"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"
[
]>
<refentry id="adcli">
<refentryinfo>
<title>adcli</title>
<productname>realmd</productname>
<authorgroup>
<author>
<contrib>Maintainer</contrib>
<firstname>Stef</firstname>
<surname>Walter</surname>
<email>stefw@redhat.com</email>
</author>
</authorgroup>
</refentryinfo>
<refmeta>
<refentrytitle>adcli</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="manual">System Commands</refmiscinfo>
</refmeta>
<refnamediv>
<refname>adcli</refname>
<refpurpose>Tool for performing actions on an Active Directory domain</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>adcli info</command>
<arg choice="plain">domain.example.com</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli join</command>
<arg choice="plain">domain.example.com</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli update</command>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli testjoin</command>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli create-user</command>
<arg choice="opt">--domain=domain.example.com</arg>
<arg choice="plain">user</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli delete-user</command>
<arg choice="opt">--domain=domain.example.com</arg>
<arg choice="plain">user</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli create-group</command>
<arg choice="opt">--domain=domain.example.com</arg>
<arg choice="plain">group</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli delete-group</command>
<arg choice="opt">--domain=domain.example.com</arg>
<arg choice="plain">group</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli add-member</command>
<arg choice="opt">--domain=domain.example.com</arg>
<arg choice="plain">group</arg>
<arg choice="plain" rep="repeat">user</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli remove-member</command>
<arg choice="opt">--domain=domain.example.com</arg>
<arg choice="plain">group</arg>
<arg choice="plain" rep="repeat">user</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli preset-computer</command>
<arg choice="opt">--domain=domain.example.com</arg>
<arg choice="plain" rep="repeat">computer</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli reset-computer</command>
<arg choice="opt">--domain=domain.example.com</arg>
<arg choice="plain">computer</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli delete-computer</command>
<arg choice="opt">--domain=domain.example.com</arg>
<arg choice="plain">computer</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli show-computer</command>
<arg choice="opt">--domain=domain.example.com</arg>
<arg choice="plain">computer</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>adcli create-msa</command>
<arg choice="opt">--domain=domain.example.com</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1 id='general_overview'>
<title>General Overview</title>
<para><command>adcli</command> is a command line tool that
can perform actions in an Active Directory domain. Among other things
it can be used to join a computer to a domain.</para>
<para>See the various sub commands below. The following global options
can be used:</para>
<variablelist>
<varlistentry>
<term><option>-D, --domain=<parameter>domain</parameter></option></term>
<listitem><para>The domain to connect to. If a domain is
not specified, then the domain part of the local computer's
host name is used.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-R, --domain-realm=<parameter>REALM</parameter></option></term>
<listitem><para>Kerberos realm for the domain. If not
specified, then the upper cased domain name is
used.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-S, --domain-controller=<parameter>server</parameter></option></term>
<listitem><para>Connect to a specific domain controller.
If not specified, then an appropriate domain controller
is automatically discovered.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--use-ldaps</option></term>
<listitem><para>Connect to the domain controller
with LDAPS. By default the LDAP port is used and SASL
GSS-SPNEGO or GSSAPI is used for authentication and to
establish encryption. This should satisfy all
requirements set on the server side and LDAPS should
only be used if the LDAP port is not accessible due to
firewalls or other reasons.</para>
<para>Please note that the place where CA certificates
can be found to validate the AD DC certificates
must be configured in the OpenLDAP configuration
file, e.g. <filename>/etc/openldap/ldap.conf</filename>.
As an alternative it can be specified with the help of
an environment variable, e.g.
<programlisting>
$ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com
...
</programlisting>
Please see
<citerefentry><refentrytitle>ldap.conf</refentrytitle>
<manvolnum>5</manvolnum></citerefentry> for details.
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-C</option></term>
<listitem><para>Use the default Kerberos credential
cache to authenticate with the domain.
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--login-ccache<parameter>[=ccache_name]</parameter></option></term>
<listitem><para>Use the specified Kerberos credential
cache to authenticate with the domain. If no credential
cache is specified, the default Kerberos credential
cache will be used. Credential caches of type FILE can
be given with the path to the file. For other
credential cache types, e.g. DIR, KEYRING or KCM, the
type must be specified explicitly together with a
suitable identifier.</para>
<para>Please note that since the
<parameter>ccache_name</parameter> is optional the
= (equals) sign is mandatory. If the = is missing, the
parameter is treated as an option-less extra argument. How
this is handled depends on the specific sub-command.
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-U, --login-user=<parameter>User</parameter></option></term>
<listitem><para>Use the specified user account to
authenticate with the domain. If not specified, then
the name 'Administrator' will be used.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--no-password</option></term>
<listitem><para>Don't show prompts for or read a
password from input.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-W, --prompt-password</option></term>
<listitem><para>Prompt for a password if necessary.
This is the default.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--stdin-password</option></term>
<listitem><para>Read a password from stdin input instead
of prompting for a password.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-v, --verbose</option></term>
<listitem><para>Run in verbose mode with debug
output.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='querying'>
<title>Querying Domain Information</title>
<para><command>adcli info</command> displays discovered information
about an Active Directory domain or an Active Directory domain
controller.</para>
<programlisting>
$ adcli info domain.example.com
...
</programlisting>
<programlisting>
$ adcli info --domain-controller=dc.domain.example.com
...
</programlisting>
<para><command>adcli info</command> will output as much information as
it can about the domain. The information is designed to be both machine
and human readable. The command will exit with a non-zero exit code
if the domain does not exist or cannot be reached.</para>
<para>To show domain info for a specific domain controller use the
<option>--domain-controller</option> option to specify which domain
controller to query.</para>
<para>Use the <option>--verbose</option> option to show details of how
the domain is discovered and queried. Many of the global options, in
particular authentication options, are not usable with the
<command>adcli info</command> command.</para>
</refsect1>
<refsect1 id='joining'>
<title>Joining the Local Machine to a Domain</title>
<para><command>adcli join</command> creates a computer account in the
domain for the local machine, and sets up a keytab for the machine.
It does not configure an authentication service (such as
<command>sssd</command>).</para>
<programlisting>
$ adcli join domain.example.com
Password for Administrator:
</programlisting>
<para>In addition to the global options, you can specify the following
options to control how this operation is done.</para>
<variablelist>
<varlistentry>
<term><option>-N, --computer-name=<parameter>computer</parameter></option></term>
<listitem><para>The short non-dotted name of the computer
account that will be created in the domain. If not specified,
then the first portion of the <option>--host-fqdn</option>
is used.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-O, --domain-ou=<parameter>OU=xxx</parameter></option></term>
<listitem><para>The full distinguished name of the OU in
which to create the computer account. If not specified,
then the computer account will be created in a default
location.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-H, --host-fqdn=<parameter>host</parameter></option></term>
<listitem><para>Override the local machine's fully qualified
domain name. If not specified, the local machine's hostname
will be retrieved via <function>gethostname()</function>.
If <function>gethostname()</function> only returns a short name,
<function>getaddrinfo()</function> with the AI_CANONNAME hint
is called to expand the name to a fully qualified domain
name.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-K, --host-keytab=<parameter>/path/to/keytab</parameter></option></term>
<listitem><para>Specify the path to the host keytab where
host credentials will be written after a successful join
operation. If not specified, the default location will be
used, usually <filename>/etc/krb5.keytab</filename>.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--login-type=<parameter>{computer|user}</parameter></option></term>
<listitem><para>Specify the type of authentication that
will be performed before creating the machine account in
the domain. If set to 'computer', then the computer must
already have a preset account in the domain. If not
specified and none of the other <option>--login-xxx</option>
arguments have been specified, then adcli will try both
'computer' and 'user' authentication.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--os-name=<parameter>name</parameter></option></term>
<listitem><para>Set the operating system name on the computer
account. The default depends on where adcli was built, but
is usually something like 'linux-gnu'.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--os-service-pack=<parameter>pack</parameter></option></term>
<listitem><para>Set the operating system service pack on the computer
account. Not set by default.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--os-version=<parameter>version</parameter></option></term>
<listitem><para>Set the operating system version on the computer
account. Not set by default.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--description=<parameter>description</parameter></option></term>
<listitem><para>Set the description attribute on the computer
account. Not set by default.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--service-name=<parameter>service</parameter></option></term>
<listitem><para>Additional service name for a Kerberos
principal to be created on the computer account. This
option may be specified multiple times.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--user-principal=<parameter>host/name@REALM</parameter></option></term>
<listitem><para>Set the userPrincipalName field of the
computer account to this Kerberos principal. If you omit
the value for this option, then a principal will be set
in the form of host/host.example.com@REALM.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--one-time-password</option></term>
<listitem><para>Specify a one time password for a preset
computer account. This is equivalent to using
<option>--login-type=computer</option> and providing a
password as input.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--trusted-for-delegation=<parameter>yes|no|true|false</parameter></option></term>
<listitem><para>Set or unset the TRUSTED_FOR_DELEGATION
flag in the userAccountControl attribute to allow or
disallow the forwarding of Kerberos tickets to the
host (unconstrained delegation).</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--add-service-principal=<parameter>service/hostname</parameter></option></term>
<listitem><para>Add a service principal name. In
contrast to the <option>--service-name</option> the
hostname part can be specified as well in case the
service should be accessible with a different host
name as well.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--show-details</option></term>
<listitem><para>After a successful join print out information
about join operation. This is output in a format that should
be both human and machine readable.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--show-password</option></term>
<listitem><para>After a successful join print out the computer
machine account password. This is output in a format that should
be both human and machine readable.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--add-samba-data</option></term>
<listitem><para>After a successful join add the domain
SID and the machine account password to the Samba
specific databases by calling Samba's
<command>net</command> utility.</para>
<para>Please note that Samba's <command>net</command>
requires some settings in <filename>smb.conf</filename>
to create the database entries correctly. Most
important here is currently the
<option>workgroup</option> option, see
<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
<listitem><para>If Samba's <command>net</command>
cannot be found at
<filename>&samba_data_tool;</filename>, this option can
be used to specify an alternative location with the
help of an absolute path.</para></listitem>
</varlistentry>
</variablelist>
<para>If supported on the AD side the
<option>msDS-supportedEncryptionTypes</option> attribute will be set as
well. Either the current value or the default list of AD's supported
encryption types filtered by the permitted encryption types of the
client's Kerberos configuration is written.</para>
</refsect1>
<refsect1 id='updating'>
<title>Updating the machine account password and other attributes</title>
<para><command>adcli update</command> updates the password of the computer
account on the domain controller for the local machine, writes the new
keys to the keytab and removes older keys. It keeps the previous key on purpose
because AD will need some time to replicate the new key to all DCs, hence the
previous key might still be used.
</para>
<programlisting>
$ adcli update
</programlisting>
<para>If used with a credential cache, other attributes of the computer
account can be changed as well if the principal has sufficient
privileges.</para>
<programlisting>
$ kinit Administrator
$ adcli update --login-ccache=/tmp/krbcc_123
</programlisting>
<para>In addition to the global options, you can specify the following
options to control how this operation is done.</para>
<variablelist>
<varlistentry>
<term><option>-N, --computer-name=<parameter>computer</parameter></option></term>
<listitem><para>The short non-dotted name of the computer
account to be updated in the domain. If not specified,
it will be retrieved from the keytab entries.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-H, --host-fqdn=<parameter>host</parameter></option></term>
<listitem><para>The local machine's fully qualified
domain name. If not specified, the local machine's hostname
will be retrieved from the keytab entries.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-K, --host-keytab=<parameter>/path/to/keytab</parameter></option></term>
<listitem><para>Specify the path to the host keytab where
current host credentials are stored and the new ones
will be written to. If not specified, the default
location will be used, usually
<filename>/etc/krb5.keytab</filename>.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--os-name=<parameter>name</parameter></option></term>
<listitem><para>Set the operating system name on the computer
account. Not set by default.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--os-service-pack=<parameter>pack</parameter></option></term>
<listitem><para>Set the operating system service pack on the computer
account. Not set by default.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--os-version=<parameter>version</parameter></option></term>
<listitem><para>Set the operating system version on the computer
account. Not set by default.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--description=<parameter>description</parameter></option></term>
<listitem><para>Set the description attribute on the computer
account. Not set by default.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--service-name=<parameter>service</parameter></option></term>
<listitem><para>Additional service name for a Kerberos
principal to be created on the computer account. This
option may be specified multiple times.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--user-principal=<parameter>host/name@REALM</parameter></option></term>
<listitem><para>Set the userPrincipalName field of the
computer account to this Kerberos principal.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--computer-password-lifetime=<parameter>lifetime</parameter></option></term>
<listitem><para>Only update the password of the
computer account if it is older than the lifetime given
in days. By default the password is updated if it is
older than 30 days.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--trusted-for-delegation=<parameter>yes|no|true|false</parameter></option></term>
<listitem><para>Set or unset the TRUSTED_FOR_DELEGATION
flag in the userAccountControl attribute, which controls
whether Kerberos tickets can be forwarded to the
host. A host with this flag set can use the forwarded
tickets to act on behalf of the users who authenticate to
it, so only set it where that is required.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--add-service-principal=<parameter>service/hostname</parameter></option></term>
<listitem><para>Add a service principal name. In
contrast to <option>--service-name</option>, the
hostname part can be specified as well, for the case
where the service should also be reachable under a
different host name.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--remove-service-principal=<parameter>service/hostname</parameter></option></term>
<listitem><para>Remove a service principal name from
the keytab and the AD host object.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--show-details</option></term>
<listitem><para>After a successful join print out information
about the join operation. This is output in a format that should
be both human and machine readable.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--add-samba-data</option></term>
<listitem><para>After a successful join add the domain
SID and the machine account password to the Samba
specific databases by calling Samba's
<command>net</command> utility.</para>
<para>Please note that Samba's <command>net</command>
requires some settings in <filename>smb.conf</filename>
to create the database entries correctly. Most
important here is currently the
<option>workgroup</option> option, see
<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details.</para>
<para>Note that if the machine account password is not
older than 30 days, you have to pass
<option>--computer-password-lifetime=0</option> to
force the update.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
<listitem><para>If Samba's <command>net</command>
cannot be found at
<filename>&samba_data_tool;</filename>, this option can
be used to specify an alternative location with the
help of an absolute path.</para></listitem>
</varlistentry>
</variablelist>
<para>If supported on the AD side the
<option>msDS-supportedEncryptionTypes</option> attribute will be set as
well. Either the current value or the default list of AD's supported
encryption types filtered by the permitted encryption types of the
client's Kerberos configuration are written.</para>
</refsect1>
<refsect1 id='testjoin'>
<title>Testing if the machine account password is valid</title>
<para><command>adcli testjoin</command> uses the current credentials in
the keytab and tries to authenticate with the machine account to the AD
domain. If this works the machine account password and the join are
still valid. If it fails the machine account password or the whole
machine account has to be refreshed with
<command>adcli join</command> or <command>adcli update</command>.
</para>
<programlisting>
$ adcli testjoin
</programlisting>
<para>Only the global options not related to authentication are
available, additionally you can specify the following options to
control how this operation is done.</para>
<variablelist>
<varlistentry>
<term><option>-K, --host-keytab=<parameter>/path/to/keytab</parameter></option></term>
<listitem><para>Specify the path to the host keytab where
current host credentials are stored and the new ones
will be written to. If not specified, the default
location will be used, usually
<filename>/etc/krb5.keytab</filename>.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='create_user'>
<title>Creating a User</title>
<para><command>adcli create-user</command> creates a new user account
in the domain.</para>
<programlisting>
$ adcli create-user Fry --domain=domain.example.com \
--display-name="Philip J. Fry" --mail=fry@domain.example.com
</programlisting>
<para>In addition to the global options, you can specify the following
options to control how the user is created.</para>
<variablelist>
<varlistentry>
<term><option>--display-name=<parameter>"Name"</parameter></option></term>
<listitem><para>Set the displayName attribute
of the newly created user account.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-O, --domain-ou=<parameter>OU=xxx</parameter></option></term>
<listitem><para>The full distinguished name of the OU in
which to create the user account. If not specified,
then the user account will be created in a default
location.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--mail=<parameter>email@domain.com</parameter></option></term>
<listitem><para>Set the mail attribute of
the newly created user account. This attribute may be
specified multiple times.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--unix-home=<parameter>/home/user</parameter></option></term>
<listitem><para>Set the unixHomeDirectory attribute of
the newly created user account, which should be an absolute
path to the user's home directory.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--unix-gid=<parameter>111</parameter></option></term>
<listitem><para>Set the gidNumber attribute of
the newly created user account, which should be the user's
numeric primary group id.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--unix-shell=<parameter>/bin/shell</parameter></option></term>
<listitem><para>Set the loginShell attribute of
the newly created user account, which should be a path to
a valid shell.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--unix-uid=<parameter>111</parameter></option></term>
<listitem><para>Set the uidNumber attribute of
the newly created user account, which should be the user's
numeric primary user id.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--nis-domain=<parameter>nis_domain</parameter></option></term>
<listitem><para>Set the msSFU30NisDomain attribute of
the newly created user account, which should be the user's
NIS domain if the NIS/YP service of Active Directory's Services for Unix (SFU)
is used. This is needed to let the 'UNIX attributes' tab of older Active
Directory versions show the UNIX specific attributes that were set. If not specified,
adcli will try to determine the NIS domain automatically if needed.
</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='delete_user'>
<title>Deleting a User</title>
<para><command>adcli delete-user</command> deletes a user account from
the domain.</para>
<programlisting>
$ adcli delete-user Fry --domain=domain.example.com
</programlisting>
<para>The various global options can be used.</para>
</refsect1>
<refsect1 id='create_group'>
<title>Creating a Group</title>
<para><command>adcli create-group</command> creates a new group in the
domain.</para>
<programlisting>
$ adcli create-group Pilots --domain=domain.example.com \
--description="Group for all pilots"
</programlisting>
<para>In addition to the global options, you can specify the following
options to control how the group is created.</para>
<variablelist>
<varlistentry>
<term><option>--description=<parameter>"text"</parameter></option></term>
<listitem><para>Set the description attribute
of the newly created group.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-O, --domain-ou=<parameter>OU=xxx</parameter></option></term>
<listitem><para>The full distinguished name of the OU in
which to create the group. If not specified,
then the group will be created in a default
location.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='delete_group'>
<title>Deleting a Group</title>
<para><command>adcli delete-group</command> deletes a group from
the domain.</para>
<programlisting>
$ adcli delete-group Pilots --domain=domain.example.com
</programlisting>
<para>The various global options can be used.</para>
</refsect1>
<refsect1 id='add_group_member'>
<title>Adding a Member to a Group</title>
<para><command>adcli add-member</command> adds one or more users to a
group in the domain. The group is specified first, and then the various
users to be added.</para>
<programlisting>
$ adcli add-member --domain=domain.example.com Pilots Leela Scruffy
</programlisting>
<para>The various global options can be used.</para>
<para></para>
</refsect1>
<refsect1 id='remove_group_member'>
<title>Removing a Member from a Group</title>
<para><command>adcli remove-member</command> removes a user from a group
in the domain. The group is specified first, and then the various users
to be removed.</para>
<programlisting>
$ adcli remove-member --domain=domain.example.com Pilots Scruffy
</programlisting>
<para>The various global options can be used.</para>
</refsect1>
<refsect1 id='preset_computer_account'>
<title>Preset Computer Accounts</title>
<para><command>adcli preset-computer</command> pre-creates one or more
computer accounts in the domain for machines to later use when joining
the domain. By doing this machines can join using a one time password
or automatically without a password.</para>
<programlisting>
$ adcli preset-computer --domain=domain.example.com \
host1.example.com host2
Password for Administrator:
</programlisting>
<para>If the computer names specified contain dots, then they are
treated as fully qualified host names, otherwise they are treated
as short computer names. The computer accounts must not already
exist.</para>
<para>In addition to the global options, you can specify the following
options to control how this operation is done.</para>
<variablelist>
<varlistentry>
<term><option>-O, --domain-ou=<parameter>OU=xxx</parameter></option></term>
<listitem><para>The full distinguished name of the OU in
which to create the computer accounts. If not specified,
then the computer account will be created in a default
location.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--one-time-password</option></term>
<listitem><para>Specify a one time password to use when
presetting the computer accounts. If not specified, then
a default password will be used, which allows for later
automatic joins. Since such a join needs no secret, any host
that knows the account name can claim the preset account; use
a one time password where that is a concern.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--os-name=<parameter>name</parameter></option></term>
<listitem><para>Set the operating system name on the computer
account. The default depends on where adcli was built, but
is usually something like 'linux-gnu'.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--os-service-pack=<parameter>pack</parameter></option></term>
<listitem><para>Set the operating system service pack on the computer
account. Not set by default.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--os-version=<parameter>version</parameter></option></term>
<listitem><para>Set the operating system version on the computer
account. Not set by default.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--service-name=<parameter>service</parameter></option></term>
<listitem><para>Additional service name for a Kerberos
principal to be created on the computer account. This
option may be specified multiple times.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--user-principal</option></term>
<listitem><para>Set the userPrincipalName field of the
computer account to this Kerberos principal in the form
of host/host.example.com@REALM.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='reset_computer_account'>
<title>Reset Computer Account</title>
<para><command>adcli reset-computer</command> resets a computer account
in the domain. If the appropriate machine is currently joined to the
domain, then its membership will be broken. The account must already
exist.</para>
<programlisting>
$ adcli reset-computer --domain=domain.example.com host2
</programlisting>
<para>If the computer names specified contain dots, then they are
treated as fully qualified host names, otherwise they are treated
as short computer names.</para>
<para>In addition to the global options, you can specify the following
options to control how this operation is done.</para>
<variablelist>
<varlistentry>
<term><option>--login-type=<parameter>{computer|user}</parameter></option></term>
<listitem><para>Specify the type of authentication that
will be performed before creating the machine account in
the domain. If set to 'computer', then the computer must
already have a preset account in the domain. If not
specified and none of the other <option>--login-xxx</option>
arguments have been specified, then adcli will try both
'computer' and 'user' authentication.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='delete_computer_account'>
<title>Delete Computer Account</title>
<para><command>adcli delete-computer</command> deletes a computer account
in the domain. The account must already exist.</para>
<programlisting>
$ adcli delete-computer --domain=domain.example.com host2
Password for Administrator:
</programlisting>
<para>If the computer name contains a dot, then it is
treated as fully qualified host name, otherwise it is treated
as short computer name.</para>
<para>If no computer name is specified, then the host name of the
computer adcli is running on is used, as returned by
<literal>gethostname()</literal>.</para>
<para>The various global options can be used.</para>
</refsect1>
<refsect1 id='show_computer_account'>
<title>Show Computer Account Attributes</title>
<para><command>adcli show-computer</command> shows the computer account
attributes stored in AD. The account must already exist.</para>
<programlisting>
$ adcli show-computer --domain=domain.example.com host2
Password for Administrator:
</programlisting>
<para>If the computer name contains a dot, then it is
treated as fully qualified host name, otherwise it is treated
as short computer name.</para>
<para>If no computer name is specified, then the host name of the
computer adcli is running on is used, as returned by
<literal>gethostname()</literal>.</para>
<para>The various global options can be used.</para>
</refsect1>
<refsect1 id='managed_service_account'>
<title>Create a managed service account</title>
<para><command>adcli create-msa</command> creates a managed service
account (MSA) in the given Active Directory domain. This is useful if a
computer should not fully join the Active Directory domain but LDAP
access is needed. A typical use case is that the computer is already
joined to an Active Directory domain and needs access to another Active
Directory domain in the same or a trusted forest where the host
credentials from the joined Active Directory domain are
not valid, e.g. there is only a one-way trust.</para>
<programlisting>
$ adcli create-msa --domain=domain.example.com
Password for Administrator:
</programlisting>
<para>The managed service account, as maintained by adcli, cannot have
additional service principal names (SPNs) associated with it. An SPN
is defined within the context of a Kerberos service which is tied to a
machine account in Active Directory. Since a machine can be joined to a
single Active Directory domain, a managed service account in a different
Active Directory domain will not have the SPNs that otherwise are part
of another Active Directory domain's machine.</para>
<para>Since it is expected that a client will most probably join to the
Active Directory domain matching its DNS domain the managed service
account will be needed for a different Active Directory domain and as a
result the Active Directory domain name is a mandatory option. If
called with no other options <command>adcli create-msa</command>
will use the short hostname with an additional random suffix as
computer name to avoid name collisions.</para>
<para>LDAP attribute sAMAccountName has a limit of 20 characters.
However, a machine account's NetBIOS name must be at most 16 characters
long, including a trailing '$' sign. Since it is not expected that the
managed service accounts created by adcli will be used on the NetBIOS
level, the remaining 4 characters can be used to add uniqueness. Managed
service account names will have a suffix of 3 random characters from
digits and upper- and lowercase ASCII letters appended to the chosen
short host name, using '!' as a separator. For a host with the
shortname 'myhost', a managed service account will have a common name
(CN attribute) 'myhost!A2c' and a NetBIOS name
(sAMAccountName attribute) will be 'myhost!A2c$'. A corresponding
Kerberos principal in the Active Directory domain where the managed
service account was created would be
'myhost!A2c$@DOMAIN.EXAMPLE.COM'.</para>
<para>A keytab for the managed service account is stored into a file
specified with the -K option. If it is not specified, the file is named
after the default keytab file, with lowercase Active Directory domain
of the managed service account as a suffix. On most systems it would be
<filename>/etc/krb5.keytab</filename> with a suffix of
'domain.example.com', e.g.
<filename>/etc/krb5.keytab.domain.example.com</filename>.</para>
<para><command>adcli create-msa</command> can be called multiple
times to reset the password of the managed service account. To identify
the right account with the random component in the name the
corresponding principal is read from the keytab. If the keytab got
deleted, <command>adcli</command> will try to identify an existing
managed service account with the help of the fully-qualified name. If
this fails a new managed service account will be created.</para>
<para>The managed service account password can be updated with
<programlisting>
$ adcli update --domain=domain.example.com --host-keytab=/etc/krb5.keytab.domain.example.com
</programlisting>
and the managed service account can be deleted with
<programlisting>
$ adcli delete-computer --domain=domain.example.com 'myhost!A2c'
</programlisting>
</para>
<para>In addition to the global options, you can specify the following
options to control how this operation is done.</para>
<variablelist>
<varlistentry>
<term><option>-N, --computer-name=<parameter>computer</parameter></option></term>
<listitem><para>The short non-dotted name of the managed
service account that will be created in the Active
Directory domain. The long option name
<option>--computer-name</option> is
kept to underline the similarity with the same option
of the other sub-commands. If not specified,
then the first portion of the <option>--host-fqdn</option>
or its default is used with a random suffix.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-O, --domain-ou=<parameter>OU=xxx</parameter></option></term>
<listitem><para>The full distinguished name of the OU in
which to create the managed service account. If not
specified, then the managed service account will be
created in a default location.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-H, --host-fqdn=<parameter>host</parameter></option></term>
<listitem><para>Override the local machine's fully
qualified DNS domain name. If not specified, the local
machine's hostname will be retrieved via
<function>gethostname()</function>.
If <function>gethostname()</function> only returns a short name
<function>getaddrinfo()</function> with the AI_CANONNAME hint
is called to expand the name to a fully qualified DNS
domain name.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-K, --host-keytab=<parameter>/path/to/keytab</parameter></option></term>
<listitem><para>Specify the path to the host keytab where
credentials of the managed service account will be
written after a successful creation. If not specified,
the default location will be used, usually
<filename>/etc/krb5.keytab</filename> with
the lower-cased Active Directory domain name added as a
suffix, e.g.
<filename>/etc/krb5.keytab.domain.example.com</filename>.
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--show-details</option></term>
<listitem><para>After a successful creation print out
information about the created object. This is output in
a format that should be both human and machine
readable.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--show-password</option></term>
<listitem><para>After a successful creation print out
the managed service account password. This is output in
a format that should be both human and machine
readable.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 id='delegation'>
<title>Delegated Permissions</title>
<para>It is common practice in AD to not use an account from the Domain
Administrators group to join a machine to a domain but use a dedicated
account which only has permissions to join a machine to one or more OUs
in the Active Directory tree. Giving the needed permissions to a single
account or a group in Active Directory is called Delegation. A typical
example of how to configure Delegation can be found in the Delegation
section of the blog post
<ulink url="https://docs.microsoft.com/en-us/archive/blogs/dubaisec/who-can-add-workstation-to-the-domain">Who can add workstation to the domain</ulink>.
</para>
<para>When using an account with delegated permissions with adcli
basically the same applies. However, some aspects are explained
here in a bit more detail to better illustrate different concepts of
Active Directory and to make it easier to debug permission issues
during the join. Please note that the following is not specific to
adcli but applies to all applications which would like to modify
certain properties or objects in Active Directory with an account with
limited permissions.</para>
<para>First, as said in the blog post, it is sufficient to have
<literal>"Create computer object"</literal> permissions to join a
computer to a domain. But this would only work as expected if the
computer object does not exist in Active Directory before the join.
This is because only when a new object is created does Active Directory not
apply additional permission checks on the attributes of the new
computer object. This means the delegated user can add any kind of
attribute with any value to a new computer object as long as they
meet general constraints like e.g. that the attribute must be defined
in the schema and is allowed in an objectclass of the object, the value
must match the syntax defined in the schema or that the
<option>sAMAccountName</option> must be unique in the domain.</para>
<para>If you want to use the account with delegated permission to
remove computer objects in Active Directory (adcli delete-computer) you
should of course make sure that the account has
<literal>"Delete computer object"</literal> permissions.</para>
<para>If the computer object already exists the
<literal>"Create computer object"</literal> permission does not apply
anymore since now an existing object must be modified. Now permissions
on the individual attributes are needed, e.g.
<literal>"Read and write Account Restrictions"</literal> or
<literal>"Reset Password"</literal>. For some attributes Active
Directory has two types of permissions: the plain
<literal>"Read and Write"</literal> permissions and the
<literal>"Validated Write"</literal> permissions. For the latter case
there are two specific permissions relevant for adcli, namely
<itemizedlist>
<listitem><para>Validated write to DNS host name</para></listitem>
<listitem><para>Validated write to service principal name</para></listitem>
</itemizedlist>
Details about the validation of the values can be found in the
<literal>"Validated Writes"</literal> section of
<literal>[MS-ADTS]</literal>, especially
<ulink url="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/5c578b15-d619-408d-ba17-380714b89fd1">dNSHostName</ulink>
and
<ulink url="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/28ca4eca-0e0b-4666-9175-a37ccb8edada">servicePrincipalName</ulink>.
In short, for <literal>"Validated write to DNS host name"</literal>
the domain part of the fully-qualified hostname must either match the
domain name of the domain you want to join or must be listed in the
<option>msDS-AllowedDNSSuffixes</option> attribute. And for
<literal>"Validated write to service principal name"</literal> the
hostname part of the service principal name must match the name stored
in <option>dNSHostName</option> or some other attributes which are
not handled by adcli. This also means that
<option>dNSHostName</option> cannot be empty or only contain a short
name if the service principal name should contain a fully-qualified
name.</para>
<para>To summarize, if you only have validated write permissions you
should make sure the domain part of the hostname matches the domain you
want to join or use the <option>--host-fqdn</option> option with a matching
name.</para>
<para>The plain read/write permissions do not run additional
validations but the attribute values must still be in agreement with
the general constraints mentioned above. If the computer object already
exists adcli might need the following permissions which are also needed
by Windows clients to modify existing attributes:
<itemizedlist>
<listitem><para>Reset Password</para></listitem>
<listitem><para>Read and write Account Restrictions</para></listitem>
<listitem><para>Read and (validated) write to DNS host name</para></listitem>
<listitem><para>Read and (validated) write to service principal name</para></listitem>
</itemizedlist>
Additionally, adcli needs
<itemizedlist>
<listitem><para>Read and write msDS-supportedEncryptionTypes</para></listitem>
</itemizedlist>
This is needed for security reasons, to prevent Active Directory from
storing Kerberos keys with (potentially weaker) encryption types than
the client supports, since Active Directory is often configured to still
support older (weaker) encryption types for compatibility reasons.
</para>
<para>All other attributes are only set or modified on demand, i.e.
adcli must be called with an option that would set or modify the given
attribute. In the following, the attributes adcli can modify together
with the required permissions are listed:
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="permissions.xml" />
</para>
<para>For the management of users and groups (adcli create-user,
adcli delete-user, adcli create-group, adcli delete-group) the same
applies, only for different types of objects, i.e. users and groups.
Since currently adcli only supports the creation and the removal of
user and group objects, it is sufficient to have the
<literal>"Create/Delete User objects"</literal> and
<literal>"Create/Delete Group objects"</literal> permissions.</para>
<para>If you want to manage group members as well (adcli add-member,
adcli remove-member) <literal>"Read/Write Members"</literal> permissions
are needed as well.</para>
<para>Depending on the version of Active Directory the
<literal>"Delegation of Control Wizard"</literal> might offer some
shortcuts for common tasks, e.g.
<itemizedlist>
<listitem><para>Create, delete and manage user accounts</para></listitem>
<listitem><para>Create, delete and manage groups</para></listitem>
<listitem><para>Modify the membership of a group</para></listitem>
</itemizedlist>
The first two shortcuts will grant full access to user and group
objects which, as explained above, is more than is currently needed.
After using those shortcuts it is a good idea to verify in the
<literal>"Security"</literal> tab in the <literal>"Properties"</literal>
of the related Active Directory container that the assigned permissions
meet the expectations.</para>
</refsect1>
<refsect1 id='bugs'>
<title>Bugs</title>
<para>
Please send bug reports to either the distribution bug tracker
or the upstream bug tracker at
<ulink url="https://bugs.freedesktop.org/enter_bug.cgi?product=realmd&amp;component=adcli">https://bugs.freedesktop.org/enter_bug.cgi?product=realmd&amp;component=adcli</ulink>
</para>
</refsect1>
<refsect1 id='see_also'>
<title>See also</title>
<simplelist type="inline">
<member><citerefentry><refentrytitle>realmd</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>net</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
</simplelist>
<para>
Further details available in the realmd online documentation at
<ulink url="http://www.freedesktop.org/software/realmd/">http://www.freedesktop.org/software/realmd/</ulink>
</para>
</refsect1>
</refentry>