ADCLI(8)                        System Commands                       ADCLI(8)

NAME

       adcli - Tool for performing actions on an Active Directory domain

SYNOPSIS

       adcli info domain.example.com

       adcli join domain.example.com

       adcli update

       adcli testjoin

       adcli create-user [--domain=domain.example.com] user

       adcli delete-user [--domain=domain.example.com] user

       adcli create-group [--domain=domain.example.com] group

       adcli delete-group [--domain=domain.example.com] group

       adcli add-member [--domain=domain.example.com] group user...

       adcli remove-member [--domain=domain.example.com] group user...

       adcli preset-computer [--domain=domain.example.com] computer...

       adcli reset-computer [--domain=domain.example.com] computer

       adcli delete-computer [--domain=domain.example.com] computer

GENERAL OVERVIEW

       adcli is a command line tool that can perform actions in an Active
       Directory domain. Among other things it can be used to join a computer
       to a domain.

       See the various sub commands below. The following global options can be
       used:

       -D, --domain=domain
           The domain to connect to. If a domain is not specified, then the
           domain part of the local computer's host name is used.

       -R, --domain-realm=REALM
           Kerberos realm for the domain. If not specified, then the upper
           cased domain name is used.

       -S, --domain-controller=server
           Connect to a specific domain controller. If not specified, then an
           appropriate domain controller is automatically discovered.

       -C, --login-ccache=ccache_name
           Use the specified Kerberos credential cache to authenticate with
           the domain. If no credential cache is specified, the default
           Kerberos credential cache will be used. Credential caches of type
           FILE can be given with the path to the file. For other credential
           cache types, e.g. DIR, KEYRING or KCM, the type must be specified
           explicitly together with a suitable identifier.

       -U, --login-user=User
           Use the specified user account to authenticate with the domain. If
           not specified, then the name 'Administrator' will be used.

       --no-password
           Don't show prompts for or read a password from input.

       -W, --prompt-password
           Prompt for a password if necessary. This is the default.

       --stdin-password
           Read a password from stdin input instead of prompting for a
           password.

       -v, --verbose
           Run in verbose mode with debug output.

QUERYING DOMAIN INFORMATION

       adcli info displays discovered information about an Active Directory
       domain or an Active Directory domain controller.

           $ adcli info domain.example.com
           ...

           $ adcli info --domain-controller=dc.domain.example.com
           ...

       adcli info will output as much information as it can about the domain.
       The information is designed to be both machine and human readable. The
       command will exit with a non-zero exit code if the domain does not
       exist or cannot be reached.

       To show domain info for a specific domain controller use the
       --domain-controller option to specify which domain controller to query.

       Use the --verbose option to show details of how the domain is
       discovered and queried. Many of the global options, in particular
       authentication options, are not usable with the adcli info command.

JOINING THE LOCAL MACHINE TO A DOMAIN

       adcli join creates a computer account in the domain for the local
       machine, and sets up a keytab for the machine. It does not configure an
       authentication service (such as sssd).

           $ adcli join domain.example.com
           Password for Administrator:

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       -N, --computer-name=computer
           The short non-dotted name of the computer account that will be
           created in the domain. If not specified, then the first portion of
           the --host-fqdn is used.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the
           computer account. If not specified, then the computer account will
           be created in a default location.

       -H, --host-fqdn=host
           Override the local machine's fully qualified domain name. If not
           specified, the local machine's hostname will be retrieved via
           gethostname(). If gethostname() only returns a short name,
           getaddrinfo() with the AI_CANONNAME hint is called to expand the
           name to a fully qualified domain name.

       -K, --host-keytab=/path/to/keytab
           Specify the path to the host keytab where host credentials will be
           written after a successful join operation. If not specified, the
           default location will be used, usually /etc/krb5.keytab.

       --login-type={computer|user}
           Specify the type of authentication that will be performed before
           creating the machine account in the domain. If set to 'computer',
           then the computer must already have a preset account in the domain.
           If not specified and none of the other --login-xxx arguments have
           been specified, then adcli will try both 'computer' and 'user'
           authentication.

       --os-name=name
           Set the operating system name on the computer account. The default
           depends on where adcli was built, but is usually something like
           'linux-gnu'.

       --os-service-pack=pack
           Set the operating system service pack on the computer account. Not
           set by default.

       --os-version=version
           Set the operating system version on the computer account. Not set
           by default.

       --service-name=service
           Additional service name for a Kerberos principal to be created on
           the computer account. This option may be specified multiple times.

       --user-principal=host/name@REALM
           Set the userPrincipalName field of the computer account to this
           Kerberos principal. If you omit the value for this option, then a
           principal will be set in the form of host/host.example.com@REALM.

       --one-time-password
           Specify a one time password for a preset computer account. This is
           equivalent to using --login-type=computer and providing a password
           as input.

       --trusted-for-delegation=yes|no|true|false
           Set or unset the TRUSTED_FOR_DELEGATION flag in the
           userAccountControl attribute, which controls whether Kerberos
           tickets can be forwarded to the host.

       --add-service-principal=service/hostname
           Add a service principal name. In contrast to --service-name, the
           hostname part can be specified as well, in case the service should
           also be accessible under a different host name.

       --show-details
           After a successful join print out information about the join
           operation. This is output in a format that should be both human
           and machine readable.

       --show-password
           After a successful join print out the machine account password.
           This is output in a format that should be both human and machine
           readable.

       --add-samba-data
           After a successful join add the domain SID and the machine account
           password to the Samba specific databases by calling Samba's net
           utility.

           Please note that Samba's net requires some settings in smb.conf to
           create the database entries correctly. Most important here is
           currently the workgroup option, see smb.conf(5) for details.

       --samba-data-tool=/path/to/net
           If Samba's net cannot be found at /usr/bin/net, this option can be
           used to specify an alternative location with the help of an
           absolute path.

       If supported on the AD side, the msDS-supportedEncryptionTypes attribute
       will be set as well. Either the current value or the default list of
       AD's supported encryption types, filtered by the permitted encryption
       types of the client's Kerberos configuration, is written.

UPDATING THE MACHINE ACCOUNT PASSWORD AND OTHER ATTRIBUTES

       adcli update updates the password of the computer account on the domain
       controller for the local machine, writes the new keys to the keytab and
       removes older keys. It keeps the previous key on purpose because AD
       will need some time to replicate the new key to all DCs, hence the
       previous key might still be used.

           $ adcli update

       If used with a credential cache, other attributes of the computer
       account can be changed as well if the principal has sufficient
       privileges.

           $ kinit Administrator
           $ adcli update --login-ccache=/tmp/krbcc_123

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       -N, --computer-name=computer
           The short non-dotted name of the computer account that will be
           created in the domain. If not specified, it will be retrieved from
           the keytab entries.

       -H, --host-fqdn=host
           The local machine's fully qualified domain name. If not specified,
           the local machine's hostname will be retrieved from the keytab
           entries.

       -K, --host-keytab=/path/to/keytab
           Specify the path to the host keytab where current host credentials
           are stored and the new ones will be written to. If not specified,
           the default location will be used, usually /etc/krb5.keytab.

       --os-name=name
           Set the operating system name on the computer account. Not set by
           default.

       --os-service-pack=pack
           Set the operating system service pack on the computer account. Not
           set by default.

       --os-version=version
           Set the operating system version on the computer account. Not set
           by default.

       --service-name=service
           Additional service name for a Kerberos principal to be created on
           the computer account. This option may be specified multiple times.

       --user-principal=host/name@REALM
           Set the userPrincipalName field of the computer account to this
           Kerberos principal.

       --computer-password-lifetime=lifetime
           Only update the password of the computer account if it is older
           than the lifetime given in days. By default the password is updated
           if it is older than 30 days.

       --trusted-for-delegation=yes|no|true|false
           Set or unset the TRUSTED_FOR_DELEGATION flag in the
           userAccountControl attribute, which controls whether Kerberos
           tickets can be forwarded to the host.

       --add-service-principal=service/hostname
           Add a service principal name. In contrast to --service-name, the
           hostname part can be specified as well, in case the service should
           also be accessible under a different host name.

       --remove-service-principal=service/hostname
           Remove a service principal name from the keytab and the AD host
           object.

       --show-details
           After a successful update print out information about the update
           operation. This is output in a format that should be both human
           and machine readable.

       --add-samba-data
           After a successful update add the domain SID and the machine
           account password to the Samba specific databases by calling Samba's
           net utility.

           Please note that Samba's net requires some settings in smb.conf to
           create the database entries correctly. Most important here is
           currently the workgroup option, see smb.conf(5) for details.

       --samba-data-tool=/path/to/net
           If Samba's net cannot be found at /usr/bin/net, this option can be
           used to specify an alternative location with the help of an
           absolute path.

       If supported on the AD side, the msDS-supportedEncryptionTypes attribute
       will be set as well. Either the current value or the default list of
       AD's supported encryption types, filtered by the permitted encryption
       types of the client's Kerberos configuration, is written.

TESTING IF THE MACHINE ACCOUNT PASSWORD IS VALID

       adcli testjoin uses the current credentials in the keytab and tries to
       authenticate with the machine account to the AD domain. If this works,
       the machine account password and the join are still valid. If it fails,
       the machine account password or the whole machine account has to be
       refreshed with adcli join or adcli update.

           $ adcli testjoin

       Only the global options not related to authentication are available;
       additionally you can specify the following options to control how this
       operation is done.

       -K, --host-keytab=/path/to/keytab
           Specify the path to the host keytab where the current host
           credentials are stored. If not specified, the default location
           will be used, usually /etc/krb5.keytab.
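
A maintenance script for the testjoin, update and join cycle described above, added here as an example and not part of adcli or its documentation. It assumes adcli is on PATH, that the domain is the man page's domain.example.com, and that a ticket cache for the fallback join sits at the constructed path in ADMIN_CCACHE:

```shell
#!/bin/sh
# Added example (not from the adcli man page): check the machine account with
# `adcli testjoin`, rotate the password with `adcli update`, and fall back to a
# full `adcli join` that authenticates with an admin ticket cache instead of
# prompting for the Administrator password. Intended for a daily cron job.
set -u

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"               # man page default location
DOMAIN="${DOMAIN:-domain.example.com}"             # man page example domain
ADMIN_CCACHE="${ADMIN_CCACHE:-/tmp/krbcc_admin}"   # assumed admin ticket cache
MAX_AGE_DAYS="${MAX_AGE_DAYS:-30}"                 # adcli's own default is 30

log() {
    printf '%s maintain_join: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >&2
}

# 0 if the keytab still authenticates the machine account, non-zero otherwise.
account_valid() {
    adcli testjoin --host-keytab="$KEYTAB" >/dev/null 2>&1
}

# Rotate the machine password only if it is older than MAX_AGE_DAYS. adcli
# keeps the previous key in the keytab, so DC replication lag cannot lock
# the host out.
rotate_password() {
    adcli update --host-keytab="$KEYTAB" \
        --computer-password-lifetime="$MAX_AGE_DAYS"
}

# Re-create the account and keytab. --no-password guarantees that a cron run
# can never block on a prompt; --show-details leaves an auditable record.
rejoin() {
    adcli join --domain="$DOMAIN" --host-keytab="$KEYTAB" \
        --login-ccache="$ADMIN_CCACHE" --no-password --show-details
}

# Prints the action taken (valid, updated, joined, failed) and returns 0 on
# success or 2 when both repair paths failed.
maintain_join() {
    if account_valid; then
        log "testjoin ok; rotating password if older than $MAX_AGE_DAYS days"
        if rotate_password; then echo valid; return 0; fi
        log "scheduled update failed"
    else
        log "testjoin failed; trying adcli update with the current keytab"
        if adcli update --host-keytab="$KEYTAB"; then echo updated; return 0; fi
    fi
    log "falling back to adcli join with $ADMIN_CCACHE"
    if rejoin; then echo joined; return 0; fi
    log "join failed; the account needs manual attention"
    echo failed
    return 2
}

# Run the cycle only when executed directly, so the functions can be sourced.
case "${0##*/}" in
    maintain_join.sh) maintain_join ;;
esac
```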

CREATING A USER

       adcli create-user creates a new user account in the domain.

           $ adcli create-user Fry --domain=domain.example.com \
                --display-name="Philip J. Fry" --mail=fry@domain.example.com

       In addition to the global options, you can specify the following
       options to control how the user is created.

       --display-name="Name"
           Set the displayName attribute of the newly created user account.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the user
           account. If not specified, then the user account will be created
           in a default location.

       --mail=email@domain.com
           Set the mail attribute of the newly created user account. This
           attribute may be specified multiple times.

       --unix-home=/home/user
           Set the unixHomeDirectory attribute of the newly created user
           account, which should be an absolute path to the user's home
           directory.

       --unix-gid=111
           Set the gidNumber attribute of the newly created user account,
           which should be the user's numeric primary group id.

       --unix-shell=/bin/shell
           Set the loginShell attribute of the newly created user account,
           which should be a path to a valid shell.

       --unix-uid=111
           Set the uidNumber attribute of the newly created user account,
           which should be the user's numeric primary user id.

       --nis-domain=nis_domain
           Set the msSFU30NisDomain attribute of the newly created user
           account, which should be the user's NIS domain if the NIS/YP
           service of Active Directory's Services for Unix (SFU) is used.
           This is needed to let the 'UNIX attributes' tab of older Active
           Directory versions show the UNIX specific attributes that were
           set. If not specified, adcli will try to determine the NIS domain
           automatically if needed.

DELETING A USER

       adcli delete-user deletes a user account from the domain.

           $ adcli delete-user Fry --domain=domain.example.com

       The various global options can be used.

CREATING A GROUP

       adcli create-group creates a new group in the domain.

           $ adcli create-group Pilots --domain=domain.example.com \
                --description="Group for all pilots"

       In addition to the global options, you can specify the following
       options to control how the group is created.

       --description="text"
           Set the description attribute of the newly created group.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the group.
           If not specified, then the group will be created in a default
           location.

DELETING A GROUP

       adcli delete-group deletes a group from the domain.

           $ adcli delete-group Pilots --domain=domain.example.com

       The various global options can be used.

ADDING A MEMBER TO A GROUP

       adcli add-member adds one or more users to a group in the domain. The
       group is specified first, and then the various users to be added.

           $ adcli add-member --domain=domain.example.com Pilots Leela Scruffy

       The various global options can be used.

REMOVING A MEMBER FROM A GROUP

       adcli remove-member removes one or more users from a group in the
       domain. The group is specified first, and then the various users to be
       removed.

           $ adcli remove-member --domain=domain.example.com Pilots Scruffy

       The various global options can be used.

PRESET COMPUTER ACCOUNTS

       adcli preset-computer pre-creates one or more computer accounts in the
       domain for machines to later use when joining the domain. By doing this
       machines can join using a one time password or automatically without a
       password.

           $ adcli preset-computer --domain=domain.example.com \
                host1.example.com host2
           Password for Administrator:

       If the computer names specified contain dots, then they are treated as
       fully qualified host names, otherwise they are treated as short
       computer names. The computer accounts must not already exist.

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the
           computer accounts. If not specified, then the computer accounts
           will be created in a default location.

       --one-time-password
           Specify a one time password to use when presetting the computer
           accounts. If not specified, then a default password will be used,
           which allows for later automatic joins.

       --os-name=name
           Set the operating system name on the computer account. The default
           depends on where adcli was built, but is usually something like
           'linux-gnu'.

       --os-service-pack=pack
           Set the operating system service pack on the computer account. Not
           set by default.

       --os-version=version
           Set the operating system version on the computer account. Not set
           by default.

       --service-name=service
           Additional service name for a Kerberos principal to be created on
           the computer account. This option may be specified multiple times.

       --user-principal
           Set the userPrincipalName field of the computer account to a
           Kerberos principal in the form of host/host.example.com@REALM.
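
The preset workflow from this section together with the one-time-password join from the join section, worked as an added example that is not adcli's own code: an administrator pre-creates the accounts with a random one-time password, and each new machine later joins with that password read from stdin. It assumes adcli is on PATH, that --one-time-password takes its value as --one-time-password=PASSWORD (the man page lists the option without its argument form), and that the admin's ticket cache and OU are the constructed values shown:

```shell
#!/bin/sh
# Added example, not from the adcli man page. Admin side: preset computer
# accounts with a random one-time password (OTP). Machine side: join with that
# OTP delivered on stdin via --stdin-password and --login-type=computer, so the
# secret never appears on a command line, in `ps` output or in shell history.
# Assumption: the OTP is passed to preset-computer as --one-time-password=PW.
set -u

# 48 hex characters from the kernel RNG (constructed here; not an adcli feature).
gen_otp() {
    od -An -N24 -tx1 /dev/urandom | tr -d ' \n'
}

# Arguments: domain, OU distinguished name, admin ticket cache, OTP, then one
# or more computer names (dotted names are taken as FQDNs, the others as short
# names, as the man page describes). --no-password plus the ticket cache
# guarantees the call never prompts, which suits provisioning pipelines.
preset_hosts() {
    domain=$1; ou=$2; ccache=$3; otp=$4; shift 4
    adcli preset-computer --domain="$domain" --domain-ou="$ou" \
        --login-ccache="$ccache" --no-password \
        --one-time-password="$otp" "$@"
}

# Run on the machine being provisioned. The OTP arrives on stdin (for example
# piped in by the provisioning tool); adcli authenticates as the preset
# computer account, so no user credential is needed on the machine at all.
join_with_otp() {
    domain=$1
    adcli join --domain="$domain" --login-type=computer --stdin-password \
        --show-details
}

# Driver, run only when executed directly on the admin host. The join step is
# shown here for illustration; in practice it runs on each new machine.
case "${0##*/}" in
    preset_join.sh)
        otp=$(gen_otp)
        preset_hosts domain.example.com \
            "OU=Servers,DC=domain,DC=example,DC=com" /tmp/krbcc_admin "$otp" \
            host1.domain.example.com host2
        printf '%s\n' "$otp" | join_with_otp domain.example.com
        ;;
esac
```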

RESET COMPUTER ACCOUNT

       adcli reset-computer resets a computer account in the domain. If the
       appropriate machine is currently joined to the domain, then its
       membership will be broken. The account must already exist.

           $ adcli reset-computer --domain=domain.example.com host2

       If the computer names specified contain dots, then they are treated as
       fully qualified host names, otherwise they are treated as short
       computer names.

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       --login-type={computer|user}
           Specify the type of authentication that will be performed before
           resetting the machine account in the domain. If set to 'computer',
           then the computer must already have a preset account in the domain.
           If not specified and none of the other --login-xxx arguments have
           been specified, then adcli will try both 'computer' and 'user'
           authentication.

DELETE COMPUTER ACCOUNT

       adcli delete-computer deletes a computer account in the domain. The
       account must already exist.

           $ adcli delete-computer --domain=domain.example.com host2
           Password for Administrator:

       If the computer name contains a dot, then it is treated as a fully
       qualified host name, otherwise it is treated as a short computer name.

       If no computer name is specified, then the host name of the computer
       adcli is running on is used, as returned by gethostname().

       The various global options can be used.

BUGS

       Please send bug reports to either the distribution bug tracker or the
       upstream bug tracker at
       https://bugs.freedesktop.org/enter_bug.cgi?product=realmd&component=adcli

SEE ALSO

       realmd(8), net(8), sssd(8)

       Further details available in the realmd online documentation at
       http://www.freedesktop.org/software/realmd/



realmd                                                                ADCLI(8)