1ADCLI(8) System Commands ADCLI(8)
2
3
4
6 adcli - Tool for performing actions on an Active Directory domain
7
9 adcli info domain.example.com
10
11 adcli join domain.example.com
12
13 adcli update
14
15 adcli testjoin
16
17 adcli create-user [--domain=domain.example.com] user
18
19 adcli delete-user [--domain=domain.example.com] user
20
21 adcli passwd-user [--domain=domain.example.com] user
22
23 adcli create-group [--domain=domain.example.com] user
24
25 adcli delete-group [--domain=domain.example.com] user
26
27 adcli add-member [--domain=domain.example.com] group user...
28
29 adcli remove-member [--domain=domain.example.com] group user...
30
31 adcli preset-computer [--domain=domain.example.com] computer...
32
33 adcli reset-computer [--domain=domain.example.com] computer
34
35 adcli delete-computer [--domain=domain.example.com] computer
36
37 adcli show-computer [--domain=domain.example.com] computer
38
39 adcli create-msa [--domain=domain.example.com]
40
42 adcli is a command line tool that can perform actions in an Active
43 Directory domain. Among other things it can be used to join a computer
44 to a domain.
45
46 See the various sub commands below. The following global options can be
47 used:
48
49 -D, --domain=domain
50 The domain to connect to. If a domain is not specified, then the
51 domain part of the local computer's host name is used.
52
53 -R, --domain-realm=REALM
54 Kerberos realm for the domain. If not specified, then the upper
55 cased domain name is used.
56
57 -S, --domain-controller=server
58 Connect to a specific domain controller. If not specified, then an
59 appropriate domain controller is automatically discovered.
60
61 --use-ldaps
62 Connect to the domain controller with LDAPS. By default the LDAP
63 port is used and SASL GSS-SPNEGO or GSSAPI is used for
64 authentication and to establish encryption. This should satisfy all
65 requirements set on the server side and LDAPS should only be used
66 if the LDAP port is not accessible due to firewalls or other
67 reasons.
68
69 Please note that the place where CA certificates can be found to
70 validate the AD DC certificates must be configured in the OpenLDAP
71 configuration file, e.g. /etc/openldap/ldap.conf. As an
72 alternative it can be specified with the help of an environment
73 variable, e.g.
74
75 $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com
76 ...
77
78 Please see ldap.conf(5) for details.
79
80 -C
81 Use the default Kerberos credential cache to authenticate with the
82 domain.
83
84 --login-ccache[=ccache_name]
85 Use the specified Kerberos credential cache to authenticate with
86 the domain. If no credential cache is specified, the default
87 Kerberos credential cache will be used. Credential caches of type
88 FILE can be given with the path to the file. For other credential
89 cache types, e.g. DIR, KEYRING or KCM, the type must be specified
90 explicitly together with a suitable identifier.
91
92 Please note that since the ccache_name is optional the =(equal)
93 sign is mandatory. If = is missing the parameter is treated as
94 optionless extra argument. How this is handled depends on the
95 specific sub-command.
96
97 -U, --login-user=User
98 Use the specified user account to authenticate with the domain. If
99 not specified, then the name 'Administrator' will be used.
100
101 --no-password
102 Don't show prompts for or read a password from input.
103
104 -W, --prompt-password
105 Prompt for a password if necessary. This is the default.
106
107 --stdin-password
108 Read a password from stdin input instead of prompting for a
109 password.
110
111 -v, --verbose
112 Run in verbose mode with debug output.
113
115 adcli info displays discovered information about an Active Directory
116 domain or an Active Directory domain controller.
117
118 $ adcli info domain.example.com
119 ...
120
121 $ adcli info --domain-controller=dc.domain.example.com
122 ...
123
124 adcli info will output as much information as it can about the domain.
125 The information is designed to be both machine and human readable. The
126 command will exit with a non-zero exit code if the domain does not
127 exist or cannot be reached.
128
129 To show domain info for a specific domain controller use the
130 --domain-controller option to specify which domain controller to query.
131
132 Use the --verbose option to show details of how the domain is
133 discovered and queried. Many of the global options, in particular
134 authentication options, are not usable with the adcli info command.
135
137 adcli join creates a computer account in the domain for the local
138 machine, and sets up a keytab for the machine. It does not configure an
139 authentication service (such as sssd).
140
141 $ adcli join domain.example.com
142 Password for Administrator:
143
144 In addition to the global options, you can specify the following
145 options to control how this operation is done.
146
147 -N, --computer-name=computer
148 The short non-dotted name of the computer account that will be
149 created in the domain. If not specified, then the first portion of
150 the --host-fqdn is used.
151
152 -O, --domain-ou=OU=xxx
153 The full distinguished name of the OU in which to create the
154 computer account. If not specified, then the computer account will
155 be created in a default location.
156
157 -H, --host-fqdn=host
158 Override the local machine's fully qualified domain name. If not
159 specified, the local machine's hostname will be retrieved via
160 gethostname(). If gethostname() only returns a short name
161 getaddrinfo() with the AI_CANONNAME hint is called to expand the
162 name to a fully qualified domain name.
163
164 -K, --host-keytab=/path/to/keytab
165 Specify the path to the host keytab where host credentials will be
166 written after a successful join operation. If not specified, the
167 default location will be used, usually /etc/krb5.keytab.
168
169 --login-type={computer|user}
170 Specify the type of authentication that will be performed before
171 creating the machine account in the domain. If set to 'computer',
172 then the computer must already have a preset account in the domain.
173 If not specified and none of the other --login-xxx arguments have
174 been specified, then will try both 'computer' and 'user'
175 authentication.
176
177 --os-name=name
178 Set the operating system name on the computer account. The default
179 depends on where adcli was built, but is usually something like
180 'linux-gnu'.
181
182 --os-service-pack=pack
183 Set the operating system service pack on the computer account. Not
184 set by default.
185
186 --os-version=version
187 Set the operating system version on the computer account. Not set
188 by default.
189
190 --description=description
191 Set the description attribute on the computer account. Not set by
192 default.
193
194 --service-name=service
195 Additional service name for a kerberos principal to be created on
196 the computer account. This option may be specified multiple times.
197
198 --user-principal=host/name@REALM
199 Set the userPrincipalName field of the computer account to this
200 kerberos principal. If you omit the value for this option, then a
201 principal will be set in the form of host/host.example.com@REALM
202
203 --one-time-password
204 Specify a one time password for a preset computer account. This is
205 equivalent to using --login-type=computer and providing a password
206 as input.
207
208 --trusted-for-delegation=yes|no|true|false
209 Set or unset the TRUSTED_FOR_DELEGATION flag in the
210 userAccountControl attribute to allow or not allow that Kerberos
211 tickets can be forwarded to the host.
212
213 --dont-expire-password=yes|no|true|false
214 Set or unset the DONT_EXPIRE_PASSWORD flag in the
215 userAccountControl attribute to indicate if the machine account
216 password should expire or not. By default adcli will set this flag
217 while joining the domain which corresponds to the default behavior
218 of Windows clients.
219
220 Please note that if the password will expire
221 (--dont-expire-password=false) a renewal mechanism has to be
222 enabled on the client to not loose the connectivity to AD if the
223 password expires.
224
225 --add-service-principal=service/hostname
226 Add a service principal name. In contrast to the --service-name the
227 hostname part can be specified as well in case the service should
228 be accessible with a different host name as well.
229
230 --setattr=name=value
231 Add the LDAP attribute name with the given value to the new LDAP
232 host object. This option can be used multiple times to add multiple
233 different attributes. Multi-value attributes are currently not
234 supported.
235
236 Please note that the account used to join the domain must have the
237 required privileges to add the given attributes. Some attributes
238 might have constraints with respect to syntax and allowed values
239 which must be met as well. Attributes managed by other adcli
240 options cannot be set with this option.
241
242 --show-details
243 After a successful join print out information about join operation.
244 This is output in a format that should be both human and machine
245 readable.
246
247 --show-password
248 After a successful join print out the computer machine account
249 password. This is output in a format that should be both human and
250 machine readable.
251
252 --add-samba-data
253 After a successful join add the domain SID and the machine account
254 password to the Samba specific databases by calling Samba's net
255 utility.
256
257 Please note that Samba's net requires some settings in smb.conf to
258 create the database entries correctly. Most important here is
259 currently the workgroup option, see smb.conf(5) for details.
260
261 --samba-data-tool=/path/to/net
262 If Samba's net cannot be found at /usr/bin/net, this option can be
263 used to specific an alternative location with the help of an
264 absolute path.
265
266 If supported on the AD side the msDS-supportedEncryptionTypes attribute
267 will be set as well. Either the current value or the default list of
268 AD's supported encryption types filtered by the permitted encryption
269 types of the client's Kerberos configuration are written.
270
272 adcli update updates the password of the computer account on the domain
273 controller for the local machine, write the new keys to the keytab and
274 removes older keys. It keeps the previous key on purpose because AD
275 will need some time to replicate the new key to all DCs hence the
276 previous key might still be used.
277
278 $ adcli update
279
280 If used with a credential cache, other attributes of the computer
281 account can be changed as well if the principal has sufficient
282 privileges.
283
284 $ kinit Administrator
285 $ adcli update --login-ccache=/tmp/krbcc_123
286
287 In addition to the global options, you can specify the following
288 options to control how this operation is done.
289
290 -N, --computer-name=computer
291 The short non-dotted name of the computer account that will be
292 created in the domain. If not specified, it will be retrieved from
293 the keytab entries.
294
295 -H, --host-fqdn=host
296 The local machine's fully qualified domain name. If not specified,
297 the local machine's hostname will be retrieved from the keytab
298 entries.
299
300 -K, --host-keytab=/path/to/keytab
301 Specify the path to the host keytab where current host credentials
302 are stored and the new ones will be written to. If not specified,
303 the default location will be used, usually /etc/krb5.keytab.
304
305 --os-name=name
306 Set the operating system name on the computer account. Not set by
307 default.
308
309 --os-service-pack=pack
310 Set the operating system service pack on the computer account. Not
311 set by default.
312
313 --os-version=version
314 Set the operating system version on the computer account. Not set
315 by default.
316
317 --description=description
318 Set the description attribute on the computer account. Not set by
319 default.
320
321 --service-name=service
322 Additional service name for a Kerberos principal to be created on
323 the computer account. This option may be specified multiple times.
324
325 --user-principal=host/name@REALM
326 Set the userPrincipalName field of the computer account to this
327 Kerberos principal.
328
329 --computer-password-lifetime=lifetime
330 Only update the password of the computer account if it is older
331 than the lifetime given in days. By default the password is updated
332 if it is older than 30 days.
333
334 --trusted-for-delegation=yes|no|true|false
335 Set or unset the TRUSTED_FOR_DELEGATION flag in the
336 userAccountControl attribute to allow or not allow that Kerberos
337 tickets can be forwarded to the host.
338
339 --dont-expire-password=yes|no|true|false
340 Set or unset the DONT_EXPIRE_PASSWORD flag in the
341 userAccountControl attribute to indicate if the machine account
342 password should expire or not. By default adcli will set this flag
343 while joining the domain which corresponds to the default behavior
344 of Windows clients.
345
346 Please note that if the password will expire
347 (--dont-expire-password=false) a renewal mechanism has to be
348 enabled on the client to not loose the connectivity to AD if the
349 password expires.
350
351 --account-disable=yes|no|true|false
352 Set or unset the ACCOUNTDISABLE flag in the userAccountControl
353 attribute to disable or enable the computer account.
354
355 --add-service-principal=service/hostname
356 Add a service principal name. In contrast to the --service-name the
357 hostname part can be specified as well in case the service should
358 be accessible with a different host name as well.
359
360 --remove-service-principal=service/hostname
361 Remove a service principal name from the keytab and the AD host
362 object.
363
364 --setattr=name=value
365 Add the LDAP attribute name with the given value to the LDAP host
366 object. This option can be used multiple times to add multiple
367 different attributes. Multi-value attributes are currently not
368 supported.
369
370 Please note that the account used to update the host object must
371 have the required privileges to modify the given attributes. Some
372 attributes might have constraints with respect to syntax and
373 allowed values which must be met as well. Attributes managed by
374 other adcli options cannot be set with this option.
375
376 --delattr=name
377 Remove the LDAP attribute name from the LDAP host object. This
378 option can be used multiple times to remove multiple different
379 attributes.
380
381 Please note that the account used to update the host object must
382 have the required privileges to delete the given attributes.
383 Attributes managed by other adcli options cannot be removed.
384
385 --show-details
386 After a successful join print out information about join operation.
387 This is output in a format that should be both human and machine
388 readable.
389
390 --add-samba-data
391 After a successful join add the domain SID and the machine account
392 password to the Samba specific databases by calling Samba's net
393 utility.
394
395 Please note that Samba's net requires some settings in smb.conf to
396 create the database entries correctly. Most important here is
397 currently the workgroup option, see smb.conf(5) for details.
398
399 Note that if the machine account password is not older than 30
400 days, you have to pass --computer-password-lifetime=0 to force the
401 update.
402
403 --samba-data-tool=/path/to/net
404 If Samba's net cannot be found at /usr/bin/net, this option can be
405 used to specific an alternative location with the help of an
406 absolute path.
407
408 If supported on the AD side the msDS-supportedEncryptionTypes attribute
409 will be set as well. Either the current value or the default list of
410 AD's supported encryption types filtered by the permitted encryption
411 types of the client's Kerberos configuration are written.
412
414 adcli testjoin uses the current credentials in the keytab and tries to
415 authenticate with the machine account to the AD domain. If this works
416 the machine account password and the join are still valid. If it fails
417 the machine account password or the whole machine account have to be
418 refreshed with adcli join or adcli update.
419
420 $ adcli testjoin
421
422 Only the global options not related to authentication are available,
423 additionally you can specify the following options to control how this
424 operation is done.
425
426 -K, --host-keytab=/path/to/keytab
427 Specify the path to the host keytab where current host credentials
428 are stored and the new ones will be written to. If not specified,
429 the default location will be used, usually /etc/krb5.keytab.
430
432 adcli create-user creates a new user account in the domain.
433
434 $ adcli create-user Fry --domain=domain.example.com \
435 --display-name="Philip J. Fry" --mail=fry@domain.example.com
436
437 In addition to the global options, you can specify the following
438 options to control how the user is created.
439
440 --display-name="Name"
441 Set the displayName attribute of the new created user account.
442
443 -O, --domain-ou=OU=xxx
444 The full distinguished name of the OU in which to create the user
445 account. If not specified, then the computer account will be
446 created in a default location.
447
448 --mail=email@domain.com
449 Set the mail attribute of the new created user account. This
450 attribute may be specified multiple times.
451
452 --unix-home=/home/user
453 Set the unixHomeDirectory attribute of the new created user
454 account, which should be an absolute path to the user's home
455 directory.
456
457 --unix-gid=111
458 Set the gidNumber attribute of the new created user account, which
459 should be the user's numeric primary group id.
460
461 --unix-shell=/bin/shell
462 Set the loginShell attribute of the new created user account, which
463 should be a path to a valid shell.
464
465 --unix-uid=111
466 Set the uidNumber attribute of the new created user account, which
467 should be the user's numeric primary user id.
468
469 --nis-domain=nis_domain
470 Set the msSFU30NisDomain attribute of the new created user account,
471 which should be the user's NIS domain is the NIS/YP service of
472 Active Directory's Services for Unix (SFU) are used. This is needed
473 to let the 'UNIX attributes' tab of older Active Directoy versions
474 show the set UNIX specific attributes. If not specified adcli will
475 try to determine the NIS domain automatically if needed.
476
478 adcli delete-user deletes a user account from the domain.
479
480 $ adcli delete-user Fry --domain=domain.example.com
481
482 The various global options can be used.
483
485 adcli passwd-user sets or resets the password of user account. The
486 administrative account used for this operation must have privileges to
487 set a password.
488
489 $ adcli passwd-user Fry --domain=domain.example.com
490
491 The various global options can be used.
492
494 adcli create-group creates a new group in the domain.
495
496 $ adcli create-group Pilots --domain=domain.example.com \
497 --description="Group for all pilots"
498
499 In addition to the global options, you can specify the following
500 options to control how the group is created.
501
502 --description="text"
503 Set the description attribute of the new created group.
504
505 -O, --domain-ou=OU=xxx
506 The full distinguished name of the OU in which to create the group.
507 If not specified, then the group will be created in a default
508 location.
509
511 adcli delete-group deletes a group from the domain.
512
513 $ adcli delete-group Pilots --domain=domain.example.com
514
515 The various global options can be used.
516
518 adcli add-member adds one or more users to a group in the domain. The
519 group is specified first, and then the various users to be added.
520
521 $ adcli add-member --domain=domain.example.com Pilots Leela Scruffy
522
523 The various global options can be used.
524
526 adcli remove-member removes a user from a group in the domain. The
527 group is specified first, and then the various users to be removed.
528
529 $ adcli remove-member --domain=domain.example.com Pilots Scruffy
530
531 The various global options can be used.
532
534 adcli preset-computer pre-creates one or more computer accounts in the
535 domain for machines to later use when joining the domain. By doing this
536 machines can join using a one time password or automatically without a
537 password.
538
539 $ adcli preset-computer --domain=domain.example.com \
540 host1.example.com host2
541 Password for Administrator:
542
543 If the computer names specified contain dots, then they are treated as
544 fully qualified host names, otherwise they are treated as short
545 computer names. The computer accounts must not already exist.
546
547 In addition to the global options, you can specify the following
548 options to control how this operation is done.
549
550 -O, --domain-ou=OU=xxx
551 The full distinguished name of the OU in which to create the
552 computer accounts. If not specified, then the computer account will
553 be created in a default location.
554
555 --one-time-password
556 Specify a one time password to use when presetting the computer
557 accounts. If not specified, then a default password will be used,
558 which allows for later automatic joins.
559
560 --os-name=name
561 Set the operating system name on the computer account. The default
562 depends on where adcli was built, but is usually something like
563 'linux-gnu'.
564
565 --os-service-pack=pack
566 Set the operating system service pack on the computer account. Not
567 set by default.
568
569 --os-version=version
570 Set the operating system version on the computer account. Not set
571 by default.
572
573 --service-name=service
574 Additional service name for a kerberos principal to be created on
575 the computer account. This option may be specified multiple times.
576
577 --user-principal
578 Set the userPrincipalName field of the computer account to this
579 kerberos principal in the form of host/host.example.com@REALM
580
582 adcli reset-computer resets a computer account in the domain. If the
583 appropriate machine is currently joined to the domain, then its
584 membership will be broken. The account must already exist.
585
586 $ adcli reset-computer --domain=domain.example.com host2
587
588 If the computer names specified contain dots, then they are treated as
589 fully qualified host names, otherwise they are treated as short
590 computer names.
591
592 In addition to the global options, you can specify the following
593 options to control how this operation is done.
594
595 --login-type={computer|user}
596 Specify the type of authentication that will be performed before
597 creating the machine account in the domain. If set to 'computer',
598 then the computer must already have a preset account in the domain.
599 If not specified and none of the other --login-xxx arguments have
600 been specified, then will try both 'computer' and 'user'
601 authentication.
602
604 adcli delete-computer deletes a computer account in the domain. The
605 account must already exist.
606
607 $ adcli delete-computer --domain=domain.example.com host2
608 Password for Administrator:
609
610 If the computer name contains a dot, then it is treated as fully
611 qualified host name, otherwise it is treated as short computer name.
612
613 If no computer name is specified, then the host name of the computer
614 adcli is running on is used, as returned by gethostname().
615
616 The various global options can be used.
617
619 adcli show-computer show the computer account attributes stored in AD.
620 The account must already exist.
621
622 $ adcli show-computer --domain=domain.example.com host2
623 Password for Administrator:
624
625 If the computer name contains a dot, then it is treated as fully
626 qualified host name, otherwise it is treated as short computer name.
627
628 If no computer name is specified, then the host name of the computer
629 adcli is running on is used, as returned by gethostname().
630
631 The various global options can be used.
632
634 adcli create-msa creates a managed service account (MSA) in the given
635 Active Directory domain. This is useful if a computer should not fully
636 join the Active Directory domain but LDAP access is needed. A typical
637 use case is that the computer is already joined an Active Directory
638 domain and needs access to another Active Directory domain in the same
639 or a trusted forest where the host credentials from the joined Active
640 Directory domain are not valid, e.g. there is only a one-way trust.
641
642 $ adcli create-msa --domain=domain.example.com
643 Password for Administrator:
644
645 The managed service account, as maintained by adcli, cannot have
646 additional service principals names (SPNs) associated with it. An SPN
647 is defined within the context of a Kerberos service which is tied to a
648 machine account in Active Directory. Since a machine can be joined to a
649 single Active Directory domain, managed service account in a different
650 Active Directory domain will not have the SPNs that otherwise are part
651 of another Active Directory domain's machine.
652
653 Since it is expected that a client will most probably join to the
654 Active Directory domain matching its DNS domain the managed service
655 account will be needed for a different Active directory domain and as a
656 result the Active Directory domain name is a mandatory option. If
657 called with no other options adcli create-msa will use the short
658 hostname with an additional random suffix as computer name to avoid
659 name collisions.
660
661 LDAP attribute sAMAccountName has a limit of 20 characters. However,
662 machine account's NetBIOS name must be at most 16 characters long,
663 including a trailing '$' sign. Since it is not expected that the
664 managed service accounts created by adcli will be used on the NetBIOS
665 level the remaining 4 characters can be used to add uniqueness. Managed
666 service account names will have a suffix of 3 random characters from
667 number and upper- and lowercase ASCII ranges appended to the chosen
668 short host name, using '!' as a separator. For a host with the
669 shortname 'myhost', a managed service account will have a common name
670 (CN attribute) 'myhost!A2c' and a NetBIOS name (sAMAccountName
671 attribute) will be 'myhost!A2c$'. A corresponding Kerberos principal in
672 the Active Directory domain where the managed service account was
673 created would be 'myhost!A2c$@DOMAIN.EXAMPLE.COM'.
674
675 A keytab for the managed service account is stored into a file
676 specified with -K option. If it is not specified, the file is named
677 after the default keytab file, with lowercase Active Directory domain
678 of the managed service account as a suffix. On most systems it would be
679 /etc/krb5.keytab with a suffix of 'domain.example.com', e.g.
680 /etc/krb5.keytab.domain.example.com.
681
682 adcli create-msa can be called multiple times to reset the password of
683 the managed service account. To identify the right account with the
684 random component in the name the corresponding principal is read from
685 the keytab. If the keytab got deleted adcli will try to identify an
686 existing managed service account with the help of the fully-qualified
687 name, if this fails a new managed service account will be created.
688
689 The managed service account password can be updated with
690
691 $ adcli update --domain=domain.example.com --host-keytab=/etc/krb5.keytab.domain.example.com
692
693 and the managed service account can be deleted with
694
695 $ adcli delete-computer --domain=domain.example.com 'myhost!A2c'
696
697 In addition to the global options, you can specify the following
698 options to control how this operation is done.
699
700 -N, --computer-name=computer
701 The short non-dotted name of the managed service account that will
702 be created in the Active Directory domain. The long option name
703 --computer-name is kept to underline the similarity with the same
704 option of the other sub-commands. If not specified, then the first
705 portion of the --host-fqdn or its default is used with a random
706 suffix.
707
708 -O, --domain-ou=OU=xxx
709 The full distinguished name of the OU in which to create the
710 managed service account. If not specified, then the managed service
711 account will be created in a default location.
712
713 -H, --host-fqdn=host
714 Override the local machine's fully qualified DNS domain name. If
715 not specified, the local machine's hostname will be retrieved via
716 gethostname(). If gethostname() only returns a short name
717 getaddrinfo() with the AI_CANONNAME hint is called to expand the
718 name to a fully qualified DNS domain name.
719
720 -K, --host-keytab=/path/to/keytab
721 Specify the path to the host keytab where credentials of the
722 managed service account will be written after a successful
723 creation. If not specified, the default location will be used,
724 usually /etc/krb5.keytab with the lower-cased Active Directory
725 domain name added as a suffix e.g.
726 /etc/krb5.keytab.domain.example.com.
727
728 --show-details
729 After a successful creation print out information about the created
730 object. This is output in a format that should be both human and
731 machine readable.
732
733 --show-password
734 After a successful creation print out the managed service account
735 password. This is output in a format that should be both human and
736 machine readable.
737
739 It is common practice in AD to not use an account from the Domain
740 Administrators group to join a machine to a domain but use a dedicated
741 account which only has permissions to join a machine to one or more OUs
742 in the Active Directory tree. Giving the needed permissions to a single
743 account or a group in Active Directory is called Delegation. A typical
744 example on how to configured Delegation can be found in the Delegation
745 section of the blog post Who can add workstation to the domain[1].
746
747 When using an account with delegated permissions with adcli basically
748 the same applies as well. However some aspects are explained here in a
749 bit more details to better illustrate different concepts of Active
750 Directory and to make it more easy to debug permissions issues during
751 the join. Please note that the following is not specific to adcli but
752 applies to all applications which would like to modify certain
753 properties or objects in Active Directory with an account with limited
754 permissions.
755
756 First, as said in the blog post it is sufficient to have "Create
757 computer object" permissions to join a computer to a domain. But this
758 would only work as expected if the computer object does not exist in
759 Active Directory before the join. Because only when a new object is
760 created Active Directory does not apply additional permission checks on
761 the attributes of the new computer object. This means the delegated
762 user can add any kind of attribute with any value to a new computer
763 object also long as they meet general constraints like e.g. that the
764 attribute must be defined in the schema and is allowed in a objectclass
765 of the object, the value must match the syntax defined in the schema or
766 that the sAMAccountName must be unique in the domain.
767
768 If you want to use the account with delegated permission to remove
769 computer objects in Active Directory (adcli delete-computer) you should
770 of course make sure that the account has "Delete computer object"
771 permissions.
772
773 If the computer object already exists the "Create computer object"
774 permission does not apply anymore since now an existing object must be
775 modified. Now permissions on the individual attributes are needed. e.g.
776 "Read and write Account Restrictions" or "Reset Password". For some
777 attributes Active Directory has two types of permissions the plain
778 "Read and Write" permissions and the "Validated Write" permissions. For
779 the latter case there are two specific permissions relevant for adcli,
780 namely
781
782 • Validated write to DNS host name
783
784 • Validated write to service principal name
785
786 Details about the validation of the values can be found in the
787 "Validated Writes" section of [MS-ADTS], especially dNSHostName[2] and
788 servicePrincipalName[3]. To cut it short for "Validated write to DNS
789 host name" the domain part of the fully-qualified hostname must either
790 match the domain name of the domain you want to join to or must be
791 listed in the msDS-AllowedDNSSuffixes attribute. And for "Validated
792 write to service principal name" the hostname part of the service
793 principal name must match the name stored in dNSHostName or some other
794 attributes which are not handled by adcli. This also means that
795 dNSHostName cannot be empty or only contain a short name if the service
796 principal name should contain a fully-qualified name.
797
798 To summarize, if you only have validated write permissions you should
799 make sure the domain part of the hostname matches the domain you want
800 to join or use the --host-fqdn with a matching name.
801
802 The plain read write permissions do not run additional validations but
803 the attribute values must still be in agreement with the general
804 constraints mentioned above. If the computer object already exists
805 adcli might need the following permissions which are also needed by
806 Windows clients to modify existing attributes:
807
808 • Reset Password
809
810 • Read and write Account Restrictions
811
812 • Read and (validated) write to DNS host name
813
814 • Read and (validated) write to service principal name
815
816 additionally adcli needs
817
818 • Read and write msDS-supportedEncryptionTypes
819
820 This is added for security reasons to avoid that Active Directory
821 stores Kerberos keys with (potentially weaker) encryption types than
822 the client supports since Active Directory is often configured to still
823 support older (weaker) encryption types for compatibility reasons.
824
825 All other attributes are only set or modified on demand, i.e. adcli
826 must be called with an option the would set or modify the given
827 attribute. In the following the attributes adcli can modify together
828 with the required permissions are listed:
829
830 • userPrincipalName
831
832 • Read/Write userPrincipal Name
833
834 • msDS-supportedEncryptionTypes
835
836 • Read/Write msDS-SupportedEncryptionTypes
837
838 • dNSHostName
839
840 • Read/Write dNSHostName
841
842 • Read and write DNS host name attributes
843
844 • Validated write to DNS host name
845
846 • servicePrincipalName
847
848 • Read/Write servicePrincipalName
849
850 • Validated write to service principal name
851
852 • operatingSystem
853
854 • Read/Write Operating System
855
856 • operatingSystemVersion
857
858 • Read/Write Operating System Version
859
860 • operatingSystemServicePack
861
862 • Read/Write operatingSystemServicePack
863
864 • userAccountControl
865
866 • Read/Write userAccountControl
867
868 • description
869
870 • Read/Write Description
871
872 For the management of users and groups (adcli create-user, adcli
873 delete-user, adcli create-group, adcli delete-group) the same applies
874 only for different types of objects, i.e. users and groups. Since
875 currently adcli only supports the creation and the removal of user and
876 group objects it is sufficient to have the "Create/Delete User objects"
877 and "Create/Delete Group objects" permissions.
878
879 If you want to manage group members as well (adcli add-member, adcli
880 remove-member) "Read/Write Members" permissions are needed as well.
881
882 Depending on the version of Active Directory the "Delegation of Control
883 Wizard" might offer some shortcuts for common task like e.g.
884
885 • Create, delete and manage user accounts
886
887 • Create, delete and manage groups
888
889 • Modify the membership of a group
890
891 The first 2 shortcuts will provided full access to user and group
892 objects which, as explained above, is more than currently is needed.
893 After using those shortcut it is a good idea to verify in the
894 "Security" tab in the "Properties" of the related Active Directory
895 container that the assigned permissions meet the expectations.
896
898 Please send bug reports to either the distribution bug tracker or the
899 upstream bug tracker at
900 https://bugs.freedesktop.org/enter_bug.cgi?product=realmd&component=adcli
901
903 realmd(8), net(8), sssd(8)
904
905 Further details available in the realmd online documentation at
906 http://www.freedesktop.org/software/realmd/
907
909 1. Who can add workstation to the domain
910 https://docs.microsoft.com/en-us/archive/blogs/dubaisec/who-can-add-workstation-to-the-domain
911
912 2. dNSHostName
913 https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/5c578b15-d619-408d-ba17-380714b89fd1
914
915 3. servicePrincipalName
916 https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/28ca4eca-0e0b-4666-9175-a37ccb8edada
917
918
919
920realmd ADCLI(8)