ADCLI(8)                        System Commands                        ADCLI(8)
NAME
       adcli - Tool for performing actions on an Active Directory domain

SYNOPSIS
       adcli info domain.example.com

       adcli join domain.example.com

       adcli create-user [--domain=domain.example.com] user

       adcli delete-user [--domain=domain.example.com] user

       adcli create-group [--domain=domain.example.com] group

       adcli delete-group [--domain=domain.example.com] group

       adcli add-member [--domain=domain.example.com] group user...

       adcli remove-member [--domain=domain.example.com] group user...

       adcli preset-computer [--domain=domain.example.com] computer...

       adcli reset-computer [--domain=domain.example.com] computer

       adcli delete-computer [--domain=domain.example.com] computer
GENERAL OVERVIEW
       adcli is a command line tool that can perform actions in an Active
       Directory domain. Among other things it can be used to join a computer
       to a domain. See the various sub commands below.

       The following global options can be used:

       -D, --domain=domain
              The domain to connect to. If a domain is not specified then the
              domain part of the local computer's host name is used.

       -R, --domain-realm=REALM
              Kerberos realm for the domain. If not specified then the upper
              cased domain name is used.

       -S, --domain-controller=server
              Connect to a specific domain controller. If not specified then
              an appropriate domain controller is automatically discovered.

       -C, --login-ccache=/path/to/file
              Use the specified Kerberos credential cache to authenticate with
              the domain.

       -U, --login-user=User
              Use the specified user account to authenticate with the domain.
              If not specified then the name 'Administrator' will be used.

       --no-password
              Don't show prompts for or read a password from input.

       -W, --prompt-password
              Prompt for a password if necessary. This is the default.

       --stdin-password
              Read a password from stdin input instead of prompting for a
              password.

       -v, --verbose
              Run in verbose mode with debug output.
QUERYING DOMAIN INFORMATION
       adcli info displays discovered information about an Active Directory
       domain or an Active Directory domain controller.

              $ adcli info domain.example.com
              ...

              $ adcli info --domain-controller=dc.domain.example.com
              ...
JOINING THE LOCAL MACHINE TO A DOMAIN
       adcli join creates a computer account in the domain for the local
       machine, and sets up a keytab for the machine. It does not configure an
       authentication service (such as sssd).

              $ adcli join domain.example.com
              Password for Administrator:

       -N, --computer-name=computer
              The short non-dotted name of the computer account that will be
              created in the domain. If not specified then the first portion
              of the --host-fqdn is used.

       -O, --domain-ou=OU=xxx
              The full distinguished name of the OU in which to create the
              computer account. If not specified then the computer account
              will be created in a default location.

       -H, --host-fqdn=host
              Override the local machine's fully qualified domain name. If not
              specified the local machine's hostname will be retrieved via
              gethostname().

       -K, --host-keytab=/path/to/keytab
              Specify the path to the host keytab where host credentials will
              be written after a successful join operation. If not specified
              the default location will be used, usually /etc/krb5.keytab.

       --login-type={computer|user}
              Specify the type of authentication that will be performed before
              creating the machine account in the domain. If set to 'computer'
              then the computer must already have a preset account in the
              domain. If not specified and none of the other --login-xxx
              arguments have been specified, then both 'computer' and 'user'
              authentication will be tried.

       --os-name=name
              Set the operating system name on the computer account. The
              default depends on where adcli was built, but is usually
              something like 'linux-gnu'.

       --os-service-pack=pack
              Set the operating system service pack on the computer account.
              Not set by default.

       --os-version=version
              Set the operating system version on the computer account. Not
              set by default.

       --service-name=service
              Additional service name for a Kerberos principal to be created
              on the computer account. This option may be specified multiple
              times.

       --user-principal=host/name@REALM
              Set the userPrincipalName field of the computer account to this
              Kerberos principal. If you omit the value for this option, then
              a principal will be set in the form of host/host.example.com@REALM

       --one-time-password
              Specify a one time password for a preset computer account. This
              is equivalent to using --login-type=computer and providing a
              password as input.

       --show-details
              After a successful join print out information about the join
              operation. This is output in a format that should be both human
              and machine readable.

       --show-password
              After a successful join print out the computer machine account
              password. This is output in a format that should be both human
              and machine readable.
CREATING A USER
       adcli create-user creates a new user account in the domain.

              $ adcli create-user Fry --domain=domain.example.com \
                  --display-name="Philip J. Fry" --mail=fry@domain.example.com

       --display-name="Name"
              Set the displayName attribute of the newly created user account.

       -O, --domain-ou=OU=xxx
              The full distinguished name of the OU in which to create the
              user account. If not specified then the user account will be
              created in a default location.

       --mail=email@domain.com
              Set the mail attribute of the newly created user account. This
              attribute may be specified multiple times.

       --unix-home=/home/user
              Set the unixHomeDirectory attribute of the newly created user
              account, which should be an absolute path to the user's home
              directory.

       --unix-gid=111
              Set the gidNumber attribute of the newly created user account,
              which should be the user's numeric primary group id.

       --unix-shell=/bin/shell
              Set the loginShell attribute of the newly created user account,
              which should be a path to a valid shell.

       --unix-uid=111
              Set the uidNumber attribute of the newly created user account,
              which should be the user's numeric user id.
DELETING A USER
       adcli delete-user deletes a user account from the domain.

              $ adcli delete-user Fry --domain=domain.example.com
CREATING A GROUP
       adcli create-group creates a new group in the domain.

              $ adcli create-group Pilots --domain=domain.example.com \
                  --description="Group for all pilots"

       --description="Text"
              Set the description attribute of the newly created group.

       -O, --domain-ou=OU=xxx
              The full distinguished name of the OU in which to create the
              group. If not specified then the group will be created in a
              default location.
DELETING A GROUP
       adcli delete-group deletes a group from the domain.

              $ adcli delete-group Pilots --domain=domain.example.com
ADDING A MEMBER TO A GROUP
       adcli add-member adds one or more users to a group in the domain. The
       group is specified first, and then the various users to be added.

              $ adcli add-member --domain=domain.example.com Pilots Leela Scruffy

REMOVING A MEMBER FROM A GROUP
       adcli remove-member removes one or more users from a group in the
       domain. The group is specified first, and then the various users to be
       removed.

              $ adcli remove-member --domain=domain.example.com Pilots Scruffy
PRESET COMPUTER ACCOUNTS
       adcli preset-computer pre-creates one or more computer accounts in the
       domain for machines to later use when joining the domain. By doing this
       machines can join using a one time password or automatically without a
       password.

              $ adcli preset-computer --domain=domain.example.com \
                  host1.example.com host2
              Password for Administrator:

       -O, --domain-ou=OU=xxx
              The full distinguished name of the OU in which to create the
              computer accounts. If not specified then the computer accounts
              will be created in a default location.

       --one-time-password
              Specify a one time password to use when presetting the computer
              accounts. If not specified then a default password will be used,
              which allows for later automatic joins.

       --os-name=name
              Set the operating system name on the computer account. The
              default depends on where adcli was built, but is usually
              something like 'linux-gnu'.

       --os-service-pack=pack
              Set the operating system service pack on the computer account.
              Not set by default.

       --os-version=version
              Set the operating system version on the computer account. Not
              set by default.

       --service-name=service
              Additional service name for a Kerberos principal to be created
              on the computer account. This option may be specified multiple
              times.

       --user-principal
              Set the userPrincipalName field of the computer account to a
              Kerberos principal in the form of host/host.example.com@REALM
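The preset/join workflow described in this section and in JOINING THE LOCAL MACHINE TO A DOMAIN, as an added example script (not part of the adcli man page or project): an operator pre-creates the accounts with a one time password, then each host joins unattended with --login-type=computer. It assumes that preset-computer takes the password as --one-time-password=PASSWORD and that join accepts the one time password on stdin via --stdin-password, so the secret never appears in the process list; the keytab path and OU are constructed placeholders.

```shell
#!/bin/sh
# Added example: two-phase provisioning with adcli preset-computer and adcli join.
# Assumptions not stated on the man page: preset-computer takes the one time
# password as --one-time-password=PASSWORD, and join reads it from stdin with
# --stdin-password when --login-type=computer is used.

# Phase 1, run once by an operator holding domain credentials.  adcli prompts
# for the Administrator password (the default -W behaviour); the remaining
# arguments after the OTP are the computer names or FQDNs to pre-create.
preset_hosts() {
    domain=$1; ou=$2; otp=$3; shift 3
    adcli preset-computer --domain="$domain" --domain-ou="$ou" \
        --one-time-password="$otp" "$@"
}

# Phase 2, run unattended on each new host.  The OTP is piped on stdin rather
# than passed as an argument, so it is not visible in `ps` output or shell
# history, and the freshly written keytab is restricted to its owner.
join_with_otp() {
    domain=$1; fqdn=$2; otp=$3; keytab=${4:-/etc/krb5.keytab}
    printf '%s\n' "$otp" | adcli join --domain="$domain" --host-fqdn="$fqdn" \
        --login-type=computer --stdin-password \
        --host-keytab="$keytab" --show-details || return 1
    chmod 600 "$keytab" && keytab_is_private "$keytab"
}

# Returns 0 only when the keytab is readable and writable by its owner alone
# (mode 0600); anything broader leaks the machine account credentials.
keytab_is_private() {
    case $(ls -ld "$1" 2>/dev/null | cut -c1-10) in
        -rw-------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Stand-alone use:
#   preset <domain> <ou-dn> <otp> computer...
#   join   <domain> <host-fqdn> <otp> [keytab]
case ${1:-} in
    preset) shift; preset_hosts "$@" ;;
    join)   shift; join_with_otp "$@" ;;
esac
```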
RESET COMPUTER ACCOUNT
       adcli reset-computer resets a computer account in the domain. If the
       corresponding machine is currently joined to the domain, then its
       membership will be broken. The account must already exist.

              $ adcli reset-computer --domain=domain.example.com host2

       --login-type={computer|user}
              Specify the type of authentication that will be performed before
              creating the machine account in the domain. If set to 'computer'
              then the computer must already have a preset account in the
              domain. If not specified and none of the other --login-xxx
              arguments have been specified, then both 'computer' and 'user'
              authentication will be tried.
DELETE COMPUTER ACCOUNT
       adcli delete-computer deletes a computer account in the domain. The
       account must already exist.

              $ adcli delete-computer --domain=domain.example.com host2
              Password for Administrator:
BUGS
       Please send bug reports to either the distribution bug tracker or the
       upstream bug tracker at
       https://bugs.freedesktop.org/enter_bug.cgi?product=realmd&component=adcli

SEE ALSO
       realmd(8), net(8), sssd(8)

       Further details available in the realmd online documentation at
       http://www.freedesktop.org/software/realmd/realmd