ADCLI(8)                        System Commands                       ADCLI(8)




NAME

       adcli - Tool for performing actions on an Active Directory domain


SYNOPSIS

       adcli info domain.example.com

       adcli join domain.example.com

       adcli update

       adcli testjoin

       adcli create-user [--domain=domain.example.com] user

       adcli delete-user [--domain=domain.example.com] user

       adcli create-group [--domain=domain.example.com] group

       adcli delete-group [--domain=domain.example.com] group

       adcli add-member [--domain=domain.example.com] group user...

       adcli remove-member [--domain=domain.example.com] group user...

       adcli preset-computer [--domain=domain.example.com] computer...

       adcli reset-computer [--domain=domain.example.com] computer

       adcli delete-computer [--domain=domain.example.com] computer

       adcli show-computer [--domain=domain.example.com] computer

       adcli create-msa [--domain=domain.example.com]


GENERAL OVERVIEW

       adcli is a command line tool that can perform actions in an Active
       Directory domain. Among other things it can be used to join a computer
       to a domain.

       See the various sub commands below. The following global options can be
       used:

       -D, --domain=domain
           The domain to connect to. If a domain is not specified, then the
           domain part of the local computer's host name is used.

       -R, --domain-realm=REALM
           Kerberos realm for the domain. If not specified, then the upper
           cased domain name is used.

       -S, --domain-controller=server
           Connect to a specific domain controller. If not specified, then an
           appropriate domain controller is automatically discovered.

       --use-ldaps
           Connect to the domain controller with LDAPS. By default the LDAP
           port is used and SASL GSS-SPNEGO or GSSAPI is used for
           authentication and to establish encryption. This should satisfy
           server-side requirements such as mandatory LDAP signing, so LDAPS
           should only be used if the LDAP port is not accessible due to
           firewalls or other reasons.

           Please note that the place where CA certificates can be found to
           validate the AD DC certificates must be configured in the OpenLDAP
           configuration file, e.g.  /etc/openldap/ldap.conf. As an
           alternative it can be specified with the help of an environment
           variable, e.g.

               $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com
               ...

           Please see ldap.conf(5) for details.

       -C
           Use the default Kerberos credential cache to authenticate with the
           domain.

       --login-ccache[=ccache_name]
           Use the specified Kerberos credential cache to authenticate with
           the domain. If no credential cache is specified, the default
           Kerberos credential cache will be used. Credential caches of type
           FILE can be given with the path to the file. For other credential
           cache types, e.g. DIR, KEYRING or KCM, the type must be specified
           explicitly together with a suitable identifier.

           Please note that since the ccache_name is optional the = (equal)
           sign is mandatory. If = is missing the parameter is treated as an
           optionless extra argument. How this is handled depends on the
           specific sub-command.

       -U, --login-user=User
           Use the specified user account to authenticate with the domain. If
           not specified, then the name 'Administrator' will be used.

       --no-password
           Don't show prompts for or read a password from input.

       -W, --prompt-password
           Prompt for a password if necessary. This is the default.

       --stdin-password
           Read a password from stdin input instead of prompting for a
           password.

       -v, --verbose
           Run in verbose mode with debug output.


QUERYING DOMAIN INFORMATION

       adcli info displays discovered information about an Active Directory
       domain or an Active Directory domain controller.

           $ adcli info domain.example.com
           ...

           $ adcli info --domain-controller=dc.domain.example.com
           ...

       adcli info will output as much information as it can about the domain.
       The information is designed to be both machine and human readable. The
       command will exit with a non-zero exit code if the domain does not
       exist or cannot be reached.

       To show domain info for a specific domain controller use the
       --domain-controller option to specify which domain controller to query.

       Use the --verbose option to show details of how the domain is
       discovered and queried. Many of the global options, in particular
       authentication options, are not usable with the adcli info command.


JOINING THE LOCAL MACHINE TO A DOMAIN

       adcli join creates a computer account in the domain for the local
       machine, and sets up a keytab for the machine. It does not configure an
       authentication service (such as sssd).

           $ adcli join domain.example.com
           Password for Administrator:

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       -N, --computer-name=computer
           The short non-dotted name of the computer account that will be
           created in the domain. If not specified, then the first portion of
           the --host-fqdn is used.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the
           computer account. If not specified, then the computer account will
           be created in a default location.

       -H, --host-fqdn=host
           Override the local machine's fully qualified domain name. If not
           specified, the local machine's hostname will be retrieved via
           gethostname(). If gethostname() only returns a short name
           getaddrinfo() with the AI_CANONNAME hint is called to expand the
           name to a fully qualified domain name.

       -K, --host-keytab=/path/to/keytab
           Specify the path to the host keytab where host credentials will be
           written after a successful join operation. If not specified, the
           default location will be used, usually /etc/krb5.keytab.

       --login-type={computer|user}
           Specify the type of authentication that will be performed before
           creating the machine account in the domain. If set to 'computer',
           then the computer must already have a preset account in the domain.
           If not specified and none of the other --login-xxx arguments have
           been specified, then adcli will try both 'computer' and 'user'
           authentication.

       --os-name=name
           Set the operating system name on the computer account. The default
           depends on where adcli was built, but is usually something like
           'linux-gnu'.

       --os-service-pack=pack
           Set the operating system service pack on the computer account. Not
           set by default.

       --os-version=version
           Set the operating system version on the computer account. Not set
           by default.

       --description=description
           Set the description attribute on the computer account. Not set by
           default.

       --service-name=service
           Additional service name for a Kerberos principal to be created on
           the computer account. This option may be specified multiple times.

       --user-principal=host/name@REALM
           Set the userPrincipalName field of the computer account to this
           Kerberos principal. If you omit the value for this option, then a
           principal will be set in the form of host/host.example.com@REALM

       --one-time-password
           Specify a one time password for a preset computer account. This is
           equivalent to using --login-type=computer and providing a password
           as input.

       --trusted-for-delegation=yes|no|true|false
           Set or unset the TRUSTED_FOR_DELEGATION flag in the
           userAccountControl attribute to allow or disallow forwarding of
           Kerberos tickets to the host. Setting the flag enables
           unconstrained delegation: the host receives the forwarded tickets
           of every user who authenticates to it and can act as those users
           towards any other service, so leave it unset unless the host
           really needs it.

       --add-service-principal=service/hostname
           Add a service principal name. In contrast to --service-name the
           hostname part can be specified as well, in case the service should
           also be accessible under a different host name.

       --show-details
           After a successful join print out information about the join
           operation. This is output in a format that should be both human
           and machine readable.

       --show-password
           After a successful join print out the computer machine account
           password. This is output in a format that should be both human and
           machine readable. The password is a credential for the machine
           account, so keep it out of shell history and log files.

       --add-samba-data
           After a successful join add the domain SID and the machine account
           password to the Samba specific databases by calling Samba's net
           utility.

           Please note that Samba's net requires some settings in smb.conf to
           create the database entries correctly. Most important here is
           currently the workgroup option, see smb.conf(5) for details.

       --samba-data-tool=/path/to/net
           If Samba's net cannot be found at /usr/bin/net, this option can be
           used to specify an alternative location with the help of an
           absolute path.

       If supported on the AD side the msDS-supportedEncryptionTypes attribute
       will be set as well. Either the current value or the default list of
       AD's supported encryption types filtered by the permitted encryption
       types of the client's Kerberos configuration are written.

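       As an added example (not part of adcli or its documentation), the
       following POSIX shell script joins the local machine with a dedicated
       join account instead of Administrator, feeds the password through
       --stdin-password so it never appears on the command line, and then
       verifies the result with adcli testjoin. The account name 'joiner',
       the OU, the domain and the JOIN_PASSWORD variable are placeholders
       chosen for the example; ADCLI_BIN only exists so the command
       construction can be exercised without a domain. klist -k -t is the MIT
       Kerberos way to list keytab entries.

```shell
#!/bin/sh
# Added example: join with a delegated account, password over stdin,
# then verify the keytab works. Not part of adcli itself.
#
# Assumptions (all placeholders): the join account is "joiner", the target
# OU is OU=Linux,..., the password arrives in JOIN_PASSWORD, and ADCLI_BIN
# may point at a different binary than /usr/sbin/adcli.
set -eu

ADCLI_BIN="${ADCLI_BIN:-adcli}"

# join_host DOMAIN LOGIN_USER OU [KEYTAB]
# Runs "adcli join" and returns its exit status; --show-details makes adcli
# print what it created, which is handy to keep in the provisioning log.
join_host() {
    domain="$1"; login_user="$2"; ou="$3"; keytab="${4:-/etc/krb5.keytab}"
    : "${JOIN_PASSWORD:?set JOIN_PASSWORD in the environment}"
    # --login-type=user: do not fall back to trying a preset computer account.
    # --stdin-password: read the password from stdin, never from argv.
    printf '%s\n' "$JOIN_PASSWORD" | "$ADCLI_BIN" join \
        --domain="$domain" \
        --domain-ou="$ou" \
        --login-user="$login_user" \
        --login-type=user \
        --stdin-password \
        --host-keytab="$keytab" \
        --show-details
}

# verify_join DOMAIN [KEYTAB]
# testjoin authenticates with the keytab only; no user credentials involved.
verify_join() {
    domain="$1"; keytab="${2:-/etc/krb5.keytab}"
    "$ADCLI_BIN" testjoin --domain="$domain" --host-keytab="$keytab"
}

# Only run the real join when explicitly asked ("sh join.sh run").
if [ "${1:-}" = "run" ]; then
    join_host domain.example.com joiner 'OU=Linux,DC=domain,DC=example,DC=com'
    verify_join domain.example.com
    klist -k -t /etc/krb5.keytab   # list the principals adcli wrote (MIT klist)
fi
```

       The join account needs only the delegated "Create computer object"
       permission on that OU (see DELEGATED PERMISSIONS below); if the
       computer object already exists in a different OU the join fails, which
       is the expected outcome for such a restricted account.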

UPDATING THE MACHINE ACCOUNT PASSWORD AND OTHER ATTRIBUTES

       adcli update updates the password of the computer account on the domain
       controller for the local machine, writes the new keys to the keytab and
       removes older keys. The keys of the previous password are kept on
       purpose, because AD needs some time to replicate the new password to
       all DCs and the previous one might still be used in the meantime.

           $ adcli update

       If used with a credential cache, other attributes of the computer
       account can be changed as well if the principal has sufficient
       privileges.

           $ kinit Administrator
           $ adcli update --login-ccache=/tmp/krbcc_123

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       -N, --computer-name=computer
           The short non-dotted name of the computer account that will be
           updated. If not specified, it will be retrieved from the keytab
           entries.

       -H, --host-fqdn=host
           The local machine's fully qualified domain name. If not specified,
           the local machine's hostname will be retrieved from the keytab
           entries.

       -K, --host-keytab=/path/to/keytab
           Specify the path to the host keytab where current host credentials
           are stored and the new ones will be written to. If not specified,
           the default location will be used, usually /etc/krb5.keytab.

       --os-name=name
           Set the operating system name on the computer account. Not set by
           default.

       --os-service-pack=pack
           Set the operating system service pack on the computer account. Not
           set by default.

       --os-version=version
           Set the operating system version on the computer account. Not set
           by default.

       --description=description
           Set the description attribute on the computer account. Not set by
           default.

       --service-name=service
           Additional service name for a Kerberos principal to be created on
           the computer account. This option may be specified multiple times.

       --user-principal=host/name@REALM
           Set the userPrincipalName field of the computer account to this
           Kerberos principal.

       --computer-password-lifetime=lifetime
           Only update the password of the computer account if it is older
           than the lifetime given in days. By default the password is updated
           if it is older than 30 days.

       --trusted-for-delegation=yes|no|true|false
           Set or unset the TRUSTED_FOR_DELEGATION flag in the
           userAccountControl attribute to allow or disallow forwarding of
           Kerberos tickets to the host. Setting the flag enables
           unconstrained delegation, so leave it unset unless the host really
           needs it.

       --account-disable=yes|no|true|false
           Set or unset the ACCOUNTDISABLE flag in the userAccountControl
           attribute to disable or enable the computer account.

       --add-service-principal=service/hostname
           Add a service principal name. In contrast to --service-name the
           hostname part can be specified as well, in case the service should
           also be accessible under a different host name.

       --remove-service-principal=service/hostname
           Remove a service principal name from the keytab and the AD host
           object.

       --show-details
           After a successful update print out information about the update
           operation. This is output in a format that should be both human
           and machine readable.

       --add-samba-data
           After a successful update add the domain SID and the machine
           account password to the Samba specific databases by calling Samba's
           net utility.

           Please note that Samba's net requires some settings in smb.conf to
           create the database entries correctly. Most important here is
           currently the workgroup option, see smb.conf(5) for details.

           Note that if the machine account password is not older than 30
           days, you have to pass --computer-password-lifetime=0 to force the
           update.

       --samba-data-tool=/path/to/net
           If Samba's net cannot be found at /usr/bin/net, this option can be
           used to specify an alternative location with the help of an
           absolute path.

       If supported on the AD side the msDS-supportedEncryptionTypes attribute
       will be set as well. Either the current value or the default list of
       AD's supported encryption types filtered by the permitted encryption
       types of the client's Kerberos configuration are written.

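       Two helpers around adcli update, added here as an example and not part
       of adcli: ccache_arg builds the --login-ccache=... option from a
       KRB5CCNAME-style value following the rules from the global options
       (FILE caches as a bare path, other types with their explicit type
       prefix, the = always present), and rotate_machine_password forces a
       rotation regardless of key age and checks the keytab afterwards with
       testjoin. The assumption that a FILE: prefix should be stripped is the
       example's own; the domain, description and ADCLI_BIN override are
       placeholders.

```shell
#!/bin/sh
# Added example around "adcli update"; not adcli's own code.
# ADCLI_BIN can point at a different binary so the command construction
# can be exercised without a domain (placeholder, as are the names below).
set -eu

ADCLI_BIN="${ADCLI_BIN:-adcli}"

# ccache_arg CCACHE_NAME
# Print the --login-ccache=... option for a credential cache name as found
# in KRB5CCNAME. Assumption: a FILE cache is passed as a plain path (with a
# leading "FILE:" stripped); DIR:, KEYRING:, KCM: etc. keep their prefix.
ccache_arg() {
    name="$1"
    case "$name" in
        FILE:*) printf '%s%s\n' '--login-ccache=' "${name#FILE:}" ;;
        *)      printf '%s%s\n' '--login-ccache=' "$name" ;;
    esac
}

# update_with_ccache DOMAIN CCACHE_NAME [further adcli update options...]
# Use an administrative ticket (obtained with kinit) to change attributes
# the machine account itself is not allowed to modify.
update_with_ccache() {
    domain="$1"; ccache="$2"; shift 2
    "$ADCLI_BIN" update --domain="$domain" "$(ccache_arg "$ccache")" "$@"
}

# rotate_machine_password DOMAIN [KEYTAB]
# --computer-password-lifetime=0 overrides the 30-day threshold; testjoin
# then confirms a DC accepts the new keys written to the keytab.
rotate_machine_password() {
    domain="$1"; keytab="${2:-/etc/krb5.keytab}"
    "$ADCLI_BIN" update --domain="$domain" --host-keytab="$keytab" \
        --computer-password-lifetime=0
    "$ADCLI_BIN" testjoin --domain="$domain" --host-keytab="$keytab"
}

if [ "${1:-}" = "run" ]; then
    kinit Administrator
    # /tmp/krb5cc_<uid> is MIT's default FILE cache if nothing else is set.
    update_with_ccache domain.example.com "${KRB5CCNAME:-/tmp/krb5cc_$(id -u)}" \
        --description="managed by adcli" --trusted-for-delegation=no
    rotate_machine_password domain.example.com
fi
```

       Running rotate_machine_password from a timer keeps the machine account
       password young even on hosts where no other component (such as sssd)
       renews it.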

TESTING IF THE MACHINE ACCOUNT PASSWORD IS VALID

       adcli testjoin uses the current credentials in the keytab and tries to
       authenticate with the machine account to the AD domain. If this works
       the machine account password and the join are still valid. If it fails
       the machine account password or the whole machine account have to be
       refreshed with adcli join or adcli update.

           $ adcli testjoin

       Only the global options not related to authentication are available,
       additionally you can specify the following options to control how this
       operation is done.

       -K, --host-keytab=/path/to/keytab
           Specify the path to the host keytab where the current host
           credentials are stored. If not specified, the default location
           will be used, usually /etc/krb5.keytab.


CREATING A USER

       adcli create-user creates a new user account in the domain.

           $ adcli create-user Fry --domain=domain.example.com \
                --display-name="Philip J. Fry" --mail=fry@domain.example.com

       In addition to the global options, you can specify the following
       options to control how the user is created.

       --display-name="Name"
           Set the displayName attribute of the newly created user account.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the user
           account. If not specified, then the user account will be created
           in a default location.

       --mail=email@domain.com
           Set the mail attribute of the newly created user account. This
           attribute may be specified multiple times.

       --unix-home=/home/user
           Set the unixHomeDirectory attribute of the newly created user
           account, which should be an absolute path to the user's home
           directory.

       --unix-gid=111
           Set the gidNumber attribute of the newly created user account,
           which should be the user's numeric primary group id.

       --unix-shell=/bin/shell
           Set the loginShell attribute of the newly created user account,
           which should be a path to a valid shell.

       --unix-uid=111
           Set the uidNumber attribute of the newly created user account,
           which should be the user's numeric user id.

       --nis-domain=nis_domain
           Set the msSFU30NisDomain attribute of the newly created user
           account, which should be the user's NIS domain if the NIS/YP
           service of Active Directory's Services for Unix (SFU) is used.
           This is needed to let the 'UNIX attributes' tab of older Active
           Directory versions show the UNIX specific attributes that were
           set. If not specified adcli will try to determine the NIS domain
           automatically if needed.


DELETING A USER

       adcli delete-user deletes a user account from the domain.

           $ adcli delete-user Fry --domain=domain.example.com

       The various global options can be used.


CREATING A GROUP

       adcli create-group creates a new group in the domain.

           $ adcli create-group Pilots --domain=domain.example.com \
                --description="Group for all pilots"

       In addition to the global options, you can specify the following
       options to control how the group is created.

       --description="text"
           Set the description attribute of the newly created group.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the group.
           If not specified, then the group will be created in a default
           location.


DELETING A GROUP

       adcli delete-group deletes a group from the domain.

           $ adcli delete-group Pilots --domain=domain.example.com

       The various global options can be used.


ADDING A MEMBER TO A GROUP

       adcli add-member adds one or more users to a group in the domain. The
       group is specified first, and then the various users to be added.

           $ adcli add-member --domain=domain.example.com Pilots Leela Scruffy

       The various global options can be used.


REMOVING A MEMBER FROM A GROUP

       adcli remove-member removes one or more users from a group in the
       domain. The group is specified first, and then the various users to be
       removed.

           $ adcli remove-member --domain=domain.example.com Pilots Scruffy

       The various global options can be used.


PRESET COMPUTER ACCOUNTS

       adcli preset-computer pre-creates one or more computer accounts in the
       domain for machines to later use when joining the domain. By doing this
       machines can join using a one time password or automatically without a
       password.

           $ adcli preset-computer --domain=domain.example.com \
                host1.example.com host2
           Password for Administrator:

       If the computer names specified contain dots, then they are treated as
       fully qualified host names, otherwise they are treated as short
       computer names. The computer accounts must not already exist.

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the
           computer accounts. If not specified, then the computer accounts
           will be created in a default location.

       --one-time-password
           Specify a one time password to use when presetting the computer
           accounts. If not specified, then a default password will be used,
           which allows for later automatic joins. The default is derived
           from the computer name and is not secret, so until the real
           machine joins, anyone who can reach a domain controller and knows
           the computer name can claim the account. Prefer a one time
           password where the deployment allows it.

       --os-name=name
           Set the operating system name on the computer account. The default
           depends on where adcli was built, but is usually something like
           'linux-gnu'.

       --os-service-pack=pack
           Set the operating system service pack on the computer account. Not
           set by default.

       --os-version=version
           Set the operating system version on the computer account. Not set
           by default.

       --service-name=service
           Additional service name for a Kerberos principal to be created on
           the computer account. This option may be specified multiple times.

       --user-principal
           Set the userPrincipalName field of the computer account to a
           Kerberos principal in the form of host/host.example.com@REALM


RESET COMPUTER ACCOUNT

       adcli reset-computer resets a computer account in the domain. If the
       appropriate machine is currently joined to the domain, then its
       membership will be broken. The account must already exist.

           $ adcli reset-computer --domain=domain.example.com host2

       If the computer names specified contain dots, then they are treated as
       fully qualified host names, otherwise they are treated as short
       computer names.

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       --login-type={computer|user}
           Specify the type of authentication that will be performed before
           resetting the computer account in the domain. If set to
           'computer', then the computer must already have a preset account
           in the domain. If not specified and none of the other --login-xxx
           arguments have been specified, then adcli will try both 'computer'
           and 'user' authentication.


DELETE COMPUTER ACCOUNT

       adcli delete-computer deletes a computer account in the domain. The
       account must already exist.

           $ adcli delete-computer --domain=domain.example.com host2
           Password for Administrator:

       If the computer name contains a dot, then it is treated as a fully
       qualified host name, otherwise it is treated as a short computer name.

       If no computer name is specified, then the host name of the computer
       adcli is running on is used, as returned by gethostname().

       The various global options can be used.


SHOW COMPUTER ACCOUNT ATTRIBUTES

       adcli show-computer shows the computer account attributes stored in AD.
       The account must already exist.

           $ adcli show-computer --domain=domain.example.com host2
           Password for Administrator:

       If the computer name contains a dot, then it is treated as a fully
       qualified host name, otherwise it is treated as a short computer name.

       If no computer name is specified, then the host name of the computer
       adcli is running on is used, as returned by gethostname().

       The various global options can be used.


CREATE A MANAGED SERVICE ACCOUNT

       adcli create-msa creates a managed service account (MSA) in the given
       Active Directory domain. This is useful if a computer should not fully
       join the Active Directory domain but LDAP access is needed. A typical
       use case is that the computer is already joined to an Active Directory
       domain and needs access to another Active Directory domain in the same
       or a trusted forest where the host credentials from the joined Active
       Directory domain are not valid, e.g. there is only a one-way trust.

           $ adcli create-msa --domain=domain.example.com
           Password for Administrator:

       The managed service account, as maintained by adcli, cannot have
       additional service principal names (SPNs) associated with it. An SPN
       is defined within the context of a Kerberos service which is tied to a
       machine account in Active Directory. Since a machine can be joined to
       a single Active Directory domain only, a managed service account in a
       different Active Directory domain will not have the SPNs that are part
       of the machine account in the joined domain.

       Since a client will most probably join the Active Directory domain
       matching its DNS domain, the managed service account will be needed
       for a different Active Directory domain. As a result the Active
       Directory domain name is a mandatory option. If called with no other
       options adcli create-msa will use the short hostname with an
       additional random suffix as computer name to avoid name collisions.

       The LDAP attribute sAMAccountName has a limit of 20 characters.
       However, a machine account's NetBIOS name must be at most 16
       characters long, including the trailing '$' sign. Since it is not
       expected that the managed service accounts created by adcli will be
       used on the NetBIOS level, the remaining 4 characters can be used to
       add uniqueness. Managed service account names have a suffix of 3
       random characters from the digit and upper- and lowercase ASCII letter
       ranges appended to the chosen short host name, using '!' as a
       separator. For a host with the short name 'myhost', a managed service
       account will have the common name (CN attribute) 'myhost!A2c' and the
       NetBIOS name (sAMAccountName attribute) 'myhost!A2c$'. The
       corresponding Kerberos principal in the Active Directory domain where
       the managed service account was created would be
       'myhost!A2c$@DOMAIN.EXAMPLE.COM'.

       A keytab for the managed service account is stored into the file
       specified with the -K option. If it is not specified, the file is named
       after the default keytab file, with the lowercase Active Directory
       domain of the managed service account as a suffix. On most systems it
       would be /etc/krb5.keytab with a suffix of 'domain.example.com', e.g.
       /etc/krb5.keytab.domain.example.com.

       adcli create-msa can be called multiple times to reset the password of
       the managed service account. To identify the right account despite the
       random component in the name, the corresponding principal is read from
       the keytab. If the keytab got deleted adcli will try to identify an
       existing managed service account with the help of the fully qualified
       name; if this fails a new managed service account will be created.

       The managed service account password can be updated with

           $ adcli update --domain=domain.example.com --host-keytab=/etc/krb5.keytab.domain.example.com

       and the managed service account can be deleted with

           $ adcli delete-computer --domain=domain.example.com 'myhost!A2c'

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       -N, --computer-name=computer
           The short non-dotted name of the managed service account that will
           be created in the Active Directory domain. The long option name
           --computer-name is kept to underline the similarity with the same
           option of the other sub-commands. If not specified, then the first
           portion of the --host-fqdn or its default is used with a random
           suffix.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the
           managed service account. If not specified, then the managed service
           account will be created in a default location.

       -H, --host-fqdn=host
           Override the local machine's fully qualified DNS domain name. If
           not specified, the local machine's hostname will be retrieved via
           gethostname(). If gethostname() only returns a short name
           getaddrinfo() with the AI_CANONNAME hint is called to expand the
           name to a fully qualified DNS domain name.

       -K, --host-keytab=/path/to/keytab
           Specify the path to the host keytab where credentials of the
           managed service account will be written after a successful
           creation. If not specified, the default location will be used,
           usually /etc/krb5.keytab with the lower-cased Active Directory
           domain name added as a suffix e.g.
           /etc/krb5.keytab.domain.example.com.

       --show-details
           After a successful creation print out information about the created
           object. This is output in a format that should be both human and
           machine readable.

       --show-password
           After a successful creation print out the managed service account
           password. This is output in a format that should be both human and
           machine readable. Treat it like any other account password.

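       The naming scheme above, worked through in a small POSIX shell script
       added here as an example (it is not adcli's code and does not use
       adcli's own random generator): given the short host name, the domain
       and the three-character suffix it prints the CN, the sAMAccountName,
       the Kerberos principal and the default keytab path, and refuses names
       that would exceed the 20-character sAMAccountName limit the text
       describes. The host name 'myhost' and the domain are placeholders.

```shell
#!/bin/sh
# Added example: derive the names adcli create-msa uses for a managed
# service account and enforce the length limit described in the man page.
# Not part of adcli; domain and host names below are placeholders.
set -eu

# msa_suffix: 3 random characters from 0-9, A-Z, a-z, read from the kernel
# RNG. Only illustrates the scheme; adcli generates its own suffix.
msa_suffix() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 3
    echo
}

# msa_names SHORT_HOSTNAME DOMAIN [SUFFIX]
# Prints four lines: CN, sAMAccountName, Kerberos principal, keytab path.
# Fails if the host name is not short, the suffix is malformed, or the
# resulting sAMAccountName would be longer than 20 characters.
msa_names() {
    host="$1"; domain="$2"; suffix="${3:-$(msa_suffix)}"
    case "$host" in
        *.*) echo "msa_names: short host name expected, got '$host'" >&2; return 1 ;;
    esac
    if [ "${#suffix}" -ne 3 ] ||
       [ -n "$(printf '%s' "$suffix" | LC_ALL=C tr -d 'A-Za-z0-9')" ]; then
        echo "msa_names: suffix must be 3 alphanumeric characters" >&2
        return 1
    fi
    cn="${host}!${suffix}"          # CN attribute, e.g. myhost!A2c
    sam="${cn}\$"                   # sAMAccountName, e.g. myhost!A2c$
    if [ "${#sam}" -gt 20 ]; then
        echo "msa_names: '$sam' exceeds the 20-character sAMAccountName limit" >&2
        return 1
    fi
    realm="$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')"
    lower="$(printf '%s' "$domain" | tr '[:upper:]' '[:lower:]')"
    printf '%s\n' "$cn" "$sam" "${sam}@${realm}" "/etc/krb5.keytab.${lower}"
}

if [ "${1:-}" = "run" ]; then
    me="$(uname -n)"
    msa_names "${me%%.*}" domain.example.com
fi
```

       The principal printed on the third line is the one to look for with
       klist -k in the keytab when checking which managed service account a
       later adcli update or adcli delete-computer will act on.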

DELEGATED PERMISSIONS

       It is common practice in AD to not use an account from the Domain
       Administrators group to join a machine to a domain but to use a
       dedicated account which only has permissions to join a machine to one
       or more OUs in the Active Directory tree. Giving the needed permissions
       to a single account or a group in Active Directory is called
       Delegation. A typical example of how to configure Delegation can be
       found in the Delegation section of the blog post Who can add
       workstation to the domain[1].

       When using an account with delegated permissions with adcli, basically
       the same applies. However, some aspects are explained here in a bit
       more detail to better illustrate different concepts of Active
       Directory and to make it easier to debug permission issues during the
       join. Please note that the following is not specific to adcli but
       applies to all applications which would like to modify certain
       properties or objects in Active Directory with an account with limited
       permissions.

       First, as said in the blog post, it is sufficient to have "Create
       computer object" permissions to join a computer to a domain. But this
       only works as expected if the computer object does not exist in Active
       Directory before the join, because it is only when a new object is
       created that Active Directory does not apply additional permission
       checks on the attributes of the new computer object. This means the
       delegated user can add any kind of attribute with any value to a new
       computer object as long as they meet general constraints, e.g. that
       the attribute must be defined in the schema and is allowed in an
       objectclass of the object, that the value must match the syntax
       defined in the schema, or that the sAMAccountName must be unique in
       the domain.

       If you want to use the account with delegated permissions to remove
       computer objects in Active Directory (adcli delete-computer) you should
       of course make sure that the account has "Delete computer object"
       permissions.

       If the computer object already exists the "Create computer object"
       permission does not apply anymore since now an existing object must be
       modified. Now permissions on the individual attributes are needed, e.g.
       "Read and write Account Restrictions" or "Reset Password". For some
       attributes Active Directory has two types of permissions, the plain
       "Read and Write" permissions and the "Validated Write" permissions. For
       the latter case there are two specific permissions relevant for adcli,
       namely

       •   Validated write to DNS host name

       •   Validated write to service principal name

       Details about the validation of the values can be found in the
       "Validated Writes" section of [MS-ADTS], especially dNSHostName[2] and
       servicePrincipalName[3]. To cut it short, for "Validated write to DNS
       host name" the domain part of the fully-qualified hostname must either
       match the domain name of the domain you want to join or must be listed
       in the msDS-AllowedDNSSuffixes attribute. And for "Validated write to
       service principal name" the hostname part of the service principal
       name must match the name stored in dNSHostName or some other
       attributes which are not handled by adcli. This also means that
       dNSHostName cannot be empty or only contain a short name if the
       service principal name should contain a fully-qualified name.

       To summarize, if you only have validated write permissions you should
       make sure the domain part of the hostname matches the domain you want
       to join, or use --host-fqdn with a matching name.
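       The two validated-write rules above, applied to the values a join
       would write, as an added example that is not part of adcli. The
       other_host_names parameter stands for the "other attributes" the text
       mentions but adcli does not handle; that the caller supplies them is an
       assumption.

```python
# Added example (not part of adcli): a pre-join check that applies the two
# "Validated write" rules described above to the values adcli would write,
# so that a failure with a delegated account can be explained before the join.

def domain_part(name: str) -> str:
    """DNS domain part of a host name, lower-cased ('' for a short name)."""
    return name.partition(".")[2].lower()


def spn_host(spn: str) -> str:
    """Host part of an SPN of the form service/host[:port][/name]."""
    parts = spn.split("/")
    return parts[1].split(":")[0].lower() if len(parts) > 1 else ""


def check_validated_writes(host_fqdn, join_domain, allowed_suffixes=(),
                           spns=(), other_host_names=()):
    """Return the problems a validated-write-only account would run into.

    host_fqdn        value that ends up in dNSHostName
    join_domain      domain the machine joins
    allowed_suffixes msDS-AllowedDNSSuffixes of the domain
    spns             servicePrincipalName values to be written
    other_host_names names accepted from attributes adcli does not manage
                     (assumption: the caller supplies them, if any)
    """
    problems = []
    host, join_domain = host_fqdn.lower(), join_domain.lower()
    suffixes = {s.lower() for s in allowed_suffixes}

    # Rule 1: validated write to DNS host name.
    dom = domain_part(host)
    if not dom:
        problems.append(f"dNSHostName {host!r} is a short name; "
                        f"use --host-fqdn={host}.{join_domain}")
    elif dom != join_domain and dom not in suffixes:
        problems.append(f"domain part {dom!r} of dNSHostName is neither the "
                        "join domain nor listed in msDS-AllowedDNSSuffixes")

    # Rule 2: validated write to service principal name. A short dNSHostName
    # therefore also rejects every SPN that carries a fully-qualified name.
    accepted = {host} | {n.lower() for n in other_host_names}
    for spn in spns:
        if spn_host(spn) not in accepted:
            problems.append(f"SPN {spn!r}: host part does not match dNSHostName")
    return problems
```

       Call check_validated_writes() with the host name, domain and SPNs you
       intend to pass to adcli join; an empty list means both rules are met.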

       The plain read/write permissions do not run additional validations, but
       the attribute values must still be in agreement with the general
       constraints mentioned above. If the computer object already exists
       adcli might need the following permissions, which are also needed by
       Windows clients to modify existing attributes:

       •   Reset Password

       •   Read and write Account Restrictions

       •   Read and (validated) write to DNS host name

       •   Read and (validated) write to service principal name

       Additionally adcli needs

       •   Read and write msDS-supportedEncryptionTypes

       This is added for security reasons to avoid that Active Directory
       stores Kerberos keys with (potentially weaker) encryption types than
       the client supports, since Active Directory is often configured to
       still support older (weaker) encryption types for compatibility
       reasons.

       All other attributes are only set or modified on demand, i.e. adcli
       must be called with an option that would set or modify the given
       attribute. In the following, the attributes adcli can modify are
       listed together with the required permissions:
761
762       •   userPrincipalName
763
764           •   Read/Write userPrincipal Name
765
766       •   msDS-supportedEncryptionTypes
767
768           •   Read/Write msDS-SupportedEncryptionTypes
769
770       •   dNSHostName
771
772           •   Read/Write dNSHostName
773
774           •   Read and write DNS host name attributes
775
776           •   Validated write to DNS host name
777
778       •   servicePrincipalName
779
780           •   Read/Write servicePrincipalName
781
782           •   Validated write to service principal name
783
784       •   operatingSystem
785
786           •   Read/Write Operating System
787
788       •   operatingSystemVersion
789
790           •   Read/Write Operating System Version
791
792       •   operatingSystemServicePack
793
794           •   Read/Write operatingSystemServicePack
795
796       •   userAccountControl
797
798           •   Read/Write userAccountControl
799
800       •   description
801
802           •   Read/Write Description
803
       For the management of users and groups (adcli create-user, adcli
       delete-user, adcli create-group, adcli delete-group) the same applies,
       only for different types of objects, i.e. users and groups. Since
       currently adcli only supports the creation and the removal of user and
       group objects it is sufficient to have the "Create/Delete User objects"
       and "Create/Delete Group objects" permissions.

       If you want to manage group members as well (adcli add-member, adcli
       remove-member), "Read/Write Members" permissions are needed as well.

       Depending on the version of Active Directory the "Delegation of Control
       Wizard" might offer some shortcuts for common tasks, e.g.

       •   Create, delete and manage user accounts

       •   Create, delete and manage groups

       •   Modify the membership of a group

       The first 2 shortcuts will provide full access to user and group
       objects which, as explained above, is more than is currently needed.
       After using those shortcuts it is a good idea to verify in the
       "Security" tab in the "Properties" of the related Active Directory
       container that the assigned permissions meet the expectations.


BUGS

       Please send bug reports to either the distribution bug tracker or the
       upstream bug tracker at
       https://bugs.freedesktop.org/enter_bug.cgi?product=realmd&component=adcli


SEE ALSO

       realmd(8), net(8), sssd(8)

       Further details available in the realmd online documentation at
       http://www.freedesktop.org/software/realmd/


NOTES

        1. Who can add workstation to the domain
           https://docs.microsoft.com/en-us/archive/blogs/dubaisec/who-can-add-workstation-to-the-domain

        2. dNSHostName
           https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/5c578b15-d619-408d-ba17-380714b89fd1

        3. servicePrincipalName
           https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/28ca4eca-0e0b-4666-9175-a37ccb8edada



realmd                                                                ADCLI(8)