The adsysctl command¶
adsysctl
is a command line utility to request actions from the daemon and query its current status. You can get more verbose output with the -v
accumulative flags, which will stream all logs from the service corresponding to your specific request.
As a general rule, favour shell completion and the help command for discovering various parts of the adsysctl user interface. It will help you by completing subcommands, flags, users and even chapters of the offline documentation!
Which policies are applied¶
You can check with policies are currently applied to your current AD user with the
adsysctl policy applied
command:
$ adsysctl policy applied
Policies from machine configuration:
- MainOffice Policy 2 ({B8D10A86-0B78-4899-91AF-6F0124ECEB48})
- MainOffice Policy ({C4F393CA-AD9A-4595-AEBC-3FA6EE484285})
- Default Domain Policy ({31B2F340-016D-11D2-945F-00C04FB984F9})
Policies from user configuration:
- RnD Policy 3 ({073AA7FC-5C1A-4A12-9AFC-42EC9C5CAF04})
- RnD Policy 2 ({83A5BD5B-1D5D-472D-827F-DE0E6F714300})
- RnD Policy ({5EC4DF8F-FF4E-41DE-846B-52AA6FFAF242})
- IT Policy ({75545F76-DEC2-4ADA-B7B8-D5209FD48727})
- Default Domain Policy ({31B2F340-016D-11D2-945F-00C04FB984F9})
The order of policies are top-down, higher GPOs have priorities over lower ones on the stack (respecting OU order, GPO enforcement, GPO block instructions on your AD setup…).
If you have the right permission, you can request other users as well:
$ adsysctl policy applied tina
Policies from machine configuration:
- MainOffice Policy ({A2F393CA-AD9A-4595-AEBC-3FA6EE484285})
- Default Domain Policy ({31B2F340-016D-11D2-945F-00C04FB984F9})
Policies from user configuration:
- RnD Policy 4 ({25A5BD5B-1D5D-472D-827F-DE0E6F714300})
- IT Policy ({75545F76-DEC2-4ADA-B7B8-D5209FD48727})
- Default Domain Policy ({31B2F340-016D-11D2-945F-00C04FB984F9})
Pro tip! Use shell completion to get the list of active users you can request which policies are applied on.
To get which policy are set to a given value or disabled by which key, use the
--details
flags:
$ adsysctl policy applied --details
Policies from machine configuration:
- MainOffice Policy 2 ({B8D10A86-0B78-4899-91AF-6F0124ECEB48})
- gdm:
- dconf/org/gnome/desktop/notifications/show-banners: Locked to system default
- MainOffice Policy ({C4F393CA-AD9A-4595-AEBC-3FA6EE484285})
- gdm:
- dconf/org/gnome/desktop/interface/clock-format: 24h
- dconf/org/gnome/desktop/interface/clock-show-date: false
- dconf/org/gnome/desktop/interface/clock-show-weekday: true
- dconf/org/gnome/desktop/screensaver/picture-uri: 'file:///usr/share/backgrounds/ubuntu-default-greyscale-wallpaper.png'
- Default Domain Policy ({31B2F340-016D-11D2-945F-00C04FB984F9})
Policies from user configuration:
- RnD Policy 3 ({073AA7FC-5C1A-4A12-9AFC-42EC9C5CAF04})
- dconf:
- org/gnome/desktop/media-handling/automount: Locked to system default
- RnD Policy 2 ({83A5BD5B-1D5D-472D-827F-DE0E6F714300})
- RnD Policy ({5EC4DF8F-FF4E-41DE-846B-52AA6FFAF242})
- dconf:
- org/gnome/shell/favorite-apps: libreoffice-writer.desktop\nsnap-store_ubuntu-software.desktop\nyelp.desktop
- IT Policy ({75545F76-DEC2-4ADA-B7B8-D5209FD48727})
- dconf:
- org/gnome/desktop/background/picture-options: stretched
- org/gnome/desktop/background/picture-uri: file:///usr/share/backgrounds/canonical.png
- Default Domain Policy ({31B2F340-016D-11D2-945F-00C04FB984F9})
The
--all
flag will list every key set by a given GPO, including the ones that are redefined by another GPO with a higher priority. This is traditionally helpful for debugging your GPO stack and discover where a given value is defined:
$ adsysctl policy applied --all
Policies from machine configuration:
- MainOffice Policy 2 ({B8D10A86-0B78-4899-91AF-6F0124ECEB48})
- gdm:
- dconf/org/gnome/desktop/notifications/show-banners: Locked to system default
- MainOffice Policy ({C4F393CA-AD9A-4595-AEBC-3FA6EE484285})
- gdm:
- dconf/org/gnome/desktop/interface/clock-format: 24h
- dconf/org/gnome/desktop/interface/clock-show-date: false
- dconf/org/gnome/desktop/interface/clock-show-weekday: true
- dconf/org/gnome/desktop/screensaver/picture-uri: 'file:///usr/share/backgrounds/ubuntu-default-greyscale-wallpaper.png'
- Default Domain Policy ({31B2F340-016D-11D2-945F-00C04FB984F9})
Policies from user configuration:
- RnD Policy 3 ({073AA7FC-5C1A-4A12-9AFC-42EC9C5CAF04})
- dconf:
- org/gnome/desktop/media-handling/automount: Locked to system default
- RnD Policy 2 ({83A5BD5B-1D5D-472D-827F-DE0E6F714300})
- RnD Policy ({5EC4DF8F-FF4E-41DE-846B-52AA6FFAF242})
- dconf:
- org/gnome/shell/favorite-apps: libreoffice-writer.desktop\nsnap-store_ubuntu-software.desktop\nyelp.desktop
- IT Policy ({75545F76-DEC2-4ADA-B7B8-D5209FD48727})
- dconf:
- org/gnome/desktop/background/picture-options: stretched
- org/gnome/desktop/background/picture-uri: file:///usr/share/backgrounds/canonical.png
- org/gnome/shell/favorite-apps: 'firefox.desktop'\n'thunderbird.desktop'\n'org.gnome.Nautilus.desktop'
- Default Domain Policy ({31B2F340-016D-11D2-945F-00C04FB984F9})
Refreshing the policies¶
The command adsysctl policy update
is used to refresh the policies. By default only the policy of the current user is updated. It can also refresh only the policy of the machine with the flag -m
, or the machine and all the active users with the flag -a
. On success nothing is displayed.
For example, refreshing the policy for all the objects:
$ adsysctl policy update --all -v
INFO No configuration file: Config File "adsys" Not Found in "[/home/warthogs.biz/b/bob /etc]".
We will only use the defaults, env variables or flags.
INFO Apply policy for adclient04 (machine: true)
INFO Apply policy for [email protected] (machine: false)
You can provide the name of a user and the path to its Kerberos ticket to refresh a given user.
For example for user bob@warthogs.biz
$ adsysctl update [email protected] /tmp/krb5cc_1899001102_wBlbck -vv
INFO No configuration file: Config File "adsys" Not Found in "[/home/warthogs.biz/b/bob /etc]".
We will only use the defaults, env variables or flags.
DEBUG Connecting as [[26812:519495]]
DEBUG New request /service/UpdatePolicy
DEBUG Requesting with parameters: IsComputer: false, All: false, Target: [email protected], Krb5Cc: /tmp/krb5cc_1899001102_wBlbck
DEBUG Check if grpc request peer is authorized
DEBUG Polkit call result, authorized: true
DEBUG GetPolicies for "[email protected]", type "user"
DEBUG GPO "RnD Policy 3" for "[email protected]" available at "smb://warthogs.biz/SysVol/warthogs.biz/Policies/{073AA7FC-5C1A-4A12-9AFC-42EC9C5CAF04}"
DEBUG GPO "RnD Policy 2" for "[email protected]" available at "smb://warthogs.biz/SysVol/warthogs.biz/Policies/{83A5BD5B-1D5D-472D-827F-DE0E6F714300}"
DEBUG GPO "RnD Policy" for "[email protected]" available at "smb://warthogs.biz/SysVol/warthogs.biz/Policies/{5EC4DF8F-FF4E-41DE-846B-52AA6FFAF242}"
DEBUG GPO "IT Policy" for "[email protected]" available at "smb://warthogs.biz/SysVol/warthogs.biz/Policies/{75545F76-DEC2-4ADA-B7B8-D5209FD48727}"
DEBUG GPO "Default Domain Policy" for "[email protected]" available at "smb://warthogs.biz/sysvol/warthogs.biz/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}"
DEBUG Analyzing GPO "Default Domain Policy"
DEBUG Analyzing GPO "IT Policy"
DEBUG Analyzing GPO "RnD Policy 2"
DEBUG Analyzing GPO "RnD Policy 3"
DEBUG Analyzing GPO "RnD Policy"
DEBUG Policy "RnD Policy 2" doesn't have any policy for class "user" open /var/cache/adsys/gpo_cache/{83A5BD5B-1D5D-472D-827F-DE0E6F714300}/User/Registry.pol: no such file or directory
DEBUG Policy "Default Domain Policy" doesn't have any policy for class "user" open /var/cache/adsys/gpo_cache/{31B2F340-016D-11D2-945F-00C04FB984F9}/User/Registry.pol: no such file or directory
INFO Apply policy for [email protected] (machine: false)
DEBUG ApplyPolicy dconf policy to [email protected]
DEBUG Update user profile /etc/dconf/profile/[email protected]
DEBUG Analyzing entry {Key:org/gnome/desktop/background/picture-options Value:stretched Disabled:false Meta:s}
DEBUG Analyzing entry {Key:org/gnome/desktop/background/picture-uri Value:file:///usr/share/backgrounds/canonical.png Disabled:false Meta:s}
DEBUG Analyzing entry {Key:org/gnome/desktop/media-handling/automount Value: Disabled:true Meta:}
DEBUG Analyzing entry {Key:org/gnome/shell/favorite-apps Value:libreoffice-writer.desktop
snap-store_ubuntu-software.desktop
yelp.desktop
Disabled:false Meta:as}
Getting the status¶
The status of the service is provided by the command adsysctl service status
$ adsysctl service status
Machine, updated on Tue May 18 12:15
Connected users:
[email protected], updated on Tue May 18 12:15
Active Directory:
Server: ldap://adc01.warthogs.biz
Domain: warthogs.biz
SSS:
Configuration: /etc/sssd/sssd.conf
Cache directory: /var/lib/sss/db
Daemon:
Timeout after 2m0s
Listening on: /run/adsysd.sock
Cache path: /var/cache/adsys
Run path: /run/adsys
Dconf path: /etc/dconf
You can get the list of connected users, when they were last refreshed, when the next refresh is scheduled and various service configuration options (static or dynamically configured).
Debugging¶
The cat
command has already been described in the previous chapter. You can display logs with debugging levels independent of daemon and clients debugging levels. Local printing will also be forwarded.
For example, running cat
while the command version
and applied
are executed:
# adsysctl service cat -vv
INFO No configuration file: Config File "adsys" Not Found in "[/root /etc]".
We will only use the defaults, env variables or flags.
DEBUG Connecting as [[29220:823925]]
DEBUG New request /service/Cat
DEBUG Requesting with parameters:
DEBUG Check if grpc request peer is authorized
DEBUG Authorized as being administrator
INFO New connection from client [[29302:462445]]
DEBUG [[29302:462445]] New request /service/Version
DEBUG [[29302:462445]] Requesting with parameters:
DEBUG [[29302:462445]] Check if grpc request peer is authorized
DEBUG [[29302:462445]] Any user always authorized
DEBUG Request /service/Version done
INFO New connection from client [[29455:217212]]
DEBUG [[29455:217212]] New request /service/DumpPolicies
DEBUG [[29455:217212]] Requesting with parameters: Target: [email protected], Details: false, All: false
DEBUG [[29455:217212]] Check if grpc request peer is authorized
DEBUG [[29455:217212]] Polkit call result, authorized: true
INFO [[29455:217212]] Dumping policies for [email protected]
DEBUG Request /service/DumpPolicies done
Other commands¶
Versions¶
You can get the current service and client versions with the version
command to check you are running with latest version on both sides:
$ adsysctl version
adsysctl 0.5
adsysd 0.5
Documentation¶
An offline version of this documentation is available in the daemon. It will render the documentation on the command line.
You can get a list of all chapters with their titles:
$ adysctl doc
Table of content
1. [Welcome] ADSys: Active Directory Group Policy integration
2. [Prerequisites] Prerequisites and installation
[…]
And render a given chapter by requesting it:
$ adsysctl doc Welcome
ADSys: Active Directory Group Policy integration
ADSys is the Active Directory Group Policy client for Ubuntu. It allows
[…]
Finally, there are different rendering modes to dump documentation in html for instance with the --format
flag.
Admx generation¶
The policy admx
commands dumps pre-built Active Directory administrative templates that can be deployed on the Active Directory server. For more information, check the AD setup documentation
Stopping the service¶
If you do not wish to wait for the idling timeout to stop the server, you can request graceful shutdown with adsysctl service stop
. This will first wait for all active connections to ends before shutting down.
The -force
flag will end the service immediately.