'\" t
.\"     Title: adcli
.\"    Author: Stef Walter
.\" Generator: DocBook XSL Stylesheets v1.78.1
.\"      Date: 12/31/2013
.\"    Manual: System Commands
.\"    Source: realmd
.\"  Language: English
.\"
.TH "ADCLI" "8" "" "realmd" "System Commands"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
adcli \- Tool for performing actions on an Active Directory domain
.SH "SYNOPSIS"
.HP \w'\fBadcli\ info\fR\ 'u
\fBadcli info\fR domain\&.example\&.com
.HP \w'\fBadcli\ join\fR\ 'u
\fBadcli join\fR domain\&.example\&.com
.HP \w'\fBadcli\ create\-user\fR\ 'u
\fBadcli create\-user\fR [\-\-domain=domain\&.example\&.com] user
.HP \w'\fBadcli\ delete\-user\fR\ 'u
\fBadcli delete\-user\fR [\-\-domain=domain\&.example\&.com] user
.HP \w'\fBadcli\ create\-group\fR\ 'u
\fBadcli create\-group\fR [\-\-domain=domain\&.example\&.com] group
.HP \w'\fBadcli\ delete\-group\fR\ 'u
\fBadcli delete\-group\fR [\-\-domain=domain\&.example\&.com] group
.HP \w'\fBadcli\ add\-member\fR\ 'u
\fBadcli add\-member\fR [\-\-domain=domain\&.example\&.com] group user...
.HP \w'\fBadcli\ remove\-member\fR\ 'u
\fBadcli remove\-member\fR [\-\-domain=domain\&.example\&.com] group user...
.HP \w'\fBadcli\ preset\-computer\fR\ 'u
\fBadcli preset\-computer\fR [\-\-domain=domain\&.example\&.com] computer...
.HP \w'\fBadcli\ reset\-computer\fR\ 'u
\fBadcli reset\-computer\fR [\-\-domain=domain\&.example\&.com] computer
.HP \w'\fBadcli\ delete\-computer\fR\ 'u
\fBadcli delete\-computer\fR [\-\-domain=domain\&.example\&.com] computer
.SH "GENERAL OVERVIEW"
.PP
\fBadcli\fR is a command line tool that can perform actions in an Active Directory domain\&. Among other things it can be used to join a computer to a domain\&.
.PP
See the various sub commands below\&. The following global options can be used:
.PP
\fB\-D, \-\-domain=\fR\fB\fIdomain\fR\fR
.RS 4
The domain to connect to\&. If a domain is not specified then the domain part of the local computer\*(Aqs host name is used\&.
.RE
.PP
\fB\-R, \-\-domain\-realm=\fR\fB\fIREALM\fR\fR
.RS 4
Kerberos realm for the domain\&. If not specified then the upper cased domain name is used\&.
.RE
.PP
\fB\-S, \-\-domain\-controller=\fR\fB\fIserver\fR\fR
.RS 4
Connect to a specific domain controller\&. If not specified then an appropriate domain controller is automatically discovered\&.
.RE
.PP
\fB\-C, \-\-login\-ccache=\fR\fB\fI/path/to/file\fR\fR
.RS 4
Use the specified kerberos credential cache to authenticate with the domain\&.
.RE
.PP
\fB\-U, \-\-login\-user=\fR\fB\fIUser\fR\fR
.RS 4
Use the specified user account to authenticate with the domain\&. If not specified then the name \*(AqAdministrator\*(Aq will be used\&.
.RE
.PP
\fB\-\-no\-password\fR
.RS 4
Don\*(Aqt show prompts for or read a password from input\&.
.RE
.PP
\fB\-W, \-\-prompt\-password\fR
.RS 4
Prompt for a password if necessary\&. This is the default\&.
.RE
.PP
\fB\-\-stdin\-password\fR
.RS 4
Read a password from stdin input instead of prompting for a password\&.
.RE
.PP
\fB\-v, \-\-verbose\fR
.RS 4
Run in verbose mode with debug output\&.
.RE
.SH "QUERYING DOMAIN INFORMATION"
.PP
\fBadcli info\fR displays discovered information about an Active Directory domain or an Active Directory domain controller\&.
.sp
.if n \{\
.RS 4
.\}
.nf
$ adcli info domain\&.example\&.com
\&.\&.\&.
.fi
.if n \{\
.RE
.\}
.sp
.if n \{\
.RS 4
.\}
.nf
$ adcli info \-\-domain\-controller=dc\&.domain\&.example\&.com
\&.\&.\&.
.fi
.if n \{\
.RE
.\}
.PP
\fBadcli info\fR will output as much information as it can about the domain\&. The information is designed to be both machine and human readable\&. The command will exit with a non\-zero exit code if the domain does not exist or cannot be reached\&.
.PP
To show domain info for a specific domain controller use the \fB\-\-domain\-controller\fR option to specify which domain controller to query\&.
.PP
Use the \fB\-\-verbose\fR option to show details of how the domain is discovered and queried\&. Many of the global options, in particular authentication options, are not usable with the \fBadcli info\fR command\&.
.SH "JOINING THE LOCAL MACHINE TO A DOMAIN"
.PP
\fBadcli join\fR creates a computer account in the domain for the local machine, and sets up a keytab for the machine\&. It does not configure an authentication service (such as \fBsssd\fR)\&.
.sp
.if n \{\
.RS 4
.\}
.nf
$ adcli join domain\&.example\&.com
Password for Administrator:
.fi
.if n \{\
.RE
.\}
.PP
In addition to the global options, you can specify the following options to control how this operation is done\&.
.PP
\fB\-N, \-\-computer\-name=\fR\fB\fIcomputer\fR\fR
.RS 4
The short non\-dotted name of the computer account that will be created in the domain\&. If not specified then the first portion of the \fB\-\-host\-fqdn\fR is used\&.
.RE
.PP
\fB\-O, \-\-domain\-ou=\fR\fB\fIOU=xxx\fR\fR
.RS 4
The full distinguished name of the OU in which to create the computer account\&. If not specified then the computer account will be created in a default location\&.
.RE
.PP
\fB\-H, \-\-host\-fqdn=\fR\fB\fIhost\fR\fR
.RS 4
Override the local machine\*(Aqs fully qualified domain name\&. If not specified the local machine\*(Aqs hostname will be retrieved via \fBgethostname()\fR\&.
.RE
.PP
\fB\-K, \-\-host\-keytab=\fR\fB\fI/path/to/keytab\fR\fR
.RS 4
Specify the path to the host keytab where host credentials will be written after a successful join operation\&. If not specified the default location will be used, usually /etc/krb5\&.keytab\&.
.RE
.PP
\fB\-\-login\-type=\fR\fB\fI{computer|user}\fR\fR
.RS 4
Specify the type of authentication that will be performed before creating the machine account in the domain\&. If set to \*(Aqcomputer\*(Aq then the computer must already have a preset account in the domain\&. If not specified and none of the other \fB\-\-login\-xxx\fR arguments have been specified, then adcli will try both \*(Aqcomputer\*(Aq and \*(Aquser\*(Aq authentication\&.
.RE
.PP
\fB\-\-os\-name=\fR\fB\fIname\fR\fR
.RS 4
Set the operating system name on the computer account\&. The default depends on where adcli was built, but is usually something like \*(Aqlinux\-gnu\*(Aq\&.
.RE
.PP
\fB\-\-os\-service\-pack=\fR\fB\fIpack\fR\fR
.RS 4
Set the operating system service pack on the computer account\&. Not set by default\&.
.RE
.PP
\fB\-\-os\-version=\fR\fB\fIversion\fR\fR
.RS 4
Set the operating system version on the computer account\&. Not set by default\&.
.RE
.PP
\fB\-\-service\-name=\fR\fB\fIservice\fR\fR
.RS 4
Additional service name for a kerberos principal to be created on the computer account\&. This option may be specified multiple times\&.
.RE
.PP
\fB\-\-user\-principal=\fR\fB\fIhost/name@REALM\fR\fR
.RS 4
Set the userPrincipalName field of the computer account to this kerberos principal\&. If you omit the value for this option, then a principal will be set in the form of host/host\&.example\&.com@REALM
.RE
.PP
\fB\-\-one\-time\-password\fR
.RS 4
Specify a one time password for a preset computer account\&.
This is equivalent to using \fB\-\-login\-type=computer\fR and providing a password as input\&.
.RE
.PP
\fB\-\-show\-details\fR
.RS 4
After a successful join print out information about the join operation\&. This is output in a format that should be both human and machine readable\&.
.RE
.PP
\fB\-\-show\-password\fR
.RS 4
After a successful join print out the computer machine account password\&. This is output in a format that should be both human and machine readable\&.
.RE
.SH "CREATING A USER"
.PP
\fBadcli create\-user\fR creates a new user account in the domain\&.
.sp
.if n \{\
.RS 4
.\}
.nf
$ adcli create\-user Fry \-\-domain=domain\&.example\&.com \e
        \-\-display\-name="Philip J\&. Fry" \-\-mail=fry@domain\&.example\&.com
.fi
.if n \{\
.RE
.\}
.PP
In addition to the global options, you can specify the following options to control how the user is created\&.
.PP
\fB\-\-display\-name=\fR\fB\fI"Name"\fR\fR
.RS 4
Set the displayName attribute of the newly created user account\&.
.RE
.PP
\fB\-O, \-\-domain\-ou=\fR\fB\fIOU=xxx\fR\fR
.RS 4
The full distinguished name of the OU in which to create the user account\&. If not specified then the user account will be created in a default location\&.
.RE
.PP
\fB\-\-mail=\fR\fB\fIemail@domain\&.com\fR\fR
.RS 4
Set the mail attribute of the newly created user account\&. This attribute may be specified multiple times\&.
.RE
.PP
\fB\-\-unix\-home=\fR\fB\fI/home/user\fR\fR
.RS 4
Set the unixHomeDirectory attribute of the newly created user account, which should be an absolute path to the user\*(Aqs home directory\&.
.RE
.PP
\fB\-\-unix\-gid=\fR\fB\fI111\fR\fR
.RS 4
Set the gidNumber attribute of the newly created user account, which should be the user\*(Aqs numeric primary group id\&.
.RE
.PP
\fB\-\-unix\-shell=\fR\fB\fI/bin/shell\fR\fR
.RS 4
Set the loginShell attribute of the newly created user account, which should be a path to a valid shell\&.
.RE
.PP
\fB\-\-unix\-uid=\fR\fB\fI111\fR\fR
.RS 4
Set the uidNumber attribute of the newly created user account, which should be the user\*(Aqs numeric primary user id\&.
.RE
.SH "DELETING A USER"
.PP
\fBadcli delete\-user\fR deletes a user account from the domain\&.
.sp
.if n \{\
.RS 4
.\}
.nf
$ adcli delete\-user Fry \-\-domain=domain\&.example\&.com
.fi
.if n \{\
.RE
.\}
.PP
The various global options can be used\&.
.SH "CREATING A GROUP"
.PP
\fBadcli create\-group\fR creates a new group in the domain\&.
.sp
.if n \{\
.RS 4
.\}
.nf
$ adcli create\-group Pilots \-\-domain=domain\&.example\&.com \e
        \-\-description="Group for all pilots"
.fi
.if n \{\
.RE
.\}
.PP
In addition to the global options, you can specify the following options to control how the group is created\&.
.PP
\fB\-\-description=\fR\fB\fI"text"\fR\fR
.RS 4
Set the description attribute of the newly created group\&.
.RE
.PP
\fB\-O, \-\-domain\-ou=\fR\fB\fIOU=xxx\fR\fR
.RS 4
The full distinguished name of the OU in which to create the group\&. If not specified then the group will be created in a default location\&.
.RE
.SH "DELETING A GROUP"
.PP
\fBadcli delete\-group\fR deletes a group from the domain\&.
.sp
.if n \{\
.RS 4
.\}
.nf
$ adcli delete\-group Pilots \-\-domain=domain\&.example\&.com
.fi
.if n \{\
.RE
.\}
.PP
The various global options can be used\&.
.SH "ADDING A MEMBER TO A GROUP"
.PP
\fBadcli add\-member\fR adds one or more users to a group in the domain\&. The group is specified first, and then the various users to be added\&.
.sp
.if n \{\
.RS 4
.\}
.nf
$ adcli add\-member \-\-domain=domain\&.example\&.com Pilots Leela Scruffy
.fi
.if n \{\
.RE
.\}
.PP
The various global options can be used\&.
.PP
.SH "REMOVING A MEMBER FROM A GROUP"
.PP
\fBadcli remove\-member\fR removes a user from a group in the domain\&. The group is specified first, and then the various users to be removed\&.
.sp
.if n \{\
.RS 4
.\}
.nf
$ adcli remove\-member \-\-domain=domain\&.example\&.com Pilots Scruffy
.fi
.if n \{\
.RE
.\}
.PP
The various global options can be used\&.
.SH "PRESET COMPUTER ACCOUNTS"
.PP
\fBadcli preset\-computer\fR pre\-creates one or more computer accounts in the domain for machines to later use when joining the domain\&. By doing this machines can join using a one time password or automatically without a password\&.
.sp
.if n \{\
.RS 4
.\}
.nf
$ adcli preset\-computer \-\-domain=domain\&.example\&.com \e
        host1\&.example\&.com host2
Password for Administrator:
.fi
.if n \{\
.RE
.\}
.PP
If the computer names specified contain dots, then they are treated as fully qualified host names, otherwise they are treated as short computer names\&. The computer accounts must not already exist\&.
.PP
In addition to the global options, you can specify the following options to control how this operation is done\&.
.PP
\fB\-O, \-\-domain\-ou=\fR\fB\fIOU=xxx\fR\fR
.RS 4
The full distinguished name of the OU in which to create the computer accounts\&. If not specified then the computer account will be created in a default location\&.
.RE
.PP
\fB\-\-one\-time\-password\fR
.RS 4
Specify a one time password to use when presetting the computer accounts\&. If not specified then a default password will be used, which allows for later automatic joins\&.
.RE
.PP
\fB\-\-os\-name=\fR\fB\fIname\fR\fR
.RS 4
Set the operating system name on the computer account\&. The default depends on where adcli was built, but is usually something like \*(Aqlinux\-gnu\*(Aq\&.
.RE
.PP
\fB\-\-os\-service\-pack=\fR\fB\fIpack\fR\fR
.RS 4
Set the operating system service pack on the computer account\&. Not set by default\&.
.RE
.PP
\fB\-\-os\-version=\fR\fB\fIversion\fR\fR
.RS 4
Set the operating system version on the computer account\&. Not set by default\&.
.RE
.PP
\fB\-\-service\-name=\fR\fB\fIservice\fR\fR
.RS 4
Additional service name for a kerberos principal to be created on the computer account\&. This option may be specified multiple times\&.
.RE
.PP
\fB\-\-user\-principal\fR
.RS 4
Set the userPrincipalName field of the computer account to this kerberos principal in the form of host/host\&.example\&.com@REALM
.RE
.SH "RESET COMPUTER ACCOUNT"
.PP
\fBadcli reset\-computer\fR resets a computer account in the domain\&. If the appropriate machine is currently joined to the domain, then its membership will be broken\&. The account must already exist\&.
.sp
.if n \{\
.RS 4
.\}
.nf
$ adcli reset\-computer \-\-domain=domain\&.example\&.com host2
.fi
.if n \{\
.RE
.\}
.PP
If the computer names specified contain dots, then they are treated as fully qualified host names, otherwise they are treated as short computer names\&.
.PP
In addition to the global options, you can specify the following options to control how this operation is done\&.
.PP
\fB\-\-login\-type=\fR\fB\fI{computer|user}\fR\fR
.RS 4
Specify the type of authentication that will be performed before creating the machine account in the domain\&. If set to \*(Aqcomputer\*(Aq then the computer must already have a preset account in the domain\&. If not specified and none of the other \fB\-\-login\-xxx\fR arguments have been specified, then adcli will try both \*(Aqcomputer\*(Aq and \*(Aquser\*(Aq authentication\&.
.RE
.SH "DELETE COMPUTER ACCOUNT"
.PP
\fBadcli delete\-computer\fR deletes a computer account in the domain\&. The account must already exist\&.
.sp
.if n \{\
.RS 4
.\}
.nf
$ adcli delete\-computer \-\-domain=domain\&.example\&.com host2
Password for Administrator:
.fi
.if n \{\
.RE
.\}
.PP
If the computer name contains a dot, then it is treated as a fully qualified host name, otherwise it is treated as a short computer name\&.
.PP
If no computer name is specified, then the host name of the computer adcli is running on is used, as returned by gethostname()\&.
.PP
The various global options can be used\&.
.SH "BUGS"
.PP
Please send bug reports to either the distribution bug tracker or the upstream bug tracker at
\m[blue]\fBhttps://bugs\&.freedesktop\&.org/enter_bug\&.cgi?product=realmd&component=adcli\fR\m[]
.SH "SEE ALSO"
\fBrealmd\fR(8), \fBnet\fR(8), \fBsssd\fR(8)
.PP
Further details available in the realmd online documentation at
\m[blue]\fBhttp://www\&.freedesktop\&.org/software/realmd/\fR\m[]
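.PP
An added example, not part of the original manual page or the adcli project: a POSIX shell wrapper for the one time password join described under JOINING THE LOCAL MACHINE TO A DOMAIN and PRESET COMPUTER ACCOUNTS. It supplies the password on stdin with --login-type=computer and --stdin-password, so the secret never appears in the process arguments, and then checks the keytab permissions. The function names, the ADCLI override variable and the one time password file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not adcli's own code. ADCLI is overridable so the logic can
# be exercised without a domain; the OTP file location is the caller's choice.
ADCLI="${ADCLI:-adcli}"

# owner_only FILE: succeed only if FILE is a regular file that grants
# nothing to group or other.
owner_only() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# join_with_otp DOMAIN OTP_FILE [KEYTAB]
# Returns 0 on success, 2 if the OTP file is missing or exposed,
# 1 if adcli fails, 3 if the keytab is accessible to group or other.
join_with_otp() {
    domain=$1; otp_file=$2; keytab=${3:-/etc/krb5.keytab}

    if ! owner_only "$otp_file"; then
        echo "refusing: $otp_file missing or accessible to group/other" >&2
        return 2
    fi

    # The page describes --one-time-password as equivalent to
    # --login-type=computer with the password given as input; reading it
    # from stdin keeps it out of argv and the process listing.
    "$ADCLI" join --login-type=computer --stdin-password \
        --host-keytab="$keytab" "$domain" < "$otp_file" || return 1

    # The one time password is not needed after the join; do not keep it.
    rm -f -- "$otp_file"

    if ! owner_only "$keytab"; then
        echo "warning: $keytab is accessible to group/other" >&2
        return 3
    fi
    return 0
}

# Usage: join_with_otp domain.example.com /root/host2.otp
```

The distinct return codes let a provisioning job tell an exposed secret (2) from a failed join (1) and from a keytab that needs its mode tightened (3).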