1ADCLI(8) System Commands ADCLI(8)
2
6 adcli - Tool for performing actions on an Active Directory domain
7
9 adcli info domain.example.com
10 adcli join domain.example.com
12 adcli update
14 adcli testjoin
16 adcli create-user [--domain=domain.example.com] user
18 adcli delete-user [--domain=domain.example.com] user
20 adcli create-group [--domain=domain.example.com] user
22 adcli delete-group [--domain=domain.example.com] user
24 adcli add-member [--domain=domain.example.com] group user...
26 adcli remove-member [--domain=domain.example.com] group user...
28 adcli preset-computer [--domain=domain.example.com] computer...
30 adcli reset-computer [--domain=domain.example.com] computer
32 adcli delete-computer [--domain=domain.example.com] computer
34 adcli show-computer [--domain=domain.example.com] computer
36
38 adcli is a command line tool that can perform actions in an Active
39 Directory domain. Among other things it can be used to join a computer
40 to a domain.
41 See the various sub commands below. The following global options can be
43 used:
44 -D, --domain=domain
46 The domain to connect to. If a domain is not specified, then the
47 domain part of the local computer's host name is used.
48 -R, --domain-realm=REALM
50 Kerberos realm for the domain. If not specified, then the upper
51 cased domain name is used.
52 -S, --domain-controller=server
54 Connect to a specific domain controller. If not specified, then an
55 appropriate domain controller is automatically discovered.
56 --use-ldaps
58 Connect to the domain controller with LDAPS. By default the LDAP
59 port is used and SASL GSS-SPNEGO or GSSAPI is used for
60 authentication and to establish encryption. This should satisfy all
61 requirements set on the server side and LDAPS should only be used
62 if the LDAP port is not accessible due to firewalls or other
63 reasons.
64 Please note that the place where CA certificates can be found to
66 validate the AD DC certificates must be configured in the OpenLDAP
67 configuration file, e.g. /etc/openldap/ldap.conf. As an
68 alternative it can be specified with the help of an environment
69 variable, e.g.
70 $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com
72 ...
73 Please see ldap.conf(5) for details.
75 -C, --login-ccache=ccache_name
77 Use the specified kerberos credential cache to authenticate with
78 the domain. If no credential cache is specified, the default
79 kerberos credential cache will be used. Credential caches of type
80 FILE can be given with the path to the file. For other credential
81 cache types, e.g. DIR, KEYRING or KCM, the type must be specified
82 explicitly together with a suitable identifier.
83 -U, --login-user=User
85 Use the specified user account to authenticate with the domain. If
86 not specified, then the name 'Administrator' will be used.
87 --no-password
89 Don't show prompts for or read a password from input.
90 -W, --prompt-password
92 Prompt for a password if necessary. This is the default.
93 --stdin-password
95 Read a password from stdin input instead of prompting for a
96 password.
97 -v, --verbose
99 Run in verbose mode with debug output.
100
102 adcli info displays discovered information about an Active Directory
103 domain or an Active Directory domain controller.
104 $ adcli info domain.example.com
106 ...
107 $ adcli info --domain-controller=dc.domain.example.com
109 ...
110 adcli info will output as much information as it can about the domain.
112 The information is designed to be both machine and human readable. The
113 command will exit with a non-zero exit code if the domain does not
114 exist or cannot be reached.
115 To show domain info for a specific domain controller use the
117 --domain-controller option to specify which domain controller to query.
118 Use the --verbose option to show details of how the domain is
120 discovered and queried. Many of the global options, in particular
121 authentication options, are not usable with the adcli info command.
122
124 adcli join creates a computer account in the domain for the local
125 machine, and sets up a keytab for the machine. It does not configure an
126 authentication service (such as sssd).
127 $ adcli join domain.example.com
129 Password for Administrator:
130 In addition to the global options, you can specify the following
132 options to control how this operation is done.
133 -N, --computer-name=computer
135 The short non-dotted name of the computer account that will be
136 created in the domain. If not specified, then the first portion of
137 the --host-fqdn is used.
138 -O, --domain-ou=OU=xxx
140 The full distinguished name of the OU in which to create the
141 computer account. If not specified, then the computer account will
142 be created in a default location.
143 -H, --host-fqdn=host
145 Override the local machine's fully qualified domain name. If not
146 specified, the local machine's hostname will be retrieved via
147 gethostname(). If gethostname() only returns a short name
148 getaddrinfo() with the AI_CANONNAME hint is called to expand the
149 name to a fully qualified domain name.
150 -K, --host-keytab=/path/to/keytab
152 Specify the path to the host keytab where host credentials will be
153 written after a successful join operation. If not specified, the
154 default location will be used, usually /etc/krb5.keytab.
155 --login-type={computer|user}
157 Specify the type of authentication that will be performed before
158 creating the machine account in the domain. If set to 'computer',
159 then the computer must already have a preset account in the domain.
160 If not specified and none of the other --login-xxx arguments have
161 been specified, then will try both 'computer' and 'user'
162 authentication.
163 --os-name=name
165 Set the operating system name on the computer account. The default
166 depends on where adcli was built, but is usually something like
167 'linux-gnu'.
168 --os-service-pack=pack
170 Set the operating system service pack on the computer account. Not
171 set by default.
172 --os-version=version
174 Set the operating system version on the computer account. Not set
175 by default.
176 --description=description
178 Set the description attribute on the computer account. Not set by
179 default.
180 --service-name=service
182 Additional service name for a kerberos principal to be created on
183 the computer account. This option may be specified multiple times.
184 --user-principal=host/name@REALM
186 Set the userPrincipalName field of the computer account to this
187 kerberos principal. If you omit the value for this option, then a
188 principal will be set in the form of host/host.example.com@REALM
189 --one-time-password
191 Specify a one time password for a preset computer account. This is
192 equivalent to using --login-type=computer and providing a password
193 as input.
194 --trusted-for-delegation=yes|no|true|false
196 Set or unset the TRUSTED_FOR_DELEGATION flag in the
197 userAccountControl attribute to allow or not allow that Kerberos
198 tickets can be forwarded to the host.
199 --add-service-principal=service/hostname
201 Add a service principal name. In contrast to the --service-name the
202 hostname part can be specified as well in case the service should
203 be accessible with a different host name as well.
204 --show-details
206 After a successful join print out information about join operation.
207 This is output in a format that should be both human and machine
208 readable.
209 --show-password
211 After a successful join print out the computer machine account
212 password. This is output in a format that should be both human and
213 machine readable.
214 --add-samba-data
216 After a successful join add the domain SID and the machine account
217 password to the Samba specific databases by calling Samba's net
218 utility.
219 Please note that Samba's net requires some settings in smb.conf to
221 create the database entries correctly. Most important here is
222 currently the workgroup option, see smb.conf(5) for details.
223 --samba-data-tool=/path/to/net
225 If Samba's net cannot be found at /usr/bin/net, this option can be
226 used to specific an alternative location with the help of an
227 absolute path.
228 If supported on the AD side the msDS-supportedEncryptionTypes attribute
230 will be set as well. Either the current value or the default list of
231 AD's supported encryption types filtered by the permitted encryption
232 types of the client's Kerberos configuration are written.
233
235 adcli update updates the password of the computer account on the domain
236 controller for the local machine, write the new keys to the keytab and
237 removes older keys. It keeps the previous key on purpose because AD
238 will need some time to replicate the new key to all DCs hence the
239 previous key might still be used.
240 $ adcli update
242 If used with a credential cache, other attributes of the computer
244 account can be changed as well if the principal has sufficient
245 privileges.
246 $ kinit Administrator
248 $ adcli update --login-ccache=/tmp/krbcc_123
249 In addition to the global options, you can specify the following
251 options to control how this operation is done.
252 -N, --computer-name=computer
254 The short non-dotted name of the computer account that will be
255 created in the domain. If not specified, it will be retrieved from
256 the keytab entries.
257 -H, --host-fqdn=host
259 The local machine's fully qualified domain name. If not specified,
260 the local machine's hostname will be retrieved from the keytab
261 entries.
262 -K, --host-keytab=/path/to/keytab
264 Specify the path to the host keytab where current host credentials
265 are stored and the new ones will be written to. If not specified,
266 the default location will be used, usually /etc/krb5.keytab.
267 --os-name=name
269 Set the operating system name on the computer account. Not set by
270 default.
271 --os-service-pack=pack
273 Set the operating system service pack on the computer account. Not
274 set by default.
275 --os-version=version
277 Set the operating system version on the computer account. Not set
278 by default.
279 --description=description
281 Set the description attribute on the computer account. Not set by
282 default.
283 --service-name=service
285 Additional service name for a Kerberos principal to be created on
286 the computer account. This option may be specified multiple times.
287 --user-principal=host/name@REALM
289 Set the userPrincipalName field of the computer account to this
290 Kerberos principal.
291 --computer-password-lifetime=lifetime
293 Only update the password of the computer account if it is older
294 than the lifetime given in days. By default the password is updated
295 if it is older than 30 days.
296 --trusted-for-delegation=yes|no|true|false
298 Set or unset the TRUSTED_FOR_DELEGATION flag in the
299 userAccountControl attribute to allow or not allow that Kerberos
300 tickets can be forwarded to the host.
301 --add-service-principal=service/hostname
303 Add a service principal name. In contrast to the --service-name the
304 hostname part can be specified as well in case the service should
305 be accessible with a different host name as well.
306 --remove-service-principal=service/hostname
308 Remove a service principal name from the keytab and the AD host
309 object.
310 --show-details
312 After a successful join print out information about join operation.
313 This is output in a format that should be both human and machine
314 readable.
315 --add-samba-data
317 After a successful join add the domain SID and the machine account
318 password to the Samba specific databases by calling Samba's net
319 utility.
320 Please note that Samba's net requires some settings in smb.conf to
322 create the database entries correctly. Most important here is
323 currently the workgroup option, see smb.conf(5) for details.
324 Note that if the machine account password is not older than 30
326 days, you have to pass --computer-password-lifetime=0 to force the
327 update.
328 --samba-data-tool=/path/to/net
330 If Samba's net cannot be found at /usr/bin/net, this option can be
331 used to specific an alternative location with the help of an
332 absolute path.
333 If supported on the AD side the msDS-supportedEncryptionTypes attribute
335 will be set as well. Either the current value or the default list of
336 AD's supported encryption types filtered by the permitted encryption
337 types of the client's Kerberos configuration are written.
338
340 adcli testjoin uses the current credentials in the keytab and tries to
341 authenticate with the machine account to the AD domain. If this works
342 the machine account password and the join are still valid. If it fails
343 the machine account password or the whole machine account have to be
344 refreshed with adcli join or adcli update.
345 $ adcli testjoin
347 Only the global options not related to authentication are available,
349 additionally you can specify the following options to control how this
350 operation is done.
351 -K, --host-keytab=/path/to/keytab
353 Specify the path to the host keytab where current host credentials
354 are stored and the new ones will be written to. If not specified,
355 the default location will be used, usually /etc/krb5.keytab.
356
358 adcli create-user creates a new user account in the domain.
359 $ adcli create-user Fry --domain=domain.example.com \
361 --display-name="Philip J. Fry" --mail=fry@domain.example.com
362 In addition to the global options, you can specify the following
364 options to control how the user is created.
365 --display-name="Name"
367 Set the displayName attribute of the new created user account.
368 -O, --domain-ou=OU=xxx
370 The full distinguished name of the OU in which to create the user
371 account. If not specified, then the computer account will be
372 created in a default location.
373 --mail=email@domain.com
375 Set the mail attribute of the new created user account. This
376 attribute may be specified multiple times.
377 --unix-home=/home/user
379 Set the unixHomeDirectory attribute of the new created user
380 account, which should be an absolute path to the user's home
381 directory.
382 --unix-gid=111
384 Set the gidNumber attribute of the new created user account, which
385 should be the user's numeric primary group id.
386 --unix-shell=/bin/shell
388 Set the loginShell attribute of the new created user account, which
389 should be a path to a valid shell.
390 --unix-uid=111
392 Set the uidNumber attribute of the new created user account, which
393 should be the user's numeric primary user id.
394 --nis-domain=nis_domain
396 Set the msSFU30NisDomain attribute of the new created user account,
397 which should be the user's NIS domain is the NIS/YP service of
398 Active Directory's Services for Unix (SFU) are used. This is needed
399 to let the 'UNIX attributes' tab of older Active Directoy versions
400 show the set UNIX specific attributes. If not specified adcli will
401 try to determine the NIS domain automatically if needed.
402
404 adcli delete-user deletes a user account from the domain.
405 $ adcli delete-user Fry --domain=domain.example.com
407 The various global options can be used.
409
411 adcli create-group creates a new group in the domain.
412 $ adcli create-group Pilots --domain=domain.example.com \
414 --description="Group for all pilots"
415 In addition to the global options, you can specify the following
417 options to control how the group is created.
418 --description="text"
420 Set the description attribute of the new created group.
421 -O, --domain-ou=OU=xxx
423 The full distinguished name of the OU in which to create the group.
424 If not specified, then the group will be created in a default
425 location.
426
428 adcli delete-group deletes a group from the domain.
429 $ adcli delete-group Pilots --domain=domain.example.com
431 The various global options can be used.
433
435 adcli add-member adds one or more users to a group in the domain. The
436 group is specified first, and then the various users to be added.
437 $ adcli add-member --domain=domain.example.com Pilots Leela Scruffy
439 The various global options can be used.
441
443 adcli remove-member removes a user from a group in the domain. The
444 group is specified first, and then the various users to be removed.
445 $ adcli remove-member --domain=domain.example.com Pilots Scruffy
447 The various global options can be used.
449
451 adcli preset-computer pre-creates one or more computer accounts in the
452 domain for machines to later use when joining the domain. By doing this
453 machines can join using a one time password or automatically without a
454 password.
455 $ adcli preset-computer --domain=domain.example.com \
457 host1.example.com host2
458 Password for Administrator:
459 If the computer names specified contain dots, then they are treated as
461 fully qualified host names, otherwise they are treated as short
462 computer names. The computer accounts must not already exist.
463 In addition to the global options, you can specify the following
465 options to control how this operation is done.
466 -O, --domain-ou=OU=xxx
468 The full distinguished name of the OU in which to create the
469 computer accounts. If not specified, then the computer account will
470 be created in a default location.
471 --one-time-password
473 Specify a one time password to use when presetting the computer
474 accounts. If not specified, then a default password will be used,
475 which allows for later automatic joins.
476 --os-name=name
478 Set the operating system name on the computer account. The default
479 depends on where adcli was built, but is usually something like
480 'linux-gnu'.
481 --os-service-pack=pack
483 Set the operating system service pack on the computer account. Not
484 set by default.
485 --os-version=version
487 Set the operating system version on the computer account. Not set
488 by default.
489 --service-name=service
491 Additional service name for a kerberos principal to be created on
492 the computer account. This option may be specified multiple times.
493 --user-principal
495 Set the userPrincipalName field of the computer account to this
496 kerberos principal in the form of host/host.example.com@REALM
497
499 adcli reset-computer resets a computer account in the domain. If the
500 appropriate machine is currently joined to the domain, then its
501 membership will be broken. The account must already exist.
502 $ adcli reset-computer --domain=domain.example.com host2
504 If the computer names specified contain dots, then they are treated as
506 fully qualified host names, otherwise they are treated as short
507 computer names.
508 In addition to the global options, you can specify the following
510 options to control how this operation is done.
511 --login-type={computer|user}
513 Specify the type of authentication that will be performed before
514 creating the machine account in the domain. If set to 'computer',
515 then the computer must already have a preset account in the domain.
516 If not specified and none of the other --login-xxx arguments have
517 been specified, then will try both 'computer' and 'user'
518 authentication.
519
521 adcli delete-computer deletes a computer account in the domain. The
522 account must already exist.
523 $ adcli delete-computer --domain=domain.example.com host2
525 Password for Administrator:
526 If the computer name contains a dot, then it is treated as fully
528 qualified host name, otherwise it is treated as short computer name.
529 If no computer name is specified, then the host name of the computer
531 adcli is running on is used, as returned by gethostname().
532 The various global options can be used.
534
536 adcli show-computer show the computer account attributes stored in AD.
537 The account must already exist.
538 $ adcli show-computer --domain=domain.example.com host2
540 Password for Administrator:
541 If the computer name contains a dot, then it is treated as fully
543 qualified host name, otherwise it is treated as short computer name.
544 If no computer name is specified, then the host name of the computer
546 adcli is running on is used, as returned by gethostname().
547 The various global options can be used.
549
551 Please send bug reports to either the distribution bug tracker or the
552 upstream bug tracker at
553 https://bugs.freedesktop.org/enter_bug.cgi?product=realmd&component=adcli
554
556 realmd(8), net(8), sssd(8)
557 Further details available in the realmd online documentation at
559 http://www.freedesktop.org/software/realmd/
560realmd ADCLI(8)