ADCLI(8)                        System Commands                       ADCLI(8)

NAME
    adcli - Tool for performing actions on an Active Directory domain

SYNOPSIS
    adcli info domain.example.com

    adcli join domain.example.com

    adcli update

    adcli testjoin

    adcli create-user [--domain=domain.example.com] user

    adcli delete-user [--domain=domain.example.com] user

    adcli create-group [--domain=domain.example.com] group

    adcli delete-group [--domain=domain.example.com] group

    adcli add-member [--domain=domain.example.com] group user...

    adcli remove-member [--domain=domain.example.com] group user...

    adcli preset-computer [--domain=domain.example.com] computer...

    adcli reset-computer [--domain=domain.example.com] computer

    adcli delete-computer [--domain=domain.example.com] computer

    adcli show-computer [--domain=domain.example.com] computer

DESCRIPTION
    adcli is a command line tool that can perform actions in an Active
    Directory domain. Among other things it can be used to join a computer
    to a domain.

    See the various sub commands below. The following global options can be
    used:

    -D, --domain=domain
        The domain to connect to. If a domain is not specified, then the
        domain part of the local computer's host name is used.

    -R, --domain-realm=REALM
        Kerberos realm for the domain. If not specified, then the
        upper-cased domain name is used.

    -S, --domain-controller=server
        Connect to a specific domain controller. If not specified, then an
        appropriate domain controller is automatically discovered.

    --use-ldaps
        Connect to the domain controller with LDAPS. By default the LDAP
        port is used and SASL GSS-SPNEGO or GSSAPI is used for
        authentication and to establish encryption. This should satisfy all
        requirements set on the server side, and LDAPS should only be used
        if the LDAP port is not accessible due to firewalls or other
        reasons.

        Please note that the location of the CA certificates used to
        validate the AD DC certificates must be configured in the OpenLDAP
        configuration file, e.g. /etc/openldap/ldap.conf. Alternatively it
        can be specified with an environment variable, e.g.

        $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com
        ...

        Please see ldap.conf(5) for details.

    -C, --login-ccache=ccache_name
        Use the specified Kerberos credential cache to authenticate with
        the domain. If no credential cache is specified, the default
        Kerberos credential cache will be used. Credential caches of type
        FILE can be given with the path to the file. For other credential
        cache types, e.g. DIR, KEYRING or KCM, the type must be specified
        explicitly together with a suitable identifier.

    -U, --login-user=User
        Use the specified user account to authenticate with the domain. If
        not specified, then the name 'Administrator' will be used.

    --no-password
        Don't show prompts for or read a password from input.

    -W, --prompt-password
        Prompt for a password if necessary. This is the default.

    --stdin-password
        Read a password from stdin input instead of prompting for a
        password.

    -v, --verbose
        Run in verbose mode with debug output.

INFO
    adcli info displays discovered information about an Active Directory
    domain or an Active Directory domain controller.

    $ adcli info domain.example.com
    ...

    $ adcli info --domain-controller=dc.domain.example.com
    ...

    adcli info will output as much information as it can about the domain.
    The information is designed to be both machine and human readable. The
    command will exit with a non-zero exit code if the domain does not
    exist or cannot be reached.

    To show domain info for a specific domain controller use the
    --domain-controller option to specify which domain controller to query.

    Use the --verbose option to show details of how the domain is
    discovered and queried. Many of the global options, in particular
    authentication options, are not usable with the adcli info command.

JOIN
    adcli join creates a computer account in the domain for the local
    machine, and sets up a keytab for the machine. It does not configure an
    authentication service (such as sssd).

    $ adcli join domain.example.com
    Password for Administrator:

    In addition to the global options, you can specify the following
    options to control how this operation is done.

    -N, --computer-name=computer
        The short non-dotted name of the computer account that will be
        created in the domain. If not specified, then the first portion of
        the --host-fqdn is used.

    -O, --domain-ou=OU=xxx
        The full distinguished name of the OU in which to create the
        computer account. If not specified, then the computer account will
        be created in a default location.

    -H, --host-fqdn=host
        Override the local machine's fully qualified domain name. If not
        specified, the local machine's hostname will be retrieved via
        gethostname(). If gethostname() only returns a short name,
        getaddrinfo() with the AI_CANONNAME hint is called to expand the
        name to a fully qualified domain name.

    -K, --host-keytab=/path/to/keytab
        Specify the path to the host keytab where host credentials will be
        written after a successful join operation. If not specified, the
        default location will be used, usually /etc/krb5.keytab.

    --login-type={computer|user}
        Specify the type of authentication that will be performed before
        creating the machine account in the domain. If set to 'computer',
        then the computer must already have a preset account in the domain.
        If not specified and none of the other --login-xxx arguments have
        been specified, then adcli will try both 'computer' and 'user'
        authentication.

    --os-name=name
        Set the operating system name on the computer account. The default
        depends on where adcli was built, but is usually something like
        'linux-gnu'.

    --os-service-pack=pack
        Set the operating system service pack on the computer account. Not
        set by default.

    --os-version=version
        Set the operating system version on the computer account. Not set
        by default.

    --description=description
        Set the description attribute on the computer account. Not set by
        default.

    --service-name=service
        Additional service name for a Kerberos principal to be created on
        the computer account. This option may be specified multiple times.

    --user-principal=host/name@REALM
        Set the userPrincipalName field of the computer account to this
        Kerberos principal. If you omit the value for this option, then a
        principal will be set in the form of host/host.example.com@REALM.

    --one-time-password
        Specify a one time password for a preset computer account. This is
        equivalent to using --login-type=computer and providing a password
        as input.

    --trusted-for-delegation=yes|no|true|false
        Set or unset the TRUSTED_FOR_DELEGATION flag in the
        userAccountControl attribute, which allows or disallows forwarding
        of Kerberos tickets to the host.

    --add-service-principal=service/hostname
        Add a service principal name. In contrast to --service-name, the
        hostname part can be specified as well, for the case where the
        service should also be reachable under a different host name.

    --show-details
        After a successful join print out information about the join
        operation. This is output in a format that should be both human
        and machine readable.

    --show-password
        After a successful join print out the computer machine account
        password. This is output in a format that should be both human and
        machine readable.

    --add-samba-data
        After a successful join add the domain SID and the machine account
        password to the Samba specific databases by calling Samba's net
        utility.

        Please note that Samba's net requires some settings in smb.conf to
        create the database entries correctly. Most important here is
        currently the workgroup option, see smb.conf(5) for details.

    --samba-data-tool=/path/to/net
        If Samba's net cannot be found at /usr/bin/net, this option can be
        used to specify an alternative location with the help of an
        absolute path.

    If supported on the AD side, the msDS-supportedEncryptionTypes attribute
    will be set as well. Either the current value or the default list of
    AD's supported encryption types, filtered by the permitted encryption
    types of the client's Kerberos configuration, is written.

UPDATE
    adcli update updates the password of the computer account on the domain
    controller for the local machine, writes the new keys to the keytab and
    removes older keys. It keeps the previous key on purpose because AD
    needs some time to replicate the new key to all DCs, so the previous
    key might still be in use.

    $ adcli update

    If used with a credential cache, other attributes of the computer
    account can be changed as well if the principal has sufficient
    privileges.

    $ kinit Administrator
    $ adcli update --login-ccache=/tmp/krbcc_123

    In addition to the global options, you can specify the following
    options to control how this operation is done.

    -N, --computer-name=computer
        The short non-dotted name of the computer account that will be
        created in the domain. If not specified, it will be retrieved from
        the keytab entries.

    -H, --host-fqdn=host
        The local machine's fully qualified domain name. If not specified,
        the local machine's hostname will be retrieved from the keytab
        entries.

    -K, --host-keytab=/path/to/keytab
        Specify the path to the host keytab where the current host
        credentials are stored and the new ones will be written to. If not
        specified, the default location will be used, usually
        /etc/krb5.keytab.

    --os-name=name
        Set the operating system name on the computer account. Not set by
        default.

    --os-service-pack=pack
        Set the operating system service pack on the computer account. Not
        set by default.

    --os-version=version
        Set the operating system version on the computer account. Not set
        by default.

    --description=description
        Set the description attribute on the computer account. Not set by
        default.

    --service-name=service
        Additional service name for a Kerberos principal to be created on
        the computer account. This option may be specified multiple times.

    --user-principal=host/name@REALM
        Set the userPrincipalName field of the computer account to this
        Kerberos principal.

    --computer-password-lifetime=lifetime
        Only update the password of the computer account if it is older
        than the lifetime given in days. By default the password is updated
        if it is older than 30 days.

    --trusted-for-delegation=yes|no|true|false
        Set or unset the TRUSTED_FOR_DELEGATION flag in the
        userAccountControl attribute, which allows or disallows forwarding
        of Kerberos tickets to the host.

    --add-service-principal=service/hostname
        Add a service principal name. In contrast to --service-name, the
        hostname part can be specified as well, for the case where the
        service should also be reachable under a different host name.

    --remove-service-principal=service/hostname
        Remove a service principal name from the keytab and the AD host
        object.

    --show-details
        After a successful join print out information about the join
        operation. This is output in a format that should be both human
        and machine readable.

    --add-samba-data
        After a successful join add the domain SID and the machine account
        password to the Samba specific databases by calling Samba's net
        utility.

        Please note that Samba's net requires some settings in smb.conf to
        create the database entries correctly. Most important here is
        currently the workgroup option, see smb.conf(5) for details.

        Note that if the machine account password is not older than 30
        days, you have to pass --computer-password-lifetime=0 to force the
        update.

    --samba-data-tool=/path/to/net
        If Samba's net cannot be found at /usr/bin/net, this option can be
        used to specify an alternative location with the help of an
        absolute path.

    If supported on the AD side, the msDS-supportedEncryptionTypes attribute
    will be set as well. Either the current value or the default list of
    AD's supported encryption types, filtered by the permitted encryption
    types of the client's Kerberos configuration, is written.
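
    The two decisions described above, the --computer-password-lifetime age
    check and the removal of old keys that keeps the previous kvno, as an
    added Python example that is not part of adcli. The KeytabEntry type,
    the pwdLastSet value and the keytab entries are constructed for the
    example.

```python
# Added example, not adcli's own code: models the two decisions adcli update
# makes, the --computer-password-lifetime age check on pwdLastSet and the
# pruning of old keytab entries that keeps the previous kvno.
import time
from dataclasses import dataclass
from typing import Iterable, List, Optional

FILETIME_EPOCH_OFFSET = 11_644_473_600  # seconds from 1601-01-01 to 1970-01-01 UTC
TICKS_PER_SECOND = 10_000_000           # an AD FILETIME counts 100-ns ticks
DEFAULT_LIFETIME_DAYS = 30              # man page default for --computer-password-lifetime


def filetime_to_unix(filetime: int) -> float:
    """Convert an AD FILETIME value such as pwdLastSet to a Unix timestamp."""
    return filetime / TICKS_PER_SECOND - FILETIME_EPOCH_OFFSET


def password_age_days(pwd_last_set: int, now_unix: Optional[float] = None) -> float:
    now = time.time() if now_unix is None else now_unix
    return (now - filetime_to_unix(pwd_last_set)) / 86400


def needs_rotation(pwd_last_set: int, now_unix: Optional[float] = None,
                   lifetime_days: int = DEFAULT_LIFETIME_DAYS) -> bool:
    """Rotate only if the password is older than the lifetime; passing 0
    (--computer-password-lifetime=0) therefore forces the rotation."""
    return password_age_days(pwd_last_set, now_unix) > lifetime_days


@dataclass(frozen=True)
class KeytabEntry:  # assumed representation of one keytab entry
    principal: str
    kvno: int
    enctype: str


def prune_keytab(entries: Iterable[KeytabEntry], keep_versions: int = 2) -> List[KeytabEntry]:
    """Keep the newest `keep_versions` kvnos of each principal (the current
    key and the previous one) and drop older entries. The previous kvno
    stays because DCs that have not yet replicated the new password still
    issue tickets encrypted with the old key."""
    entries = list(entries)
    versions = {}
    for e in entries:
        versions.setdefault(e.principal, set()).add(e.kvno)
    keep = {p: sorted(v, reverse=True)[:keep_versions] for p, v in versions.items()}
    return [e for e in entries if e.kvno in keep[e.principal]]


# Constructed sample: keys left over from three rotations of the host principal.
SAMPLE_ENTRIES = [
    KeytabEntry("host/host.example.com@DOMAIN.EXAMPLE.COM", 3, "aes256-cts-hmac-sha1-96"),
    KeytabEntry("host/host.example.com@DOMAIN.EXAMPLE.COM", 4, "aes256-cts-hmac-sha1-96"),
    KeytabEntry("host/host.example.com@DOMAIN.EXAMPLE.COM", 4, "aes128-cts-hmac-sha1-96"),
    KeytabEntry("host/host.example.com@DOMAIN.EXAMPLE.COM", 5, "aes256-cts-hmac-sha1-96"),
    KeytabEntry("host/host.example.com@DOMAIN.EXAMPLE.COM", 5, "aes128-cts-hmac-sha1-96"),
    KeytabEntry("HOST$@DOMAIN.EXAMPLE.COM", 5, "aes256-cts-hmac-sha1-96"),
]

if __name__ == "__main__":
    pwd_last_set = 133485408000000000  # constructed: 2024-01-01 00:00:00 UTC
    print("rotate now:", needs_rotation(pwd_last_set))
    for e in prune_keytab(SAMPLE_ENTRIES):
        print(e.kvno, e.principal, e.enctype)
```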
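
    The msDS-supportedEncryptionTypes rule that closes both the JOIN and the
    UPDATE section, as an added Python example that is not adcli's code: the
    AD list is filtered by permitted_enctypes from a constructed krb5.conf.
    The bit values are AD's documented flags for the attribute; the default
    mask 0x1c (RC4, AES128, AES256) and applying the filter to an existing
    attribute value as well are assumptions made for the example.

```python
# Added example, not adcli's own code. Derives the msDS-supportedEncryptionTypes
# value to write from AD's default list (or the attribute's current value),
# filtered by the client's permitted_enctypes from krb5.conf.
import re
from typing import List, Optional

# Documented AD bit flags for msDS-SupportedEncryptionTypes.
AD_ENCTYPE_BITS = {
    "des-cbc-crc": 0x01,
    "des-cbc-md5": 0x02,
    "rc4-hmac": 0x04,
    "aes128-cts-hmac-sha1-96": 0x08,
    "aes256-cts-hmac-sha1-96": 0x10,
}
AD_DEFAULT_MASK = 0x1C  # assumed default list: RC4, AES128, AES256

# krb5.conf spellings (MIT aliases and family names) mapped onto the AD flags.
ALIASES = {
    "arcfour-hmac": ["rc4-hmac"], "arcfour-hmac-md5": ["rc4-hmac"], "rc4": ["rc4-hmac"],
    "aes128-cts": ["aes128-cts-hmac-sha1-96"], "aes128-sha1": ["aes128-cts-hmac-sha1-96"],
    "aes256-cts": ["aes256-cts-hmac-sha1-96"], "aes256-sha1": ["aes256-cts-hmac-sha1-96"],
    "aes": ["aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"],
    "des": ["des-cbc-crc", "des-cbc-md5"],
}


def parse_permitted_enctypes(krb5_conf: str) -> Optional[List[str]]:
    """Return the permitted_enctypes list from [libdefaults], or None when the
    key is absent (then no client-side filter applies in this model)."""
    section = None
    for raw in krb5_conf.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "libdefaults" and key.strip().lower() == "permitted_enctypes":
            return value.split()
    return None


def enctype_mask(names: List[str]) -> int:
    """AD flag mask for the given krb5 enctype names; names AD has no flag
    for (for example the aes-sha2 types) contribute nothing."""
    mask = 0
    for name in names:
        n = name.lower().lstrip("+")
        for canonical in ALIASES.get(n, [n]):
            mask |= AD_ENCTYPE_BITS.get(canonical, 0)
    return mask


def supported_enctypes_value(krb5_conf: str, current: Optional[int] = None) -> int:
    """Value to write: the current attribute value if set, else the default
    list, filtered by the client's permitted enctypes. A result of 0 means
    client and AD share no enctype; treat that as an error, not a value to write."""
    base = AD_DEFAULT_MASK if current is None else current
    permitted = parse_permitted_enctypes(krb5_conf)
    return base if permitted is None else base & enctype_mask(permitted)


SAMPLE_KRB5_CONF = """\
# constructed sample krb5.conf
[libdefaults]
    default_realm = DOMAIN.EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
    DOMAIN.EXAMPLE.COM = {
        kdc = dc.domain.example.com
    }
"""

if __name__ == "__main__":
    print(hex(supported_enctypes_value(SAMPLE_KRB5_CONF)))        # 0x18
    print(hex(supported_enctypes_value(SAMPLE_KRB5_CONF, 0x1F)))  # 0x18
```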

TESTJOIN
    adcli testjoin uses the current credentials in the keytab and tries to
    authenticate with the machine account to the AD domain. If this works,
    the machine account password and the join are still valid. If it fails,
    the machine account password or the whole machine account has to be
    refreshed with adcli join or adcli update.

    $ adcli testjoin

    Only the global options not related to authentication are available;
    additionally, you can specify the following options to control how this
    operation is done.

    -K, --host-keytab=/path/to/keytab
        Specify the path to the host keytab where the current host
        credentials are stored and the new ones will be written to. If not
        specified, the default location will be used, usually
        /etc/krb5.keytab.

CREATE-USER
    adcli create-user creates a new user account in the domain.

    $ adcli create-user Fry --domain=domain.example.com \
          --display-name="Philip J. Fry" --mail=fry@domain.example.com

    In addition to the global options, you can specify the following
    options to control how the user is created.

    --display-name="Name"
        Set the displayName attribute of the newly created user account.

    -O, --domain-ou=OU=xxx
        The full distinguished name of the OU in which to create the user
        account. If not specified, then the user account will be created
        in a default location.

    --mail=email@domain.com
        Set the mail attribute of the newly created user account. This
        attribute may be specified multiple times.

    --unix-home=/home/user
        Set the unixHomeDirectory attribute of the newly created user
        account, which should be an absolute path to the user's home
        directory.

    --unix-gid=111
        Set the gidNumber attribute of the newly created user account,
        which should be the user's numeric primary group id.

    --unix-shell=/bin/shell
        Set the loginShell attribute of the newly created user account,
        which should be a path to a valid shell.

    --unix-uid=111
        Set the uidNumber attribute of the newly created user account,
        which should be the user's numeric user id.

    --nis-domain=nis_domain
        Set the msSFU30NisDomain attribute of the newly created user
        account, which should be the user's NIS domain if the NIS/YP
        service of Active Directory's Services for Unix (SFU) is used. This
        is needed to let the 'UNIX attributes' tab of older Active Directory
        versions show the UNIX specific attributes that were set. If not
        specified, adcli will try to determine the NIS domain automatically
        if needed.

DELETE-USER
    adcli delete-user deletes a user account from the domain.

    $ adcli delete-user Fry --domain=domain.example.com

    The various global options can be used.

CREATE-GROUP
    adcli create-group creates a new group in the domain.

    $ adcli create-group Pilots --domain=domain.example.com \
          --description="Group for all pilots"

    In addition to the global options, you can specify the following
    options to control how the group is created.

    --description="text"
        Set the description attribute of the newly created group.

    -O, --domain-ou=OU=xxx
        The full distinguished name of the OU in which to create the group.
        If not specified, then the group will be created in a default
        location.

DELETE-GROUP
    adcli delete-group deletes a group from the domain.

    $ adcli delete-group Pilots --domain=domain.example.com

    The various global options can be used.

ADD-MEMBER
    adcli add-member adds one or more users to a group in the domain. The
    group is specified first, and then the various users to be added.

    $ adcli add-member --domain=domain.example.com Pilots Leela Scruffy

    The various global options can be used.

REMOVE-MEMBER
    adcli remove-member removes one or more users from a group in the
    domain. The group is specified first, and then the various users to be
    removed.

    $ adcli remove-member --domain=domain.example.com Pilots Scruffy

    The various global options can be used.

PRESET-COMPUTER
    adcli preset-computer pre-creates one or more computer accounts in the
    domain for machines to later use when joining the domain. By doing this,
    machines can join using a one time password or automatically without a
    password.

    $ adcli preset-computer --domain=domain.example.com \
          host1.example.com host2
    Password for Administrator:

    If the computer names specified contain dots, then they are treated as
    fully qualified host names, otherwise they are treated as short
    computer names. The computer accounts must not already exist.

    In addition to the global options, you can specify the following
    options to control how this operation is done.

    -O, --domain-ou=OU=xxx
        The full distinguished name of the OU in which to create the
        computer accounts. If not specified, then the computer accounts will
        be created in a default location.

    --one-time-password
        Specify a one time password to use when presetting the computer
        accounts. If not specified, then a default password will be used,
        which allows for later automatic joins.

    --os-name=name
        Set the operating system name on the computer account. The default
        depends on where adcli was built, but is usually something like
        'linux-gnu'.

    --os-service-pack=pack
        Set the operating system service pack on the computer account. Not
        set by default.

    --os-version=version
        Set the operating system version on the computer account. Not set
        by default.

    --service-name=service
        Additional service name for a Kerberos principal to be created on
        the computer account. This option may be specified multiple times.

    --user-principal
        Set the userPrincipalName field of the computer account to a
        Kerberos principal in the form of host/host.example.com@REALM.

RESET-COMPUTER
    adcli reset-computer resets a computer account in the domain. If the
    appropriate machine is currently joined to the domain, then its
    membership will be broken. The account must already exist.

    $ adcli reset-computer --domain=domain.example.com host2

    If the computer names specified contain dots, then they are treated as
    fully qualified host names, otherwise they are treated as short
    computer names.

    In addition to the global options, you can specify the following
    options to control how this operation is done.

    --login-type={computer|user}
        Specify the type of authentication that will be performed before
        creating the machine account in the domain. If set to 'computer',
        then the computer must already have a preset account in the domain.
        If not specified and none of the other --login-xxx arguments have
        been specified, then adcli will try both 'computer' and 'user'
        authentication.

DELETE-COMPUTER
    adcli delete-computer deletes a computer account in the domain. The
    account must already exist.

    $ adcli delete-computer --domain=domain.example.com host2
    Password for Administrator:

    If the computer name contains a dot, then it is treated as a fully
    qualified host name, otherwise it is treated as a short computer name.

    If no computer name is specified, then the host name of the computer
    adcli is running on is used, as returned by gethostname().

    The various global options can be used.

SHOW-COMPUTER
    adcli show-computer shows the computer account attributes stored in AD.
    The account must already exist.

    $ adcli show-computer --domain=domain.example.com host2
    Password for Administrator:

    If the computer name contains a dot, then it is treated as a fully
    qualified host name, otherwise it is treated as a short computer name.

    If no computer name is specified, then the host name of the computer
    adcli is running on is used, as returned by gethostname().

    The various global options can be used.

BUGS
    Please send bug reports to either the distribution bug tracker or the
    upstream bug tracker at
    https://bugs.freedesktop.org/enter_bug.cgi?product=realmd&component=adcli

SEE ALSO
    realmd(8), net(8), sssd(8)

    Further details available in the realmd online documentation at
    http://www.freedesktop.org/software/realmd/

realmd                                                                ADCLI(8)