LinuxCommandLibrary

adcli

SYNOPSIS

adcli [global-options] <command> [<arguments>]

PARAMETERS

--domain=DOMAIN
    AD domain name (e.g., example.com); defaults to the host's DNS domain

--domain-realm=REALM
    Kerberos realm; defaults to the domain name in upper case

--domain-controller=SERVER
    Talk to this domain controller instead of discovering one via DNS SRV records

--domain-ou=OU
    Distinguished name of the OU in which the computer object is created (join, preset-computer); default is the domain's Computers container

--host-fqdn=FQDN
    Fully qualified host name, used to derive the computer name and service principals

--computer-name=NAME
    sAMAccountName of the computer object (without the trailing $)

--host-keytab=PATH
    Keytab written on join and used by update/testjoin (default /etc/krb5.keytab)

--login-user=USER
    AD user performing the operation; the password is prompted for or read from stdin, never taken from the command line

--login-ccache[=FILE]
    Authenticate with an existing Kerberos credential cache (e.g., after kinit) instead of a password

--login-type=user|computer
    Authenticate as a user, or as the computer with a preset account/one-time password

--stdin-password
    Read the password from standard input (for scripts)

--prompt-password
    Prompt for a password if one is needed

--no-password
    Never prompt; fail if no usable credentials are available

--one-time-password=OTP
    Join with a one-time password set on a preset computer account instead of user credentials

--user-principal[=UPN]
    Set the userPrincipalName of the computer object; without a value one is generated

--service-name=NAME
    Additional service principal type (e.g., host, nfs) for the keytab; may be repeated

--os-name=NAME
    Set the operatingSystem attribute (e.g., Linux)

--os-version=VERSION
    Set the operatingSystemVersion attribute

--os-service-pack=SP
    Set the operatingSystemServicePack attribute

--trusted-for-delegation=yes|no
    Set TRUSTED_FOR_DELEGATION in userAccountControl (unconstrained delegation); leave unset unless the host must impersonate users

--dont-expire-password=yes|no
    Set DONT_EXPIRE_PASSWORD on the computer account

--computer-password-lifetime=DAYS
    (update) Only rotate the computer password if it is older than DAYS (default 30)

--use-ldaps
    Use LDAPS (TCP 636) instead of LDAP with GSSAPI on TCP 389

--show-details
    Print the resulting computer account details after a successful join

--show-password
    Print the computer account password that was set (sensitive; keep out of logs)

--verbose
    Show details of what is being done

DESCRIPTION

adcli is a command-line tool for performing actions on an Active Directory (AD) domain from a Linux host. It can join the machine to a domain (creating the computer account and writing the host keytab), renew the computer account password, test an existing join, discover and display domain information, pre-create, reset, inspect and delete computer accounts, and create or delete users and groups and manage their membership. It is built on libadcli and speaks only LDAP (authenticated with Kerberos/GSSAPI) and Kerberos; it does not need Samba, SMB or DCE/RPC.

The main use case is automating domain joins, typically with SSSD providing authentication afterwards and realmd calling adcli behind the scenes. A join can authenticate with a user password (prompted for or read from stdin), an existing Kerberos credential cache, or a one-time password set on a preset computer account; the object's OU, name, service principals and operatingSystem* attributes can all be set at join time. Domain controllers are discovered through DNS SRV records and a CLDAP ping unless --domain-controller is given. adcli does not run a preflight check: blocked ports, clock skew or DNS problems show up as Kerberos or LDAP errors.

Because it is non-interactive by design, adcli suits scripted and DevOps workflows (join, update, testjoin). Passwords are never accepted on the command line, and after the join it is the host keytab, not a user credential, that update and testjoin authenticate with. It is packaged in RHEL, Fedora, Debian/Ubuntu and SUSE and is the join backend used by realmd.

Limitations: client-side only (it cannot administer a domain controller); writing /etc/krb5.keytab requires root locally; creating, resetting or deleting accounts requires an AD account with rights on the target OU.

CAVEATS

Never put a password in the command line: adcli has no option for it, and argv is visible to every local user via ps and /proc. Use the prompt, --stdin-password or --login-ccache instead. Join with a delegated account that only has rights on the target OU, not a domain admin. The host keytab is the machine's long-term credential: keep it root-only (mode 600) and let adcli update rotate the computer password. Leave --trusted-for-delegation and --show-password unset unless required. Network paths needed: DNS, TCP/UDP 88 (Kerberos), TCP/UDP 389 (LDAP and CLDAP discovery), 464 (kpasswd, used to set the computer password) and TCP 636 when --use-ldaps is given; TCP 445 is not needed because adcli does not use SMB. Clock skew beyond the Kerberos tolerance (5 minutes by default) makes authentication fail. The AD SRV records (e.g., _ldap._tcp.dc._msdcs.DOMAIN) must resolve from the host. Check with adcli info and testjoin --verbose before automating.

COMMON SUBCOMMANDS

info - Discover and display domain details (domain controllers, site, forest, flags); needs no credentials
join - Create or take over the computer account and write the host keytab
update - Rotate the computer account password and refresh the keytab and attributes, authenticating with the existing keytab
testjoin - Verify that the host keytab still authenticates to the domain; the exit status is the result
preset-computer - Pre-create computer accounts, optionally with a one-time password, so hosts can join without user credentials
reset-computer - Reset a computer account's password
delete-computer - Delete a computer account (adcli has no leave subcommand; use this, or realm leave, to remove the account from the domain)
show-computer - Display the attributes of a computer account
create-user / delete-user - Create or delete a user account
create-group / delete-group - Create or delete a group
add-member / remove-member - Add or remove users in a group

BASIC EXAMPLE

adcli info --domain=example.com
# join prompts for the password; it is never part of the command line
adcli join --domain=example.com --login-user=admin --show-details
adcli testjoin --domain=example.com --verbose
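The script below is an added illustration, not code from adcli or from this page: it wraps a scripted join so the credential reaches adcli on stdin rather than in argv, then checks the keytab permissions and runs testjoin. The function names, the join-account name and the sample OU are assumptions; the adcli options used are real.

```shell
#!/usr/bin/env bash
# Added example (not adcli project code): join with the password on stdin,
# then verify the join and the keytab permissions.
# Assumes bash 4+, GNU coreutils (stat -c), adcli on PATH, root for /etc/krb5.keytab.
set -euo pipefail

# ad_join DOMAIN LOGIN_USER OU PASSWORD_FILE
# Runs "adcli join" with --stdin-password, so the password is never an argv
# element (argv is readable by every local user through ps and /proc/PID/cmdline).
# PASSWORD_FILE should be root-only or a process substitution such as
# <(systemd-ask-password 'AD join password:'), which is consumed once.
ad_join() {
    local domain=$1 login_user=$2 ou=$3 password_file=$4
    adcli join \
        "--domain=$domain" \
        "--login-user=$login_user" \
        "--domain-ou=$ou" \
        "--os-name=$(uname -s)" \
        "--os-version=$(uname -r)" \
        --stdin-password \
        --show-details \
        < "$password_file"
}

# keytab_is_private PATH
# The keytab holds the computer account's long-term keys; whoever can read it
# can act as the computer. Accept only mode 600 or 400.
keytab_is_private() {
    local keytab=$1 mode
    [ -f "$keytab" ] || { echo "keytab missing: $keytab" >&2; return 1; }
    mode=$(stat -c '%a' "$keytab")
    case "$mode" in
        600|400) return 0 ;;
    esac
    echo "keytab $keytab is mode $mode; expected 600" >&2
    return 1
}

# ad_verify_join DOMAIN [KEYTAB]
# testjoin obtains a ticket with the keytab, proving the account exists and its
# password matches; its exit status is the result.
ad_verify_join() {
    local domain=$1 keytab=${2:-/etc/krb5.keytab}
    keytab_is_private "$keytab" || return 1
    adcli testjoin "--domain=$domain" "--host-keytab=$keytab" --verbose
}

# Entry point; nothing runs when the file is only sourced or called without args.
# Usage: ./join-ad.sh example.com joiner 'OU=Linux,DC=example,DC=com' <(systemd-ask-password 'AD join password:')
if [ $# -eq 4 ]; then
    ad_join "$@"
    ad_verify_join "$1"
fi
```

The join account here (joiner) is assumed to be a delegated account with create/delete rights on the OU only; after the join, schedule adcli update so the computer password is rotated from the keytab without that account ever being needed again.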

HISTORY

adcli was written by Stef Walter at Red Hat, starting around 2012, as the Active Directory join backend for realmd; it was designed to perform the join with LDAP and Kerberos alone so that SSSD-based hosts would not need Samba. It is maintained in the realmd project on freedesktop.org, today mainly by SSSD developers, and later releases added LDAPS support, further computer-account subcommands and more attribute handling. Fedora/RHEL, Debian/Ubuntu and SUSE ship it as a standalone package.

SEE ALSO

realm(8), realmd(8), sssd-ad(5), sssctl(8), kinit(1), klist(1), samba-tool(8), wbinfo(1), net(8)
