1ADCLI(8) System Commands ADCLI(8)
2
6 adcli - Tool for performing actions on an Active Directory domain
7
9 adcli info domain.example.com
10 adcli join domain.example.com
12 adcli update
14 adcli testjoin
16 adcli create-user [--domain=domain.example.com] user
18 adcli delete-user [--domain=domain.example.com] user
20 adcli passwd-user [--domain=domain.example.com] user
22 adcli create-group [--domain=domain.example.com] user
24 adcli delete-group [--domain=domain.example.com] user
26 adcli add-member [--domain=domain.example.com] group
28 user or computer...
29 adcli remove-member [--domain=domain.example.com] group user...
31 adcli preset-computer [--domain=domain.example.com] computer...
33 adcli reset-computer [--domain=domain.example.com] computer
35 adcli delete-computer [--domain=domain.example.com] computer
37 adcli show-computer [--domain=domain.example.com] computer
39 adcli create-msa [--domain=domain.example.com]
41
43 adcli is a command line tool that can perform actions in an Active
44 Directory domain. Among other things it can be used to join a computer
45 to a domain.
46 See the various sub commands below. The following global options can be
48 used:
49 -D, --domain=domain
51 The domain to connect to. If a domain is not specified, then the
52 domain part of the local computer's host name is used.
53 -R, --domain-realm=REALM
55 Kerberos realm for the domain. If not specified, then the upper
56 cased domain name is used.
57 -S, --domain-controller=server
59 Connect to a specific domain controller. If not specified, then an
60 appropriate domain controller is automatically discovered.
61 --use-ldaps
63 Connect to the domain controller with LDAPS. By default the LDAP
64 port is used and SASL GSS-SPNEGO or GSSAPI is used for
65 authentication and to establish encryption. This should satisfy all
66 requirements set on the server side and LDAPS should only be used
67 if the LDAP port is not accessible due to firewalls or other
68 reasons.
69 Please note that the place where CA certificates can be found to
71 validate the AD DC certificates must be configured in the OpenLDAP
72 configuration file, e.g. /etc/openldap/ldap.conf. As an
73 alternative it can be specified with the help of an environment
74 variable, e.g.
75 $ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com
77 ...
78 Please see ldap.conf(5) for details.
80 -C
82 Use the default Kerberos credential cache to authenticate with the
83 domain.
84 --login-ccache[=ccache_name]
86 Use the specified Kerberos credential cache to authenticate with
87 the domain. If no credential cache is specified, the default
88 Kerberos credential cache will be used. Credential caches of type
89 FILE can be given with the path to the file. For other credential
90 cache types, e.g. DIR, KEYRING or KCM, the type must be specified
91 explicitly together with a suitable identifier.
92 Please note that since the ccache_name is optional the =(equal)
94 sign is mandatory. If = is missing the parameter is treated as
95 optionless extra argument. How this is handled depends on the
96 specific sub-command.
97 -U, --login-user=User
99 Use the specified user account to authenticate with the domain. If
100 not specified, then the name 'Administrator' will be used.
101 --no-password
103 Don't show prompts for or read a password from input.
104 -W, --prompt-password
106 Prompt for a password if necessary. This is the default.
107 --stdin-password
109 Read a password from stdin input instead of prompting for a
110 password.
111 -v, --verbose
113 Run in verbose mode with debug output.
114
116 adcli info displays discovered information about an Active Directory
117 domain or an Active Directory domain controller.
118 $ adcli info domain.example.com
120 ...
121 $ adcli info --domain-controller=dc.domain.example.com
123 ...
124 adcli info will output as much information as it can about the domain.
126 The information is designed to be both machine and human readable. The
127 command will exit with a non-zero exit code if the domain does not
128 exist or cannot be reached.
129 To show domain info for a specific domain controller use the
131 --domain-controller option to specify which domain controller to query.
132 Use the --verbose option to show details of how the domain is
134 discovered and queried. Many of the global options, in particular
135 authentication options, are not usable with the adcli info command.
136
138 adcli join creates a computer account in the domain for the local
139 machine, and sets up a keytab for the machine. It does not configure an
140 authentication service (such as sssd).
141 $ adcli join domain.example.com
143 Password for Administrator:
144 In addition to the global options, you can specify the following
146 options to control how this operation is done.
147 -N, --computer-name=computer
149 The short non-dotted name of the computer account that will be
150 created in the domain. If not specified, then the first portion of
151 the --host-fqdn is used.
152 -O, --domain-ou=OU=xxx
154 The full distinguished name of the OU in which to create the
155 computer account. If not specified, then the computer account will
156 be created in a default location.
157 -H, --host-fqdn=host
159 Override the local machine's fully qualified domain name. If not
160 specified, the local machine's hostname will be retrieved via
161 gethostname(). If gethostname() only returns a short name
162 getaddrinfo() with the AI_CANONNAME hint is called to expand the
163 name to a fully qualified domain name.
164 -K, --host-keytab=/path/to/keytab
166 Specify the path to the host keytab where host credentials will be
167 written after a successful join operation. If not specified, the
168 default location will be used, usually /etc/krb5.keytab.
169 --login-type={computer|user}
171 Specify the type of authentication that will be performed before
172 creating the machine account in the domain. If set to 'computer',
173 then the computer must already have a preset account in the domain.
174 If not specified and none of the other --login-xxx arguments have
175 been specified, then will try both 'computer' and 'user'
176 authentication.
177 --os-name=name
179 Set the operating system name on the computer account. The default
180 depends on where adcli was built, but is usually something like
181 'linux-gnu'.
182 --os-service-pack=pack
184 Set the operating system service pack on the computer account. Not
185 set by default.
186 --os-version=version
188 Set the operating system version on the computer account. Not set
189 by default.
190 --description=description
192 Set the description attribute on the computer account. Not set by
193 default.
194 --service-name=service
196 Additional service name for a Kerberos principal to be created on
197 the computer account. This option may be specified multiple times.
198 --user-principal=host/name@REALM
200 Set the userPrincipalName field of the computer account to this
201 Kerberos principal. If you omit the value for this option, then a
202 principal will be set in the form of host/host.example.com@REALM
203 --one-time-password
205 Specify a one time password for a preset computer account. This is
206 equivalent to using --login-type=computer and providing a password
207 as input.
208 --trusted-for-delegation=yes|no|true|false
210 Set or unset the TRUSTED_FOR_DELEGATION flag in the
211 userAccountControl attribute to allow or not allow that Kerberos
212 tickets can be forwarded to the host.
213 --dont-expire-password=yes|no|true|false
215 Set or unset the DONT_EXPIRE_PASSWORD flag in the
216 userAccountControl attribute to indicate if the machine account
217 password should expire or not. By default adcli will set this flag
218 while joining the domain which corresponds to the default behavior
219 of Windows clients.
220 Please note that if the password will expire
222 (--dont-expire-password=false) a renewal mechanism has to be
223 enabled on the client to not loose the connectivity to AD if the
224 password expires.
225 --add-service-principal=service/hostname
227 Add a service principal name. In contrast to the --service-name the
228 hostname part can be specified as well in case the service should
229 be accessible with a different host name as well.
230 --setattr=name=value
232 Add the LDAP attribute name with the given value to the new LDAP
233 host object. This option can be used multiple times to add multiple
234 different attributes. Multi-value attributes are currently not
235 supported.
236 Please note that the account used to join the domain must have the
238 required privileges to add the given attributes. Some attributes
239 might have constraints with respect to syntax and allowed values
240 which must be met as well. Attributes managed by other adcli
241 options cannot be set with this option.
242 --show-details
244 After a successful join print out information about join operation.
245 This is output in a format that should be both human and machine
246 readable.
247 --show-password
249 After a successful join print out the computer machine account
250 password. This is output in a format that should be both human and
251 machine readable.
252 --add-samba-data
254 After a successful join add the domain SID and the machine account
255 password to the Samba specific databases by calling Samba's net
256 utility.
257 Please note that Samba's net requires some settings in smb.conf to
259 create the database entries correctly. Most important here is
260 currently the workgroup option, see smb.conf(5) for details.
261 --samba-data-tool=/path/to/net
263 If Samba's net cannot be found at /usr/bin/net, this option can be
264 used to specific an alternative location with the help of an
265 absolute path.
266 --ldap-passwd
268 Use LDAP add/mod operations to set the machine account password
269 instead of Kerberos. This might help in some situations where
270 Kerberos fails or is unreliable. But please note that 'Change
271 password' or 'Reset password' permissions or similar might be
272 needed to make the LDAP operation work. Additionally there will be
273 no read-only domain controller (RODC) support as there is with
274 Kerberos.
275 If supported on the AD side the msDS-supportedEncryptionTypes attribute
277 will be set as well. Either the current value or the default list of
278 AD's supported encryption types filtered by the permitted encryption
279 types of the client's Kerberos configuration are written.
280
282 adcli update updates the password of the computer account on the domain
283 controller for the local machine, write the new keys to the keytab and
284 removes older keys. It keeps the previous key on purpose because AD
285 will need some time to replicate the new key to all DCs hence the
286 previous key might still be used.
287 $ adcli update
289 If used with a credential cache, other attributes of the computer
291 account can be changed as well if the principal has sufficient
292 privileges.
293 $ kinit Administrator
295 $ adcli update --login-ccache=/tmp/krbcc_123
296 In addition to the global options, you can specify the following
298 options to control how this operation is done.
299 -N, --computer-name=computer
301 The short non-dotted name of the computer account that will be
302 created in the domain. If not specified, it will be retrieved from
303 the keytab entries.
304 -H, --host-fqdn=host
306 The local machine's fully qualified domain name. If not specified,
307 the local machine's hostname will be retrieved from the keytab
308 entries.
309 -K, --host-keytab=/path/to/keytab
311 Specify the path to the host keytab where current host credentials
312 are stored and the new ones will be written to. If not specified,
313 the default location will be used, usually /etc/krb5.keytab.
314 --os-name=name
316 Set the operating system name on the computer account. Not set by
317 default.
318 --os-service-pack=pack
320 Set the operating system service pack on the computer account. Not
321 set by default.
322 --os-version=version
324 Set the operating system version on the computer account. Not set
325 by default.
326 --description=description
328 Set the description attribute on the computer account. Not set by
329 default.
330 --service-name=service
332 Additional service name for a Kerberos principal to be created on
333 the computer account. This option may be specified multiple times.
334 --user-principal=host/name@REALM
336 Set the userPrincipalName field of the computer account to this
337 Kerberos principal.
338 --computer-password-lifetime=lifetime
340 Only update the password of the computer account if it is older
341 than the lifetime given in days. By default the password is updated
342 if it is older than 30 days.
343 --trusted-for-delegation=yes|no|true|false
345 Set or unset the TRUSTED_FOR_DELEGATION flag in the
346 userAccountControl attribute to allow or not allow that Kerberos
347 tickets can be forwarded to the host.
348 --dont-expire-password=yes|no|true|false
350 Set or unset the DONT_EXPIRE_PASSWORD flag in the
351 userAccountControl attribute to indicate if the machine account
352 password should expire or not. By default adcli will set this flag
353 while joining the domain which corresponds to the default behavior
354 of Windows clients.
355 Please note that if the password will expire
357 (--dont-expire-password=false) a renewal mechanism has to be
358 enabled on the client to not loose the connectivity to AD if the
359 password expires.
360 --account-disable=yes|no|true|false
362 Set or unset the ACCOUNTDISABLE flag in the userAccountControl
363 attribute to disable or enable the computer account.
364 --add-service-principal=service/hostname
366 Add a service principal name. In contrast to the --service-name the
367 hostname part can be specified as well in case the service should
368 be accessible with a different host name as well.
369 --remove-service-principal=service/hostname
371 Remove a service principal name from the keytab and the AD host
372 object.
373 --setattr=name=value
375 Add the LDAP attribute name with the given value to the LDAP host
376 object. This option can be used multiple times to add multiple
377 different attributes. Multi-value attributes are currently not
378 supported.
379 Please note that the account used to update the host object must
381 have the required privileges to modify the given attributes. Some
382 attributes might have constraints with respect to syntax and
383 allowed values which must be met as well. Attributes managed by
384 other adcli options cannot be set with this option.
385 --delattr=name
387 Remove the LDAP attribute name from the LDAP host object. This
388 option can be used multiple times to remove multiple different
389 attributes.
390 Please note that the account used to update the host object must
392 have the required privileges to delete the given attributes.
393 Attributes managed by other adcli options cannot be removed.
394 --show-details
396 After a successful join print out information about join operation.
397 This is output in a format that should be both human and machine
398 readable.
399 --add-samba-data
401 After a successful join add the domain SID and the machine account
402 password to the Samba specific databases by calling Samba's net
403 utility.
404 Please note that Samba's net requires some settings in smb.conf to
406 create the database entries correctly. Most important here is
407 currently the workgroup option, see smb.conf(5) for details.
408 Note that if the machine account password is not older than 30
410 days, you have to pass --computer-password-lifetime=0 to force the
411 update.
412 --samba-data-tool=/path/to/net
414 If Samba's net cannot be found at /usr/bin/net, this option can be
415 used to specific an alternative location with the help of an
416 absolute path.
417 --ldap-passwd
419 Use LDAP add/mod operations to set the machine account password
420 instead of Kerberos. This might help in some situations where
421 Kerberos fails or is unreliable. But please note that 'Change
422 password' or 'Rest password' permissions or similar might be needed
423 to make the LDAP operation work. Additionally there will be no
424 read-only domain controller (RODC) support as there is with
425 Kerberos.
426 If supported on the AD side the msDS-supportedEncryptionTypes attribute
428 will be set as well. Either the current value or the default list of
429 AD's supported encryption types filtered by the permitted encryption
430 types of the client's Kerberos configuration are written.
431
433 adcli testjoin uses the current credentials in the keytab and tries to
434 authenticate with the machine account to the AD domain. If this works
435 the machine account password and the join are still valid. If it fails
436 the machine account password or the whole machine account have to be
437 refreshed with adcli join or adcli update.
438 $ adcli testjoin
440 Only the global options not related to authentication are available,
442 additionally you can specify the following options to control how this
443 operation is done.
444 -K, --host-keytab=/path/to/keytab
446 Specify the path to the host keytab where current host credentials
447 are stored and the new ones will be written to. If not specified,
448 the default location will be used, usually /etc/krb5.keytab.
449
451 adcli create-user creates a new user account in the domain.
452 $ adcli create-user Fry --domain=domain.example.com \
454 --display-name="Philip J. Fry" --mail=fry@domain.example.com
455 In addition to the global options, you can specify the following
457 options to control how the user is created.
458 --display-name="Name"
460 Set the displayName attribute of the new created user account.
461 -O, --domain-ou=OU=xxx
463 The full distinguished name of the OU in which to create the user
464 account. If not specified, then the computer account will be
465 created in a default location.
466 --mail=email@domain.com
468 Set the mail attribute of the new created user account. This
469 attribute may be specified multiple times.
470 --unix-home=/home/user
472 Set the unixHomeDirectory attribute of the new created user
473 account, which should be an absolute path to the user's home
474 directory.
475 --unix-gid=111
477 Set the gidNumber attribute of the new created user account, which
478 should be the user's numeric primary group id.
479 --unix-shell=/bin/shell
481 Set the loginShell attribute of the new created user account, which
482 should be a path to a valid shell.
483 --unix-uid=111
485 Set the uidNumber attribute of the new created user account, which
486 should be the user's numeric primary user id.
487 --nis-domain=nis_domain
489 Set the msSFU30NisDomain attribute of the new created user account,
490 which should be the user's NIS domain is the NIS/YP service of
491 Active Directory's Services for Unix (SFU) are used. This is needed
492 to let the 'UNIX attributes' tab of older Active Directory versions
493 show the set UNIX specific attributes. If not specified adcli will
494 try to determine the NIS domain automatically if needed.
495
497 adcli delete-user deletes a user account from the domain.
498 $ adcli delete-user Fry --domain=domain.example.com
500 The various global options can be used.
502
504 adcli passwd-user sets or resets the password of user account. The
505 administrative account used for this operation must have privileges to
506 set a password.
507 $ adcli passwd-user Fry --domain=domain.example.com
509 The various global options can be used.
511
513 adcli create-group creates a new group in the domain.
514 $ adcli create-group Pilots --domain=domain.example.com \
516 --description="Group for all pilots"
517 In addition to the global options, you can specify the following
519 options to control how the group is created.
520 --description="text"
522 Set the description attribute of the new created group.
523 -O, --domain-ou=OU=xxx
525 The full distinguished name of the OU in which to create the group.
526 If not specified, then the group will be created in a default
527 location.
528
530 adcli delete-group deletes a group from the domain.
531 $ adcli delete-group Pilots --domain=domain.example.com
533 The various global options can be used.
535
537 adcli add-member adds one or more users to a group in the domain. The
538 group is specified first, and then the various users or computers to be
539 added. You must use dollar sign for computer account (computername$)
540 $ adcli add-member --domain=domain.example.com Pilots Leela Scruffy
542 $ adcli add-member --domain=domain.example.com servers srv-smb$
543 The various global options can be used.
545
547 adcli remove-member removes a user from a group in the domain. The
548 group is specified first, and then the various users to be removed.
549 $ adcli remove-member --domain=domain.example.com Pilots Scruffy
551 The various global options can be used.
553
555 adcli preset-computer pre-creates one or more computer accounts in the
556 domain for machines to later use when joining the domain. By doing this
557 machines can join using a one time password or automatically without a
558 password.
559 $ adcli preset-computer --domain=domain.example.com \
561 host1.example.com host2
562 Password for Administrator:
563 If the computer names specified contain dots, then they are treated as
565 fully qualified host names, otherwise they are treated as short
566 computer names. The computer accounts must not already exist.
567 In addition to the global options, you can specify the following
569 options to control how this operation is done.
570 -O, --domain-ou=OU=xxx
572 The full distinguished name of the OU in which to create the
573 computer accounts. If not specified, then the computer account will
574 be created in a default location.
575 --one-time-password
577 Specify a one time password to use when presetting the computer
578 accounts. If not specified, then a default password will be used,
579 which allows for later automatic joins.
580 --os-name=name
582 Set the operating system name on the computer account. The default
583 depends on where adcli was built, but is usually something like
584 'linux-gnu'.
585 --os-service-pack=pack
587 Set the operating system service pack on the computer account. Not
588 set by default.
589 --os-version=version
591 Set the operating system version on the computer account. Not set
592 by default.
593 --service-name=service
595 Additional service name for a Kerberos principal to be created on
596 the computer account. This option may be specified multiple times.
597 --user-principal
599 Set the userPrincipalName field of the computer account to this
600 Kerberos principal in the form of host/host.example.com@REALM
601
603 adcli reset-computer resets a computer account in the domain. If the
604 appropriate machine is currently joined to the domain, then its
605 membership will be broken. The account must already exist.
606 $ adcli reset-computer --domain=domain.example.com host2
608 If the computer names specified contain dots, then they are treated as
610 fully qualified host names, otherwise they are treated as short
611 computer names.
612 In addition to the global options, you can specify the following
614 options to control how this operation is done.
615 --login-type={computer|user}
617 Specify the type of authentication that will be performed before
618 creating the machine account in the domain. If set to 'computer',
619 then the computer must already have a preset account in the domain.
620 If not specified and none of the other --login-xxx arguments have
621 been specified, then will try both 'computer' and 'user'
622 authentication.
623
625 adcli delete-computer deletes a computer account in the domain. The
626 account must already exist.
627 $ adcli delete-computer --domain=domain.example.com host2
629 Password for Administrator:
630 If the computer name contains a dot, then it is treated as fully
632 qualified host name, otherwise it is treated as short computer name.
633 If no computer name is specified, then the host name of the computer
635 adcli is running on is used, as returned by gethostname().
636 The various global options can be used.
638
640 adcli show-computer show the computer account attributes stored in AD.
641 The account must already exist.
642 $ adcli show-computer --domain=domain.example.com host2
644 Password for Administrator:
645 If the computer name contains a dot, then it is treated as fully
647 qualified host name, otherwise it is treated as short computer name.
648 If no computer name is specified, then the host name of the computer
650 adcli is running on is used, as returned by gethostname().
651 The various global options can be used.
653
655 adcli create-msa creates a managed service account (MSA) in the given
656 Active Directory domain. This is useful if a computer should not fully
657 join the Active Directory domain but LDAP access is needed. A typical
658 use case is that the computer is already joined an Active Directory
659 domain and needs access to another Active Directory domain in the same
660 or a trusted forest where the host credentials from the joined Active
661 Directory domain are not valid, e.g. there is only a one-way trust.
662 $ adcli create-msa --domain=domain.example.com
664 Password for Administrator:
665 The managed service account, as maintained by adcli, cannot have
667 additional service principals names (SPNs) associated with it. An SPN
668 is defined within the context of a Kerberos service which is tied to a
669 machine account in Active Directory. Since a machine can be joined to a
670 single Active Directory domain, managed service account in a different
671 Active Directory domain will not have the SPNs that otherwise are part
672 of another Active Directory domain's machine.
673 Since it is expected that a client will most probably join to the
675 Active Directory domain matching its DNS domain the managed service
676 account will be needed for a different Active Directory domain and as a
677 result the Active Directory domain name is a mandatory option. If
678 called with no other options adcli create-msa will use the short
679 hostname with an additional random suffix as computer name to avoid
680 name collisions.
681 LDAP attribute sAMAccountName has a limit of 20 characters. However,
683 machine account's NetBIOS name must be at most 16 characters long,
684 including a trailing '$' sign. Since it is not expected that the
685 managed service accounts created by adcli will be used on the NetBIOS
686 level the remaining 4 characters can be used to add uniqueness. Managed
687 service account names will have a suffix of 3 random characters from
688 number and upper- and lowercase ASCII ranges appended to the chosen
689 short host name, using '!' as a separator. For a host with the
690 shortname 'myhost', a managed service account will have a common name
691 (CN attribute) 'myhost!A2c' and a NetBIOS name (sAMAccountName
692 attribute) will be 'myhost!A2c$'. A corresponding Kerberos principal in
693 the Active Directory domain where the managed service account was
694 created would be 'myhost!A2c$@DOMAIN.EXAMPLE.COM'.
695 A keytab for the managed service account is stored into a file
697 specified with -K option. If it is not specified, the file is named
698 after the default keytab file, with lowercase Active Directory domain
699 of the managed service account as a suffix. On most systems it would be
700 /etc/krb5.keytab with a suffix of 'domain.example.com', e.g.
701 /etc/krb5.keytab.domain.example.com.
702 adcli create-msa can be called multiple times to reset the password of
704 the managed service account. To identify the right account with the
705 random component in the name the corresponding principal is read from
706 the keytab. If the keytab got deleted adcli will try to identify an
707 existing managed service account with the help of the fully-qualified
708 name, if this fails a new managed service account will be created.
709 The managed service account password can be updated with
711 $ adcli update --domain=domain.example.com --host-keytab=/etc/krb5.keytab.domain.example.com
713 and the managed service account can be deleted with
715 $ adcli delete-computer --domain=domain.example.com 'myhost!A2c'
717 In addition to the global options, you can specify the following
719 options to control how this operation is done.
720 -N, --computer-name=computer
722 The short non-dotted name of the managed service account that will
723 be created in the Active Directory domain. The long option name
724 --computer-name is kept to underline the similarity with the same
725 option of the other sub-commands. If not specified, then the first
726 portion of the --host-fqdn or its default is used with a random
727 suffix.
728 -O, --domain-ou=OU=xxx
730 The full distinguished name of the OU in which to create the
731 managed service account. If not specified, then the managed service
732 account will be created in a default location.
733 -H, --host-fqdn=host
735 Override the local machine's fully qualified DNS domain name. If
736 not specified, the local machine's hostname will be retrieved via
737 gethostname(). If gethostname() only returns a short name
738 getaddrinfo() with the AI_CANONNAME hint is called to expand the
739 name to a fully qualified DNS domain name.
740 -K, --host-keytab=/path/to/keytab
742 Specify the path to the host keytab where credentials of the
743 managed service account will be written after a successful
744 creation. If not specified, the default location will be used,
745 usually /etc/krb5.keytab with the lower-cased Active Directory
746 domain name added as a suffix e.g.
747 /etc/krb5.keytab.domain.example.com.
748 --show-details
750 After a successful creation print out information about the created
751 object. This is output in a format that should be both human and
752 machine readable.
753 --show-password
755 After a successful creation print out the managed service account
756 password. This is output in a format that should be both human and
757 machine readable.
758
760 It is common practice in AD to not use an account from the Domain
761 Administrators group to join a machine to a domain but use a dedicated
762 account which only has permissions to join a machine to one or more OUs
763 in the Active Directory tree. Giving the needed permissions to a single
764 account or a group in Active Directory is called Delegation. A typical
765 example on how to configured Delegation can be found in the Delegation
766 section of the blog post Who can add workstation to the domain[1].
767 When using an account with delegated permissions with adcli basically
769 the same applies as well. However some aspects are explained here in a
770 bit more details to better illustrate different concepts of Active
771 Directory and to make it more easy to debug permissions issues during
772 the join. Please note that the following is not specific to adcli but
773 applies to all applications which would like to modify certain
774 properties or objects in Active Directory with an account with limited
775 permissions.
776 First, as said in the blog post it is sufficient to have "Create
778 computer object" permissions to join a computer to a domain. But this
779 would only work as expected if the computer object does not exist in
780 Active Directory before the join. Because only when a new object is
781 created Active Directory does not apply additional permission checks on
782 the attributes of the new computer object. This means the delegated
783 user can add any kind of attribute with any value to a new computer
784 object also long as they meet general constraints like e.g. that the
785 attribute must be defined in the schema and is allowed in a objectclass
786 of the object, the value must match the syntax defined in the schema or
787 that the sAMAccountName must be unique in the domain.
788 If you want to use the account with delegated permission to remove
790 computer objects in Active Directory (adcli delete-computer) you should
791 of course make sure that the account has "Delete computer object"
792 permissions.
793 If the computer object already exists the "Create computer object"
795 permission does not apply anymore since now an existing object must be
796 modified. Now permissions on the individual attributes are needed. e.g.
797 "Read and write Account Restrictions" or "Reset Password". For some
798 attributes Active Directory has two types of permissions the plain
799 "Read and Write" permissions and the "Validated Write" permissions. For
800 the latter case there are two specific permissions relevant for adcli,
801 namely
802 • Validated write to DNS host name
804 • Validated write to service principal name
806 Details about the validation of the values can be found in the
808 "Validated Writes" section of [MS-ADTS], especially dNSHostName[2] and
809 servicePrincipalName[3]. To cut it short for "Validated write to DNS
810 host name" the domain part of the fully-qualified hostname must either
811 match the domain name of the domain you want to join to or must be
812 listed in the msDS-AllowedDNSSuffixes attribute. And for "Validated
813 write to service principal name" the hostname part of the service
814 principal name must match the name stored in dNSHostName or some other
815 attributes which are not handled by adcli. This also means that
816 dNSHostName cannot be empty or only contain a short name if the service
817 principal name should contain a fully-qualified name.
818 To summarize, if you only have validated write permissions you should
820 make sure the domain part of the hostname matches the domain you want
821 to join or use the --host-fqdn with a matching name.
822 The plain read write permissions do not run additional validations but
824 the attribute values must still be in agreement with the general
825 constraints mentioned above. If the computer object already exists
826 adcli might need the following permissions which are also needed by
827 Windows clients to modify existing attributes:
828 • Reset Password
830 • Read and write Account Restrictions
832 • Read and (validated) write to DNS host name
834 • Read and (validated) write to service principal name
836 additionally adcli needs
838 • Read and write msDS-supportedEncryptionTypes
840 This is added for security reasons to avoid that Active Directory
842 stores Kerberos keys with (potentially weaker) encryption types than
843 the client supports since Active Directory is often configured to still
844 support older (weaker) encryption types for compatibility reasons.
845 All other attributes are only set or modified on demand, i.e. adcli
847 must be called with an option the would set or modify the given
848 attribute. In the following the attributes adcli can modify together
849 with the required permissions are listed:
850 • userPrincipalName
852 • Read/Write userPrincipal Name
854 • msDS-supportedEncryptionTypes
856 • Read/Write msDS-SupportedEncryptionTypes
858 • dNSHostName
860 • Read/Write dNSHostName
862 • Read and write DNS host name attributes
864 • Validated write to DNS host name
866 • servicePrincipalName
868 • Read/Write servicePrincipalName
870 • Validated write to service principal name
872 • operatingSystem
874 • Read/Write Operating System
876 • operatingSystemVersion
878 • Read/Write Operating System Version
880 • operatingSystemServicePack
882 • Read/Write operatingSystemServicePack
884 • userAccountControl
886 • Read/Write userAccountControl
888 • description
890 • Read/Write Description
892 For the management of users and groups (adcli create-user, adcli
894 delete-user, adcli create-group, adcli delete-group) the same applies
895 only for different types of objects, i.e. users and groups. Since
896 currently adcli only supports the creation and the removal of user and
897 group objects it is sufficient to have the "Create/Delete User objects"
898 and "Create/Delete Group objects" permissions.
899 If you want to manage group members as well (adcli add-member, adcli
901 remove-member) "Read/Write Members" permissions are needed as well.
902 Depending on the version of Active Directory the "Delegation of Control
904 Wizard" might offer some shortcuts for common task like e.g.
905 • Create, delete and manage user accounts
907 • Create, delete and manage groups
909 • Modify the membership of a group
911 The first 2 shortcuts will provided full access to user and group
913 objects which, as explained above, is more than currently is needed.
914 After using those shortcut it is a good idea to verify in the
915 "Security" tab in the "Properties" of the related Active Directory
916 container that the assigned permissions meet the expectations.
917
919 Please send bug reports to either the distribution bug tracker or the
920 upstream bug tracker at
921 https://bugs.freedesktop.org/enter_bug.cgi?product=realmd&component=adcli
922
924 realmd(8), net(8), sssd(8)
925 Further details available in the realmd online documentation at
927 http://www.freedesktop.org/software/realmd/
928
930 1. Who can add workstation to the domain
931 https://docs.microsoft.com/en-us/archive/blogs/dubaisec/who-can-add-workstation-to-the-domain
932 2. dNSHostName
934 https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/5c578b15-d619-408d-ba17-380714b89fd1
935 3. servicePrincipalName
937 https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/28ca4eca-0e0b-4666-9175-a37ccb8edada
938realmd ADCLI(8)