1ADCLI(8) System Commands ADCLI(8)
2
6 adcli - Tool for performing actions on an Active Directory domain
7
9 adcli info domain.example.com
10 adcli join domain.example.com
12 adcli update
14 adcli testjoin
16 adcli create-user [--domain=domain.example.com] user
18 adcli delete-user [--domain=domain.example.com] user
20 adcli passwd-user [--domain=domain.example.com] user
22 adcli create-group [--domain=domain.example.com] user
24 adcli delete-group [--domain=domain.example.com] user
26 adcli add-member [--domain=domain.example.com] group user...
28 adcli remove-member [--domain=domain.example.com] group user...
30 adcli preset-computer [--domain=domain.example.com] computer...
32 adcli reset-computer [--domain=domain.example.com] computer
34 adcli delete-computer [--domain=domain.example.com] computer
36 adcli show-computer [--domain=domain.example.com] computer
38 adcli create-msa [--domain=domain.example.com]
40
42 adcli is a command line tool that can perform actions in an Active
43 Directory domain. Among other things it can be used to join a computer
44 to a domain.
45 See the various sub commands below. The following global options can be
47 used:
48 -D, --domain=domain
50 The domain to connect to. If a domain is not specified, then the
51 domain part of the local computer's host name is used.
52 -R, --domain-realm=REALM
54 Kerberos realm for the domain. If not specified, then the upper
55 cased domain name is used.
56 -S, --domain-controller=server
58 Connect to a specific domain controller. If not specified, then an
59 appropriate domain controller is automatically discovered.
60 --use-ldaps
62 Connect to the domain controller with LDAPS. By default the LDAP
63 port is used and SASL GSS-SPNEGO or GSSAPI is used for
64 authentication and to establish encryption. This should satisfy all
65 requirements set on the server side and LDAPS should only be used
66 if the LDAP port is not accessible due to firewalls or other
67 reasons.
68 Please note that the place where CA certificates can be found to
70 validate the AD DC certificates must be configured in the OpenLDAP
71 configuration file, e.g. /etc/openldap/ldap.conf. As an
72 alternative it can be specified with the help of an environment
73 variable, e.g.
74 $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com
76 ...
77 Please see ldap.conf(5) for details.
79 -C
81 Use the default Kerberos credential cache to authenticate with the
82 domain.
83 --login-ccache[=ccache_name]
85 Use the specified Kerberos credential cache to authenticate with
86 the domain. If no credential cache is specified, the default
87 Kerberos credential cache will be used. Credential caches of type
88 FILE can be given with the path to the file. For other credential
89 cache types, e.g. DIR, KEYRING or KCM, the type must be specified
90 explicitly together with a suitable identifier.
91 Please note that since the ccache_name is optional the =(equal)
93 sign is mandatory. If = is missing the parameter is treated as
94 optionless extra argument. How this is handled depends on the
95 specific sub-command.
96 -U, --login-user=User
98 Use the specified user account to authenticate with the domain. If
99 not specified, then the name 'Administrator' will be used.
100 --no-password
102 Don't show prompts for or read a password from input.
103 -W, --prompt-password
105 Prompt for a password if necessary. This is the default.
106 --stdin-password
108 Read a password from stdin input instead of prompting for a
109 password.
110 -v, --verbose
112 Run in verbose mode with debug output.
113
115 adcli info displays discovered information about an Active Directory
116 domain or an Active Directory domain controller.
117 $ adcli info domain.example.com
119 ...
120 $ adcli info --domain-controller=dc.domain.example.com
122 ...
123 adcli info will output as much information as it can about the domain.
125 The information is designed to be both machine and human readable. The
126 command will exit with a non-zero exit code if the domain does not
127 exist or cannot be reached.
128 To show domain info for a specific domain controller use the
130 --domain-controller option to specify which domain controller to query.
131 Use the --verbose option to show details of how the domain is
133 discovered and queried. Many of the global options, in particular
134 authentication options, are not usable with the adcli info command.
135
137 adcli join creates a computer account in the domain for the local
138 machine, and sets up a keytab for the machine. It does not configure an
139 authentication service (such as sssd).
140 $ adcli join domain.example.com
142 Password for Administrator:
143 In addition to the global options, you can specify the following
145 options to control how this operation is done.
146 -N, --computer-name=computer
148 The short non-dotted name of the computer account that will be
149 created in the domain. If not specified, then the first portion of
150 the --host-fqdn is used.
151 -O, --domain-ou=OU=xxx
153 The full distinguished name of the OU in which to create the
154 computer account. If not specified, then the computer account will
155 be created in a default location.
156 -H, --host-fqdn=host
158 Override the local machine's fully qualified domain name. If not
159 specified, the local machine's hostname will be retrieved via
160 gethostname(). If gethostname() only returns a short name
161 getaddrinfo() with the AI_CANONNAME hint is called to expand the
162 name to a fully qualified domain name.
163 -K, --host-keytab=/path/to/keytab
165 Specify the path to the host keytab where host credentials will be
166 written after a successful join operation. If not specified, the
167 default location will be used, usually /etc/krb5.keytab.
168 --login-type={computer|user}
170 Specify the type of authentication that will be performed before
171 creating the machine account in the domain. If set to 'computer',
172 then the computer must already have a preset account in the domain.
173 If not specified and none of the other --login-xxx arguments have
174 been specified, then will try both 'computer' and 'user'
175 authentication.
176 --os-name=name
178 Set the operating system name on the computer account. The default
179 depends on where adcli was built, but is usually something like
180 'linux-gnu'.
181 --os-service-pack=pack
183 Set the operating system service pack on the computer account. Not
184 set by default.
185 --os-version=version
187 Set the operating system version on the computer account. Not set
188 by default.
189 --description=description
191 Set the description attribute on the computer account. Not set by
192 default.
193 --service-name=service
195 Additional service name for a kerberos principal to be created on
196 the computer account. This option may be specified multiple times.
197 --user-principal=host/name@REALM
199 Set the userPrincipalName field of the computer account to this
200 kerberos principal. If you omit the value for this option, then a
201 principal will be set in the form of host/host.example.com@REALM
202 --one-time-password
204 Specify a one time password for a preset computer account. This is
205 equivalent to using --login-type=computer and providing a password
206 as input.
207 --trusted-for-delegation=yes|no|true|false
209 Set or unset the TRUSTED_FOR_DELEGATION flag in the
210 userAccountControl attribute to allow or not allow that Kerberos
211 tickets can be forwarded to the host.
212 --dont-expire-password=yes|no|true|false
214 Set or unset the DONT_EXPIRE_PASSWORD flag in the
215 userAccountControl attribute to indicate if the machine account
216 password should expire or not. By default adcli will set this flag
217 while joining the domain which corresponds to the default behavior
218 of Windows clients.
219 Please note that if the password will expire
221 (--dont-expire-password=false) a renewal mechanism has to be
222 enabled on the client to not loose the connectivity to AD if the
223 password expires.
224 --add-service-principal=service/hostname
226 Add a service principal name. In contrast to the --service-name the
227 hostname part can be specified as well in case the service should
228 be accessible with a different host name as well.
229 --setattr=name=value
231 Add the LDAP attribute name with the given value to the new LDAP
232 host object. This option can be used multiple times to add multiple
233 different attributes. Multi-value attributes are currently not
234 supported.
235 Please note that the account used to join the domain must have the
237 required privileges to add the given attributes. Some attributes
238 might have constraints with respect to syntax and allowed values
239 which must be met as well. Attributes managed by other adcli
240 options cannot be set with this option.
241 --show-details
243 After a successful join print out information about join operation.
244 This is output in a format that should be both human and machine
245 readable.
246 --show-password
248 After a successful join print out the computer machine account
249 password. This is output in a format that should be both human and
250 machine readable.
251 --add-samba-data
253 After a successful join add the domain SID and the machine account
254 password to the Samba specific databases by calling Samba's net
255 utility.
256 Please note that Samba's net requires some settings in smb.conf to
258 create the database entries correctly. Most important here is
259 currently the workgroup option, see smb.conf(5) for details.
260 --samba-data-tool=/path/to/net
262 If Samba's net cannot be found at /usr/bin/net, this option can be
263 used to specific an alternative location with the help of an
264 absolute path.
265 If supported on the AD side the msDS-supportedEncryptionTypes attribute
267 will be set as well. Either the current value or the default list of
268 AD's supported encryption types filtered by the permitted encryption
269 types of the client's Kerberos configuration are written.
270
272 adcli update updates the password of the computer account on the domain
273 controller for the local machine, write the new keys to the keytab and
274 removes older keys. It keeps the previous key on purpose because AD
275 will need some time to replicate the new key to all DCs hence the
276 previous key might still be used.
277 $ adcli update
279 If used with a credential cache, other attributes of the computer
281 account can be changed as well if the principal has sufficient
282 privileges.
283 $ kinit Administrator
285 $ adcli update --login-ccache=/tmp/krbcc_123
286 In addition to the global options, you can specify the following
288 options to control how this operation is done.
289 -N, --computer-name=computer
291 The short non-dotted name of the computer account that will be
292 created in the domain. If not specified, it will be retrieved from
293 the keytab entries.
294 -H, --host-fqdn=host
296 The local machine's fully qualified domain name. If not specified,
297 the local machine's hostname will be retrieved from the keytab
298 entries.
299 -K, --host-keytab=/path/to/keytab
301 Specify the path to the host keytab where current host credentials
302 are stored and the new ones will be written to. If not specified,
303 the default location will be used, usually /etc/krb5.keytab.
304 --os-name=name
306 Set the operating system name on the computer account. Not set by
307 default.
308 --os-service-pack=pack
310 Set the operating system service pack on the computer account. Not
311 set by default.
312 --os-version=version
314 Set the operating system version on the computer account. Not set
315 by default.
316 --description=description
318 Set the description attribute on the computer account. Not set by
319 default.
320 --service-name=service
322 Additional service name for a Kerberos principal to be created on
323 the computer account. This option may be specified multiple times.
324 --user-principal=host/name@REALM
326 Set the userPrincipalName field of the computer account to this
327 Kerberos principal.
328 --computer-password-lifetime=lifetime
330 Only update the password of the computer account if it is older
331 than the lifetime given in days. By default the password is updated
332 if it is older than 30 days.
333 --trusted-for-delegation=yes|no|true|false
335 Set or unset the TRUSTED_FOR_DELEGATION flag in the
336 userAccountControl attribute to allow or not allow that Kerberos
337 tickets can be forwarded to the host.
338 --dont-expire-password=yes|no|true|false
340 Set or unset the DONT_EXPIRE_PASSWORD flag in the
341 userAccountControl attribute to indicate if the machine account
342 password should expire or not. By default adcli will set this flag
343 while joining the domain which corresponds to the default behavior
344 of Windows clients.
345 Please note that if the password will expire
347 (--dont-expire-password=false) a renewal mechanism has to be
348 enabled on the client to not loose the connectivity to AD if the
349 password expires.
350 --account-disable=yes|no|true|false
352 Set or unset the ACCOUNTDISABLE flag in the userAccountControl
353 attribute to disable or enable the computer account.
354 --add-service-principal=service/hostname
356 Add a service principal name. In contrast to the --service-name the
357 hostname part can be specified as well in case the service should
358 be accessible with a different host name as well.
359 --remove-service-principal=service/hostname
361 Remove a service principal name from the keytab and the AD host
362 object.
363 --setattr=name=value
365 Add the LDAP attribute name with the given value to the LDAP host
366 object. This option can be used multiple times to add multiple
367 different attributes. Multi-value attributes are currently not
368 supported.
369 Please note that the account used to update the host object must
371 have the required privileges to modify the given attributes. Some
372 attributes might have constraints with respect to syntax and
373 allowed values which must be met as well. Attributes managed by
374 other adcli options cannot be set with this option.
375 --delattr=name
377 Remove the LDAP attribute name from the LDAP host object. This
378 option can be used multiple times to remove multiple different
379 attributes.
380 Please note that the account used to update the host object must
382 have the required privileges to delete the given attributes.
383 Attributes managed by other adcli options cannot be removed.
384 --show-details
386 After a successful join print out information about join operation.
387 This is output in a format that should be both human and machine
388 readable.
389 --add-samba-data
391 After a successful join add the domain SID and the machine account
392 password to the Samba specific databases by calling Samba's net
393 utility.
394 Please note that Samba's net requires some settings in smb.conf to
396 create the database entries correctly. Most important here is
397 currently the workgroup option, see smb.conf(5) for details.
398 Note that if the machine account password is not older than 30
400 days, you have to pass --computer-password-lifetime=0 to force the
401 update.
402 --samba-data-tool=/path/to/net
404 If Samba's net cannot be found at /usr/bin/net, this option can be
405 used to specific an alternative location with the help of an
406 absolute path.
407 If supported on the AD side the msDS-supportedEncryptionTypes attribute
409 will be set as well. Either the current value or the default list of
410 AD's supported encryption types filtered by the permitted encryption
411 types of the client's Kerberos configuration are written.
412
414 adcli testjoin uses the current credentials in the keytab and tries to
415 authenticate with the machine account to the AD domain. If this works
416 the machine account password and the join are still valid. If it fails
417 the machine account password or the whole machine account have to be
418 refreshed with adcli join or adcli update.
419 $ adcli testjoin
421 Only the global options not related to authentication are available,
423 additionally you can specify the following options to control how this
424 operation is done.
425 -K, --host-keytab=/path/to/keytab
427 Specify the path to the host keytab where current host credentials
428 are stored and the new ones will be written to. If not specified,
429 the default location will be used, usually /etc/krb5.keytab.
430
432 adcli create-user creates a new user account in the domain.
433 $ adcli create-user Fry --domain=domain.example.com \
435 --display-name="Philip J. Fry" --mail=fry@domain.example.com
436 In addition to the global options, you can specify the following
438 options to control how the user is created.
439 --display-name="Name"
441 Set the displayName attribute of the new created user account.
442 -O, --domain-ou=OU=xxx
444 The full distinguished name of the OU in which to create the user
445 account. If not specified, then the computer account will be
446 created in a default location.
447 --mail=email@domain.com
449 Set the mail attribute of the new created user account. This
450 attribute may be specified multiple times.
451 --unix-home=/home/user
453 Set the unixHomeDirectory attribute of the new created user
454 account, which should be an absolute path to the user's home
455 directory.
456 --unix-gid=111
458 Set the gidNumber attribute of the new created user account, which
459 should be the user's numeric primary group id.
460 --unix-shell=/bin/shell
462 Set the loginShell attribute of the new created user account, which
463 should be a path to a valid shell.
464 --unix-uid=111
466 Set the uidNumber attribute of the new created user account, which
467 should be the user's numeric primary user id.
468 --nis-domain=nis_domain
470 Set the msSFU30NisDomain attribute of the new created user account,
471 which should be the user's NIS domain is the NIS/YP service of
472 Active Directory's Services for Unix (SFU) are used. This is needed
473 to let the 'UNIX attributes' tab of older Active Directoy versions
474 show the set UNIX specific attributes. If not specified adcli will
475 try to determine the NIS domain automatically if needed.
476
478 adcli delete-user deletes a user account from the domain.
479 $ adcli delete-user Fry --domain=domain.example.com
481 The various global options can be used.
483
485 adcli passwd-user sets or resets the password of user account. The
486 administrative account used for this operation must have privileges to
487 set a password.
488 $ adcli passwd-user Fry --domain=domain.example.com
490 The various global options can be used.
492
494 adcli create-group creates a new group in the domain.
495 $ adcli create-group Pilots --domain=domain.example.com \
497 --description="Group for all pilots"
498 In addition to the global options, you can specify the following
500 options to control how the group is created.
501 --description="text"
503 Set the description attribute of the new created group.
504 -O, --domain-ou=OU=xxx
506 The full distinguished name of the OU in which to create the group.
507 If not specified, then the group will be created in a default
508 location.
509
511 adcli delete-group deletes a group from the domain.
512 $ adcli delete-group Pilots --domain=domain.example.com
514 The various global options can be used.
516
518 adcli add-member adds one or more users to a group in the domain. The
519 group is specified first, and then the various users to be added.
520 $ adcli add-member --domain=domain.example.com Pilots Leela Scruffy
522 The various global options can be used.
524
526 adcli remove-member removes a user from a group in the domain. The
527 group is specified first, and then the various users to be removed.
528 $ adcli remove-member --domain=domain.example.com Pilots Scruffy
530 The various global options can be used.
532
534 adcli preset-computer pre-creates one or more computer accounts in the
535 domain for machines to later use when joining the domain. By doing this
536 machines can join using a one time password or automatically without a
537 password.
538 $ adcli preset-computer --domain=domain.example.com \
540 host1.example.com host2
541 Password for Administrator:
542 If the computer names specified contain dots, then they are treated as
544 fully qualified host names, otherwise they are treated as short
545 computer names. The computer accounts must not already exist.
546 In addition to the global options, you can specify the following
548 options to control how this operation is done.
549 -O, --domain-ou=OU=xxx
551 The full distinguished name of the OU in which to create the
552 computer accounts. If not specified, then the computer account will
553 be created in a default location.
554 --one-time-password
556 Specify a one time password to use when presetting the computer
557 accounts. If not specified, then a default password will be used,
558 which allows for later automatic joins.
559 --os-name=name
561 Set the operating system name on the computer account. The default
562 depends on where adcli was built, but is usually something like
563 'linux-gnu'.
564 --os-service-pack=pack
566 Set the operating system service pack on the computer account. Not
567 set by default.
568 --os-version=version
570 Set the operating system version on the computer account. Not set
571 by default.
572 --service-name=service
574 Additional service name for a kerberos principal to be created on
575 the computer account. This option may be specified multiple times.
576 --user-principal
578 Set the userPrincipalName field of the computer account to this
579 kerberos principal in the form of host/host.example.com@REALM
580
582 adcli reset-computer resets a computer account in the domain. If the
583 appropriate machine is currently joined to the domain, then its
584 membership will be broken. The account must already exist.
585 $ adcli reset-computer --domain=domain.example.com host2
587 If the computer names specified contain dots, then they are treated as
589 fully qualified host names, otherwise they are treated as short
590 computer names.
591 In addition to the global options, you can specify the following
593 options to control how this operation is done.
594 --login-type={computer|user}
596 Specify the type of authentication that will be performed before
597 creating the machine account in the domain. If set to 'computer',
598 then the computer must already have a preset account in the domain.
599 If not specified and none of the other --login-xxx arguments have
600 been specified, then will try both 'computer' and 'user'
601 authentication.
602
604 adcli delete-computer deletes a computer account in the domain. The
605 account must already exist.
606 $ adcli delete-computer --domain=domain.example.com host2
608 Password for Administrator:
609 If the computer name contains a dot, then it is treated as fully
611 qualified host name, otherwise it is treated as short computer name.
612 If no computer name is specified, then the host name of the computer
614 adcli is running on is used, as returned by gethostname().
615 The various global options can be used.
617
619 adcli show-computer show the computer account attributes stored in AD.
620 The account must already exist.
621 $ adcli show-computer --domain=domain.example.com host2
623 Password for Administrator:
624 If the computer name contains a dot, then it is treated as fully
626 qualified host name, otherwise it is treated as short computer name.
627 If no computer name is specified, then the host name of the computer
629 adcli is running on is used, as returned by gethostname().
630 The various global options can be used.
632
634 adcli create-msa creates a managed service account (MSA) in the given
635 Active Directory domain. This is useful if a computer should not fully
636 join the Active Directory domain but LDAP access is needed. A typical
637 use case is that the computer is already joined an Active Directory
638 domain and needs access to another Active Directory domain in the same
639 or a trusted forest where the host credentials from the joined Active
640 Directory domain are not valid, e.g. there is only a one-way trust.
641 $ adcli create-msa --domain=domain.example.com
643 Password for Administrator:
644 The managed service account, as maintained by adcli, cannot have
646 additional service principals names (SPNs) associated with it. An SPN
647 is defined within the context of a Kerberos service which is tied to a
648 machine account in Active Directory. Since a machine can be joined to a
649 single Active Directory domain, managed service account in a different
650 Active Directory domain will not have the SPNs that otherwise are part
651 of another Active Directory domain's machine.
652 Since it is expected that a client will most probably join to the
654 Active Directory domain matching its DNS domain the managed service
655 account will be needed for a different Active directory domain and as a
656 result the Active Directory domain name is a mandatory option. If
657 called with no other options adcli create-msa will use the short
658 hostname with an additional random suffix as computer name to avoid
659 name collisions.
660 LDAP attribute sAMAccountName has a limit of 20 characters. However,
662 machine account's NetBIOS name must be at most 16 characters long,
663 including a trailing '$' sign. Since it is not expected that the
664 managed service accounts created by adcli will be used on the NetBIOS
665 level the remaining 4 characters can be used to add uniqueness. Managed
666 service account names will have a suffix of 3 random characters from
667 number and upper- and lowercase ASCII ranges appended to the chosen
668 short host name, using '!' as a separator. For a host with the
669 shortname 'myhost', a managed service account will have a common name
670 (CN attribute) 'myhost!A2c' and a NetBIOS name (sAMAccountName
671 attribute) will be 'myhost!A2c$'. A corresponding Kerberos principal in
672 the Active Directory domain where the managed service account was
673 created would be 'myhost!A2c$@DOMAIN.EXAMPLE.COM'.
674 A keytab for the managed service account is stored into a file
676 specified with -K option. If it is not specified, the file is named
677 after the default keytab file, with lowercase Active Directory domain
678 of the managed service account as a suffix. On most systems it would be
679 /etc/krb5.keytab with a suffix of 'domain.example.com', e.g.
680 /etc/krb5.keytab.domain.example.com.
681 adcli create-msa can be called multiple times to reset the password of
683 the managed service account. To identify the right account with the
684 random component in the name the corresponding principal is read from
685 the keytab. If the keytab got deleted adcli will try to identify an
686 existing managed service account with the help of the fully-qualified
687 name, if this fails a new managed service account will be created.
688 The managed service account password can be updated with
690 $ adcli update --domain=domain.example.com --host-keytab=/etc/krb5.keytab.domain.example.com
692 and the managed service account can be deleted with
694 $ adcli delete-computer --domain=domain.example.com 'myhost!A2c'
696 In addition to the global options, you can specify the following
698 options to control how this operation is done.
699 -N, --computer-name=computer
701 The short non-dotted name of the managed service account that will
702 be created in the Active Directory domain. The long option name
703 --computer-name is kept to underline the similarity with the same
704 option of the other sub-commands. If not specified, then the first
705 portion of the --host-fqdn or its default is used with a random
706 suffix.
707 -O, --domain-ou=OU=xxx
709 The full distinguished name of the OU in which to create the
710 managed service account. If not specified, then the managed service
711 account will be created in a default location.
712 -H, --host-fqdn=host
714 Override the local machine's fully qualified DNS domain name. If
715 not specified, the local machine's hostname will be retrieved via
716 gethostname(). If gethostname() only returns a short name
717 getaddrinfo() with the AI_CANONNAME hint is called to expand the
718 name to a fully qualified DNS domain name.
719 -K, --host-keytab=/path/to/keytab
721 Specify the path to the host keytab where credentials of the
722 managed service account will be written after a successful
723 creation. If not specified, the default location will be used,
724 usually /etc/krb5.keytab with the lower-cased Active Directory
725 domain name added as a suffix e.g.
726 /etc/krb5.keytab.domain.example.com.
727 --show-details
729 After a successful creation print out information about the created
730 object. This is output in a format that should be both human and
731 machine readable.
732 --show-password
734 After a successful creation print out the managed service account
735 password. This is output in a format that should be both human and
736 machine readable.
737
739 It is common practice in AD to not use an account from the Domain
740 Administrators group to join a machine to a domain but use a dedicated
741 account which only has permissions to join a machine to one or more OUs
742 in the Active Directory tree. Giving the needed permissions to a single
743 account or a group in Active Directory is called Delegation. A typical
744 example on how to configured Delegation can be found in the Delegation
745 section of the blog post Who can add workstation to the domain[1].
746 When using an account with delegated permissions with adcli basically
748 the same applies as well. However some aspects are explained here in a
749 bit more details to better illustrate different concepts of Active
750 Directory and to make it more easy to debug permissions issues during
751 the join. Please note that the following is not specific to adcli but
752 applies to all applications which would like to modify certain
753 properties or objects in Active Directory with an account with limited
754 permissions.
755 First, as said in the blog post it is sufficient to have "Create
757 computer object" permissions to join a computer to a domain. But this
758 would only work as expected if the computer object does not exist in
759 Active Directory before the join. Because only when a new object is
760 created Active Directory does not apply additional permission checks on
761 the attributes of the new computer object. This means the delegated
762 user can add any kind of attribute with any value to a new computer
763 object also long as they meet general constraints like e.g. that the
764 attribute must be defined in the schema and is allowed in a objectclass
765 of the object, the value must match the syntax defined in the schema or
766 that the sAMAccountName must be unique in the domain.
767 If you want to use the account with delegated permission to remove
769 computer objects in Active Directory (adcli delete-computer) you should
770 of course make sure that the account has "Delete computer object"
771 permissions.
772 If the computer object already exists the "Create computer object"
774 permission does not apply anymore since now an existing object must be
775 modified. Now permissions on the individual attributes are needed. e.g.
776 "Read and write Account Restrictions" or "Reset Password". For some
777 attributes Active Directory has two types of permissions the plain
778 "Read and Write" permissions and the "Validated Write" permissions. For
779 the latter case there are two specific permissions relevant for adcli,
780 namely
781 • Validated write to DNS host name
783 • Validated write to service principal name
785 Details about the validation of the values can be found in the
787 "Validated Writes" section of [MS-ADTS], especially dNSHostName[2] and
788 servicePrincipalName[3]. To cut it short for "Validated write to DNS
789 host name" the domain part of the fully-qualified hostname must either
790 match the domain name of the domain you want to join to or must be
791 listed in the msDS-AllowedDNSSuffixes attribute. And for "Validated
792 write to service principal name" the hostname part of the service
793 principal name must match the name stored in dNSHostName or some other
794 attributes which are not handled by adcli. This also means that
795 dNSHostName cannot be empty or only contain a short name if the service
796 principal name should contain a fully-qualified name.
797 To summarize, if you only have validated write permissions you should
799 make sure the domain part of the hostname matches the domain you want
800 to join or use the --host-fqdn with a matching name.
801 The plain read write permissions do not run additional validations but
803 the attribute values must still be in agreement with the general
804 constraints mentioned above. If the computer object already exists
805 adcli might need the following permissions which are also needed by
806 Windows clients to modify existing attributes:
807 • Reset Password
809 • Read and write Account Restrictions
811 • Read and (validated) write to DNS host name
813 • Read and (validated) write to service principal name
815 additionally adcli needs
817 • Read and write msDS-supportedEncryptionTypes
819 This is added for security reasons to avoid that Active Directory
821 stores Kerberos keys with (potentially weaker) encryption types than
822 the client supports since Active Directory is often configured to still
823 support older (weaker) encryption types for compatibility reasons.
824 All other attributes are only set or modified on demand, i.e. adcli
826 must be called with an option the would set or modify the given
827 attribute. In the following the attributes adcli can modify together
828 with the required permissions are listed:
829 • userPrincipalName
831 • Read/Write userPrincipal Name
833 • msDS-supportedEncryptionTypes
835 • Read/Write msDS-SupportedEncryptionTypes
837 • dNSHostName
839 • Read/Write dNSHostName
841 • Read and write DNS host name attributes
843 • Validated write to DNS host name
845 • servicePrincipalName
847 • Read/Write servicePrincipalName
849 • Validated write to service principal name
851 • operatingSystem
853 • Read/Write Operating System
855 • operatingSystemVersion
857 • Read/Write Operating System Version
859 • operatingSystemServicePack
861 • Read/Write operatingSystemServicePack
863 • userAccountControl
865 • Read/Write userAccountControl
867 • description
869 • Read/Write Description
871 For the management of users and groups (adcli create-user, adcli
873 delete-user, adcli create-group, adcli delete-group) the same applies
874 only for different types of objects, i.e. users and groups. Since
875 currently adcli only supports the creation and the removal of user and
876 group objects it is sufficient to have the "Create/Delete User objects"
877 and "Create/Delete Group objects" permissions.
878 If you want to manage group members as well (adcli add-member, adcli
880 remove-member) "Read/Write Members" permissions are needed as well.
881 Depending on the version of Active Directory the "Delegation of Control
883 Wizard" might offer some shortcuts for common task like e.g.
884 • Create, delete and manage user accounts
886 • Create, delete and manage groups
888 • Modify the membership of a group
890 The first 2 shortcuts will provided full access to user and group
892 objects which, as explained above, is more than currently is needed.
893 After using those shortcut it is a good idea to verify in the
894 "Security" tab in the "Properties" of the related Active Directory
895 container that the assigned permissions meet the expectations.
896
898 Please send bug reports to either the distribution bug tracker or the
899 upstream bug tracker at
900 https://bugs.freedesktop.org/enter_bug.cgi?product=realmd&component=adcli
901
903 realmd(8), net(8), sssd(8)
904 Further details available in the realmd online documentation at
906 http://www.freedesktop.org/software/realmd/
907
909 1. Who can add workstation to the domain
910 https://docs.microsoft.com/en-us/archive/blogs/dubaisec/who-can-add-workstation-to-the-domain
911 2. dNSHostName
913 https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/5c578b15-d619-408d-ba17-380714b89fd1
914 3. servicePrincipalName
916 https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/28ca4eca-0e0b-4666-9175-a37ccb8edada
917realmd ADCLI(8)