mmadquery command
Queries and validates Active Directory (AD) server settings.
Synopsis
mmadquery list {user | uids | gids | groups | dc | trusts | idrange} [Options]
or
mmadquery check {uids | gids | idrange} [Options]
or
mmadquery stats {user | uids}
Availability
Available on all IBM Spectrum Scale editions.
Description
Use the mmadquery command to query an AD server for users, groups, user IDs, group IDs, known domain controllers, and trusts, and to run consistency checks.
Parameters
- user
- Queries and lists the defined users.
- uids
- Queries and lists the defined users with user IDs and group IDs.
- gids
- Queries and lists the defined groups with group IDs.
- groups
- Queries and lists the defined groups.
- dc
- Queries and lists the defined domain controllers.
- trusts
- Queries and lists the defined trusts.
- idrange
- Queries and lists the ID range used by a given AD server.
- Options
- --server SERVER
- Specifies the IP address of the AD server you want to query. If you do not specify a server, mmadquery attempts to get the AD server from the /etc/resolv.conf file (nameserver).
Note: Use this option together with the --domain option, which is described next.
- --domain DOMAIN
- Specifies the Windows domain. If you do not specify a domain, mmadquery uses nslookup to determine the domain based on the server.
Note: Use this option together with the --server option.
- --user USER
- Specifies the AD user used to run the LDAP query against the AD server. The default is Administrator.
- --pwd-file File
- Specifies the file that contains a password to use for authentication.
- --filter FILTER
- Specifies a search phrase that limits the number of LDAP objects queried. The phrase is applied only to the first column of the output: every LDAP object beginning with the search phrase is queried.
- --CSV
- Shows output in machine-parseable (CSV) format.
- -Y
- Displays the command output in a parseable format with a colon (:) as a field delimiter. Each column is described by a header.
Note: Fields that have a colon (:) are encoded to prevent confusion. For the set of characters that might be encoded, see the command documentation of mmclidecode. Use the mmclidecode command to decode the field.
- --debug or -d
- Shows debugging information.
- --basedn or -b
- Includes basedn for LDAP objects queried in query output. This option is not supported when querying idrange or running a 'stats' query.
- --traverse
- Traverses all known domains and provides query output for all domains that are detected.
- --long or -L
- Indicates that you want to see more details. For more information, see Level of query detail below. This option is not supported for the "stats" queries.
Level of query detail
Query | Additional content |
---|---|
User | Group membership |
DC | Operating system |
UIDs | GID, Primary Group ID |
Trusts | DC |
Exit status
- 0
- No errors found.
- 1
- No arguments specified.
- 10
- Failed a check.
- 11
- Unable to determine the AD server to check.
- 12
- Unable to determine the domain.
- 13
- Failed to construct a basedn for an LDAP query.
- 99
- Access to the AD server failed. The cause can be an incorrect password, user, or domain.
Security
You must have root authority to run the mmadquery command. For more information, see Requirements for administering a GPFS file system.
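A wrapper for scheduled consistency checks, added here as an example and not part of the IBM documentation: it refuses a password file that other accounts can read, and it uses the exit statuses listed above to separate a failed check (10) from a check that never ran (11, 12, 13, 99). The MMADQUERY override variable and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not IBM code. MMADQUERY is an assumed override so the wrapper
# can be exercised without a cluster; the default is the documented location.

# True only if $1 is a regular file (not a symlink), owned by the invoking
# user (root, when run as documented), with no group/other permission bits.
pwd_file_is_safe() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    ls -ldn -- "$f" | (
        read -r mode _links owner _rest
        [ "$owner" = "$(id -u)" ] || exit 1
        case $mode in
            -r[w-]-------*) exit 0 ;;
            *) exit 1 ;;
        esac
    )
}

# run_check SUBJECT PWDFILE   (SUBJECT: uids | gids | idrange)
# Returns 0 = check passed, 1 = check ran and failed (exit status 10),
#         2 = check did not run, so the result is unknown.
run_check() {
    subject=$1 pwfile=$2
    if ! pwd_file_is_safe "$pwfile"; then
        echo "refusing to use $pwfile: not a private regular file" >&2
        return 2
    fi
    "${MMADQUERY:-/usr/lpp/mmfs/bin/mmadquery}" check "$subject" \
        --pwd-file "$pwfile" && rc=0 || rc=$?
    case $rc in
        0)  return 0 ;;
        10) echo "FINDING: $subject check reported a failure" >&2
            return 1 ;;
        11) why="AD server could not be determined" ;;
        12) why="domain could not be determined" ;;
        13) why="basedn could not be constructed" ;;
        99) why="access to the AD server failed (password, user, or domain)" ;;
        *)  why="unexpected exit status $rc" ;;
    esac
    echo "UNKNOWN: $subject check did not run: $why" >&2
    return 2
}
```

A monitoring job should alert on return value 2 as well as 1, because a check that could not authenticate says nothing about whether the IDs are inside the mapping range.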
Examples
- To show a list of users for the AD server, run this command:
    mmadquery list user --pwd-file /tmp/mmadquery.cfg
The system displays information similar to:
    USER from server 9.155.106.234 (domain subdom1.mzdom.com)
    User
    -------------
    Administrator
    Guest
    krbtgt
    MZDOM$
    aduser1
    aduser2
    Taduser3
- To show a list of groups for the AD server, run this command:
    mmadquery list groups --pwd-file /tmp/mmadquery.cfg
The system displays information similar to:
    GROUPS from server 9.155.106.234 (domain subdom1.mzdom.com)
    Group
    ---------------------------------------
    Domain Computers
    Cert Publishers
    Domain Users
    Domain Guests
    RAS and IAS Servers
    Domain Admins
    Schema Admins
    Enterprise Admins
    Group Policy Creator Owners
    Allowed RODC Password Replication Group
    Denied RODC Password Replication Group
    Enterprise Read-only Domain Controllers
    Domain Controllers
    Read-only Domain Controllers
    DnsAdmins
    DnsUpdateProxy
    UNIXGRP
    unmapped group
    bla
- To check user IDs against the locally defined ID mapping range, issue the following command:
    mmadquery check uids --pwd-file /tmp/mmadquery.cfg -L
The system displays information similar to:
    UIDS from server 9.155.106.234 (domain subdom1.mzdom.com)
    User          SID                                            UID     UIDNumber GIDNumber Primary Group ID
    ----------------------------------------------------------------------------------------------
    Guest         S-1-5-21-2808815044-4164012579-2832416960-501  -       -         -         514
    SUBDOM1$      S-1-5-21-2808815044-4164012579-2832416960-1103 -       -         -         513
    Administrator S-1-5-21-2808815044-4164012579-2832416960-500  -       -         -         513
    krbtgt        S-1-5-21-2808815044-4164012579-2832416960-502  -       -         -         513
    User 1        S-1-5-21-2808815044-4164012579-2832416960-1107 -       -         -         513
    aduser1       S-1-5-21-2808815044-4164012579-2832416960-1601 aduser1 20000007  20000008  513
    User 2        S-1-5-21-2808815044-4164012579-2832416960-1110 aduser  10001     20000009  513
    WARNING: UID of user User 2 outside id mapping range 'mzdom'.
- To show a list of users with group membership by domain, run this command:
    mmadquery list user -L --pwd-file /tmp/mmadquery.cfg --traverse
The system displays information similar to:
    USER from server 9.155.106.232 (domain mzdom.com)
    User          Groups
    ---------------------------------------------------------------------------------- ---------
    Guest         Guests
    SUBDOM1$
    Administrator Group Policy Creator Owners,Enterprise Admins,Schema Admins,Domain Admins,Administrators
    krbtgt        Denied RODC Password Replication Group
    aduser1       Administrators
    aduser2       bla,unmapped group
    aduser3
    aduser4
    USER from server 9.155.106.234 (domain subdom1.mzdom.com)
    User          Groups
    ------------- --------------------------------------------------------
    Administrator Group Policy Creator Owners,Domain Admins,Administrators
    Guest         Guests
    krbtgt Denied RODC Password Replication Group Administrators MZDOM$ aduser1 aduser2 aduser3 aduser4
- To show the number of users by group and domain, run this command:
    mmadquery stats user -L --pwd-file /tmp/mmadquery.cfg --traverse
The system displays information similar to:
    USER from server 9.155.106.232 (domain mzdom.com)
    Group                                  Count
    -------------------------------------- -----
    TOTAL                                  7
    Guests                                 1
    Group Policy Creator Owners            1
    Enterprise Admins                      1
    Schema Admins                          1
    Domain Admins                          1
    Administrators                         2
    Denied RODC Password Replication Group 1
    bla                                    1
    unmapped group                         1
    USER from server 198.51.100.13 (domain subdom1.mzdom.com)
    Group                                  Count
    -------------------------------------- -----
    TOTAL                                  7
    Group Policy Creator Owners            1
    Domain Admins                          1
    Administrators                         2
    Guests                                 1
    Denied RODC Password Replication Group 1
- To show a list of the number of unmapped users, run this command:
    mmadquery stats uids --pwd-file /tmp/mmadquery.cfg
The system displays information similar to:
    UIDS from server 9.155.106.232 (domain mzdom.com)
    Group     Count
    --------- -----
    TOTAL     7
    MAPPED    2
    UN-MAPPED 5
- To check group IDs against the locally defined ID map, run this command:
    mmadquery check gids -L --pwd-file /tmp/mmadquery.cfg
The system displays information similar to:
    GIDS from server 9.155.106.232 (domain w2k8r2-dom02.mzdom.com)
    Group                                   SID                                            UID UIDNumber GIDNumber
    -------------------------------------------------------------------------------------------------------------------------
    Domain Computers                        S-1-5-21-2808815044-4164012579-2832416960-515  - - -
    Cert Publishers                         S-1-5-21-2808815044-4164012579-2832416960-517  - - -
    Domain Users                            S-1-5-21-2808815044-4164012579-2832416960-513  - - 20000008 -
    Domain Guests                           S-1-5-21-2808815044-4164012579-2832416960-514  - - -
    RAS and IAS Servers                     S-1-5-21-2808815044-4164012579-2832416960-553  - - -
    Domain Admins                           S-1-5-21-2808815044-4164012579-2832416960-512  - - -
    Schema Admins                           S-1-5-21-2808815044-4164012579-2832416960-518  - - -
    Enterprise Admins                       S-1-5-21-2808815044-4164012579-2832416960-519  - - -
    Group Policy Creator Owners             S-1-5-21-2808815044-4164012579-2832416960-520  - - -
    Allowed RODC Password Replication Group S-1-5-21-2808815044-4164012579-2832416960-571  - - -
    Denied RODC Password Replication Group  S-1-5-21-2808815044-4164012579-2832416960-57   - - -
    Enterprise Read-only Domain Controllers S-1-5-21-2808815044-4164012579-2832416960-498  - - -
    Domain Controllers                      S-1-5-21-2808815044-4164012579-2832416960-516  - - -
    Read-only Domain Controllers            S-1-5-21-2808815044-4164012579-2832416960-521  - - -
    DnsAdmins                               S-1-5-21-2808815044-4164012579-2832416960-1101 - - -
    DnsUpdateProxy                          S-1-5-21-2808815044-4164012579-2832416960-1102 - - -
    UNIXGRP                                 S-1-5-21-2808815044-4164012579-2832416960-1104 - - 200002222 -
    unmapped group                          S-1-5-21-2808815044-4164012579-2832416960-1603 - - -
    bla                                     S-1-5-21-2808815044-4164012579-2832416960-1604 - - - -
    WARNING: GID of group 'UNIXGRP' outside id mapping range 'mzdom'.
- To show a list of domain controllers, run the following command:
    mmadquery list dc -L --pwd-file /tmp/mmadquery.cfg
The system displays information similar to:
    DC from server 9.155.106.232 (domain w2k8r2-dom02.mzdom.com)
    DC            Hostname               Operating System
    ------------- --------------------- ------------------------------
    WW2K8R2-DOM03 w2k8r2-dom03.mzdom.com Windows Server 2008 R2 Standard
    WW2K8R2-DOM02 w2k8r2-dom02.mzdom.com Windows Server 2008 R2 Standard
- To show a list of trusts, run the following command:
    mmadquery list trusts --pwd-file /tmp/mmadquery.cfg
The system displays information similar to:
    TRUSTS from server 9.155.106.232 (domain w2k8r2-dom02.mzdom.com)
    DC Trust Type
    ----------------- ----------------------------
    subdom1.mzdom.com Within Forest bi-directional
    w2k12dom.com      Forest Transitive outbound
- To show a list of ID ranges and to check whether any IDs on the AD server are outside of the locally defined ID range, run this command:
    mmadquery check idrange --pwd-file /tmp/mmadquery.cfg
The system displays information similar to:
    IDRANGE from server 9.155.106.232 (domain w2k8r2-dom02.mzdom.com)
    Domain    IDRange         IDMapRange
    --------- --------------- -----------------
    msdom.com 10001-200000000 20000000-25999999
    WARNING: IDs from domain 'mzdom.com' are outside locally defined id mapping range 'mzdom'.
- To show a list of ID ranges by domain, run this command:
    mmadquery list idrange --pwd-file /tmp/mmadquery.cfg -L --traverse
The system displays information similar to:
    IDRANGE from server 9.155.106.232 (domain mzdom.com)
    Domain            IDRange            IDMapRange
    ----------------- ------------------ -----------------
    mzdom.com         10001--260000009   10000000-29999999
    IDRANGE from server 9.155.106.234 (domain subdom1.mzdom.com)
    Domain            IDRange            IDMapRange
    ----------------- ------------------ -----------------
    subdom1.mzdom.com 200000001-26000010 10000000-29999999
Location
/usr/lpp/mmfs/bin