ADCLI(8)                         System Commands                       ADCLI(8)

NAME

       adcli - Tool for performing actions on an Active Directory domain


SYNOPSIS

       adcli info domain.example.com

       adcli join domain.example.com

       adcli update

       adcli testjoin

       adcli create-user [--domain=domain.example.com] user

       adcli delete-user [--domain=domain.example.com] user

       adcli create-group [--domain=domain.example.com] group

       adcli delete-group [--domain=domain.example.com] group

       adcli add-member [--domain=domain.example.com] group user...

       adcli remove-member [--domain=domain.example.com] group user...

       adcli preset-computer [--domain=domain.example.com] computer...

       adcli reset-computer [--domain=domain.example.com] computer

       adcli delete-computer [--domain=domain.example.com] computer

       adcli show-computer [--domain=domain.example.com] computer


GENERAL OVERVIEW

       adcli is a command line tool that can perform actions in an Active
       Directory domain. Among other things it can be used to join a computer
       to a domain.

       See the various sub commands below. The following global options can be
       used:

       -D, --domain=domain
           The domain to connect to. If a domain is not specified, then the
           domain part of the local computer's host name is used.

       -R, --domain-realm=REALM
           Kerberos realm for the domain. If not specified, then the upper
           cased domain name is used.

       -S, --domain-controller=server
           Connect to a specific domain controller. If not specified, then an
           appropriate domain controller is automatically discovered.

       --use-ldaps
           Connect to the domain controller with LDAPS. By default the LDAP
           port is used and SASL GSS-SPNEGO or GSSAPI is used for
           authentication and to establish encryption. This should satisfy all
           requirements set on the server side; LDAPS should only be used
           if the LDAP port is not accessible due to firewalls or other
           reasons.

           Please note that the place where CA certificates can be found to
           validate the AD DC certificates must be configured in the OpenLDAP
           configuration file, e.g. /etc/openldap/ldap.conf. As an
           alternative it can be specified with the help of an environment
           variable, e.g.

               $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com
               ...

           Please see ldap.conf(5) for details.

       -C, --login-ccache=ccache_name
           Use the specified Kerberos credential cache to authenticate with
           the domain. If no credential cache is specified, the default
           Kerberos credential cache will be used. Credential caches of type
           FILE can be given with the path to the file. For other credential
           cache types, e.g. DIR, KEYRING or KCM, the type must be specified
           explicitly together with a suitable identifier.

       -U, --login-user=User
           Use the specified user account to authenticate with the domain. If
           not specified, then the name 'Administrator' will be used.

       --no-password
           Don't show prompts for or read a password from input.

       -W, --prompt-password
           Prompt for a password if necessary. This is the default.

       --stdin-password
           Read a password from stdin input instead of prompting for a
           password.

       -v, --verbose
           Run in verbose mode with debug output.


QUERYING DOMAIN INFORMATION

       adcli info displays discovered information about an Active Directory
       domain or an Active Directory domain controller.

           $ adcli info domain.example.com
           ...

           $ adcli info --domain-controller=dc.domain.example.com
           ...

       adcli info will output as much information as it can about the domain.
       The information is designed to be both machine and human readable. The
       command will exit with a non-zero exit code if the domain does not
       exist or cannot be reached.

       To show domain info for a specific domain controller use the
       --domain-controller option to specify which domain controller to query.

       Use the --verbose option to show details of how the domain is
       discovered and queried. Many of the global options, in particular
       authentication options, are not usable with the adcli info command.


JOINING THE LOCAL MACHINE TO A DOMAIN

       adcli join creates a computer account in the domain for the local
       machine, and sets up a keytab for the machine. It does not configure an
       authentication service (such as sssd).

           $ adcli join domain.example.com
           Password for Administrator:

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       -N, --computer-name=computer
           The short non-dotted name of the computer account that will be
           created in the domain. If not specified, then the first portion of
           the --host-fqdn is used.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the
           computer account. If not specified, then the computer account will
           be created in a default location.

       -H, --host-fqdn=host
           Override the local machine's fully qualified domain name. If not
           specified, the local machine's hostname will be retrieved via
           gethostname(). If gethostname() only returns a short name,
           getaddrinfo() with the AI_CANONNAME hint is called to expand the
           name to a fully qualified domain name.

       -K, --host-keytab=/path/to/keytab
           Specify the path to the host keytab where host credentials will be
           written after a successful join operation. If not specified, the
           default location will be used, usually /etc/krb5.keytab.

       --login-type={computer|user}
           Specify the type of authentication that will be performed before
           creating the machine account in the domain. If set to 'computer',
           then the computer must already have a preset account in the domain.
           If not specified and none of the other --login-xxx arguments have
           been specified, then adcli will try both 'computer' and 'user'
           authentication.

       --os-name=name
           Set the operating system name on the computer account. The default
           depends on where adcli was built, but is usually something like
           'linux-gnu'.

       --os-service-pack=pack
           Set the operating system service pack on the computer account. Not
           set by default.

       --os-version=version
           Set the operating system version on the computer account. Not set
           by default.

       --description=description
           Set the description attribute on the computer account. Not set by
           default.

       --service-name=service
           Additional service name for a Kerberos principal to be created on
           the computer account. This option may be specified multiple times.

       --user-principal=host/name@REALM
           Set the userPrincipalName field of the computer account to this
           Kerberos principal. If you omit the value for this option, then a
           principal will be set in the form of host/host.example.com@REALM.

       --one-time-password
           Specify a one time password for a preset computer account. This is
           equivalent to using --login-type=computer and providing a password
           as input.

       --trusted-for-delegation=yes|no|true|false
           Set or unset the TRUSTED_FOR_DELEGATION flag in the
           userAccountControl attribute, which controls whether Kerberos
           tickets may be forwarded to the host.

       --add-service-principal=service/hostname
           Add a service principal name. In contrast to --service-name, the
           hostname part can be specified as well, in case the service should
           also be reachable under a different host name.

       --show-details
           After a successful join print out information about the join
           operation. This is output in a format that should be both human
           and machine readable.

       --show-password
           After a successful join print out the computer machine account
           password. This is output in a format that should be both human and
           machine readable.

       --add-samba-data
           After a successful join add the domain SID and the machine account
           password to the Samba specific databases by calling Samba's net
           utility.

           Please note that Samba's net requires some settings in smb.conf to
           create the database entries correctly. Most important here is
           currently the workgroup option, see smb.conf(5) for details.

       --samba-data-tool=/path/to/net
           If Samba's net cannot be found at /usr/bin/net, this option can be
           used to specify an alternative location with the help of an
           absolute path.

       If supported on the AD side the msDS-supportedEncryptionTypes attribute
       will be set as well. Either the current value or the default list of
       AD's supported encryption types filtered by the permitted encryption
       types of the client's Kerberos configuration are written.


UPDATING THE MACHINE ACCOUNT PASSWORD AND OTHER ATTRIBUTES

       adcli update updates the password of the computer account on the domain
       controller for the local machine, writes the new keys to the keytab and
       removes older keys. It keeps the previous key on purpose because AD
       will need some time to replicate the new key to all DCs, hence the
       previous key might still be used.

           $ adcli update

       If used with a credential cache, other attributes of the computer
       account can be changed as well if the principal has sufficient
       privileges.

           $ kinit Administrator
           $ adcli update --login-ccache=/tmp/krbcc_123

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       -N, --computer-name=computer
           The short non-dotted name of the computer account that will be
           created in the domain. If not specified, it will be retrieved from
           the keytab entries.

       -H, --host-fqdn=host
           The local machine's fully qualified domain name. If not specified,
           the local machine's hostname will be retrieved from the keytab
           entries.

       -K, --host-keytab=/path/to/keytab
           Specify the path to the host keytab where current host credentials
           are stored and the new ones will be written to. If not specified,
           the default location will be used, usually /etc/krb5.keytab.

       --os-name=name
           Set the operating system name on the computer account. Not set by
           default.

       --os-service-pack=pack
           Set the operating system service pack on the computer account. Not
           set by default.

       --os-version=version
           Set the operating system version on the computer account. Not set
           by default.

       --description=description
           Set the description attribute on the computer account. Not set by
           default.

       --service-name=service
           Additional service name for a Kerberos principal to be created on
           the computer account. This option may be specified multiple times.

       --user-principal=host/name@REALM
           Set the userPrincipalName field of the computer account to this
           Kerberos principal.

       --computer-password-lifetime=lifetime
           Only update the password of the computer account if it is older
           than the lifetime given in days. By default the password is updated
           if it is older than 30 days.

       --trusted-for-delegation=yes|no|true|false
           Set or unset the TRUSTED_FOR_DELEGATION flag in the
           userAccountControl attribute, which controls whether Kerberos
           tickets may be forwarded to the host.

       --add-service-principal=service/hostname
           Add a service principal name. In contrast to --service-name, the
           hostname part can be specified as well, in case the service should
           also be reachable under a different host name.

       --remove-service-principal=service/hostname
           Remove a service principal name from the keytab and the AD host
           object.

       --show-details
           After a successful join print out information about the join
           operation. This is output in a format that should be both human
           and machine readable.

       --add-samba-data
           After a successful join add the domain SID and the machine account
           password to the Samba specific databases by calling Samba's net
           utility.

           Please note that Samba's net requires some settings in smb.conf to
           create the database entries correctly. Most important here is
           currently the workgroup option, see smb.conf(5) for details.

           Note that if the machine account password is not older than 30
           days, you have to pass --computer-password-lifetime=0 to force the
           update.

       --samba-data-tool=/path/to/net
           If Samba's net cannot be found at /usr/bin/net, this option can be
           used to specify an alternative location with the help of an
           absolute path.

       If supported on the AD side the msDS-supportedEncryptionTypes attribute
       will be set as well. Either the current value or the default list of
       AD's supported encryption types filtered by the permitted encryption
       types of the client's Kerberos configuration are written.

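       The msDS-supportedEncryptionTypes filtering described for both adcli
       join and adcli update, shown as an added shell example that is not part
       of adcli: it maps the enctype names a client lists in krb5.conf
       (permitted_enctypes) onto the attribute's bit values and intersects them
       with AD's default list. The bit values are the attribute's documented
       ones; the default list (RC4, AES128, AES256) and the function names are
       assumptions made here.

```sh
#!/bin/sh
# Added example: compute the msDS-supportedEncryptionTypes value that results
# from filtering AD's default list by the client's permitted enctypes.
# Not adcli's own code; how adcli builds the list internally may differ.

# Bit values of msDS-supportedEncryptionTypes (AD schema):
#   1 DES_CBC_CRC, 2 DES_CBC_MD5, 4 RC4_HMAC, 8 AES128_CTS, 16 AES256_CTS
# Assumed AD default list: RC4 + AES128 + AES256 = 28.
AD_DEFAULT_ENCTYPES=28

# Map one krb5 enctype name (as written in permitted_enctypes) to its bit.
enctype_bit() {
    case "$1" in
        aes256-cts-hmac-sha1-96|aes256-cts|aes256-sha1) echo 16 ;;
        aes128-cts-hmac-sha1-96|aes128-cts|aes128-sha1) echo 8 ;;
        arcfour-hmac|arcfour-hmac-md5|rc4-hmac)          echo 4 ;;
        des-cbc-md5)                                     echo 2 ;;
        des-cbc-crc)                                     echo 1 ;;
        *)                                               echo 0 ;;  # no AD bit (e.g. aes256-sha2)
    esac
}

# OR together the bits of every enctype name given as an argument.
enctype_mask() {
    mask=0
    for name in "$@"; do
        mask=$(( mask | $(enctype_bit "$name") ))
    done
    echo "$mask"
}

# Value to write: AD's default list filtered by what the client permits.
supported_enctypes_value() {
    echo $(( AD_DEFAULT_ENCTYPES & $(enctype_mask "$@") ))
}

# Render a value back into enctype names for a human-readable check.
describe_mask() {
    v=$1; out=""
    [ $(( v & 16 )) -ne 0 ] && out="$out aes256-cts-hmac-sha1-96"
    [ $(( v & 8 ))  -ne 0 ] && out="$out aes128-cts-hmac-sha1-96"
    [ $(( v & 4 ))  -ne 0 ] && out="$out arcfour-hmac"
    [ $(( v & 3 ))  -ne 0 ] && out="$out des"
    echo "${out# }"
}

# Usage: feed the permitted_enctypes line of krb5.conf to the function, e.g.
#   supported_enctypes_value $(sed -n 's/^ *permitted_enctypes *= *//p' /etc/krb5.conf)
```

       A client that permits only AES yields 24 (AES128 + AES256), so an
       RC4-only entry on the AD side would indicate a stale value worth
       checking with adcli show-computer.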

TESTING IF THE MACHINE ACCOUNT PASSWORD IS VALID

       adcli testjoin uses the current credentials in the keytab and tries to
       authenticate with the machine account to the AD domain. If this works
       the machine account password and the join are still valid. If it fails
       the machine account password or the whole machine account have to be
       refreshed with adcli join or adcli update.

           $ adcli testjoin

       Only the global options not related to authentication are available;
       additionally you can specify the following options to control how this
       operation is done.

       -K, --host-keytab=/path/to/keytab
           Specify the path to the host keytab where current host credentials
           are stored and the new ones will be written to. If not specified,
           the default location will be used, usually /etc/krb5.keytab.

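       An added shell routine (not part of adcli or this manual) that combines
       adcli testjoin and adcli update into a periodic machine-account check: a
       keytab that still authenticates is refreshed honouring
       --computer-password-lifetime, a keytab that no longer authenticates is
       reported so the host can be re-joined. ADCLI, KEYTAB and LIFETIME_DAYS
       are variables assumed here so the command and paths can be overridden.

```sh
#!/bin/sh
# Added example: periodic machine-account check built on adcli testjoin and
# adcli update. Not adcli's own code. ADCLI and KEYTAB may be overridden from
# the environment; LIFETIME_DAYS mirrors adcli update's 30 day default.
ADCLI=${ADCLI:-adcli}
KEYTAB=${KEYTAB:-/etc/krb5.keytab}
LIFETIME_DAYS=${LIFETIME_DAYS:-30}

# Returns 0 if the keytab still authenticates the machine account.
join_is_valid() {
    "$ADCLI" testjoin --host-keytab="$KEYTAB" >/dev/null 2>&1
}

# Rotate the machine account password if it is older than $1 days
# (0 forces the rotation); --show-details reports what was written.
rotate_password() {
    "$ADCLI" update --host-keytab="$KEYTAB" \
        --computer-password-lifetime="$1" \
        --show-details
}

# Main routine. Prints one status line and returns:
#   0  join valid, update run (rotated only if older than LIFETIME_DAYS)
#   1  join broken: the keytab no longer authenticates, re-join needed
#   2  join valid but the update failed (DC unreachable, no rights, ...)
check_machine_account() {
    if ! join_is_valid; then
        echo "BROKEN: $KEYTAB no longer authenticates; run adcli join"
        return 1
    fi
    if rotate_password "$LIFETIME_DAYS" >/dev/null 2>&1; then
        echo "OK: machine account valid, update run with lifetime $LIFETIME_DAYS"
        return 0
    fi
    echo "WARN: machine account valid but adcli update failed"
    return 2
}
```

       Call check_machine_account from a cron job or systemd timer; its exit
       code distinguishes a host that merely needs attention (2) from one that
       has lost its join (1).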

CREATING A USER

       adcli create-user creates a new user account in the domain.

           $ adcli create-user Fry --domain=domain.example.com \
                --display-name="Philip J. Fry" --mail=fry@domain.example.com

       In addition to the global options, you can specify the following
       options to control how the user is created.

       --display-name="Name"
           Set the displayName attribute of the newly created user account.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the user
           account. If not specified, then the user account will be created
           in a default location.

       --mail=email@domain.com
           Set the mail attribute of the newly created user account. This
           attribute may be specified multiple times.

       --unix-home=/home/user
           Set the unixHomeDirectory attribute of the newly created user
           account, which should be an absolute path to the user's home
           directory.

       --unix-gid=111
           Set the gidNumber attribute of the newly created user account,
           which should be the user's numeric primary group id.

       --unix-shell=/bin/shell
           Set the loginShell attribute of the newly created user account,
           which should be a path to a valid shell.

       --unix-uid=111
           Set the uidNumber attribute of the newly created user account,
           which should be the user's numeric primary user id.

       --nis-domain=nis_domain
           Set the msSFU30NisDomain attribute of the newly created user
           account, which should be the user's NIS domain if the NIS/YP
           service of Active Directory's Services for Unix (SFU) is used.
           This is needed to let the 'UNIX attributes' tab of older Active
           Directory versions show the UNIX specific attributes that were
           set. If not specified adcli will try to determine the NIS domain
           automatically if needed.


DELETING A USER

       adcli delete-user deletes a user account from the domain.

           $ adcli delete-user Fry --domain=domain.example.com

       The various global options can be used.


CREATING A GROUP

       adcli create-group creates a new group in the domain.

           $ adcli create-group Pilots --domain=domain.example.com \
                --description="Group for all pilots"

       In addition to the global options, you can specify the following
       options to control how the group is created.

       --description="text"
           Set the description attribute of the newly created group.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the group.
           If not specified, then the group will be created in a default
           location.


DELETING A GROUP

       adcli delete-group deletes a group from the domain.

           $ adcli delete-group Pilots --domain=domain.example.com

       The various global options can be used.


ADDING A MEMBER TO A GROUP

       adcli add-member adds one or more users to a group in the domain. The
       group is specified first, and then the various users to be added.

           $ adcli add-member --domain=domain.example.com Pilots Leela Scruffy

       The various global options can be used.


REMOVING A MEMBER FROM A GROUP

       adcli remove-member removes a user from a group in the domain. The
       group is specified first, and then the various users to be removed.

           $ adcli remove-member --domain=domain.example.com Pilots Scruffy

       The various global options can be used.


PRESET COMPUTER ACCOUNTS

       adcli preset-computer pre-creates one or more computer accounts in the
       domain for machines to later use when joining the domain. By doing this
       machines can join using a one time password or automatically without a
       password.

           $ adcli preset-computer --domain=domain.example.com \
                host1.example.com host2
           Password for Administrator:

       If the computer names specified contain dots, then they are treated as
       fully qualified host names, otherwise they are treated as short
       computer names. The computer accounts must not already exist.

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the
           computer accounts. If not specified, then the computer account will
           be created in a default location.

       --one-time-password
           Specify a one time password to use when presetting the computer
           accounts. If not specified, then a default password will be used,
           which allows for later automatic joins.

       --os-name=name
           Set the operating system name on the computer account. The default
           depends on where adcli was built, but is usually something like
           'linux-gnu'.

       --os-service-pack=pack
           Set the operating system service pack on the computer account. Not
           set by default.

       --os-version=version
           Set the operating system version on the computer account. Not set
           by default.

       --service-name=service
           Additional service name for a Kerberos principal to be created on
           the computer account. This option may be specified multiple times.

       --user-principal
           Set the userPrincipalName field of the computer account to this
           Kerberos principal in the form of host/host.example.com@REALM.

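       The preset-then-join procedure above, as an added shell example that is
       not part of adcli: the admin side presets each computer account with a
       random one-time password (authenticating with an existing ticket cache
       as in the adcli update example), stores the OTP for out-of-band
       hand-over, and the host side joins with it and verifies with adcli
       testjoin. Assumed here: --one-time-password takes the password as its
       value, the admin has run kinit and exported KRB5CCNAME, and the
       function names, OTP length and file layout are this example's own.

```sh
#!/bin/sh
# Added example (not adcli's own code): preset computer accounts with a
# one-time password (admin side) and join with it (host side), so the host
# never handles domain admin credentials. Assumptions: --one-time-password
# takes the password as its value; the admin has kinit'ed and set KRB5CCNAME.
ADCLI=${ADCLI:-adcli}
DOMAIN=${DOMAIN:-domain.example.com}

# Random OTP: 24 alphanumeric characters from /dev/urandom (chosen here).
new_otp() {
    tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
}

# Admin side. $1 = computer (short name or FQDN), $2 = OU DN, $3 = OTP.
# Authenticates with the admin's existing ticket cache instead of a password.
preset_with_otp() {
    "$ADCLI" preset-computer --domain="$DOMAIN" --domain-ou="$2" \
        --login-ccache="${KRB5CCNAME:?run kinit Administrator first}" \
        --one-time-password="$3" "$1"
}

# Admin side. Preset every host listed in $1 (one per line) under OU $2 and
# store each OTP as $3/<host>.otp, readable by the owner only (umask 077 is
# set for the whole shell), for hand-over to the host by a separate channel.
provision_hosts() {
    list=$1; ou=$2; outdir=$3
    umask 077
    mkdir -p "$outdir" || return 1
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        otp=$(new_otp)
        preset_with_otp "$host" "$ou" "$otp" >/dev/null \
            || { echo "preset failed for $host" >&2; return 1; }
        printf '%s\n' "$otp" >"$outdir/$host.otp"
    done <"$list"
}

# Host side. $1 = file holding the OTP handed over. --one-time-password
# implies --login-type=computer, so no user account is needed on the host;
# the join is then verified with adcli testjoin.
join_with_otp() {
    otp=$(cat "$1") || return 1
    "$ADCLI" join --domain="$DOMAIN" --one-time-password="$otp" \
        --show-details && "$ADCLI" testjoin
}
```

       Run provision_hosts hosts.txt 'OU=Workstations,DC=domain,DC=example,DC=com' ./otps
       as the admin, deliver each .otp file to its host, then run
       join_with_otp host2.otp there and delete the file once the join is
       verified.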

RESET COMPUTER ACCOUNT

       adcli reset-computer resets a computer account in the domain. If the
       appropriate machine is currently joined to the domain, then its
       membership will be broken. The account must already exist.

           $ adcli reset-computer --domain=domain.example.com host2

       If the computer names specified contain dots, then they are treated as
       fully qualified host names, otherwise they are treated as short
       computer names.

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       --login-type={computer|user}
           Specify the type of authentication that will be performed before
           creating the machine account in the domain. If set to 'computer',
           then the computer must already have a preset account in the domain.
           If not specified and none of the other --login-xxx arguments have
           been specified, then adcli will try both 'computer' and 'user'
           authentication.


DELETE COMPUTER ACCOUNT

       adcli delete-computer deletes a computer account in the domain. The
       account must already exist.

           $ adcli delete-computer --domain=domain.example.com host2
           Password for Administrator:

       If the computer name contains a dot, then it is treated as a fully
       qualified host name, otherwise it is treated as a short computer name.

       If no computer name is specified, then the host name of the computer
       adcli is running on is used, as returned by gethostname().

       The various global options can be used.


SHOW COMPUTER ACCOUNT ATTRIBUTES

       adcli show-computer shows the computer account attributes stored in AD.
       The account must already exist.

           $ adcli show-computer --domain=domain.example.com host2
           Password for Administrator:

       If the computer name contains a dot, then it is treated as a fully
       qualified host name, otherwise it is treated as a short computer name.

       If no computer name is specified, then the host name of the computer
       adcli is running on is used, as returned by gethostname().

       The various global options can be used.


BUGS

       Please send bug reports to either the distribution bug tracker or the
       upstream bug tracker at
       https://bugs.freedesktop.org/enter_bug.cgi?product=realmd&component=adcli


SEE ALSO

       realmd(8), net(8), sssd(8)

       Further details available in the realmd online documentation at
       http://www.freedesktop.org/software/realmd/



realmd                                                                 ADCLI(8)