
PowerScale OneFS CLI Command Reference

isi auth ads create

Configures an Active Directory provider and joins an Active Directory domain.

Syntax

isi auth ads create <name> <user>
  [--machine-account <string>]
  [--instance <string>]
  [--password <string>]
  [--organizational-unit <string>]
  [--kerberos-nfs-spn {yes | no}]
  [--kerberos-hdfs-spn {yes | no}]
  [--dns-domain <dns-domain>]
  [--groupnet <groupnet>]
  [--allocate-gids {yes | no}]
  [--allocate-uids {yes | no}]
  [--assume-default-domain {yes | no}]
  [--check-online-interval <duration>]
  [--create-home-directory {yes | no}]
  [--domain-offline-alerts {yes | no}]
  [--findable-groups <string>...]
  [--findable-users <string>...]
  [--home-directory-template <path>]
  [--ignore-all-trusts {yes | no}]
  [--ignored-trusted-domains <dns-domain>...]
  [--include-trusted-domains <dns-domain>...]
  [--ldap-sign-and-seal {yes | no}]
  [--login-shell <path>]
  [--lookup-domains <dns-domain>...]
  [--lookup-groups {yes | no}]
  [--lookup-normalize-groups {yes | no}]
  [--lookup-normalize-users {yes | no}]
  [--lookup-users {yes | no}]
  [--machine-password-changes {yes | no}]
  [--machine-password-lifespan <duration>]
  [--node-dc-affinity <string>]
  [--node-dc-affinity-timeout <timestamp>]
  [--nss-enumeration {yes | no}]
  [--restrict-findable {yes | no}]
  [--rpc-call-timeout <integer>]
  [--server-retry-limit <duration>]
  [--sfu-support {none | rfc2307}]
  [--store-sfu-mappings {true | false}]
  [--unfindable-groups <string>...]
  [--unfindable-users <string>...]
  [--verbose]

Options

<name>
Specifies the fully-qualified Active Directory domain name, which can be resolved to an IPv4 or an IPv6 address. The domain name will also be used as the provider name.
<user>
Specifies the user name of an account that has permission to join machine accounts to the Active Directory domain.
--machine-account <string>
The machine account name to be used by Active Directory. The default value is the cluster name.
--instance <string>
Sets the Active Directory name for this instance.
--password <string>
Specifies the password of the provided user account. If you omit this option, you will be prompted to supply a password.
--organizational-unit <string>
Specifies the name of the organizational unit (OU) to connect to on the Active Directory server. Specify the OU in the form OuName or OuName1/SubName2.
--kerberos-nfs-spn {yes | no}
Specifies whether to add SPNs for using Kerberized NFS.
--kerberos-hdfs-spn {yes | no}
Specifies whether to add SPNs for using Kerberized HDFS.
--dns-domain <dns-domain>
Specifies a DNS search domain to use instead of the domain that is specified in <name>.
--groupnet <groupnet>
Specifies the groupnet referenced by the Active Directory provider. The groupnet is a top-level networking container that manages hostname resolution against DNS nameservers and contains subnets and IP address pools. The groupnet specifies which networking properties the Active Directory provider will use when communicating with external servers.
--allocate-gids {yes | no}
Enables or disables GID allocation for unmapped Active Directory groups. Active Directory groups without GIDs can be proactively assigned a GID by the ID mapper. If this option is disabled, GIDs are not proactively assigned, but when a user's primary group does not include a GID, the system may allocate one.
--allocate-uids {yes | no}
Enables or disables UID allocation for unmapped Active Directory users. Active Directory users without UIDs can be proactively assigned a UID by the ID mapper. If this option is disabled, UIDs are not proactively assigned, but when a user's identity does not include a UID, the system may allocate one.
--assume-default-domain {yes | no}
Enables lookup of unqualified user names in the primary domain.
--check-online-interval <duration>
Specifies the time between provider online checks, in the format <integer>{Y|M|W|D|H|m|s}.
--create-home-directory {yes | no}
Specifies whether to create a home directory the first time that a user logs in, if a home directory does not already exist for the user.
--domain-offline-alerts {yes | no}
Specifies whether to send an alert if the domain goes offline. If this option is set to yes, notifications are sent as specified in the global notification rules. The default value is no.
--findable-groups <string>...
Specifies a list of groups that can be resolved by this authentication provider. Repeat this option to specify multiple list items.
--findable-users <string>...
Specifies a list of users that can be resolved by this authentication provider. Repeat this option to specify multiple list items.
--home-directory-template <path>
Specifies the template path to use when creating home directories. The path must begin with /ifs and can include special character sequences that are dynamically replaced with strings at home directory creation time that represent specific variables. For example, %U, %D, and %Z are replaced with the user name, provider domain name, and zone name, respectively. For more information, see the Home directories section.
NOTE: If you are using Active Directory with Services for UNIX (SFU), spaces in Windows-created directory names are converted to underscores for UNIX compatibility.
--ignore-all-trusts {yes | no}
Specifies whether to ignore all trusted domains.
--ignored-trusted-domains <dns-domain>...
Specifies a list of trusted domains to ignore if --ignore-all-trusts is disabled. Repeat this option to specify multiple list items.
--include-trusted-domains <dns-domain>...
Specifies a list of trusted domains to include if --ignore-all-trusts is enabled. Repeat this option to specify multiple list items.
--ldap-sign-and-seal {yes | no}
Specifies whether to use encryption and signing for LDAP requests to a domain controller.
--login-shell <path>
Specifies the full path to the login shell to use if the Active Directory server does not provide login-shell information. This setting applies only to users who access the file system through SSH.
--lookup-domains <string>...
Specifies a list of domains to which user and group lookups are to be limited. Repeat this option to specify multiple list items.
--lookup-groups {yes | no}
Specifies whether to look up Active Directory groups in other providers before allocating a GID.
--lookup-normalize-groups {yes | no}
Specifies whether to normalize Active Directory group names to lowercase before looking them up.
--lookup-normalize-users {yes | no}
Specifies whether to normalize Active Directory user names to lowercase before looking them up.
--lookup-users {yes | no}
Specifies whether to look up Active Directory users in other providers before allocating a UID.
--machine-password-changes {yes | no}
Specifies whether to enable periodic changes of the machine account password for security purposes.
--machine-password-lifespan <duration>
Sets the maximum age of the machine account password, in the format <integer>{Y|M|W|D|H|m|s}.
{--node-dc-affinity | -x} <string>
Specifies the domain controller that the node should exclusively communicate with (affinitize to). This option should be used with a timeout value, which is configured using the --node-dc-affinity-timeout option. Otherwise, the default timeout value of 30 minutes is assigned.
NOTE: This setting is for debugging purposes and should be left unconfigured during normal operation. To disable this feature, use a timeout value of 0.
{--node-dc-affinity-timeout} <timestamp>
Specifies the timeout setting for the local node affinity to a domain controller, using the date format <YYYY>-<MM>-<DD> or the date/time format <YYYY>-<MM>-<DD>T<hh>:<mm>[:<ss>].
NOTE: A value of 0 disables the affinity. When affinitization is disabled, communication with the specified domain controller may not end immediately. It may persist until another domain controller can be chosen.
--nss-enumeration {yes | no}
Specifies whether to allow the Active Directory provider to respond to getpwent and getgrent requests.
--restrict-findable {yes | no}
Specifies whether to check the authentication provider for filtered lists of findable and unfindable users and groups.
--rpc-call-timeout <integer>
The maximum amount of time (in seconds) that an RPC call to Active Directory is allowed to take. A value of 0 indicates no timeout.
--server-retry-limit <duration>
The number of retries to attempt when a call to Active Directory fails due to a network error.
--sfu-support {none | rfc2307}
Specifies whether to support RFC 2307 attributes for Windows domain controllers. RFC 2307 is required for Windows UNIX Integration and for Services For UNIX (SFU) technologies.
--store-sfu-mappings {true | false}
Specifies whether to store SFU mappings permanently in the ID mapper.
--unfindable-groups <string>...
Specifies a list of groups that cannot be resolved by this authentication provider. Repeat this option to specify multiple list items.
--unfindable-users <string>...
Specifies a list of users that cannot be resolved by this authentication provider. Repeat this option to specify multiple list items.
{--verbose | -v}
Displays the results of running the command.
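
Added example (not part of the Dell reference): a POSIX shell pre-flight check that reviews a proposed isi auth ads create argument list against the options described above before it goes into a runbook. The finding names, the sample domain and account, and the policy of requiring --ldap-sign-and-seal yes and rejecting --machine-password-changes no are assumptions of this example, not OneFS defaults.

```sh
#!/bin/sh
# Succeeds if $1 matches the documented <integer>{Y|M|W|D|H|m|s} format.
is_duration() {
  num=${1%?}            # everything except the last character
  unit=${1#"$num"}      # the last character
  case "$num" in ''|*[!0-9]*) return 1 ;; esac
  case "$unit" in Y|M|W|D|H|m|s) return 0 ;; *) return 1 ;; esac
}

# Prints space-separated findings (hypothetical names) for the argument
# list of `isi auth ads create`; returns 0 only when there are none.
lint_ads_create() {
  findings="" seal="" rotate=""
  while [ $# -gt 0 ]; do
    n=2                 # options matched below consume one value
    case "$1" in
      # A password in argv can land in shell history and process listings;
      # omitting --password makes the command prompt for it instead.
      --password) findings="$findings password-in-argv" ;;
      --ldap-sign-and-seal) seal=${2-} ;;
      --machine-password-changes) rotate=${2-} ;;
      # Documented as a debugging setting to leave unconfigured.
      --node-dc-affinity|-x) findings="$findings dc-affinity-set" ;;
      --machine-password-lifespan|--check-online-interval)
        is_duration "${2-}" || findings="$findings bad-duration:$1" ;;
      *) n=1 ;;
    esac
    [ $# -ge $n ] || n=$#
    shift $n
  done
  [ "$seal" = yes ] || findings="$findings ldap-sign-and-seal-not-yes"
  [ "$rotate" != no ] || findings="$findings machine-password-rotation-off"
  printf '%s\n' "${findings# }"
  [ -z "$findings" ]
}

# Constructed sample: the domain, account and password are made up.
lint_ads_create corp.example.com joinsvc --password 'Example1!' \
  --node-dc-affinity dc1.corp.example.com \
  --machine-password-lifespan 30 --machine-password-changes no || :
```

An argument list such as corp.example.com joinsvc --ldap-sign-and-seal yes --machine-password-changes yes --machine-password-lifespan 4W produces no findings, and the password is then supplied at the prompt.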
