Domain Join Advanced Commands for AD Bridge

The advanced commands in this section can be used to troubleshoot issues when configuring a Linux or Unix computer.

Review the Domain Join Dataflow diagram to see how systems interact when you join a domain.

Domain Join Component Interaction diagram

Preview the Stages of the Domain Join for Your Computer

Preview the stages of the domain join for a computer, including the domain stage, DNS name stage, and configuration stage that are run after you start the process.

domainjoin-cli join --preview domainName

Example:

domainjoin-cli join --preview example.com

Example Results:

[root@rhel4d bin]# domainjoin-cli join --preview example.com
Joining to AD Domain:   example.com
With Computer DNS Name: rhel4d.example.com

The following stages are currently configured to be run during the domain join:
join     - join computer to AD
krb5     - configure krb5.conf
nsswitch - enable/disable AD Bridge nsswitch module
start    - start daemons
pam      - configure pam.d/pam.conf
ssh      - configure ssh and sshd

Results vary by computer.

Check Required Configurations with Join Command

List the modules that apply to your operating system when joining a domain, including those modules that will not be run.

domainjoin-cli join --advanced --preview domainName

Example:

domainjoin-cli join --advanced --preview example.com

Check Required Configurations with Leave Command

List the modules that apply to your operating system when leaving a domain, including those modules that will not be run.

domainjoin-cli leave --advanced --preview domainName

Example:

domainjoin-cli leave --advanced --preview example.com

Example Results:

[root@rhel4d bin]# domainjoin-cli join --advanced --preview example.com
Joining to AD Domain:   example.com
With Computer DNS Name: rhel4d.example.com
[X] [F] stop              - stop daemons
    [F] hostname          - set computer hostname
    [F] keytab            - initialize kerberos keytab
[X] [N] join              - join computer to AD
[X] [N] nsswitch          - enable/disable AD Bridge nsswitch module
[X] [N] cache             - manage caches for this host
[X] [N] start             - start daemons
[X] [N] krb5              - configure krb5.conf
[X] [N] pam               - configure pam.d/pam.conf
[X] [S] ssh               - configure ssh and sshd 
    [F] DDNS              - Configure Dynamic DNS Entry for this host

Key to flags
[F]ully configured        - the system is already configured for this step
[S]ufficiently configured - the system meets the minimum configuration requirements for this step
[N]ecessary               - this step must be run or manually performed.
[X]                       - this step is enabled and will make changes
[ ]                       - this step is disabled and will not make changes

Results vary by computer.
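
The flag columns in the advanced preview can be checked by script before a join is attempted. The following is an added example, not part of the original documentation or the product: it classifies each module row and reports modules that are necessary but not enabled. The function names classify_preview, join_blockers, and sample_preview are hypothetical, and the sample input is constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not vendor code. Reads the text printed by
#   domainjoin-cli join --advanced --preview <domain>
# and prints one "<verdict> <flag> <module>" line per module row.
classify_preview() {
    awk '
    {
        line = $0
        enabled = (line ~ /^\[X\]/)
        sub(/^(\[X\]|\[ \])?[ \t]*/, "", line)        # drop the enable column
        if (line !~ /^\[[FSN]\][ \t]+[A-Za-z]/) next   # skip prompt, banner, key
        flag = substr(line, 2, 1)
        sub(/^\[[FSN]\][ \t]+/, "", line)
        split(line, f, /[ \t]+/)
        if (enabled)          verdict = "change"       # [X]: step will make changes
        else if (flag == "N") verdict = "blocked"      # necessary, but will not run
        else                  verdict = "skip"         # already [F] or [S] configured
        print verdict, flag, f[1]
    }'
}

# Prints modules that are [N]ecessary but not enabled; exit status 1 if any exist.
join_blockers() {
    classify_preview | awk '$1 == "blocked" { print $3; bad = 1 } END { exit bad + 0 }'
}

# Constructed sample: rows from the page output, with nsswitch disabled by hand.
sample_preview() {
    cat <<'EOF'
[root@rhel4d bin]# domainjoin-cli join --advanced --preview example.com
Joining to AD Domain:   example.com
With Computer DNS Name: rhel4d.example.com
[X] [F] stop              - stop daemons
    [F] hostname          - set computer hostname
[X] [N] join              - join computer to AD
    [N] nsswitch          - enable/disable AD Bridge nsswitch module
[X] [N] pam               - configure pam.d/pam.conf
[X] [S] ssh               - configure ssh and sshd

Key to flags
[F]ully configured        - the system is already configured for this step
[N]ecessary               - this step must be run or manually performed.
[X]                       - this step is enabled and will make changes
[ ]                       - this step is disabled and will not make changes
EOF
}

sample_preview | classify_preview
```

On a real host, pipe the output of domainjoin-cli join --advanced --preview into join_blockers and stop the rollout when it returns a non-zero status.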

Modules

The AD Bridge Enterprise domain join tool includes the following modules, which are the components and services that the tool must configure before it can join a computer to a domain:

Module      Description
join        Joins the computer to Active Directory
leave       Deletes the machine account in Active Directory
dsplugin    Enables the AD Bridge Enterprise directory services plugin on a Mac computer
stop        Stops services so that the system can be configured
start       Starts services after configuration
firewall    Opens ports to the domain controller
hostname    Sets the computer hostname
krb5        Configures krb5.conf
pam-mode    Switches authentication from LAM to PAM
nsswitch    Enables or disables the AD Bridge Enterprise nsswitch module
pam         Configures pam.d and pam.conf
lam-auth    Configures LAM for Active Directory authentication
ssh         Configures ssh and sshd
bash        Fixes the bash prompt for backslashes in usernames
gdm         Fixes the gdm pre-session script for spaces in usernames

Join and Leave Commands for the Modules

domainjoin-cli join --advanced --preview domainName

View the modules that must be configured on your computer.

Example:

domainjoin-cli join --advanced --preview example.com

domainjoin-cli join --details module domainName joinAccount

View more information about a module, including the modules that are configured.

Example:

domainjoin-cli join --details nsswitch example.com Administrator

domainjoin-cli join --disable module domainName accountName

Turn off a module when you join a domain. Disabling a module can be useful in cases where a module has been manually configured or in cases where you must ensure that certain system files will not be modified.

If you disable a necessary module and you have not manually configured it, the domain join utility will not join your computer to the domain.

Example:

domainjoin-cli join --disable nsswitch example.com Administrator

domainjoin-cli join --enable module domainName accountName

Turn on a module when you join a domain.

Example:

domainjoin-cli join --enable nsswitch example.com Administrator

domainjoin-cli leave --advanced --preview domainName

List the modules that apply to your operating system when leaving a domain, including those modules that will not be run.

Example:

domainjoin-cli leave --advanced --preview example.com

domainjoin-cli leave --details module domainName joinAccount

View more information about a module, including the modules that are configured.

Example:

domainjoin-cli leave --details pam example.com Administrator

domainjoin-cli leave --disable module domainName accountName

Turn off a module when you leave a domain.

Example:

domainjoin-cli leave --disable pam example.com Administrator

Example Results:

domainjoin-cli join --details nsswitch example.com Administrator
[X] [N] nsswitch          - enable/disable AD Bridge nsswitch module

Key to flags
[F]ully configured        - the system is already configured for this step
[S]ufficiently configured - the system meets the minimum configuration requirements for this step
[N]ecessary               - this step must be run or manually performed.
[X]                       - this step is enabled and will make changes
[ ]                       - this step is disabled and will not make changes

Details for 'enable/disable AD Bridge nsswitch module':
The following steps are required and can be performed automatically:
	* Edit nsswitch apparmor profile to allow libraries in the /opt/pbis/lib and /opt/pbis/lib64 directories
	* List lwidentity module in /usr/lib/security/methods.cfg (AIX only)
	* Add lwidentity to passwd and group/groups line /etc/nsswitch.conf or /etc/netsvc.conf

If any changes are performed, then the following services must be restarted:
	* GDM
	* XDM
	* Cron
	* Dbus
	* Nscd

Configuration and Debugging Commands

The domainjoin-cli tool includes commands for debugging the domain-join process and for configuring or preconfiguring a module.

For example, run the configure command to preconfigure a system before you join a domain. This is a useful strategy when you are deploying AD Bridge Enterprise in a virtual environment and need to preconfigure the nsswitch, ssh, or pam module of the target computers so that they do not have to be restarted after they are added to the domain.

The --testprefix option supports testing system configuration file changes. If supplied, the --testprefix directory is prepended to the path of the configuration file target.

For example, the following command changes the /testconfig/etc/nsswitch.conf file instead of /etc/nsswitch.conf:

domainjoin-cli configure --enable --testprefix testconfig nsswitch

Example with nsswitch:

domainjoin-cli configure --enable nsswitch

Example with fixfqdn:

domainjoin-cli fixfqdn

Help Syntax:

domainjoin-cli --help-internal
fixfqdn
configure { --enable | --disable } [--testprefix <dir>] pam 
configure { --enable | --disable } [--testprefix <dir>] nsswitch 
configure { --enable | --disable } [--testprefix <dir>] ssh 
configure { --enable | --disable } [--testprefix <dir>] [--long <longdomain>] [--short <shortdomain>] krb5
configure { --enable | --disable } eventfwdd
configure { --enable | --disable } reapsysld
get_os_type
get_arch
get_distro
get_distro_version