Blame doc/adcli.xml

Packit Service 6d40f9
Packit Service 6d40f9
Packit Service bff25d
	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"
Packit Service bff25d
[
Packit Service bff25d
	
Packit Service bff25d
]>
Packit Service 6d40f9
Packit Service 6d40f9
<refentry id="adcli">
Packit Service 6d40f9
Packit Service 6d40f9
<refentryinfo>
Packit Service 6d40f9
	<title>adcli</title>
Packit Service 6d40f9
	<productname>realmd</productname>
Packit Service 6d40f9
	<authorgroup>
Packit Service 6d40f9
		<author>
Packit Service 6d40f9
			<contrib>Maintainer</contrib>
Packit Service 6d40f9
			<firstname>Stef</firstname>
Packit Service 6d40f9
			<surname>Walter</surname>
Packit Service 6d40f9
			<email>stefw@redhat.com</email>
Packit Service 6d40f9
		</author>
Packit Service 6d40f9
	</authorgroup>
Packit Service 6d40f9
</refentryinfo>
Packit Service 6d40f9
Packit Service 6d40f9
<refmeta>
Packit Service 6d40f9
	<refentrytitle>adcli</refentrytitle>
Packit Service 6d40f9
	<manvolnum>8</manvolnum>
Packit Service 6d40f9
	<refmiscinfo class="manual">System Commands</refmiscinfo>
Packit Service 6d40f9
</refmeta>
Packit Service 6d40f9
Packit Service 6d40f9
<refnamediv>
Packit Service 6d40f9
	<refname>adcli</refname>
Packit Service 6d40f9
	<refpurpose>Tool for performing actions on an Active Directory domain</refpurpose>
Packit Service 6d40f9
</refnamediv>
Packit Service 6d40f9
Packit Service 6d40f9
<refsynopsisdiv>
Packit Service 6d40f9
	<cmdsynopsis>
Packit Service 6d40f9
		<command>adcli info</command>
Packit Service 6d40f9
		<arg choice="plain">domain.example.com</arg>
Packit Service 6d40f9
	</cmdsynopsis>
Packit Service 6d40f9
	<cmdsynopsis>
Packit Service 6d40f9
		<command>adcli join</command>
Packit Service 6d40f9
		<arg choice="plain">domain.example.com</arg>
Packit Service 6d40f9
	</cmdsynopsis>
Packit Service 6d40f9
	<cmdsynopsis>
Packit Service 6d40f9
		<command>adcli update</command>
Packit Service 6d40f9
	</cmdsynopsis>
Packit Service 6d40f9
	<cmdsynopsis>
Packit Service ed710c
		<command>adcli testjoin</command>
Packit Service ed710c
	</cmdsynopsis>
Packit Service ed710c
	<cmdsynopsis>
Packit Service 6d40f9
		<command>adcli create-user</command>
Packit Service 6d40f9
		<arg choice="opt">--domain=domain.example.com</arg>
Packit Service 6d40f9
		<arg choice="plain">user</arg>
Packit Service 6d40f9
	</cmdsynopsis>
Packit Service 6d40f9
	<cmdsynopsis>
Packit Service 6d40f9
		<command>adcli delete-user</command>
Packit Service 6d40f9
		<arg choice="opt">--domain=domain.example.com</arg>
Packit Service 6d40f9
		<arg choice="plain">user</arg>
Packit Service 6d40f9
	</cmdsynopsis>
Packit Service 6d40f9
	<cmdsynopsis>
Packit Service 6d40f9
		<command>adcli create-group</command>
Packit Service 6d40f9
		<arg choice="opt">--domain=domain.example.com</arg>
Packit Service 6d40f9
		<arg choice="plain">group</arg>
Packit Service 6d40f9
	</cmdsynopsis>
Packit Service 6d40f9
	<cmdsynopsis>
Packit Service 6d40f9
		<command>adcli delete-group</command>
Packit Service 6d40f9
		<arg choice="opt">--domain=domain.example.com</arg>
Packit Service 6d40f9
		<arg choice="plain">group</arg>
Packit Service 6d40f9
	</cmdsynopsis>
Packit Service 6d40f9
	<cmdsynopsis>
Packit Service 6d40f9
		<command>adcli add-member</command>
Packit Service 6d40f9
		<arg choice="opt">--domain=domain.example.com</arg>
Packit Service 6d40f9
		<arg choice="plain">group</arg>
Packit Service 6d40f9
		<arg choice="plain" rep="repeat">user</arg>
Packit Service 6d40f9
	</cmdsynopsis>
Packit Service 6d40f9
	<cmdsynopsis>
Packit Service 6d40f9
		<command>adcli remove-member</command>
Packit Service 6d40f9
		<arg choice="opt">--domain=domain.example.com</arg>
Packit Service 6d40f9
		<arg choice="plain">group</arg>
Packit Service 6d40f9
		<arg choice="plain" rep="repeat">user</arg>
Packit Service 6d40f9
	</cmdsynopsis>
Packit Service 6d40f9
	<cmdsynopsis>
Packit Service 6d40f9
		<command>adcli preset-computer</command>
Packit Service 6d40f9
		<arg choice="opt">--domain=domain.example.com</arg>
Packit Service 6d40f9
		<arg choice="plain" rep="repeat">computer</arg>
Packit Service 6d40f9
	</cmdsynopsis>
Packit Service 6d40f9
	<cmdsynopsis>
Packit Service 6d40f9
		<command>adcli reset-computer</command>
Packit Service 6d40f9
		<arg choice="opt">--domain=domain.example.com</arg>
Packit Service 6d40f9
		<arg choice="plain">computer</arg>
Packit Service 6d40f9
	</cmdsynopsis>
Packit Service 6d40f9
	<cmdsynopsis>
Packit Service 6d40f9
		<command>adcli delete-computer</command>
Packit Service 6d40f9
		<arg choice="opt">--domain=domain.example.com</arg>
Packit Service 6d40f9
		<arg choice="plain">computer</arg>
Packit Service 6d40f9
	</cmdsynopsis>
Packit Service 147c59
	<cmdsynopsis>
Packit Service 147c59
		<command>adcli show-computer</command>
Packit Service 147c59
		<arg choice="opt">--domain=domain.example.com</arg>
Packit Service 147c59
		<arg choice="plain">computer</arg>
Packit Service 147c59
	</cmdsynopsis>
Packit Service 8bf96a
	<cmdsynopsis>
Packit Service 8bf96a
		<command>adcli create-msa</command>
Packit Service 8bf96a
		<arg choice="opt">--domain=domain.example.com</arg>
Packit Service 8bf96a
	</cmdsynopsis>
Packit Service 6d40f9
</refsynopsisdiv>
Packit Service 6d40f9
Packit Service 6d40f9
<refsect1 id='general_overview'>
Packit Service 6d40f9
	<title>General Overview</title>
Packit Service 6d40f9
	<para><command>adcli</command> is a command line tool that
Packit Service 6d40f9
	can perform actions in an Active Directory domain. Among other things
Packit Service 6d40f9
	it can be used to join a computer to a domain.</para>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>See the various sub commands below. The following global options
Packit Service 6d40f9
	can be used:</para>
Packit Service 6d40f9
Packit Service 6d40f9
	<variablelist>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>-D, --domain=<parameter>domain</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>The domain to connect to. If a domain is
Packit Service f43384
			not specified, then the domain part of the local computer's
Packit Service 6d40f9
			host name is used.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>-R, --domain-realm=<parameter>REALM</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Kerberos realm for the domain. If not
Packit Service f43384
			specified, then the upper cased domain name is
Packit Service 6d40f9
			used.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>-S, --domain-controller=<parameter>server</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Connect to a specific domain controller.
Packit Service f43384
			If not specified, then an appropriate domain controller
Packit Service 6d40f9
			is automatically discovered.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service aa0613
			<term><option>--use-ldaps</option></term>
Packit Service aa0613
			<listitem><para>Connect to the domain controller
Packit Service aa0613
			with LDAPS. By default the LDAP port is used and SASL
Packit Service aa0613
			GSS-SPNEGO or GSSAPI is used for authentication and to
Packit Service aa0613
			establish encryption. This should satisfy all
Packit Service aa0613
			requirements set on the server side and LDAPS should
Packit Service aa0613
			only be used if the LDAP port is not accessible due to
Packit Service aa0613
			firewalls or other reasons.</para>
Packit Service aa0613
			<para> Please note that the place where CA certificates
Packit Service aa0613
			can be found to validate the AD DC certificates
Packit Service aa0613
			must be configured in the OpenLDAP configuration
Packit Service aa0613
			file, e.g. <filename>/etc/openldap/ldap.conf</filename>.
Packit Service aa0613
			As an alternative it can be specified with the help of
Packit Service aa0613
			an environment variable, e.g.
Packit Service aa0613
<programlisting>
Packit Service aa0613
$ LDAPTLS_CACERT=/path/to/ad_dc_ca_cert.pem adcli join --use-ldaps -D domain.example.com
Packit Service aa0613
...
Packit Service aa0613
</programlisting>
Packit Service aa0613
			Please see
Packit Service aa0613
			<citerefentry><refentrytitle>ldap.conf</refentrytitle>
Packit Service aa0613
			<manvolnum>5</manvolnum></citerefentry> for details.
Packit Service aa0613
			</para></listitem>
Packit Service aa0613
		</varlistentry>
Packit Service aa0613
		<varlistentry>
Packit Service 20960c
			<term><option>-C</option></term>
Packit Service 20960c
			<listitem><para>Use the default Kerberos credential
Packit Service 20960c
			cache to authenticate with the domain.
Packit Service 20960c
			</para></listitem>
Packit Service 20960c
		</varlistentry>
Packit Service 20960c
		<varlistentry>
Packit Service 20960c
			<term><option>--login-ccache<parameter>[=ccache_name]</parameter></option></term>
Packit Service 20960c
			<listitem><para>Use the specified Kerberos credential
Packit Service 414a7a
			cache to authenticate with the domain. If no credential
Packit Service 20960c
			cache is specified, the default Kerberos credential
Packit Service 414a7a
			cache will be used. Credential caches of type FILE can
Packit Service 414a7a
			be given with the path to the file. For other
Packit Service 414a7a
			credential cache types, e.g. DIR, KEYRING or KCM, the
Packit Service 414a7a
			type must be specified explicitly together with a
Packit Service 414a7a
			suitable identifier.</para>
Packit Service 414a7a
			<para>Please note that since the
Packit Service 414a7a
			<parameter>ccache_name</parameter> is optional the
Packit Service 414a7a
			= (equals) sign is mandatory. If = is missing the
Packit Service 414a7a
			parameter is treated as an optionless extra argument. How
Packit Service 414a7a
			this is handled depends on the specific sub-command.
Packit Service 414a7a
			</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>-U, --login-user=<parameter>User</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Use the specified user account to
Packit Service f43384
			authenticate with the domain. If not specified, then
Packit Service 6d40f9
			the name 'Administrator' will be used.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--no-password</option></term>
Packit Service 6d40f9
			<listitem><para>Don't show prompts for or read a
Packit Service 6d40f9
			password from input.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>-W, --prompt-password</option></term>
Packit Service 6d40f9
			<listitem><para>Prompt for a password if necessary.
Packit Service 6d40f9
			This is the default.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--stdin-password</option></term>
Packit Service 6d40f9
			<listitem><para>Read a password from stdin input instead
Packit Service 6d40f9
			of prompting for a password.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>-v, --verbose</option></term>
Packit Service 6d40f9
			<listitem><para>Run in verbose mode with debug
Packit Service 6d40f9
			output.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
	</variablelist>
Packit Service 6d40f9
Packit Service 6d40f9
</refsect1>
Packit Service 6d40f9
Packit Service 6d40f9
<refsect1 id='querying'>
Packit Service 6d40f9
	<title>Querying Domain Information</title>
Packit Service 6d40f9
Packit Service 6d40f9
	<para><command>adcli info</command> displays discovered information
Packit Service 6d40f9
	about an Active Directory domain or an Active Directory domain
Packit Service 6d40f9
	controller.</para>
Packit Service 6d40f9
Packit Service 6d40f9
<programlisting>
Packit Service 6d40f9
$ adcli info domain.example.com
Packit Service 6d40f9
...
Packit Service 6d40f9
</programlisting>
Packit Service 6d40f9
Packit Service 6d40f9
<programlisting>
Packit Service 6d40f9
$ adcli info --domain-controller=dc.domain.example.com
Packit Service 6d40f9
...
Packit Service 6d40f9
</programlisting>
Packit Service 6d40f9
Packit Service 6d40f9
	<para><command>adcli info</command> will output as much information as
Packit Service 6d40f9
	it can about the domain. The information is designed to be both machine
Packit Service 6d40f9
	and human readable. The command will exit with a non-zero exit code
Packit Service f43384
	if the domain does not exist or cannot be reached.</para>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>To show domain info for a specific domain controller use the
Packit Service 6d40f9
	<option>--domain-controller</option> option to specify which domain
Packit Service 6d40f9
	controller to query.</para>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>Use the <option>--verbose</option> option to show details of how
Packit Service 6d40f9
	the domain is discovered and queried. Many of the global options, in
Packit Service 6d40f9
	particular authentication options, are not usable with the
Packit Service 6d40f9
	<command>adcli info</command> command.</para>
Packit Service 6d40f9
</refsect1>
Packit Service 6d40f9
Packit Service 6d40f9
<refsect1 id='joining'>
Packit Service 6d40f9
	<title>Joining the Local Machine to a Domain</title>
Packit Service 6d40f9
Packit Service 6d40f9
	<para><command>adcli join</command> creates a computer account in the
Packit Service 6d40f9
	domain for the local machine, and sets up a keytab for the machine.
Packit Service 6d40f9
	It does not configure an authentication service (such as
Packit Service 6d40f9
	<command>sssd</command>).</para>
Packit Service 6d40f9
Packit Service 6d40f9
<programlisting>
Packit Service 6d40f9
$ adcli join domain.example.com
Packit Service 6d40f9
Password for Administrator:
Packit Service 6d40f9
</programlisting>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>In addition to the global options, you can specify the following
Packit Service 6d40f9
	options to control how this operation is done.</para>
Packit Service 6d40f9
Packit Service 6d40f9
	<variablelist>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>-N, --computer-name=<parameter>computer</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>The short non-dotted name of the computer
Packit Service f43384
			account that will be created in the domain. If not specified,
Packit Service 6d40f9
			then the first portion of the <option>--host-fqdn</option>
Packit Service 6d40f9
			is used.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>-O, --domain-ou=<parameter>OU=xxx</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>The full distinguished name of the OU in
Packit Service f43384
			which to create the computer account. If not specified,
Packit Service 6d40f9
			then the computer account will be created in a default
Packit Service 6d40f9
			location.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>-H, --host-fqdn=<parameter>host</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Override the local machine's fully qualified
Packit Service f43384
			domain name. If not specified, the local machine's hostname
Packit Service c68da5
			will be retrieved via <function>gethostname()</function>.
Packit Service c68da5
			If <function>gethostname()</function> only returns a short name
Packit Service c68da5
			<function>getaddrinfo()</function> with the AI_CANONNAME hint
Packit Service c68da5
			is called to expand the name to a fully qualified domain
Packit Service c68da5
			name.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>-K, --host-keytab=<parameter>/path/to/keytab</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Specify the path to the host keytab where
Packit Service 6d40f9
			host credentials will be written after a successful join
Packit Service f43384
			operation. If not specified, the default location will be
Packit Service 6d40f9
			used, usually <filename>/etc/krb5.keytab</filename>.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--login-type=<parameter>{computer|user}</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Specify the type of authentication that
Packit Service 6d40f9
			will be performed before creating the machine account in
Packit Service f43384
			the domain. If set to 'computer', then the computer must
Packit Service 6d40f9
			already have a preset account in the domain. If not
Packit Service 6d40f9
			specified and none of the other <option>--login-xxx</option>
Packit Service 6d40f9
			arguments have been specified, then adcli will try both
Packit Service 6d40f9
			'computer' and 'user' authentication.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--os-name=<parameter>name</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the operating system name on the computer
Packit Service 6d40f9
			account. The default depends on where adcli was built, but
Packit Service 6d40f9
			is usually something like 'linux-gnu'.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--os-service-pack=<parameter>pack</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the operating system service pack on the computer
Packit Service 6d40f9
			account. Not set by default.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--os-version=<parameter>version</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the operating system version on the computer
Packit Service 6d40f9
			account. Not set by default.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 0a8a87
			<term><option>--description=<parameter>description</parameter></option></term>
Packit Service 0a8a87
			<listitem><para>Set the description attribute on the computer
Packit Service 0a8a87
			account. Not set by default.</para></listitem>
Packit Service 0a8a87
		</varlistentry>
Packit Service 0a8a87
		<varlistentry>
Packit Service 6d40f9
			<term><option>--service-name=<parameter>service</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Additional service name for a Kerberos
Packit Service 6d40f9
			principal to be created on the computer account. This
Packit Service 6d40f9
			option may be specified multiple times.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--user-principal=<parameter>host/name@REALM</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the userPrincipalName field of the
Packit Service 6d40f9
			computer account to this Kerberos principal. If you omit
Packit Service 6d40f9
			the value for this option, then a principal will be set
Packit Service 6d40f9
			in the form of host/host.example.com@REALM</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--one-time-password</option></term>
Packit Service 6d40f9
			<listitem><para>Specify a one time password for a preset
Packit Service 6d40f9
			computer account. This is equivalent to using
Packit Service 6d40f9
			<option>--login-type=computer</option> and providing a
Packit Service 6d40f9
			password as input.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 9b2c4a
			<term><option>--trusted-for-delegation=<parameter>yes|no|true|false</parameter></option></term>
Packit Service 9b2c4a
			<listitem><para>Set or unset the TRUSTED_FOR_DELEGATION
Packit Service 9b2c4a
			flag in the userAccountControl attribute to allow or
Packit Service 9b2c4a
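			disallow forwarding of Kerberos tickets to the
Packit Service 9b2c4a
			host. A host with this flag set can use the forwarded tickets to act as those users towards other services (unconstrained delegation), so set it only on hosts that need it.</para></listitem>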
Packit Service 9b2c4a
		</varlistentry>
Packit Service 9b2c4a
		<varlistentry>
Packit Service 69847a
			<term><option>--add-service-principal=<parameter>service/hostname</parameter></option></term>
Packit Service 69847a
			<listitem><para>Add a service principal name. In
Packit Service 69847a
			contrast to the <option>--service-name</option> the
Packit Service 69847a
			hostname part can be specified as well in case the
Packit Service 69847a
			service should be accessible with a different host
Packit Service 69847a
			name as well.</para></listitem>
Packit Service 69847a
		</varlistentry>
Packit Service 69847a
		<varlistentry>
Packit Service 6d40f9
			<term><option>--show-details</option></term>
Packit Service 6d40f9
			<listitem><para>After a successful join print out information
Packit Service 6d40f9
			about the join operation. This is output in a format that should
Packit Service 6d40f9
			be both human and machine readable.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--show-password</option></term>
Packit Service 6d40f9
			<listitem><para>After a successful join print out the computer
Packit Service 6d40f9
			machine account password. This is output in a format that should
Packit Service 6d40f9
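			be both human and machine readable. The printed password is the credential for the computer account, so keep this output out of logs and other places where it could be read by others.</para></listitem>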
Packit Service 6d40f9
		</varlistentry>
Packit Service 2e2783
		<varlistentry>
Packit Service 2e2783
			<term><option>--add-samba-data</option></term>
Packit Service 2e2783
			<listitem><para>After a successful join add the domain
Packit Service 2e2783
			SID and the machine account password to the Samba
Packit Service 2e2783
			specific databases by calling Samba's
Packit Service 2e2783
			<command>net</command> utility.</para>
Packit Service 2e2783
Packit Service 2e2783
			<para>Please note that Samba's <command>net</command>
Packit Service 2e2783
			requires some settings in <filename>smb.conf</filename>
Packit Service 2e2783
			to create the database entries correctly. Most
Packit Service 2e2783
			important here is currently the
Packit Service 2e2783
			<option>workgroup</option> option, see
Packit Service 2e2783
			<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
Packit Service 7bc3bf
			for details.</para></listitem>
Packit Service 2e2783
		</varlistentry>
Packit Service bff25d
		<varlistentry>
Packit Service bff25d
			<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
Packit Service bff25d
			<listitem><para>If Samba's <command>net</command>
Packit Service bff25d
			cannot be found at
Packit Service f43384
			<filename>&samba_data_tool;</filename>, this option can
Packit Service bff25d
			be used to specify an alternative location with the
Packit Service bff25d
			help of an absolute path.</para></listitem>
Packit Service bff25d
		</varlistentry>
Packit Service 6d40f9
	</variablelist>
Packit Service 6d40f9
Packit Service ae0400
	<para>If supported on the AD side the
Packit Service ae0400
	<option>msDS-supportedEncryptionTypes</option> attribute will be set as
Packit Service ae0400
	well. Either the current value or the default list of AD's supported
Packit Service ae0400
	encryption types filtered by the permitted encryption types of the
Packit Service ae0400
	client's Kerberos configuration is written.</para>
Packit Service 6d40f9
</refsect1>
Packit Service 6d40f9
Packit Service 6d40f9
<refsect1 id='updating'>
Packit Service 6d40f9
	<title>Updating the machine account password and other attributes</title>
Packit Service 6d40f9
Packit Service 6d40f9
	<para><command>adcli update</command> updates the password of the computer
Packit Service 6d40f9
	account on the domain controller for the local machine, writes the new
Packit Service 6d40f9
	keys to the keytab and removes older keys. It keeps the previous key on purpose
Packit Service 6d40f9
	because AD will need some time to replicate the new key to all DCs hence the
Packit Service 6d40f9
	previous key might still be used.
Packit Service 6d40f9
	</para>
Packit Service 6d40f9
Packit Service 6d40f9
<programlisting>
Packit Service 6d40f9
$ adcli update
Packit Service 6d40f9
</programlisting>
Packit Service 6d40f9
Packit Service f43384
	<para>If used with a credential cache, other attributes of the computer
Packit Service 6d40f9
	account can be changed as well if the principal has sufficient
Packit Service 6d40f9
	privileges.</para>
Packit Service 6d40f9
Packit Service 6d40f9
<programlisting>
Packit Service 6d40f9
$ kinit Administrator
Packit Service 6d40f9
$ adcli update --login-ccache=/tmp/krbcc_123
Packit Service 6d40f9
</programlisting>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>In addition to the global options, you can specify the following
Packit Service 6d40f9
	options to control how this operation is done.</para>
Packit Service 6d40f9
Packit Service 6d40f9
	<variablelist>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>-N, --computer-name=<parameter>computer</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>The short non-dotted name of the computer
Packit Service f43384
			account that will be created in the domain. If not specified,
Packit Service 6d40f9
			it will be retrieved from the keytab entries.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>-H, --host-fqdn=<parameter>host</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>The local machine's fully qualified
Packit Service f43384
			domain name. If not specified, the local machine's hostname
Packit Service 6d40f9
			will be retrieved from the keytab entries.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>-K, --host-keytab=<parameter>/path/to/keytab</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Specify the path to the host keytab where
Packit Service 6d40f9
			current host credentials are stored and the new ones
Packit Service f43384
			will be written to.  If not specified, the default
Packit Service 6d40f9
			location will be used, usually
Packit Service 6d40f9
			<filename>/etc/krb5.keytab</filename>.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--os-name=<parameter>name</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the operating system name on the computer
Packit Service 6d40f9
			account. Not set by default.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--os-service-pack=<parameter>pack</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the operating system service pack on the computer
Packit Service 6d40f9
			account. Not set by default.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--os-version=<parameter>version</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the operating system version on the computer
Packit Service 6d40f9
			account. Not set by default.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 0a8a87
			<term><option>--description=<parameter>description</parameter></option></term>
Packit Service 0a8a87
			<listitem><para>Set the description attribute on the computer
Packit Service 0a8a87
			account. Not set by default.</para></listitem>
Packit Service 0a8a87
		</varlistentry>
Packit Service 0a8a87
		<varlistentry>
Packit Service 6d40f9
			<term><option>--service-name=<parameter>service</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Additional service name for a Kerberos
Packit Service 6d40f9
			principal to be created on the computer account. This
Packit Service 6d40f9
			option may be specified multiple times.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--user-principal=<parameter>host/name@REALM</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the userPrincipalName field of the
Packit Service 6d40f9
			computer account to this Kerberos principal.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--computer-password-lifetime=<parameter>lifetime</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Only update the password of the
Packit Service 6d40f9
			computer account if it is older than the lifetime given
Packit Service 6d40f9
			in days. By default the password is updated if it is
Packit Service 6d40f9
			older than 30 days.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 9b2c4a
			<term><option>--trusted-for-delegation=<parameter>yes|no|true|false</parameter></option></term>
Packit Service 9b2c4a
			<listitem><para>Set or unset the TRUSTED_FOR_DELEGATION
Packit Service 9b2c4a
			flag in the userAccountControl attribute to allow or
Packit Service 9b2c4a
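			disallow forwarding of Kerberos tickets to the
Packit Service 9b2c4a
			host. A host with this flag set can use the forwarded tickets to act as those users towards other services (unconstrained delegation), so set it only on hosts that need it.</para></listitem>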
Packit Service 9b2c4a
		</varlistentry>
Packit Service 9b2c4a
		<varlistentry>
Packit Service 69847a
			<term><option>--add-service-principal=<parameter>service/hostname</parameter></option></term>
Packit Service 69847a
			<listitem><para>Add a service principal name. In
Packit Service 69847a
			contrast to the <option>--service-name</option> the
Packit Service 69847a
			hostname part can be specified as well in case the
Packit Service 69847a
			service should be accessible with a different host
Packit Service 69847a
			name as well.</para></listitem>
Packit Service 69847a
		</varlistentry>
Packit Service 69847a
		<varlistentry>
Packit Service 69847a
			<term><option>--remove-service-principal=<parameter>service/hostname</parameter></option></term>
Packit Service 69847a
			<listitem><para>Remove a service principal name from
Packit Service 69847a
			the keytab and the AD host object.</para></listitem>
Packit Service 69847a
		</varlistentry>
Packit Service 69847a
		<varlistentry>
Packit Service 6d40f9
			<term><option>--show-details</option></term>
Packit Service 6d40f9
			<listitem><para>After a successful join print out information
Packit Service 6d40f9
			about the join operation. This is output in a format that should
Packit Service 6d40f9
			be both human and machine readable.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 2e2783
		<varlistentry>
Packit Service 2e2783
			<term><option>--add-samba-data</option></term>
Packit Service 2e2783
			<listitem><para>After a successful join add the domain
Packit Service 2e2783
			SID and the machine account password to the Samba
Packit Service 2e2783
			specific databases by calling Samba's
Packit Service 2e2783
			<command>net</command> utility.</para>
Packit Service 2e2783
Packit Service 2e2783
			<para>Please note that Samba's <command>net</command>
Packit Service 2e2783
			requires some settings in <filename>smb.conf</filename>
Packit Service 2e2783
			to create the database entries correctly. Most
Packit Service 2e2783
			important here is currently the
Packit Service 2e2783
			<option>workgroup</option> option, see
Packit Service 2e2783
			<citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
Packit Service 7bc3bf
			for details.</para>
Packit Service 7bc3bf
			<para>Note that if the machine account password is not
Packit Service 7bc3bf
			older than 30 days, you have to pass
Packit Service 7bc3bf
			<option>--computer-password-lifetime=0</option> to
Packit Service 7bc3bf
			force the update.</para></listitem>
Packit Service 2e2783
		</varlistentry>
Packit Service bff25d
		<varlistentry>
Packit Service bff25d
			<term><option>--samba-data-tool=<parameter>/path/to/net</parameter></option></term>
Packit Service bff25d
			<listitem><para>If Samba's <command>net</command>
			cannot be found at
			<filename>&samba_data_tool;</filename>, this option can
			be used to specify an alternative location with the
			help of an absolute path. Because adcli executes this
			program, the path should point to a trusted binary that
			unprivileged users cannot modify.</para></listitem>
Packit Service bff25d
		</varlistentry>
Packit Service 6d40f9
	</variablelist>
Packit Service 6d40f9
Packit Service ae0400
	<para>If supported on the AD side the
Packit Service ae0400
	<option>msDS-supportedEncryptionTypes</option> attribute will be set as
Packit Service ae0400
	well. Either the current value or the default list of AD's supported
Packit Service ae0400
	encryption types filtered by the permitted encryption types of the
Packit Service ae0400
	client's Kerberos configuration is written.</para>
Packit Service 76a35c
</refsect1>
Packit Service ed710c
Packit Service ed710c
<refsect1 id='testjoin'>
Packit Service ed710c
	<title>Testing if the machine account password is valid</title>
Packit Service ed710c
Packit Service ed710c
	<para><command>adcli testjoin</command> uses the current credentials in
Packit Service ed710c
	the keytab and tries to authenticate with the machine account to the AD
Packit Service ed710c
	domain. If this works the machine account password and the join are
Packit Service ed710c
	still valid. If it fails the machine account password or the whole
Packit Service ed710c
	machine account have to be refreshed with
Packit Service ed710c
	<command>adcli join</command> or <command>adcli update</command>.
Packit Service ed710c
	</para>
Packit Service ed710c
Packit Service ed710c
<programlisting>
Packit Service ed710c
$ adcli testjoin
Packit Service ed710c
</programlisting>
Packit Service ed710c
Packit Service ed710c
	<para>Only the global options not related to authentication are
Packit Service ed710c
	available, additionally you can specify the following options to
Packit Service ed710c
	control how this operation is done.</para>
Packit Service ed710c
Packit Service ed710c
	<variablelist>
Packit Service ed710c
		<varlistentry>
Packit Service ed710c
			<term><option>-K, --host-keytab=<parameter>/path/to/keytab</parameter></option></term>
Packit Service ed710c
			<listitem><para>Specify the path to the host keytab where
Packit Service ed710c
			current host credentials are stored and the new ones
Packit Service ed710c
			will be written to.  If not specified, the default
Packit Service ed710c
			location will be used, usually
Packit Service ed710c
			<filename>/etc/krb5.keytab</filename>.</para></listitem>
Packit Service ed710c
		</varlistentry>
Packit Service ed710c
	</variablelist>
Packit Service ed710c
</refsect1>
Packit Service 6d40f9
Packit Service 6d40f9
<refsect1 id='create_user'>
Packit Service 6d40f9
	<title>Creating a User</title>
Packit Service 6d40f9
Packit Service 6d40f9
	<para><command>adcli create-user</command> creates a new user account
Packit Service 6d40f9
	in the domain.</para>
Packit Service 6d40f9
Packit Service 6d40f9
<programlisting>
Packit Service 6d40f9
$ adcli create-user Fry --domain=domain.example.com \
Packit Service 6d40f9
	--display-name="Philip J. Fry" --mail=fry@domain.example.com
Packit Service 6d40f9
</programlisting>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>In addition to the global options, you can specify the following
Packit Service 6d40f9
	options to control how the user is created.</para>
Packit Service 6d40f9
Packit Service 6d40f9
	<variablelist>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--display-name=<parameter>"Name"</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the displayName attribute
Packit Service 6d40f9
			of the newly created user account.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>-O, --domain-ou=<parameter>OU=xxx</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>The full distinguished name of the OU in
Packit Service f43384
			which to create the user account. If not specified,
Packit Service 6d40f9
			then the user account will be created in a default
Packit Service 6d40f9
			location.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--mail=<parameter>email@domain.com</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the mail attribute of
Packit Service 6d40f9
			the newly created user account. This attribute may be
Packit Service 6d40f9
			specified multiple times.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--unix-home=<parameter>/home/user</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the unixHomeDirectory attribute of
Packit Service 6d40f9
			the newly created user account, which should be an absolute
Packit Service 6d40f9
			path to the user's home directory.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--unix-gid=<parameter>111</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the gidNumber attribute of
Packit Service 6d40f9
			the newly created user account, which should be the user's
Packit Service 6d40f9
			numeric primary group id.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--unix-shell=<parameter>/bin/shell</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the loginShell attribute of
Packit Service 6d40f9
			the newly created user account, which should be a path to
Packit Service 6d40f9
			a valid shell.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--unix-uid=<parameter>111</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the uidNumber attribute of
Packit Service 6d40f9
			the newly created user account, which should be the user's
Packit Service 6d40f9
			numeric primary user id.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 371c62
		<varlistentry>
Packit Service 371c62
			<term><option>--nis-domain=<parameter>nis_domain</parameter></option></term>
Packit Service 371c62
			<listitem><para>Set the msSFU30NisDomain attribute of
			the newly created user account, which should be the user's
			NIS domain if the NIS/YP service of Active Directory's Services for Unix (SFU)
			is used. This is needed to let the 'UNIX attributes' tab of older Active
			Directory versions show the set UNIX specific attributes. If not specified
			adcli will try to determine the NIS domain automatically if needed.
			</para></listitem>
Packit Service 371c62
		</varlistentry>
Packit Service 6d40f9
	</variablelist>
Packit Service 6d40f9
Packit Service 6d40f9
</refsect1>
Packit Service 6d40f9
Packit Service 6d40f9
<refsect1 id='delete_user'>
Packit Service 6d40f9
	<title>Deleting a User</title>
Packit Service 6d40f9
Packit Service 6d40f9
	<para><command>adcli delete-user</command> deletes a user account from
Packit Service 6d40f9
	the domain.</para>
Packit Service 6d40f9
Packit Service 6d40f9
<programlisting>
Packit Service 6d40f9
$ adcli delete-user Fry --domain=domain.example.com
Packit Service 6d40f9
</programlisting>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>The various global options can be used.</para>
Packit Service 6d40f9
Packit Service 6d40f9
</refsect1>
Packit Service 6d40f9
Packit Service 6d40f9
Packit Service 6d40f9
<refsect1 id='create_group'>
Packit Service 6d40f9
	<title>Creating a Group</title>
Packit Service 6d40f9
Packit Service 6d40f9
	<para><command>adcli create-group</command> creates a new group in the
Packit Service 6d40f9
	domain.</para>
Packit Service 6d40f9
Packit Service 6d40f9
<programlisting>
Packit Service 6d40f9
$ adcli create-group Pilots --domain=domain.example.com \
Packit Service 6d40f9
	--description="Group for all pilots"
Packit Service 6d40f9
</programlisting>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>In addition to the global options, you can specify the following
Packit Service 6d40f9
	options to control how the group is created.</para>
Packit Service 6d40f9
Packit Service 6d40f9
	<variablelist>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--description=<parameter>"text"</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the description attribute
Packit Service 6d40f9
			of the newly created group.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>-O, --domain-ou=<parameter>OU=xxx</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>The full distinguished name of the OU in
Packit Service f43384
			which to create the group. If not specified,
Packit Service 6d40f9
			then the group will be created in a default
Packit Service 6d40f9
			location.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
	</variablelist>
Packit Service 6d40f9
Packit Service 6d40f9
</refsect1>
Packit Service 6d40f9
Packit Service 6d40f9
<refsect1 id='delete_group'>
Packit Service 6d40f9
	<title>Deleting a Group</title>
Packit Service 6d40f9
Packit Service 6d40f9
	<para><command>adcli delete-group</command> deletes a group from
Packit Service 6d40f9
	the domain.</para>
Packit Service 6d40f9
Packit Service 6d40f9
<programlisting>
Packit Service 6d40f9
$ adcli delete-group Pilots --domain=domain.example.com
Packit Service 6d40f9
</programlisting>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>The various global options can be used.</para>
Packit Service 6d40f9
Packit Service 6d40f9
</refsect1>
Packit Service 6d40f9
Packit Service 6d40f9
<refsect1 id='add_group_member'>
Packit Service 6d40f9
	<title>Adding a Member to a Group</title>
Packit Service 6d40f9
Packit Service 6d40f9
	<para><command>adcli add-member</command> adds one or more users to a
Packit Service 6d40f9
	group in the domain. The group is specified first, and then the various
Packit Service 6d40f9
	users to be added.</para>
Packit Service 6d40f9
Packit Service 6d40f9
<programlisting>
Packit Service 6d40f9
$ adcli add-member --domain=domain.example.com Pilots Leela Scruffy
Packit Service 6d40f9
</programlisting>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>The various global options can be used.</para>
Packit Service 6d40f9
Packit Service 6d40f9
	<para></para>
Packit Service 6d40f9
Packit Service 6d40f9
</refsect1>
Packit Service 6d40f9
Packit Service 6d40f9
<refsect1 id='remove_group_member'>
Packit Service 6d40f9
	<title>Removing a Member from a Group</title>
Packit Service 6d40f9
Packit Service 6d40f9
	<para><command>adcli remove-member</command> removes a user from a group
Packit Service 6d40f9
	in the domain. The group is specified first, and then the various users
Packit Service 6d40f9
	to be removed.</para>
Packit Service 6d40f9
Packit Service 6d40f9
<programlisting>
Packit Service 6d40f9
$ adcli remove-member --domain=domain.example.com Pilots Scruffy
Packit Service 6d40f9
</programlisting>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>The various global options can be used.</para>
Packit Service 6d40f9
Packit Service 6d40f9
</refsect1>
Packit Service 6d40f9
Packit Service 6d40f9
<refsect1 id='preset_computer_account'>
Packit Service 6d40f9
	<title>Preset Computer Accounts</title>
Packit Service 6d40f9
Packit Service 6d40f9
	<para><command>adcli preset-computer</command> pre-creates one or more
Packit Service 6d40f9
	computer accounts in the domain for machines to later use when joining
Packit Service 6d40f9
	the domain. By doing this machines can join using a one time password
Packit Service 6d40f9
	or automatically without a password.</para>
Packit Service 6d40f9
Packit Service 6d40f9
<programlisting>
Packit Service 6d40f9
$ adcli preset-computer --domain=domain.example.com \
Packit Service 6d40f9
	host1.example.com host2
Packit Service 6d40f9
Password for Administrator:
Packit Service 6d40f9
</programlisting>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>If the computer names specified contain dots, then they are
Packit Service 6d40f9
	treated as fully qualified host names, otherwise they are treated
Packit Service 6d40f9
	as short computer names. The computer accounts must not already
Packit Service 6d40f9
	exist.</para>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>In addition to the global options, you can specify the following
Packit Service 6d40f9
	options to control how this operation is done.</para>
Packit Service 6d40f9
Packit Service 6d40f9
	<variablelist>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>-O, --domain-ou=<parameter>OU=xxx</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>The full distinguished name of the OU in
Packit Service f43384
			which to create the computer accounts. If not specified,
Packit Service 6d40f9
			then the computer account will be created in a default
Packit Service 6d40f9
			location.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--one-time-password</option></term>
Packit Service 6d40f9
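			<listitem><para>Specify a one time password to use when
			presetting the computer accounts. If not specified, then
			a default password will be used, which allows for later
			automatic joins. The default password is not a secret,
			so until the intended machine has joined, anyone who
			knows the computer name may be able to join with that
			account; specify a one time password where this
			matters.</para></listitem>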
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--os-name=<parameter>name</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the operating system name on the computer
Packit Service 6d40f9
			account. The default depends on where adcli was built, but
Packit Service 6d40f9
			is usually something like 'linux-gnu'.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--os-service-pack=<parameter>pack</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the operating system service pack on the computer
Packit Service 6d40f9
			account. Not set by default.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--os-version=<parameter>version</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Set the operating system version on the computer
Packit Service 6d40f9
			account. Not set by default.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--service-name=<parameter>service</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Additional service name for a kerberos
Packit Service 6d40f9
			principal to be created on the computer account. This
Packit Service 6d40f9
			option may be specified multiple times.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--user-principal</option></term>
Packit Service 6d40f9
			<listitem><para>Set the userPrincipalName field of the
Packit Service 6d40f9
			computer account to this kerberos principal in the form
Packit Service 6d40f9
			of host/host.example.com@REALM</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
	</variablelist>
Packit Service 6d40f9
Packit Service 6d40f9
</refsect1>
Packit Service 6d40f9
Packit Service 6d40f9
<refsect1 id='reset_computer_account'>
Packit Service 6d40f9
	<title>Reset Computer Account</title>
Packit Service 6d40f9
Packit Service 6d40f9
	<para><command>adcli reset-computer</command> resets a computer account
Packit Service f43384
	in the domain. If the appropriate machine is currently joined to the
Packit Service 6d40f9
	domain, then its membership will be broken. The account must already
Packit Service 6d40f9
	exist.</para>
Packit Service 6d40f9
Packit Service 6d40f9
<programlisting>
Packit Service 6d40f9
$ adcli reset-computer --domain=domain.example.com host2
Packit Service 6d40f9
</programlisting>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>If the computer names specified contain dots, then they are
Packit Service 6d40f9
	treated as fully qualified host names, otherwise they are treated
Packit Service 6d40f9
	as short computer names.</para>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>In addition to the global options, you can specify the following
Packit Service 6d40f9
	options to control how this operation is done.</para>
Packit Service 6d40f9
Packit Service 6d40f9
	<variablelist>
Packit Service 6d40f9
		<varlistentry>
Packit Service 6d40f9
			<term><option>--login-type=<parameter>{computer|user}</parameter></option></term>
Packit Service 6d40f9
			<listitem><para>Specify the type of authentication that
Packit Service 6d40f9
			will be performed before creating the machine account in
Packit Service f43384
			the domain. If set to 'computer', then the computer must
Packit Service 6d40f9
			already have a preset account in the domain. If not
Packit Service 6d40f9
			specified and none of the other <option>--login-xxx</option>
Packit Service 6d40f9
			arguments have been specified, then adcli will try both
Packit Service 6d40f9
			'computer' and 'user' authentication.</para></listitem>
Packit Service 6d40f9
		</varlistentry>
Packit Service 6d40f9
	</variablelist>
Packit Service 6d40f9
Packit Service 6d40f9
</refsect1>
Packit Service 6d40f9
Packit Service 6d40f9
<refsect1 id='delete_computer_account'>
Packit Service 6d40f9
	<title>Delete Computer Account</title>
Packit Service 6d40f9
Packit Service 6d40f9
	<para><command>adcli delete-computer</command> deletes a computer account
Packit Service 6d40f9
	in the domain. The account must already exist.</para>
Packit Service 6d40f9
Packit Service 6d40f9
<programlisting>
Packit Service 6d40f9
$ adcli delete-computer --domain=domain.example.com host2
Packit Service 6d40f9
Password for Administrator:
Packit Service 6d40f9
</programlisting>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>If the computer name contains a dot, then it is
	treated as a fully qualified host name, otherwise it is treated
	as a short computer name.</para>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>If no computer name is specified, then the host name of the
Packit Service 6d40f9
	computer adcli is running on is used, as returned by
Packit Service 6d40f9
	<literal>gethostname()</literal>.</para>
Packit Service 6d40f9
Packit Service 6d40f9
	<para>The various global options can be used.</para>
Packit Service 147c59
Packit Service 147c59
</refsect1>
Packit Service 147c59
Packit Service 147c59
<refsect1 id='show_computer_account'>
Packit Service 147c59
	<title>Show Computer Account Attributes</title>
Packit Service 147c59
Packit Service 147c59
	<para><command>adcli show-computer</command> shows the computer account
Packit Service 147c59
	attributes stored in AD. The account must already exist.</para>
Packit Service 147c59
Packit Service 147c59
<programlisting>
Packit Service 147c59
$ adcli show-computer --domain=domain.example.com host2
Packit Service 147c59
Password for Administrator:
Packit Service 147c59
</programlisting>
Packit Service 147c59
Packit Service 147c59
	<para>If the computer name contains a dot, then it is
	treated as a fully qualified host name, otherwise it is treated
	as a short computer name.</para>
Packit Service 147c59
Packit Service 147c59
	<para>If no computer name is specified, then the host name of the
Packit Service 147c59
	computer adcli is running on is used, as returned by
Packit Service 147c59
	<literal>gethostname()</literal>.</para>
Packit Service 147c59
Packit Service 147c59
	<para>The various global options can be used.</para>
Packit Service 362609
Packit Service 362609
</refsect1>
Packit Service 362609
Packit Service 8bf96a
<refsect1 id='managed_service_account'>
Packit Service 8bf96a
	<title>Create a managed service account</title>
Packit Service 8bf96a
Packit Service 8bf96a
	<para><command>adcli create-msa</command> creates a managed service
Packit Service 8bf96a
	account (MSA) in the given Active Directory domain. This is useful if a
Packit Service 8bf96a
	computer should not fully join the Active Directory domain but LDAP
Packit Service 8bf96a
	access is needed. A typical use case is that the computer is already
Packit Service 8bf96a
	joined to an Active Directory domain and needs access to another Active
Packit Service 8bf96a
	Directory domain in the same or a trusted forest where the host
Packit Service 8bf96a
	credentials from the joined Active Directory domain are
Packit Service 8bf96a
	not valid, e.g. there is only a one-way trust.</para>
Packit Service 8bf96a
Packit Service 8bf96a
<programlisting>
Packit Service 8bf96a
$ adcli create-msa --domain=domain.example.com
Packit Service 8bf96a
Password for Administrator:
Packit Service 8bf96a
</programlisting>
Packit Service 8bf96a
Packit Service 8bf96a
	<para>The managed service account, as maintained by adcli, cannot have
Packit Service 8bf96a
	additional service principal names (SPNs) associated with it. An SPN
Packit Service 8bf96a
	is defined within the context of a Kerberos service which is tied to a
Packit Service 8bf96a
	machine account in Active Directory. Since a machine can be joined to a
Packit Service 8bf96a
	single Active Directory domain, a managed service account in a different
Packit Service 8bf96a
	Active Directory domain will not have the SPNs that otherwise are part
Packit Service 8bf96a
	of another Active Directory domain's machine.</para>
Packit Service 8bf96a
Packit Service 8bf96a
	<para>Since it is expected that a client will most probably join to the
Packit Service 8bf96a
	Active Directory domain matching its DNS domain the managed service
Packit Service 8bf96a
	account will be needed for a different Active Directory domain and as a
Packit Service 8bf96a
	result the Active Directory domain name is a mandatory option. If
Packit Service 8bf96a
	called with no other options <command>adcli create-msa</command>
Packit Service 8bf96a
	will use the short hostname with an additional random suffix as
Packit Service 8bf96a
	computer name to avoid name collisions.</para>
Packit Service 8bf96a
Packit Service 8bf96a
	<para>LDAP attribute sAMAccountName has a limit of 20 characters.
Packit Service 8bf96a
	However, machine account's NetBIOS name must be at most 16 characters
Packit Service 8bf96a
	long, including a trailing '$' sign. Since it is not expected that the
Packit Service 8bf96a
	managed service accounts created by adcli will be used on the NetBIOS
Packit Service 8bf96a
	level the remaining 4 characters can be used to add uniqueness. Managed
Packit Service 8bf96a
	service account names will have a suffix of 3 random characters from
Packit Service 8bf96a
	number and upper- and lowercase ASCII ranges appended to the chosen
Packit Service 8bf96a
	short host name, using '!' as a separator. For a host with the
Packit Service 8bf96a
	shortname 'myhost', a managed service account will have a common name
Packit Service 8bf96a
	(CN attribute) 'myhost!A2c' and a NetBIOS name
Packit Service 8bf96a
	(sAMAccountName attribute) will be 'myhost!A2c$'. A corresponding
Packit Service 8bf96a
	Kerberos principal in the Active Directory domain where the managed
Packit Service 8bf96a
	service account was created would be
Packit Service 8bf96a
	'myhost!A2c$@DOMAIN.EXAMPLE.COM'.</para>
Packit Service 8bf96a
Packit Service 8bf96a
	<para>A keytab for the managed service account is stored into a file
Packit Service 8bf96a
	specified with -K option. If it is not specified, the file is named
Packit Service 8bf96a
	after the default keytab file, with lowercase Active Directory domain
Packit Service 8bf96a
	of the managed service account as a suffix. On most systems it would be
Packit Service 8bf96a
	<filename>/etc/krb5.keytab</filename> with a suffix of
Packit Service 8bf96a
	'domain.example.com', e.g.
Packit Service db56f7
	<filename>/etc/krb5.keytab.domain.example.com</filename>.</para>
Packit Service 8bf96a
Packit Service 8bf96a
	<para><command>adcli create-msa</command> can be called multiple
Packit Service 8bf96a
	times to reset the password of the managed service account. To identify
Packit Service 8bf96a
	the right account with the random component in the name the
Packit Service 8bf96a
	corresponding principal is read from the keytab. If the keytab got
Packit Service 8bf96a
	deleted <command>adcli</command> will try to identify an existing
Packit Service 8bf96a
	managed service account with the help of the fully-qualified name, if
Packit Service 8bf96a
	this fails a new managed service account will be created.</para>
Packit Service 8bf96a
Packit Service 8bf96a
	<para>The managed service account password can be updated with
Packit Service 8bf96a
<programlisting>
Packit Service db56f7
$ adcli update --domain=domain.example.com --host-keytab=/etc/krb5.keytab.domain.example.com
Packit Service 8bf96a
</programlisting>
Packit Service 8bf96a
	and the managed service account can be deleted with
Packit Service 8bf96a
<programlisting>
Packit Service 8bf96a
$ adcli delete-computer --domain=domain.example.com 'myhost!A2c'
Packit Service 8bf96a
</programlisting>
Packit Service 8bf96a
	</para>
Packit Service 8bf96a
Packit Service 8bf96a
	<para>In addition to the global options, you can specify the following
Packit Service 8bf96a
	options to control how this operation is done.</para>
Packit Service 8bf96a
Packit Service 8bf96a
	<variablelist>
Packit Service 8bf96a
		<varlistentry>
Packit Service 8bf96a
			<term><option>-N, --computer-name=<parameter>computer</parameter></option></term>
Packit Service 8bf96a
			<listitem><para>The short non-dotted name of the managed
Packit Service 8bf96a
			service account that will be created in the Active
Packit Service 8bf96a
			Directory domain. The long option name
Packit Service 8bf96a
			<option>--computer-name</option> is
Packit Service 8bf96a
			kept to underline the similarity with the same option
Packit Service 8bf96a
			of the other sub-commands. If not specified,
Packit Service 8bf96a
			then the first portion of the <option>--host-fqdn</option>
Packit Service 8bf96a
			or its default is used with a random suffix.</para></listitem>
Packit Service 8bf96a
		</varlistentry>
Packit Service 8bf96a
		<varlistentry>
Packit Service 8bf96a
			<term><option>-O, --domain-ou=<parameter>OU=xxx</parameter></option></term>
Packit Service 8bf96a
			<listitem><para>The full distinguished name of the OU in
Packit Service 8bf96a
			which to create the managed service account. If not
Packit Service 8bf96a
			specified, then the managed service account will be
Packit Service 8bf96a
			created in a default location.</para></listitem>
Packit Service 8bf96a
		</varlistentry>
Packit Service 8bf96a
		<varlistentry>
Packit Service 8bf96a
			<term><option>-H, --host-fqdn=<parameter>host</parameter></option></term>
Packit Service 8bf96a
			<listitem><para>Override the local machine's fully
Packit Service 8bf96a
			qualified DNS domain name. If not specified, the local
Packit Service 8bf96a
			machine's hostname will be retrieved via
Packit Service 8bf96a
			<function>gethostname()</function>.
Packit Service 8bf96a
			If <function>gethostname()</function> only returns a short name
Packit Service 8bf96a
			<function>getaddrinfo()</function> with the AI_CANONNAME hint
Packit Service 8bf96a
			is called to expand the name to a fully qualified DNS
Packit Service 8bf96a
			domain name.</para></listitem>
Packit Service 8bf96a
		</varlistentry>
Packit Service 8bf96a
		<varlistentry>
Packit Service 8bf96a
			<term><option>-K, --host-keytab=<parameter>/path/to/keytab</parameter></option></term>
Packit Service 8bf96a
			<listitem><para>Specify the path to the host keytab where
Packit Service 8bf96a
			credentials of the managed service account will be
Packit Service 8bf96a
			written after a successful creation. If not specified,
Packit Service 8bf96a
			the default location will be used, usually
Packit Service 8bf96a
			<filename>/etc/krb5.keytab</filename> with
Packit Service 8bf96a
			the lower-cased Active Directory domain name added as a
Packit Service 8bf96a
			suffix e.g.
Packit Service 8bf96a
			<filename>/etc/krb5.keytab.domain.example.com</filename>.
Packit Service 8bf96a
			</para></listitem>
Packit Service 8bf96a
		</varlistentry>
Packit Service 8bf96a
		<varlistentry>
Packit Service 8bf96a
			<term><option>--show-details</option></term>
Packit Service 8bf96a
			<listitem><para>After a successful creation print out
Packit Service 8bf96a
			information about the created object. This is output in
Packit Service 8bf96a
			a format that should be both human and machine
Packit Service 8bf96a
			readable.</para></listitem>
Packit Service 8bf96a
		</varlistentry>
Packit Service 8bf96a
		<varlistentry>
Packit Service 8bf96a
			<term><option>--show-password</option></term>
Packit Service 8bf96a
			<listitem><para>After a successful creation print out
			the managed service account password. This is output in
			a format that should be both human and machine
			readable. The password is printed in clear text, so
			keep the output out of logs and terminal captures that
			others can read.</para></listitem>
Packit Service 8bf96a
		</varlistentry>
Packit Service 8bf96a
	</variablelist>
Packit Service 8bf96a
</refsect1>
Packit Service 8bf96a
Packit Service 8bc578
<refsect1 id='delegation'>
Packit Service 8bc578
	<title>Delegated Permissions</title>
Packit Service 8bc578
	<para>It is common practice in AD to not use an account from the Domain
Packit Service 8bc578
	Administrators group to join a machine to a domain but use a dedicated
Packit Service 8bc578
	account which only has permissions to join a machine to one or more OUs
Packit Service 8bc578
	in the Active Directory tree. Giving the needed permissions to a single
Packit Service 8bc578
	account or a group in Active Directory is called Delegation. A typical
Packit Service 8bc578
	example on how to configure Delegation can be found in the Delegation
Packit Service 8bc578
	section of the blog post
Packit Service 8bc578
	<ulink url="https://docs.microsoft.com/en-us/archive/blogs/dubaisec/who-can-add-workstation-to-the-domain">Who can add workstation to the domain</ulink>.
Packit Service 8bc578
	</para>
Packit Service 8bc578
Packit Service 8bc578
	<para>When using an account with delegated permissions with adcli
Packit Service 8bc578
	basically the same applies as well. However some aspects are explained
	here in a bit more detail to better illustrate different concepts of
	Active Directory and to make it easier to debug permission issues
	during the join. Please note that the following is not specific to
	adcli but applies to all applications which would like to modify
	certain properties or objects in Active Directory with an account with
	limited permissions.</para>
	<para>First, as said in the blog post it is sufficient to have
	<literal>"Create computer object"</literal> permissions to join a
	computer to a domain. But this would only work as expected if the
	computer object does not exist in Active Directory before the join.
	Because only when a new object is created Active Directory does not
	apply additional permission checks on the attributes of the new
	computer object. This means the delegated user can add any kind of
	attribute with any value to a new computer object as long as they
	meet general constraints like e.g. that the attribute must be defined
	in the schema and is allowed in an objectclass of the object, the value
	must match the syntax defined in the schema or that the
	<option>sAMAccountName</option> must be unique in the domain.</para>
	<para>If you want to use the account with delegated permission to
	remove computer objects in Active Directory (adcli delete-computer) you
	should of course make sure that the account has
	<literal>"Delete computer object"</literal> permissions.</para>
	<para>If the computer object already exists the
	<literal>"Create computer object"</literal> permission does not apply
	anymore since now an existing object must be modified. Now permissions
	on the individual attributes are needed, e.g.
	<literal>"Read and write Account Restrictions"</literal> or
	<literal>"Reset Password"</literal>. For some attributes Active
	Directory has two types of permissions: the plain
	<literal>"Read and Write"</literal> permissions and the
	<literal>"Validated Write"</literal> permissions. For the latter case
	there are two specific permissions relevant for adcli, namely
		<itemizedlist>
			<listitem><para>Validated write to DNS host name</para></listitem>
			<listitem><para>Validated write to service principal name</para></listitem>
		</itemizedlist>
	Details about the validation of the values can be found in the
	<literal>"Validated Writes"</literal> section of
	<literal>[MS-ADTS]</literal>, especially
	<ulink url="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/5c578b15-d619-408d-ba17-380714b89fd1">dNSHostName</ulink>
	and
	<ulink url="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/28ca4eca-0e0b-4666-9175-a37ccb8edada">servicePrincipalName</ulink>.
	To cut it short for <literal>"Validated write to DNS host name"</literal>
	the domain part of the fully-qualified hostname must either match the
	domain name of the domain you want to join to or must be listed in the
	<option>msDS-AllowedDNSSuffixes</option> attribute. And for
	<literal>"Validated write to service principal name"</literal> the
	hostname part of the service principal name must match the name stored
	in <option>dNSHostName</option> or some other attributes which are
	not handled by adcli. This also means that
	<option>dNSHostName</option> cannot be empty or only contain a short
	name if the service principal name should contain a fully-qualified
	name.</para>
	<para>To summarize, if you only have validated write permissions you
	should make sure the domain part of the hostname matches the domain you
	want to join or use the <option>--host-fqdn</option> with a matching
	name.</para>
	<para>The plain read write permissions do not run additional
	validations but the attribute values must still be in agreement with
	the general constraints mentioned above. If the computer object already
	exists adcli might need the following permissions which are also needed
	by Windows clients to modify existing attributes:
		<itemizedlist>
			<listitem><para>Reset Password</para></listitem>
			<listitem><para>Read and write Account Restrictions</para></listitem>
			<listitem><para>Read and (validated) write to DNS host name</para></listitem>
			<listitem><para>Read and (validated) write to service principal name</para></listitem>
		</itemizedlist>
	Additionally adcli needs
		<itemizedlist>
			<listitem><para>Read and write msDS-supportedEncryptionTypes</para></listitem>
		</itemizedlist>
	This is added for security reasons to avoid that Active Directory
	stores Kerberos keys with (potentially weaker) encryption types than
	the client supports since Active Directory is often configured to still
	support older (weaker) encryption types for compatibility reasons.
	</para>
	<para>All other attributes are only set or modified on demand, i.e.
	adcli must be called with an option that would set or modify the given
	attribute. In the following the attributes adcli can modify together
	with the required permissions are listed:
	<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="permissions.xml" />
	</para>
	<para>For the management of users and groups (adcli create-user,
	adcli delete-user, adcli create-group, adcli delete-group) the same
	applies only for different types of objects, i.e. users and groups.
	Since currently adcli only supports the creation and the removal of
	user and group objects it is sufficient to have the
	<literal>"Create/Delete User objects"</literal> and
	<literal>"Create/Delete Group objects"</literal> permissions.</para>
	<para>If you want to manage group members as well (adcli add-member,
	adcli remove-member) <literal>"Read/Write Members"</literal> permissions
	are needed as well.</para>
	<para>Depending on the version of Active Directory the
	<literal>"Delegation of Control Wizard"</literal> might offer some
	shortcuts for common tasks, e.g.
		<itemizedlist>
			<listitem><para>Create, delete and manage user accounts</para></listitem>
			<listitem><para>Create, delete and manage groups</para></listitem>
			<listitem><para>Modify the membership of a group</para></listitem>
		</itemizedlist>
	The first 2 shortcuts will provide full access to user and group
	objects which, as explained above, is more than is currently needed.
	After using those shortcuts it is a good idea to verify in the
	<literal>"Security"</literal> tab in the <literal>"Properties"</literal>
	of the related Active Directory container that the assigned permissions
	meet the expectations.</para>
</refsect1>
<refsect1 id='bugs'>
	<title>Bugs</title>
	<para>
		Please send bug reports to either the distribution bug tracker
		or the upstream bug tracker at
		<ulink url="https://bugs.freedesktop.org/enter_bug.cgi?product=realmd&amp;component=adcli">https://bugs.freedesktop.org/enter_bug.cgi?product=realmd&amp;component=adcli</ulink>
	</para>
</refsect1>
<refsect1 id='see_also'>
	<title>See also</title>
	<simplelist type="inline">
		<member><citerefentry><refentrytitle>realmd</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
		<member><citerefentry><refentrytitle>net</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
		<member><citerefentry><refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
	</simplelist>
	<para>
		Further details available in the realmd online documentation at
		<ulink url="http://www.freedesktop.org/software/realmd/">http://www.freedesktop.org/software/realmd/</ulink>
	</para>
</refsect1>
</refentry>