AD Bridge command line reference
This topic provides an overview of the commands available for use in AD Bridge. Most of the commands are intended to be run as root.
Note
Commands for managing the event log are covered in Config tool.
Note
For information about troubleshooting the Group Policy commands for AD Bridge, see AD Bridge group policy settings reference.
Change the hostname in the local provider (set-machine-name)
After you change the hostname of a computer, you must also change the name in the AD Bridge local provider database so that the local AD Bridge accounts use the correct prefix.
./lsa set-machine-name <hostname>
Note
Run the command as root.
List the status of authentication providers (get-status)
AD Bridgeincludes two authentication providers: a local provider and an Active Directory provider. If the AD provider is offline, you cannot log on with your AD credentials. You can check the status of the authentication providers.
/opt/pbis/bin/get-status
Healthy result output:
LSA Server Status:
Agent version: 5.4.0
Uptime: 22 days 21 hours 16 minutes 29 seconds
[Authentication provider: lsa-local-provider]
Status: Online
Mode: Local system
[Authentication provider: lsa-activedirectory-provider]
Status: Online
Mode: Un-provisioned
Domain: example.com
Forest: example.com
Site: Default-First-Site-Name
Unhealthy result output:
An unhealthy result will not include the AD authentication provider or will indicate that it is offline. If the AD authentication provider is not listed in the results, restart the authentication service.
If the result looks like the line below, check the status of the AD Bridge services to make sure they are running.
Failed to query status from LSA service. The LSASS server is not responding.
To check the status of the services. Run the following command as root:
/opt/pbis/bin/lwsm list
List the domain (ad-get-machine)
Retrieve the Active Directory domain to which the computer is connected.
./lsa ad-get-machine account
List domain controllers (get-dc-list)
List the domain controllers for a target domain. You can delimit the list in several ways, including by site.
./get-dc-list
Example
[root@rhel5d bin]# ./get-dc-list example.com Got 1 DCs: =========== DC 1: Name = 'steveh-dc.example.com', Address = '192.168.100.132'
List domain controller information (get-dc-name)
Display the name of the current domain controller for the domain you specify. This command can help you select a domain controller.
./get-dc-list
Example
To select a domain controller, run the following command as root until the domain controller you want is displayed.
/opt/pbis/bin/get-dc-name <domain-name> --force
List domain controller time (get-dc-time)
Displays the time of the current domain controller for the domain that you specify. This command can help you determine whether there is a Kerberos time-skew error between a client and a domain controller.
./get-dc-time
Example
[root@rhel5d bin]# ./get-dc-time example.com DC TIME: 2009-09-08 14:54:18 PDT
List computer account information (lsa ad-get-machine)
Print out the computer account name, computer account password, SID, and other information by running the following command as root.
./lsa ad-get-machine account <domain-name>
Example
/opt/pbis/bin/lsa ad-get-machine account example.com
Force a machine password reset (lsa ad-reset-machine-passwords)
The computer password will get reset once half the machine lifespan has been reached. ad-reset-machine-passwordprovides the option to force a machine password reset on demand.
./lsa ad-reset-machine-password
Example
/opt/pbis/bin/lsa ad-reset-machine-password
Dynamically update DNS (update-dns)
The update-dns command registers an IP address for the computer in DNS. The command is useful when you want to register A and PTR records for your computer and the DHCP server is not registering them.
By default, this registers all interface addresses using the default FQDN determined from the machine account. The DNS servers are determined from start of authority (SOA) records for the domain and the reverse lookup zone.
./update-dns
The --dnsserver <fqdn | ip> Option
The --dnsserver <fqdn | ip> option can be used to override the default. The fqdn is required for updates of secure Active Directory DNS server zones as they use a Kerberos secured connection.
Note
--fqdn is the fully qualified domain name for the client computer.
Example
Register an IP address:
/opt/pbis/bin/update-dns --ipaddress 192.168.100.4 --fqdn corp.example.comIf your system has multiple NICs and you are trying to register all their IP addresses in DNS, run the command once with multiple instances of the option:
/opt/pbis/bin/update-dns --fqdn corp.example.com --ipaddress 192.168.100.4 --ipaddress 192.168.100.7 --ipaddress 192.168.100.9To troubleshoot, add the option with the parameter:
/opt/pbis/bin/update-dns --loglevel debug --fqdn corp.example.com --ipaddress 192.168.100.4 --ipaddress 192.168.100.7
The --delete Option
The --delete option can be used to delete specific address records.
/opt/pbis/bin/update-dns --delete --ipaddress 192.168.100.4 --fqdn corp.example.com
At a minimum the --delete option can be used on its own, to delete all address records for the FQDN.
/opt/pbis/bin/update-dns --delete
Manage the AD cache (ad-cache)
The ad-cache command manages the AD Bridge cache for Active Directory and Entra ID users and groups on Linux and Unix computers. You can use the command to clear the cache. The command's arguments can delete from the cache a user, a group, or all users and groups. The --tenant flag can be used to filter Entra ID users and group objects.
./ad-cache
Note
To see the help output for ad-cache, run the following command:
/opt/pbis/bin/ad-cache --helpUsage: ad-cache --delete-all [--domain domain] [--force-offline-delete true] ad-cache --delete-user [--domain domain] {--name <user login id> | --uid <uid>} ad-cache --delete-group [--domain domain] {--name <group name> | --gid <gid>} ad-cache --enum-users [--domain domain | --tenant] {--batchsize [1..1000]} ad-cache --enum-groups [--domain domain | --tenant] {--batchsize [1..1000]}
Command Description --delete-all Deletes everything from the cache --delete-user Deletes one user from the cache --delete-group Deletes one group from the cache --enum-users Enumerates users in the cache --enum-groups Enumerates groups in the cache --batchsize Enumerate all entries retrieving objects from the cache in batches (default: 10)
Example
Delete all the users and groups from the cache.
/opt/pbis/bin/ad-cache --delete-allTo reclaim disk space from SQLite after you clear the cache when you are using the non-default SQLite caching option, execute the following command as root, replacing with your fully qualified domain name:
/opt/pbis/bin/sqlite3 /var/lib/pbis/db/lsass-adcache.filedb.fqdn vacuumYou can also use the command to enumerate users in the cache, which may be helpful in troubleshooting.
[root@rhel5d bin]# ./ad-cache --enum-users TotalNumUsersFound: 0 [root@rhel5d bin]# ssh example.com\\hab@localhost Password: Last login: Tue Aug 11 15:30:05 2009 from rhel5d.example.com [EXAMPLE\hab@rhel5d ~]$ exit logout Connection to localhost closed. [root@rhel5d bin]# ./ad-cache --enum-users User info (Level-0): ==================== Name: EXAMPLE\hab Uid: 593495196 Gid: 593494529 Gecos: <null> Shell: /bin/bash Home dir: /home/EXAMPLE/hab TotalNumUsersFound: 1 [root@rhel5d bin]#
Copy files across disparate operating systems (lwio-copy)
This command lets you copy files across computers running different operating systems. For example, you can copy files from a Linux computer to a Windows computer.
lwio-copy
There are two prerequisites to use lwio-copy:
- The lwio service must be running.
- The rdr driver must be available as specified by the registry. By default, the rdr driver is available at /opt/pbis/lib/lwio-driver/rdr.so.
Updated about 1 month ago