1ADCLI(8) System Commands ADCLI(8)
2
6 adcli - Tool for performing actions on an Active Directory domain
7
9 adcli info domain.example.com
10 adcli join domain.example.com
12 adcli update
14 adcli create-user [--domain=domain.example.com] user
16 adcli delete-user [--domain=domain.example.com] user
18 adcli create-group [--domain=domain.example.com] user
20 adcli delete-group [--domain=domain.example.com] user
22 adcli add-member [--domain=domain.example.com] group user...
24 adcli remove-member [--domain=domain.example.com] group user...
26 adcli preset-computer [--domain=domain.example.com] computer...
28 adcli reset-computer [--domain=domain.example.com] computer
30 adcli delete-computer [--domain=domain.example.com] computer
32
34 adcli is a command line tool that can perform actions in an Active
35 Directory domain. Among other things it can be used to join a computer
36 to a domain.
37 See the various sub commands below. The following global options can be
39 used:
40 -D, --domain=domain
42 The domain to connect to. If a domain is not specified, then the
43 domain part of the local computer's host name is used.
44 -R, --domain-realm=REALM
46 Kerberos realm for the domain. If not specified, then the upper
47 cased domain name is used.
48 -S, --domain-controller=server
50 Connect to a specific domain controller. If not specified, then an
51 appropriate domain controller is automatically discovered.
52 -C, --login-ccache=ccache_name
54 Use the specified kerberos credential cache to authenticate with
55 the domain. If no credential cache is specified, the default
56 kerberos credential cache will be used. Credential caches of type
57 FILE can be given with the path to the file. For other credential
58 cache types, e.g. DIR, KEYRING or KCM, the type must be specified
59 explicitly together with a suitable identifier.
60 -U, --login-user=User
62 Use the specified user account to authenticate with the domain. If
63 not specified, then the name 'Administrator' will be used.
64 --no-password
66 Don't show prompts for or read a password from input.
67 -W, --prompt-password
69 Prompt for a password if necessary. This is the default.
70 --stdin-password
72 Read a password from stdin input instead of prompting for a
73 password.
74 -v, --verbose
76 Run in verbose mode with debug output.
77
79 adcli info displays discovered information about an Active Directory
80 domain or an Active Directory domain controller.
81 $ adcli info domain.example.com
83 ...
84 $ adcli info --domain-controller=dc.domain.example.com
86 ...
87 adcli info will output as much information as it can about the domain.
89 The information is designed to be both machine and human readable. The
90 command will exit with a non-zero exit code if the domain does not
91 exist or cannot be reached.
92 To show domain info for a specific domain controller use the
94 --domain-controller option to specify which domain controller to query.
95 Use the --verbose option to show details of how the domain is
97 discovered and queried. Many of the global options, in particular
98 authentication options, are not usable with the adcli info command.
99
101 adcli join creates a computer account in the domain for the local
102 machine, and sets up a keytab for the machine. It does not configure an
103 authentication service (such as sssd).
104 $ adcli join domain.example.com
106 Password for Administrator:
107 In addition to the global options, you can specify the following
109 options to control how this operation is done.
110 -N, --computer-name=computer
112 The short non-dotted name of the computer account that will be
113 created in the domain. If not specified, then the first portion of
114 the --host-fqdn is used.
115 -O, --domain-ou=OU=xxx
117 The full distinguished name of the OU in which to create the
118 computer account. If not specified, then the computer account will
119 be created in a default location.
120 -H, --host-fqdn=host
122 Override the local machine's fully qualified domain name. If not
123 specified, the local machine's hostname will be retrieved via
124 gethostname().
125 -K, --host-keytab=/path/to/keytab
127 Specify the path to the host keytab where host credentials will be
128 written after a successful join operation. If not specified, the
129 default location will be used, usually /etc/krb5.keytab.
130 --login-type={computer|user}
132 Specify the type of authentication that will be performed before
133 creating the machine account in the domain. If set to 'computer',
134 then the computer must already have a preset account in the domain.
135 If not specified and none of the other --login-xxx arguments have
136 been specified, then will try both 'computer' and 'user'
137 authentication.
138 --os-name=name
140 Set the operating system name on the computer account. The default
141 depends on where adcli was built, but is usually something like
142 'linux-gnu'.
143 --os-service-pack=pack
145 Set the operating system service pack on the computer account. Not
146 set by default.
147 --os-version=version
149 Set the operating system version on the computer account. Not set
150 by default.
151 --service-name=service
153 Additional service name for a kerberos principal to be created on
154 the computer account. This option may be specified multiple times.
155 --user-principal=host/name@REALM
157 Set the userPrincipalName field of the computer account to this
158 kerberos principal. If you omit the value for this option, then a
159 principal will be set in the form of host/host.example.com@REALM
160 --one-time-password
162 Specify a one time password for a preset computer account. This is
163 equivalent to using --login-type=computer and providing a password
164 as input.
165 --trusted-for-delegation=yes|no|true|false
167 Set or unset the TRUSTED_FOR_DELEGATION flag in the
168 userAccountControl attribute to allow or not allow that Kerberos
169 tickets can be forwarded to the host.
170 --add-service-principal=service/hostname
172 Add a service principal name. In contrast to the --service-name the
173 hostname part can be specified as well in case the service should
174 be accessible with a different host name as well.
175 --show-details
177 After a successful join print out information about join operation.
178 This is output in a format that should be both human and machine
179 readable.
180 --show-password
182 After a successful join print out the computer machine account
183 password. This is output in a format that should be both human and
184 machine readable.
185 --add-samba-data
187 After a successful join add the domain SID and the machine account
188 password to the Samba specific databases by calling Samba's net
189 utility.
190 Please note that Samba's net requires some settings in smb.conf to
192 create the database entries correctly. Most important here is
193 currently the workgroup option, see smb.conf(5) for details.
194 --samba-data-tool=/path/to/net
196 If Samba's net cannot be found at /usr/bin/net, this option can be
197 used to specific an alternative location with the help of an
198 absolute path.
199
201 adcli update updates the password of the computer account on the domain
202 controller for the local machine, write the new keys to the keytab and
203 removes older keys. It keeps the previous key on purpose because AD
204 will need some time to replicate the new key to all DCs hence the
205 previous key might still be used.
206 $ adcli update
208 If used with a credential cache, other attributes of the computer
210 account can be changed as well if the principal has sufficient
211 privileges.
212 $ kinit Administrator
214 $ adcli update --login-ccache=/tmp/krbcc_123
215 In addition to the global options, you can specify the following
217 options to control how this operation is done.
218 -N, --computer-name=computer
220 The short non-dotted name of the computer account that will be
221 created in the domain. If not specified, it will be retrieved from
222 the keytab entries.
223 -H, --host-fqdn=host
225 The local machine's fully qualified domain name. If not specified,
226 the local machine's hostname will be retrieved from the keytab
227 entries.
228 -K, --host-keytab=/path/to/keytab
230 Specify the path to the host keytab where current host credentials
231 are stored and the new ones will be written to. If not specified,
232 the default location will be used, usually /etc/krb5.keytab.
233 --os-name=name
235 Set the operating system name on the computer account. Not set by
236 default.
237 --os-service-pack=pack
239 Set the operating system service pack on the computer account. Not
240 set by default.
241 --os-version=version
243 Set the operating system version on the computer account. Not set
244 by default.
245 --service-name=service
247 Additional service name for a Kerberos principal to be created on
248 the computer account. This option may be specified multiple times.
249 --user-principal=host/name@REALM
251 Set the userPrincipalName field of the computer account to this
252 Kerberos principal.
253 --computer-password-lifetime=lifetime
255 Only update the password of the computer account if it is older
256 than the lifetime given in days. By default the password is updated
257 if it is older than 30 days.
258 --trusted-for-delegation=yes|no|true|false
260 Set or unset the TRUSTED_FOR_DELEGATION flag in the
261 userAccountControl attribute to allow or not allow that Kerberos
262 tickets can be forwarded to the host.
263 --add-service-principal=service/hostname
265 Add a service principal name. In contrast to the --service-name the
266 hostname part can be specified as well in case the service should
267 be accessible with a different host name as well.
268 --remove-service-principal=service/hostname
270 Remove a service principal name from the keytab and the AD host
271 object.
272 --show-details
274 After a successful join print out information about join operation.
275 This is output in a format that should be both human and machine
276 readable.
277 --add-samba-data
279 After a successful join add the domain SID and the machine account
280 password to the Samba specific databases by calling Samba's net
281 utility.
282 Please note that Samba's net requires some settings in smb.conf to
284 create the database entries correctly. Most important here is
285 currently the workgroup option, see smb.conf(5) for details.
286 --samba-data-tool=/path/to/net
288 If Samba's net cannot be found at /usr/bin/net, this option can be
289 used to specific an alternative location with the help of an
290 absolute path.
291
293 adcli create-user creates a new user account in the domain.
294 $ adcli create-user Fry --domain=domain.example.com \
296 --display-name="Philip J. Fry" --mail=fry@domain.example.com
297 In addition to the global options, you can specify the following
299 options to control how the user is created.
300 --display-name="Name"
302 Set the displayName attribute of the new created user account.
303 -O, --domain-ou=OU=xxx
305 The full distinguished name of the OU in which to create the user
306 account. If not specified, then the computer account will be
307 created in a default location.
308 --mail=email@domain.com
310 Set the mail attribute of the new created user account. This
311 attribute may be specified multiple times.
312 --unix-home=/home/user
314 Set the unixHomeDirectory attribute of the new created user
315 account, which should be an absolute path to the user's home
316 directory.
317 --unix-gid=111
319 Set the gidNumber attribute of the new created user account, which
320 should be the user's numeric primary group id.
321 --unix-shell=/bin/shell
323 Set the loginShell attribute of the new created user account, which
324 should be a path to a valid shell.
325 --unix-uid=111
327 Set the uidNumber attribute of the new created user account, which
328 should be the user's numeric primary user id.
329
331 adcli delete-user deletes a user account from the domain.
332 $ adcli delete-user Fry --domain=domain.example.com
334 The various global options can be used.
336
338 adcli create-group creates a new group in the domain.
339 $ adcli create-group Pilots --domain=domain.example.com \
341 --description="Group for all pilots"
342 In addition to the global options, you can specify the following
344 options to control how the group is created.
345 --description="text"
347 Set the description attribute of the new created group.
348 -O, --domain-ou=OU=xxx
350 The full distinguished name of the OU in which to create the group.
351 If not specified, then the group will be created in a default
352 location.
353
355 adcli delete-group deletes a group from the domain.
356 $ adcli delete-group Pilots --domain=domain.example.com
358 The various global options can be used.
360
362 adcli add-member adds one or more users to a group in the domain. The
363 group is specified first, and then the various users to be added.
364 $ adcli add-member --domain=domain.example.com Pilots Leela Scruffy
366 The various global options can be used.
368
370 adcli remove-member removes a user from a group in the domain. The
371 group is specified first, and then the various users to be removed.
372 $ adcli remove-member --domain=domain.example.com Pilots Scruffy
374 The various global options can be used.
376
378 adcli preset-computer pre-creates one or more computer accounts in the
379 domain for machines to later use when joining the domain. By doing this
380 machines can join using a one time password or automatically without a
381 password.
382 $ adcli preset-computer --domain=domain.example.com \
384 host1.example.com host2
385 Password for Administrator:
386 If the computer names specified contain dots, then they are treated as
388 fully qualified host names, otherwise they are treated as short
389 computer names. The computer accounts must not already exist.
390 In addition to the global options, you can specify the following
392 options to control how this operation is done.
393 -O, --domain-ou=OU=xxx
395 The full distinguished name of the OU in which to create the
396 computer accounts. If not specified, then the computer account will
397 be created in a default location.
398 --one-time-password
400 Specify a one time password to use when presetting the computer
401 accounts. If not specified, then a default password will be used,
402 which allows for later automatic joins.
403 --os-name=name
405 Set the operating system name on the computer account. The default
406 depends on where adcli was built, but is usually something like
407 'linux-gnu'.
408 --os-service-pack=pack
410 Set the operating system service pack on the computer account. Not
411 set by default.
412 --os-version=version
414 Set the operating system version on the computer account. Not set
415 by default.
416 --service-name=service
418 Additional service name for a kerberos principal to be created on
419 the computer account. This option may be specified multiple times.
420 --user-principal
422 Set the userPrincipalName field of the computer account to this
423 kerberos principal in the form of host/host.example.com@REALM
424
426 adcli reset-computer resets a computer account in the domain. If the
427 appropriate machine is currently joined to the domain, then its
428 membership will be broken. The account must already exist.
429 $ adcli reset-computer --domain=domain.example.com host2
431 If the computer names specified contain dots, then they are treated as
433 fully qualified host names, otherwise they are treated as short
434 computer names.
435 In addition to the global options, you can specify the following
437 options to control how this operation is done.
438 --login-type={computer|user}
440 Specify the type of authentication that will be performed before
441 creating the machine account in the domain. If set to 'computer',
442 then the computer must already have a preset account in the domain.
443 If not specified and none of the other --login-xxx arguments have
444 been specified, then will try both 'computer' and 'user'
445 authentication.
446
448 adcli delete-computer deletes a computer account in the domain. The
449 account must already exist.
450 $ adcli delete-computer --domain=domain.example.com host2
452 Password for Administrator:
453 If the computer name contains a dot, then it is treated as fully
455 qualified host name, otherwise it is treated as short computer name.
456 If no computer name is specified, then the host name of the computer
458 adcli is running on is used, as returned by gethostname().
459 The various global options can be used.
461
463 Please send bug reports to either the distribution bug tracker or the
464 upstream bug tracker at
465 https://bugs.freedesktop.org/enter_bug.cgi?product=realmd&component=adcli
466
468 realmd(8), net(8), sssd(8)
469 Further details available in the realmd online documentation at
471 http://www.freedesktop.org/software/realmd/
472realmd ADCLI(8)