adcli
SYNOPSIS
adcli [GLOBAL_OPTIONS] COMMAND [COMMAND_OPTIONS]
Common usage for joining a domain:
adcli join [OPTIONS] DOMAIN_NAME
PARAMETERS
join
The primary command to join a Linux system to an Active Directory domain.
--domain=
Specifies the Active Directory domain to join. Can often be inferred if not provided.
--login-user=
The Active Directory user with sufficient permissions to create computer objects (e.g., Administrator).
--login-password=
The password for --login-user. Prefer letting adcli prompt for it interactively: a password passed on the command line can be exposed through the shell history and the process list.
--computer-ou=
Specifies the organizational unit (OU) where the computer account should be created (e.g., OU=Servers,DC=example,DC=com).
--host-name=
Specifies the hostname that will be used for the computer object in Active Directory. Defaults to the system's hostname.
--krb5-config=
Specifies a custom path to the Kerberos configuration file (krb5.conf).
--kerberos-keytab=
Specifies a custom path for the Kerberos keytab file to store service principal names (SPNs).
--force
Forces joining the domain even if a computer account with the same name already exists in Active Directory.
--only-machine-account
Only creates the machine account in Active Directory and generates the keytab, skipping other local system configurations.
--verbose
Enables verbose output, showing more details about the operations being performed.
--debug
Enables extensive debug logging with detailed output that is useful for troubleshooting.
--server=
Specifies a particular domain controller to connect to for the join operation.
--enabling-dns
Enables dynamic DNS updates so the host registers its own DNS record in the domain.
--os-name=
Sets the OperatingSystem attribute on the computer object in Active Directory.
--os-version=
Sets the OperatingSystemVersion attribute on the computer object.
DESCRIPTION
adcli is a command-line utility for managing Active Directory domain membership for Linux systems. It provides a robust and modern way to integrate Linux clients into an Active Directory environment, often working in conjunction with SSSD (System Security Services Daemon) for authentication and identity management. adcli can perform various tasks, including joining a machine to a domain, updating machine account information, creating DNS records, and configuring Kerberos. Unlike some older tools, adcli focuses on direct communication with Active Directory servers using standard protocols, making it a preferred choice for reliable and secure integration in enterprise settings. Its primary use case is to establish a trust relationship, create a computer object in AD, and configure the local system for Kerberos authentication, enabling users to log in with their AD credentials.
CAVEATS
DNS Resolution: Proper DNS configuration is critical. The Linux host must be able to resolve Active Directory domain controllers and SRV records for the domain.
Time Synchronization: The client machine's time must be closely synchronized with the Active Directory domain controllers (ideally via NTP) to prevent Kerberos authentication issues.
Network Connectivity: Firewall rules must allow communication to AD ports (e.g., 389 LDAP, 88 Kerberos, 445 SMB, 53 DNS).
Permissions: The --login-user must have sufficient permissions to create computer objects within the specified OU in Active Directory. If no OU is specified, permissions are needed in the default 'Computers' container.
Existing Machine Accounts: If a machine account with the same name already exists in AD, adcli might fail or require the --force option, which could lead to conflicts if not handled carefully.
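As an added pre-flight script for the DNS, time and connectivity caveats listed above (constructed example, not part of adcli or its documentation), assuming a POSIX shell with the host, nc and ntpdate tools installed, and taking the domain and a domain-controller name as its two arguments:

```shell
#!/bin/sh
# Pre-flight checks for the DNS, time and connectivity caveats above.
# Constructed example: domain, DC name and the tools used (host, nc,
# ntpdate) are assumptions of this script, not part of adcli itself.

MAX_SKEW=300   # Kerberos default clock-skew tolerance, in seconds

# SRV records that locate the domain controllers and the KDC of a domain.
srv_names() {
    printf '_ldap._tcp.dc._msdcs.%s\n_kerberos._tcp.%s\n' "$1" "$1"
}
# TCP ports from the CAVEATS section: LDAP, Kerberos, SMB, DNS.
ad_ports() { echo "389 88 445 53"; }

# True when an integer clock offset (seconds, either sign) is tolerable.
skew_ok() {
    off=${1#-}                          # drop a leading minus sign
    [ "$off" -le "$MAX_SKEW" ]
}

# Fail if any required SRV record does not resolve.
check_dns() {
    rc=0
    for name in $(srv_names "$1"); do
        host -t SRV "$name" >/dev/null 2>&1 || { echo "no SRV record: $name"; rc=1; }
    done
    return $rc
}

# Fail if any AD port on the domain controller is closed or filtered.
check_ports() {
    rc=0
    for p in $(ad_ports); do
        nc -z -w 3 "$1" "$p" 2>/dev/null || { echo "port $p/tcp unreachable on $1"; rc=1; }
    done
    return $rc
}

# Fail if the clock offset against the domain controller exceeds MAX_SKEW.
check_time() {
    off=$(ntpdate -q "$1" 2>/dev/null |
          awk '{for (i = 1; i < NF; i++) if ($i == "offset") o = $(i + 1)}
               END {if (o != "") printf "%d", o}')
    [ -n "$off" ] || { echo "could not query time from $1"; return 1; }
    skew_ok "$off" || { echo "clock offset ${off}s exceeds ${MAX_SKEW}s"; return 1; }
}

# Usage: sh prejoin.sh example.com dc1.example.com
if [ $# -eq 2 ]; then
    check_dns "$1" && check_ports "$2" && check_time "$2" && echo "ready for: adcli join $1"
fi
```

The helpers srv_names and skew_ok work without network access; the check_* functions need the domain controller reachable.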
INTEGRATION WITH REALM
While adcli can be used directly, it is often called by the realm command (e.g., realm join), which provides a higher-level, more automated workflow that configures system services such as SSSD and Kerberos after the join. Using realm is generally recommended for a complete setup.
MACHINE ACCOUNT MANAGEMENT
Beyond joining, adcli can also be used to update existing machine accounts in Active Directory, for example, to modify attributes or renew the machine password. The adcli update subcommand is used for this purpose, allowing maintenance of the AD computer object from the Linux client.
HISTORY
adcli emerged as a modern, standalone command-line tool primarily developed for Red Hat Enterprise Linux and its derivatives to facilitate Active Directory integration. It was designed to provide a more direct and streamlined approach compared to older Samba-based net ads join utilities, especially for systems using systemd and sssd. Its development aimed at improving reliability, security, and ease of integration with contemporary Linux identity management frameworks. It became a core component for tools like realm to handle the underlying AD joining process, solidifying its role in enterprise Linux environments.