Domain Join Tool Commands for AD Bridge

The command-line utility domainjoin-cli lets you join a computer to a domain or remove it from one. The utility prompts for the domain, username, and organizational unit parameters that you do not supply on the command line. A history of entries is saved between join and leave prompts. To access the utility, run the following command:

/opt/pbis/bin/domainjoin-cli

Options

--help

Displays the command-line options and commands.

Example:

domainjoin-cli --help

--help-internal

Displays a list of the internal debugging and configuration commands.

Example:

domainjoin-cli --help-internal

--logfile {.| path}

Generates a log file or prints the log to the console.

Examples:

domainjoin-cli --logfile /var/log/domainjoin.log join example.com Administrator
domainjoin-cli --logfile . join example.com Administrator

--loglevel {error|warning|info|verbose}

Adjusts the logging details generated during a domain join.

Example:

domainjoin-cli --loglevel error

Join Commands

query

Displays the hostname, current domain, and distinguished name, which includes the organizational unit to which the computer belongs. If the computer is not joined to a domain, it displays only the hostname.

Example:

domainjoin-cli query

setname computerName

Renames the computer and updates the /etc/hosts file with the name that you enter. computerName is required; if you omit it, you are prompted for it.

Example:

domainjoin-cli setname RHEL44ID

join [--ou organizationalUnit] domainName userName

Joins the computer to the domain. If not provided, you are prompted to enter the domain, username, and password.

You can use the --ou option to join the computer to a specific organizational unit in the domain by giving the path to the OU. The path is written top down, with the levels separated by a slash (/). You are prompted for an organizational unit only if you pass --ou. When you use this option, you must use an account that is a member of the Domain Administrators security group.

Example:

domainjoin-cli join --ou Eng/Dev example.com Administrator
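The slash-separated path passed to --ou is the top-down form of the OU portion of the distinguished name that the query command reports. The POSIX sh functions below, an added example rather than part of AD Bridge, convert between the two forms so you can confirm that a joined computer landed in the intended OU; the DN strings are constructed samples and escaped commas inside RDN values are not handled.

```shell
#!/bin/sh
# Convert an LDAP DN (most-specific RDN first) into the top-down OU path
# that domainjoin-cli's --ou option expects, e.g.
#   CN=RHEL44ID,OU=Dev,OU=Eng,DC=example,DC=com  ->  Eng/Dev
dn_to_ou_path() {
    dn=$1
    path=""
    old_ifs=$IFS
    IFS=','
    for rdn in $dn; do
        case $rdn in
            OU=*|ou=*)
                ou=${rdn#??=}                  # strip the "OU=" prefix
                if [ -z "$path" ]; then path=$ou; else path="$ou/$path"; fi
                ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$path"
}

# Build the OU-plus-domain DN that a given --ou path and domain resolve to,
# e.g. Eng/Dev example.com -> OU=Dev,OU=Eng,DC=example,DC=com
ou_path_to_dn() {
    path=$1
    domain=$2
    rdns=""
    old_ifs=$IFS
    IFS='/'
    for ou in $path; do
        rdns="OU=$ou,$rdns"                   # prepend so the deepest OU comes first
    done
    IFS=$old_ifs
    dc=$(printf 'DC=%s' "$domain" | sed 's/\./,DC=/g')
    printf '%s%s\n' "$rdns" "$dc"
}

# Succeeds when the DN reported for a computer lies in the intended OU path.
ou_matches() {
    [ "$(dn_to_ou_path "$1")" = "$2" ]
}

# Constructed sample: the DN of a computer joined with --ou Eng/Dev.
sample_dn='CN=RHEL44ID,OU=Dev,OU=Eng,DC=example,DC=com'
if ou_matches "$sample_dn" 'Eng/Dev'; then
    echo "computer is in the expected OU"
fi
```

Feed the DN shown by domainjoin-cli query into ou_matches after a join to detect a computer that ended up in the wrong container.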

join --notimesync

Joins the computer to the domain without synchronizing the computer's time with the domain controller's.

When you use this option, the sync-system-time value for lsass is set to no.

Example:

domainjoin-cli join --notimesync example.com Administrator

join --trustEnumerationWaitSeconds 60

Sets the length of time, in seconds, that lsass waits for trust enumeration to finish during startup. The range is 1 to 1000 seconds.

Example:

domainjoin-cli join --trustEnumerationWaitSeconds 300

Leave Commands

leave [userName]

Removes the computer from the Active Directory domain. If the username is provided, the computer account is disabled in Active Directory. If not provided, you are prompted to enter a username and password.

Examples:

domainjoin-cli leave
domainjoin-cli leave smithy@example.com

leave [--enable <module> | --disable <module>]

Enables or disables the module when you run the leave command.

Example:

domainjoin-cli leave --enable pam

leave [--keepLicense]

Retains the license information after the computer leaves the domain. The license key is released by default when you run the leave command.

Example:

domainjoin-cli leave --keepLicense

leave [--deleteAccount <user name> [<password>]]

Deletes the computer account after the computer leaves the domain.

Example:

domainjoin-cli leave --deleteAccount Administrator AdminPassword

leave [--advanced] --preview [username] [password]

Displays information about the current configuration.

Example:

domainjoin-cli leave --advanced --preview Administrator AdminPassword

leave --details <module>

Displays the configuration information for the module.

Example:

domainjoin-cli leave --details pam

Join Mode Commands

--assumeDefaultCell { auto | no | force }

In Assume Default Cell mode, information is not read from the cells, but from the user objects and group objects directly. This supports joining to a domain which does not have any named or default cells.

If set to auto, the mode is enabled when no cells are found.

If set to force, the mode is enabled even if named or default cells exist. When this mode is enabled, get-status reports the AD authentication provider mode as Default Cell (Assumed).

The default setting is no.

This mode is intended for Proof of Concept (PoC) and small environments. It does not require cells or schema changes. User and group information is read directly from the domain controllers in the forest; no Global Catalog searches are used. Features that rely on items stored in the cell (for example, custom NIS maps) are not supported in this mode.

Example:

domainjoin-cli --assumeDefaultCell auto

--unprovisioned { auto | no | force }

When set, the AD provider computes the user and group IDs from their security identifier. It uses local settings for the Unix shell and home directory, ignoring the values set in AD.

If set to auto, the mode is enabled when no cells are found.

If set to force, the mode is enabled even if named or default cells exist. The default setting is no.

Example:

domainjoin-cli --unprovisioned force