ADCLI(8)                       System Commands                       ADCLI(8)

NAME
       adcli - Tool for performing actions on an Active Directory domain

SYNOPSIS
       adcli info domain.example.com

       adcli join domain.example.com

       adcli update

       adcli testjoin

       adcli create-user [--domain=domain.example.com] user

       adcli delete-user [--domain=domain.example.com] user

       adcli create-group [--domain=domain.example.com] group

       adcli delete-group [--domain=domain.example.com] group

       adcli add-member [--domain=domain.example.com] group user...

       adcli remove-member [--domain=domain.example.com] group user...

       adcli preset-computer [--domain=domain.example.com] computer...

       adcli reset-computer [--domain=domain.example.com] computer

       adcli delete-computer [--domain=domain.example.com] [computer]

DESCRIPTION
       adcli is a command line tool that can perform actions in an Active
       Directory domain. Among other things it can be used to join a computer
       to a domain.

       See the various sub commands below. The following global options can be
       used:

       -D, --domain=domain
           The domain to connect to. If a domain is not specified, then the
           domain part of the local computer's host name is used.

       -R, --domain-realm=REALM
           Kerberos realm for the domain. If not specified, then the upper
           cased domain name is used.

       -S, --domain-controller=server
           Connect to a specific domain controller. If not specified, then an
           appropriate domain controller is automatically discovered.

       -C, --login-ccache=ccache_name
           Use the specified Kerberos credential cache to authenticate with
           the domain. If no credential cache is specified, the default
           Kerberos credential cache will be used. Credential caches of type
           FILE can be given with the path to the file. For other credential
           cache types, e.g. DIR, KEYRING or KCM, the type must be specified
           explicitly together with a suitable identifier.

       -U, --login-user=User
           Use the specified user account to authenticate with the domain. If
           not specified, then the name 'Administrator' will be used.

       --no-password
           Don't show prompts for or read a password from input.

       -W, --prompt-password
           Prompt for a password if necessary. This is the default.

       --stdin-password
           Read a password from stdin input instead of prompting for a
           password.

       -v, --verbose
           Run in verbose mode with debug output.

INFO
       adcli info displays discovered information about an Active Directory
       domain or an Active Directory domain controller.

       $ adcli info domain.example.com
       ...

       $ adcli info --domain-controller=dc.domain.example.com
       ...

       adcli info will output as much information as it can about the domain.
       The information is designed to be both machine and human readable. The
       command will exit with a non-zero exit code if the domain does not
       exist or cannot be reached.

       To show domain info for a specific domain controller, use the
       --domain-controller option to specify which domain controller to query.

       Use the --verbose option to show details of how the domain is
       discovered and queried. Many of the global options, in particular the
       authentication options, are not usable with the adcli info command.

JOIN
       adcli join creates a computer account in the domain for the local
       machine, and sets up a keytab for the machine. It does not configure an
       authentication service (such as sssd).

       $ adcli join domain.example.com
       Password for Administrator:

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       -N, --computer-name=computer
           The short non-dotted name of the computer account that will be
           created in the domain. If not specified, then the first portion of
           the --host-fqdn is used.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the
           computer account. If not specified, then the computer account will
           be created in a default location.

       -H, --host-fqdn=host
           Override the local machine's fully qualified domain name. If not
           specified, the local machine's hostname will be retrieved via
           gethostname(). If gethostname() only returns a short name,
           getaddrinfo() with the AI_CANONNAME hint is called to expand the
           name to a fully qualified domain name.

       -K, --host-keytab=/path/to/keytab
           Specify the path to the host keytab where host credentials will be
           written after a successful join operation. If not specified, the
           default location will be used, usually /etc/krb5.keytab.

       --login-type={computer|user}
           Specify the type of authentication that will be performed before
           creating the machine account in the domain. If set to 'computer',
           then the computer must already have a preset account in the domain.
           If not specified and none of the other --login-xxx arguments have
           been specified, then it will try both 'computer' and 'user'
           authentication.

       --os-name=name
           Set the operating system name on the computer account. The default
           depends on where adcli was built, but is usually something like
           'linux-gnu'.

       --os-service-pack=pack
           Set the operating system service pack on the computer account. Not
           set by default.

       --os-version=version
           Set the operating system version on the computer account. Not set
           by default.

       --service-name=service
           Additional service name for a Kerberos principal to be created on
           the computer account. This option may be specified multiple times.

       --user-principal=host/name@REALM
           Set the userPrincipalName field of the computer account to this
           Kerberos principal. If you omit the value for this option, then a
           principal will be set in the form of host/host.example.com@REALM.

       --one-time-password
           Specify a one time password for a preset computer account. This is
           equivalent to using --login-type=computer and providing a password
           as input.

       --trusted-for-delegation=yes|no|true|false
           Set or unset the TRUSTED_FOR_DELEGATION flag in the
           userAccountControl attribute to allow or disallow forwarding of
           Kerberos tickets to the host.

       --add-service-principal=service/hostname
           Add a service principal name. Unlike --service-name, the hostname
           part can be specified as well, for the case where the service
           should also be reachable under a different host name.

       --show-details
           After a successful join, print out information about the join
           operation. This is output in a format that should be both human
           and machine readable.

       --show-password
           After a successful join, print out the computer machine account
           password. This is output in a format that should be both human and
           machine readable.

       --add-samba-data
           After a successful join, add the domain SID and the machine account
           password to the Samba specific databases by calling Samba's net
           utility.

           Please note that Samba's net requires some settings in smb.conf to
           create the database entries correctly. Most important here is
           currently the workgroup option, see smb.conf(5) for details.

       --samba-data-tool=/path/to/net
           If Samba's net cannot be found at /usr/bin/net, this option can be
           used to specify an alternative location with the help of an
           absolute path.

       If supported on the AD side, the msDS-supportedEncryptionTypes attribute
       will be set as well. Either the current value or the default list of
       AD's supported encryption types, filtered by the permitted encryption
       types of the client's Kerberos configuration, is written.

UPDATE
       adcli update updates the password of the computer account on the domain
       controller for the local machine, writes the new keys to the keytab and
       removes older keys. It keeps the previous key on purpose, because AD
       needs some time to replicate the new key to all DCs and the previous
       key might still be in use.

       $ adcli update

       If used with a credential cache, other attributes of the computer
       account can be changed as well if the principal has sufficient
       privileges.

       $ kinit Administrator
       $ adcli update --login-ccache=/tmp/krbcc_123

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       -N, --computer-name=computer
           The short non-dotted name of the computer account that will be
           created in the domain. If not specified, it will be retrieved from
           the keytab entries.

       -H, --host-fqdn=host
           The local machine's fully qualified domain name. If not specified,
           the local machine's hostname will be retrieved from the keytab
           entries.

       -K, --host-keytab=/path/to/keytab
           Specify the path to the host keytab where current host credentials
           are stored and the new ones will be written to. If not specified,
           the default location will be used, usually /etc/krb5.keytab.

       --os-name=name
           Set the operating system name on the computer account. Not set by
           default.

       --os-service-pack=pack
           Set the operating system service pack on the computer account. Not
           set by default.

       --os-version=version
           Set the operating system version on the computer account. Not set
           by default.

       --service-name=service
           Additional service name for a Kerberos principal to be created on
           the computer account. This option may be specified multiple times.

       --user-principal=host/name@REALM
           Set the userPrincipalName field of the computer account to this
           Kerberos principal.

       --computer-password-lifetime=lifetime
           Only update the password of the computer account if it is older
           than the lifetime given in days. By default the password is updated
           if it is older than 30 days.

       --trusted-for-delegation=yes|no|true|false
           Set or unset the TRUSTED_FOR_DELEGATION flag in the
           userAccountControl attribute to allow or disallow forwarding of
           Kerberos tickets to the host.

       --add-service-principal=service/hostname
           Add a service principal name. Unlike --service-name, the hostname
           part can be specified as well, for the case where the service
           should also be reachable under a different host name.

       --remove-service-principal=service/hostname
           Remove a service principal name from the keytab and the AD host
           object.

       --show-details
           After a successful join, print out information about the join
           operation. This is output in a format that should be both human
           and machine readable.

       --add-samba-data
           After a successful join, add the domain SID and the machine account
           password to the Samba specific databases by calling Samba's net
           utility.

           Please note that Samba's net requires some settings in smb.conf to
           create the database entries correctly. Most important here is
           currently the workgroup option, see smb.conf(5) for details.

       --samba-data-tool=/path/to/net
           If Samba's net cannot be found at /usr/bin/net, this option can be
           used to specify an alternative location with the help of an
           absolute path.

       If supported on the AD side, the msDS-supportedEncryptionTypes attribute
       will be set as well. Either the current value or the default list of
       AD's supported encryption types, filtered by the permitted encryption
       types of the client's Kerberos configuration, is written.

TESTJOIN
       adcli testjoin uses the current credentials in the keytab and tries to
       authenticate with the machine account to the AD domain. If this works,
       the machine account password and the join are still valid. If it fails,
       the machine account password or the whole machine account has to be
       refreshed with adcli join or adcli update.

       $ adcli testjoin

       Only the global options not related to authentication are available;
       additionally you can specify the following options to control how this
       operation is done.

       -K, --host-keytab=/path/to/keytab
           Specify the path to the host keytab where current host credentials
           are stored and the new ones will be written to. If not specified,
           the default location will be used, usually /etc/krb5.keytab.

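       The UPDATE and TESTJOIN sections above, as an added example that is not
       part of the adcli man page: a POSIX shell script that checks the machine
       account with adcli testjoin, falls back to adcli update when the check
       fails, and verifies from klist -k output that the keytab holds exactly
       the current and the previous key version, which is the state adcli
       update leaves behind. klist from MIT Kerberos is assumed as the local
       tooling, and the principal name, keytab path and klist listing are
       constructed sample values.

```shell
#!/bin/sh
# Added example, not part of adcli: keytab key-version check plus
# testjoin/update fallback for an already joined host.

# Print the distinct KVNOs stored for one principal, lowest first, given the
# output of "klist -k KEYTAB" on stdin. Entry lines look like
# "   3 host/host1.example.com@EXAMPLE.COM" (KVNO, then principal); klist
# prints one line per encryption type, so the same KVNO can repeat.
kvnos_for_principal() {
    awk -v p="$1" '$2 == p { print $1 }' | sort -n -u
}

# Read a real keytab (assumes MIT Kerberos klist is installed).
keytab_kvnos() {
    klist -k "$1" | kvnos_for_principal "$2"
}

# adcli update keeps the previous key on purpose while AD replicates the new
# one, so a freshly updated keytab holds exactly two versions of each
# principal: the current KVNO and the one before it. Input as for
# kvnos_for_principal. Returns 0 when that holds, 1 otherwise.
has_current_and_previous_kvno() {
    n=$(kvnos_for_principal "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 2 ]
}

# Check the join with adcli testjoin (keytab credentials only, no password
# needed). If it fails, refresh the machine account password with
# adcli update, which also uses the keytab credentials. Prints what happened
# and returns non-zero only if the update failed too.
ensure_joined() {
    keytab=${1:-/etc/krb5.keytab}
    if adcli testjoin --host-keytab="$keytab" >/dev/null 2>&1; then
        echo "join-valid"
        return 0
    fi
    if adcli update --host-keytab="$keytab" >/dev/null 2>&1; then
        echo "password-refreshed"
        return 0
    fi
    echo "update-failed"
    return 1
}
```

       Run ensure_joined from a timer or cron job; keytab_kvnos afterwards
       shows whether the old key is still present for clients that hold
       tickets issued against it.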
CREATE USER
       adcli create-user creates a new user account in the domain.

       $ adcli create-user Fry --domain=domain.example.com \
           --display-name="Philip J. Fry" --mail=fry@domain.example.com

       In addition to the global options, you can specify the following
       options to control how the user is created.

       --display-name="Name"
           Set the displayName attribute of the newly created user account.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the user
           account. If not specified, then the user account will be created
           in a default location.

       --mail=email@domain.com
           Set the mail attribute of the newly created user account. This
           attribute may be specified multiple times.

       --unix-home=/home/user
           Set the unixHomeDirectory attribute of the newly created user
           account, which should be an absolute path to the user's home
           directory.

       --unix-gid=111
           Set the gidNumber attribute of the newly created user account, which
           should be the user's numeric primary group id.

       --unix-shell=/bin/shell
           Set the loginShell attribute of the newly created user account,
           which should be a path to a valid shell.

       --unix-uid=111
           Set the uidNumber attribute of the newly created user account, which
           should be the user's numeric primary user id.

       --nis-domain=nis_domain
           Set the msSFU30NisDomain attribute of the newly created user
           account, which should be the user's NIS domain if the NIS/YP
           services of Active Directory's Services for Unix (SFU) are used.
           This is needed to let the 'UNIX attributes' tab of older Active
           Directory versions show the UNIX specific attributes that were set.
           If not specified, adcli will try to determine the NIS domain
           automatically if needed.

DELETE USER
       adcli delete-user deletes a user account from the domain.

       $ adcli delete-user Fry --domain=domain.example.com

       The various global options can be used.

CREATE GROUP
       adcli create-group creates a new group in the domain.

       $ adcli create-group Pilots --domain=domain.example.com \
           --description="Group for all pilots"

       In addition to the global options, you can specify the following
       options to control how the group is created.

       --description="text"
           Set the description attribute of the newly created group.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the group.
           If not specified, then the group will be created in a default
           location.

DELETE GROUP
       adcli delete-group deletes a group from the domain.

       $ adcli delete-group Pilots --domain=domain.example.com

       The various global options can be used.

ADD MEMBER
       adcli add-member adds one or more users to a group in the domain. The
       group is specified first, and then the various users to be added.

       $ adcli add-member --domain=domain.example.com Pilots Leela Scruffy

       The various global options can be used.

REMOVE MEMBER
       adcli remove-member removes one or more users from a group in the
       domain. The group is specified first, and then the various users to be
       removed.

       $ adcli remove-member --domain=domain.example.com Pilots Scruffy

       The various global options can be used.

PRESET COMPUTER
       adcli preset-computer pre-creates one or more computer accounts in the
       domain for machines to later use when joining the domain. By doing this,
       machines can join using a one time password or automatically without a
       password.

       $ adcli preset-computer --domain=domain.example.com \
           host1.example.com host2
       Password for Administrator:

       If the computer names specified contain dots, then they are treated as
       fully qualified host names, otherwise they are treated as short
       computer names. The computer accounts must not already exist.

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the
           computer accounts. If not specified, then the computer accounts
           will be created in a default location.

       --one-time-password
           Specify a one time password to use when presetting the computer
           accounts. If not specified, then a default password will be used,
           which allows for later automatic joins.

       --os-name=name
           Set the operating system name on the computer account. The default
           depends on where adcli was built, but is usually something like
           'linux-gnu'.

       --os-service-pack=pack
           Set the operating system service pack on the computer account. Not
           set by default.

       --os-version=version
           Set the operating system version on the computer account. Not set
           by default.

       --service-name=service
           Additional service name for a Kerberos principal to be created on
           the computer account. This option may be specified multiple times.

       --user-principal
           Set the userPrincipalName field of the computer account to a
           Kerberos principal of the form host/host.example.com@REALM.

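       The preset-computer plus one-time-password flow from the PRESET
       COMPUTER and JOIN sections, as an added example that is not part of the
       adcli man page: an admin-side function that presets the account using
       an existing credential cache instead of an Administrator password
       prompt, and a client-side function that joins with the one time
       password supplied on stdin. The value-taking form
       --one-time-password=PASSWORD is assumed from the tool's behaviour (the
       man page lists only the option name), and the DOMAIN variable, host
       names, OU and paths are constructed values.

```shell
#!/bin/sh
# Added example, not part of adcli: provision a host with a preset computer
# account and a one time password, then join from the client with it.
DOMAIN=${DOMAIN:-domain.example.com}   # assumed value for the example

# Generate a random one time password: 24 characters from [A-Za-z0-9].
new_otp() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# Admin side: pre-create the computer account in the given OU with the OTP.
# An existing Kerberos credential cache (optional 4th argument) is used so no
# administrator password has to be typed into or stored by a script.
# The --one-time-password=VALUE form is assumed (see lead-in).
preset_host() {
    host=$1 otp=$2 ou=$3 ccache=${4:-}
    set -- preset-computer --domain="$DOMAIN" --domain-ou="$ou" \
           --one-time-password="$otp"
    [ -n "$ccache" ] && set -- "$@" --login-ccache="$ccache"
    adcli "$@" "$host"
}

# Client side: join with the preset account. The OTP is passed on stdin
# (--stdin-password), so it never shows up on the command line or in the
# process list, and --login-type=computer keeps adcli from falling back to
# prompting for the Administrator password when the OTP is wrong.
join_with_otp() {
    host=$1 otp=$2 keytab=${3:-/etc/krb5.keytab}
    printf '%s\n' "$otp" | adcli join --domain="$DOMAIN" \
        --login-type=computer --stdin-password \
        --host-fqdn="$host" --host-keytab="$keytab" --show-details
}
```

       The OTP only has to travel from the admin host to the new machine once,
       and a failed join leaves nothing more than a preset account that can be
       removed with adcli delete-computer.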
RESET COMPUTER
       adcli reset-computer resets a computer account in the domain. If the
       appropriate machine is currently joined to the domain, then its
       membership will be broken. The account must already exist.

       $ adcli reset-computer --domain=domain.example.com host2

       If the computer names specified contain dots, then they are treated as
       fully qualified host names, otherwise they are treated as short
       computer names.

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       --login-type={computer|user}
           Specify the type of authentication that will be performed before
           creating the machine account in the domain. If set to 'computer',
           then the computer must already have a preset account in the domain.
           If not specified and none of the other --login-xxx arguments have
           been specified, then it will try both 'computer' and 'user'
           authentication.

DELETE COMPUTER
       adcli delete-computer deletes a computer account in the domain. The
       account must already exist.

       $ adcli delete-computer --domain=domain.example.com host2
       Password for Administrator:

       If the computer name contains a dot, then it is treated as a fully
       qualified host name, otherwise it is treated as a short computer name.

       If no computer name is specified, then the host name of the computer
       adcli is running on is used, as returned by gethostname().

       The various global options can be used.

BUGS
       Please send bug reports to either the distribution bug tracker or the
       upstream bug tracker at
       https://bugs.freedesktop.org/enter_bug.cgi?product=realmd&component=adcli

SEE ALSO
       realmd(8), net(8), sssd(8)

       Further details available in the realmd online documentation at
       http://www.freedesktop.org/software/realmd/

realmd                                                               ADCLI(8)