Domain Join tool commands for AD Bridge

The command-line utility domainjoin-cli gives you tools to add or remove accounts from a domain. The utility prompts for the domain, username, and organizational unit parameters. A history of entries is saved between join and leave prompts. To access the utility, run the following command:

/opt/pbis/bin/domainjoin-cli

Options

--help

Displays the command-line options and commands.

✅

Example

domainjoin-cli --help

--help-internal

Displays a list of the internal debugging and configuration commands.

✅

Example

domainjoin-cli --help-internal

--logfile {.| path}

Generates a log file or prints the log to the console.

✅

Example

domainjoin-cli --logfile /var/log/domainjoin.log join example.com Administrator

domainjoin-cli --logfile . join example.com Administrator

--loglevel {error|warning|info|verbose}

Adjusts the logging details generated during a domain join.

✅

Example

domainjoin-cli --loglevel error

Join commands

query

Displays the hostname, current domain, and distinguished name, which includes the organizational unit to which the computer belongs. If the computer is not joined to a domain, it displays only the hostname.

✅

Example

domainjoin-cli query

setname computerName

Renames the computer and modifies the /etc/hosts file with the name that you enter. computerName is a required field. If not provided, you are prompted for it.

✅

Example

domainjoin-cli setname RHEL44ID

join [--ou organizationalUnit] domainName userName

Joins the computer to the domain. If not provided, you are prompted to enter the domain, username, and password.

You can use the --ou option to join the computer to a specific organizational unit in the domain by setting the path to the OU. The path to the OU is top down and separated by a slash (/). To be prompted for an organizational unit you must pass in --ou. When you use this option, you must use an account that is a member in the Domain Administrators security group.

✅

Example

domainjoin-cli join --ou Eng/Dev example.com Administrator

join --notimesync

Joins the computer to the domain without synchronizing the computer's time with the domain controller's.

When you use this option, the sync-system-time value for lsass is set to no.

✅

Example

domainjoin-cli join --notimesync example.com Administrator

join --trustEnumerationWaitSeconds 60

The length of time lsass waits for trust enumeration to finish during startup. The range is 1 - 1000 seconds.

✅

Example

domainjoin-cli join --trustEnumerationWaitSeconds 300

Leave commands

leave [userName]

Removes the computer from the Active Directory domain. If the username is provided, the computer account is disabled in Active Directory. If not provided, you are prompted to enter a username and password.

✅

Example

domainjoin-cli leave

domainjoin-cli leave [email protected]

leave [--enable <module> | --disable <module>]

Enables or disables the module when you run the leave command.

✅

Example

domainjoin-cli leave --enable pam

leave [--keepLicense]

Retains the license information after the computer leaves the domain. The license key is released by default when you run the leave command.

✅

Example

domainjoin-cli leave --keepLicense

leave [--deleteAccount <user name> [<password>]]

Deletes the computer account after the computer leaves the domain.

✅

Example

domainjoin-cli leave --deleteAccount Administrator AdminPassword

leave [--advanced] --preview [username] [password]

Displays information on the configuration.

✅

Example

domainjoin-cli leave --advanced --preview Administrator AdminPassword

leave --details <module>

Displays the configuration information for the module.

✅

Example

domainjoin-cli leave --details pam

Join mode commands

--assumeDefaultCell { auto | no | force }

In Assume Default Cell mode, information is not read from the cells, but from the user objects and group objects directly. This supports joining to a domain which does not have any Named or Default Cells.

If set to auto, enable this mode when no cells are found.

If set to force, enable this mode even if Named or Default Cells exist. When this mode is enabled, get-status reports the AD authentication provider mode as Default Cell (Assumed).

The default setting is no.

ℹ️

Note

This mode is intended for Proof of Concept (PoC) and small environments. It does not require cells or schema changes. User and group information is read directly from the domain controllers in the forest; no Global Catalog searches are used. Features that rely on items stored in the cell (for example, custom NIS maps) are not supported in this mode.

✅

Example

domainjoin-cli join --assumeDefaultCell auto

--unprovisioned { auto | no | force }

When set, the AD provider computes the user and group IDs from their security identifier. It uses local settings for the Unix shell and home directory, ignoring the values set in AD.

If set to auto, enable this mode when no cells are found.

If set to force, enable this mode even if Named or Default Cells exist. The default setting is no.

✅

Example

domainjoin-cli join --unprovisioned force

Domain join advanced commands for AD Bridge

Use the advanced commands in this section to troubleshoot issues when configuring a Linux or Unix computer.

To see how systems interact when you join a domain, review the Domain Join Dataflow diagram.

Preview the stages of the domain join for your computer

Preview the stages of the domain join for a computer, including the domain stage, DNS name stage, and configuration stage that are run after you start the process.

✅

Example

[root@rhel4d bin]# domainjoin-cli join --preview example.com
Joining to AD Domain:   example.com
With Computer DNS Name: rhel4d.example.com

The following stages are currently configured to be run during the domain join:
join     - join computer to AD
krb5     - configure krb5.conf
nsswitch - enable/disable AD Bridge nsswitch module
start    - start daemons
pam      - configure pam.d/pam.conf
ssh      - configure ssh and sshd

Check required configurations with join command

List the modules that apply to your operating system, when joining a domain, including those modules that will not be run.

✅

Example

domainjoin-cli join --advanced --preview example.com

Check required configurations with leave command

List the modules that apply to your operating system when leaving a domain, including those modules that will not be run.

✅

Example

domainjoin-cli leave --advanced --preview example.com

✅

Example

[root@rhel4d bin]# domainjoin-cli join --advanced --preview example.com
Joining to AD Domain:   example.com
With Computer DNS Name: rhel4d.example.com
[X] [F] stop              - stop daemons
    [F] hostname          - set computer hostname
    [F] keytab            - initialize kerberos keytab
[X] [N] join              - join computer to AD
[X] [N] nsswitch          - enable/disable AD Bridge nsswitch module
[X] [N] cache             - manage caches for this host
[X] [N] start             - start daemons
[X] [N] krb5              - configure krb5.conf
[X] [N] pam               - configure pam.d/pam.conf
[X] [S] ssh               - configure ssh and sshd 
    [F] DDNS              - Configure Dynamic DNS Entry for this host

Key to flags
[F]ully configured        - the system is already configured for this step
[S]ufficiently configured - the system meets the minimum configuration requirements for this step
[N]ecessary               - this step must be run or manually performed.
[X]                       - this step is enabled and will make changes
[ ]                       - this step is disabled and will not make changes

Modules

The AD Bridge domain join tool includes the following modules, which are the components and services that the tool must configure before it can join a computer to a domain:

Join and leave commands for modules

View examples for the use of join and leave commands.

domainjoin-cli join --advanced --preview domainName

View the modules that must be configured on your computer.

✅

Example

domainjoin-cli join --advanced --preview example.com

domainjoin-cli join --details module domainName joinAccount

View more information about a module, including the modules that are configured.

✅

Example

domainjoin-cli join --details nsswitch example.com Administrator

domainjoin-cli join --disable module domainName accountName

Turn off (disable) a module when you join a domain. Disabling a module can be useful in cases where a module has been manually configured or in cases where you must ensure that certain system files will not be modified.

ℹ️

Note

If you disable a necessary module and you have not manually configured it, the domain join utility will not join your computer to the domain.

✅

Example

domainjoin-cli join --disable nsswitch example.com Administrator

domainjoin-cli join --enable module domainName accountName

Turn on (enable) a module when you join a domain.

✅

Example

domainjoin-cli join --enable nsswitch example.com Administrator

domainjoin-cli leave --advanced --preview domainName

List the modules that apply to your operating system when leaving a domain, including those modules that will not be run.

✅

Example

domainjoin-cli leave --advanced --preview example.com

domainjoin-cli leave --details module domainName joinAccount

View more information about a module, including the modules that are configured.

✅

Example

domainjoin-cli leave --details pam example.com Administrator

domainjoin-cli leave --disable module domainName accountName

Turn off (disable) a module when you leave a domain.

✅

Example

/opt/pbis/bin/domainjoin-cli leave --advanced --preview --disable nsswitch example.com
[X] [N] nsswitch          - enable/disable  nsswitch module

[F] DDNS - Configure Dynamic DNS Entry for this host
[X] [S] ssh - configure ssh and sshd
[F] pam - configure pam.d/pam.conf
[F] nsswitch - enable/disable nsswitch module
[F] krb5 - configure krb5.conf
[F] stop - stop daemons
[F] leave - leave the domain and release the license
[F] keytab - initialize kerberos keytab

Key to flags
[F]ully configured - the system is already configured for this step
[S]ufficiently configured - the system meets the minimum configuration
requirements for this step
[N]ecessary - this step must be run or manually performed.

[X] - this step is enabled and will make changes
[ ] - this step is disabled and will not make changes

Configuration and debugging commands

The domainjoin-cli tool includes commands for debugging the domainjoin process and for configuring or preconfiguring a module.

For example, run the configure command to preconfigure a system before you join a domain, a useful strategy when you are deploying AD Bridge in a virtual environment and you need to preconfigure the nsswitch, ssh, or pam module of the target computers to avoid restarting them after they are added to the domain.

ℹ️

Note

The --testprefix option supports testing system configuration file changes. If supplied, the --testprefix directory is prepended to the path of the configuration file target.

For example, the following command changes the /testconfig/etc/nsswitch.conf file instead of /etc/nsswitch.conf:

configure --enable --testprefix testconfig nsswitch

✅

Example

Example with nsswitch

domainjoin-cli configure --enable nsswitch

✅

Example

Example with fixfqdn

domainjoin-cli fixfqdn

Help syntax:

domainjoin-cli --help-internal

fixfqdn
configure { --enable | --disable } [--testprefix <dir>] pam 
configure { --enable | --disable } [--testprefix <dir>] nsswitch 
configure { --enable | --disable } [--testprefix <dir>] ssh 
configure { --enable | --disable } [--testprefix <dir>] [--long <longdomain>] [--short <shortdomain>] krb5
configure { --enable | --disable } eventfwdd
configure { --enable | --disable } reapsysld
get_os_type
get_arch
get_distro
get_distro_version