Domain Join Advanced Commands for AD Bridge

Use the advanced commands in this section to troubleshoot issues when configuring a Linux or Unix computer.

To see how systems interact when you join a domain, review the Domain Join Dataflow diagram.

Domain Join Component Interaction diagram

Preview the Stages of the Domain Join for Your Computer

Preview the stages of the domain join for a computer, including the domain stage, DNS name stage, and configuration stage that are run after you start the process.

[root@rhel4d bin]# domainjoin-cli join --preview example.com
Joining to AD Domain:   example.com
With Computer DNS Name: rhel4d.example.com

The following stages are currently configured to be run during the domain join:
join     - join computer to AD
krb5     - configure krb5.conf
nsswitch - enable/disable AD Bridge nsswitch module
start    - start daemons
pam      - configure pam.d/pam.conf
ssh      - configure ssh and sshd

Check Required Configurations with Join Command

List the modules that apply to your operating system when joining a domain, including those modules that will not be run.

domainjoin-cli join --advanced --preview example.com

Check Required Configurations with Leave Command

List the modules that apply to your operating system when leaving a domain, including those modules that will not be run.

domainjoin-cli leave --advanced --preview example.com

Example output for the join command:

[root@rhel4d bin]# domainjoin-cli join --advanced --preview example.com
Joining to AD Domain:   example.com
With Computer DNS Name: rhel4d.example.com
[X] [F] stop              - stop daemons
    [F] hostname          - set computer hostname
    [F] keytab            - initialize kerberos keytab
[X] [N] join              - join computer to AD
[X] [N] nsswitch          - enable/disable AD Bridge nsswitch module
[X] [N] cache             - manage caches for this host
[X] [N] start             - start daemons
[X] [N] krb5              - configure krb5.conf
[X] [N] pam               - configure pam.d/pam.conf
[X] [S] ssh               - configure ssh and sshd 
    [F] DDNS              - Configure Dynamic DNS Entry for this host

Key to flags
[F]ully configured        - the system is already configured for this step
[S]ufficiently configured - the system meets the minimum configuration requirements for this step
[N]ecessary               - this step must be run or manually performed.
[X]                       - this step is enabled and will make changes
[ ]                       - this step is disabled and will not make changes
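One way to turn the flag key above into an automated pre-check, as an added example that is not part of the vendor documentation: the function classifies each module line of the preview output and exits non-zero when a [N]ecessary step is not enabled. The function names and the sample text are constructed for illustration, and the parser assumes a disabled step shows either "[ ]" or a blank enable column.

```shell
#!/bin/sh
# Added example (not vendor code): classify the module lines of
# `domainjoin-cli join --advanced --preview` output read from stdin.
#   CHANGE  <module>  enabled ([X]): the join will modify this component
#   BLOCKER <module>  [N]ecessary but not enabled: configure it by hand first
#   SKIP    <module>  not enabled, already [F]ully/[S]ufficiently configured
# Exit status 1 when any BLOCKER exists, so a deployment script can stop.
preview_report() {
    awk '
    # Enable column is "[X]", "[ ]" or blank; state column is [F], [S] or [N].
    /^ *(\[[X ]\] +)?\[[FSN]\] +[A-Za-z0-9_-]+ +- / {
        enabled = ($0 ~ /^ *\[X\]/)
        line = $0
        sub(/^ *(\[[X ]\] +)?/, "", line)   # drop the enable column
        state = substr(line, 2, 1)          # F, S or N
        sub(/^\[[FSN]\] +/, "", line)       # drop the state column
        split(line, field, " ")             # field[1] is the module name
        if (enabled)           print "CHANGE  " field[1]
        else if (state == "N") { print "BLOCKER " field[1]; bad = 1 }
        else                   print "SKIP    " field[1]
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample: the preview format shown above, with nsswitch disabled.
sample_preview() {
    cat <<'EOF'
Joining to AD Domain:   example.com
With Computer DNS Name: rhel4d.example.com
[X] [F] stop              - stop daemons
    [F] hostname          - set computer hostname
[X] [N] join              - join computer to AD
    [N] nsswitch          - enable/disable AD Bridge nsswitch module
[X] [S] ssh               - configure ssh and sshd

Key to flags
[F]ully configured        - the system is already configured for this step
[N]ecessary               - this step must be run or manually performed.
[X]                       - this step is enabled and will make changes
EOF
}

# Live use (as root): domainjoin-cli join --advanced --preview example.com | preview_report
sample_preview | preview_report || echo "necessary module not enabled: configure it manually first"
```

The CHANGE lines double as a change-control list of the components the join will touch on that host.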

Modules

The AD Bridge domain join tool includes the following modules, which are the components and services that the tool must configure before it can join a computer to a domain:

Module      Description
join        Joins the computer to Active Directory
leave       Removes the machine account in Active Directory
stop        Stops services so that the system can be configured
start       Starts services after configuration
firewall    Opens ports to the domain controller
hostname    Sets the computer hostname
krb5        Configures krb5.conf
pam-mode    Switches authentication from LAM to PAM
nsswitch    Enables or disables the AD Bridge nsswitch module
pam         Configures pam.d and pam.conf
lam-auth    Configures LAM for Active Directory authentication
ssh         Configures ssh and sshd
bash        Fixes the bash prompt for backslashes in usernames
gdm         Fixes the gdm pre-session script for spaces in usernames

Join and Leave Commands for the Modules

View examples for the use of join and leave commands.

domainjoin-cli join --advanced --preview domainName

View the modules that must be configured on your computer.

domainjoin-cli join --advanced --preview example.com

domainjoin-cli join --details module domainName joinAccount

View more information about a module, including the modules that are configured.

domainjoin-cli join --details nsswitch example.com Administrator

domainjoin-cli join --disable module domainName accountName

Turn off (disable) a module when you join a domain. Disabling a module can be useful in cases where a module has been manually configured or in cases where you must ensure that certain system files will not be modified.

If you disable a necessary module and you have not manually configured it, the domain join utility will not join your computer to the domain.

domainjoin-cli join --disable nsswitch example.com Administrator

domainjoin-cli join --enable module domainName accountName

Turn on (enable) a module when you join a domain.

domainjoin-cli join --enable nsswitch example.com Administrator

domainjoin-cli leave --advanced --preview domainName

List the modules that apply to your operating system when leaving a domain, including those modules that will not be run.

domainjoin-cli leave --advanced --preview example.com

domainjoin-cli leave --details module domainName joinAccount

View more information about a module, including the modules that are configured.

domainjoin-cli leave --details pam example.com Administrator

domainjoin-cli leave --disable module domainName accountName

Turn off (disable) a module when you leave a domain.

/opt/pbis/bin/domainjoin-cli leave --advanced --preview --disable nsswitch example.com
[X] [N] nsswitch          - enable/disable  nsswitch module

    [F] DDNS              - Configure Dynamic DNS Entry for this host
[X] [S] ssh               - configure ssh and sshd
    [F] pam               - configure pam.d/pam.conf
    [F] nsswitch          - enable/disable nsswitch module
    [F] krb5              - configure krb5.conf
    [F] stop              - stop daemons
    [F] leave             - leave the domain and release the license
    [F] keytab            - initialize kerberos keytab

Key to flags
[F]ully configured        - the system is already configured for this step
[S]ufficiently configured - the system meets the minimum configuration requirements for this step
[N]ecessary               - this step must be run or manually performed.
[X]                       - this step is enabled and will make changes
[ ]                       - this step is disabled and will not make changes

Configuration and Debugging Commands

The domainjoin-cli tool includes commands for debugging the domainjoin process and for configuring or preconfiguring a module.

For example, run the configure command to preconfigure a system before you join a domain. This is a useful strategy when you are deploying AD Bridge in a virtual environment and need to preconfigure the nsswitch, ssh, or pam module of the target computers to avoid restarting them after they are added to the domain.

The --testprefix option supports testing system configuration file changes. If supplied, the --testprefix directory is prepended to the path of the configuration file target.

For example, the following command changes the /testconfig/etc/nsswitch.conf file instead of /etc/nsswitch.conf:

domainjoin-cli configure --enable --testprefix testconfig nsswitch

Example with nsswitch

domainjoin-cli configure --enable nsswitch

Example with fixfqdn

domainjoin-cli fixfqdn
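To review what a --testprefix run would change before applying it to the live files, the following added example (not vendor code) diffs each staged file against its live counterpart, using the path mapping described above. The function names and demo file contents are constructed, and the module name in the staged file is a placeholder.

```shell
#!/bin/sh
# Added example (not vendor code): review files staged by a --testprefix run.
# review_staged PREFIX [ROOT] compares each file under PREFIX with the file at
# the same path under ROOT (default /), for example PREFIX/etc/nsswitch.conf
# against /etc/nsswitch.conf. It prints a unified diff per changed file and
# "NEW <path>" for files with no live counterpart.
# Returns 1 if anything differs, 0 if the staged tree matches the live one.
review_staged() {
    prefix=${1%/}
    root=${2:-/}
    root=${root%/}
    find "$prefix" -type f | sort | (
        changed=0
        while IFS= read -r staged; do
            live=$root${staged#"$prefix"}
            if [ ! -e "$live" ]; then
                echo "NEW $live"
                changed=1
            elif ! diff -u "$live" "$staged"; then
                changed=1
            fi
        done
        exit "$changed"
    )
}

# Constructed demo: a fake live root and a staged tree, so it runs without
# domainjoin-cli. The module name in the staged file is a placeholder.
demo_review() {
    work=$(mktemp -d)
    mkdir -p "$work/live/etc" "$work/testconfig/etc"
    printf 'passwd: files\n' > "$work/live/etc/nsswitch.conf"
    printf 'passwd: files MODULE_PLACEHOLDER\n' > "$work/testconfig/etc/nsswitch.conf"
    review_staged "$work/testconfig" "$work/live" && status=0 || status=$?
    rm -rf "$work"
    return "$status"
}

# Real use, after: domainjoin-cli configure --enable --testprefix <dir> nsswitch
#   review_staged <dir>
demo_review || echo "staged changes differ from live files: review before applying"
```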

Help Syntax:

domainjoin-cli --help-internal
fixfqdn
configure { --enable | --disable } [--testprefix <dir>] pam 
configure { --enable | --disable } [--testprefix <dir>] nsswitch 
configure { --enable | --disable } [--testprefix <dir>] ssh 
configure { --enable | --disable } [--testprefix <dir>] [--long <longdomain>] [--short <shortdomain>] krb5
configure { --enable | --disable } eventfwdd
configure { --enable | --disable } reapsysld
get_os_type
get_arch
get_distro
get_distro_version