adcli
See the various sub commands below. The following global options can be used:
-D, --domain=domain
-R, --domain-realm=REALM
-S, --domain-controller=server
--use-ldaps
Please note that the place where CA certificates can be found to validate the AD DC certificates must be configured in the OpenLDAP configuration file, e.g. /etc/openldap/ldap.conf. As an alternative it can be specified with the help of an environment variable, e.g.
$ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com ...
Please see ldap.conf(5) for details.
-C
--login-ccache[=ccache_name]
Please note that since the ccache_name is optional the =(equal) sign is mandatory. If = is missing the parameter is treated as optionless extra argument. How this is handled depends on the specific sub-command.
-U, --login-user=User
--no-password
-W, --prompt-password
--stdin-password
-v, --verbose
adcli info displays discovered information about an Active Directory domain or an Active Directory domain controller.
$ adcli info domain.example.com ...
$ adcli info --domain-controller=dc.domain.example.com ...
adcli info will output as much information as it can about the domain. The information is designed to be both machine and human readable. The command will exit with a non-zero exit code if the domain does not exist or cannot be reached.
To show domain info for a specific domain controller use the --domain-controller option to specify which domain controller to query.
Use the --verbose option to show details of how the domain is discovered and queried. Many of the global options, in particular authentication options, are not usable with the adcli info command.
adcli join creates a computer account in the domain for the local machine, and sets up a keytab for the machine. It does not configure an authentication service (such as sssd).
$ adcli join domain.example.com Password for Administrator:
In addition to the global options, you can specify the following options to control how this operation is done.
-N, --computer-name=computer
-O, --domain-ou=OU=xxx
-H, --host-fqdn=host
-K, --host-keytab=/path/to/keytab
--login-type={computer|user}
--os-name=name
--os-service-pack=pack
--os-version=version
--description=description
--service-name=service
--user-principal=host/name@REALM
--one-time-password
--trusted-for-delegation=yes|no|true|false
--add-service-principal=service/hostname
--show-details
--show-password
--add-samba-data
Please note that Samba's net requires some settings in smb.conf to create the database entries correctly. Most important here is currently the workgroup option, see smb.conf(5) for details.
--samba-data-tool=/path/to/net
If supported on the AD side the msDS-supportedEncryptionTypes attribute will be set as well. Either the current value or the default list of AD's supported encryption types filtered by the permitted encryption types of the client's Kerberos configuration are written.
adcli update updates the password of the computer account on the domain controller for the local machine, write the new keys to the keytab and removes older keys. It keeps the previous key on purpose because AD will need some time to replicate the new key to all DCs hence the previous key might still be used.
$ adcli update
If used with a credential cache, other attributes of the computer account can be changed as well if the principal has sufficient privileges.
$ kinit Administrator $ adcli update --login-ccache=/tmp/krbcc_123
In addition to the global options, you can specify the following options to control how this operation is done.
-N, --computer-name=computer
-H, --host-fqdn=host
-K, --host-keytab=/path/to/keytab
--os-name=name
--os-service-pack=pack
--os-version=version
--description=description
--service-name=service
--user-principal=host/name@REALM
--computer-password-lifetime=lifetime
--trusted-for-delegation=yes|no|true|false
--account-disable=yes|no|true|false
--add-service-principal=service/hostname
--remove-service-principal=service/hostname
--show-details
--add-samba-data
Please note that Samba's net requires some settings in smb.conf to create the database entries correctly. Most important here is currently the workgroup option, see smb.conf(5) for details.
Note that if the machine account password is not older than 30 days, you have to pass --computer-password-lifetime=0 to force the update.
--samba-data-tool=/path/to/net
If supported on the AD side the msDS-supportedEncryptionTypes attribute will be set as well. Either the current value or the default list of AD's supported encryption types filtered by the permitted encryption types of the client's Kerberos configuration are written.
adcli testjoin uses the current credentials in the keytab and tries to authenticate with the machine account to the AD domain. If this works the machine account password and the join are still valid. If it fails the machine account password or the whole machine account have to be refreshed with adcli join or adcli update.
$ adcli testjoin
Only the global options not related to authentication are available, additionally you can specify the following options to control how this operation is done.
-K, --host-keytab=/path/to/keytab
adcli create-user creates a new user account in the domain.
$ adcli create-user Fry --domain=domain.example.com \ --display-name="Philip J. Fry" --mail=fry@domain.example.com
In addition to the global options, you can specify the following options to control how the user is created.
--display-name="Name"
-O, --domain-ou=OU=xxx
--mail=email@domain.com
--unix-home=/home/user
--unix-gid=111
--unix-shell=/bin/shell
--unix-uid=111
--nis-domain=nis_domain
adcli delete-user deletes a user account from the domain.
$ adcli delete-user Fry --domain=domain.example.com
The various global options can be used.
adcli create-group creates a new group in the domain.
$ adcli create-group Pilots --domain=domain.example.com \ --description="Group for all pilots"
In addition to the global options, you can specify the following options to control how the group is created.
--description="text"
-O, --domain-ou=OU=xxx
adcli delete-group deletes a group from the domain.
$ adcli delete-group Pilots --domain=domain.example.com
The various global options can be used.
adcli add-member adds one or more users to a group in the domain. The group is specified first, and then the various users to be added.
$ adcli add-member --domain=domain.example.com Pilots Leela Scruffy
The various global options can be used.
adcli remove-member removes a user from a group in the domain. The group is specified first, and then the various users to be removed.
$ adcli remove-member --domain=domain.example.com Pilots Scruffy
The various global options can be used.
adcli preset-computer pre-creates one or more computer accounts in the domain for machines to later use when joining the domain. By doing this machines can join using a one time password or automatically without a password.
$ adcli preset-computer --domain=domain.example.com \ host1.example.com host2 Password for Administrator:
If the computer names specified contain dots, then they are treated as fully qualified host names, otherwise they are treated as short computer names. The computer accounts must not already exist.
In addition to the global options, you can specify the following options to control how this operation is done.
-O, --domain-ou=OU=xxx
--one-time-password
--os-name=name
--os-service-pack=pack
--os-version=version
--service-name=service
--user-principal
adcli reset-computer resets a computer account in the domain. If the appropriate machine is currently joined to the domain, then its membership will be broken. The account must already exist.
$ adcli reset-computer --domain=domain.example.com host2
If the computer names specified contain dots, then they are treated as fully qualified host names, otherwise they are treated as short computer names.
In addition to the global options, you can specify the following options to control how this operation is done.
--login-type={computer|user}
adcli delete-computer deletes a computer account in the domain. The account must already exist.
$ adcli delete-computer --domain=domain.example.com host2 Password for Administrator:
If the computer name contains a dot, then it is treated as fully qualified host name, otherwise it is treated as short computer name.
If no computer name is specified, then the host name of the computer adcli is running on is used, as returned by gethostname().
The various global options can be used.
adcli show-computer show the computer account attributes stored in AD. The account must already exist.
$ adcli show-computer --domain=domain.example.com host2 Password for Administrator:
If the computer name contains a dot, then it is treated as fully qualified host name, otherwise it is treated as short computer name.
If no computer name is specified, then the host name of the computer adcli is running on is used, as returned by gethostname().
The various global options can be used.
adcli create-msa creates a managed service account (MSA) in the given Active Directory domain. This is useful if a computer should not fully join the Active Directory domain but LDAP access is needed. A typical use case is that the computer is already joined an Active Directory domain and needs access to another Active Directory domain in the same or a trusted forest where the host credentials from the joined Active Directory domain are not valid, e.g. there is only a one-way trust.
$ adcli create-msa --domain=domain.example.com Password for Administrator:
The managed service account, as maintained by adcli, cannot have additional service principals names (SPNs) associated with it. An SPN is defined within the context of a Kerberos service which is tied to a machine account in Active Directory. Since a machine can be joined to a single Active Directory domain, managed service account in a different Active Directory domain will not have the SPNs that otherwise are part of another Active Directory domain's machine.
Since it is expected that a client will most probably join to the Active Directory domain matching its DNS domain the managed service account will be needed for a different Active directory domain and as a result the Active Directory domain name is a mandatory option. If called with no other options adcli create-msa will use the short hostname with an additional random suffix as computer name to avoid name collisions.
LDAP attribute sAMAccountName has a limit of 20 characters. However, machine account's NetBIOS name must be at most 16 characters long, including a trailing '$' sign. Since it is not expected that the managed service accounts created by adcli will be used on the NetBIOS level the remaining 4 characters can be used to add uniqueness. Managed service account names will have a suffix of 3 random characters from number and upper- and lowercase ASCII ranges appended to the chosen short host name, using '!' as a separator. For a host with the shortname 'myhost', a managed service account will have a common name (CN attribute) 'myhost!A2c' and a NetBIOS name (sAMAccountName attribute) will be 'myhost!A2c$'. A corresponding Kerberos principal in the Active Directory domain where the managed service account was created would be 'myhost!A2c$@DOMAIN.EXAMPLE.COM'.
A keytab for the managed service account is stored into a file specified with -K option. If it is not specified, the file is named after the default keytab file, with lowercase Active Directory domain of the managed service account as a suffix. On most systems it would be /etc/krb5.keytab with a suffix of 'domain.example.com', e.g. /etc/krb5.keytab.domain.example.com.
adcli create-msa can be called multiple times to reset the password of the managed service account. To identify the right account with the random component in the name the corresponding principal is read from the keytab. If the keytab got deleted adcli will try to identify an existing managed service account with the help of the fully-qualified name, if this fails a new managed service account will be created.
The managed service account password can be updated with
$ adcli update --domain=domain.example.com --host-keytab=/etc/krb5.keytab.domain.example.com
and the managed service account can be deleted with
$ adcli delete-computer --domain=domain.example.com 'myhost!A2c'
In addition to the global options, you can specify the following options to control how this operation is done.
-N, --computer-name=computer
-O, --domain-ou=OU=xxx
-H, --host-fqdn=host
-K, --host-keytab=/path/to/keytab
--show-details
--show-password
It is common practice in AD to not use an account from the Domain Administrators group to join a machine to a domain but use a dedicated account which only has permissions to join a machine to one or more OUs in the Active Directory tree. Giving the needed permissions to a single account or a group in Active Directory is called Delegation. A typical example on how to configured Delegation can be found in the Delegation section of the blog post m[blue]Who can add workstation to the domainm[][1].
When using an account with delegated permissions with adcli basically the same applies as well. However some aspects are explained here in a bit more details to better illustrate different concepts of Active Directory and to make it more easy to debug permissions issues during the join. Please note that the following is not specific to adcli but applies to all applications which would like to modify certain properties or objects in Active Directory with an account with limited permissions.
First, as said in the blog post it is sufficient to have "Create computer object" permissions to join a computer to a domain. But this would only work as expected if the computer object does not exist in Active Directory before the join. Because only when a new object is created Active Directory does not apply additional permission checks on the attributes of the new computer object. This means the delegated user can add any kind of attribute with any value to a new computer object also long as they meet general constraints like e.g. that the attribute must be defined in the schema and is allowed in a objectclass of the object, the value must match the syntax defined in the schema or that the sAMAccountName must be unique in the domain.
If you want to use the account with delegated permission to remove computer objects in Active Directory (adcli delete-computer) you should of course make sure that the account has "Delete computer object" permissions.
If the computer object already exists the "Create computer object" permission does not apply anymore since now an existing object must be modified. Now permissions on the individual attributes are needed. e.g. "Read and write Account Restrictions" or "Reset Password". For some attributes Active Directory has two types of permissions the plain "Read and Write" permissions and the "Validated Write" permissions. For the latter case there are two specific permissions relevant for adcli, namely
Details about the validation of the values can be found in the "Validated Writes" section of [MS-ADTS], especially m[blue]dNSHostNamem[][2] and m[blue]servicePrincipalNamem[][3]. To cut it short for "Validated write to DNS host name" the domain part of the fully-qualified hostname must either match the domain name of the domain you want to join to or must be listed in the msDS-AllowedDNSSuffixes attribute. And for "Validated write to service principal name" the hostname part of the service principal name must match the name stored in dNSHostName or some other attributes which are not handled by adcli. This also means that dNSHostName cannot be empty or only contain a short name if the service principal name should contain a fully-qualified name.
To summarize, if you only have validated write permissions you should make sure the domain part of the hostname matches the domain you want to join or use the --host-fqdn with a matching name.
The plain read write permissions do not run additional validations but the attribute values must still be in agreement with the general constraints mentioned above. If the computer object already exists adcli might need the following permissions which are also needed by Windows clients to modify existing attributes:
additionally adcli needs
This is added for security reasons to avoid that Active Directory stores Kerberos keys with (potentially weaker) encryption types than the client supports since Active Directory is often configured to still support older (weaker) encryption types for compatibility reasons.
All other attributes are only set or modified on demand, i.e. adcli must be called with an option the would set or modify the given attribute. In the following the attributes adcli can modify together with the required permissions are listed:
For the management of users and groups (adcli create-user, adcli delete-user, adcli create-group, adcli delete-group) the same applies only for different types of objects, i.e. users and groups. Since currently adcli only supports the creation and the removal of user and group objects it is sufficient to have the "Create/Delete User objects" and "Create/Delete Group objects" permissions.
If you want to manage group members as well (adcli add-member, adcli remove-member) "Read/Write Members" permissions are needed as well.
Depending on the version of Active Directory the "Delegation of Control Wizard" might offer some shortcuts for common task like e.g.
The first 2 shortcuts will provided full access to user and group objects which, as explained above, is more than currently is needed. After using those shortcut it is a good idea to verify in the "Security" tab in the "Properties" of the related Active Directory container that the assigned permissions meet the expectations.
Please send bug reports to either the distribution bug tracker or the upstream bug tracker at m[blue]https://bugs.freedesktop.org/enter_bug.cgi?product=realmd&component=adclim[]
Further details available in the realmd online documentation at m[blue]http://www.freedesktop.org/software/realmd/m[]