Joining a domain and zone with the adjoin command

In most cases, you add a computer to the domain by running the adjoin command directly on a local computer. You run this command once for each Linux or UNIX computer you want to add to a domain in the forest. Using the administrator or a designated user account, you can run the command interactively at the command line or include the command in a script to automate joining a domain.

Specifying the most common arguments

Whether you join the domain interactively from the command line or using a script, you must specify a few required arguments. You might also need to specify several additional arguments, such as a user name and password for an account with permission to join the domain, an alias for the computer in Active Directory, or the organizational unit in which to place the computer.

The most common format for the adjoin command is:

adjoin --user username --zone zonename domain

For example, the following command illustrates the most common format for the adjoin command:

adjoin --user shea@acme.com --zone LinuxDev sales.acme.com

This command connects to Active Directory as the user shea@acme.com to add the local computer to a previously-created zone called LinuxDev zone and to the sales.acme.com domain. In this example, the zone and domain name are required. The user name is not a required argument—if not specified the adjoin command would prompt for the Administrator account password. However, because the user shea is a member of the acme.com domain rather than the sales.acme.com domain, the user account must be specified in the user_name@domain_name format.

Because the password is not specified in the command line, the adjoin program prompts for the Active Directory password to authenticate the shea@acme.com account before connecting to Active Directory.

In most cases, you should avoid including the password for an account as part of the adjoin command line for security reasons. If you are using adjoin in a script, however, you must include the --password option or provide another mechanism for inputting a valid password. For more information about adjoin command line options and running adjoin commands, see the adjoin man page.

If the adclient process is able to connect to Active Directory and the join is successful, a confirmation message is displayed. By default, the join operation adds the new computer account to Active Directory in the domain_name/Computers container. If the connection to Active Directory fails, a warning message is displayed and the join operation fails.

Using the self-serve option for a previously-created computer account

If you have previously prepared a computer account in Active Directory as described in Preparing computer accounts before joining, you can use the ‑‑selfserve (-S) option to join a domain without specifying a user name and password. For example, you can run a command similar to the following to join the domain:

adjoin --selfserve domain

For example:

adjoin --selfserve cendura.org

Note that you must specify the domain to join but not the zone—the computer is automatically joined to the zone in which the computer object was pre-created.

If you want to preserve service principal names (SPN) configured in the centrifydc.conf, use the adjoin command option -r spn or --useConf spn. This option only works in conjunction with the -S, --selfserve command.

Joining a domain in workstation mode

In most cases, zones are required if you are adding Linux and UNIX computers to Active Directory to address account migration and role-based access rights. However, it is possible to deploy without using zones to organize computers, rights, roles, and other information.

The workstation mode is intended for computers that function in the same way as Windows workstations where any valid user can log on to any computer that is joined to the domain. In general, workstations do not require you to manage identity attributes, such as UIDs and GIDs, or access-related attributes, such as the hours a user is allowed to log on. To mirror this behavior for Linux and UNIX computers, the workstation mode automatically creates a local user profile for users when they log on and does not apply any access rules unless you configured them for the user account in Active Directory.

Computers that join the domain using workstation mode are added to a single Auto Zone and are treated the same as Windows workstations, and are managed by Active Directory and group policy settings. You can use the workstation mode and Auto Zone for any computers that do not require profile management or role-based access controls. You can also have any combination of workstation computers that don’t require profile management and access control and workstations and servers that do require profile management, access control, hierarchical zones. For more information, see Using workstation mode and Auto Zone.

To join a domain using workstation mode instead of zones, you can run a command similar to the following:

adjoin --workstation --user username domain

For example:

adjoin --workstation --user kai.rodriguez cendura.org

This command adds the local computer to a single Auto Zone. The Auto Zone requires no configuration and there are no properties, user profiles, or access rights to manage. All Active Directory users and groups in the forest, or in forests with a two-way trust, can access the computers in the Auto Zone.

Joining the domain using the computer account

On the computer to which you have given administrative rights, run the adjoin command and set the user name parameter to the computer name with a dollar sign ($) appended and the password to the computer name.

adjoin domain --zone zoneName --user computername$ --password computername

For example, if the computer name is valencia and the Active Directory domain is arcade.com, you would run a command similar to the following:

adjoin arcade.com --zone finance --user valencia$ --password valencia