1ADCLI(8)                        System Commands                       ADCLI(8)
2
3
4

NAME

6       adcli - Tool for performing actions on an Active Directory domain
7

SYNOPSIS

9       adcli info domain.example.com
10
11       adcli join domain.example.com
12
13       adcli update
14
15       adcli testjoin
16
17       adcli create-user [--domain=domain.example.com] user
18
19       adcli delete-user [--domain=domain.example.com] user
20
21       adcli passwd-user [--domain=domain.example.com] user
22
23       adcli create-group [--domain=domain.example.com] user
24
25       adcli delete-group [--domain=domain.example.com] user
26
27       adcli add-member [--domain=domain.example.com] group user...
28
29       adcli remove-member [--domain=domain.example.com] group user...
30
31       adcli preset-computer [--domain=domain.example.com] computer...
32
33       adcli reset-computer [--domain=domain.example.com] computer
34
35       adcli delete-computer [--domain=domain.example.com] computer
36
37       adcli show-computer [--domain=domain.example.com] computer
38
39       adcli create-msa [--domain=domain.example.com]
40

GENERAL OVERVIEW

42       adcli is a command line tool that can perform actions in an Active
43       Directory domain. Among other things it can be used to join a computer
44       to a domain.
45
46       See the various sub commands below. The following global options can be
47       used:
48
49       -D, --domain=domain
50           The domain to connect to. If a domain is not specified, then the
51           domain part of the local computer's host name is used.
52
53       -R, --domain-realm=REALM
54           Kerberos realm for the domain. If not specified, then the upper
55           cased domain name is used.
56
57       -S, --domain-controller=server
58           Connect to a specific domain controller. If not specified, then an
59           appropriate domain controller is automatically discovered.
60
61       --use-ldaps
62           Connect to the domain controller with LDAPS. By default the LDAP
63           port is used and SASL GSS-SPNEGO or GSSAPI is used for
64           authentication and to establish encryption. This should satisfy all
65           requirements set on the server side and LDAPS should only be used
66           if the LDAP port is not accessible due to firewalls or other
67           reasons.
68
69           Please note that the place where CA certificates can be found to
70           validate the AD DC certificates must be configured in the OpenLDAP
71           configuration file, e.g.  /etc/openldap/ldap.conf. As an
72           alternative it can be specified with the help of an environment
73           variable, e.g.
74
75               $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com
76               ...
77
78           Please see ldap.conf(5) for details.
79
80       -C
81           Use the default Kerberos credential cache to authenticate with the
82           domain.
83
84       --login-ccache[=ccache_name]
85           Use the specified Kerberos credential cache to authenticate with
86           the domain. If no credential cache is specified, the default
87           Kerberos credential cache will be used. Credential caches of type
88           FILE can be given with the path to the file. For other credential
89           cache types, e.g. DIR, KEYRING or KCM, the type must be specified
90           explicitly together with a suitable identifier.
91
92           Please note that since the ccache_name is optional the =(equal)
93           sign is mandatory. If = is missing the parameter is treated as
94           optionless extra argument. How this is handled depends on the
95           specific sub-command.
96
97       -U, --login-user=User
98           Use the specified user account to authenticate with the domain. If
99           not specified, then the name 'Administrator' will be used.
100
101       --no-password
102           Don't show prompts for or read a password from input.
103
104       -W, --prompt-password
105           Prompt for a password if necessary. This is the default.
106
107       --stdin-password
108           Read a password from stdin input instead of prompting for a
109           password.
110
111       -v, --verbose
112           Run in verbose mode with debug output.
113

QUERYING DOMAIN INFORMATION

115       adcli info displays discovered information about an Active Directory
116       domain or an Active Directory domain controller.
117
118           $ adcli info domain.example.com
119           ...
120
121           $ adcli info --domain-controller=dc.domain.example.com
122           ...
123
124       adcli info will output as much information as it can about the domain.
125       The information is designed to be both machine and human readable. The
126       command will exit with a non-zero exit code if the domain does not
127       exist or cannot be reached.
128
129       To show domain info for a specific domain controller use the
130       --domain-controller option to specify which domain controller to query.
131
132       Use the --verbose option to show details of how the domain is
133       discovered and queried. Many of the global options, in particular
134       authentication options, are not usable with the adcli info command.
135

JOINING THE LOCAL MACHINE TO A DOMAIN

137       adcli join creates a computer account in the domain for the local
138       machine, and sets up a keytab for the machine. It does not configure an
139       authentication service (such as sssd).
140
141           $ adcli join domain.example.com
142           Password for Administrator:
143
144       In addition to the global options, you can specify the following
145       options to control how this operation is done.
146
147       -N, --computer-name=computer
148           The short non-dotted name of the computer account that will be
149           created in the domain. If not specified, then the first portion of
150           the --host-fqdn is used.
151
152       -O, --domain-ou=OU=xxx
153           The full distinguished name of the OU in which to create the
154           computer account. If not specified, then the computer account will
155           be created in a default location.
156
157       -H, --host-fqdn=host
158           Override the local machine's fully qualified domain name. If not
159           specified, the local machine's hostname will be retrieved via
160           gethostname(). If gethostname() only returns a short name
161           getaddrinfo() with the AI_CANONNAME hint is called to expand the
162           name to a fully qualified domain name.
163
164       -K, --host-keytab=/path/to/keytab
165           Specify the path to the host keytab where host credentials will be
166           written after a successful join operation. If not specified, the
167           default location will be used, usually /etc/krb5.keytab.
168
169       --login-type={computer|user}
170           Specify the type of authentication that will be performed before
171           creating the machine account in the domain. If set to 'computer',
172           then the computer must already have a preset account in the domain.
173           If not specified and none of the other --login-xxx arguments have
174           been specified, then will try both 'computer' and 'user'
175           authentication.
176
177       --os-name=name
178           Set the operating system name on the computer account. The default
179           depends on where adcli was built, but is usually something like
180           'linux-gnu'.
181
182       --os-service-pack=pack
183           Set the operating system service pack on the computer account. Not
184           set by default.
185
186       --os-version=version
187           Set the operating system version on the computer account. Not set
188           by default.
189
190       --description=description
191           Set the description attribute on the computer account. Not set by
192           default.
193
194       --service-name=service
195           Additional service name for a kerberos principal to be created on
196           the computer account. This option may be specified multiple times.
197
198       --user-principal=host/name@REALM
199           Set the userPrincipalName field of the computer account to this
200           kerberos principal. If you omit the value for this option, then a
201           principal will be set in the form of host/host.example.com@REALM
202
203       --one-time-password
204           Specify a one time password for a preset computer account. This is
205           equivalent to using --login-type=computer and providing a password
206           as input.
207
208       --trusted-for-delegation=yes|no|true|false
209           Set or unset the TRUSTED_FOR_DELEGATION flag in the
210           userAccountControl attribute to allow or not allow that Kerberos
211           tickets can be forwarded to the host.
212
213       --dont-expire-password=yes|no|true|false
214           Set or unset the DONT_EXPIRE_PASSWORD flag in the
215           userAccountControl attribute to indicate if the machine account
216           password should expire or not. By default adcli will set this flag
217           while joining the domain which corresponds to the default behavior
218           of Windows clients.
219
220           Please note that if the password will expire
221           (--dont-expire-password=false) a renewal mechanism has to be
222           enabled on the client to not loose the connectivity to AD if the
223           password expires.
224
225       --add-service-principal=service/hostname
226           Add a service principal name. In contrast to the --service-name the
227           hostname part can be specified as well in case the service should
228           be accessible with a different host name as well.
229
230       --setattr=name=value
231           Add the LDAP attribute name with the given value to the new LDAP
232           host object. This option can be used multiple times to add multiple
233           different attributes. Multi-value attributes are currently not
234           supported.
235
236           Please note that the account used to join the domain must have the
237           required privileges to add the given attributes. Some attributes
238           might have constraints with respect to syntax and allowed values
239           which must be met as well. Attributes managed by other adcli
240           options cannot be set with this option.
241
242       --show-details
243           After a successful join print out information about join operation.
244           This is output in a format that should be both human and machine
245           readable.
246
247       --show-password
248           After a successful join print out the computer machine account
249           password. This is output in a format that should be both human and
250           machine readable.
251
252       --add-samba-data
253           After a successful join add the domain SID and the machine account
254           password to the Samba specific databases by calling Samba's net
255           utility.
256
257           Please note that Samba's net requires some settings in smb.conf to
258           create the database entries correctly. Most important here is
259           currently the workgroup option, see smb.conf(5) for details.
260
261       --samba-data-tool=/path/to/net
262           If Samba's net cannot be found at /usr/bin/net, this option can be
263           used to specific an alternative location with the help of an
264           absolute path.
265
266       If supported on the AD side the msDS-supportedEncryptionTypes attribute
267       will be set as well. Either the current value or the default list of
268       AD's supported encryption types filtered by the permitted encryption
269       types of the client's Kerberos configuration are written.
270

UPDATING THE MACHINE ACCOUNT PASSWORD AND OTHER ATTRIBUTES

272       adcli update updates the password of the computer account on the domain
273       controller for the local machine, write the new keys to the keytab and
274       removes older keys. It keeps the previous key on purpose because AD
275       will need some time to replicate the new key to all DCs hence the
276       previous key might still be used.
277
278           $ adcli update
279
280       If used with a credential cache, other attributes of the computer
281       account can be changed as well if the principal has sufficient
282       privileges.
283
284           $ kinit Administrator
285           $ adcli update --login-ccache=/tmp/krbcc_123
286
287       In addition to the global options, you can specify the following
288       options to control how this operation is done.
289
290       -N, --computer-name=computer
291           The short non-dotted name of the computer account that will be
292           created in the domain. If not specified, it will be retrieved from
293           the keytab entries.
294
295       -H, --host-fqdn=host
296           The local machine's fully qualified domain name. If not specified,
297           the local machine's hostname will be retrieved from the keytab
298           entries.
299
300       -K, --host-keytab=/path/to/keytab
301           Specify the path to the host keytab where current host credentials
302           are stored and the new ones will be written to. If not specified,
303           the default location will be used, usually /etc/krb5.keytab.
304
305       --os-name=name
306           Set the operating system name on the computer account. Not set by
307           default.
308
309       --os-service-pack=pack
310           Set the operating system service pack on the computer account. Not
311           set by default.
312
313       --os-version=version
314           Set the operating system version on the computer account. Not set
315           by default.
316
317       --description=description
318           Set the description attribute on the computer account. Not set by
319           default.
320
321       --service-name=service
322           Additional service name for a Kerberos principal to be created on
323           the computer account. This option may be specified multiple times.
324
325       --user-principal=host/name@REALM
326           Set the userPrincipalName field of the computer account to this
327           Kerberos principal.
328
329       --computer-password-lifetime=lifetime
330           Only update the password of the computer account if it is older
331           than the lifetime given in days. By default the password is updated
332           if it is older than 30 days.
333
334       --trusted-for-delegation=yes|no|true|false
335           Set or unset the TRUSTED_FOR_DELEGATION flag in the
336           userAccountControl attribute to allow or not allow that Kerberos
337           tickets can be forwarded to the host.
338
339       --dont-expire-password=yes|no|true|false
340           Set or unset the DONT_EXPIRE_PASSWORD flag in the
341           userAccountControl attribute to indicate if the machine account
342           password should expire or not. By default adcli will set this flag
343           while joining the domain which corresponds to the default behavior
344           of Windows clients.
345
346           Please note that if the password will expire
347           (--dont-expire-password=false) a renewal mechanism has to be
348           enabled on the client to not loose the connectivity to AD if the
349           password expires.
350
351       --account-disable=yes|no|true|false
352           Set or unset the ACCOUNTDISABLE flag in the userAccountControl
353           attribute to disable or enable the computer account.
354
355       --add-service-principal=service/hostname
356           Add a service principal name. In contrast to the --service-name the
357           hostname part can be specified as well in case the service should
358           be accessible with a different host name as well.
359
360       --remove-service-principal=service/hostname
361           Remove a service principal name from the keytab and the AD host
362           object.
363
364       --setattr=name=value
365           Add the LDAP attribute name with the given value to the LDAP host
366           object. This option can be used multiple times to add multiple
367           different attributes. Multi-value attributes are currently not
368           supported.
369
370           Please note that the account used to update the host object must
371           have the required privileges to modify the given attributes. Some
372           attributes might have constraints with respect to syntax and
373           allowed values which must be met as well. Attributes managed by
374           other adcli options cannot be set with this option.
375
376       --delattr=name
377           Remove the LDAP attribute name from the LDAP host object. This
378           option can be used multiple times to remove multiple different
379           attributes.
380
381           Please note that the account used to update the host object must
382           have the required privileges to delete the given attributes.
383           Attributes managed by other adcli options cannot be removed.
384
385       --show-details
386           After a successful join print out information about join operation.
387           This is output in a format that should be both human and machine
388           readable.
389
390       --add-samba-data
391           After a successful join add the domain SID and the machine account
392           password to the Samba specific databases by calling Samba's net
393           utility.
394
395           Please note that Samba's net requires some settings in smb.conf to
396           create the database entries correctly. Most important here is
397           currently the workgroup option, see smb.conf(5) for details.
398
399           Note that if the machine account password is not older than 30
400           days, you have to pass --computer-password-lifetime=0 to force the
401           update.
402
403       --samba-data-tool=/path/to/net
404           If Samba's net cannot be found at /usr/bin/net, this option can be
405           used to specific an alternative location with the help of an
406           absolute path.
407
408       If supported on the AD side the msDS-supportedEncryptionTypes attribute
409       will be set as well. Either the current value or the default list of
410       AD's supported encryption types filtered by the permitted encryption
411       types of the client's Kerberos configuration are written.
412

TESTING IF THE MACHINE ACCOUNT PASSWORD IS VALID

414       adcli testjoin uses the current credentials in the keytab and tries to
415       authenticate with the machine account to the AD domain. If this works
416       the machine account password and the join are still valid. If it fails
417       the machine account password or the whole machine account have to be
418       refreshed with adcli join or adcli update.
419
420           $ adcli testjoin
421
422       Only the global options not related to authentication are available,
423       additionally you can specify the following options to control how this
424       operation is done.
425
426       -K, --host-keytab=/path/to/keytab
427           Specify the path to the host keytab where current host credentials
428           are stored and the new ones will be written to. If not specified,
429           the default location will be used, usually /etc/krb5.keytab.
430

CREATING A USER

432       adcli create-user creates a new user account in the domain.
433
434           $ adcli create-user Fry --domain=domain.example.com \
435                --display-name="Philip J. Fry" --mail=fry@domain.example.com
436
437       In addition to the global options, you can specify the following
438       options to control how the user is created.
439
440       --display-name="Name"
441           Set the displayName attribute of the new created user account.
442
443       -O, --domain-ou=OU=xxx
444           The full distinguished name of the OU in which to create the user
445           account. If not specified, then the computer account will be
446           created in a default location.
447
448       --mail=email@domain.com
449           Set the mail attribute of the new created user account. This
450           attribute may be specified multiple times.
451
452       --unix-home=/home/user
453           Set the unixHomeDirectory attribute of the new created user
454           account, which should be an absolute path to the user's home
455           directory.
456
457       --unix-gid=111
458           Set the gidNumber attribute of the new created user account, which
459           should be the user's numeric primary group id.
460
461       --unix-shell=/bin/shell
462           Set the loginShell attribute of the new created user account, which
463           should be a path to a valid shell.
464
465       --unix-uid=111
466           Set the uidNumber attribute of the new created user account, which
467           should be the user's numeric primary user id.
468
469       --nis-domain=nis_domain
470           Set the msSFU30NisDomain attribute of the new created user account,
471           which should be the user's NIS domain is the NIS/YP service of
472           Active Directory's Services for Unix (SFU) are used. This is needed
473           to let the 'UNIX attributes' tab of older Active Directoy versions
474           show the set UNIX specific attributes. If not specified adcli will
475           try to determine the NIS domain automatically if needed.
476

DELETING A USER

478       adcli delete-user deletes a user account from the domain.
479
480           $ adcli delete-user Fry --domain=domain.example.com
481
482       The various global options can be used.
483

(RE)SETTING THE PASSWORD OF A USER WITH AN ADMINISTRATIVE ACCOUNT

485       adcli passwd-user sets or resets the password of user account. The
486       administrative account used for this operation must have privileges to
487       set a password.
488
489           $ adcli passwd-user Fry --domain=domain.example.com
490
491       The various global options can be used.
492

CREATING A GROUP

494       adcli create-group creates a new group in the domain.
495
496           $ adcli create-group Pilots --domain=domain.example.com \
497                --description="Group for all pilots"
498
499       In addition to the global options, you can specify the following
500       options to control how the group is created.
501
502       --description="text"
503           Set the description attribute of the new created group.
504
505       -O, --domain-ou=OU=xxx
506           The full distinguished name of the OU in which to create the group.
507           If not specified, then the group will be created in a default
508           location.
509

DELETING A GROUP

511       adcli delete-group deletes a group from the domain.
512
513           $ adcli delete-group Pilots --domain=domain.example.com
514
515       The various global options can be used.
516

ADDING A MEMBER TO A GROUP

518       adcli add-member adds one or more users to a group in the domain. The
519       group is specified first, and then the various users to be added.
520
521           $ adcli add-member --domain=domain.example.com Pilots Leela Scruffy
522
523       The various global options can be used.
524

REMOVING A MEMBER FROM A GROUP

526       adcli remove-member removes a user from a group in the domain. The
527       group is specified first, and then the various users to be removed.
528
529           $ adcli remove-member --domain=domain.example.com Pilots Scruffy
530
531       The various global options can be used.
532

PRESET COMPUTER ACCOUNTS

534       adcli preset-computer pre-creates one or more computer accounts in the
535       domain for machines to later use when joining the domain. By doing this
536       machines can join using a one time password or automatically without a
537       password.
538
539           $ adcli preset-computer --domain=domain.example.com \
540                host1.example.com host2
541           Password for Administrator:
542
543       If the computer names specified contain dots, then they are treated as
544       fully qualified host names, otherwise they are treated as short
545       computer names. The computer accounts must not already exist.
546
547       In addition to the global options, you can specify the following
548       options to control how this operation is done.
549
550       -O, --domain-ou=OU=xxx
551           The full distinguished name of the OU in which to create the
552           computer accounts. If not specified, then the computer account will
553           be created in a default location.
554
555       --one-time-password
556           Specify a one time password to use when presetting the computer
557           accounts. If not specified, then a default password will be used,
558           which allows for later automatic joins.
559
560       --os-name=name
561           Set the operating system name on the computer account. The default
562           depends on where adcli was built, but is usually something like
563           'linux-gnu'.
564
565       --os-service-pack=pack
566           Set the operating system service pack on the computer account. Not
567           set by default.
568
569       --os-version=version
570           Set the operating system version on the computer account. Not set
571           by default.
572
573       --service-name=service
574           Additional service name for a kerberos principal to be created on
575           the computer account. This option may be specified multiple times.
576
577       --user-principal
578           Set the userPrincipalName field of the computer account to this
579           kerberos principal in the form of host/host.example.com@REALM
580

RESET COMPUTER ACCOUNT

582       adcli reset-computer resets a computer account in the domain. If the
583       appropriate machine is currently joined to the domain, then its
584       membership will be broken. The account must already exist.
585
586           $ adcli reset-computer --domain=domain.example.com host2
587
588       If the computer names specified contain dots, then they are treated as
589       fully qualified host names, otherwise they are treated as short
590       computer names.
591
592       In addition to the global options, you can specify the following
593       options to control how this operation is done.
594
595       --login-type={computer|user}
596           Specify the type of authentication that will be performed before
597           creating the machine account in the domain. If set to 'computer',
598           then the computer must already have a preset account in the domain.
599           If not specified and none of the other --login-xxx arguments have
600           been specified, then will try both 'computer' and 'user'
601           authentication.
602

DELETE COMPUTER ACCOUNT

604       adcli delete-computer deletes a computer account in the domain. The
605       account must already exist.
606
607           $ adcli delete-computer --domain=domain.example.com host2
608           Password for Administrator:
609
610       If the computer name contains a dot, then it is treated as fully
611       qualified host name, otherwise it is treated as short computer name.
612
613       If no computer name is specified, then the host name of the computer
614       adcli is running on is used, as returned by gethostname().
615
616       The various global options can be used.
617

SHOW COMPUTER ACCOUNT ATTRIBUTES

619       adcli show-computer show the computer account attributes stored in AD.
620       The account must already exist.
621
622           $ adcli show-computer --domain=domain.example.com host2
623           Password for Administrator:
624
625       If the computer name contains a dot, then it is treated as fully
626       qualified host name, otherwise it is treated as short computer name.
627
628       If no computer name is specified, then the host name of the computer
629       adcli is running on is used, as returned by gethostname().
630
631       The various global options can be used.
632

CREATE A MANAGED SERVICE ACCOUNT

634       adcli create-msa creates a managed service account (MSA) in the given
635       Active Directory domain. This is useful if a computer should not fully
636       join the Active Directory domain but LDAP access is needed. A typical
637       use case is that the computer is already joined an Active Directory
638       domain and needs access to another Active Directory domain in the same
639       or a trusted forest where the host credentials from the joined Active
640       Directory domain are not valid, e.g. there is only a one-way trust.
641
642           $ adcli create-msa --domain=domain.example.com
643           Password for Administrator:
644
645       The managed service account, as maintained by adcli, cannot have
646       additional service principals names (SPNs) associated with it. An SPN
647       is defined within the context of a Kerberos service which is tied to a
648       machine account in Active Directory. Since a machine can be joined to a
649       single Active Directory domain, managed service account in a different
650       Active Directory domain will not have the SPNs that otherwise are part
651       of another Active Directory domain's machine.
652
653       Since it is expected that a client will most probably join to the
654       Active Directory domain matching its DNS domain the managed service
655       account will be needed for a different Active directory domain and as a
656       result the Active Directory domain name is a mandatory option. If
657       called with no other options adcli create-msa will use the short
658       hostname with an additional random suffix as computer name to avoid
659       name collisions.
660
661       LDAP attribute sAMAccountName has a limit of 20 characters. However,
662       machine account's NetBIOS name must be at most 16 characters long,
663       including a trailing '$' sign. Since it is not expected that the
664       managed service accounts created by adcli will be used on the NetBIOS
665       level the remaining 4 characters can be used to add uniqueness. Managed
666       service account names will have a suffix of 3 random characters from
667       number and upper- and lowercase ASCII ranges appended to the chosen
668       short host name, using '!' as a separator. For a host with the
669       shortname 'myhost', a managed service account will have a common name
670       (CN attribute) 'myhost!A2c' and a NetBIOS name (sAMAccountName
671       attribute) will be 'myhost!A2c$'. A corresponding Kerberos principal in
672       the Active Directory domain where the managed service account was
673       created would be 'myhost!A2c$@DOMAIN.EXAMPLE.COM'.
674
675       A keytab for the managed service account is stored into a file
676       specified with -K option. If it is not specified, the file is named
677       after the default keytab file, with lowercase Active Directory domain
678       of the managed service account as a suffix. On most systems it would be
679       /etc/krb5.keytab with a suffix of 'domain.example.com', e.g.
680       /etc/krb5.keytab.domain.example.com.
681
682       adcli create-msa can be called multiple times to reset the password of
683       the managed service account. To identify the right account with the
684       random component in the name the corresponding principal is read from
685       the keytab. If the keytab got deleted adcli will try to identify an
686       existing managed service account with the help of the fully-qualified
687       name, if this fails a new managed service account will be created.
688
689       The managed service account password can be updated with
690
691           $ adcli update --domain=domain.example.com --host-keytab=/etc/krb5.keytab.domain.example.com
692
693       and the managed service account can be deleted with
694
695           $ adcli delete-computer --domain=domain.example.com 'myhost!A2c'
696
697       In addition to the global options, you can specify the following
698       options to control how this operation is done.
699
700       -N, --computer-name=computer
701           The short non-dotted name of the managed service account that will
702           be created in the Active Directory domain. The long option name
703           --computer-name is kept to underline the similarity with the same
704           option of the other sub-commands. If not specified, then the first
705           portion of the --host-fqdn or its default is used with a random
706           suffix.
707
708       -O, --domain-ou=OU=xxx
709           The full distinguished name of the OU in which to create the
710           managed service account. If not specified, then the managed service
711           account will be created in a default location.
712
713       -H, --host-fqdn=host
714           Override the local machine's fully qualified DNS domain name. If
715           not specified, the local machine's hostname will be retrieved via
716           gethostname(). If gethostname() only returns a short name
717           getaddrinfo() with the AI_CANONNAME hint is called to expand the
718           name to a fully qualified DNS domain name.
719
720       -K, --host-keytab=/path/to/keytab
721           Specify the path to the host keytab where credentials of the
722           managed service account will be written after a successful
723           creation. If not specified, the default location will be used,
724           usually /etc/krb5.keytab with the lower-cased Active Directory
725           domain name added as a suffix e.g.
726           /etc/krb5.keytab.domain.example.com.
727
728       --show-details
729           After a successful creation print out information about the created
730           object. This is output in a format that should be both human and
731           machine readable.
732
733       --show-password
734           After a successful creation print out the managed service account
735           password. This is output in a format that should be both human and
736           machine readable.
737

DELEGATED PERMISSIONS

739       It is common practice in AD to not use an account from the Domain
740       Administrators group to join a machine to a domain but use a dedicated
741       account which only has permissions to join a machine to one or more OUs
742       in the Active Directory tree. Giving the needed permissions to a single
743       account or a group in Active Directory is called Delegation. A typical
744       example on how to configured Delegation can be found in the Delegation
745       section of the blog post Who can add workstation to the domain[1].
746
747       When using an account with delegated permissions with adcli basically
748       the same applies as well. However some aspects are explained here in a
749       bit more details to better illustrate different concepts of Active
750       Directory and to make it more easy to debug permissions issues during
751       the join. Please note that the following is not specific to adcli but
752       applies to all applications which would like to modify certain
753       properties or objects in Active Directory with an account with limited
754       permissions.
755
756       First, as said in the blog post it is sufficient to have "Create
757       computer object" permissions to join a computer to a domain. But this
758       would only work as expected if the computer object does not exist in
759       Active Directory before the join. Because only when a new object is
760       created Active Directory does not apply additional permission checks on
761       the attributes of the new computer object. This means the delegated
762       user can add any kind of attribute with any value to a new computer
763       object also long as they meet general constraints like e.g. that the
764       attribute must be defined in the schema and is allowed in a objectclass
765       of the object, the value must match the syntax defined in the schema or
766       that the sAMAccountName must be unique in the domain.
767
768       If you want to use the account with delegated permission to remove
769       computer objects in Active Directory (adcli delete-computer) you should
770       of course make sure that the account has "Delete computer object"
771       permissions.
772
773       If the computer object already exists the "Create computer object"
774       permission does not apply anymore since now an existing object must be
775       modified. Now permissions on the individual attributes are needed. e.g.
776       "Read and write Account Restrictions" or "Reset Password". For some
777       attributes Active Directory has two types of permissions the plain
778       "Read and Write" permissions and the "Validated Write" permissions. For
779       the latter case there are two specific permissions relevant for adcli,
780       namely
781
782       •   Validated write to DNS host name
783
784       •   Validated write to service principal name
785
786       Details about the validation of the values can be found in the
787       "Validated Writes" section of [MS-ADTS], especially dNSHostName[2] and
788       servicePrincipalName[3]. To cut it short for "Validated write to DNS
789       host name" the domain part of the fully-qualified hostname must either
790       match the domain name of the domain you want to join to or must be
791       listed in the msDS-AllowedDNSSuffixes attribute. And for "Validated
792       write to service principal name" the hostname part of the service
793       principal name must match the name stored in dNSHostName or some other
794       attributes which are not handled by adcli. This also means that
795       dNSHostName cannot be empty or only contain a short name if the service
796       principal name should contain a fully-qualified name.
797
798       To summarize, if you only have validated write permissions you should
799       make sure the domain part of the hostname matches the domain you want
800       to join or use the --host-fqdn with a matching name.
801
802       The plain read write permissions do not run additional validations but
803       the attribute values must still be in agreement with the general
804       constraints mentioned above. If the computer object already exists
805       adcli might need the following permissions which are also needed by
806       Windows clients to modify existing attributes:
807
808       •   Reset Password
809
810       •   Read and write Account Restrictions
811
812       •   Read and (validated) write to DNS host name
813
814       •   Read and (validated) write to service principal name
815
816       additionally adcli needs
817
818       •   Read and write msDS-supportedEncryptionTypes
819
820       This is added for security reasons to avoid that Active Directory
821       stores Kerberos keys with (potentially weaker) encryption types than
822       the client supports since Active Directory is often configured to still
823       support older (weaker) encryption types for compatibility reasons.
824
825       All other attributes are only set or modified on demand, i.e. adcli
826       must be called with an option the would set or modify the given
827       attribute. In the following the attributes adcli can modify together
828       with the required permissions are listed:
829
830       •   userPrincipalName
831
832           •   Read/Write userPrincipal Name
833
834       •   msDS-supportedEncryptionTypes
835
836           •   Read/Write msDS-SupportedEncryptionTypes
837
838       •   dNSHostName
839
840           •   Read/Write dNSHostName
841
842           •   Read and write DNS host name attributes
843
844           •   Validated write to DNS host name
845
846       •   servicePrincipalName
847
848           •   Read/Write servicePrincipalName
849
850           •   Validated write to service principal name
851
852       •   operatingSystem
853
854           •   Read/Write Operating System
855
856       •   operatingSystemVersion
857
858           •   Read/Write Operating System Version
859
860       •   operatingSystemServicePack
861
862           •   Read/Write operatingSystemServicePack
863
864       •   userAccountControl
865
866           •   Read/Write userAccountControl
867
868       •   description
869
870           •   Read/Write Description
871
872       For the management of users and groups (adcli create-user, adcli
873       delete-user, adcli create-group, adcli delete-group) the same applies
874       only for different types of objects, i.e. users and groups. Since
875       currently adcli only supports the creation and the removal of user and
876       group objects it is sufficient to have the "Create/Delete User objects"
877       and "Create/Delete Group objects" permissions.
878
879       If you want to manage group members as well (adcli add-member, adcli
880       remove-member) "Read/Write Members" permissions are needed as well.
881
882       Depending on the version of Active Directory the "Delegation of Control
883       Wizard" might offer some shortcuts for common task like e.g.
884
885       •   Create, delete and manage user accounts
886
887       •   Create, delete and manage groups
888
889       •   Modify the membership of a group
890
891       The first 2 shortcuts will provided full access to user and group
892       objects which, as explained above, is more than currently is needed.
893       After using those shortcut it is a good idea to verify in the
894       "Security" tab in the "Properties" of the related Active Directory
895       container that the assigned permissions meet the expectations.
896

BUGS

898       Please send bug reports to either the distribution bug tracker or the
899       upstream bug tracker at
900       https://bugs.freedesktop.org/enter_bug.cgi?product=realmd&component=adcli
901

SEE ALSO

903       realmd(8), net(8), sssd(8)
904
905       Further details available in the realmd online documentation at
906       http://www.freedesktop.org/software/realmd/
907

NOTES

909        1. Who can add workstation to the domain
910           https://docs.microsoft.com/en-us/archive/blogs/dubaisec/who-can-add-workstation-to-the-domain
911
912        2. dNSHostName
913           https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/5c578b15-d619-408d-ba17-380714b89fd1
914
915        3. servicePrincipalName
916           https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/28ca4eca-0e0b-4666-9175-a37ccb8edada
917
918
919
920realmd                                                                ADCLI(8)
Impressum