ADCLI(8)                         System Commands                        ADCLI(8)

NAME
       adcli - Tool for performing actions on an Active Directory domain

SYNOPSIS
       adcli info domain.example.com

       adcli join domain.example.com

       adcli update

       adcli testjoin

       adcli create-user [--domain=domain.example.com] user

       adcli delete-user [--domain=domain.example.com] user

       adcli create-group [--domain=domain.example.com] group

       adcli delete-group [--domain=domain.example.com] group

       adcli add-member [--domain=domain.example.com] group user...

       adcli remove-member [--domain=domain.example.com] group user...

       adcli preset-computer [--domain=domain.example.com] computer...

       adcli reset-computer [--domain=domain.example.com] computer

       adcli delete-computer [--domain=domain.example.com] computer

       adcli show-computer [--domain=domain.example.com] computer

       adcli create-msa [--domain=domain.example.com]

DESCRIPTION
       adcli is a command line tool that can perform actions in an Active
       Directory domain. Among other things it can be used to join a computer
       to a domain.

       See the various sub commands below. The following global options can be
       used:

       -D, --domain=domain
           The domain to connect to. If a domain is not specified, then the
           domain part of the local computer's host name is used.

       -R, --domain-realm=REALM
           Kerberos realm for the domain. If not specified, then the
           upper-cased domain name is used.

       -S, --domain-controller=server
           Connect to a specific domain controller. If not specified, then an
           appropriate domain controller is automatically discovered.

       --use-ldaps
           Connect to the domain controller with LDAPS. By default the LDAP
           port is used and SASL GSS-SPNEGO or GSSAPI is used for
           authentication and to establish encryption. This should satisfy all
           requirements set on the server side; LDAPS should only be used if
           the LDAP port is not accessible due to firewalls or other reasons.

           Please note that the place where CA certificates can be found to
           validate the AD DC certificates must be configured in the OpenLDAP
           configuration file, e.g. /etc/openldap/ldap.conf. As an
           alternative it can be specified with the help of an environment
           variable, e.g.

           $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com
           ...

           Please see ldap.conf(5) for details.

       -C
           Use the default Kerberos credential cache to authenticate with the
           domain.

       --login-ccache[=ccache_name]
           Use the specified Kerberos credential cache to authenticate with
           the domain. If no credential cache is specified, the default
           Kerberos credential cache will be used. Credential caches of type
           FILE can be given with the path to the file. For other credential
           cache types, e.g. DIR, KEYRING or KCM, the type must be specified
           explicitly together with a suitable identifier, e.g.
           KEYRING:persistent:0.

           Please note that since the ccache_name is optional, the = (equal)
           sign between the option and the name is mandatory. If the = is
           missing, the following word is not taken as the cache name but is
           treated as an extra positional argument; how such an argument is
           handled depends on the specific sub-command.

       -U, --login-user=User
           Use the specified user account to authenticate with the domain. If
           not specified, then the name 'Administrator' will be used.

       --no-password
           Don't show prompts for or read a password from input.

       -W, --prompt-password
           Prompt for a password if necessary. This is the default.

       --stdin-password
           Read a password from stdin input instead of prompting for a
           password.

       -v, --verbose
           Run in verbose mode with debug output.

INFO
       adcli info displays discovered information about an Active Directory
       domain or an Active Directory domain controller.

           $ adcli info domain.example.com
           ...

           $ adcli info --domain-controller=dc.domain.example.com
           ...

       adcli info will output as much information as it can about the domain.
       The information is designed to be both machine and human readable. The
       command will exit with a non-zero exit code if the domain does not
       exist or cannot be reached.

       To show domain info for a specific domain controller use the
       --domain-controller option to specify which domain controller to query.

       Use the --verbose option to show details of how the domain is
       discovered and queried. Many of the global options, in particular the
       authentication options, are not usable with the adcli info command:
       it needs no credentials, since it relies on DNS discovery and on
       queries that the domain controller answers without authentication.

JOIN
       adcli join creates a computer account in the domain for the local
       machine, and sets up a keytab for the machine. It does not configure an
       authentication service (such as sssd).

           $ adcli join domain.example.com
           Password for Administrator:

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       -N, --computer-name=computer
           The short non-dotted name of the computer account that will be
           created in the domain. If not specified, then the first portion of
           the --host-fqdn is used.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the
           computer account. If not specified, then the computer account will
           be created in a default location.

       -H, --host-fqdn=host
           Override the local machine's fully qualified domain name. If not
           specified, the local machine's hostname will be retrieved via
           gethostname(). If gethostname() only returns a short name,
           getaddrinfo() with the AI_CANONNAME hint is called to expand the
           name to a fully qualified domain name.

       -K, --host-keytab=/path/to/keytab
           Specify the path to the host keytab where host credentials will be
           written after a successful join operation. If not specified, the
           default location will be used, usually /etc/krb5.keytab.

       --login-type={computer|user}
           Specify the type of authentication that will be performed before
           creating the machine account in the domain. If set to 'computer',
           then the computer must already have a preset account in the domain.
           If not specified and none of the other --login-xxx arguments have
           been specified, then adcli will try both 'computer' and 'user'
           authentication.

       --os-name=name
           Set the operating system name on the computer account. The default
           depends on where adcli was built, but is usually something like
           'linux-gnu'.

       --os-service-pack=pack
           Set the operating system service pack on the computer account. Not
           set by default.

       --os-version=version
           Set the operating system version on the computer account. Not set
           by default.

       --description=description
           Set the description attribute on the computer account. Not set by
           default.

       --service-name=service
           Additional service name for a Kerberos principal to be created on
           the computer account. This option may be specified multiple times.

       --user-principal=host/name@REALM
           Set the userPrincipalName field of the computer account to this
           Kerberos principal. If you omit the value for this option, then a
           principal will be set in the form of host/host.example.com@REALM.

       --one-time-password=password
           Specify a one time password for a preset computer account. This is
           equivalent to using --login-type=computer and providing the
           password as input.

       --trusted-for-delegation=yes|no|true|false
           Set or unset the TRUSTED_FOR_DELEGATION flag in the
           userAccountControl attribute, which allows or disallows forwarding
           Kerberos tickets to the host (unconstrained delegation). Leave it
           unset unless the host really has to act on behalf of users towards
           other services: a host trusted for delegation receives forwarded
           TGTs of every user who authenticates to it, so compromising the
           host compromises those users.

       --add-service-principal=service/hostname
           Add a service principal name. In contrast to --service-name the
           hostname part can be specified as well, in case the service should
           be accessible under a different host name too.

       --show-details
           After a successful join print out information about the join
           operation. This is output in a format that should be both human
           and machine readable.

       --show-password
           After a successful join print out the computer machine account
           password. This is output in a format that should be both human and
           machine readable. The password is a long-lived secret; make sure it
           does not end up in shell history, terminal logs or log files.

       --add-samba-data
           After a successful join add the domain SID and the machine account
           password to the Samba specific databases by calling Samba's net
           utility.

           Please note that Samba's net requires some settings in smb.conf to
           create the database entries correctly. Most important here is
           currently the workgroup option, see smb.conf(5) for details.

       --samba-data-tool=/path/to/net
           If Samba's net cannot be found at /usr/bin/net, this option can be
           used to specify an alternative location with the help of an
           absolute path.

       If supported on the AD side the msDS-supportedEncryptionTypes attribute
       will be set as well. Either the current value or the default list of
       AD's supported encryption types, filtered by the permitted encryption
       types of the client's Kerberos configuration, is written.

UPDATE
       adcli update updates the password of the computer account on the domain
       controller for the local machine, writes the new keys to the keytab and
       removes older keys. The previous key is kept on purpose: AD needs some
       time to replicate the new password to all DCs, and until that has
       happened a DC that still holds the old password will issue service
       tickets encrypted with the previous key.

           $ adcli update

       If used with a credential cache, other attributes of the computer
       account can be changed as well if the principal has sufficient
       privileges.

           $ kinit Administrator
           $ adcli update --login-ccache=/tmp/krbcc_123
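       Two of the decisions adcli update makes, whether the password is old
       enough to rotate and which keytab entries survive the rotation, can be
       checked outside adcli. The following is an added example in Python, not
       adcli's own code. It assumes that pwdLastSet is read from the computer
       object as a Windows FILETIME (100-nanosecond ticks since 1601-01-01
       UTC, the encoding AD uses for that attribute), models the keytab as a
       list of (principal, kvno, enctype) tuples, and uses the 30-day default
       of the --computer-password-lifetime option described below; the
       timestamps and keytab entries in the usage are constructed.

```python
"""Password-age and keytab-rotation checks modelled on adcli update.

Added example, not adcli's own code. Assumptions: pwdLastSet is a Windows
FILETIME (100 ns ticks since 1601-01-01 UTC); the keytab is a list of
(principal, kvno, enctype) tuples; 30 days is the default lifetime.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DEFAULT_LIFETIME_DAYS = 30  # default of --computer-password-lifetime


def parse_utc(text: str) -> datetime:
    """Parse 'YYYY-MM-DD' or 'YYYY-MM-DDTHH:MM:SS' as a UTC timestamp."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME attribute value such as pwdLastSet to a datetime."""
    if filetime < 0:
        raise ValueError("FILETIME must be non-negative")
    # One tick is 100 ns; timedelta resolves microseconds, so divide by 10.
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime, handy for building test values."""
    delta = when - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def password_age_days(pwd_last_set: int, now: datetime) -> float:
    """Age of the machine account password, in days, at time `now`."""
    return (now - filetime_to_datetime(pwd_last_set)).total_seconds() / 86_400


def password_update_needed(pwd_last_set: int, now: datetime,
                           lifetime_days: int = DEFAULT_LIFETIME_DAYS) -> bool:
    """True when the password is older than `lifetime_days`.

    A lifetime of 0 forces the update (--computer-password-lifetime=0). A
    pwdLastSet of 0 means the password was never set or must be changed,
    so it is always treated as due.
    """
    if lifetime_days <= 0 or pwd_last_set == 0:
        return True
    return password_age_days(pwd_last_set, now) > lifetime_days


def prune_keytab(entries, new_kvno: int):
    """Keep entries for the new kvno and the previous one, drop older ones.

    Keeping kvno-1 mirrors adcli update: a DC that has not yet replicated
    the new password still issues tickets under the previous key, and the
    host must be able to decrypt them until replication has caught up.
    """
    return [entry for entry in entries if entry[1] >= new_kvno - 1]


if __name__ == "__main__":
    # Constructed sample: password set on 2023-12-01, checked on 2024-01-31.
    now = parse_utc("2024-01-31")
    set_at = datetime_to_filetime(parse_utc("2023-12-01"))
    print("age in days:", password_age_days(set_at, now))
    print("rotate:", password_update_needed(set_at, now))
    keytab = [("host/h.domain.example.com@DOMAIN.EXAMPLE.COM", kvno, "aes256-cts-hmac-sha1-96")
              for kvno in (3, 4, 5)]
    print("kept kvnos:", [e[1] for e in prune_keytab(keytab, 5)])
```

       Note that a password exactly 30 days old is not rotated, since the
       check is "older than", which is why the man page says to pass
       --computer-password-lifetime=0 when an update must happen now.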

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       -N, --computer-name=computer
           The short non-dotted name of the computer account that will be
           updated in the domain. If not specified, it will be retrieved from
           the keytab entries.

       -H, --host-fqdn=host
           The local machine's fully qualified domain name. If not specified,
           the local machine's hostname will be retrieved from the keytab
           entries.

       -K, --host-keytab=/path/to/keytab
           Specify the path to the host keytab where the current host
           credentials are stored and the new ones will be written to. If not
           specified, the default location will be used, usually
           /etc/krb5.keytab.

       --os-name=name
           Set the operating system name on the computer account. Not set by
           default.

       --os-service-pack=pack
           Set the operating system service pack on the computer account. Not
           set by default.

       --os-version=version
           Set the operating system version on the computer account. Not set
           by default.

       --description=description
           Set the description attribute on the computer account. Not set by
           default.

       --service-name=service
           Additional service name for a Kerberos principal to be created on
           the computer account. This option may be specified multiple times.

       --user-principal=host/name@REALM
           Set the userPrincipalName field of the computer account to this
           Kerberos principal.

       --computer-password-lifetime=lifetime
           Only update the password of the computer account if it is older
           than the lifetime given in days. By default the password is updated
           if it is older than 30 days. A lifetime of 0 forces the update.

       --trusted-for-delegation=yes|no|true|false
           Set or unset the TRUSTED_FOR_DELEGATION flag in the
           userAccountControl attribute, which allows or disallows forwarding
           Kerberos tickets to the host (unconstrained delegation).

       --account-disable=yes|no|true|false
           Set or unset the ACCOUNTDISABLE flag in the userAccountControl
           attribute to disable or enable the computer account.

       --add-service-principal=service/hostname
           Add a service principal name. In contrast to --service-name the
           hostname part can be specified as well, in case the service should
           be accessible under a different host name too.

       --remove-service-principal=service/hostname
           Remove a service principal name from the keytab and the AD host
           object.

       --show-details
           After a successful update print out information about the update
           operation. This is output in a format that should be both human
           and machine readable.

       --add-samba-data
           After a successful update add the domain SID and the machine
           account password to the Samba specific databases by calling Samba's
           net utility.

           Please note that Samba's net requires some settings in smb.conf to
           create the database entries correctly. Most important here is
           currently the workgroup option, see smb.conf(5) for details.

           Note that this only happens when the password is actually updated:
           if the machine account password is not older than 30 days, you have
           to pass --computer-password-lifetime=0 to force the update.

       --samba-data-tool=/path/to/net
           If Samba's net cannot be found at /usr/bin/net, this option can be
           used to specify an alternative location with the help of an
           absolute path.

       If supported on the AD side the msDS-supportedEncryptionTypes attribute
       will be set as well. Either the current value or the default list of
       AD's supported encryption types, filtered by the permitted encryption
       types of the client's Kerberos configuration, is written.
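       The paragraph above, and the identical one at the end of JOIN,
       describes a bit mask: msDS-supportedEncryptionTypes is an integer whose
       bits name the Kerberos encryption types the account supports. The
       following added example (Python, not adcli's own code) builds that value
       the way the paragraph describes, starting from the attribute's current
       value, or from a default list when it is unset, and keeping only the
       types the client's krb5.conf permits. The bit values are the ones
       Microsoft documents for the attribute; the default set used here (RC4,
       AES128, AES256) and the exact intersection rule are this example's
       reading of the paragraph, not a transcript of adcli's implementation;
       the enctype names are the spellings accepted in krb5.conf.

```python
"""Build msDS-supportedEncryptionTypes from the client's permitted enctypes.

Added example, not adcli's own code. Bit values follow Microsoft's
documentation of the attribute; the default AD set (RC4, AES128, AES256)
and the "current value, else default, intersected with what the client
permits" rule are assumptions drawn from the man page text.
"""

# Bit values of msDS-SupportedEncryptionTypes.
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1_96 = 0x08
AES256_CTS_HMAC_SHA1_96 = 0x10

# Assumed default list for new computer objects (0x1c).
AD_DEFAULT_ENCTYPES = RC4_HMAC | AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96

# krb5.conf spellings (including the aliases libkrb5 accepts) -> bit.
KRB5_NAME_TO_BIT = {
    "des-cbc-crc": DES_CBC_CRC,
    "des-cbc-md5": DES_CBC_MD5,
    "arcfour-hmac": RC4_HMAC,
    "arcfour-hmac-md5": RC4_HMAC,
    "rc4-hmac": RC4_HMAC,
    "aes128-cts-hmac-sha1-96": AES128_CTS_HMAC_SHA1_96,
    "aes128-cts": AES128_CTS_HMAC_SHA1_96,
    "aes128-sha1": AES128_CTS_HMAC_SHA1_96,
    "aes256-cts-hmac-sha1-96": AES256_CTS_HMAC_SHA1_96,
    "aes256-cts": AES256_CTS_HMAC_SHA1_96,
    "aes256-sha1": AES256_CTS_HMAC_SHA1_96,
}

BIT_TO_NAME = {
    DES_CBC_CRC: "des-cbc-crc",
    DES_CBC_MD5: "des-cbc-md5",
    RC4_HMAC: "arcfour-hmac",
    AES128_CTS_HMAC_SHA1_96: "aes128-cts-hmac-sha1-96",
    AES256_CTS_HMAC_SHA1_96: "aes256-cts-hmac-sha1-96",
}


def client_enctype_mask(permitted_enctypes) -> int:
    """Mask of the krb5.conf permitted_enctypes that AD can express.

    Names AD has no bit for (e.g. the aes-sha2 types) are skipped, so a
    client that permits only those ends up with an empty mask.
    """
    mask = 0
    for name in permitted_enctypes:
        mask |= KRB5_NAME_TO_BIT.get(name.strip().lower(), 0)
    return mask


def supported_enctypes_value(permitted_enctypes, current=None) -> int:
    """Value to write to msDS-supportedEncryptionTypes.

    Starts from the attribute's current value when the object already has
    one, otherwise from AD_DEFAULT_ENCTYPES, and keeps only the bits the
    client permits. Clearing the RC4 bit for an AES-only client is what
    keeps AD from using a weaker key for this account than the client
    itself would accept, the reason the man page gives for writing it.
    """
    base = AD_DEFAULT_ENCTYPES if current is None else current
    value = base & client_enctype_mask(permitted_enctypes)
    if value == 0:
        raise ValueError("no encryption type in common between AD and the client")
    return value


def describe(value: int):
    """Canonical krb5 names for the bits set in `value`, lowest bit first."""
    return [name for bit, name in sorted(BIT_TO_NAME.items()) if value & bit]


if __name__ == "__main__":
    # Constructed client configuration: AES only, as in a hardened krb5.conf.
    permitted = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"]
    value = supported_enctypes_value(permitted)
    print(hex(value), describe(value))
```

       A value of 0x18 means AES only; if the result came back as 0x1c the
       client still permits RC4 and the DC will keep issuing RC4-encrypted
       tickets for the host.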

TESTJOIN
       adcli testjoin uses the current credentials in the keytab and tries to
       authenticate with the machine account to the AD domain. If this works
       the machine account password and the join are still valid. If it fails
       the machine account password or the whole machine account have to be
       refreshed with adcli join or adcli update. adcli testjoin exits with a
       non-zero status when the authentication fails, so it can be used from
       scripts and monitoring checks.

           $ adcli testjoin

       Only the global options not related to authentication are available;
       additionally you can specify the following option to control how this
       operation is done.

       -K, --host-keytab=/path/to/keytab
           Specify the path to the host keytab that holds the current host
           credentials. If not specified, the default location will be used,
           usually /etc/krb5.keytab.

CREATE-USER
       adcli create-user creates a new user account in the domain.

           $ adcli create-user Fry --domain=domain.example.com \
                 --display-name="Philip J. Fry" --mail=fry@domain.example.com

       In addition to the global options, you can specify the following
       options to control how the user is created.

       --display-name="Name"
           Set the displayName attribute of the newly created user account.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the user
           account. If not specified, then the user account will be created in
           a default location.

       --mail=email@domain.com
           Set the mail attribute of the newly created user account. This
           option may be specified multiple times.

       --unix-home=/home/user
           Set the unixHomeDirectory attribute of the newly created user
           account, which should be an absolute path to the user's home
           directory.

       --unix-gid=111
           Set the gidNumber attribute of the newly created user account,
           which should be the user's numeric primary group id.

       --unix-shell=/bin/shell
           Set the loginShell attribute of the newly created user account,
           which should be a path to a valid shell.

       --unix-uid=111
           Set the uidNumber attribute of the newly created user account,
           which should be the user's numeric user id.

       --nis-domain=nis_domain
           Set the msSFU30NisDomain attribute of the newly created user
           account, which should be the user's NIS domain if the NIS/YP
           service of Active Directory's Services for Unix (SFU) is used.
           This is needed to let the 'UNIX attributes' tab of older Active
           Directory versions show the UNIX specific attributes that were
           set. If not specified, adcli will try to determine the NIS domain
           automatically if needed.

DELETE-USER
       adcli delete-user deletes a user account from the domain.

           $ adcli delete-user Fry --domain=domain.example.com

       The various global options can be used.

CREATE-GROUP
       adcli create-group creates a new group in the domain.

           $ adcli create-group Pilots --domain=domain.example.com \
                 --description="Group for all pilots"

       In addition to the global options, you can specify the following
       options to control how the group is created.

       --description="text"
           Set the description attribute of the newly created group.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the group.
           If not specified, then the group will be created in a default
           location.

DELETE-GROUP
       adcli delete-group deletes a group from the domain.

           $ adcli delete-group Pilots --domain=domain.example.com

       The various global options can be used.

ADD-MEMBER
       adcli add-member adds one or more users to a group in the domain. The
       group is specified first, and then the various users to be added.

           $ adcli add-member --domain=domain.example.com Pilots Leela Scruffy

       The various global options can be used.

REMOVE-MEMBER
       adcli remove-member removes one or more users from a group in the
       domain. The group is specified first, and then the various users to be
       removed.

           $ adcli remove-member --domain=domain.example.com Pilots Scruffy

       The various global options can be used.

PRESET-COMPUTER
       adcli preset-computer pre-creates one or more computer accounts in the
       domain for machines to later use when joining the domain. By doing this
       machines can join using a one time password or automatically without a
       password.

           $ adcli preset-computer --domain=domain.example.com \
                 host1.example.com host2
           Password for Administrator:

       If the computer names specified contain dots, then they are treated as
       fully qualified host names, otherwise they are treated as short
       computer names. The computer accounts must not already exist.

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the
           computer accounts. If not specified, then the computer accounts
           will be created in a default location.

       --one-time-password=password
           Specify a one time password to use when presetting the computer
           accounts. If not specified, then a default password will be used,
           which allows for later automatic joins. That default follows a
           convention rather than being a secret, so a preset account without
           a one time password can be claimed by anyone who reaches the domain
           controller before the intended machine joins; prefer a one time
           password unless the machines join right away.

       --os-name=name
           Set the operating system name on the computer account. The default
           depends on where adcli was built, but is usually something like
           'linux-gnu'.

       --os-service-pack=pack
           Set the operating system service pack on the computer account. Not
           set by default.

       --os-version=version
           Set the operating system version on the computer account. Not set
           by default.

       --service-name=service
           Additional service name for a Kerberos principal to be created on
           the computer account. This option may be specified multiple times.

       --user-principal
           Set the userPrincipalName field of the computer account to a
           Kerberos principal in the form of host/host.example.com@REALM.

RESET-COMPUTER
       adcli reset-computer resets a computer account in the domain. If the
       appropriate machine is currently joined to the domain, then its
       membership will be broken. The account must already exist.

           $ adcli reset-computer --domain=domain.example.com host2

       If the computer names specified contain dots, then they are treated as
       fully qualified host names, otherwise they are treated as short
       computer names.

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       --login-type={computer|user}
           Specify the type of authentication that will be performed before
           resetting the machine account in the domain. If set to 'computer',
           then the computer must already have a preset account in the domain.
           If not specified and none of the other --login-xxx arguments have
           been specified, then adcli will try both 'computer' and 'user'
           authentication.

DELETE-COMPUTER
       adcli delete-computer deletes a computer account in the domain. The
       account must already exist.

           $ adcli delete-computer --domain=domain.example.com host2
           Password for Administrator:

       If the computer name contains a dot, then it is treated as a fully
       qualified host name, otherwise it is treated as a short computer name.

       If no computer name is specified, then the host name of the computer
       adcli is running on is used, as returned by gethostname().

       The various global options can be used.

SHOW-COMPUTER
       adcli show-computer shows the computer account attributes stored in
       AD. The account must already exist.

           $ adcli show-computer --domain=domain.example.com host2
           Password for Administrator:

       If the computer name contains a dot, then it is treated as a fully
       qualified host name, otherwise it is treated as a short computer name.

       If no computer name is specified, then the host name of the computer
       adcli is running on is used, as returned by gethostname().

       The various global options can be used.

CREATE-MSA
       adcli create-msa creates a managed service account (MSA) in the given
       Active Directory domain. This is useful if a computer should not fully
       join the Active Directory domain but LDAP access is needed. A typical
       use case is that the computer is already joined to an Active Directory
       domain and needs access to another Active Directory domain in the same
       or a trusted forest where the host credentials from the joined Active
       Directory domain are not valid, e.g. because there is only a one-way
       trust.

           $ adcli create-msa --domain=domain.example.com
           Password for Administrator:

       The managed service account, as maintained by adcli, cannot have
       additional service principal names (SPNs) associated with it. An SPN
       is defined within the context of a Kerberos service which is tied to a
       machine account in Active Directory. Since a machine can be joined to
       only a single Active Directory domain, a managed service account in a
       different Active Directory domain does not carry the SPNs that belong
       to the machine account in the joined domain.

       Since a client is expected to join the Active Directory domain matching
       its DNS domain, the managed service account will be needed for a
       different Active Directory domain; as a result the Active Directory
       domain name is a mandatory option. If called with no other options
       adcli create-msa will use the short hostname with an additional random
       suffix as computer name to avoid name collisions.

       The LDAP attribute sAMAccountName has a limit of 20 characters.
       However, a machine account's NetBIOS name must be at most 16
       characters long, including the trailing '$' sign. Since it is not
       expected that the managed service accounts created by adcli will be
       used on the NetBIOS level, the remaining 4 characters can be used to
       add uniqueness. Managed service account names will have a suffix of 3
       random characters from the digit and upper- and lowercase ASCII letter
       ranges appended to the chosen short host name, using '!' as a
       separator. For a host with the short name 'myhost', a managed service
       account will have a common name (CN attribute) 'myhost!A2c' and a
       NetBIOS name (sAMAccountName attribute) 'myhost!A2c$'. The
       corresponding Kerberos principal in the Active Directory domain where
       the managed service account was created would be
       'myhost!A2c$@DOMAIN.EXAMPLE.COM'.
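       The naming rules in the paragraph above can be reproduced and checked
       before an account is created. The following is an added example in
       Python, not adcli's own code: it builds the CN, sAMAccountName and
       Kerberos principal of a managed service account from a short host name
       and realm, enforces the 20-character sAMAccountName and 16-character
       NetBIOS limits, derives the default keytab path, and recovers the CN
       from a principal read back from the keytab, which is how adcli finds
       the account again on later runs. The suffix alphabet, separator and
       length checks follow the text; drawing the random suffix with the
       secrets module is this example's choice; the host names are
       constructed.

```python
"""Managed service account naming as described for adcli create-msa.

Added example, not adcli's own code. Follows the man page rules:
CN = <shorthost>!<3 random [A-Za-z0-9]>, sAMAccountName = CN + '$',
sAMAccountName at most 20 characters, NetBIOS name (short host + '$')
at most 16. Using the secrets module for the suffix is this example's
choice.
"""
import secrets
import string

SAM_ACCOUNT_NAME_MAX = 20
NETBIOS_NAME_MAX = 16
SUFFIX_LEN = 3
SEPARATOR = "!"
SUFFIX_ALPHABET = string.ascii_letters + string.digits
DEFAULT_KEYTAB = "/etc/krb5.keytab"


def random_suffix() -> str:
    """Three characters from [A-Za-z0-9], e.g. 'A2c'."""
    return "".join(secrets.choice(SUFFIX_ALPHABET) for _ in range(SUFFIX_LEN))


def msa_names(short_host: str, realm: str, suffix: str = None) -> dict:
    """CN, sAMAccountName and principal for the MSA of `short_host`.

    Raises ValueError when the host name is not a short name, contains the
    separator, or would push the names past the AD limits.
    """
    if not short_host or "." in short_host or SEPARATOR in short_host:
        raise ValueError("short_host must be a non-empty, non-dotted name")
    if len(short_host) + 1 > NETBIOS_NAME_MAX:  # '+ 1' for the trailing '$'
        raise ValueError("short_host too long for a NetBIOS name")
    if suffix is None:
        suffix = random_suffix()
    if len(suffix) != SUFFIX_LEN or any(c not in SUFFIX_ALPHABET for c in suffix):
        raise ValueError("suffix must be 3 characters from [A-Za-z0-9]")
    cn = f"{short_host}{SEPARATOR}{suffix}"
    sam = cn + "$"
    if len(sam) > SAM_ACCOUNT_NAME_MAX:
        raise ValueError("sAMAccountName would exceed 20 characters")
    return {"cn": cn, "sAMAccountName": sam, "principal": f"{sam}@{realm.upper()}"}


def is_msa_sam_account_name(name: str) -> bool:
    """True if `name` has the shape adcli gives MSA sAMAccountNames."""
    if not name.endswith("$") or len(name) > SAM_ACCOUNT_NAME_MAX:
        return False
    host, sep, suffix = name[:-1].rpartition(SEPARATOR)
    return bool(sep and host and len(suffix) == SUFFIX_LEN
                and all(c in SUFFIX_ALPHABET for c in suffix))


def cn_from_keytab_principal(principal: str) -> str:
    """Recover the CN from a principal such as 'myhost!A2c$@DOMAIN.EXAMPLE.COM'."""
    name, at, _realm = principal.partition("@")
    if not at or not is_msa_sam_account_name(name):
        raise ValueError("not a managed service account principal")
    return name[:-1]


def msa_keytab_path(domain: str, default_keytab: str = DEFAULT_KEYTAB) -> str:
    """Default keytab location: the default keytab plus the lower-cased domain."""
    return f"{default_keytab}.{domain.lower()}"


if __name__ == "__main__":
    names = msa_names("myhost", "domain.example.com", suffix="A2c")
    print(names)
    print(cn_from_keytab_principal(names["principal"]))
    print(msa_keytab_path("domain.example.com"))
```

       With a 15-character short host name the sAMAccountName comes out at
       exactly 20 characters; anything longer is rejected before an LDAP
       add that the server would refuse anyway.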

       A keytab for the managed service account is stored in a file
       specified with the -K option. If it is not specified, the file is named
       after the default keytab file, with the lower-cased Active Directory
       domain of the managed service account as a suffix. On most systems it
       would be /etc/krb5.keytab with a suffix of 'domain.example.com', i.e.
       /etc/krb5.keytab.domain.example.com.

       adcli create-msa can be called multiple times to reset the password of
       the managed service account. To identify the right account despite the
       random component in the name, the corresponding principal is read from
       the keytab. If the keytab got deleted adcli will try to identify an
       existing managed service account with the help of the fully-qualified
       name; if this fails a new managed service account will be created.

       The managed service account password can be updated with

           $ adcli update --domain=domain.example.com --host-keytab=/etc/krb5.keytab.domain.example.com

       and the managed service account can be deleted with

           $ adcli delete-computer --domain=domain.example.com 'myhost!A2c'

       In addition to the global options, you can specify the following
       options to control how this operation is done.

       -N, --computer-name=computer
           The short non-dotted name of the managed service account that will
           be created in the Active Directory domain. The long option name
           --computer-name is kept to underline the similarity with the same
           option of the other sub-commands. If not specified, then the first
           portion of the --host-fqdn or its default is used with a random
           suffix.

       -O, --domain-ou=OU=xxx
           The full distinguished name of the OU in which to create the
           managed service account. If not specified, then the managed service
           account will be created in a default location.

       -H, --host-fqdn=host
           Override the local machine's fully qualified DNS domain name. If
           not specified, the local machine's hostname will be retrieved via
           gethostname(). If gethostname() only returns a short name,
           getaddrinfo() with the AI_CANONNAME hint is called to expand the
           name to a fully qualified DNS domain name.

       -K, --host-keytab=/path/to/keytab
           Specify the path to the host keytab where credentials of the
           managed service account will be written after a successful
           creation. If not specified, the default location will be used,
           usually /etc/krb5.keytab with the lower-cased Active Directory
           domain name added as a suffix, e.g.
           /etc/krb5.keytab.domain.example.com.

       --show-details
           After a successful creation print out information about the created
           object. This is output in a format that should be both human and
           machine readable.

       --show-password
           After a successful creation print out the managed service account
           password. This is output in a format that should be both human and
           machine readable.

DELEGATED PERMISSIONS
       It is common practice in AD not to use an account from the Domain
       Administrators group to join a machine to a domain, but a dedicated
       account which only has permissions to join a machine to one or more OUs
       in the Active Directory tree. Giving the needed permissions to a single
       account or a group in Active Directory is called Delegation. A typical
       example of how to configure Delegation can be found in the Delegation
       section of the blog post Who can add workstation to the domain[1].

       When using an account with delegated permissions with adcli basically
       the same applies. However, some aspects are explained here in a bit
       more detail to better illustrate different concepts of Active
       Directory and to make it easier to debug permission issues during the
       join. Please note that the following is not specific to adcli but
       applies to all applications which want to modify certain properties or
       objects in Active Directory with an account with limited permissions.

       First, as said in the blog post, it is sufficient to have "Create
       computer object" permissions to join a computer to a domain. But this
       only works as expected if the computer object does not exist in Active
       Directory before the join, because only when a new object is created
       does Active Directory skip the additional permission checks on the
       attributes of the new computer object. This means the delegated user
       can add any kind of attribute with any value to a new computer object
       as long as they meet general constraints, e.g. that the attribute must
       be defined in the schema and is allowed in an objectclass of the
       object, that the value must match the syntax defined in the schema, or
       that the sAMAccountName must be unique in the domain.

       If you want to use the account with delegated permissions to remove
       computer objects in Active Directory (adcli delete-computer) you
       should of course make sure that the account has "Delete computer
       object" permissions.

       If the computer object already exists the "Create computer object"
       permission does not apply anymore, since now an existing object must
       be modified. Now permissions on the individual attributes are needed,
       e.g. "Read and write Account Restrictions" or "Reset Password". For
       some attributes Active Directory has two types of permissions, the
       plain "Read and Write" permissions and the "Validated Write"
       permissions. For the latter case there are two specific permissions
       relevant for adcli, namely

       •   Validated write to DNS host name

       •   Validated write to service principal name

       Details about the validation of the values can be found in the
       "Validated Writes" section of [MS-ADTS], especially dNSHostName[2] and
       servicePrincipalName[3]. In short, for "Validated write to DNS host
       name" the domain part of the fully-qualified hostname must either
       match the domain name of the domain you want to join or must be listed
       in the msDS-AllowedDNSSuffixes attribute. And for "Validated write to
       service principal name" the hostname part of the service principal
       name must match the name stored in dNSHostName or in some other
       attributes which are not handled by adcli. This also means that
       dNSHostName cannot be empty or only contain a short name if the
       service principal name should contain a fully-qualified name.

       To summarize, if you only have validated write permissions you should
       make sure the domain part of the hostname matches the domain you want
       to join, or use --host-fqdn with a matching name.
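       Both validated writes can be checked before a join is attempted with
       an account that has only those rights. The following is an added
       example in Python, not adcli's own code. It applies the rules stated
       above for dNSHostName (domain part equal to the joined domain or listed
       in msDS-AllowedDNSSuffixes) and for servicePrincipalName (host part
       equal to dNSHostName). It additionally accepts an SPN whose host part
       equals the sAMAccountName without its trailing '$', which is one of the
       other attributes [MS-ADTS] allows and which the text above covers only
       as "some other attributes"; the msDS-AdditionalDnsHostName and
       msDS-AdditionalSamAccountName cases are left out. The host names,
       domain and SPNs in the usage are constructed.

```python
"""Pre-flight checks for the two validated writes used during a join.

Added example, not adcli's own code. The dNSHostName rule and the
dNSHostName part of the SPN rule follow the man page; accepting the
sAMAccountName without '$' as SPN host part follows [MS-ADTS]; the
msDS-AdditionalDnsHostName / msDS-AdditionalSamAccountName cases are
omitted.
"""
from typing import Iterable, List, Optional


def _normalize(name: str) -> str:
    """Lower-case a DNS name and drop a trailing dot, for comparison."""
    return name.strip().rstrip(".").lower()


def spn_host_part(spn: str) -> str:
    """Host part of 'service/host[:port][/name]'; raises on malformed SPNs."""
    parts = spn.split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed SPN: {spn!r}")
    return _normalize(parts[1].split(":", 1)[0])


def validated_dns_host_name_ok(fqdn: str, domain: str,
                               allowed_suffixes: Iterable[str] = ()) -> bool:
    """Would 'Validated write to DNS host name' accept `fqdn` for `domain`?"""
    host, dot, host_domain = _normalize(fqdn).partition(".")
    if not dot or not host:
        return False  # a short name has no domain part to validate
    if host_domain == _normalize(domain):
        return True
    return host_domain in {_normalize(s) for s in allowed_suffixes}


def validated_spn_ok(spn: str, dns_host_name: Optional[str],
                     sam_account_name: str) -> bool:
    """Would 'Validated write to service principal name' accept `spn`?"""
    host = spn_host_part(spn)
    candidates = {_normalize(sam_account_name.rstrip("$"))}
    if dns_host_name:  # empty or missing dNSHostName never matches an FQDN
        candidates.add(_normalize(dns_host_name))
    return host in candidates


def check_join(fqdn: str, domain: str, spns: Iterable[str],
               allowed_suffixes: Iterable[str] = ()) -> List[str]:
    """Problems a validated-write-only account would hit; empty means OK.

    The computer's sAMAccountName is derived from the first label of the
    fqdn, as adcli does for --computer-name by default.
    """
    problems = []
    short = _normalize(fqdn).split(".")[0]
    sam = short.upper() + "$"
    if not validated_dns_host_name_ok(fqdn, domain, allowed_suffixes):
        problems.append(f"dNSHostName {fqdn!r} is neither in {domain!r} nor in an "
                        "allowed suffix; use --host-fqdn with a matching name")
    for spn in spns:
        if not validated_spn_ok(spn, fqdn, sam):
            problems.append(f"SPN {spn!r}: host part does not match dNSHostName {fqdn!r}")
    return problems


if __name__ == "__main__":
    # Constructed input: a host whose DNS domain differs from the AD domain.
    for problem in check_join("host1.corp.local", "domain.example.com",
                              ["host/host1.corp.local", "host/host1"]):
        print(problem)
```

       An empty list from check_join means the two validated writes will
       pass; the plain "Read/Write" rights listed further below are still
       needed for every other attribute adcli touches on an existing object.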

       The plain read/write permissions do not run additional validations,
       but the attribute values must still be in agreement with the general
       constraints mentioned above. If the computer object already exists
       adcli might need the following permissions, which are also needed by
       Windows clients to modify existing attributes:

       •   Reset Password

       •   Read and write Account Restrictions

       •   Read and (validated) write to DNS host name

       •   Read and (validated) write to service principal name

       Additionally adcli needs

       •   Read and write msDS-supportedEncryptionTypes

       This is added for security reasons, to avoid that Active Directory
       stores Kerberos keys with (potentially weaker) encryption types than
       the client supports, since Active Directory is often configured to
       still support older (weaker) encryption types for compatibility
       reasons.

       All other attributes are only set or modified on demand, i.e. adcli
       must be called with an option that would set or modify the given
       attribute. The attributes adcli can modify are listed below, together
       with the required permissions:

       •   userPrincipalName

           •   Read/Write userPrincipal Name

       •   msDS-supportedEncryptionTypes

           •   Read/Write msDS-SupportedEncryptionTypes

       •   dNSHostName

           •   Read/Write dNSHostName

           •   Read and write DNS host name attributes

           •   Validated write to DNS host name

       •   servicePrincipalName

           •   Read/Write servicePrincipalName

           •   Validated write to service principal name

       •   operatingSystem

           •   Read/Write Operating System

       •   operatingSystemVersion

           •   Read/Write Operating System Version

       •   operatingSystemServicePack

           •   Read/Write operatingSystemServicePack

       •   userAccountControl

           •   Read/Write userAccountControl

       •   description

           •   Read/Write Description

       For the management of users and groups (adcli create-user, adcli
       delete-user, adcli create-group, adcli delete-group) the same applies,
       only for different types of objects, i.e. users and groups. Since
       currently adcli only supports the creation and the removal of user and
       group objects it is sufficient to have the "Create/Delete User objects"
       and "Create/Delete Group objects" permissions.

       If you want to manage group members as well (adcli add-member, adcli
       remove-member) "Read/Write Members" permissions are needed as well.

       Depending on the version of Active Directory the "Delegation of Control
       Wizard" might offer some shortcuts for common tasks such as

       •   Create, delete and manage user accounts

       •   Create, delete and manage groups

       •   Modify the membership of a group

       The first two shortcuts provide full access to user and group objects
       which, as explained above, is more than is currently needed. After
       using those shortcuts it is a good idea to verify in the "Security" tab
       in the "Properties" of the related Active Directory container that the
       assigned permissions meet the expectations.

BUGS
       Please send bug reports to either the distribution bug tracker or the
       upstream bug tracker at
       https://bugs.freedesktop.org/enter_bug.cgi?product=realmd&component=adcli

SEE ALSO
       realmd(8), net(8), sssd(8)

       Further details available in the realmd online documentation at
       http://www.freedesktop.org/software/realmd/

NOTES
        1. Who can add workstation to the domain
           https://docs.microsoft.com/en-us/archive/blogs/dubaisec/who-can-add-workstation-to-the-domain

        2. dNSHostName
           https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/5c578b15-d619-408d-ba17-380714b89fd1

        3. servicePrincipalName
           https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/28ca4eca-0e0b-4666-9175-a37ccb8edada

realmd                                                                 ADCLI(8)