"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"
[
]>
<refentry id="adcli">
<refentryinfo>
<title>adcli</title>
<productname>realmd</productname>
<authorgroup>
<author>
<contrib>Maintainer</contrib>
<firstname>Stef</firstname>
<surname>Walter</surname>
<email>stefw@redhat.com</email>
</author>
</authorgroup>
</refentryinfo>
<refmeta>
<refentrytitle>adcli</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="manual">System Commands</refmiscinfo>
</refmeta>
<refnamediv>
<refname>adcli</refname>
<refpurpose>Tool for performing actions on an Active Directory domain</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>adcli info</command>
<arg choice="plain">domain.example.com</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli join</command>
<arg choice="plain">domain.example.com</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli update</command>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli testjoin</command>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli create-user</command>
<arg choice="opt">--domain=domain.example.com</arg>
<arg choice="plain">user</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli delete-user</command>
<arg choice="opt">--domain=domain.example.com</arg>
<arg choice="plain">user</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli create-group</command>
<arg choice="opt">--domain=domain.example.com</arg>
<arg choice="plain">user</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli delete-group</command>
<arg choice="opt">--domain=domain.example.com</arg>
<arg choice="plain">user</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli add-member</command>
<arg choice="opt">--domain=domain.example.com</arg>
<arg choice="plain">group</arg>
<arg choice="plain" rep="repeat">user</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli remove-member</command>
<arg choice="opt">--domain=domain.example.com</arg>
<arg choice="plain">group</arg>
<arg choice="plain" rep="repeat">user</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli preset-computer</command>
<arg choice="opt">--domain=domain.example.com</arg>
<arg choice="plain" rep="repeat">computer</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli reset-computer</command>
<arg choice="opt">--domain=domain.example.com</arg>
<arg choice="plain">computer</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli delete-computer</command>
<arg choice="opt">--domain=domain.example.com</arg>
<arg choice="plain">computer</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli show-computer</command>
<arg choice="opt">--domain=domain.example.com</arg>
<arg choice="plain">computer</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1 id='general_overview'>
<title>General Overview</title>
<para><command>adcli</command> is a command line tool that
can perform actions in an Active Directory domain. Among other things
it can be used to join a computer to a domain.</para>
<para>See the various sub commands below. The following global options
can be used:</para>
<variablelist>
<varlistentry>
<term><option>-D, --domain=<parameter>domain</parameter></option></term>
<listitem><para>The domain to connect to. If a domain is
not specified, then the domain part of the local computer's
host name is used.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-R, --domain-realm=<parameter>REALM</parameter></option></term>
<listitem><para>Kerberos realm for the domain. If not
specified, then the upper cased domain name is
used.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-S, --domain-controller=<parameter>server</parameter></option></term>
<listitem><para>Connect to a specific domain controller.
If not specified, then an appropriate domain controller
is automatically discovered.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--use-ldaps</option></term>
<listitem><para>Connect to the domain controller
with LDAPS. By default the LDAP port is used and SASL
GSS-SPNEGO or GSSAPI is used for authentication and to
establish encryption. This should satisfy all
requirements set on the server side and LDAPS should
only be used if the LDAP port is not accessible due to
firewalls or other reasons.</para>
<para> Please note that the place where CA certificates
can be found to validate the AD DC certificates
must be configured in the OpenLDAP configuration
file, e.g. <filename>/etc/openldap/ldap.conf</filename>.
As an alternative it can be specified with the help of
an environment variable, e.g.
<programlisting>
$ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com
...
</programlisting>
Please see
<citerefentry><refentrytitle>ldap.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for details.
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-C, --login-ccache=<parameter>ccache_name</parameter></option></term>
<listitem><para>Use the specified Kerberos credential
cache to authenticate with the domain. If no credential
cache is specified, the default Kerberos credential
cache will be used. Credential caches of type FILE can
be given with the path to the file. For other
credential cache types, e.g. DIR, KEYRING or KCM, the
type must be specified explicitly together with a
suitable identifier.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-U, --login-user=<parameter>User</parameter></option></term>
<listitem><para>Use the specified user account to
authenticate with the domain. If not specified, then
the name 'Administrator' will be used.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--no-password</option></term>
<listitem><para>Don't show prompts for or read a
password from input.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-W, --prompt-password</option></term>
<listitem><para>Prompt for a password if necessary.
This is the default.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--stdin-password</option></term>
<listitem><para>Read a password from stdin input instead
of prompting for a password.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-v, --verbose</option></term>
<listitem><para>Run in verbose mode with debug
output.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='querying'>
<title>Querying Domain Information</title>
<para><command>adcli info</command> displays discovered information
about an Active Directory domain or an Active Directory domain
controller.</para>
<programlisting>
$ adcli info domain.example.com
...
</programlisting>
<programlisting>
$ adcli info --domain-controller=dc.domain.example.com
...
</programlisting>
<para><command>adcli info</command> will output as much information as
it can about the domain. The information is designed to be both machine
and human readable. The command will exit with a non-zero exit code
if the domain does not exist or cannot be reached.</para>
<para>To show domain info for a specific domain controller use the
<option>--domain-controller</option> option to specify which domain
controller to query.</para>
<para>Use the <option>--verbose</option> option to show details of how
the domain is discovered and queried. Many of the global options, in
particular authentication options, are not usable with the
<command>adcli info</command> command.</para>
</refsect1>
<refsect1 id='joining'>
<title>Joining the Local Machine to a Domain</title>
<para><command>adcli join</command> creates a computer account in the
domain for the local machine, and sets up a keytab for the machine.
It does not configure an authentication service (such as
<command>sssd</command>).</para>
<programlisting>
$ adcli join domain.example.com
Password for Administrator:
</programlisting>
<para>In addition to the global options, you can specify the following
options to control how this operation is done.</para>
<variablelist>
<varlistentry>
<term><option>-N, --computer-name=<parameter>computer</parameter></option></term>
<listitem><para>The short non-dotted name of the computer
account that will be created in the domain. If not specified,
then the first portion of the <option>--host-fqdn</option>
is used.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-O, --domain-ou=<parameter>OU=xxx</parameter></option></term>
<listitem><para>The full distinguished name of the OU in
which to create the computer account. If not specified,
then the computer account will be created in a default
location.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-H, --host-fqdn=<parameter>host</parameter></option></term>
<listitem><para>Override the local machine's fully qualified
domain name. If not specified, the local machine's hostname
will be retrieved via <function>gethostname()</function>.
If <function>gethostname()</function> only returns a short name
<function>getaddrinfo()</function> with the AI_CANONNAME hint
is called to expand the name to a fully qualified domain
name.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-K, --host-keytab=<parameter>/path/to/keytab</parameter></option></term>
<listitem><para>Specify the path to the host keytab where
host credentials will be written after a successful join
operation. If not specified, the default location will be
used, usually <filename>/etc/krb5.keytab</filename>.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--login-type=<parameter>{computer|user}</parameter></option></term>
<listitem><para>Specify the type of authentication that
will be performed before creating the machine account in
the domain. If set to 'computer', then the computer must
already have a preset account in the domain. If not
specified and none of the other <option>--login-xxx</option>
arguments have been specified, then adcli will try both
'computer' and 'user' authentication.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--os-name=<parameter>name</parameter></option></term>
<listitem><para>Set the operating system name on the computer
account. The default depends on where adcli was built, but
is usually something like 'linux-gnu'.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--os-service-pack=<parameter>pack</parameter></option></term>
<listitem><para>Set the operating system service pack on the computer
account. Not set by default.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--os-version=<parameter>version</parameter></option></term>
<listitem><para>Set the operating system version on the computer
account. Not set by default.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--description=<parameter>description</parameter></option></term>
<listitem><para>Set the description attribute on the computer
account. Not set by default.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--service-name=<parameter>service</parameter></option></term>
<listitem><para>Additional service name for a Kerberos
principal to be created on the computer account. This
option may be specified multiple times.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--user-principal=<parameter>host/name@REALM</parameter></option></term>
<listitem><para>Set the userPrincipalName field of the
computer account to this Kerberos principal. If you omit
the value for this option, then a principal will be set
in the form of host/host.example.com@REALM.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--one-time-password</option></term>
<listitem><para>Specify a one-time password for a preset
computer account. This is equivalent to using
<option>--login-type=computer</option> and providing a
password as input.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--trusted-for-delegation=<parameter>yes|no|true|false</parameter></option></term>
<listitem><para>Set or unset the TRUSTED_FOR_DELEGATION
flag in the userAccountControl attribute to allow or
disallow the forwarding of Kerberos tickets to the
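host. A host trusted for delegation receives forwarded user tickets, so set this flag only on hosts that require it.</para></listitem>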
</varlistentry>
<varlistentry>
<term><option>--add-service-principal=<parameter>service/hostname</parameter></option></term>
<listitem><para>Add a service principal name. In
contrast to <option>--service-name</option>, the
hostname part can be specified as well in case the
service should be accessible with a different host
name.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--show-details</option></term>
<listitem><para>After a successful join print out information
about the join operation. This is output in a format that should
be both human and machine readable.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--show-password</option></term>
<listitem><para>After a successful join print out the computer
machine account password. This is output in a format that should
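be both human and machine readable. The printed password is a credential for the computer account, so keep this output out of logs and shared terminals.</para></listitem>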
</varlistentry>
<varlistentry>
<term><option>--add-samba-data</option></term>
<listitem><para>After a successful join add the domain
SID and the machine account password to the Samba
specific databases by calling Samba's
<command>net</command> utility.</para>
<para>Please note that Samba's <command>net</command>
requires some settings in <filename>smb.conf</filename>
to create the database entries correctly. Most
important here is currently the
<option>workgroup</option> option, see
<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
<listitem><para>If Samba's <command>net</command>
cannot be found at
<filename>&samba_data_tool;</filename>, this option can
be used to specify an alternative location with the
help of an absolute path.</para></listitem>
</varlistentry>
</variablelist>
<para>If supported on the AD side, the
<option>msDS-supportedEncryptionTypes</option> attribute will be set as
well. Either the current value or the default list of AD's supported
encryption types filtered by the permitted encryption types of the
client's Kerberos configuration is written.</para>
</refsect1>
<refsect1 id='updating'>
<title>Updating the machine account password and other attributes</title>
<para><command>adcli update</command> updates the password of the computer
account on the domain controller for the local machine, writes the new
keys to the keytab and removes older keys. It keeps the previous key on purpose
because AD will need some time to replicate the new key to all DCs, so the
previous key might still be used.
</para>
<programlisting>
$ adcli update
</programlisting>
<para>If used with a credential cache, other attributes of the computer
account can be changed as well if the principal has sufficient
privileges.</para>
<programlisting>
$ kinit Administrator
$ adcli update --login-ccache=/tmp/krbcc_123
</programlisting>
<para>In addition to the global options, you can specify the following
options to control how this operation is done.</para>
<variablelist>
<varlistentry>
<term><option>-N, --computer-name=<parameter>computer</parameter></option></term>
<listitem><para>The short non-dotted name of the computer
account that will be created in the domain. If not specified,
it will be retrieved from the keytab entries.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-H, --host-fqdn=<parameter>host</parameter></option></term>
<listitem><para>The local machine's fully qualified
domain name. If not specified, the local machine's hostname
will be retrieved from the keytab entries.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-K, --host-keytab=<parameter>/path/to/keytab</parameter></option></term>
<listitem><para>Specify the path to the host keytab where
current host credentials are stored and the new ones
will be written to. If not specified, the default
location will be used, usually
<filename>/etc/krb5.keytab</filename>.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--os-name=<parameter>name</parameter></option></term>
<listitem><para>Set the operating system name on the computer
account. Not set by default.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--os-service-pack=<parameter>pack</parameter></option></term>
<listitem><para>Set the operating system service pack on the computer
account. Not set by default.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--os-version=<parameter>version</parameter></option></term>
<listitem><para>Set the operating system version on the computer
account. Not set by default.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--description=<parameter>description</parameter></option></term>
<listitem><para>Set the description attribute on the computer
account. Not set by default.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--service-name=<parameter>service</parameter></option></term>
<listitem><para>Additional service name for a Kerberos
principal to be created on the computer account. This
option may be specified multiple times.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--user-principal=<parameter>host/name@REALM</parameter></option></term>
<listitem><para>Set the userPrincipalName field of the
computer account to this Kerberos principal.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--computer-password-lifetime=<parameter>lifetime</parameter></option></term>
<listitem><para>Only update the password of the
computer account if it is older than the lifetime given
in days. By default the password is updated if it is
older than 30 days.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--trusted-for-delegation=<parameter>yes|no|true|false</parameter></option></term>
<listitem><para>Set or unset the TRUSTED_FOR_DELEGATION
flag in the userAccountControl attribute to allow or
disallow forwarding of Kerberos tickets to the
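host. A host trusted for delegation can act on behalf of
the users whose tickets are forwarded to it, so enable this
only on hosts that need it.</para></listitem>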
</varlistentry>
<varlistentry>
<term><option>--add-service-principal=<parameter>service/hostname</parameter></option></term>
<listitem><para>Add a service principal name. In
contrast to <option>--service-name</option>, the
hostname part can be specified as well in case the
service should be accessible with a different host
name as well.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--remove-service-principal=<parameter>service/hostname</parameter></option></term>
<listitem><para>Remove a service principal name from
the keytab and the AD host object.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--show-details</option></term>
<listitem><para>After a successful join print out information
about the join operation. This is output in a format that should
be both human and machine readable.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--add-samba-data</option></term>
<listitem><para>After a successful join add the domain
SID and the machine account password to the Samba
specific databases by calling Samba's
<command>net</command> utility.</para>
<para>Please note that Samba's <command>net</command>
requires some settings in <filename>smb.conf</filename>
to create the database entries correctly. Most
important here is currently the
<option>workgroup</option> option, see
<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details.</para>
<para>Note that if the machine account password is not
older than 30 days, you have to pass
<option>--computer-password-lifetime=0</option> to
force the update.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
<listitem><para>If Samba's <command>net</command>
cannot be found at
<filename>&samba_data_tool;</filename>, this option can
be used to specify an alternative location with the
help of an absolute path.</para></listitem>
</varlistentry>
</variablelist>
<para>If supported on the AD side the
<option>msDS-supportedEncryptionTypes</option> attribute will be set as
well. Either the current value or the default list of AD's supported
encryption types filtered by the permitted encryption types of the
client's Kerberos configuration are written.</para>
</refsect1>
<refsect1 id='testjoin'>
<title>Testing if the machine account password is valid</title>
<para><command>adcli testjoin</command> uses the current credentials in
the keytab and tries to authenticate with the machine account to the AD
domain. If this works the machine account password and the join are
still valid. If it fails the machine account password or the whole
machine account have to be refreshed with
<command>adcli join</command> or <command>adcli update</command>.
</para>
<programlisting>
$ adcli testjoin
</programlisting>
<para>Only the global options not related to authentication are
available. Additionally, you can specify the following options to
control how this operation is done.</para>
<variablelist>
<varlistentry>
<term><option>-K, --host-keytab=<parameter>/path/to/keytab</parameter></option></term>
<listitem><para>Specify the path to the host keytab where
current host credentials are stored and the new ones
will be written to. If not specified, the default
location will be used, usually
<filename>/etc/krb5.keytab</filename>.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='create_user'>
<title>Creating a User</title>
<para><command>adcli create-user</command> creates a new user account
in the domain.</para>
<programlisting>
$ adcli create-user Fry --domain=domain.example.com \
--display-name="Philip J. Fry" --mail=fry@domain.example.com
</programlisting>
<para>In addition to the global options, you can specify the following
options to control how the user is created.</para>
<variablelist>
<varlistentry>
<term><option>--display-name=<parameter>"Name"</parameter></option></term>
<listitem><para>Set the displayName attribute
of the newly created user account.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-O, --domain-ou=<parameter>OU=xxx</parameter></option></term>
<listitem><para>The full distinguished name of the OU in
which to create the user account. If not specified,
then the user account will be created in a default
location.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--mail=<parameter>email@domain.com</parameter></option></term>
<listitem><para>Set the mail attribute of
the newly created user account. This attribute may be
specified multiple times.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--unix-home=<parameter>/home/user</parameter></option></term>
<listitem><para>Set the unixHomeDirectory attribute of
the newly created user account, which should be an absolute
path to the user's home directory.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--unix-gid=<parameter>111</parameter></option></term>
<listitem><para>Set the gidNumber attribute of
the newly created user account, which should be the user's
numeric primary group id.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--unix-shell=<parameter>/bin/shell</parameter></option></term>
<listitem><para>Set the loginShell attribute of
the newly created user account, which should be a path to
a valid shell.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--unix-uid=<parameter>111</parameter></option></term>
<listitem><para>Set the uidNumber attribute of
the newly created user account, which should be the user's
numeric primary user id.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--nis-domain=<parameter>nis_domain</parameter></option></term>
<listitem><para>Set the msSFU30NisDomain attribute of
the newly created user account, which should be the user's
NIS domain if the NIS/YP service of Active Directory's Services for Unix (SFU)
is used. This is needed to let the 'UNIX attributes' tab of older Active
Directory versions show the set UNIX specific attributes. If not specified
adcli will try to determine the NIS domain automatically if needed.
</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='delete_user'>
<title>Deleting a User</title>
<para><command>adcli delete-user</command> deletes a user account from
the domain.</para>
<programlisting>
$ adcli delete-user Fry --domain=domain.example.com
</programlisting>
<para>The various global options can be used.</para>
</refsect1>
<refsect1 id='create_group'>
<title>Creating a Group</title>
<para><command>adcli create-group</command> creates a new group in the
domain.</para>
<programlisting>
$ adcli create-group Pilots --domain=domain.example.com \
--description="Group for all pilots"
</programlisting>
<para>In addition to the global options, you can specify the following
options to control how the group is created.</para>
<variablelist>
<varlistentry>
<term><option>--description=<parameter>"text"</parameter></option></term>
<listitem><para>Set the description attribute
of the newly created group.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-O, --domain-ou=<parameter>OU=xxx</parameter></option></term>
<listitem><para>The full distinguished name of the OU in
which to create the group. If not specified,
then the group will be created in a default
location.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='delete_group'>
<title>Deleting a Group</title>
<para><command>adcli delete-group</command> deletes a group from
the domain.</para>
<programlisting>
$ adcli delete-group Pilots --domain=domain.example.com
</programlisting>
<para>The various global options can be used.</para>
</refsect1>
<refsect1 id='add_group_member'>
<title>Adding a Member to a Group</title>
<para><command>adcli add-member</command> adds one or more users to a
group in the domain. The group is specified first, and then the various
users to be added.</para>
<programlisting>
$ adcli add-member --domain=domain.example.com Pilots Leela Scruffy
</programlisting>
<para>The various global options can be used.</para>
<para></para>
</refsect1>
<refsect1 id='remove_group_member'>
<title>Removing a Member from a Group</title>
<para><command>adcli remove-member</command> removes a user from a group
in the domain. The group is specified first, and then the various users
to be removed.</para>
<programlisting>
$ adcli remove-member --domain=domain.example.com Pilots Scruffy
</programlisting>
<para>The various global options can be used.</para>
</refsect1>
<refsect1 id='preset_computer_account'>
<title>Preset Computer Accounts</title>
<para><command>adcli preset-computer</command> pre-creates one or more
computer accounts in the domain for machines to later use when joining
the domain. By doing this machines can join using a one time password
or automatically without a password.</para>
<programlisting>
$ adcli preset-computer --domain=domain.example.com \
host1.example.com host2
Password for Administrator:
</programlisting>
<para>If the computer names specified contain dots, then they are
treated as fully qualified host names, otherwise they are treated
as short computer names. The computer accounts must not already
exist.</para>
<para>In addition to the global options, you can specify the following
options to control how this operation is done.</para>
<variablelist>
<varlistentry>
<term><option>-O, --domain-ou=<parameter>OU=xxx</parameter></option></term>
<listitem><para>The full distinguished name of the OU in
which to create the computer accounts. If not specified,
then the computer account will be created in a default
location.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--one-time-password</option></term>
<listitem><para>Specify a one time password to use when
presetting the computer accounts. If not specified, then
a default password will be used, which allows for later
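automatic joins. Because an automatic join requires no
secret, use a one time password when only a specific machine
should be able to claim the preset account.</para></listitem>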
</varlistentry>
<varlistentry>
<term><option>--os-name=<parameter>name</parameter></option></term>
<listitem><para>Set the operating system name on the computer
account. The default depends on where adcli was built, but
is usually something like 'linux-gnu'.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--os-service-pack=<parameter>pack</parameter></option></term>
<listitem><para>Set the operating system service pack on the computer
account. Not set by default.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--os-version=<parameter>version</parameter></option></term>
<listitem><para>Set the operating system version on the computer
account. Not set by default.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--service-name=<parameter>service</parameter></option></term>
<listitem><para>Additional service name for a Kerberos
principal to be created on the computer account. This
option may be specified multiple times.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--user-principal</option></term>
<listitem><para>Set the userPrincipalName field of the
computer account to this Kerberos principal in the form
of host/host.example.com@REALM </para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='reset_computer_account'>
<title>Reset Computer Account</title>
<para><command>adcli reset-computer</command> resets a computer account
in the domain. If the appropriate machine is currently joined to the
domain, then its membership will be broken. The account must already
exist.</para>
<programlisting>
$ adcli reset-computer --domain=domain.example.com host2
</programlisting>
<para>If the computer names specified contain dots, then they are
treated as fully qualified host names, otherwise they are treated
as short computer names.</para>
<para>In addition to the global options, you can specify the following
options to control how this operation is done.</para>
<variablelist>
<varlistentry>
<term><option>--login-type=<parameter>{computer|user}</parameter></option></term>
<listitem><para>Specify the type of authentication that
will be performed before creating the machine account in
the domain. If set to 'computer', then the computer must
already have a preset account in the domain. If not
specified and none of the other <option>--login-xxx</option>
arguments have been specified, then adcli will try both
'computer' and 'user' authentication.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='delete_computer_account'>
<title>Delete Computer Account</title>
<para><command>adcli delete-computer</command> deletes a computer account
in the domain. The account must already exist.</para>
<programlisting>
$ adcli delete-computer --domain=domain.example.com host2
Password for Administrator:
</programlisting>
<para>If the computer name contains a dot, then it is
treated as a fully qualified host name, otherwise it is treated
as a short computer name.</para>
<para>If no computer name is specified, then the host name of the
computer adcli is running on is used, as returned by
<literal>gethostname()</literal>.</para>
<para>The various global options can be used.</para>
</refsect1>
<refsect1 id='show_computer_account'>
<title>Show Computer Account Attributes</title>
<para><command>adcli show-computer</command> shows the computer account
attributes stored in AD. The account must already exist.</para>
<programlisting>
$ adcli show-computer --domain=domain.example.com host2
Password for Administrator:
</programlisting>
<para>If the computer name contains a dot, then it is
treated as a fully qualified host name, otherwise it is treated
as a short computer name.</para>
<para>If no computer name is specified, then the host name of the
computer adcli is running on is used, as returned by
<literal>gethostname()</literal>.</para>
<para>The various global options can be used.</para>
</refsect1>
<refsect1 id='bugs'>
<title>Bugs</title>
<para>
Please send bug reports to either the distribution bug tracker
or the upstream bug tracker at
<ulink url="https://bugs.freedesktop.org/enter_bug.cgi?product=realmd&amp;component=adcli">https://bugs.freedesktop.org/enter_bug.cgi?product=realmd&amp;component=adcli</ulink>
</para>
</refsect1>
<refsect1 id='see_also'>
<title>See also</title>
<simplelist type="inline">
<member><citerefentry><refentrytitle>realmd</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>net</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
</simplelist>
<para>
Further details available in the realmd online documentation at
<ulink url="http://www.freedesktop.org/software/realmd/">http://www.freedesktop.org/software/realmd/</ulink>
</para>
</refsect1>
</refentry>