AD Bridge Command Line Reference

This topic provides an overview of the commands available for use in AD Bridge. Most of the commands are intended to be run as root.

Commands for managing the event log are covered in the AD Bridge Configuration Tool Reference Guide's Event Log topic.

For information about troubleshooting the Group Policy commands for AD Bridge, see the Group Policy Reference Guide.

Change the Hostname in the Local Provider (set-machine-name)

After you change the hostname of a computer, you must also change the name in the AD Bridge local provider database so that the local AD Bridge accounts use the correct prefix.

./lsa set-machine-name <hostname>

Run the command as root.

List the Status of Authentication Providers (get-status)

AD Bridgeincludes two authentication providers: a local provider and an Active Directory provider. If the AD provider is offline, you cannot log on with your AD credentials. You can check the status of the authentication providers.

/opt/pbis/bin/get-status

Healthy result output:

LSA Server Status:
Agent version: 5.4.0
        Uptime:   22 days 21 hours 16 minutes 29 seconds
[Authentication provider: lsa-local-provider]
        Status:   Online
        Mode:     Local system
[Authentication provider: lsa-activedirectory-provider]
        Status:   Online
        Mode:     Un-provisioned
        Domain:   example.com
        Forest:   example.com
        Site:     Default-First-Site-Name

Unhealthy result output:

An unhealthy result will not include the AD authentication provider or will indicate that it is offline. If the AD authentication provider is not listed in the results, restart the authentication service.

If the result looks like the line below, check the status of the AD Bridge services to make sure they are running.

Failed to query status from LSA service.  The LSASS server is not responding.

To check the status of the services. Run the following command as root:

/opt/pbis/bin/lwsm list

List the Domain (ad-get-machine)

Retrieve the Active Directory domain to which the computer is connected.

./lsa ad-get-machine account

List Domain Controllers (get-dc-list)

List the domain controllers for a target domain. You can delimit the list in several ways, including by site.

./get-dc-list
[root@rhel5d bin]# ./get-dc-list example.com
Got 1 DCs:
===========
DC 1: Name = 'steveh-dc.example.com', Address = '192.168.100.132'

List Domain Controller Information (get-dc-name)

Display the name of the current domain controller for the domain you specify. This command can help you select a domain controller.

./get-dc-list
To select a domain controller, run the following command as root until the domain controller you want is displayed. 
/opt/pbis/bin/get-dc-name <domain-name> --force

List Domain Controller Time (get-dc-time)

Displays the time of the current domain controller for the domain that you specify. This command can help you determine whether there is a Kerberos time-skew error between a client and a domain controller.

./get-dc-time
[root@rhel5d bin]# ./get-dc-time
example.com DC TIME: 2009-09-08 14:54:18 PDT

List Computer Account Information (lsa ad-get-machine)

Print out the computer account name, computer account password, SID, and other information by running the following command as root.

./lsa ad-get-machine account <domain-name>
/opt/pbis/bin/lsa ad-get-machine account example.com

Dynamically Update DNS (update-dns)

The update-dns command registers an IP address for the computer in DNS. The command is useful when you want to register A and PTR records for your computer and the DHCP server is not registering them.

By default, this registers all interface addresses using the default FQDN determined from the machine account. The DNS servers are determined from start of authority (SOA) records for the domain and the reverse lookup zone. 

./update-dns

The --dnsserver <fqdn | ip> Option

The --dnsserver <fqdn | ip> option can be used to override the default. The fqdn is required for updates of secure Active Directory DNS server zones as they use a Kerberos secured connection.

--fqdn is the fully qualified domain name for the client computer.

Register an IP address:
/opt/pbis/bin/update-dns --ipaddress 192.168.100.4 --fqdn corp.example.com

If your system has multiple NICs and you are trying to register all their IP addresses in DNS, run the command once with multiple instances of the option:

/opt/pbis/bin/update-dns --fqdn corp.example.com --ipaddress 192.168.100.4 --ipaddress 192.168.100.7 --ipaddress 192.168.100.9

To troubleshoot, add the option with the parameter:

/opt/pbis/bin/update-dns --loglevel debug --fqdn corp.example.com --ipaddress 192.168.100.4 --ipaddress 192.168.100.7

The --delete Option

The --delete option can be used to delete specific address records.

/opt/pbis/bin/update-dns --delete --ipaddress 192.168.100.4 --fqdn corp.example.com

At a minimum the --delete option can be used on its own, to delete all address records for the FQDN.

/opt/pbis/bin/update-dns --delete

Manage the AD Cache (ad-cache)

The ad-cache command manages the AD Bridge cache for Active Directory and Entra ID users and groups on Linux and Unix computers. You can use the command to clear the cache. The command's arguments can delete from the cache a user, a group, or all users and groups. The --tenant flag can be used to filter Entra ID users and group objects.

./ad-cache
To see the help output for ad-cache, run the following command:
/opt/pbis/bin/ad-cache --help
Usage:
ad-cache --delete-all [--domain domain] [--force-offline-delete true]
ad-cache --delete-user [--domain domain] {--name <user login id> | --uid <uid>}
ad-cache --delete-group [--domain domain] {--name <group name> | --gid <gid>}
ad-cache --enum-users [--domain domain | --tenant] {--batchsize [1..1000]}
ad-cache --enum-groups [--domain domain | --tenant] {--batchsize [1..1000]}

Command

Description

--delete-all

Deletes everything from the cache

--delete-user

Deletes one user from the cache

--delete-group

Deletes one group from the cache

--enum-users

Enumerates users in the cache

--enum-groups

Enumerates groups in the cache

--batchsize

Enumerate all entries retrieving objects from the cache in batches (default: 10)

 

Delete all the users and groups from the cache.
/opt/pbis/bin/ad-cache --delete-all

To reclaim disk space from SQLite after you clear the cache when you are using the non-default SQLite caching option, execute the following command as root, replacing with your fully qualified domain name:

/opt/pbis/bin/sqlite3 /var/lib/pbis/db/lsass-adcache.filedb.fqdn vacuum

You can also use the command to enumerate users in the cache, which may be helpful in troubleshooting.

[root@rhel5d bin]# ./ad-cache --enum-users
TotalNumUsersFound:      0
[root@rhel5d bin]# ssh example.com\\hab@localhost
Password: 
Last login: Tue Aug 11 15:30:05 2009 from rhel5d.example.com
[EXAMPLE\hab@rhel5d ~]$ exit
logout
Connection to localhost closed.
[root@rhel5d bin]# ./ad-cache --enum-users
User info (Level-0):
====================
Name:     EXAMPLE\hab
Uid:      593495196
Gid:      593494529
Gecos:    <null>
Shell:    /bin/bash
Home dir: /home/EXAMPLE/hab
TotalNumUsersFound:      1
[root@rhel5d bin]#

Copy Files Across Disparate Operating Systems (lwio-copy)

This command lets you copy files across computers running different operating systems. For example, you can copy files from a Linux computer to a Windows computer.

lwio-copy

There are two prerequisites to use lwio-copy:

  • The lwio service must be running.
  • The rdr driver must be available as specified by the registry. By default, the rdr driver is available at /opt/pbis/lib/lwio-driver/rdr.so.