cache-clear
Clear or invalidate the himmelblaud resolver cache.
By default (no flags), marks all cached user and group entries as stale, forcing them to refresh from Entra ID the next time they are used. Use --nss or --mapped to target individual caches. Use --full to completely wipe the cache and unjoin the device from Entra ID.
```bash
# Mark all entries stale (soft refresh)
sudo aad-tool cache-clear

# Clear only the NSS cache
sudo aad-tool cache-clear --nss

# Clear only the mapped name cache
sudo aad-tool cache-clear --mapped

# Full wipe and unjoin from Entra ID (destructive, irreversible)
sudo aad-tool cache-clear --full
```
| Flag | Description |
|---|---|
| --nss | Clear only the NSS resolution cache. |
| --mapped | Clear only the mapped name cache. |
| --full | Completely purge all cached user and group entries and unjoin the host from Entra ID. |
| --debug / -d | Enable verbose debug logging. |
--full unjoins the device from Entra ID. This is irreversible — you will need to re-enroll the machine to restore Entra ID authentication.
cache-invalidate (deprecated)
Previously used to mark cache entries as stale for immediate refresh. This command now behaves identically to cache-clear and will be removed in a future release. Use cache-clear instead.
| Flag | Description |
|---|---|
| --nss | Clear only the NSS resolution cache. |
| --mapped | Clear only the mapped name cache. |
| --full | Completely purge all cached entries and unjoin from Entra ID. |
| --debug / -d | Enable verbose debug logging. |
enumerate
Enumerate all users and groups in Entra ID that have rfc2307 attributes, and cache their values locally. This addresses the case where UID/GID mappings are needed before authentication can succeed — for example, when getent passwd must resolve users who have not yet logged in.
```bash
# Enumerate using the app_id from himmelblau.conf
sudo aad-tool enumerate

# Enumerate using a specific account and client application
# (<USER_UPN> is the Entra ID user principal name, e.g. a user in your tenant)
sudo aad-tool enumerate --name <USER_UPN> --client-id <CLIENT_ID>
```
| Flag | Short | Description |
|---|---|---|
| --name | -D | The Entra ID user on whose behalf the token is requested, enabling delegated access through the specified client application. |
| --client-id | | Client ID of a registered Entra ID application with User.Read.All and Group.Read.All permissions. If omitted, uses the app_id set in himmelblau.conf. |
| --debug | -d | Enable verbose debug logging. |
This command can only be run from an Entra ID enrolled host.
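The cache-clear and enumerate sections above describe a typical pre-authentication maintenance cycle: mark the resolver cache stale without unjoining the host, enumerate the rfc2307-backed users and groups, then confirm that the principals you expect are resolvable through NSS before anyone logs in. The following script is an added example of that cycle and is not part of aad-tool or Himmelblau. It assumes aad-tool is on PATH and is run as root (the page invokes it with sudo); the helper names, the RefusedFullWipe guard, and the sample principal list are constructed for illustration. The --full guard exists because that flag unjoins the device irreversibly, so the wrapper refuses it unless the caller opts in explicitly.

```python
"""Refresh himmelblau's resolver cache and verify that expected principals
resolve through NSS before they have ever authenticated.

Added example (not aad-tool's own code). Assumes the subcommands and flags
documented on this page; helper names and sample data are constructed.
"""
import pwd
import shlex
import subprocess
from typing import Callable, Iterable, List, Optional

AAD_TOOL = "aad-tool"  # assumed to be on PATH; run this script as root


class RefusedFullWipe(RuntimeError):
    """Raised when a --full wipe is requested without explicit confirmation."""


def cache_clear_argv(scope: str = "all", confirm_full: bool = False) -> List[str]:
    """Build the aad-tool cache-clear command line for one scope.

    scope: "all" (mark every entry stale, the default behaviour with no flags),
    "nss", "mapped", or "full". A "full" wipe unjoins the host from Entra ID
    and cannot be undone, so it is refused unless confirm_full=True is passed.
    """
    flags = {"all": [], "nss": ["--nss"], "mapped": ["--mapped"], "full": ["--full"]}
    if scope not in flags:
        raise ValueError(f"unknown cache-clear scope: {scope!r}")
    if scope == "full" and not confirm_full:
        raise RefusedFullWipe("cache-clear --full unjoins the device; pass confirm_full=True")
    return [AAD_TOOL, "cache-clear", *flags[scope]]


def enumerate_argv(name: Optional[str] = None, client_id: Optional[str] = None) -> List[str]:
    """Build the aad-tool enumerate command line.

    With no arguments the tool falls back to the app_id in himmelblau.conf.
    """
    argv = [AAD_TOOL, "enumerate"]
    if name:
        argv += ["--name", name]
    if client_id:
        argv += ["--client-id", client_id]
    return argv


def nss_resolves(name: str) -> bool:
    """True if the passwd database knows name (same NSS path as `getent passwd`)."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def unresolved(names: Iterable[str], resolver: Callable[[str], bool] = nss_resolves) -> List[str]:
    """Return the principals that do not resolve, in input order."""
    return [n for n in names if not resolver(n)]


def run(argv: List[str]) -> None:
    """Echo and run a command; raises CalledProcessError on non-zero exit."""
    print("+", shlex.join(argv))
    subprocess.run(argv, check=True)


def refresh_and_verify(expected: Iterable[str]) -> List[str]:
    """Soft-refresh the cache, enumerate rfc2307 entries, report principals that still do not resolve."""
    run(cache_clear_argv("all"))  # stale, not wiped: the device stays joined
    run(enumerate_argv())         # populate UID/GID mappings before first login
    return unresolved(expected)


if __name__ == "__main__":
    # Constructed sample: principals that should resolve once enumerate has run.
    EXPECTED = ["alice@example.com", "bob@example.com"]
    missing = refresh_and_verify(EXPECTED)
    if missing:
        raise SystemExit(f"not resolvable via NSS: {', '.join(missing)}")
    print("all expected principals resolve")
```

Because unresolved() takes an injectable resolver, the verification step can be exercised against a fixed set of names without touching the host's NSS configuration, while the default resolver uses pwd.getpwnam and therefore reflects exactly what getent passwd would return after enumerate has populated the cache.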