AD Bridge Command Line Reference

This chapter provides an overview of the commands in AD Bridge. Most of the commands are intended to be run as root.

For information about troubleshooting the Group Policy commands for AD Bridge Enterprise, please see the Group Policy Reference Guide.

Change the Hostname in the Local Provider (set-machine-name)

After you change the hostname of a computer, you must also change the name in the AD Bridge local provider database so that the local AD Bridge accounts use the correct prefix.

./lsa set-machine-name <hostname>

Run the command as root.

List the Status of Authentication Providers (get-status)

AD Bridge includes two authentication providers: a local provider and an Active Directory provider. If the AD provider is offline, you cannot log on with your AD credentials. You can check the status of the authentication providers.

/opt/pbis/bin/get-status

Healthy result output:

LSA Server Status:
Agent version: 5.4.0
        Uptime:   22 days 21 hours 16 minutes 29 seconds
[Authentication provider: lsa-local-provider]
        Status:   Online
        Mode:     Local system
[Authentication provider: lsa-activedirectory-provider]
        Status:   Online
        Mode:     Un-provisioned
        Domain:   example.com
        Forest:   example.com
        Site:     Default-First-Site-Name

Unhealthy result output:

An unhealthy result will not include the AD authentication provider or will indicate that it is offline. If the AD authentication provider is not listed in the results, restart the authentication service.

If the result looks like the line below, check the status of the AD Bridge Enterprise services to make sure they are running.

Failed to query status from LSA service.  The LSASS server is not responding.

To check the status of the services. Run the following command as root:

/opt/pbis/bin/lwsm list

List the Domain (ad-get-machine)

Retrieve the Active Directory domain to which the computer is connected.

./lsa ad-get-machine account

List Domain Controllers (get-dc-list)

List the domain controllers for a target domain. You can delimit the list in several ways, including by site.

./get-dc-list

Example:

[root@rhel5d bin]# ./get-dc-list example.com
Got 1 DCs:
===========
DC 1: Name = 'steveh-dc.example.com', Address = '192.168.100.132'

List Domain Controller Information (get-dc-name)

Display the name of the current domain controller for the domain you specify. This command can help you select a domain controller.

./get-dc-list

Example:

To select a domain controller, run the following command as root until the domain controller you want is displayed.

/opt/pbis/bin/get-dc-name <domain-name> --force

List Domain Controller Time (get-dc-time)

Displays the time of the current domain controller for the domain that you specify. This command can help you determine whether there is a Kerberos time-skew error between a client and a domain controller.

./get-dc-time

Example:

[root@rhel5d bin]# ./get-dc-time
example.com DC TIME: 2009-09-08 14:54:18 PDT

List Computer Account Information (lsa ad-get-machine)

Print out the computer account name, computer account password, SID, and other information by running the following command as root.

./lsa ad-get-machine account <domain-name>

Example:

/opt/pbis/bin/lsa ad-get-machine account example.com

Dynamically Update DNS (update-dns)

Registers an IP address for the computer in DNS. The command is useful when you want to register A and PTR records for your computer and the DHCP server is not registering them.

./update-dns

Examples:

Register an IP address:

/opt/pbis/bin/update-dns --ipaddress 192.168.100.4 --fqdn corp.example.com

If your system has multiple NICs and you are trying to register all their IP addresses in DNS, run the command once with multiple instances of the option:

/opt/pbis/bin/update-dns --fqdn corp.example.com --ipaddress 192.168.100.4 --ipaddress 192.168.100.7 --ipaddress 192.168.100.9

To troubleshoot, add the option with the parameter:

/opt/pbis/bin/update-dns --loglevel debug --fqdn corp.example.com --ipaddress 192.168.100.4 --ipaddress 192.168.100.7

--fqdn is the fully qualified domain name for the client computer.

Manage the AD Cache (ad-cache)

This command manages the AD Bridge cache for Active Directory users and groups on Linux and Unix computers. You can use the command to clear the cache. The command's arguments can delete from the cache a user, a group, or all users and groups.

./ad-cache

Examples:

Delete all the users and groups from the cache.

/opt/pbis/bin/ad-cache --delete-all

To reclaim disk space from SQLite after you clear the cache when you are using the non-default SQLite caching option, execute the following command as root, replacing with your fully qualified domain name:

/opt/pbis/bin/sqlite3 /var/lib/pbis/db/lsass-adcache.filedb.fqdn vacuum

You can also use the command to enumerate users in the cache, which may be helpful in troubleshooting.

[root@rhel5d bin]# ./ad-cache --enum-users
TotalNumUsersFound:      0
[root@rhel5d bin]# ssh example.com\\hab@localhost
Password: 
Last login: Tue Aug 11 15:30:05 2009 from rhel5d.example.com
[EXAMPLE\hab@rhel5d ~]$ exit
logout
Connection to localhost closed.
[root@rhel5d bin]# ./ad-cache --enum-users
User info (Level-0):
====================
Name:     EXAMPLE\hab
Uid:      593495196
Gid:      593494529
Gecos:    <null>
Shell:    /bin/bash
Home dir: /home/EXAMPLE/hab
TotalNumUsersFound:      1
[root@rhel5d bin]# 

Display NIS Map (ypcat)

This command is the AD Bridge Network Information Services (NIS) ypcat function for group passwd and netgroup maps.

ypcat

Example:

/opt/pbis/bin/ypcat -d example.com -k map-name

Display the Value of a Key in a NIS Map (ypmatch)

This command is the AD Bridge Network Information Services (NIS) ypmatch function for group passwd and netgroup maps.

/opt/pbis/bin/ypmatch -d example.com -k key-name map-name

Example:

/opt/pbis/bin/ypmatch

Copy Files Across Disparate Operating Systems (lwio-copy)

This command lets you copy files across computers running different operating systems. For example, you can copy files from a Linux computer to a Windows computer.

lwio-copy

There are two prerequisites to use lwio-copy:

  • The lwio service must be running.
  • The rdr driver must be available as specified by the registry. By default, the rdr driver is available at /opt/pbis/lib/lwio-driver/rdr.so.