NET(8) System Administration tools NET(8)

6 net - Tool for administration of Samba and remote CIFS servers.
7
9 net {<ads|rap|rpc>} [-h|--help] [-w|--workgroup workgroup]
10 [-W|--myworkgroup myworkgroup] [-U|--user user]
11 [-I|--ipaddress ip-address] [-p|--port port] [-n myname] [-s conffile]
12 [-S|--server server] [-l|--long] [-v|--verbose] [-f|--force]
13 [-P|--machine-pass] [-d debuglevel] [-V] [--request-timeout seconds]
14 [-t|--timeout seconds] [-i|--stdin] [--tallocreport]
15
17 This tool is part of the samba(7) suite.
18
The Samba net utility is meant to work just like the net utility
available for Windows and DOS. The first argument should be used to
specify the protocol to use when executing a certain command. ADS is
used for Active Directory, RAP is used for old (Win9x/NT3) clients and
RPC can be used for NT4 and Windows 2000. If this argument is omitted,
net will try to determine it automatically. Not all commands are
available on all protocols.
26
28 -?|--help
29 Print a summary of command line options.
30
31 -k|--kerberos
32 Try to authenticate with kerberos. Only useful in an Active
33 Directory environment.
34
35 -w|--workgroup target-workgroup
36 Sets target workgroup or domain. You have to specify either this
37 option or the IP address or the name of a server.
38
39 -W|--myworkgroup workgroup
40 Sets client workgroup or domain
41
42 -U|--user user
43 User name to use
44
45 -I|--ipaddress ip-address
46 IP address of target server to use. You have to specify either this
47 option or a target workgroup or a target server.
48
49 -p|--port port
50 Port on the target server to connect to (usually 139 or 445).
51 Defaults to trying 445 first, then 139.
52
53 -n|--netbiosname <primary NetBIOS name>
54 This option allows you to override the NetBIOS name that Samba uses
55 for itself. This is identical to setting the netbios name parameter
56 in the smb.conf file. However, a command line setting will take
57 precedence over settings in smb.conf.
58
59 -S|--server server
60 Name of target server. You should specify either this option or a
61 target workgroup or a target IP address.
62
63 -l|--long
64 When listing data, give more information on each item.
65
66 -v|--verbose
67 When listing data, give more verbose information on each item.
68
69 -f|--force
70 Enforcing a net command.
71
72 -P|--machine-pass
73 Make queries to the external server using the machine account of
74 the local server.
75
--request-timeout 30
Let client requests time out after 30 seconds. The default is 10
seconds.
79
80 -t|--timeout 30
81 Set timeout for client operations to 30 seconds.
82
83 --use-ccache
84 Try to use the credentials cached by winbind.
85
86 -i|--stdin
87 Take input for net commands from standard input.
88
89 --tallocreport
90 Generate a talloc report while processing a net command.
91
92 -T|--test
93 Only test command sequence, dry-run.
94
95 -F|--flags FLAGS
96 Pass down integer flags to a net subcommand.
97
98 -C|--comment COMMENT
99 Pass down a comment string to a net subcommand.
100
101 -n|--myname MYNAME
102 Use MYNAME as a requester name for a net subcommand.
103
104 -c|--container CONTAINER
105 Use a specific AD container for net ads operations.
106
107 -M|--maxusers MAXUSERS
108 Fill in the maxusers field in net rpc share operations.
109
110 -r|--reboot
111 Reboot a remote machine after a command has been successfully
112 executed (e.g. in remote join operations).
113
114 --force-full-repl
115 When calling "net rpc vampire keytab" this option enforces a full
116 re-creation of the generated keytab file.
117
118 --single-obj-repl
119 When calling "net rpc vampire keytab" this option allows one to
120 replicate just a single object to the generated keytab file.
121
122 --clean-old-entries
123 When calling "net rpc vampire keytab" this option allows one to
124 cleanup old entries from the generated keytab file.
125
126 --db
127 Define dbfile for "net idmap" commands.
128
129 --lock
130 Activates locking of the dbfile for "net idmap check" command.
131
132 -a|--auto
133 Activates noninteractive mode in "net idmap check".
134
135 --repair
136 Activates repair mode in "net idmap check".
137
138 --acls
139 Includes ACLs to be copied in "net rpc share migrate".
140
141 --attrs
142 Includes file attributes to be copied in "net rpc share migrate".
143
144 --timestamps
145 Includes timestamps to be copied in "net rpc share migrate".
146
147 -X|--exclude DIRECTORY
148 Allows one to exclude directories when copying with "net rpc share
149 migrate".
150
151 --destination SERVERNAME
152 Defines the target servername of migration process (defaults to
153 localhost).
154
155 -L|--local
156 Sets the type of group mapping to local (used in "net groupmap
157 set").
158
159 -D|--domain
160 Sets the type of group mapping to domain (used in "net groupmap
161 set").
162
163 -N|--ntname NTNAME
164 Sets the ntname of a group mapping (used in "net groupmap set").
165
166 -R|--rid RID
167 Sets the rid of a group mapping (used in "net groupmap set").
168
169 --reg-version REG_VERSION
170 Assume database version {n|1,2,3} (used in "net registry check").
171
172 -o|--output FILENAME
173 Output database file (used in "net registry check").
174
175 --wipe
176 Create a new database from scratch (used in "net registry check").
177
178 --precheck PRECHECK_DB_FILENAME
179 Defines filename for database prechecking (used in "net registry
180 import").
181
182 --no-dns-updates
183 Do not perform DNS updates as part of "net ads join".
184
-e|--encrypt
This command line parameter requires that the remote server support
the UNIX extensions or that the SMB3 protocol has been selected.
Requests that the connection be encrypted. Negotiates SMB
encryption using either SMB3 or POSIX extensions via GSSAPI. Uses
the given credentials for the encryption negotiation (either
Kerberos, or NTLMv1/v2 if given a domain/username/password triple).
Fails the connection if encryption cannot be negotiated.
193
194 -d|--debuglevel=level
195 level is an integer from 0 to 10. The default value if this
196 parameter is not specified is 1.
197
198 The higher this value, the more detail will be logged to the log
199 files about the activities of the server. At level 0, only critical
200 errors and serious warnings will be logged. Level 1 is a reasonable
201 level for day-to-day running - it generates a small amount of
202 information about operations carried out.
203
204 Levels above 1 will generate considerable amounts of log data, and
205 should only be used when investigating a problem. Levels above 3
206 are designed for use only by developers and generate HUGE amounts
207 of log data, most of which is extremely cryptic.
208
209 Note that specifying this parameter here will override the log
210 level parameter in the smb.conf file.
211
212 -V|--version
213 Prints the program version number.
214
215 -s|--configfile=<configuration file>
216 The file specified contains the configuration details required by
217 the server. The information in this file includes server-specific
218 information such as what printcap file to use, as well as
219 descriptions of all the services that the server is to provide. See
220 smb.conf for more information. The default configuration file name
221 is determined at compile time.
222
223 -l|--log-basename=logdirectory
224 Base directory name for log/debug files. The extension ".progname"
225 will be appended (e.g. log.smbclient, log.smbd, etc...). The log
226 file is never removed by the client.
227
228 --option=<name>=<value>
229 Set the smb.conf(5) option "<name>" to value "<value>" from the
230 command line. This overrides compiled-in defaults and options read
231 from the configuration file.
232
234 CHANGESECRETPW
235 This command allows the Samba machine account password to be set from
236 an external application to a machine account password that has already
237 been stored in Active Directory. DO NOT USE this command unless you
238 know exactly what you are doing. The use of this command requires that
239 the force flag (-f) be used also. There will be NO command prompt.
240 Whatever information is piped into stdin, either by typing at the
241 command line or otherwise, will be stored as the literal machine
242 password. Do NOT use this without care and attention as it will
243 overwrite a legitimate machine password without warning. YOU HAVE BEEN
244 WARNED.
245
246 TIME
247 The NET TIME command allows you to view the time on a remote server or
248 synchronise the time on the local server with the time on the remote
249 server.
250
251 TIME
252 Without any options, the NET TIME command displays the time on the
253 remote server. The remote server must be specified with the -S option.
254
255 TIME SYSTEM
256 Displays the time on the remote server in a format ready for /bin/date.
257 The remote server must be specified with the -S option.
258
259 TIME SET
260 Tries to set the date and time of the local server to that on the
261 remote server using /bin/date. The remote server must be specified with
262 the -S option.
263
264 TIME ZONE
265 Displays the timezone in hours from GMT on the remote server. The
266 remote server must be specified with the -S option.
267
268 [RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]]
269 [createupn=UPN] [createcomputer=OU] [machinepass=PASS] [osName=string
270 osVer=string] [options]
Join a domain. If the account already exists on the server, and [TYPE]
is MEMBER, the machine will attempt to join automatically (assuming
that the machine has been created in server manager). Otherwise, a
password will be prompted for, and a new account may be created.
275
276 [TYPE] may be PDC, BDC or MEMBER to specify the type of server joining
277 the domain.
278
279 [UPN] (ADS only) set the principalname attribute during the join. The
280 default format is host/netbiosname@REALM.
281
282 [OU] (ADS only) Precreate the computer account in a specific OU. The OU
283 string reads from top to bottom without RDNs, and is delimited by a
284 '/'. Please note that '\' is used for escape by both the shell and
285 ldap, so it may need to be doubled or quadrupled to pass through, and
286 it is not used as a delimiter.
287
288 [PASS] (ADS only) Set a specific password on the computer account being
289 created by the join.
290
291 [osName=string osVer=String] (ADS only) Set the operatingSystem and
292 operatingSystemVersion attribute during the join. Both parameters must
293 be specified for either to take effect.
294
295 [RPC] OLDJOIN [options]
296 Join a domain. Use the OLDJOIN option to join the domain using the old
297 style of domain joining - you need to create a trust account in server
298 manager first.
299
300 [RPC|ADS] USER
301 [RPC|ADS] USER
302 List all users
303
304 [RPC|ADS] USER DELETE target
305 Delete specified user
306
307 [RPC|ADS] USER INFO target
308 List the domain groups of the specified user.
309
310 [RPC|ADS] USER RENAME oldname newname
311 Rename specified user.
312
313 [RPC|ADS] USER ADD name [password] [-F user flags] [-C comment]
314 Add specified user.
315
316 [RPC|ADS] GROUP
317 [RPC|ADS] GROUP [misc options] [targets]
318 List user groups.
319
320 [RPC|ADS] GROUP DELETE name [misc. options]
321 Delete specified group.
322
323 [RPC|ADS] GROUP ADD name [-C comment]
324 Create specified group.
325
326 [RAP|RPC] SHARE
327 [RAP|RPC] SHARE [misc. options] [targets]
328 Enumerates all exported resources (network shares) on target server.
329
330 [RAP|RPC] SHARE ADD name=serverpath [-C comment] [-M maxusers] [targets]
331 Adds a share from a server (makes the export active). Maxusers
332 specifies the number of users that can be connected to the share
333 simultaneously.
334
335 SHARE DELETE sharename
336 Delete specified share.
337
338 [RPC|RAP] FILE
339 [RPC|RAP] FILE
340 List all open files on remote server.
341
342 [RPC|RAP] FILE CLOSE fileid
343 Close file with specified fileid on remote server.
344
345 [RPC|RAP] FILE INFO fileid
346 Print information on specified fileid. Currently listed are: file-id,
347 username, locks, path, permissions.
348
349 [RAP|RPC] FILE USER user
350 List files opened by specified user. Please note that net rap file user
351 does not work against Samba servers.
352
353 SESSION
354 RAP SESSION
355 Without any other options, SESSION enumerates all active SMB/CIFS
356 sessions on the target server.
357
358 RAP SESSION DELETE|CLOSE CLIENT_NAME
359 Close the specified sessions.
360
361 RAP SESSION INFO CLIENT_NAME
362 Give a list with all the open files in specified session.
363
364 RAP SERVER DOMAIN
365 List all servers in specified domain or workgroup. Defaults to local
366 domain.
367
368 RAP DOMAIN
369 Lists all domains and workgroups visible on the current network.
370
371 RAP PRINTQ
372 RAP PRINTQ INFO QUEUE_NAME
373 Lists the specified print queue and print jobs on the server. If the
374 QUEUE_NAME is omitted, all queues are listed.
375
376 RAP PRINTQ DELETE JOBID
377 Delete job with specified id.
378
379 RAP VALIDATE user [password]
Validate whether the specified user can log in to the remote server. If
the password is not specified on the command line, it will be prompted
for.
382
383 Note
384 Currently NOT implemented.
385
386 RAP GROUPMEMBER
387 RAP GROUPMEMBER LIST GROUP
388 List all members of the specified group.
389
390 RAP GROUPMEMBER DELETE GROUP USER
391 Delete member from group.
392
393 RAP GROUPMEMBER ADD GROUP USER
394 Add member to group.
395
396 RAP ADMIN command
397 Execute the specified command on the remote server. Only works with
398 OS/2 servers.
399
400 Note
401 Currently NOT implemented.
402
403 RAP SERVICE
404 RAP SERVICE START NAME [arguments...]
405 Start the specified service on the remote server. Not implemented yet.
406
407 Note
408 Currently NOT implemented.
409
410 RAP SERVICE STOP
411 Stop the specified service on the remote server.
412
413 Note
414 Currently NOT implemented.
415
416 RAP PASSWORD USER OLDPASS NEWPASS
417 Change password of USER from OLDPASS to NEWPASS.
418
419 LOOKUP
420 LOOKUP HOST HOSTNAME [TYPE]
421 Lookup the IP address of the given host with the specified type
422 (netbios suffix). The type defaults to 0x20 (workstation).
423
424 LOOKUP LDAP [DOMAIN]
425 Give IP address of LDAP server of specified DOMAIN. Defaults to local
426 domain.
427
428 LOOKUP KDC [REALM]
429 Give IP address of KDC for the specified REALM. Defaults to local
430 realm.
431
LOOKUP DC [DOMAIN]
Give IP addresses of Domain Controllers for the specified DOMAIN.
Defaults to local domain.
435
436 LOOKUP MASTER DOMAIN
437 Give IP of master browser for specified DOMAIN or workgroup. Defaults
438 to local domain.
439
440 CACHE
441 Samba uses a general caching interface called 'gencache'. It can be
442 controlled using 'NET CACHE'.
443
444 All the timeout parameters support the suffixes:
445 s - Seconds
446 m - Minutes
447 h - Hours
448 d - Days
449 w - Weeks
450
451 CACHE ADD key data time-out
452 Add specified key+data to the cache with the given timeout.
453
454 CACHE DEL key
455 Delete key from the cache.
456
457 CACHE SET key data time-out
458 Update data of existing cache entry.
459
460 CACHE SEARCH PATTERN
461 Search for the specified pattern in the cache data.
462
463 CACHE LIST
464 List all current items in the cache.
465
466 CACHE FLUSH
467 Remove all the current items from the cache.
468
469 GETLOCALSID [DOMAIN]
470 Prints the SID of the specified domain, or if the parameter is omitted,
471 the SID of the local server.
472
473 SETLOCALSID S-1-5-21-x-y-z
474 Sets SID for the local server to the specified SID.
475
476 GETDOMAINSID
477 Prints the local machine SID and the SID of the current domain.
478
479 SETDOMAINSID
480 Sets the SID of the current domain.
481
482 GROUPMAP
Manage the mappings between Windows group SIDs and UNIX groups. Common
options include:

· unixgroup - Name of the UNIX group

· ntgroup - Name of the Windows NT group (must be resolvable to a SID)

· rid - Unsigned 32-bit integer

· sid - Full SID in the form of "S-1-..."

· type - Type of the group; either 'domain', 'local', or 'builtin'

· comment - Freeform text description of the group

500
501 GROUPMAP ADD
502 Add a new group mapping entry:
503
504 net groupmap add {rid=int|sid=string} unixgroup=string \
505 [type={domain|local}] [ntgroup=string] [comment=string]
506
507
508
509 GROUPMAP DELETE
510 Delete a group mapping entry. If more than one group name matches, the
511 first entry found is deleted.
512
513 net groupmap delete {ntgroup=string|sid=SID}
514
515 GROUPMAP MODIFY
516 Update an existing group entry.
517
518 net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] \
519 [comment=string] [type={domain|local}]
520
521
522
523 GROUPMAP LIST
524 List existing group mapping entries.
525
526 net groupmap list [verbose] [ntgroup=string] [sid=SID]
527
528 MAXRID
529 Prints out the highest RID currently in use on the local server (by the
530 active 'passdb backend').
531
532 RPC INFO
533 Print information about the domain of the remote server, such as domain
534 name, domain sid and number of users and groups.
535
536 [RPC|ADS] TESTJOIN
537 Check whether participation in a domain is still valid.
538
539 [RPC|ADS] CHANGETRUSTPW
540 Force change of domain trust password.
541
542 RPC TRUSTDOM
RPC TRUSTDOM ADD DOMAIN
Add an interdomain trust account for DOMAIN. This is in fact a Samba
account named DOMAIN$ with the account flag 'I' (interdomain trust
account). This is required for incoming trusts to work. It makes Samba
a trusted domain of the foreign (trusting) domain. Users of the
Samba domain will be made available in the foreign domain. If the
command is used against localhost it has the same effect as smbpasswd
-a -i DOMAIN. Please note that both commands expect an appropriate UNIX
account.
552
553 RPC TRUSTDOM DEL DOMAIN
554 Remove interdomain trust account for DOMAIN. If it is used against
555 localhost it has the same effect as smbpasswd -x DOMAIN$.
556
557 RPC TRUSTDOM ESTABLISH DOMAIN
558 Establish a trust relationship to a trusted domain. Interdomain account
559 must already be created on the remote PDC. This is required for
560 outgoing trusts to work. It makes Samba be a trusting domain of a
561 foreign (trusted) domain. Users of the foreign domain will be made
562 available in our domain. You'll need winbind and a working idmap config
563 to make them appear in your system.
564
565 RPC TRUSTDOM REVOKE DOMAIN
566 Abandon relationship to trusted domain
567
568 RPC TRUSTDOM LIST
569 List all interdomain trust relationships.
570
571 RPC TRUST
RPC TRUST CREATE
Create a trust object by calling lsaCreateTrustedDomainEx2. This can be
done on a single server or on two servers at once with the possibility
to use a random trust password.
576
577 Options:
578
579 otherserver
580 Domain controller of the second domain
581
582 otheruser
583 Admin user in the second domain
584
585 otherdomainsid
586 SID of the second domain
587
588 other_netbios_domain
589 NetBIOS (short) name of the second domain
590
591 otherdomain
592 DNS (full) name of the second domain
593
594 trustpw
595 Trust password
596
597 Examples:
598
599 Create a trust object on srv1.dom1.dom for the domain dom2
600
601 net rpc trust create \
602 otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
603 other_netbios_domain=dom2 \
604 otherdomain=dom2.dom \
605 trustpw=12345678 \
606 -S srv1.dom1.dom
607
608 Create a trust relationship between dom1 and dom2
609
610 net rpc trust create \
611 otherserver=srv2.dom2.test \
612 otheruser=dom2adm \
613 -S srv1.dom1.dom
614
RPC TRUST DELETE
Delete a trust object by calling lsaDeleteTrustedDomain. This can be
done on a single server or on two servers at once.
618
619 Options:
620
621 otherserver
622 Domain controller of the second domain
623
624 otheruser
625 Admin user in the second domain
626
627 otherdomainsid
628 SID of the second domain
629
630 Examples:
631
632 Delete a trust object on srv1.dom1.dom for the domain dom2
633
634 net rpc trust delete \
635 otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
636 -S srv1.dom1.dom
637
638 Delete a trust relationship between dom1 and dom2
639
640 net rpc trust delete \
641 otherserver=srv2.dom2.test \
642 otheruser=dom2adm \
643 -S srv1.dom1.dom
644
645
646 RPC RIGHTS
647 This subcommand is used to view and manage Samba's rights assignments
648 (also referred to as privileges). There are three options currently
649 available: list, grant, and revoke. More details on Samba's privilege
650 model and its use can be found in the Samba-HOWTO-Collection.
651
652 RPC ABORTSHUTDOWN
653 Abort the shutdown of a remote server.
654
655 RPC SHUTDOWN [-t timeout] [-r] [-f] [-C message]
656 Shut down the remote server.
657
658 -r
659 Reboot after shutdown.
660
661 -f
662 Force shutting down all applications.
663
664 -t timeout
665 Timeout before system will be shut down. An interactive user of the
666 system can use this time to cancel the shutdown.
667
668 -C message
669 Display the specified message on the screen to announce the
670 shutdown.
671
672 RPC SAMDUMP
673 Print out sam database of remote server. You need to run this against
674 the PDC, from a Samba machine joined as a BDC.
675
676 RPC VAMPIRE
677 Export users, aliases and groups from remote server to local server.
678 You need to run this against the PDC, from a Samba machine joined as a
679 BDC. This vampire command cannot be used against an Active Directory,
680 only against an NT4 Domain Controller.
681
682 RPC VAMPIRE KEYTAB
683 Dump remote SAM database to local Kerberos keytab file.
684
685 RPC VAMPIRE LDIF
686 Dump remote SAM database to local LDIF file or standard output.
687
688 RPC GETSID
689 Fetch domain SID and store it in the local secrets.tdb.
690
691 ADS LEAVE
692 Make the remote host leave the domain it is part of.
693
ADS STATUS
Print out the status of the machine account of the local machine in ADS.
Prints out a lot of debug info. Aimed at developers; regular users
should use NET ADS TESTJOIN.
698
699 ADS PRINTER
700 ADS PRINTER INFO [PRINTER] [SERVER]
701 Lookup info for PRINTER on SERVER. The printer name defaults to "*",
702 the server name defaults to the local host.
703
704 ADS PRINTER PUBLISH PRINTER
705 Publish specified printer using ADS.
706
707 ADS PRINTER REMOVE PRINTER
708 Remove specified printer from ADS directory.
709
ADS SEARCH EXPRESSION ATTRIBUTES...
Perform a raw LDAP search on an ADS server and dump the results. The
expression is a standard LDAP search expression, and the attributes are
a list of LDAP fields to show in the results.

Example: net ads search '(objectCategory=group)' sAMAccountName

ADS DN DN (attributes)
Perform a raw LDAP search on an ADS server and dump the results. The DN
is a standard LDAP DN, and the attributes are a list of LDAP fields to
show in the result.

Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' SAMAccountName
724
725 ADS WORKGROUP
726 Print out workgroup name for specified kerberos realm.
727
728 ADS ENCTYPES
729 List, modify or delete the value of the "msDS-SupportedEncryptionTypes"
730 attribute of an account in AD.
731
732 This attribute allows one to control which Kerberos encryption types
733 are used for the generation of initial and service tickets. The value
734 consists of an integer bitmask with the following values:
735
736 0x00000001 DES-CBC-CRC
737
738 0x00000002 DES-CBC-MD5
739
740 0x00000004 RC4-HMAC
741
742 0x00000008 AES128-CTS-HMAC-SHA1-96
743
744 0x00000010 AES256-CTS-HMAC-SHA1-96
745
746 ADS ENCTYPES LIST <ACCOUNTNAME>
747 List the value of the "msDS-SupportedEncryptionTypes" attribute of a
748 given account.
749
750 Example: net ads enctypes list Computername
751
752 ADS ENCTYPES SET <ACCOUNTNAME> [enctypes]
753 Set the value of the "msDS-SupportedEncryptionTypes" attribute of the
754 LDAP object of ACCOUNTNAME to a given value. If the value is omitted,
755 the value is set to 31 which enables all the currently supported
756 encryption types.
757
758 Example: net ads enctypes set Computername 24
759
ADS ENCTYPES DELETE <ACCOUNTNAME>
Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP
object of ACCOUNTNAME.

Example: net ads enctypes delete Computername
765
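Added example (not part of the Samba manual page or the Samba project's code): a shell helper that decodes an msDS-SupportedEncryptionTypes value with the bitmask table from the ADS ENCTYPES section and reports the DES and RC4 bits, which RFC 6649 and RFC 8429 deprecate for Kerberos. The function names are hypothetical, and the value is passed as an argument rather than parsed from net output.

```shell
#!/bin/sh
# Added example, not Samba code. Function names are hypothetical.

# bit:name pairs exactly as listed in the ADS ENCTYPES section.
ENCTYPE_TABLE="1:DES-CBC-CRC 2:DES-CBC-MD5 4:RC4-HMAC 8:AES128-CTS-HMAC-SHA1-96 16:AES256-CTS-HMAC-SHA1-96"
LEGACY_BITS=7    # DES-CBC-CRC | DES-CBC-MD5 | RC4-HMAC
KNOWN_BITS=31    # all five listed bits (the value "set" uses when none is given)

# Accept only plain decimal or 0x-prefixed hex, so the argument can be used
# in shell arithmetic without evaluating anything else.
enctypes_is_mask() {
    case $1 in
        0[xX]?*) case ${1#0[xX]} in *[!0-9a-fA-F]*) return 1 ;; esac ;;
        ''|*[!0-9]*) return 1 ;;
        0?*) return 1 ;;              # a leading zero would be read as octal
    esac
    return 0
}

# enctypes_names MASK FILTER: names of the listed bits set in MASK & FILTER.
enctypes_names() {
    et_out=""
    for et_pair in $ENCTYPE_TABLE; do
        et_bit=${et_pair%%:*}
        if [ $(( $1 & $2 & $et_bit )) -ne 0 ]; then
            et_out="${et_out:+$et_out }${et_pair#*:}"
        fi
    done
    printf '%s\n' "$et_out"
}

# All listed encryption types enabled by MASK.
enctypes_decode() {
    enctypes_is_mask "$1" || { echo "invalid mask: $1" >&2; return 2; }
    enctypes_names "$1" "$KNOWN_BITS"
}

# DES/RC4 types enabled by MASK; exit status 0 only if at least one is set.
enctypes_legacy() {
    enctypes_is_mask "$1" || { echo "invalid mask: $1" >&2; return 2; }
    [ $(( $1 & $LEGACY_BITS )) -ne 0 ] || return 1
    enctypes_names "$1" "$LEGACY_BITS"
}

# MASK with the DES/RC4 bits cleared, as a decimal value for "enctypes set".
enctypes_aes_only() {
    enctypes_is_mask "$1" || { echo "invalid mask: $1" >&2; return 2; }
    echo $(( $1 & $KNOWN_BITS & ~$LEGACY_BITS ))
}

# Bits set in MASK that the table above does not describe, in hex.
enctypes_unlisted() {
    enctypes_is_mask "$1" || { echo "invalid mask: $1" >&2; return 2; }
    printf '0x%x\n' $(( $1 & ~$KNOWN_BITS ))
}

# One-account report: enabled types, plus a note when DES/RC4 is present.
enctypes_report() {
    printf '%s: %s\n' "$1" "$(enctypes_decode "$1")"
    if et_legacy=$(enctypes_legacy "$1"); then
        printf '  legacy types enabled: %s (AES-only value: %s)\n' \
            "$et_legacy" "$(enctypes_aes_only "$1")"
    fi
}

# Constructed sample values: the "set" default, the page's example, RC4 only.
for sample in 31 24 0x4; do
    enctypes_report "$sample"
done
```

An AES-only value of 0 means the account listed no AES types at all, so choose 8, 16 or 24 deliberately instead of writing 0.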
766 SAM CREATEBUILTINGROUP <NAME>
767 (Re)Create a BUILTIN group. Only a wellknown set of BUILTIN groups can
768 be created with this command. This is the list of currently recognized
769 group names: Administrators, Users, Guests, Power Users, Account
770 Operators, Server Operators, Print Operators, Backup Operators,
771 Replicator, RAS Servers, Pre-Windows 2000 compatible Access. This
772 command requires a running Winbindd with idmap allocation properly
773 configured. The group gid will be allocated out of the winbindd range.
774
775 SAM CREATELOCALGROUP <NAME>
776 Create a LOCAL group (also known as Alias). This command requires a
777 running Winbindd with idmap allocation properly configured. The group
778 gid will be allocated out of the winbindd range.
779
780 SAM DELETELOCALGROUP <NAME>
781 Delete an existing LOCAL group (also known as Alias).
782
783 SAM MAPUNIXGROUP <NAME>
784 Map an existing Unix group and make it a Domain Group, the domain group
785 will have the same name.
786
787 SAM UNMAPUNIXGROUP <NAME>
788 Remove an existing group mapping entry.
789
790 SAM ADDMEM <GROUP> <MEMBER>
791 Add a member to a Local group. The group can be specified only by name,
792 the member can be specified by name or SID.
793
794 SAM DELMEM <GROUP> <MEMBER>
795 Remove a member from a Local group. The group and the member must be
796 specified by name.
797
798 SAM LISTMEM <GROUP>
799 List Local group members. The group must be specified by name.
800
801 SAM LIST <users|groups|localgroups|builtin|workstations> [verbose]
802 List the specified set of accounts by name. If verbose is specified,
803 the rid and description is also provided for each account.
804
805 SAM RIGHTS LIST
806 List all available privileges.
807
808 SAM RIGHTS GRANT <NAME> <PRIVILEGE>
809 Grant one or more privileges to a user.
810
811 SAM RIGHTS REVOKE <NAME> <PRIVILEGE>
812 Revoke one or more privileges from a user.
813
SAM SHOW <NAME>
Show the full DOMAIN\NAME, the SID and the type for the corresponding
account.
817
818 SAM SET HOMEDIR <NAME> <DIRECTORY>
819 Set the home directory for a user account.
820
821 SAM SET PROFILEPATH <NAME> <PATH>
822 Set the profile path for a user account.
823
824 SAM SET COMMENT <NAME> <COMMENT>
825 Set the comment for a user or group account.
826
827 SAM SET FULLNAME <NAME> <FULL NAME>
828 Set the full name for a user account.
829
830 SAM SET LOGONSCRIPT <NAME> <SCRIPT>
831 Set the logon script for a user account.
832
833 SAM SET HOMEDRIVE <NAME> <DRIVE>
834 Set the home drive for a user account.
835
836 SAM SET WORKSTATIONS <NAME> <WORKSTATIONS>
837 Set the workstations a user account is allowed to log in from.
838
839 SAM SET DISABLE <NAME>
840 Set the "disabled" flag for a user account.
841
842 SAM SET PWNOTREQ <NAME>
843 Set the "password not required" flag for a user account.
844
845 SAM SET AUTOLOCK <NAME>
846 Set the "autolock" flag for a user account.
847
848 SAM SET PWNOEXP <NAME>
849 Set the "password do not expire" flag for a user account.
850
851 SAM SET PWDMUSTCHANGENOW <NAME> [yes|no]
852 Set or unset the "password must change" flag for a user account.
853
854 SAM POLICY LIST
855 List the available account policies.
856
857 SAM POLICY SHOW <account policy>
858 Show the account policy value.
859
860 SAM POLICY SET <account policy> <value>
861 Set a value for the account policy. Valid values can be: "forever",
862 "never", "off", or a number.
863
864 SAM PROVISION
865 Only available if ldapsam:editposix is set and winbindd is running.
866 Properly populates the ldap tree with the basic accounts
867 (Administrator) and groups (Domain Users, Domain Admins, Domain Guests)
868 on the ldap tree.
869
870 IDMAP DUMP <local tdb file name>
871 Dumps the mappings contained in the local tdb file specified. This
872 command is useful to dump only the mappings produced by the idmap_tdb
873 backend.
874
875 IDMAP RESTORE [input file]
876 Restore the mappings from the specified file or stdin.
877
878 IDMAP SET SECRET <DOMAIN> <secret>
879 Store a secret for the specified domain, used primarily for domains
880 that use idmap_ldap as a backend. In this case the secret is used as
881 the password for the user DN used to bind to the ldap server.
882
883 IDMAP SET RANGE <RANGE> <SID> [index] [--db=<DB>]
884 Store a domain-range mapping for a given domain (and index) in autorid
885 database.
886
887 IDMAP SET CONFIG <config> [--db=<DB>]
888 Update CONFIG entry in autorid database.
889
890 IDMAP GET RANGE <SID> [index] [--db=<DB>]
891 Get the range for a given domain and index from autorid database.
892
893 IDMAP GET RANGES [<SID>] [--db=<DB>]
894 Get ranges for all domains or for one identified by given SID.
895
896 IDMAP GET CONFIG [--db=<DB>]
897 Get CONFIG entry from autorid database.
898
899 IDMAP DELETE MAPPING [-f] [--db=<DB>] <ID>
900 Delete a mapping sid <-> gid or sid <-> uid from the IDMAP database.
901 The mapping is given by <ID> which may either be a sid: S-x-..., a gid:
902 "GID number" or a uid: "UID number". Use -f to delete an invalid
903 partial mapping <ID> -> xx
904
905 Use "smbcontrol all idmap ..." to notify running smbd instances. See
906 the smbcontrol(1) manpage for details.
907
908 IDMAP DELETE RANGE [-f] [--db=<TDB>] <RANGE>|(<SID> [<INDEX>])
909 Delete a domain range mapping identified by 'RANGE' or "domain SID and
910 INDEX" from autorid database. Use -f to delete invalid mappings.
911
912 IDMAP DELETE RANGES [-f] [--db=<TDB>] <SID>
913 Delete all domain range mappings for a domain identified by SID. Use -f
914 to delete invalid mappings.
915
916 IDMAP CHECK [-v] [-r] [-a] [-T] [-f] [-l] [--db=<DB>]
917 Check and repair the IDMAP database. If no option is given a read only
918 check of the database is done. Among others an interactive or automatic
919 repair mode may be chosen with one of the following options:
920
921 -r|--repair
922 Interactive repair mode, ask a lot of questions.
923
924 -a|--auto
925 Noninteractive repair mode, use default answers.
926
927 -v|--verbose
928 Produce more output.
929
930 -f|--force
931 Try to apply changes, even if they do not apply cleanly.
932
933 -T|--test
934 Dry run, show what changes would be made but don't touch anything.
935
936 -l|--lock
937 Lock the database while doing the check.
938
939 --db <DB>
940 Check the specified database.
941
It reports the following errors:
943
944 Missing reverse mapping:
945 A record with mapping A->B where there is no B->A. Default action
946 in repair mode is to "fix" this by adding the reverse mapping.
947
948 Invalid mapping:
949 A record with mapping A->B where B->C. Default action is to
950 "delete" this record.
951
952 Missing or invalid HWM:
953 A high water mark is not at least equal to the largest ID in the
954 database. Default action is to "fix" this by setting it to the
955 largest ID found +1.
956
957 Invalid record:
958 Something we failed to parse. Default action is to "edit" it in
959 interactive and "delete" it in automatic mode.
960
961 USERSHARE
962 Starting with version 3.0.23, a Samba server now supports the ability
963 for non-root users to add user defined shares to be exported using the
964 "net usershare" commands.
965
To set this up, first set up your smb.conf by adding to the [global]
section:

usershare path = /usr/local/samba/lib/usershares

Next create the directory /usr/local/samba/lib/usershares, change the
owner to root and set the group owner to the UNIX group who should have
the ability to create usershares, for example a group called
"serverops". Set the permissions on /usr/local/samba/lib/usershares to
01770. (Owner and group all access, no access for others, plus the
sticky bit, which means that a file in that directory can be renamed or
deleted only by the owner of the file). Finally, tell smbd how many
usershares you will allow by adding to the [global] section of smb.conf
a line such as:

usershare max shares = 100

to allow 100 usershare definitions. Now, members of the UNIX group
"serverops" can create user defined shares on demand using the commands
below.
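A check for the directory setup just described, as an added example that is not part of the Samba documentation: it reports every way a usershare directory deviates from root ownership, the chosen group and mode 01770. The function name and its parameters are assumptions of this example.

```python
import os
import stat


def check_usershare_dir(path, owner_uid=0, group_gid=None):
    """Return a list of deviations from the documented setup (empty = OK)."""
    try:
        st = os.lstat(path)  # lstat: a symlink must not pass as the directory
    except FileNotFoundError:
        return ["%s does not exist" % path]
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % path]

    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != owner_uid:
        problems.append("owner is uid %d, expected %d" % (st.st_uid, owner_uid))
    if group_gid is not None and st.st_gid != group_gid:
        problems.append("group is gid %d, expected %d" % (st.st_gid, group_gid))
    if not mode & stat.S_ISVTX:
        # Without the sticky bit any group member can rename or delete
        # share definition files created by another member.
        problems.append("sticky bit missing (mode %04o)" % mode)
    if mode & 0o007:
        problems.append("others have access (mode %04o)" % mode)
    if (mode & 0o770) != 0o770:
        problems.append("owner and group need full access (mode %04o)" % mode)
    if mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("unexpected setuid/setgid bit (mode %04o)" % mode)
    return problems


if __name__ == "__main__":
    import grp
    import sys

    # Defaults are the path and group name used in the text above.
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/samba/lib/usershares"
    group = sys.argv[2] if len(sys.argv) > 2 else "serverops"
    try:
        gid = grp.getgrnam(group).gr_gid
    except KeyError:
        gid = None
        print("group %s does not exist" % group)
    issues = check_usershare_dir(path, owner_uid=0, group_gid=gid)
    for issue in issues:
        print(issue)
    sys.exit(1 if issues or gid is None else 0)
```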
979
980 The usershare commands are:
981 net usershare add sharename path [comment [acl] [guest_ok=[y|n]]] -
982 to add or change a user defined share.
983 net usershare delete sharename - to delete a user defined share.
984 net usershare info [-l|--long] [wildcard sharename] - to print info
985 about a user defined share.
986 net usershare list [-l|--long] [wildcard sharename] - to list user
987 defined shares.
988
989 USERSHARE ADD sharename path [comment] [acl] [guest_ok=[y|n]]
990 Add or replace a new user defined share, with name "sharename".
991
992 "path" specifies the absolute pathname on the system to be exported.
993 Restrictions may be put on this, see the global smb.conf parameters:
994 "usershare owner only", "usershare prefix allow list", and "usershare
995 prefix deny list".
996
997 The optional "comment" parameter is the comment that will appear on the
998 share when browsed to by a client.
999
The optional "acl" field specifies which users have read and write
access to the entire share. Note that guest connections are not allowed
unless the smb.conf parameter "usershare allow guests" has been set.
The definition of a user defined share acl is: "user:permission", where
user is a valid username on the system and permission can be "F", "R",
or "D". "F" stands for "full permissions", i.e. read and write
permissions. "D" stands for "deny" for a user, i.e. prevent this user
from accessing this share. "R" stands for "read only", i.e. only allow
read access to this share (no creation of new files or directories or
writing to files).
1010
1011 The default if no "acl" is given is "Everyone:R", which means any
1012 authenticated user has read-only access.
1013
1014 The optional "guest_ok" has the same effect as the parameter of the
1015 same name in smb.conf, in that it allows guest access to this user
1016 defined share. This parameter is only allowed if the global parameter
1017 "usershare allow guests" has been set to true in the smb.conf.
1018
1019
There is no separate command to modify an existing user defined share;
just use the "net usershare add [sharename]" command using the same
sharename as the one you wish to modify and specify the new options you
wish. The Samba smbd daemon notices user defined share modifications at
connect time, so it will see the change immediately. There is no need to
restart smbd on adding, deleting or changing a user defined share.
1026
1027 USERSHARE DELETE sharename
1028 Deletes the user defined share by name. The Samba smbd daemon
1029 immediately notices this change, although it will not disconnect any
1030 users currently connected to the deleted share.
1031
1032 USERSHARE INFO [-l|--long] [wildcard sharename]
1033 Get info on user defined shares owned by the current user matching the
1034 given pattern, or all users.
1035
1036 net usershare info on its own dumps out info on the user defined shares
1037 that were created by the current user, or restricts them to share names
1038 that match the given wildcard pattern ('*' matches one or more
1039 characters, '?' matches only one character). If the '-l' or '--long'
1040 option is also given, it prints out info on user defined shares created
1041 by other users.
1042
The information given about a share looks like:

[foobar]
path=/home/jeremy
comment=testme
usershare_acl=Everyone:F
guest_ok=n

This is a list of the current settings of the user defined share that
can be modified by the "net usershare add" command.
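An added example (not part of the Samba documentation) that parses output in the layout shown above and flags shares that allow guest access or give Everyone full access, using the F/R/D permission letters defined under USERSHARE ADD. It assumes one key=value per line under each [sharename] header and comma-separated ACL entries; the function names are hypothetical.

```python
# Constructed sample in the layout printed by "net usershare info".
# [foobar] is the example from the text; the other two shares are made up.
SAMPLE_OUTPUT = """\
[foobar]
path=/home/jeremy
comment=testme
usershare_acl=Everyone:F
guest_ok=n

[scratch]
path=/srv/scratch
comment=
usershare_acl=Everyone:R,alice:F
guest_ok=y

[docs]
path=/srv/docs
comment=read-only docs
usershare_acl=Everyone:R
guest_ok=n
"""


def parse_usershare_info(text):
    """Return {sharename: {setting: value}} from usershare info output."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key] = value
    return shares


def parse_acl(acl):
    """Split "user:permission" entries; comma separation is an assumption."""
    entries = []
    for item in acl.split(","):
        item = item.strip()
        if item:
            # rpartition keeps any ':' inside the user part intact
            user, _, perm = item.rpartition(":")
            entries.append((user, perm.upper()))
    return entries


def audit_usershares(shares):
    """Return (sharename, finding) pairs for settings worth reviewing."""
    findings = []
    for name, settings in sorted(shares.items()):
        if settings.get("guest_ok", "n").lower() == "y":
            findings.append((name, "guest access is enabled"))
        # The documented default when no acl is given is Everyone:R.
        for user, perm in parse_acl(settings.get("usershare_acl", "Everyone:R")):
            if perm not in ("F", "R", "D"):
                findings.append((name, "unrecognised ACL entry %s:%s" % (user, perm)))
            elif user.lower() == "everyone" and perm == "F":
                findings.append((name, "Everyone has full (read and write) access"))
    return findings


if __name__ == "__main__":
    for share, finding in audit_usershares(parse_usershare_info(SAMPLE_OUTPUT)):
        print("%s: %s" % (share, finding))
```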
1047
1048 USERSHARE LIST [-l|--long] wildcard sharename
1049 List all the user defined shares owned by the current user matching the
1050 given pattern, or all users.
1051
net usershare list on its own lists the names of the user defined
1053 shares that were created by the current user, or restricts the list to
1054 share names that match the given wildcard pattern ('*' matches one or
1055 more characters, '?' matches only one character). If the '-l' or
1056 '--long' option is also given, it includes the names of user defined
1057 shares created by other users.
1058
1059 [RPC] CONF
1060 Starting with version 3.2.0, a Samba server can be configured by data
1061 stored in registry. This configuration data can be edited with the new
1062 "net conf" commands. There is also the possibility to configure a
1063 remote Samba server by enabling the RPC conf mode and specifying the
1064 address of the remote server.
1065
1066 The deployment of this configuration data can be activated in two
1067 levels from the smb.conf file: Share definitions from registry are
1068 activated by setting registry shares to “yes” in the [global] section
1069 and global configuration options are activated by setting include =
1070 registry in the [global] section for a mixed configuration or by
1071 setting config backend = registry in the [global] section for a
1072 registry-only configuration. See the smb.conf(5) manpage for details.
1073
1074 The conf commands are:
1075 net [rpc] conf list - Dump the complete configuration in smb.conf
1076 like format.
1077 net [rpc] conf import - Import configuration from file in smb.conf
1078 format.
1079 net [rpc] conf listshares - List the registry shares.
1080 net [rpc] conf drop - Delete the complete configuration from
1081 registry.
1082 net [rpc] conf showshare - Show the definition of a registry share.
1083 net [rpc] conf addshare - Create a new registry share.
1084 net [rpc] conf delshare - Delete a registry share.
1085 net [rpc] conf setparm - Store a parameter.
1086 net [rpc] conf getparm - Retrieve the value of a parameter.
1087 net [rpc] conf delparm - Delete a parameter.
1088 net [rpc] conf getincludes - Show the includes of a share
1089 definition.
1090 net [rpc] conf setincludes - Set includes for a share.
1091 net [rpc] conf delincludes - Delete includes from a share
1092 definition.
1093
1094 [RPC] CONF LIST
1095 Print the configuration data stored in the registry in a smb.conf-like
1096 format to standard output.
1097
1098 [RPC] CONF IMPORT [--test|-T] filename [section]
1099 This command imports configuration from a file in smb.conf format. If a
section encountered in the input file is present in registry, its
contents are replaced. Sections of registry configuration that have no
1102 counterpart in the input file are not affected. If you want to delete
1103 these, you will have to use the "net conf drop" or "net conf delshare"
1104 commands. Optionally, a section may be specified to restrict the effect
1105 of the import command to that specific section. A test mode is enabled
1106 by specifying the parameter "-T" on the commandline. In test mode, no
1107 changes are made to the registry, and the resulting configuration is
1108 printed to standard output instead.
1109
1110 [RPC] CONF LISTSHARES
1111 List the names of the shares defined in registry.
1112
1113 [RPC] CONF DROP
1114 Delete the complete configuration data from registry.
1115
1116 [RPC] CONF SHOWSHARE sharename
1117 Show the definition of the share or section specified. It is valid to
1118 specify "global" as sharename to retrieve the global configuration
1119 options from registry.
1120
1121 [RPC] CONF ADDSHARE sharename path [writeable={y|N} [guest_ok={y|N}
1122 [comment]]]
1123 Create a new share definition in registry. The sharename and path have
1124 to be given. The share name may not be "global". Optionally, values for
1125 the very common options "writeable", "guest ok" and a "comment" may be
1126 specified. The same result may be obtained by a sequence of "net conf
1127 setparm" commands.
1128
1129 [RPC] CONF DELSHARE sharename
1130 Delete a share definition from registry.
1131
1132 [RPC] CONF SETPARM section parameter value
1133 Store a parameter in registry. The section may be global or a
1134 sharename. The section is created if it does not exist yet.
1135
1136 [RPC] CONF GETPARM section parameter
1137 Show a parameter stored in registry.
1138
1139 [RPC] CONF DELPARM section parameter
1140 Delete a parameter stored in registry.
1141
1142 [RPC] CONF GETINCLUDES section
1143 Get the list of includes for the provided section (global or share).
1144
1145 Note that due to the nature of the registry database and the nature of
1146 include directives, the includes need special treatment: Parameters are
1147 stored in registry by the parameter name as valuename, so there is only
1148 ever one instance of a parameter per share. Also, a specific order like
1149 in a text file is not guaranteed. For all real parameters, this is
1150 perfectly ok, but the include directive is rather a meta parameter, for
1151 which, in the smb.conf text file, the place where it is specified
1152 between the other parameters is very important. This can not be
1153 achieved by the simple registry smbconf data model, so there is one
1154 ordered list of includes per share, and this list is evaluated after
1155 all the parameters of the share.
1156
1157 Further note that currently, only files can be included from registry
1158 configuration. In the future, there will be the ability to include
1159 configuration data from other registry keys.
1160
1161 [RPC] CONF SETINCLUDES section [filename]+
1162 Set the list of includes for the provided section (global or share) to
1163 the given list of one or more filenames. The filenames may contain the
1164 usual smb.conf macros like %I.
1165
1166 [RPC] CONF DELINCLUDES section
1167 Delete the list of includes from the provided section (global or
1168 share).
1169
1170 REGISTRY
1171 Manipulate Samba's registry.
1172
1173 The registry commands are:
1174 net registry enumerate - Enumerate registry keys and values.
1175 net registry enumerate_recursive - Enumerate registry key and its
1176 subkeys.
1177 net registry createkey - Create a new registry key.
1178 net registry deletekey - Delete a registry key.
1179 net registry deletekey_recursive - Delete a registry key with
1180 subkeys.
1181 net registry getvalue - Print a registry value.
1182 net registry getvalueraw - Print a registry value (raw format).
1183 net registry setvalue - Set a new registry value.
1184 net registry increment - Increment a DWORD registry value under a
1185 lock.
1186 net registry deletevalue - Delete a registry value.
1187 net registry getsd - Get security descriptor.
net registry getsd_sddl - Get security descriptor in sddl format.
net registry setsd_sddl - Set security descriptor from sddl format
string.
1191 net registry import - Import a registration entries (.reg)
1192 file.
1193 net registry export - Export a registration entries (.reg)
1194 file.
1195 net registry convert - Convert a registration entries (.reg)
1196 file.
1197 net registry check - Check and repair a registry database.
1198
1199 REGISTRY ENUMERATE key
1200 Enumerate subkeys and values of key.
1201
1202 REGISTRY ENUMERATE_RECURSIVE key
1203 Enumerate values of key and its subkeys.
1204
1205 REGISTRY CREATEKEY key
1206 Create a new key if not yet existing.
1207
1208 REGISTRY DELETEKEY key
1209 Delete the given key and its values from the registry, if it has no
1210 subkeys.
1211
1212 REGISTRY DELETEKEY_RECURSIVE key
1213 Delete the given key and all of its subkeys and values from the
1214 registry.
1215
1216 REGISTRY GETVALUE key name
1217 Output type and actual value of the value name of the given key.
1218
1219 REGISTRY GETVALUERAW key name
1220 Output the actual value of the value name of the given key.
1221
1222 REGISTRY SETVALUE key name type value ...
Set the value name of an existing key. type may be one of sz, multi_sz
or dword. In case of multi_sz, value may be given multiple times.
1225
1226 REGISTRY INCREMENT key name [inc]
1227 Increment the DWORD value name of key by inc while holding a g_lock.
1228 inc defaults to 1.
1229
1230 REGISTRY DELETEVALUE key name
1231 Delete the value name of the given key.
1232
1233 REGISTRY GETSD key
1234 Get the security descriptor of the given key.
1235
1236 REGISTRY GETSD_SDDL key
1237 Get the security descriptor of the given key as a Security Descriptor
1238 Definition Language (SDDL) string.
1239
REGISTRY SETSD_SDDL key sd
1241 Set the security descriptor of the given key from a Security Descriptor
1242 Definition Language (SDDL) string sd.
1243
1244 REGISTRY IMPORT file [--precheck <check-file>] [opt]
1245 Import a registration entries (.reg) file.
1246
1247 The following options are available:
1248
1249 --precheck check-file
1250 This is a mechanism to check the existence or non-existence of
1251 certain keys or values specified in a precheck file before applying
1252 the import file. The import file will only be applied if the
1253 precheck succeeds.
1254
1255 The check-file follows the normal registry file syntax with the
1256 following semantics:
1257
1258 · <value name>=<value> checks whether the value exists and
1259 has the given value.
1260
1261 · <value name>=- checks whether the value does not exist.
1262
1263 · [key] checks whether the key exists.
1264
1265 · [-key] checks whether the key does not exist.
1266
1267
REGISTRY EXPORT key file [opt]
1269 Export a key to a registration entries (.reg) file.
1270
1271 REGISTRY CONVERT in out [[inopt] outopt]
1272 Convert a registration entries (.reg) file in.
1273
1274 REGISTRY CHECK [-ravTl] [-o <ODB>] [--wipe] [<DB>]
1275 Check and repair the registry database. If no option is given a read
1276 only check of the database is done. Among others an interactive or
automatic repair mode may be chosen with one of the following options:
1278
1279 -r|--repair
1280 Interactive repair mode, ask a lot of questions.
1281
1282 -a|--auto
1283 Noninteractive repair mode, use default answers.
1284
1285 -v|--verbose
1286 Produce more output.
1287
1288 -T|--test
1289 Dry run, show what changes would be made but don't touch anything.
1290
1291 -l|--lock
1292 Lock the database while doing the check.
1293
1294 --reg-version={1,2,3}
Specify the format of the registry database. If not given it
defaults to the value of the binary or, if a registry.tdb is
explicitly stated at the commandline, to the value found in the
INFO/version record.
1299
1300 [--db] <DB>
1301 Check the specified database.
1302
1303 -o|--output <ODB>
1304 Create a new registry database <ODB> instead of modifying the
1305 input. If <ODB> is already existing --wipe may be used to overwrite
1306 it.
1307
1308 --wipe
1309 Replace the registry database instead of modifying the input or
1310 overwrite an existing output database.
1311
1312 EVENTLOG
1313 Starting with version 3.4.0 net can read, dump, import and export
1314 native win32 eventlog files (usually *.evt). evt files are used by the
1315 native Windows eventviewer tools.
1316
1317 The import and export of evt files can only succeed when eventlog list
1318 is used in smb.conf file. See the smb.conf(5) manpage for details.
1319
1320 The eventlog commands are:
net eventlog dump - Dump an eventlog *.evt file on the screen.
net eventlog import - Import an eventlog *.evt into the samba
1323 internal tdb based representation of eventlogs.
1324 net eventlog export - Export the samba internal tdb based
1325 representation of eventlogs into an eventlog *.evt file.
1326
1327 EVENTLOG DUMP filename
Prints an eventlog *.evt file to standard output.
1329
1330 EVENTLOG IMPORT filename eventlog
Imports an eventlog *.evt file defined by filename into the samba
internal tdb representation of eventlog defined by eventlog. eventlog
needs to be part of the eventlog list defined in smb.conf. See the
smb.conf(5) manpage for details.
1335
1336 EVENTLOG EXPORT filename eventlog
Exports the samba internal tdb representation of eventlog defined by
eventlog to an eventlog *.evt file defined by filename. eventlog needs
to be part of the eventlog list defined in smb.conf. See the smb.conf(5)
manpage for details.
1341
1342 DOM
1343 Starting with version 3.2.0 Samba has support for remote join and
1344 unjoin APIs, both client and server-side. Windows supports remote join
1345 capabilities since Windows 2000.
1346
In order for Samba to be joined or unjoined remotely an account must be
used that is either a member of the Domain Admins group, a member of the
local Administrators group or a user that is granted the
SeMachineAccountPrivilege privilege.
1351
1352 The client side support for remote join is implemented in the net dom
1353 commands which are:
1354 net dom join - Join a remote computer into a domain.
1355 net dom unjoin - Unjoin a remote computer from a domain.
1356 net dom renamecomputer - Renames a remote computer joined to a
1357 domain.
1358
1359 DOM JOIN domain=DOMAIN ou=OU account=ACCOUNT password=PASSWORD reboot
1360 Joins a computer into a domain. This command supports the following
1361 additional parameters:
1362
1363 · DOMAIN can be a NetBIOS domain name (also known as short
1364 domain name) or a DNS domain name for Active Directory
1365 Domains. As in Windows, it is also possible to control which
1366 Domain Controller to use. This can be achieved by appending
1367 the DC name using the \ separator character. Example:
1368 MYDOM\MYDC. The DOMAIN parameter cannot be NULL.
1369
1370 · OU can be set to a RFC 1779 LDAP DN, like
1371 ou=mymachines,cn=Users,dc=example,dc=com in order to create
1372 the machine account in a non-default LDAP container. This
1373 optional parameter is only supported when joining Active
1374 Directory Domains.
1375
1376 · ACCOUNT defines a domain account that will be used to join
1377 the machine to the domain. This domain account needs to have
1378 sufficient privileges to join machines.
1379
1380 · PASSWORD defines the password for the domain account defined
1381 with ACCOUNT.
1382
1383 · REBOOT is an optional parameter that can be set to reboot
1384 the remote machine after successful join to the domain.
1385
1386
1387 Note that you also need to use standard net parameters to connect and
1388 authenticate to the remote machine that you want to join. These
1389 additional parameters include: -S computer and -U user.
1390
1391 Example: net dom join -S xp -U XP\\administrator%secret domain=MYDOM
1392 account=MYDOM\\administrator password=topsecret reboot.
1393
1394 This example would connect to a computer named XP as the local
1395 administrator using password secret, and join the computer into a
1396 domain called MYDOM using the MYDOM domain administrator account and
1397 password topsecret. After successful join, the computer would reboot.
1398
1399 DOM UNJOIN account=ACCOUNT password=PASSWORD reboot
1400 Unjoins a computer from a domain. This command supports the following
1401 additional parameters:
1402
1403 · ACCOUNT defines a domain account that will be used to unjoin
1404 the machine from the domain. This domain account needs to
1405 have sufficient privileges to unjoin machines.
1406
1407 · PASSWORD defines the password for the domain account defined
1408 with ACCOUNT.
1409
1410 · REBOOT is an optional parameter that can be set to reboot
1411 the remote machine after successful unjoin from the domain.
1412
1413
1414 Note that you also need to use standard net parameters to connect and
1415 authenticate to the remote machine that you want to unjoin. These
1416 additional parameters include: -S computer and -U user.
1417
1418 Example: net dom unjoin -S xp -U XP\\administrator%secret
1419 account=MYDOM\\administrator password=topsecret reboot.
1420
1421 This example would connect to a computer named XP as the local
1422 administrator using password secret, and unjoin the computer from the
1423 domain using the MYDOM domain administrator account and password
1424 topsecret. After successful unjoin, the computer would reboot.
1425
1426 DOM RENAMECOMPUTER newname=NEWNAME account=ACCOUNT password=PASSWORD reboot
1427 Renames a computer that is joined to a domain. This command supports
1428 the following additional parameters:
1429
1430 · NEWNAME defines the new name of the machine in the domain.
1431
1432 · ACCOUNT defines a domain account that will be used to rename
1433 the machine in the domain. This domain account needs to have
1434 sufficient privileges to rename machines.
1435
1436 · PASSWORD defines the password for the domain account defined
1437 with ACCOUNT.
1438
1439 · REBOOT is an optional parameter that can be set to reboot
1440 the remote machine after successful rename in the domain.
1441
1442
1443 Note that you also need to use standard net parameters to connect and
1444 authenticate to the remote machine that you want to rename in the
1445 domain. These additional parameters include: -S computer and -U user.
1446
1447 Example: net dom renamecomputer -S xp -U XP\\administrator%secret
1448 newname=XPNEW account=MYDOM\\administrator password=topsecret reboot.
1449
1450 This example would connect to a computer named XP as the local
1451 administrator using password secret, and rename the joined computer to
1452 XPNEW using the MYDOM domain administrator account and password
1453 topsecret. After successful rename, the computer would reboot.
1454
1455 G_LOCK
1456 Manage global locks.
1457
1458 G_LOCK DO lockname timeout command
1459 Execute a shell command under a global lock. This might be useful to
1460 define the order in which several shell commands will be executed. The
1461 locking information is stored in a file called g_lock.tdb. In setups
1462 with CTDB running, the locking information will be available on all
1463 cluster nodes.
1464
1465 · LOCKNAME defines the name of the global lock.
1466
1467 · TIMEOUT defines the timeout.
1468
1469 · COMMAND defines the shell command to execute.
1470
1471 G_LOCK LOCKS
1472 Print a list of all currently existing locknames.
1473
1474 G_LOCK DUMP lockname
1475 Dump the locking table of a certain global lock.
1476
1477 TDB
1478 Print information from tdb records.
1479
1480 TDB LOCKING key [DUMP]
1481 List sharename, filename and number of share modes for a record from
1482 locking.tdb. With the optional DUMP options, dump the complete record.
1483
1484 · KEY Key of the tdb record as hex string.
1485
1486 HELP [COMMAND]
1487 Gives usage information for the specified command.
1488
1490 This man page is complete for version 3 of the Samba suite.
1491
1493 The original Samba software and related utilities were created by
1494 Andrew Tridgell. Samba is now developed by the Samba Team as an Open
1495 Source project similar to the way the Linux kernel is developed.
1496
1497 The net manpage was written by Jelmer Vernooij.
1498
1499
1500
1501Samba 4.8.3 10/30/2018 NET(8)