AD Bridge Command Line Reference
This chapter provides an overview of the commands in AD Bridge. Most of the commands are intended to be run as root.
For information about troubleshooting the Group Policy commands for AD Bridge Enterprise, please see the Group Policy Reference Guide.
Change the Hostname in the Local Provider (set-machine-name)
After you change the hostname of a computer, you must also change the name in the AD Bridge local provider database so that the local AD Bridge accounts use the correct prefix.
./lsa set-machine-name <hostname>
Run the command as root.
List the Status of Authentication Providers (get-status)
AD Bridge includes two authentication providers: a local provider and an Active Directory provider. If the AD provider is offline, you cannot log on with your AD credentials. You can check the status of the authentication providers.
Healthy result output:
LSA Server Status:
Agent version: 5.4.0
Uptime: 22 days 21 hours 16 minutes 29 seconds
[Authentication provider: lsa-local-provider]
Status: Online
Mode: Local system
[Authentication provider: lsa-activedirectory-provider]
Status: Online
Mode: Un-provisioned
Domain: example.com
Forest: example.com
Site: Default-First-Site-Name
Unhealthy result output:
An unhealthy result either omits the AD authentication provider or shows its status as offline. If the AD authentication provider is not listed in the results, restart the authentication service.
If the result looks like the line below, check the status of the AD Bridge Enterprise services to make sure they are running.
Failed to query status from LSA service. The LSASS server is not responding.
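The following shell function is an added example, not a command shipped with AD Bridge. It reads get-status output (one field per line, as in the healthy output above) from standard input and classifies the AD provider as online, offline, missing, or noservice, so a cron job or monitoring check can act on the three outcomes described above. The sample outputs embedded in the script are constructed from the healthy and unhealthy results shown above; the path /opt/pbis/bin/get-status in the comment is assumed from the other commands on this page.

```shell
#!/bin/sh
# Added example (not part of AD Bridge): classify get-status output.
# Reads the status text on stdin and prints exactly one word:
#   online    - lsa-activedirectory-provider is listed and Online
#   offline   - it is listed but its Status is not Online
#   missing   - it is not listed at all (restart the authentication service)
#   noservice - lsass did not answer at all (check the AD Bridge services)
ad_provider_state() {
    awk '
        /LSASS server is not responding/ { print "noservice"; found = 1; exit }
        /^\[Authentication provider: / {
            in_ad = ($0 ~ /lsa-activedirectory-provider/)
        }
        in_ad && /^Status:/ {
            state = ($2 == "Online") ? "online" : "offline"
            print state
            found = 1; exit
        }
        END { if (!found) print "missing" }
    '
}

# Constructed samples, based on the healthy and unhealthy results shown above.
HEALTHY='LSA Server Status:
Agent version: 5.4.0
Uptime: 22 days 21 hours 16 minutes 29 seconds
[Authentication provider: lsa-local-provider]
Status: Online
Mode: Local system
[Authentication provider: lsa-activedirectory-provider]
Status: Online
Mode: Un-provisioned
Domain: example.com
Forest: example.com
Site: Default-First-Site-Name'

# AD provider listed but its Status line flipped to Offline.
AD_OFFLINE=$(printf '%s\n' "$HEALTHY" | sed '/lsa-activedirectory-provider/{n;s/Online/Offline/;}')
# AD provider block removed entirely (only the local provider remains).
AD_MISSING=$(printf '%s\n' "$HEALTHY" | sed '/lsa-activedirectory-provider/,$d')
# lsass not answering at all.
NO_SERVICE='Failed to query status from LSA service. The LSASS server is not responding.'

# Print the verdict for each sample. For a live check, feed the real tool
# (path assumed): /opt/pbis/bin/get-status 2>&1 | ad_provider_state
for sample in "$HEALTHY" "$AD_OFFLINE" "$AD_MISSING" "$NO_SERVICE"; do
    printf '%s\n' "$sample" | ad_provider_state
done
```

The classifier keys on the provider header line and the Status line that follows it, so it is not fooled by the local provider reporting Online while the AD provider is down; a non-zero verdict other than online is the condition to alert on.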
To check the status of the services, run the following command as root:
List the Domain (ad-get-machine)
Retrieve the Active Directory domain to which the computer is connected.
./lsa ad-get-machine account
List Domain Controllers (get-dc-list)
List the domain controllers for a target domain. You can restrict the list in several ways, including by site.
[root@rhel5d bin]# ./get-dc-list example.com
Got 1 DCs:
===========
DC 1: Name = 'steveh-dc.example.com', Address = '192.168.100.132'
List Domain Controller Information (get-dc-name)
Display the name of the current domain controller for the domain you specify. This command can help you select a domain controller.
To select a domain controller, run the following command as root until the domain controller you want is displayed.
/opt/pbis/bin/get-dc-name <domain-name> --force
List Domain Controller Time (get-dc-time)
Display the time of the current domain controller for the domain that you specify. This command can help you determine whether there is a Kerberos time-skew error between a client and a domain controller: Kerberos rejects tickets by default when the two clocks differ by more than five minutes, so compare the DC time with the client's own clock, taking the time zone into account.
[root@rhel5d bin]# ./get-dc-time example.com
DC TIME: 2009-09-08 14:54:18 PDT
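As an added example that is not part of AD Bridge, the shell functions below parse the DC TIME line shown above, compare it with a local epoch timestamp, and report whether the difference is inside the 300-second window that Kerberos tolerates by default. They assume GNU date for timestamp parsing (date -d); the sample line is constructed from the output above and the simulated local clock values are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not part of AD Bridge: turn the DC TIME line printed by
# get-dc-time into a clock-skew verdict. Assumes GNU date (date -d).

# dc_time_epoch LINE -> epoch seconds of the timestamp in "DC TIME: ...";
# fails (status 1) if the line does not carry a DC TIME value.
dc_time_epoch() {
    ts=$(printf '%s\n' "$1" | sed -n 's/^DC TIME: *//p')
    [ -n "$ts" ] || return 1
    date -d "$ts" +%s
}

# skew_seconds A B -> absolute difference |A - B| in seconds.
skew_seconds() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    printf '%s\n' "$d"
}

# skew_ok LINE LOCAL_EPOCH [MAX_SECONDS] -> 0 if skew <= MAX (default 300,
# the Kerberos default), 1 if the skew is too large, 2 if LINE is unparsable.
skew_ok() {
    max=${3:-300}
    dc=$(dc_time_epoch "$1") || return 2
    [ "$(skew_seconds "$dc" "$2")" -le "$max" ]
}

# Constructed sample taken from the output above; the local clock is simulated
# by adding a fixed offset to the DC time.
SAMPLE='DC TIME: 2009-09-08 14:54:18 PDT'
dc=$(dc_time_epoch "$SAMPLE")
if skew_ok "$SAMPLE" $((dc + 120)); then
    echo "120 s of skew: within Kerberos tolerance"
fi
if ! skew_ok "$SAMPLE" $((dc + 900)); then
    echo "900 s of skew: Kerberos will reject tickets; fix the client clock"
fi
# Live use (path assumed from the examples on this page):
#   skew_ok "$(/opt/pbis/bin/get-dc-time example.com)" "$(date +%s)"
```

Because the DC time is printed with its zone abbreviation, the comparison is done on epoch seconds rather than on the wall-clock strings, which is what avoids a false alarm when the client and the domain controller sit in different time zones.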
List Computer Account Information (lsa ad-get-machine)
Print out the computer account name, computer account password, SID, and other information by running the following command as root. Because the output includes the computer account password, treat it as a secret: run the command only when you need it and do not paste the output into tickets, chat, or logs.
./lsa ad-get-machine account <domain-name>
/opt/pbis/bin/lsa ad-get-machine account example.com
Dynamically Update DNS (update-dns)
Registers an IP address for the computer in DNS. The command is useful when you want to register A and PTR records for your computer and the DHCP server is not registering them.
Register an IP address:
/opt/pbis/bin/update-dns --ipaddress 192.168.100.4 --fqdn corp.example.com
If your system has multiple NICs and you are trying to register all their IP addresses in DNS, run the command once with multiple instances of the --ipaddress option:
/opt/pbis/bin/update-dns --fqdn corp.example.com --ipaddress 192.168.100.4 --ipaddress 192.168.100.7 --ipaddress 192.168.100.9
To troubleshoot, add the --loglevel option with the debug parameter:
/opt/pbis/bin/update-dns --loglevel debug --fqdn corp.example.com --ipaddress 192.168.100.4 --ipaddress 192.168.100.7
--fqdn is the fully qualified domain name for the client computer.
Manage the AD Cache (ad-cache)
This command manages the AD Bridge cache for Active Directory users and groups on Linux and Unix computers. You can use the command to clear the cache: its arguments let you delete a single user, a single group, or all users and groups from the cache.
Delete all the users and groups from the cache.
To reclaim disk space from SQLite after you clear the cache when you are using the non-default SQLite caching option, execute the following command as root, replacing fqdn with your fully qualified domain name:
/opt/pbis/bin/sqlite3 /var/lib/pbis/db/lsass-adcache.filedb.fqdn vacuum
You can also use the command to enumerate users in the cache, which may be helpful in troubleshooting.
[root@rhel5d bin]# ./ad-cache --enum-users
TotalNumUsersFound: 0
[root@rhel5d bin]# ssh example.com\\hab@localhost
Password:
Last login: Tue Aug 11 15:30:05 2009 from rhel5d.example.com
[EXAMPLE\hab@rhel5d ~]$ exit
logout
Connection to localhost closed.
[root@rhel5d bin]# ./ad-cache --enum-users
User info (Level-0):
====================
Name: EXAMPLE\hab
Uid: 593495196
Gid: 593494529
Gecos: <null>
Shell: /bin/bash
Home dir: /home/EXAMPLE/hab
TotalNumUsersFound: 1
[root@rhel5d bin]#
Display NIS Map (ypcat)
This command is the AD Bridge Network Information Services (NIS) ypcat function for the group, passwd, and netgroup maps.
/opt/pbis/bin/ypcat -d example.com -k map-name
Display the Value of a Key in a NIS Map (ypmatch)
This command is the AD Bridge Network Information Services (NIS) ypmatch function for the group, passwd, and netgroup maps.
/opt/pbis/bin/ypmatch -d example.com -k key-name map-name
Copy Files Across Disparate Operating Systems (lwio-copy)
This command lets you copy files across computers running different operating systems. For example, you can copy files from a Linux computer to a Windows computer.
There are two prerequisites for using lwio-copy:
- The lwio service must be running.
- The rdr driver must be available as specified by the registry. By default, the rdr driver is available at /opt/pbis/lib/lwio-driver/rdr.so.