Blame doc/adcli.xml

	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"
[
	
]>

<refentry id="adcli">

<refentryinfo>
	<title>adcli</title>
	<productname>realmd</productname>
	<authorgroup>
		<author>
			<contrib>Maintainer</contrib>
			<firstname>Stef</firstname>
			<surname>Walter</surname>
			<email>stefw@redhat.com</email>
		</author>
	</authorgroup>
</refentryinfo>

<refmeta>
	<refentrytitle>adcli</refentrytitle>
	<manvolnum>8</manvolnum>
	<refmiscinfo class="manual">System Commands</refmiscinfo>
</refmeta>

<refnamediv>
	<refname>adcli</refname>
	<refpurpose>Tool for performing actions on an Active Directory domain</refpurpose>
</refnamediv>

<refsynopsisdiv>
	<cmdsynopsis>
		<command>adcli info</command>
		<arg choice="plain">domain.example.com</arg>
	</cmdsynopsis>
	<cmdsynopsis>
		<command>adcli join</command>
		<arg choice="plain">domain.example.com</arg>
	</cmdsynopsis>
	<cmdsynopsis>
		<command>adcli update</command>
	</cmdsynopsis>
	<cmdsynopsis>
		<command>adcli create-user</command>
		<arg choice="opt">--domain=domain.example.com</arg>
		<arg choice="plain">user</arg>
	</cmdsynopsis>
	<cmdsynopsis>
		<command>adcli delete-user</command>
		<arg choice="opt">--domain=domain.example.com</arg>
		<arg choice="plain">user</arg>
	</cmdsynopsis>
	<cmdsynopsis>
		<command>adcli create-group</command>
		<arg choice="opt">--domain=domain.example.com</arg>
		<arg choice="plain">user</arg>
	</cmdsynopsis>
	<cmdsynopsis>
		<command>adcli delete-group</command>
		<arg choice="opt">--domain=domain.example.com</arg>
		<arg choice="plain">user</arg>
	</cmdsynopsis>
	<cmdsynopsis>
		<command>adcli add-member</command>
		<arg choice="opt">--domain=domain.example.com</arg>
		<arg choice="plain">group</arg>
		<arg choice="plain" rep="repeat">user</arg>
	</cmdsynopsis>
	<cmdsynopsis>
		<command>adcli remove-member</command>
		<arg choice="opt">--domain=domain.example.com</arg>
		<arg choice="plain">group</arg>
		<arg choice="plain" rep="repeat">user</arg>
	</cmdsynopsis>
	<cmdsynopsis>
		<command>adcli preset-computer</command>
		<arg choice="opt">--domain=domain.example.com</arg>
		<arg choice="plain" rep="repeat">computer</arg>
	</cmdsynopsis>
	<cmdsynopsis>
		<command>adcli reset-computer</command>
		<arg choice="opt">--domain=domain.example.com</arg>
		<arg choice="plain">computer</arg>
	</cmdsynopsis>
	<cmdsynopsis>
		<command>adcli delete-computer</command>
		<arg choice="opt">--domain=domain.example.com</arg>
		<arg choice="plain">computer</arg>
	</cmdsynopsis>
</refsynopsisdiv>

<refsect1 id='general_overview'>
	<title>General Overview</title>
	<para><command>adcli</command> is a command line tool that
	can perform actions in an Active Directory domain. Among other things
	it can be used to join a computer to a domain.</para>

	<para>See the various subcommands below. The following global options
	can be used:</para>

	<variablelist>
		<varlistentry>
			<term><option>-D, --domain=<parameter>domain</parameter></option></term>
			<listitem><para>The domain to connect to. If a domain is
			not specified, then the domain part of the local computer's
			host name is used.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>-R, --domain-realm=<parameter>REALM</parameter></option></term>
			<listitem><para>Kerberos realm for the domain. If not
			specified, then the upper-cased domain name is
			used.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>-S, --domain-controller=<parameter>server</parameter></option></term>
			<listitem><para>Connect to a specific domain controller.
			If not specified, then an appropriate domain controller
			is automatically discovered.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
			<listitem><para>Use the specified Kerberos credential
			cache to authenticate with the domain. If no credential
			cache is specified, the default Kerberos credential
			cache will be used. Credential caches of type FILE can
			be given with the path to the file. For other
			credential cache types, e.g. DIR, KEYRING or KCM, the
			type must be specified explicitly together with a
			suitable identifier.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>-U, --login-user=<parameter>User</parameter></option></term>
			<listitem><para>Use the specified user account to
			authenticate with the domain. If not specified, then
			the name 'Administrator' will be used.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--no-password</option></term>
			<listitem><para>Don't show prompts for or read a
			password from input.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>-W, --prompt-password</option></term>
			<listitem><para>Prompt for a password if necessary.
			This is the default.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--stdin-password</option></term>
			<listitem><para>Read a password from stdin input instead
			of prompting for a password.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>-v, --verbose</option></term>
			<listitem><para>Run in verbose mode with debug
			output.</para></listitem>
		</varlistentry>
	</variablelist>

</refsect1>

<refsect1 id='querying'>
	<title>Querying Domain Information</title>

	<para><command>adcli info</command> displays discovered information
	about an Active Directory domain or an Active Directory domain
	controller.</para>

<programlisting>
$ adcli info domain.example.com
...
</programlisting>

<programlisting>
$ adcli info --domain-controller=dc.domain.example.com
...
</programlisting>

	<para><command>adcli info</command> will output as much information as
	it can about the domain. The information is designed to be both machine
	and human readable. The command will exit with a non-zero exit code
	if the domain does not exist or cannot be reached.</para>

	<para>To show domain info for a specific domain controller use the
	<option>--domain-controller</option> option to specify which domain
	controller to query.</para>

	<para>Use the <option>--verbose</option> option to show details of how
	the domain is discovered and queried. Many of the global options, in
	particular authentication options, are not usable with the
	<command>adcli info</command> command.</para>
</refsect1>

<refsect1 id='joining'>
	<title>Joining the Local Machine to a Domain</title>

	<para><command>adcli join</command> creates a computer account in the
	domain for the local machine, and sets up a keytab for the machine.
	It does not configure an authentication service (such as
	<command>sssd</command>).</para>

<programlisting>
$ adcli join domain.example.com
Password for Administrator:
</programlisting>

	<para>In addition to the global options, you can specify the following
	options to control how this operation is done.</para>

	<variablelist>
		<varlistentry>
			<term><option>-N, --computer-name=<parameter>computer</parameter></option></term>
			<listitem><para>The short non-dotted name of the computer
			account that will be created in the domain. If not specified,
			then the first portion of the <option>--host-fqdn</option>
			is used.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>-O, --domain-ou=<parameter>OU=xxx</parameter></option></term>
			<listitem><para>The full distinguished name of the OU in
			which to create the computer account. If not specified,
			then the computer account will be created in a default
			location.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>-H, --host-fqdn=<parameter>host</parameter></option></term>
			<listitem><para>Override the local machine's fully qualified
			domain name. If not specified, the local machine's hostname
			will be retrieved via <function>gethostname()</function>.
			If <function>gethostname()</function> only returns a short name,
			<function>getaddrinfo()</function> with the AI_CANONNAME hint
			is called to expand the name to a fully qualified domain
			name.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>-K, --host-keytab=<parameter>/path/to/keytab</parameter></option></term>
			<listitem><para>Specify the path to the host keytab where
			host credentials will be written after a successful join
			operation. If not specified, the default location will be
			used, usually <filename>/etc/krb5.keytab</filename>.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--login-type=<parameter>{computer|user}</parameter></option></term>
			<listitem><para>Specify the type of authentication that
			will be performed before creating the machine account in
			the domain. If set to 'computer', then the computer must
			already have a preset account in the domain. If not
			specified and none of the other <option>--login-xxx</option>
			arguments have been specified, then adcli will try both
			'computer' and 'user' authentication.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--os-name=<parameter>name</parameter></option></term>
			<listitem><para>Set the operating system name on the computer
			account. The default depends on where adcli was built, but
			is usually something like 'linux-gnu'.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--os-service-pack=<parameter>pack</parameter></option></term>
			<listitem><para>Set the operating system service pack on the computer
			account. Not set by default.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--os-version=<parameter>version</parameter></option></term>
			<listitem><para>Set the operating system version on the computer
			account. Not set by default.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--service-name=<parameter>service</parameter></option></term>
			<listitem><para>Additional service name for a Kerberos
			principal to be created on the computer account. This
			option may be specified multiple times.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--user-principal=<parameter>host/name@REALM</parameter></option></term>
			<listitem><para>Set the userPrincipalName field of the
			computer account to this Kerberos principal. If you omit
			the value for this option, then a principal will be set
			in the form of host/host.example.com@REALM.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--one-time-password</option></term>
			<listitem><para>Specify a one time password for a preset
			computer account. This is equivalent to using
			<option>--login-type=computer</option> and providing a
			password as input.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--trusted-for-delegation=<parameter>yes|no|true|false</parameter></option></term>
			<listitem><para>Set or unset the TRUSTED_FOR_DELEGATION
			flag in the userAccountControl attribute to allow or
			disallow forwarding of Kerberos tickets to the
			host.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--add-service-principal=<parameter>service/hostname</parameter></option></term>
			<listitem><para>Add a service principal name. In
			contrast to the <option>--service-name</option> option, the
			hostname part can be specified as well, in case the
			service should also be accessible with a different host
			name.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--show-details</option></term>
			<listitem><para>After a successful join, print out information
			about the join operation. This is output in a format that should
			be both human and machine readable.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--show-password</option></term>
			<listitem><para>After a successful join, print out the computer
			machine account password. This is output in a format that should
			be both human and machine readable.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--add-samba-data</option></term>
			<listitem><para>After a successful join, add the domain
			SID and the machine account password to the Samba
			specific databases by calling Samba's
			<command>net</command> utility.</para>

			<para>Please note that Samba's <command>net</command>
			requires some settings in <filename>smb.conf</filename>
			to create the database entries correctly. Most
			important here is currently the
			<option>workgroup</option> option, see
			<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
			for details.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
			<listitem><para>If Samba's <command>net</command>
			cannot be found at
			<filename>&samba_data_tool;</filename>, this option can
			be used to specify an alternative location with the
			help of an absolute path.</para></listitem>
		</varlistentry>
	</variablelist>

</refsect1>
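
The defaults described above for --host-fqdn, --computer-name, --domain and --domain-realm can be previewed on a host before it is joined, so that a resolver returning an unexpected canonical name is caught before the computer account is created. The following C program is an added example, not code from adcli: expand_to_fqdn() and derive_join_defaults() are hypothetical helpers, and treating a name without a dot as "short" and rejecting an unqualified canonical name are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Values the page says are used when the matching option is not given. */
struct join_defaults {
	char computer_name[64];  /* --computer-name: first portion of the FQDN */
	char domain[256];        /* --domain: domain part of the host name */
	char realm[256];         /* --domain-realm: upper-cased domain name */
};

/*
 * Expand a host name as the --host-fqdn text describes: a qualified name is
 * kept, a short name goes through getaddrinfo() with AI_CANONNAME.
 * Assumption: "short" means the name contains no dot.
 * Returns 0 on success, -1 if no qualified name could be obtained.
 */
int expand_to_fqdn(const char *name, char *out, size_t outlen)
{
	struct addrinfo hints, *res = NULL;
	int rc = -1;

	if (name == NULL || *name == '\0' || outlen == 0)
		return -1;

	if (strchr(name, '.') != NULL) {
		if (strlen(name) >= outlen)
			return -1;
		strcpy(out, name);
		return 0;
	}

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = AF_UNSPEC;
	hints.ai_socktype = SOCK_DGRAM;
	hints.ai_flags = AI_CANONNAME;
	if (getaddrinfo(name, NULL, &hints, &res) != 0)
		return -1;

	/* Fail closed (example policy): the canonical name must be qualified. */
	if (res->ai_canonname != NULL &&
	    strchr(res->ai_canonname, '.') != NULL &&
	    strlen(res->ai_canonname) < outlen) {
		strcpy(out, res->ai_canonname);
		rc = 0;
	}
	freeaddrinfo(res);
	return rc;
}

/* Split an FQDN into the documented defaults. Returns -1 if not qualified. */
int derive_join_defaults(const char *fqdn, struct join_defaults *d)
{
	const char *dot = strchr(fqdn, '.');
	size_t host_len, dom_len, i;

	if (dot == NULL || dot == fqdn || dot[1] == '\0')
		return -1;
	host_len = (size_t)(dot - fqdn);
	dom_len = strlen(dot + 1);
	if (host_len >= sizeof(d->computer_name) || dom_len >= sizeof(d->domain))
		return -1;

	memcpy(d->computer_name, fqdn, host_len);
	d->computer_name[host_len] = '\0';
	memcpy(d->domain, dot + 1, dom_len + 1);
	for (i = 0; i <= dom_len; i++)   /* also copies the terminating NUL */
		d->realm[i] = (char)toupper((unsigned char)d->domain[i]);
	return 0;
}

int main(void)
{
	char host[256], fqdn[256];
	struct join_defaults d;

	if (gethostname(host, sizeof(host)) != 0) {
		perror("gethostname");
		return 1;
	}
	host[sizeof(host) - 1] = '\0';

	if (expand_to_fqdn(host, fqdn, sizeof(fqdn)) != 0 ||
	    derive_join_defaults(fqdn, &d) != 0) {
		fprintf(stderr, "%s: no fully qualified name, pass --host-fqdn\n", host);
		return 1;
	}
	printf("host-fqdn=%s computer-name=%s domain=%s realm=%s\n",
	       fqdn, d.computer_name, d.domain, d.realm);
	return 0;
}
```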

<refsect1 id='updating'>
	<title>Updating the machine account password and other attributes</title>

	<para><command>adcli update</command> updates the password of the computer
	account on the domain controller for the local machine, writes the new
	keys to the keytab and removes older keys. It keeps the previous key on purpose
	because AD will need some time to replicate the new key to all DCs, hence the
	previous key might still be used.
	</para>

<programlisting>
$ adcli update
</programlisting>

	<para>If used with a credential cache, other attributes of the computer
	account can be changed as well if the principal has sufficient
	privileges.</para>

<programlisting>
$ kinit Administrator
$ adcli update --login-ccache=/tmp/krbcc_123
</programlisting>

	<para>In addition to the global options, you can specify the following
	options to control how this operation is done.</para>

	<variablelist>
		<varlistentry>
			<term><option>-N, --computer-name=<parameter>computer</parameter></option></term>
			<listitem><para>The short non-dotted name of the computer
			account that will be created in the domain. If not specified,
			it will be retrieved from the keytab entries.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>-H, --host-fqdn=<parameter>host</parameter></option></term>
			<listitem><para>The local machine's fully qualified
			domain name. If not specified, the local machine's hostname
			will be retrieved from the keytab entries.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>-K, --host-keytab=<parameter>/path/to/keytab</parameter></option></term>
			<listitem><para>Specify the path to the host keytab where
			current host credentials are stored and the new ones
			will be written to. If not specified, the default
			location will be used, usually
			<filename>/etc/krb5.keytab</filename>.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--os-name=<parameter>name</parameter></option></term>
			<listitem><para>Set the operating system name on the computer
			account. Not set by default.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--os-service-pack=<parameter>pack</parameter></option></term>
			<listitem><para>Set the operating system service pack on the computer
			account. Not set by default.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--os-version=<parameter>version</parameter></option></term>
			<listitem><para>Set the operating system version on the computer
			account. Not set by default.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--service-name=<parameter>service</parameter></option></term>
			<listitem><para>Additional service name for a Kerberos
			principal to be created on the computer account. This
			option may be specified multiple times.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--user-principal=<parameter>host/name@REALM</parameter></option></term>
			<listitem><para>Set the userPrincipalName field of the
			computer account to this Kerberos principal.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--computer-password-lifetime=<parameter>lifetime</parameter></option></term>
			<listitem><para>Only update the password of the
			computer account if it is older than the lifetime given
			in days. By default the password is updated if it is
			older than 30 days.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--trusted-for-delegation=<parameter>yes|no|true|false</parameter></option></term>
			<listitem><para>Set or unset the TRUSTED_FOR_DELEGATION
			flag in the userAccountControl attribute to allow or
			disallow forwarding of Kerberos tickets to the
			host.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--add-service-principal=<parameter>service/hostname</parameter></option></term>
			<listitem><para>Add a service principal name. In
			contrast to the <option>--service-name</option> option, the
			hostname part can be specified as well, in case the
			service should also be accessible with a different host
			name.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--remove-service-principal=<parameter>service/hostname</parameter></option></term>
			<listitem><para>Remove a service principal name from
			the keytab and the AD host object.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--show-details</option></term>
			<listitem><para>After a successful join, print out information
			about the join operation. This is output in a format that should
			be both human and machine readable.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--add-samba-data</option></term>
			<listitem><para>After a successful join, add the domain
			SID and the machine account password to the Samba
			specific databases by calling Samba's
			<command>net</command> utility.</para>

			<para>Please note that Samba's <command>net</command>
			requires some settings in <filename>smb.conf</filename>
			to create the database entries correctly. Most
			important here is currently the
			<option>workgroup</option> option, see
			<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
			for details.</para></listitem>
		</varlistentry>
		<varlistentry>
			<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
			<listitem><para>If Samba's <command>net</command>
			cannot be found at
			<filename>&samba_data_tool;</filename>, this option can
			be used to specify an alternative location with the
			help of an absolute path.</para></listitem>
		</varlistentry>
	</variablelist>

</refsect1>
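
A host joined or updated with --trusted-for-delegation=yes carries the TRUSTED_FOR_DELEGATION bit (0x80000) in userAccountControl, so directory exports are worth checking for accounts where it was left set. The following C program is an added example, not part of adcli: it scans LDIF text for such accounts; the sample entries are constructed, needs_review() and audit_ldif() are hypothetical names, and skipping domain controllers and disabled accounts is this example's own policy choice.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* userAccountControl bits used by this audit. */
#define UF_ACCOUNTDISABLE         0x00000002UL
#define UF_SERVER_TRUST_ACCOUNT   0x00002000UL  /* domain controller */
#define UF_TRUSTED_FOR_DELEGATION 0x00080000UL

#define NAME_LEN 64

struct entry {
	char name[NAME_LEN];
	unsigned long uac;
	int have_uac;
};

/* Nonzero when the delegation bit is set on an enabled, non-DC account. */
int needs_review(unsigned long uac)
{
	if (!(uac & UF_TRUSTED_FOR_DELEGATION))
		return 0;
	if (uac & UF_SERVER_TRUST_ACCOUNT)   /* DCs carry the flag by design */
		return 0;
	if (uac & UF_ACCOUNTDISABLE)
		return 0;
	return 1;
}

/* Record the finished entry if it needs review, then reset it. */
static int flush_entry(struct entry *e, char names[][NAME_LEN], int found, int max)
{
	if (e->name[0] != '\0' && e->have_uac && needs_review(e->uac) && found < max)
		strcpy(names[found++], e->name);
	memset(e, 0, sizeof(*e));
	return found;
}

/*
 * Scan LDIF text (entries separated by blank lines) and copy the
 * sAMAccountName of every account that needs review into names[].
 * Returns the number of names stored.
 */
int audit_ldif(const char *ldif, char names[][NAME_LEN], int max)
{
	static const char K_NAME[] = "sAMAccountName: ";
	static const char K_UAC[] = "userAccountControl: ";
	struct entry e;
	const char *p = ldif;
	int found = 0;

	memset(&e, 0, sizeof(e));
	while (*p != '\0') {
		size_t len = strcspn(p, "\n");

		if (len == 0) {
			found = flush_entry(&e, names, found, max);
		} else if (strncmp(p, K_NAME, sizeof(K_NAME) - 1) == 0) {
			snprintf(e.name, sizeof(e.name), "%.*s",
			         (int)(len - (sizeof(K_NAME) - 1)),
			         p + sizeof(K_NAME) - 1);
		} else if (strncmp(p, K_UAC, sizeof(K_UAC) - 1) == 0) {
			e.uac = strtoul(p + sizeof(K_UAC) - 1, NULL, 10);
			e.have_uac = 1;
		}
		p += len;
		if (*p == '\n')
			p++;
	}
	return flush_entry(&e, names, found, max);   /* last entry, no blank line */
}

/* Constructed sample, shaped like LDIF from an LDAP search. */
static const char SAMPLE_LDIF[] =
	"dn: CN=WEB01,CN=Computers,DC=domain,DC=example,DC=com\n"
	"sAMAccountName: WEB01$\n"
	"userAccountControl: 528384\n"   /* 0x81000: workstation + delegation */
	"\n"
	"dn: CN=DC1,OU=Domain Controllers,DC=domain,DC=example,DC=com\n"
	"sAMAccountName: DC1$\n"
	"userAccountControl: 532480\n"   /* 0x82000: domain controller */
	"\n"
	"dn: CN=APP02,CN=Computers,DC=domain,DC=example,DC=com\n"
	"sAMAccountName: APP02$\n"
	"userAccountControl: 4096\n"     /* 0x01000: plain workstation */
	"\n"
	"dn: CN=OLD03,CN=Computers,DC=domain,DC=example,DC=com\n"
	"sAMAccountName: OLD03$\n"
	"userAccountControl: 528386\n";  /* 0x81002: delegated but disabled */

int main(void)
{
	char names[8][NAME_LEN];
	int i, n = audit_ldif(SAMPLE_LDIF, names, 8);

	for (i = 0; i < n; i++)
		printf("%s: TRUSTED_FOR_DELEGATION set, review or run "
		       "adcli update --trusted-for-delegation=no on that host\n", names[i]);
	return n > 0;
}
```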
Packit Service 6d40f9
Packit Service 6d40f9
<refsect1 id='create_user'>
Packit Service 6d40f9
	<title>Creating a User</title>
Packit Service 6d40f9
Packit Service 6d40f9
	<para><command>adcli create-user</command> creates a new user account
Packit Service 6d40f9
	in the domain.</para>
Packit Service 6d40f9
Packit Service 6d40f9
<programlisting>
Packit Service 6d40f9
$ adcli create-user Fry --domain=domain.example.com \
Packit Service 6d40f9
	--display-name="Philip J. Fry" --mail=fry@domain.example.com
Packit Service 6d40f9
</programlisting>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>In addition to the global options, you can specify the following
Packit Service 6d40f9
	options to control how the user is created.</para>
Packit Service 6d40f9
Packit Service 6d40f9
	<variablelist>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--display-name=<parameter>"Name"</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the displayName attribute
Packit Service 6d40f9
			of the new created user account.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>-O, --domain-ou=<parameter>OU=xxx</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>The full distinguished name of the OU in
Packit Service f43384
			which to create the user account. If not specified,
Packit Service 6d40f9
			then the computer account will be created in a default
Packit Service 6d40f9
			location.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--mail=<parameter>email@domain.com</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the mail attribute of
Packit Service 6d40f9
			the new created user account. This attribute may be
Packit Service 6d40f9
			specified multiple times.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--unix-home=<parameter>/home/user</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the unixHomeDirectory attribute of
Packit Service 6d40f9
			the new created user account, which should be an absolute
Packit Service 6d40f9
			path to the user's home directory.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--unix-gid=<parameter>111</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the gidNumber attribute of
Packit Service 6d40f9
			the new created user account, which should be the user's
Packit Service 6d40f9
			numeric primary group id.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--unix-shell=<parameter>/bin/shell</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the loginShell attribute of
Packit Service 6d40f9
			the newly created user account, which should be a path to
Packit Service 6d40f9
			a valid shell.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--unix-uid=<parameter>111</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the uidNumber attribute of
Packit Service 6d40f9
			the newly created user account, which should be the user's
Packit Service 6d40f9
			numeric primary user id.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 371c62
		<varlistentry>
Packit Service 371c62
			<term><option>--nis-domain=<parameter>nis_domain</parameter></option></term>
Packit Service 371c62
			<listitem><para>Set the msSFU30NisDomain attribute of
Packit Service 371c62
			the newly created user account, which should be the user's
Packit Service 371c62
			NIS domain if the NIS/YP service of Active Directory's Services for Unix (SFU)
Packit Service 371c62
			is used. This is needed to let the 'UNIX attributes' tab of older Active
Packit Service 371c62
			Directory versions show the set UNIX specific attributes.</para></listitem>
Packit Service 371c62
		</varlistentry>
Packit Service 6d40f9
	</variablelist>
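	<para>Added example, not part of adcli or its documentation: a shell pre-flight check that applies the constraints stated for the options above (absolute home path, numeric ids, known shell) and prints the resulting <command>adcli create-user</command> command instead of running it. The helper names, the allowed-shell list, and the rejection of uidNumber 0 and of '..' in the home path are assumptions of this example.</para>

```shell
#!/bin/sh
# Added example (not adcli code). check_unix_attrs and build_create_user are
# hypothetical helper names. ALLOWED_SHELLS is a constructed sample list that
# stands in for the target hosts' /etc/shells.
ALLOWED_SHELLS="/bin/sh /bin/bash /sbin/nologin"

is_number() {
	case "$1" in
		''|*[!0-9]*) return 1 ;;
		*) return 0 ;;
	esac
}

check_unix_attrs() {
	# usage: check_unix_attrs HOME UID GID SHELL
	home=$1 uid=$2 gid=$3 shell=$4
	# --unix-home: should be an absolute path
	case "$home" in
		/*) ;;
		*) echo "unix-home must be an absolute path: $home"; return 1 ;;
	esac
	# Extra policy of this example: no parent-directory components
	case "$home" in
		*/../*|*/..) echo "unix-home must not contain '..': $home"; return 1 ;;
	esac
	# --unix-uid / --unix-gid: should be numeric ids
	is_number "$uid" || { echo "unix-uid must be numeric: $uid"; return 1; }
	is_number "$gid" || { echo "unix-gid must be numeric: $gid"; return 1; }
	# Extra policy of this example: never hand out uidNumber 0
	if [ "$uid" -eq 0 ]; then echo "refusing uidNumber 0"; return 1; fi
	# --unix-shell: should be a path to a valid shell
	for s in $ALLOWED_SHELLS; do
		if [ "$s" = "$shell" ]; then return 0; fi
	done
	echo "unix-shell is not in the allowed list: $shell"
	return 1
}

build_create_user() {
	# usage: build_create_user USER DOMAIN HOME UID GID SHELL
	# Prints the command for review; it does not contact the domain.
	check_unix_attrs "$3" "$4" "$5" "$6" || return 1
	printf 'adcli create-user %s --domain=%s --unix-home=%s --unix-uid=%s --unix-gid=%s --unix-shell=%s\n' \
		"$1" "$2" "$3" "$4" "$5" "$6"
}
```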
Packit Service 6d40f9
Packit Service 6d40f9
</refsect1>
Packit Service 6d40f9
Packit Service 6d40f9
<refsect1 id='delete_user'>
Packit Service 6d40f9
	<title>Deleting a User</title>
Packit Service 6d40f9
Packit Service 6d40f9
	<para><command>adcli delete-user</command> deletes a user account from
Packit Service 6d40f9
	the domain.</para>
Packit Service 6d40f9
Packit Service 6d40f9
<programlisting>
Packit Service 6d40f9
$ adcli delete-user Fry --domain=domain.example.com
Packit Service 6d40f9
</programlisting>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>The various global options can be used.</para>
Packit Service 6d40f9
Packit Service 6d40f9
</refsect1>
Packit Service 6d40f9
Packit Service 6d40f9
Packit Service 6d40f9
<refsect1 id='create_group'>
Packit Service 6d40f9
	<title>Creating a Group</title>
Packit Service 6d40f9
Packit Service 6d40f9
	<para><command>adcli create-group</command> creates a new group in the
Packit Service 6d40f9
	domain.</para>
Packit Service 6d40f9
Packit Service 6d40f9
<programlisting>
Packit Service 6d40f9
$ adcli create-group Pilots --domain=domain.example.com \
Packit Service 6d40f9
	--description="Group for all pilots"
Packit Service 6d40f9
</programlisting>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>In addition to the global options, you can specify the following
Packit Service 6d40f9
	options to control how the group is created.</para>
Packit Service 6d40f9
Packit Service 6d40f9
	<variablelist>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--description=<parameter>"text"</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the description attribute
Packit Service 6d40f9
			of the newly created group.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>-O, --domain-ou=<parameter>OU=xxx</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>The full distinguished name of the OU in
Packit Service f43384
			which to create the group. If not specified,
Packit Service 6d40f9
			then the group will be created in a default
Packit Service 6d40f9
			location.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
	</variablelist>
Packit Service 6d40f9
Packit Service 6d40f9
</refsect1>
Packit Service 6d40f9
Packit Service 6d40f9
<refsect1 id='delete_group'>
Packit Service 6d40f9
	<title>Deleting a Group</title>
Packit Service 6d40f9
Packit Service 6d40f9
	<para><command>adcli delete-group</command> deletes a group from
Packit Service 6d40f9
	the domain.</para>
Packit Service 6d40f9
Packit Service 6d40f9
<programlisting>
Packit Service 6d40f9
$ adcli delete-group Pilots --domain=domain.example.com
Packit Service 6d40f9
</programlisting>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>The various global options can be used.</para>
Packit Service 6d40f9
Packit Service 6d40f9
</refsect1>
Packit Service 6d40f9
Packit Service 6d40f9
<refsect1 id='add_group_member'>
Packit Service 6d40f9
	<title>Adding a Member to a Group</title>
Packit Service 6d40f9
Packit Service 6d40f9
	<para><command>adcli add-member</command> adds one or more users to a
Packit Service 6d40f9
	group in the domain. The group is specified first, and then the various
Packit Service 6d40f9
	users to be added.</para>
Packit Service 6d40f9
Packit Service 6d40f9
<programlisting>
Packit Service 6d40f9
$ adcli add-member --domain=domain.example.com Pilots Leela Scruffy
Packit Service 6d40f9
</programlisting>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>The various global options can be used.</para>
Packit Service 6d40f9
Packit Service 6d40f9
</refsect1>
Packit Service 6d40f9
Packit Service 6d40f9
<refsect1 id='remove_group_member'>
Packit Service 6d40f9
	<title>Removing a Member from a Group</title>
Packit Service 6d40f9
Packit Service 6d40f9
	<para><command>adcli remove-member</command> removes a user from a group
Packit Service 6d40f9
	in the domain. The group is specified first, and then the various users
Packit Service 6d40f9
	to be removed.</para>
Packit Service 6d40f9
Packit Service 6d40f9
<programlisting>
Packit Service 6d40f9
$ adcli remove-member --domain=domain.example.com Pilots Scruffy
Packit Service 6d40f9
</programlisting>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>The various global options can be used.</para>
Packit Service 6d40f9
Packit Service 6d40f9
</refsect1>
Packit Service 6d40f9
Packit Service 6d40f9
<refsect1 id='preset_computer_account'>
Packit Service 6d40f9
	<title>Preset Computer Accounts</title>
Packit Service 6d40f9
Packit Service 6d40f9
	<para><command>adcli preset-computer</command> pre-creates one or more
Packit Service 6d40f9
	computer accounts in the domain for machines to later use when joining
Packit Service 6d40f9
	the domain. By doing this machines can join using a one time password
Packit Service 6d40f9
	or automatically without a password.</para>
Packit Service 6d40f9
Packit Service 6d40f9
<programlisting>
Packit Service 6d40f9
$ adcli preset-computer --domain=domain.example.com \
Packit Service 6d40f9
	host1.example.com host2
Packit Service 6d40f9
Password for Administrator:
Packit Service 6d40f9
</programlisting>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>If the computer names specified contain dots, then they are
Packit Service 6d40f9
	treated as fully qualified host names, otherwise they are treated
Packit Service 6d40f9
	as short computer names. The computer accounts must not already
Packit Service 6d40f9
	exist.</para>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>In addition to the global options, you can specify the following
Packit Service 6d40f9
	options to control how this operation is done.</para>
Packit Service 6d40f9
Packit Service 6d40f9
	<variablelist>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>-O, --domain-ou=<parameter>OU=xxx</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>The full distinguished name of the OU in
Packit Service f43384
			which to create the computer accounts. If not specified,
Packit Service 6d40f9
			then the computer account will be created in a default
Packit Service 6d40f9
			location.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--one-time-password</option></term>
Packit Service 6d40f9
			<listitem><para>Specify a one time password to use when
Packit Service f43384
			presetting the computer accounts. If not specified, then
Packit Service 6d40f9
			a default password will be used, which allows for later
Packit Service 6d40f9
			automatic joins.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--os-name=<parameter>name</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the operating system name on the computer
Packit Service 6d40f9
			account. The default depends on where adcli was built, but
Packit Service 6d40f9
			is usually something like 'linux-gnu'.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--os-service-pack=<parameter>pack</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the operating system service pack on the computer
Packit Service 6d40f9
			account. Not set by default.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--os-version=<parameter>version</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the operating system version on the computer
Packit Service 6d40f9
			account. Not set by default.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--service-name=<parameter>service</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Additional service name for a Kerberos
Packit Service 6d40f9
			principal to be created on the computer account. This
Packit Service 6d40f9
			option may be specified multiple times.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--user-principal</option></term>
Packit Service 6d40f9
			<listitem><para>Set the userPrincipalName field of the
Packit Service 6d40f9
			computer account to this Kerberos principal in the form
Packit Service 6d40f9
			of host/host.example.com@REALM</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
	</variablelist>
Packit Service 6d40f9
Packit Service 6d40f9
</refsect1>
Packit Service 6d40f9
Packit Service 6d40f9
<refsect1 id='reset_computer_account'>
Packit Service 6d40f9
	<title>Reset Computer Account</title>
Packit Service 6d40f9
Packit Service 6d40f9
	<para><command>adcli reset-computer</command> resets a computer account
Packit Service f43384
	in the domain. If the appropriate machine is currently joined to the
Packit Service 6d40f9
	domain, then its membership will be broken. The account must already
Packit Service 6d40f9
	exist.</para>
Packit Service 6d40f9
Packit Service 6d40f9
<programlisting>
Packit Service 6d40f9
$ adcli reset-computer --domain=domain.example.com host2
Packit Service 6d40f9
</programlisting>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>If the computer names specified contain dots, then they are
Packit Service 6d40f9
	treated as fully qualified host names, otherwise they are treated
Packit Service 6d40f9
	as short computer names.</para>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>In addition to the global options, you can specify the following
Packit Service 6d40f9
	options to control how this operation is done.</para>
Packit Service 6d40f9
Packit Service 6d40f9
	<variablelist>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--login-type=<parameter>{computer|user}</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Specify the type of authentication that
Packit Service 6d40f9
			will be performed before creating the machine account in
Packit Service f43384
			the domain. If set to 'computer', then the computer must
Packit Service 6d40f9
			already have a preset account in the domain. If not
Packit Service 6d40f9
			specified and none of the other <option>--login-xxx</option>
Packit Service 6d40f9
			arguments have been specified, then adcli will try both
Packit Service 6d40f9
			'computer' and 'user' authentication.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
	</variablelist>
Packit Service 6d40f9
Packit Service 6d40f9
</refsect1>
Packit Service 6d40f9
Packit Service 6d40f9
<refsect1 id='delete_computer_account'>
Packit Service 6d40f9
	<title>Delete Computer Account</title>
Packit Service 6d40f9
Packit Service 6d40f9
	<para><command>adcli delete-computer</command> deletes a computer account
Packit Service 6d40f9
	in the domain. The account must already exist.</para>
Packit Service 6d40f9
Packit Service 6d40f9
<programlisting>
Packit Service 6d40f9
$ adcli delete-computer --domain=domain.example.com host2
Packit Service 6d40f9
Password for Administrator:
Packit Service 6d40f9
</programlisting>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>If the computer name contains a dot, then it is
Packit Service 6d40f9
	treated as a fully qualified host name, otherwise it is treated
Packit Service 6d40f9
	as a short computer name.</para>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>If no computer name is specified, then the host name of the
Packit Service 6d40f9
	computer adcli is running on is used, as returned by
Packit Service 6d40f9
	<literal>gethostname()</literal>.</para>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>The various global options can be used.</para>
Packit Service 362609
Packit Service 362609
</refsect1>
Packit Service 362609
Packit Service 6d40f9
<refsect1 id='bugs'>
Packit Service 6d40f9
	<title>Bugs</title>
Packit Service 6d40f9
	<para>
Packit Service 6d40f9
		Please send bug reports to either the distribution bug tracker
Packit Service 6d40f9
		or the upstream bug tracker at
Packit Service 6d40f9
		<ulink url="https://bugs.freedesktop.org/enter_bug.cgi?product=realmd&amp;component=adcli">https://bugs.freedesktop.org/enter_bug.cgi?product=realmd&amp;component=adcli</ulink>
Packit Service 6d40f9
	</para>
Packit Service 6d40f9
</refsect1>
Packit Service 6d40f9
Packit Service 6d40f9
<refsect1 id='see_also'>
Packit Service 6d40f9
	<title>See also</title>
Packit Service 6d40f9
	<simplelist type="inline">
Packit Service 6d40f9
		<member><citerefentry><refentrytitle>realmd</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
Packit Service 6d40f9
		<member><citerefentry><refentrytitle>net</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
Packit Service 6d40f9
		<member><citerefentry><refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
Packit Service 6d40f9
	</simplelist>
Packit Service 6d40f9
	<para>
Packit Service 6d40f9
		Further details available in the realmd online documentation at
Packit Service 6d40f9
		<ulink url="http://www.freedesktop.org/software/realmd/">http://www.freedesktop.org/software/realmd/</ulink>
Packit Service 6d40f9
	</para>
Packit Service 6d40f9
</refsect1>
Packit Service 6d40f9
Packit Service 6d40f9
</refentry>