ADCLI(8)                        System Commands                        ADCLI(8)



NAME
adcli - Tool for performing actions on an Active Directory domain

SYNOPSIS
adcli info domain.example.com

adcli join domain.example.com

adcli update

adcli create-user [--domain=domain.example.com] user

adcli delete-user [--domain=domain.example.com] user

adcli create-group [--domain=domain.example.com] group

adcli delete-group [--domain=domain.example.com] group

adcli add-member [--domain=domain.example.com] group user...

adcli remove-member [--domain=domain.example.com] group user...

adcli preset-computer [--domain=domain.example.com] computer...

adcli reset-computer [--domain=domain.example.com] computer

adcli delete-computer [--domain=domain.example.com] computer

DESCRIPTION
adcli is a command line tool that can perform actions in an Active
Directory domain. Among other things it can be used to join a computer
to a domain.

See the various sub commands below. The following global options can be
used:

-D, --domain=domain
The domain to connect to. If a domain is not specified then the
domain part of the local computer's host name is used.

-R, --domain-realm=REALM
Kerberos realm for the domain. If not specified then the upper
cased domain name is used.

-S, --domain-controller=server
Connect to a specific domain controller. If not specified then an
appropriate domain controller is automatically discovered.

-C, --login-ccache=/path/to/file
Use the specified kerberos credential cache to authenticate with
the domain.

-U, --login-user=User
Use the specified user account to authenticate with the domain. If
not specified then the name 'Administrator' will be used.

--no-password
Don't show prompts for or read a password from input.

-W, --prompt-password
Prompt for a password if necessary. This is the default.

--stdin-password
Read a password from stdin input instead of prompting for a
password.

-v, --verbose
Run in verbose mode with debug output.

INFO
adcli info displays discovered information about an Active Directory
domain or an Active Directory domain controller.

$ adcli info domain.example.com
...

$ adcli info --domain-controller=dc.domain.example.com
...

adcli info will output as much information as it can about the domain.
The information is designed to be both machine and human readable. The
command will exit with a non-zero exit code if the domain does not
exist or cannot be reached.

To show domain info for a specific domain controller use the
--domain-controller option to specify which domain controller to query.

Use the --verbose option to show details of how the domain is
discovered and queried. Many of the global options, in particular
authentication options, are not usable with the adcli info command.

JOIN
adcli join creates a computer account in the domain for the local
machine, and sets up a keytab for the machine. It does not configure an
authentication service (such as sssd).

$ adcli join domain.example.com
Password for Administrator:

In addition to the global options, you can specify the following
options to control how this operation is done.

-N, --computer-name=computer
The short non-dotted name of the computer account that will be
created in the domain. If not specified then the first portion of
the --host-fqdn is used.

-O, --domain-ou=OU=xxx
The full distinguished name of the OU in which to create the
computer account. If not specified then the computer account will
be created in a default location.

-H, --host-fqdn=host
Override the local machine's fully qualified domain name. If not
specified the local machine's hostname will be retrieved via
gethostname().

-K, --host-keytab=/path/to/keytab
Specify the path to the host keytab where host credentials will be
written after a successful join operation. If not specified the
default location will be used, usually /etc/krb5.keytab.

--login-type={computer|user}
Specify the type of authentication that will be performed before
creating the machine account in the domain. If set to 'computer'
then the computer must already have a preset account in the domain.
If not specified and none of the other --login-xxx arguments have
been specified, then adcli will try both 'computer' and 'user'
authentication.

--os-name=name
Set the operating system name on the computer account. The default
depends on where adcli was built, but is usually something like
'linux-gnu'.

--os-service-pack=pack
Set the operating system service pack on the computer account. Not
set by default.

--os-version=version
Set the operating system version on the computer account. Not set
by default.

--service-name=service
Additional service name for a kerberos principal to be created on
the computer account. This option may be specified multiple times.

--user-principal=host/name@REALM
Set the userPrincipalName field of the computer account to this
kerberos principal. If you omit the value for this option, then a
principal will be set in the form of host/host.example.com@REALM

--one-time-password
Specify a one time password for a preset computer account. This is
equivalent to using --login-type=computer and providing a password
as input.

--show-details
After a successful join print out information about the join operation.
This is output in a format that should be both human and machine
readable.

--show-password
After a successful join print out the computer machine account
password. This is output in a format that should be both human and
machine readable.

--add-samba-data
After a successful join add the domain SID and the machine account
password to the Samba specific databases by calling Samba's net
utility.

Please note that Samba's net requires some settings in smb.conf to
create the database entries correctly. Most important here is
currently the workgroup option, see smb.conf(5) for details.

--samba-data-tool=/path/to/net
If Samba's net cannot be found at /usr/bin/net this option can be
used to specify an alternative location with the help of an
absolute path.

UPDATE
adcli update updates the password of the computer account on the domain
controller for the local machine, writes the new keys to the keytab and
removes older keys. It keeps the previous key on purpose because AD
will need some time to replicate the new key to all DCs, hence the
previous key might still be used.

$ adcli update

If used with a credential cache, other attributes of the computer
account can be changed as well if the principal has sufficient
privileges.

$ kinit Administrator
$ adcli update --login-ccache=/tmp/krbcc_123

In addition to the global options, you can specify the following
options to control how this operation is done.

-N, --computer-name=computer
The short non-dotted name of the computer account that will be
created in the domain. If not specified it will be retrieved from
the keytab entries.

-H, --host-fqdn=host
The local machine's fully qualified domain name. If not specified
the local machine's hostname will be retrieved from the keytab
entries.

-K, --host-keytab=/path/to/keytab
Specify the path to the host keytab where current host credentials
are stored and the new ones will be written to. If not specified
the default location will be used, usually /etc/krb5.keytab.

--os-name=name
Set the operating system name on the computer account. Not set by
default.

--os-service-pack=pack
Set the operating system service pack on the computer account. Not
set by default.

--os-version=version
Set the operating system version on the computer account. Not set
by default.

--service-name=service
Additional service name for a Kerberos principal to be created on
the computer account. This option may be specified multiple times.

--user-principal=host/name@REALM
Set the userPrincipalName field of the computer account to this
Kerberos principal.

--computer-password-lifetime=lifetime
Only update the password of the computer account if it is older
than the lifetime given in days. By default the password is updated
if it is older than 30 days.

--show-details
After a successful update print out information about the operation.
This is output in a format that should be both human and machine
readable.

--add-samba-data
After a successful update add the domain SID and the machine account
password to the Samba specific databases by calling Samba's net
utility.

Please note that Samba's net requires some settings in smb.conf to
create the database entries correctly. Most important here is
currently the workgroup option, see smb.conf(5) for details.

--samba-data-tool=/path/to/net
If Samba's net cannot be found at /usr/bin/net this option can be
used to specify an alternative location with the help of an
absolute path.

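The following is an added example (not from the adcli manual or the realmd project) for checking, after adcli update, that the keytab really holds both the previous and the current key as the section above describes, so tickets issued by a DC that has not replicated yet still validate. It assumes the listing comes from MIT Kerberos "klist -k"; the sample listing embedded in the script is constructed.

```shell
#!/bin/sh
# Added example, not part of adcli. Parse a "klist -k" listing (assumed MIT
# format: a header, then "KVNO Principal" rows) and report which key
# versions a principal has. After "adcli update" the host principal should
# show two KVNOs: the previous one kept for DCs that lag in replication and
# the new one. A single KVNO means no rotation was recorded in this keytab.

# Constructed sample output of "klist -k /etc/krb5.keytab".
sample_listing='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/host.example.com@EXAMPLE.COM
   2 HOST/host.example.com@EXAMPLE.COM
   3 host/host.example.com@EXAMPLE.COM
   3 HOST/host.example.com@EXAMPLE.COM
   3 nfs/host.example.com@EXAMPLE.COM'

# Print the distinct KVNOs held for one principal, lowest first, on one line.
# Usage: kvnos_for "<klist -k output>" "<principal>"
kvnos_for() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $2 == p { seen[$1] = 1 }
        END { for (k in seen) print k }' \
    | sort -n | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $1 }'
}

# Succeed (exit 0) when the principal has at least two key versions, i.e.
# a previous and a current key are both present; fail otherwise.
# Usage: rotation_visible "<klist -k output>" "<principal>"
rotation_visible() {
    n=$(kvnos_for "$1" "$2" | wc -w | tr -d ' ')
    [ "$n" -ge 2 ]
}

# Stand-alone run against the constructed listing; replace sample_listing
# with "$(klist -k /etc/krb5.keytab)" on a real host.
p='host/host.example.com@EXAMPLE.COM'
echo "KVNOs for $p: $(kvnos_for "$sample_listing" "$p")"
if rotation_visible "$sample_listing" "$p"; then
    echo "previous and current keys present: rotation recorded"
else
    echo "single key only: no rotation recorded"
fi
```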
CREATE-USER
adcli create-user creates a new user account in the domain.

$ adcli create-user Fry --domain=domain.example.com \
--display-name="Philip J. Fry" --mail=fry@domain.example.com

In addition to the global options, you can specify the following
options to control how the user is created.

--display-name="Name"
Set the displayName attribute of the newly created user account.

-O, --domain-ou=OU=xxx
The full distinguished name of the OU in which to create the user
account. If not specified then the user account will be created
in a default location.

--mail=email@domain.com
Set the mail attribute of the newly created user account. This
attribute may be specified multiple times.

--unix-home=/home/user
Set the unixHomeDirectory attribute of the newly created user
account, which should be an absolute path to the user's home
directory.

--unix-gid=111
Set the gidNumber attribute of the newly created user account, which
should be the user's numeric primary group id.

--unix-shell=/bin/shell
Set the loginShell attribute of the newly created user account, which
should be a path to a valid shell.

--unix-uid=111
Set the uidNumber attribute of the newly created user account, which
should be the user's numeric user id.

DELETE-USER
adcli delete-user deletes a user account from the domain.

$ adcli delete-user Fry --domain=domain.example.com

The various global options can be used.

CREATE-GROUP
adcli create-group creates a new group in the domain.

$ adcli create-group Pilots --domain=domain.example.com \
--description="Group for all pilots"

In addition to the global options, you can specify the following
options to control how the group is created.

--description="text"
Set the description attribute of the newly created group.

-O, --domain-ou=OU=xxx
The full distinguished name of the OU in which to create the group.
If not specified then the group will be created in a default
location.

DELETE-GROUP
adcli delete-group deletes a group from the domain.

$ adcli delete-group Pilots --domain=domain.example.com

The various global options can be used.

ADD-MEMBER
adcli add-member adds one or more users to a group in the domain. The
group is specified first, and then the various users to be added.

$ adcli add-member --domain=domain.example.com Pilots Leela Scruffy

The various global options can be used.

REMOVE-MEMBER
adcli remove-member removes a user from a group in the domain. The
group is specified first, and then the various users to be removed.

$ adcli remove-member --domain=domain.example.com Pilots Scruffy

The various global options can be used.

PRESET-COMPUTER
adcli preset-computer pre-creates one or more computer accounts in the
domain for machines to later use when joining the domain. By doing this
machines can join using a one time password or automatically without a
password.

$ adcli preset-computer --domain=domain.example.com \
host1.example.com host2
Password for Administrator:

If the computer names specified contain dots, then they are treated as
fully qualified host names, otherwise they are treated as short
computer names. The computer accounts must not already exist.

In addition to the global options, you can specify the following
options to control how this operation is done.

-O, --domain-ou=OU=xxx
The full distinguished name of the OU in which to create the
computer accounts. If not specified then the computer account will
be created in a default location.

--one-time-password
Specify a one time password to use when presetting the computer
accounts. If not specified then a default password will be used,
which allows for later automatic joins.

--os-name=name
Set the operating system name on the computer account. The default
depends on where adcli was built, but is usually something like
'linux-gnu'.

--os-service-pack=pack
Set the operating system service pack on the computer account. Not
set by default.

--os-version=version
Set the operating system version on the computer account. Not set
by default.

--service-name=service
Additional service name for a kerberos principal to be created on
the computer account. This option may be specified multiple times.

--user-principal
Set the userPrincipalName field of the computer account to this
kerberos principal in the form of host/host.example.com@REALM

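Added example, not part of the adcli manual or the realmd project: a host joining against an account that an administrator pre-created with adcli preset-computer (this section), using the --login-type=computer and --stdin-password options from the JOIN section so the one-time password is read from a root-only file rather than typed on a command line, where it would be visible to every local user through the process list. The domain, the file paths and the check_secret_file helper are assumptions.

```shell
#!/bin/sh
# Added example, not part of adcli. Join with a preset account: the
# one-time password is fed to "adcli join" on stdin (--stdin-password),
# the file holding it must be owned by the caller and mode 0600/0400,
# it is removed once the join succeeds, and the resulting keytab is
# forced to root-only permissions. Paths below are assumptions.

DOMAIN="domain.example.com"
OTP_FILE="/root/adcli-otp"      # assumed: written by provisioning, mode 0600
KEYTAB="/etc/krb5.keytab"       # the manual's usual default location

# Accept a secret file only if it is a regular file, owned by the caller,
# and readable by nobody else (mode 0600 or 0400). Returns 0 if acceptable.
# Usage: check_secret_file <path>
check_secret_file() {
    f=$1
    [ -f "$f" ] || { echo "missing or not a regular file: $f" >&2; return 1; }
    # GNU stat first, BSD stat as a fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    owner=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f")
    [ "$owner" = "$(id -u)" ] || { echo "not owned by uid $(id -u): $f" >&2; return 1; }
    case "$mode" in
        600|400) return 0 ;;
        *) echo "mode $mode is too permissive: $f" >&2; return 1 ;;
    esac
}

# Join using the preset account. --login-type=computer authenticates as
# the computer itself, so no administrator credentials are needed on the
# host; --stdin-password reads the one-time password from OTP_FILE.
# Usage: join_with_preset [extra adcli join options, e.g. --computer-name=...]
join_with_preset() {
    command -v adcli >/dev/null 2>&1 || { echo "adcli not installed" >&2; return 127; }
    check_secret_file "$OTP_FILE" || return 1
    adcli join --domain="$DOMAIN" --login-type=computer --stdin-password \
        --host-keytab="$KEYTAB" --show-details "$@" < "$OTP_FILE" || return 1
    rm -f "$OTP_FILE"               # one-time password: discard after use
    chmod 600 "$KEYTAB"             # host key must never be world-readable
}
```

Run join_with_preset as root on the new host once provisioning has placed the one-time password in the secret file; extra adcli join options are passed through unchanged.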
RESET-COMPUTER
adcli reset-computer resets a computer account in the domain. If the
appropriate machine is currently joined to the domain, then its
membership will be broken. The account must already exist.

$ adcli reset-computer --domain=domain.example.com host2

If the computer names specified contain dots, then they are treated as
fully qualified host names, otherwise they are treated as short
computer names.

In addition to the global options, you can specify the following
options to control how this operation is done.

--login-type={computer|user}
Specify the type of authentication that will be performed before
resetting the machine account in the domain. If set to 'computer'
then the computer must already have a preset account in the domain.
If not specified and none of the other --login-xxx arguments have
been specified, then adcli will try both 'computer' and 'user'
authentication.

DELETE-COMPUTER
adcli delete-computer deletes a computer account in the domain. The
account must already exist.

$ adcli delete-computer --domain=domain.example.com host2
Password for Administrator:

If the computer name contains a dot, then it is treated as a fully
qualified host name, otherwise it is treated as a short computer name.

If no computer name is specified, then the host name of the computer
adcli is running on is used, as returned by gethostname().

The various global options can be used.

BUGS
Please send bug reports to either the distribution bug tracker or the
upstream bug tracker at
https://bugs.freedesktop.org/enter_bug.cgi?product=realmd&component=adcli

SEE ALSO
realmd(8), net(8), sssd(8)

Further details available in the realmd online documentation at
http://www.freedesktop.org/software/realmd/



realmd                                                                 ADCLI(8)