --domain=domain.example.com \
                host1.example.com host2
           Password for Administrator:

       If the computer names specified contain dots, then they are treated as
       fully qualified host names, otherwise they are treated as short
       computer names. The computer accounts must not already exist.

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the
           computer accounts. If not specified then the computer accounts will
           be created in a default location.

       --one-time-password
           Specify a one time password to use when presetting the computer
           accounts. If not specified then a default password will be used,
           which allows for later automatic joins. Because that default is
           predictable, any host that knows the account name can complete such
           a join; prefer a one time password unless the network the machines
           join from is trusted.

       --os-name=name
           Set the operating system name on the computer account. The default
           depends on where adcli was built, but is usually something like
           'linux-gnu'.

       --os-service-pack=pack
           Set the operating system service pack on the computer account. Not
           set by default.

       --os-version=version
           Set the operating system version on the computer account. Not set
           by default.

       --service-name=service
           Additional service name for a Kerberos principal to be created on
           the computer account. This option may be specified multiple times.

       --user-principal
           Set the userPrincipalName field of the computer account to a
           Kerberos principal in the form of host/host.example.com@REALM.

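       The two halves of a preset-account rollout, covering both the preset
       command above and the join command earlier in this page, as an added
       example that is not part of this man page or of the adcli project: on
       an administrative host, preset-computer creates one account per machine
       with a freshly generated one time password, and on each machine join
       consumes that password from stdin using --login-type=computer together
       with --stdin-password (the combination this page describes as
       equivalent to --one-time-password), so the secret never appears on a
       command line, in the process list or in shell history. The domain, OU
       and host names, the OTP_DIR directory for out-of-band delivery and the
       ADCLI override variable are assumptions of the example; that
       preset-computer accepts the password as the option value
       --one-time-password=... is also assumed here, and because that value is
       visible in the process list, the admin side should only run where other
       local users cannot read it.

```shell
#!/bin/sh
# Added example, not part of adcli: preset computer accounts with per-host
# one time passwords (admin side) and join a host with such a password read
# from stdin (host side).
#
# Assumptions: domain, OU and host names are placeholders; the OTP for each
# host is written to a root-only file under OTP_DIR for delivery to the host;
# ADCLI can be pointed at a test double; preset-computer takes the OTP as the
# value of --one-time-password.

ADCLI="${ADCLI:-adcli}"
OTP_DIR="${OTP_DIR:-/root/adcli-otp}"

# Generate a one time password: 24 bytes of OS randomness, base64 encoded,
# which yields 32 characters from [A-Za-z0-9+/] with no padding.
new_otp() {
    head -c 24 /dev/urandom | base64 | tr -d '=\n'
}

# Accept only short computer names AD will take: non-empty, letters, digits
# and hyphens (a conservative policy), at most 15 characters because the
# account's sAMAccountName is NAME$ and NetBIOS names are limited to 15.
valid_computer_name() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Admin side: preset one account per host, each with its own OTP.
# $1 = domain, $2 = OU distinguished name, remaining args = short names.
# Each OTP is stored as OTP_DIR/<name> (mode 0600) for out-of-band delivery.
preset_hosts() {
    domain="$1"; ou="$2"; shift 2
    umask 077
    mkdir -p "$OTP_DIR" || return 1
    for name in "$@"; do
        valid_computer_name "$name" || { echo "skipping invalid name: $name" >&2; continue; }
        otp="$(new_otp)"
        # The OTP is an option value here and therefore visible in the process
        # list: run this only where local users are trusted.
        "$ADCLI" preset-computer --domain="$domain" --domain-ou="$ou" \
            --one-time-password="$otp" "$name" || return 1
        printf '%s\n' "$otp" > "$OTP_DIR/$name"
    done
}

# Host side: join with the delivered OTP. $1 = domain, $2 = computer name
# (must match the preset account), $3 = file holding the OTP. The OTP goes in
# on stdin, never into the argument list, and the file is removed only after
# a successful join.
join_with_otp() {
    domain="$1"; computer="$2"; otp_file="$3"
    valid_computer_name "$computer" || { echo "bad computer name: $computer" >&2; return 2; }
    [ -r "$otp_file" ] || { echo "cannot read $otp_file" >&2; return 2; }
    "$ADCLI" join --computer-name="$computer" --login-type=computer \
        --stdin-password --show-details "$domain" < "$otp_file" \
        && rm -f -- "$otp_file"
}
```

       On the admin host run preset_hosts domain.example.com
       'OU=Linux,DC=domain,DC=example,DC=com' web01 db02, deliver each
       OTP_DIR/<name> file to its machine over an authenticated channel, and on
       the machine run join_with_otp domain.example.com web01 /root/otp. Since
       the OTP is single use and the file is deleted after the join, a leaked
       copy is worthless once the machine has joined.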

RESET COMPUTER ACCOUNT

       adcli reset-computer resets a computer account in the domain. If the
       corresponding machine is currently joined to the domain, then its
       membership will be broken. The account must already exist.

           $ adcli reset-computer --domain=domain.example.com host2

       If the computer names specified contain dots, then they are treated as
       fully qualified host names, otherwise they are treated as short
       computer names.

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       --login-type={computer|user}
           Specify the type of authentication that will be performed before
           resetting the machine account in the domain. If set to 'computer'
           then the computer must already have a preset account in the domain.
           If not specified and none of the other --login-xxx arguments have
           been specified, then adcli will try both 'computer' and 'user'
           authentication.


DELETE COMPUTER ACCOUNT

       adcli delete-computer deletes a computer account in the domain. The
       account must already exist.

           $ adcli delete-computer --domain=domain.example.com host2
           Password for Administrator:

       If the computer name contains a dot, then it is treated as a fully
       qualified host name, otherwise it is treated as a short computer name.

       If no computer name is specified, then the host name of the computer
       adcli is running on is used, as returned by gethostname().

       The various global options can be used.


BUGS

       Please send bug reports to either the distribution bug tracker or the
       upstream bug tracker at
       https://bugs.freedesktop.org/enter_bug.cgi?product=realmd&component=adcli


SEE ALSO

       realmd(8), net(8), sssd(8)

       Further details available in the realmd online documentation at
       http://www.freedesktop.org/software/realmd/



realmd                                                                ADCLI(8)