NET(8)                  System Administration tools                  NET(8)

net - Tool for administration of Samba and remote CIFS servers.

net {<ads|rap|rpc>} [-h|--help] [-w|--workgroup workgroup]
    [-W|--myworkgroup myworkgroup] [-U|--user user]
    [-A|--authentication-file authfile] [-I|--ipaddress ip-address]
    [-p|--port port] [-n myname] [-s conffile] [-S|--server server]
    [-l|--long] [-v|--verbose] [-f|--force] [-P|--machine-pass]
    [-d debuglevel] [-V] [--request-timeout seconds]
    [-t|--timeout seconds] [-i|--stdin] [--tallocreport]

This tool is part of the samba(7) suite.

The Samba net utility is meant to work just like the net utility
available for Windows and DOS. The first argument should be used to
specify the protocol to use when executing a certain command. ADS is
used for Active Directory, RAP is used for old (Win9x/NT3) clients and
RPC can be used for NT4 and Windows 2000. If this argument is omitted,
net will try to determine it automatically. Not all commands are
available on all protocols.

-?|--help
    Print a summary of command line options.

-k|--kerberos
    Try to authenticate with kerberos. Only useful in an Active
    Directory environment.

-w|--workgroup target-workgroup
    Sets target workgroup or domain. You have to specify either this
    option or the IP address or the name of a server.

-W|--myworkgroup workgroup
    Sets client workgroup or domain.

-U|--user user
    User name to use.

-I|--ipaddress ip-address
    IP address of target server to use. You have to specify either this
    option or a target workgroup or a target server.

-p|--port port
    Port on the target server to connect to (usually 139 or 445).
    Defaults to trying 445 first, then 139.

-n|--netbiosname <primary NetBIOS name>
    This option allows you to override the NetBIOS name that Samba uses
    for itself. This is identical to setting the netbios name parameter
    in the smb.conf file. However, a command line setting will take
    precedence over settings in smb.conf.

-S|--server server
    Name of target server. You should specify either this option or a
    target workgroup or a target IP address.

-l|--long
    When listing data, give more information on each item.

-v|--verbose
    When listing data, give more verbose information on each item.

-f|--force
    Enforce a net command.

-P|--machine-pass
    Make queries to the external server using the machine account of
    the local server.

--request-timeout 30
    Let client requests time out after 30 seconds. The default is 10
    seconds.

-t|--timeout 30
    Set timeout for client operations to 30 seconds.

--use-ccache
    Try to use the credentials cached by winbind.

-i|--stdin
    Take input for net commands from standard input.

--tallocreport
    Generate a talloc report while processing a net command.

-T|--test
    Only test command sequence, dry-run.

-F|--flags FLAGS
    Pass down integer flags to a net subcommand.

-C|--comment COMMENT
    Pass down a comment string to a net subcommand.

-n|--myname MYNAME
    Use MYNAME as a requester name for a net subcommand.

-c|--container CONTAINER
    Use a specific AD container for net ads operations.

-M|--maxusers MAXUSERS
    Fill in the maxusers field in net rpc share operations.

-r|--reboot
    Reboot a remote machine after a command has been successfully
    executed (e.g. in remote join operations).

--force-full-repl
    When calling "net rpc vampire keytab" this option enforces a full
    re-creation of the generated keytab file.

--single-obj-repl
    When calling "net rpc vampire keytab" this option allows one to
    replicate just a single object to the generated keytab file.

--clean-old-entries
    When calling "net rpc vampire keytab" this option allows one to
    cleanup old entries from the generated keytab file.

--db
    Define dbfile for "net idmap" commands.

--lock
    Activates locking of the dbfile for "net idmap check" command.

-a|--auto
    Activates noninteractive mode in "net idmap check".

--repair
    Activates repair mode in "net idmap check".

--acls
    Includes ACLs to be copied in "net rpc share migrate".

--attrs
    Includes file attributes to be copied in "net rpc share migrate".

--timestamps
    Includes timestamps to be copied in "net rpc share migrate".

-X|--exclude DIRECTORY
    Allows one to exclude directories when copying with "net rpc share
    migrate".

--destination SERVERNAME
    Defines the target servername of migration process (defaults to
    localhost).

-L|--local
    Sets the type of group mapping to local (used in "net groupmap
    set").

-D|--domain
    Sets the type of group mapping to domain (used in "net groupmap
    set").

-N|--ntname NTNAME
    Sets the ntname of a group mapping (used in "net groupmap set").

-R|--rid RID
    Sets the rid of a group mapping (used in "net groupmap set").

--reg-version REG_VERSION
    Assume database version {n|1,2,3} (used in "net registry check").

-o|--output FILENAME
    Output database file (used in "net registry check").

--wipe
    Create a new database from scratch (used in "net registry check").

--precheck PRECHECK_DB_FILENAME
    Defines filename for database prechecking (used in "net registry
    import").

--no-dns-updates
    Do not perform DNS updates as part of "net ads join".

--keep-account
    Prevent the machine account removal as part of "net ads leave".

--json
    Report results in JSON format for "net ads info" and "net ads
    lookup".

--recursive
    Traverse a directory hierarchy.

--continue
    Continue traversing a directory hierarchy in case conversion of one
    file fails.

--follow-symlinks
    Follow symlinks encountered while traversing a directory.

-e|--encrypt
    This command line parameter requires that the remote server
    support the UNIX extensions or that the SMB3 protocol has been
    selected. Requests that the connection be encrypted. Negotiates SMB
    encryption using either SMB3 or POSIX extensions via GSSAPI. Uses
    the given credentials for the encryption negotiation (either
    kerberos or NTLMv1/v2 if given a domain/username/password triple).
    Fails the connection if encryption cannot be negotiated.

-d|--debuglevel=level
    level is an integer from 0 to 10. The default value if this
    parameter is not specified is 1.

    The higher this value, the more detail will be logged to the log
    files about the activities of the server. At level 0, only critical
    errors and serious warnings will be logged. Level 1 is a reasonable
    level for day-to-day running - it generates a small amount of
    information about operations carried out.

    Levels above 1 will generate considerable amounts of log data, and
    should only be used when investigating a problem. Levels above 3
    are designed for use only by developers and generate HUGE amounts
    of log data, most of which is extremely cryptic.

    Note that specifying this parameter here will override the log
    level parameter in the smb.conf file.

-V|--version
    Prints the program version number.

-s|--configfile=<configuration file>
    The file specified contains the configuration details required by
    the server. The information in this file includes server-specific
    information such as what printcap file to use, as well as
    descriptions of all the services that the server is to provide. See
    smb.conf for more information. The default configuration file name
    is determined at compile time.

-l|--log-basename=logdirectory
    Base directory name for log/debug files. The extension ".progname"
    will be appended (e.g. log.smbclient, log.smbd, etc...). The log
    file is never removed by the client.

--option=<name>=<value>
    Set the smb.conf(5) option "<name>" to value "<value>" from the
    command line. This overrides compiled-in defaults and options read
    from the configuration file.

CHANGESECRETPW
    This command allows the Samba machine account password to be set from
    an external application to a machine account password that has already
    been stored in Active Directory. DO NOT USE this command unless you
    know exactly what you are doing. The use of this command requires that
    the force flag (-f) be used also. There will be NO command prompt.
    Whatever information is piped into stdin, either by typing at the
    command line or otherwise, will be stored as the literal machine
    password. Do NOT use this without care and attention as it will
    overwrite a legitimate machine password without warning. YOU HAVE BEEN
    WARNED.

TIME
    The NET TIME command allows you to view the time on a remote server or
    synchronise the time on the local server with the time on the remote
    server.

    TIME
        Without any options, the NET TIME command displays the time on the
        remote server. The remote server must be specified with the -S
        option.

    TIME SYSTEM
        Displays the time on the remote server in a format ready for
        /bin/date. The remote server must be specified with the -S option.

    TIME SET
        Tries to set the date and time of the local server to that on the
        remote server using /bin/date. The remote server must be specified
        with the -S option.

    TIME ZONE
        Displays the timezone in hours from GMT on the remote server. The
        remote server must be specified with the -S option.

[RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]]
    [createupn=UPN] [createcomputer=OU] [machinepass=PASS]
    [osName=string osVer=string] [options]

    Join a domain. If the account already exists on the server, and [TYPE]
    is MEMBER, the machine will attempt to join automatically (assuming
    that the machine has been created in server manager). Otherwise, a
    password will be prompted for, and a new account may be created.

    [TYPE] may be PDC, BDC or MEMBER to specify the type of server joining
    the domain.

    [UPN] (ADS only) Set the principalname attribute during the join. The
    default format is host/netbiosname@REALM.

    [OU] (ADS only) Precreate the computer account in a specific OU. The OU
    string reads from top to bottom without RDNs, and is delimited by a
    '/'. Please note that '\' is used for escape by both the shell and
    ldap, so it may need to be doubled or quadrupled to pass through, and
    it is not used as a delimiter.

    [PASS] (ADS only) Set a specific password on the computer account being
    created by the join.

    [osName=string osVer=String] (ADS only) Set the operatingSystem and
    operatingSystemVersion attribute during the join. Both parameters must
    be specified for either to take effect.

[RPC] OLDJOIN [options]
    Join a domain. Use the OLDJOIN option to join the domain using the old
    style of domain joining - you need to create a trust account in server
    manager first.

[RPC|ADS] USER
    [RPC|ADS] USER
        List all users.

    [RPC|ADS] USER DELETE target
        Delete specified user.

    [RPC|ADS] USER INFO target
        List the domain groups of the specified user.

    [RPC|ADS] USER RENAME oldname newname
        Rename specified user.

    [RPC|ADS] USER ADD name [password] [-F user flags] [-C comment]
        Add specified user.

[RPC|ADS] GROUP
    [RPC|ADS] GROUP [misc options] [targets]
        List user groups.

    [RPC|ADS] GROUP DELETE name [misc. options]
        Delete specified group.

    [RPC|ADS] GROUP ADD name [-C comment]
        Create specified group.

[ADS] LOOKUP
    Look up the closest Domain Controller in our domain and retrieve
    server information about it.

[RAP|RPC] SHARE
    [RAP|RPC] SHARE [misc. options] [targets]
        Enumerates all exported resources (network shares) on target
        server.

    [RAP|RPC] SHARE ADD name=serverpath [-C comment] [-M maxusers] [targets]
        Adds a share from a server (makes the export active). Maxusers
        specifies the number of users that can be connected to the share
        simultaneously.

    SHARE DELETE sharename
        Delete specified share.

[RPC|RAP] FILE
    [RPC|RAP] FILE
        List all open files on remote server.

    [RPC|RAP] FILE CLOSE fileid
        Close file with specified fileid on remote server.

    [RPC|RAP] FILE INFO fileid
        Print information on specified fileid. Currently listed are:
        file-id, username, locks, path, permissions.

    [RAP|RPC] FILE USER user
        List files opened by specified user. Please note that net rap file
        user does not work against Samba servers.

SESSION
    RAP SESSION
        Without any other options, SESSION enumerates all active SMB/CIFS
        sessions on the target server.

    RAP SESSION DELETE|CLOSE CLIENT_NAME
        Close the specified sessions.

    RAP SESSION INFO CLIENT_NAME
        Give a list with all the open files in specified session.

RAP SERVER DOMAIN
    List all servers in specified domain or workgroup. Defaults to local
    domain.

RAP DOMAIN
    Lists all domains and workgroups visible on the current network.

RAP PRINTQ
    RAP PRINTQ INFO QUEUE_NAME
        Lists the specified print queue and print jobs on the server. If
        the QUEUE_NAME is omitted, all queues are listed.

    RAP PRINTQ DELETE JOBID
        Delete job with specified id.

RAP VALIDATE user [password]
    Validate whether the specified user can log in to the remote server. If
    the password is not specified on the commandline, it will be prompted.

    Note: Currently NOT implemented.

RAP GROUPMEMBER
    RAP GROUPMEMBER LIST GROUP
        List all members of the specified group.

    RAP GROUPMEMBER DELETE GROUP USER
        Delete member from group.

    RAP GROUPMEMBER ADD GROUP USER
        Add member to group.

RAP ADMIN command
    Execute the specified command on the remote server. Only works with
    OS/2 servers.

    Note: Currently NOT implemented.

RAP SERVICE
    RAP SERVICE START NAME [arguments...]
        Start the specified service on the remote server. Not implemented
        yet.

        Note: Currently NOT implemented.

    RAP SERVICE STOP
        Stop the specified service on the remote server.

        Note: Currently NOT implemented.

RAP PASSWORD USER OLDPASS NEWPASS
    Change password of USER from OLDPASS to NEWPASS.

LOOKUP
    LOOKUP HOST HOSTNAME [TYPE]
        Look up the IP address of the given host with the specified type
        (netbios suffix). The type defaults to 0x20 (workstation).

    LOOKUP LDAP [DOMAIN]
        Give IP address of LDAP server of specified DOMAIN. Defaults to
        local domain.

    LOOKUP KDC [REALM]
        Give IP address of KDC for the specified REALM. Defaults to local
        realm.

    LOOKUP DC [DOMAIN]
        Give IPs of Domain Controllers for specified DOMAIN. Defaults to
        local domain.

    LOOKUP MASTER DOMAIN
        Give IP of master browser for specified DOMAIN or workgroup.
        Defaults to local domain.

    LOOKUP NAME [NAME]
        Look up username's sid and type for specified NAME.

    LOOKUP SID [SID]
        Give sid's name and type for specified SID.

    LOOKUP DSGETDCNAME [NAME] [FLAGS] [SITENAME]
        Give Domain Controller information for specified domain NAME.

CACHE
    Samba uses a general caching interface called 'gencache'. It can be
    controlled using 'NET CACHE'.

    All the timeout parameters support the suffixes:
        s - Seconds
        m - Minutes
        h - Hours
        d - Days
        w - Weeks

    CACHE ADD key data time-out
        Add specified key+data to the cache with the given timeout.

    CACHE DEL key
        Delete key from the cache.

    CACHE SET key data time-out
        Update data of existing cache entry.

    CACHE SEARCH PATTERN
        Search for the specified pattern in the cache data.

    CACHE LIST
        List all current items in the cache.

    CACHE FLUSH
        Remove all the current items from the cache.

GETLOCALSID [DOMAIN]
    Prints the SID of the specified domain, or if the parameter is omitted,
    the SID of the local server.

SETLOCALSID S-1-5-21-x-y-z
    Sets SID for the local server to the specified SID.

GETDOMAINSID
    Prints the local machine SID and the SID of the current domain.

SETDOMAINSID
    Sets the SID of the current domain.

GROUPMAP
    Manage the mappings between Windows group SIDs and UNIX groups. Common
    options include:

    · unixgroup - Name of the UNIX group

    · ntgroup - Name of the Windows NT group (must be resolvable
      to a SID)

    · rid - Unsigned 32-bit integer

    · sid - Full SID in the form of "S-1-..."

    · type - Type of the group; either 'domain', 'local', or
      'builtin'

    · comment - Freeform text description of the group

    GROUPMAP ADD
        Add a new group mapping entry:

            net groupmap add {rid=int|sid=string} unixgroup=string \
                [type={domain|local}] [ntgroup=string] [comment=string]

    GROUPMAP DELETE
        Delete a group mapping entry. If more than one group name matches,
        the first entry found is deleted.

            net groupmap delete {ntgroup=string|sid=SID}

    GROUPMAP MODIFY
        Update an existing group entry.

            net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] \
                [comment=string] [type={domain|local}]

    GROUPMAP LIST
        List existing group mapping entries.

            net groupmap list [verbose] [ntgroup=string] [sid=SID]

MAXRID
    Prints out the highest RID currently in use on the local server (by the
    active 'passdb backend').

RPC INFO
    Print information about the domain of the remote server, such as domain
    name, domain sid and number of users and groups.

[RPC|ADS] TESTJOIN
    Check whether participation in a domain is still valid.

[RPC|ADS] CHANGETRUSTPW
    Force change of domain trust password.

RPC TRUSTDOM
    RPC TRUSTDOM ADD DOMAIN
        Add an interdomain trust account for DOMAIN. This is in fact a
        Samba account named DOMAIN$ with the account flag 'I' (interdomain
        trust account). This is required for incoming trusts to work. It
        makes Samba be a trusted domain of the foreign (trusting) domain.
        Users of the Samba domain will be made available in the foreign
        domain. If the command is used against localhost it has the same
        effect as smbpasswd -a -i DOMAIN. Please note that both commands
        expect an appropriate UNIX account.

    RPC TRUSTDOM DEL DOMAIN
        Remove interdomain trust account for DOMAIN. If it is used against
        localhost it has the same effect as smbpasswd -x DOMAIN$.

    RPC TRUSTDOM ESTABLISH DOMAIN
        Establish a trust relationship to a trusted domain. Interdomain
        account must already be created on the remote PDC. This is required
        for outgoing trusts to work. It makes Samba be a trusting domain of
        a foreign (trusted) domain. Users of the foreign domain will be
        made available in our domain. You'll need winbind and a working
        idmap config to make them appear in your system.

    RPC TRUSTDOM REVOKE DOMAIN
        Abandon relationship to trusted domain.

    RPC TRUSTDOM LIST
        List all interdomain trust relationships.

RPC TRUST
    RPC TRUST CREATE
        Create a trust object by calling lsaCreateTrustedDomainEx2. This
        can be done on a single server or on two servers at once with the
        possibility to use a random trust password.

        Options:

        otherserver
            Domain controller of the second domain

        otheruser
            Admin user in the second domain

        otherdomainsid
            SID of the second domain

        other_netbios_domain
            NetBIOS (short) name of the second domain

        otherdomain
            DNS (full) name of the second domain

        trustpw
            Trust password

        Examples:

        Create a trust object on srv1.dom1.dom for the domain dom2

            net rpc trust create \
                otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
                other_netbios_domain=dom2 \
                otherdomain=dom2.dom \
                trustpw=12345678 \
                -S srv1.dom1.dom

        Create a trust relationship between dom1 and dom2

            net rpc trust create \
                otherserver=srv2.dom2.test \
                otheruser=dom2adm \
                -S srv1.dom1.dom

    RPC TRUST DELETE
        Delete a trust object by calling lsaDeleteTrustedDomain. This can
        be done on a single server or on two servers at once.

        Options:

        otherserver
            Domain controller of the second domain

        otheruser
            Admin user in the second domain

        otherdomainsid
            SID of the second domain

        Examples:

        Delete a trust object on srv1.dom1.dom for the domain dom2

            net rpc trust delete \
                otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
                -S srv1.dom1.dom

        Delete a trust relationship between dom1 and dom2

            net rpc trust delete \
                otherserver=srv2.dom2.test \
                otheruser=dom2adm \
                -S srv1.dom1.dom

RPC RIGHTS
    This subcommand is used to view and manage Samba's rights assignments
    (also referred to as privileges). There are three options currently
    available: list, grant, and revoke. More details on Samba's privilege
    model and its use can be found in the Samba-HOWTO-Collection.

RPC ABORTSHUTDOWN
    Abort the shutdown of a remote server.

RPC SHUTDOWN [-t timeout] [-r] [-f] [-C message]
    Shut down the remote server.

    -r
        Reboot after shutdown.

    -f
        Force shutting down all applications.

    -t timeout
        Timeout before system will be shut down. An interactive user of the
        system can use this time to cancel the shutdown.

    -C message
        Display the specified message on the screen to announce the
        shutdown.

RPC SAMDUMP
    Print out sam database of remote server. You need to run this against
    the PDC, from a Samba machine joined as a BDC.

RPC VAMPIRE
    Export users, aliases and groups from remote server to local server.
    You need to run this against the PDC, from a Samba machine joined as a
    BDC. This vampire command cannot be used against an Active Directory,
    only against an NT4 Domain Controller.

RPC VAMPIRE KEYTAB
    Dump remote SAM database to local Kerberos keytab file.

RPC VAMPIRE LDIF
    Dump remote SAM database to local LDIF file or standard output.

RPC GETSID
    Fetch domain SID and store it in the local secrets.tdb.

ADS GPO
    ADS GPO APPLY <USERNAME|MACHINENAME>
        Apply GPOs for a username or machine name. Either username or
        machine name should be provided to the command, not both.

    ADS GPO GETGPO [GPO]
        List specified GPO.

    ADS GPO LINKADD [LINKDN] [GPODN]
        Link a container to a GPO. LINKDN: container to link to a GPO.
        GPODN: GPO to link the container to. DNs must be provided properly
        escaped. See RFC 4514 for details.

    ADS GPO LINKGET [CONTAINER]
        Lists gPLink of a container.

    ADS GPO LIST <USERNAME|MACHINENAME>
        Lists all GPOs for a username or machine name. Either username or
        machine name should be provided to the command, not both.

    ADS GPO LISTALL
        Lists all GPOs on a DC.

    ADS GPO REFRESH [USERNAME] [MACHINENAME]
        Lists all GPOs assigned to an account and downloads them.
        USERNAME: user to refresh GPOs for. MACHINENAME: machine to
        refresh GPOs for.

ADS DNS
    ADS DNS REGISTER [HOSTNAME [IP [IP.....]]]
        Add host dns entry to Active Directory.

    ADS DNS UNREGISTER <HOSTNAME>
        Remove host dns entry from Active Directory.

    ADS DNS GETHOSTBYNAME <NAMESERVER|HOSTNAME>
        Look up the hostname from Active Directory. You can provide either
        a nameserver (i.e. an IPv4|IPv6 address) or the hostname. Only one
        should be provided at a time.

ADS LEAVE [--keep-account]
    Make the remote host leave the domain it is part of.

ADS STATUS
    Print out status of machine account of the local machine in ADS. Prints
    out quite a lot of debug info. Aimed at developers; regular users
    should use NET ADS TESTJOIN.

ADS PRINTER
    ADS PRINTER INFO [PRINTER] [SERVER]
        Look up info for PRINTER on SERVER. The printer name defaults to
        "*", the server name defaults to the local host.

    ADS PRINTER PUBLISH PRINTER
        Publish specified printer using ADS.

    ADS PRINTER REMOVE PRINTER
        Remove specified printer from ADS directory.

ADS SEARCH EXPRESSION ATTRIBUTES...
    Perform a raw LDAP search on an ADS server and dump the results. The
    expression is a standard LDAP search expression, and the attributes are
    a list of LDAP fields to show in the results.

    Example: net ads search '(objectCategory=group)' sAMAccountName

ADS DN DN (attributes)
    Perform a raw LDAP search on an ADS server and dump the results. The DN
    is a standard LDAP DN, and the attributes are a list of LDAP fields to
    show in the result.

    Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' SAMAccountName

ADS KEYTAB CREATE
    Creates a new keytab file if one doesn't exist with default entries.
    Default entries are kerberos principals created from the machinename of
    the client, the UPN (if it exists) and any Windows SPN(s) associated
    with the computer AD account for the client. If a keytab file already
    exists then only missing kerberos principals from the default entries
    are added. No changes are made to the computer AD account.

ADS KEYTAB ADD (principal | machine | serviceclass | windows SPN)
    Adds a new keytab entry. The entry can be one of:

    kerberos principal
        A kerberos principal (identified by the presence of '@') is just
        added to the keytab file.

    machinename
        A machinename (identified by the trailing '$') is used to create a
        kerberos principal 'machinename@realm' which is added to the
        keytab file.

    serviceclass
        A serviceclass (such as 'cifs', 'html' etc.) is used to create a
        pair of kerberos principals
        'serviceclass/fully_qualified_dns_name@realm' &
        'serviceclass/netbios_name@realm' which are added to the keytab
        file.

    Windows SPN
        A Windows SPN is of the format 'serviceclass/host:port', it is used
        to create a kerberos principal 'serviceclass/host@realm' which will
        be written to the keytab file.

    Unlike old versions no computer AD objects are modified by this
    command. To preserve the behaviour of older clients 'net ads keytab
    add_update_ads' is available.

ADS KEYTAB ADD_UPDATE_ADS (principal | machine | serviceclass | windows SPN)
    Adds a new keytab entry (see section for net ads keytab add). In
    addition to adding entries to the keytab file, corresponding Windows
    SPNs are created from the entry passed to this command. These SPN(s)
    are added to the AD computer account object associated with the client
    machine running this command for the following entry types:

    serviceclass
        A serviceclass (such as 'cifs', 'html' etc.) is used to create a
        pair of Windows SPN(s) 'param/full_qualified_dns' &
        'param/netbios_name' which are added to the AD computer account
        object for this client.

    Windows SPN
        A Windows SPN is of the format 'serviceclass/host:port', it is
        added as passed to the AD computer account object for this client.

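Added example (not from the Samba sources): the entry rules for net ads keytab add and add_update_ads described above, written as shell functions that predict which principals reach the keytab and which SPNs reach the AD computer account. The function names, the order of the checks, and the sample realm and host names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not Samba code: predict what "net ads keytab add" and
# "net ads keytab add_update_ads" do with one entry, following the rules
# described in this page.

# keytab_entry_kind ENTRY -> principal | machine | spn | serviceclass
# The order of the checks is this example's reading of the page.
keytab_entry_kind() {
    case $1 in
        '')   return 2 ;;
        *@*)  echo principal ;;      # identified by the presence of '@'
        *\$)  echo machine ;;        # identified by the trailing '$'
        */*)  echo spn ;;            # Windows SPN, 'serviceclass/host:port'
        *)    echo serviceclass ;;   # e.g. 'cifs'
    esac
}

# keytab_principals ENTRY REALM FQDN NETBIOS
# -> the Kerberos principals written to the keytab file, one per line.
keytab_principals() {
    case $(keytab_entry_kind "$1") in
        principal)    printf '%s\n' "$1" ;;
        machine)      printf '%s@%s\n' "$1" "$2" ;;
        spn)          printf '%s@%s\n' "${1%%:*}" "$2" ;;   # ':port' is dropped
        serviceclass) printf '%s/%s@%s\n' "$1" "$3" "$2"
                      printf '%s/%s@%s\n' "$1" "$4" "$2" ;;
        *)            return 2 ;;
    esac
}

# keytab_ad_spns ENTRY FQDN NETBIOS
# -> the Windows SPNs that add_update_ads also writes to the AD computer
#    account. Nothing for principal or machine entries.
keytab_ad_spns() {
    case $(keytab_entry_kind "$1") in
        serviceclass)      printf '%s/%s\n' "$1" "$2"
                           printf '%s/%s\n' "$1" "$3" ;;
        spn)               printf '%s\n' "$1" ;;            # added as passed
        principal|machine) : ;;
        *)                 return 2 ;;
    esac
}

# review_plan SUBCOMMAND ENTRY REALM FQDN NETBIOS
# -> change summary for "add" (keytab only) or "add_update_ads" (keytab + AD).
review_plan() {
    keytab_principals "$2" "$3" "$4" "$5" | sed 's/^/keytab  + /'
    if [ "$1" = add_update_ads ]; then
        keytab_ad_spns "$2" "$4" "$5" | sed 's/^/AD SPN  + /'
    fi
}

# Constructed sample values: realm, host names and entries are placeholders.
for entry in 'svc@EXAMPLE.TEST' 'FS1$' 'cifs' 'http/web1.example.test:8080'; do
    printf '== add_update_ads %s\n' "$entry"
    review_plan add_update_ads "$entry" EXAMPLE.TEST fs1.example.test FS1
done
```
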
ADS setspn SETSPN LIST [machine]
    Lists the Windows SPNs stored in the 'machine' Windows AD Computer
    object. If 'machine' is not specified then the computer account for
    this client is used instead.

ADS setspn SETSPN ADD SPN [machine]
    Adds the specified Windows SPN to the 'machine' Windows AD Computer
    object. If 'machine' is not specified then the computer account for
    this client is used instead.

ADS setspn SETSPN DELETE SPN [machine]
    Deletes the specified Windows SPN from the 'machine' Windows AD
    Computer object. If 'machine' is not specified then the computer
    account for this client is used instead.

ADS WORKGROUP
    Print out workgroup name for specified kerberos realm.

ADS ENCTYPES
    List, modify or delete the value of the "msDS-SupportedEncryptionTypes"
    attribute of an account in AD.

    This attribute allows one to control which Kerberos encryption types
    are used for the generation of initial and service tickets. The value
    consists of an integer bitmask with the following values:

        0x00000001 DES-CBC-CRC
        0x00000002 DES-CBC-MD5
        0x00000004 RC4-HMAC
        0x00000008 AES128-CTS-HMAC-SHA1-96
        0x00000010 AES256-CTS-HMAC-SHA1-96

ADS ENCTYPES LIST <ACCOUNTNAME>
    List the value of the "msDS-SupportedEncryptionTypes" attribute of a
    given account.

    Example: net ads enctypes list Computername

ADS ENCTYPES SET <ACCOUNTNAME> [enctypes]
    Set the value of the "msDS-SupportedEncryptionTypes" attribute of the
    LDAP object of ACCOUNTNAME to a given value. If the value is omitted,
    the value is set to 31 which enables all the currently supported
    encryption types.

    Example: net ads enctypes set Computername 24

ADS ENCTYPES DELETE <ACCOUNTNAME>
    Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP
    object of ACCOUNTNAME.

    Example: net ads enctypes delete Computername

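Added example (not part of the Samba documentation): a shell helper that decodes an msDS-SupportedEncryptionTypes value with the bit table above, reports bits outside the two AES types, and computes the AES-only value that could be passed to net ads enctypes set. Treating the DES and RC4 bits as legacy is this example's assumption; the function names and the sample accounts are hypothetical.

```sh
#!/bin/sh
# Added example, not Samba code: decode and review an
# msDS-SupportedEncryptionTypes value using the bit table from this page.

# bit:name pairs exactly as listed in the ADS ENCTYPES section.
ENCTYPE_TABLE='1:DES-CBC-CRC
2:DES-CBC-MD5
4:RC4-HMAC
8:AES128-CTS-HMAC-SHA1-96
16:AES256-CTS-HMAC-SHA1-96'

KNOWN_MASK=31   # all five bits; the value "set" uses when none is given
LEGACY_MASK=7   # assumption of this example: both DES types and RC4-HMAC
AES_MASK=24     # AES128 + AES256, the value in the page's "set" example

# to_int VALUE -> VALUE as decimal; accepts decimal or 0x-prefixed hex.
# Returns 2 on anything else so stray text never reaches shell arithmetic.
to_int() {
    case $1 in
        0[xX])                return 2 ;;
        0[xX]*[!0-9a-fA-F]*)  return 2 ;;
        0[xX]*)               ;;
        ''|*[!0-9]*|0[0-9]*)  return 2 ;;
    esac
    printf '%d\n' "$(( $1 ))"
}

# decode_enctypes VALUE -> space-separated names of the bits set in VALUE.
decode_enctypes() {
    de_value=$(to_int "$1") || return 2
    de_names=''
    while IFS=: read -r de_bit de_name; do
        if [ $(( de_value & de_bit )) -ne 0 ]; then
            de_names="${de_names:+$de_names }$de_name"
        fi
    done <<EOF
$ENCTYPE_TABLE
EOF
    printf '%s\n' "$de_names"
}

# aes_only_value VALUE -> VALUE with every non-AES bit cleared.
aes_only_value() {
    av_value=$(to_int "$1") || return 2
    printf '%d\n' "$(( av_value & AES_MASK ))"
}

# audit_enctypes ACCOUNT VALUE -> one report line.
# Status: 0 AES only, 1 legacy or unlisted bits present, 2 unusable value.
audit_enctypes() {
    au_value=$(to_int "$2") || {
        printf '%s: invalid value "%s"\n' "$1" "$2"; return 2; }
    if [ "$au_value" -eq 0 ]; then
        printf '%s: 0, no encryption types listed\n' "$1"; return 2
    fi
    au_legacy=$(decode_enctypes "$(( au_value & LEGACY_MASK ))")
    au_extra=$(( au_value & ~KNOWN_MASK ))   # bits this page does not list
    if [ -n "$au_legacy" ] || [ "$au_extra" -ne 0 ]; then
        printf '%s: %d REVIEW legacy=[%s] unlisted-bits=0x%x aes-only-value=%d\n' \
            "$1" "$au_value" "$au_legacy" "$au_extra" \
            "$(aes_only_value "$au_value")"
        return 1
    fi
    printf '%s: %d OK [%s]\n' "$1" "$au_value" "$(decode_enctypes "$au_value")"
}

# Constructed sample values (not output from a real domain).
for pair in 'FS1$:31' 'WEB1$:24' 'OLDSRV$:0x7'; do
    audit_enctypes "${pair%%:*}" "${pair#*:}" || true
done
```
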
SAM CREATEBUILTINGROUP <NAME>
    (Re)Create a BUILTIN group. Only a well-known set of BUILTIN groups can
    be created with this command. This is the list of currently recognized
    group names: Administrators, Users, Guests, Power Users, Account
    Operators, Server Operators, Print Operators, Backup Operators,
    Replicator, RAS Servers, Pre-Windows 2000 compatible Access. This
    command requires a running Winbindd with idmap allocation properly
    configured. The group gid will be allocated out of the winbindd range.

SAM CREATELOCALGROUP <NAME>
    Create a LOCAL group (also known as Alias). This command requires a
    running Winbindd with idmap allocation properly configured. The group
    gid will be allocated out of the winbindd range.

SAM DELETELOCALGROUP <NAME>
    Delete an existing LOCAL group (also known as Alias).

SAM MAPUNIXGROUP <NAME>
    Map an existing Unix group and make it a Domain Group; the domain group
    will have the same name.

SAM UNMAPUNIXGROUP <NAME>
    Remove an existing group mapping entry.

SAM ADDMEM <GROUP> <MEMBER>
    Add a member to a Local group. The group can be specified only by name,
    the member can be specified by name or SID.

SAM DELMEM <GROUP> <MEMBER>
    Remove a member from a Local group. The group and the member must be
    specified by name.

SAM LISTMEM <GROUP>
    List Local group members. The group must be specified by name.

SAM LIST <users|groups|localgroups|builtin|workstations> [verbose]
    List the specified set of accounts by name. If verbose is specified,
    the rid and description are also provided for each account.

SAM RIGHTS LIST
    List all available privileges.

SAM RIGHTS GRANT <NAME> <PRIVILEGE>
    Grant one or more privileges to a user.

SAM RIGHTS REVOKE <NAME> <PRIVILEGE>
    Revoke one or more privileges from a user.

SAM SHOW <NAME>
    Show the full DOMAIN\NAME, the SID and the type for the corresponding
    account.

SAM SET HOMEDIR <NAME> <DIRECTORY>
    Set the home directory for a user account.

SAM SET PROFILEPATH <NAME> <PATH>
    Set the profile path for a user account.

SAM SET COMMENT <NAME> <COMMENT>
    Set the comment for a user or group account.

SAM SET FULLNAME <NAME> <FULL NAME>
    Set the full name for a user account.

SAM SET LOGONSCRIPT <NAME> <SCRIPT>
    Set the logon script for a user account.

SAM SET HOMEDRIVE <NAME> <DRIVE>
    Set the home drive for a user account.

SAM SET WORKSTATIONS <NAME> <WORKSTATIONS>
    Set the workstations a user account is allowed to log in from.

SAM SET DISABLE <NAME>
    Set the "disabled" flag for a user account.

SAM SET PWNOTREQ <NAME>
    Set the "password not required" flag for a user account.

SAM SET AUTOLOCK <NAME>
    Set the "autolock" flag for a user account.

SAM SET PWNOEXP <NAME>
    Set the "password do not expire" flag for a user account.

SAM SET PWDMUSTCHANGENOW <NAME> [yes|no]
    Set or unset the "password must change" flag for a user account.

SAM POLICY LIST
    List the available account policies.

SAM POLICY SHOW <account policy>
    Show the account policy value.

SAM POLICY SET <account policy> <value>
    Set a value for the account policy. Valid values can be: "forever",
    "never", "off", or a number.

SAM PROVISION
    Only available if ldapsam:editposix is set and winbindd is running.
    Properly populates the ldap tree with the basic accounts
    (Administrator) and groups (Domain Users, Domain Admins, Domain
    Guests).

1008 IDMAP DUMP <local tdb file name>
1009 Dumps the mappings contained in the local tdb file specified. This
1010 command is useful to dump only the mappings produced by the idmap_tdb
1011 backend.
1012
1013 IDMAP RESTORE [input file]
1014 Restore the mappings from the specified file or stdin.
1015
1016 IDMAP SET SECRET <DOMAIN> <secret>
1017 Store a secret for the specified domain, used primarily for domains
1018 that use idmap_ldap as a backend. In this case the secret is used as
1019 the password for the user DN used to bind to the ldap server.
1020
1021 IDMAP SET RANGE <RANGE> <SID> [index] [--db=<DB>]
1022 Store a domain-range mapping for a given domain (and index) in autorid
1023 database.
1024
1025 IDMAP SET CONFIG <config> [--db=<DB>]
1026 Update CONFIG entry in autorid database.
1027
1028 IDMAP GET RANGE <SID> [index] [--db=<DB>]
1029 Get the range for a given domain and index from autorid database.
1030
1031 IDMAP GET RANGES [<SID>] [--db=<DB>]
1032 Get ranges for all domains or for one identified by given SID.
1033
1034 IDMAP GET CONFIG [--db=<DB>]
1035 Get CONFIG entry from autorid database.
1036
1037 IDMAP DELETE MAPPING [-f] [--db=<DB>] <ID>
1038 Delete a mapping sid <-> gid or sid <-> uid from the IDMAP database.
1039 The mapping is given by <ID> which may either be a sid: S-x-..., a gid:
1040 "GID number" or a uid: "UID number". Use -f to delete an invalid
1041 partial mapping <ID> -> xx.
1042
1043 Use "smbcontrol all idmap ..." to notify running smbd instances. See
1044 the smbcontrol(1) manpage for details.
1045
1046 IDMAP DELETE RANGE [-f] [--db=<TDB>] <RANGE>|(<SID> [<INDEX>])
1047 Delete a domain range mapping identified by 'RANGE' or "domain SID and
1048 INDEX" from autorid database. Use -f to delete invalid mappings.
1049
1050 IDMAP DELETE RANGES [-f] [--db=<TDB>] <SID>
1051 Delete all domain range mappings for a domain identified by SID. Use -f
1052 to delete invalid mappings.
1053
1054 IDMAP CHECK [-v] [-r] [-a] [-T] [-f] [-l] [--db=<DB>]
1055 Check and repair the IDMAP database. If no option is given a read only
1056 check of the database is done. Among others an interactive or automatic
1057 repair mode may be chosen with one of the following options:
1058
1059 -r|--repair
1060 Interactive repair mode, ask a lot of questions.
1061
1062 -a|--auto
1063 Noninteractive repair mode, use default answers.
1064
1065 -v|--verbose
1066 Produce more output.
1067
1068 -f|--force
1069 Try to apply changes, even if they do not apply cleanly.
1070
1071 -T|--test
1072 Dry run, show what changes would be made but don't touch anything.
1073
1074 -l|--lock
1075 Lock the database while doing the check.
1076
1077 --db <DB>
1078 Check the specified database.
1079
1080 It reports the following kinds of errors:
1081
1082 Missing reverse mapping:
1083 A record with mapping A->B where there is no B->A. Default action
1084 in repair mode is to "fix" this by adding the reverse mapping.
1085
1086 Invalid mapping:
1087 A record with mapping A->B where B->C. Default action is to
1088 "delete" this record.
1089
1090 Missing or invalid HWM:
1091 A high water mark is not at least equal to the largest ID in the
1092 database. Default action is to "fix" this by setting it to the
1093 largest ID found +1.
1094
1095 Invalid record:
1096 Something we failed to parse. Default action is to "edit" it in
1097 interactive and "delete" it in automatic mode.
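
The error classes and default repair actions listed above, worked through as an added example (not Samba code and not part of the original man page). The record layout is a simplified, constructed model, and the names check_idmap, repair_auto and largest_id are hypothetical.

```python
# Added illustration, not Samba code. The record layout (both directions of
# every mapping stored as key -> value, plus "USER HWM" / "GROUP HWM"
# counters) is a simplified, constructed model of an ID-mapping database.

HWM_PREFIX = {"USER HWM": "UID ", "GROUP HWM": "GID "}


def largest_id(records, prefix):
    """Largest numeric ID in any key or value that starts with prefix."""
    ids = [int(s[len(prefix):]) for pair in records.items()
           for s in pair if s.startswith(prefix)]
    return max(ids, default=None)


def check_idmap(records, hwm):
    """Read-only check. Returns sorted (error class, key, default action)."""
    findings = []
    for a, b in records.items():
        if b not in records:
            # A->B exists but there is no B->A
            findings.append(("missing reverse mapping", a, "fix"))
        elif records[b] != a:
            # A->B exists but B points at some other C
            findings.append(("invalid mapping", a, "delete"))
    for name, prefix in HWM_PREFIX.items():
        largest = largest_id(records, prefix)
        current = hwm.get(name)
        if largest is not None and (current is None or current < largest):
            findings.append(("missing or invalid HWM", name, "fix"))
    return sorted(findings)


def repair_auto(records, hwm):
    """Apply the default actions to copies of the inputs and return them."""
    fixed, new_hwm = dict(records), dict(hwm)
    for kind, key, _action in check_idmap(records, hwm):
        if kind == "invalid mapping":
            del fixed[key]                    # default action: delete
        elif kind == "missing reverse mapping":
            fixed[records[key]] = key         # default action: add B->A
        else:
            # default action: largest ID found + 1
            new_hwm[key] = largest_id(records, HWM_PREFIX[key]) + 1
    return fixed, new_hwm


# Constructed sample data; the domain SID is made up.
SID = "S-1-5-21-1111111111-2222222222-3333333333-"
SAMPLE = {
    "UID 10000": SID + "1000", SID + "1000": "UID 10000",  # consistent pair
    "UID 10001": SID + "1001",                             # no reverse record
    "GID 10002": SID + "513", SID + "513": "GID 10002",    # consistent pair
    "GID 10005": SID + "513",                              # 513 maps to GID 10002
}
SAMPLE_HWM = {"USER HWM": 10002, "GROUP HWM": 10003}

if __name__ == "__main__":
    for finding in check_idmap(SAMPLE, SAMPLE_HWM):
        print(finding)
    repaired, repaired_hwm = repair_auto(SAMPLE, SAMPLE_HWM)
    print(check_idmap(repaired, repaired_hwm))
```

Running the check again on the repaired copy is the same idea as following an automatic repair with a read-only check.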
1098
1099 USERSHARE
1100 Starting with version 3.0.23, a Samba server now supports the ability
1101 for non-root users to add user defined shares to be exported using the
1102 "net usershare" commands.
1103
1104 To set this up, first add this line to the [global] section of smb.conf:
1105 usershare path = /usr/local/samba/lib/usershares
1106 Next, create the directory /usr/local/samba/lib/usershares, change the
1107 owner to root and set the group owner to the UNIX group that should have
1108 the ability to create usershares, for example a group called "serverops".
1109 Set the permissions on /usr/local/samba/lib/usershares to 01770 (owner and
1110 group all access, no access for others, plus the sticky bit, which
1111 means that a file in that directory can be renamed or deleted only by
1112 the owner of the file). Finally, tell smbd how many usershares you will
1113 allow by adding a line such as this to the [global] section of smb.conf:
1114 usershare max shares = 100
1115 This allows 100 usershare definitions. Now, members of the UNIX group
1116 "serverops" can create user defined shares on demand using the commands below.
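
A check that a usershare directory has the ownership and the 01770 mode described above, as an added example (not part of the original man page or of Samba). The function name audit_usershare_dir and its parameters are hypothetical.

```python
import os
import stat

EXPECTED_MODE = 0o1770  # rwx for owner and group, nothing for others, sticky bit


def audit_usershare_dir(path, owner_uid=0, group_gid=None):
    """Return a list of findings; an empty list means the directory matches.

    owner_uid defaults to root, as the setup text requires. group_gid is the
    numeric gid of the group allowed to create usershares (None skips it).
    """
    st = os.lstat(path)  # lstat: a symlink in place of the directory is a finding
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]

    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != owner_uid:
        findings.append(f"owner uid is {st.st_uid}, expected {owner_uid}")
    if group_gid is not None and st.st_gid != group_gid:
        findings.append(f"group gid is {st.st_gid}, expected {group_gid}")
    if not mode & stat.S_ISVTX:
        # Without the sticky bit, any group member can rename or delete
        # share definition files owned by another member.
        findings.append("sticky bit is not set")
    if mode & stat.S_IRWXO:
        # Any access for others lets users outside the group reach the files.
        findings.append("others have access")
    if mode & 0o770 != 0o770:
        findings.append("owner or group lacks full access")
    if mode != EXPECTED_MODE:
        findings.append(f"mode is {mode:04o}, expected {EXPECTED_MODE:04o}")
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python3 audit.py /usr/local/samba/lib/usershares
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for line in audit_usershare_dir(target) or ["ok"]:
        print(line)
```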
1117
1118 The usershare commands are:
1119 net usershare add sharename path [comment [acl] [guest_ok=[y|n]]] -
1120 to add or change a user defined share.
1121 net usershare delete sharename - to delete a user defined share.
1122 net usershare info [-l|--long] [wildcard sharename] - to print info
1123 about a user defined share.
1124 net usershare list [-l|--long] [wildcard sharename] - to list user
1125 defined shares.
1126
1127 USERSHARE ADD sharename path [comment] [acl] [guest_ok=[y|n]]
1128 Add or replace a new user defined share, with name "sharename".
1129
1130 "path" specifies the absolute pathname on the system to be exported.
1131 Restrictions may be put on this, see the global smb.conf parameters:
1132 "usershare owner only", "usershare prefix allow list", and "usershare
1133 prefix deny list".
1134
1135 The optional "comment" parameter is the comment that will appear on the
1136 share when browsed to by a client.
1137
1138 The optional "acl" field specifies which users have read and write
1139 access to the entire share. Note that guest connections are not allowed
1140 unless the smb.conf parameter "usershare allow guests" has been set.
1141 The definition of a user defined share acl is: "user:permission", where
1142 user is a valid username on the system and permission can be "F", "R",
1143 or "D". "F" stands for "full permissions", i.e. read and write
1144 permissions. "D" stands for "deny" for a user, i.e. prevent this user
1145 from accessing this share. "R" stands for "read only", i.e. only allow
1146 read access to this share (no creation of new files or directories or
1147 writing to files).
1148
1149 The default if no "acl" is given is "Everyone:R", which means any
1150 authenticated user has read-only access.
1151
1152 The optional "guest_ok" has the same effect as the parameter of the
1153 same name in smb.conf, in that it allows guest access to this user
1154 defined share. This parameter is only allowed if the global parameter
1155 "usershare allow guests" has been set to true in the smb.conf.
1156
1157
1158 There is no separate command to modify an existing user defined share,
1159 just use the "net usershare add [sharename]" command using the same
1160 sharename as the one you wish to modify and specify the new options you
1161 wish. The Samba smbd daemon notices user defined share modifications at
1162 connect time, so it will see the change immediately; there is no need to
1163 restart smbd on adding, deleting or changing a user defined share.
1164
1165 USERSHARE DELETE sharename
1166 Deletes the user defined share by name. The Samba smbd daemon
1167 immediately notices this change, although it will not disconnect any
1168 users currently connected to the deleted share.
1169
1170 USERSHARE INFO [-l|--long] [wildcard sharename]
1171 Get info on user defined shares owned by the current user matching the
1172 given pattern, or all users.
1173
1174 net usershare info on its own dumps out info on the user defined shares
1175 that were created by the current user, or restricts them to share names
1176 that match the given wildcard pattern ('*' matches one or more
1177 characters, '?' matches only one character). If the '-l' or '--long'
1178 option is also given, it prints out info on user defined shares created
1179 by other users.
1180
1181 The information given about a share looks like: [foobar]
1182 path=/home/jeremy comment=testme usershare_acl=Everyone:F guest_ok=n
1183 And is a list of the current settings of the user defined share that
1184 can be modified by the "net usershare add" command.
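
A review of share definitions in the layout shown above, flagging the settings that widen access (Everyone:F and guest_ok=y), as an added example that is not part of the original man page. It assumes one key=value pair per line under each [share] header and comma-separated ACL entries; the function names and the sample text are constructed.

```python
import re

VALID_PERMS = {"F": "full", "R": "read only", "D": "deny"}


def parse_usershare_info(text):
    """Parse '[share]' headers and 'key=value' lines into {share: {key: value}}."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = shares.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return shares


def parse_acl(acl):
    """Split 'user:permission' entries (comma separation is an assumption)."""
    entries = []
    for item in filter(None, (part.strip() for part in acl.split(","))):
        user, _, perm = item.rpartition(":")
        entries.append((user, perm.upper()))
    return entries


def audit_usershares(text):
    """Return (share, finding) tuples for settings worth a second look."""
    findings = []
    for name, opts in parse_usershare_info(text).items():
        if opts.get("guest_ok", "n").lower() == "y":
            findings.append((name, "guest_ok=y: guest access is allowed"))
        # "Everyone:R" is the default when no ACL is given
        for user, perm in parse_acl(opts.get("usershare_acl", "Everyone:R")):
            if not user or perm not in VALID_PERMS:
                findings.append((name, f"malformed ACL entry '{user}:{perm}'"))
            elif user.lower() == "everyone" and perm == "F":
                findings.append(
                    (name, "Everyone:F: any authenticated user can write"))
    return findings


# Constructed sample; the first entry repeats the [foobar] example above.
SAMPLE_INFO = """\
[foobar]
path=/home/jeremy
comment=testme
usershare_acl=Everyone:F
guest_ok=n

[reports]
path=/srv/reports
comment=read only
usershare_acl=Everyone:R,alice:F
guest_ok=n

[dropbox]
path=/srv/dropbox
comment=
usershare_acl=Everyone:R,bob:X
guest_ok=y
"""

if __name__ == "__main__":
    for share, finding in audit_usershares(SAMPLE_INFO):
        print(f"{share}: {finding}")
```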
1185
1186 USERSHARE LIST [-l|--long] wildcard sharename
1187 List all the user defined shares owned by the current user matching the
1188 given pattern, or all users.
1189
1190 net usershare list on its own lists out the names of the user defined
1191 shares that were created by the current user, or restricts the list to
1192 share names that match the given wildcard pattern ('*' matches one or
1193 more characters, '?' matches only one character). If the '-l' or
1194 '--long' option is also given, it includes the names of user defined
1195 shares created by other users.
1196
1197 [RPC] CONF
1198 Starting with version 3.2.0, a Samba server can be configured by data
1199 stored in registry. This configuration data can be edited with the new
1200 "net conf" commands. There is also the possibility to configure a
1201 remote Samba server by enabling the RPC conf mode and specifying the
1202 address of the remote server.
1203
1204 The deployment of this configuration data can be activated in two
1205 levels from the smb.conf file: Share definitions from registry are
1206 activated by setting registry shares to “yes” in the [global] section
1207 and global configuration options are activated by setting include =
1208 registry in the [global] section for a mixed configuration or by
1209 setting config backend = registry in the [global] section for a
1210 registry-only configuration. See the smb.conf(5) manpage for details.
1211
1212 The conf commands are:
1213 net [rpc] conf list - Dump the complete configuration in smb.conf
1214 like format.
1215 net [rpc] conf import - Import configuration from file in smb.conf
1216 format.
1217 net [rpc] conf listshares - List the registry shares.
1218 net [rpc] conf drop - Delete the complete configuration from
1219 registry.
1220 net [rpc] conf showshare - Show the definition of a registry share.
1221 net [rpc] conf addshare - Create a new registry share.
1222 net [rpc] conf delshare - Delete a registry share.
1223 net [rpc] conf setparm - Store a parameter.
1224 net [rpc] conf getparm - Retrieve the value of a parameter.
1225 net [rpc] conf delparm - Delete a parameter.
1226 net [rpc] conf getincludes - Show the includes of a share
1227 definition.
1228 net [rpc] conf setincludes - Set includes for a share.
1229 net [rpc] conf delincludes - Delete includes from a share
1230 definition.
1231
1232 [RPC] CONF LIST
1233 Print the configuration data stored in the registry in a smb.conf-like
1234 format to standard output.
1235
1236 [RPC] CONF IMPORT [--test|-T] filename [section]
1237 This command imports configuration from a file in smb.conf format. If a
1238 section encountered in the input file is present in registry, its
1239 contents are replaced. Sections of registry configuration that have no
1240 counterpart in the input file are not affected. If you want to delete
1241 these, you will have to use the "net conf drop" or "net conf delshare"
1242 commands. Optionally, a section may be specified to restrict the effect
1243 of the import command to that specific section. A test mode is enabled
1244 by specifying the parameter "-T" on the commandline. In test mode, no
1245 changes are made to the registry, and the resulting configuration is
1246 printed to standard output instead.
1247
1248 [RPC] CONF LISTSHARES
1249 List the names of the shares defined in registry.
1250
1251 [RPC] CONF DROP
1252 Delete the complete configuration data from registry.
1253
1254 [RPC] CONF SHOWSHARE sharename
1255 Show the definition of the share or section specified. It is valid to
1256 specify "global" as sharename to retrieve the global configuration
1257 options from registry.
1258
1259 [RPC] CONF ADDSHARE sharename path [writeable={y|N} [guest_ok={y|N}
1260 [comment]]]
1261 Create a new share definition in registry. The sharename and path have
1262 to be given. The share name may not be "global". Optionally, values for
1263 the very common options "writeable", "guest ok" and a "comment" may be
1264 specified. The same result may be obtained by a sequence of "net conf
1265 setparm" commands.
1266
1267 [RPC] CONF DELSHARE sharename
1268 Delete a share definition from registry.
1269
1270 [RPC] CONF SETPARM section parameter value
1271 Store a parameter in registry. The section may be global or a
1272 sharename. The section is created if it does not exist yet.
1273
1274 [RPC] CONF GETPARM section parameter
1275 Show a parameter stored in registry.
1276
1277 [RPC] CONF DELPARM section parameter
1278 Delete a parameter stored in registry.
1279
1280 [RPC] CONF GETINCLUDES section
1281 Get the list of includes for the provided section (global or share).
1282
1283 Note that due to the nature of the registry database and the nature of
1284 include directives, the includes need special treatment: Parameters are
1285 stored in registry by the parameter name as valuename, so there is only
1286 ever one instance of a parameter per share. Also, a specific order like
1287 in a text file is not guaranteed. For all real parameters, this is
1288 perfectly ok, but the include directive is rather a meta parameter, for
1289 which, in the smb.conf text file, the place where it is specified
1290 between the other parameters is very important. This can not be
1291 achieved by the simple registry smbconf data model, so there is one
1292 ordered list of includes per share, and this list is evaluated after
1293 all the parameters of the share.
1294
1295 Further note that currently, only files can be included from registry
1296 configuration. In the future, there will be the ability to include
1297 configuration data from other registry keys.
1298
1299 [RPC] CONF SETINCLUDES section [filename]+
1300 Set the list of includes for the provided section (global or share) to
1301 the given list of one or more filenames. The filenames may contain the
1302 usual smb.conf macros like %I.
1303
1304 [RPC] CONF DELINCLUDES section
1305 Delete the list of includes from the provided section (global or
1306 share).
1307
1308 REGISTRY
1309 Manipulate Samba's registry.
1310
1311 The registry commands are:
1312 net registry enumerate - Enumerate registry keys and values.
1313 net registry enumerate_recursive - Enumerate registry key and its
1314 subkeys.
1315 net registry createkey - Create a new registry key.
1316 net registry deletekey - Delete a registry key.
1317 net registry deletekey_recursive - Delete a registry key with
1318 subkeys.
1319 net registry getvalue - Print a registry value.
1320 net registry getvalueraw - Print a registry value (raw format).
1321 net registry setvalue - Set a new registry value.
1322 net registry increment - Increment a DWORD registry value under a
1323 lock.
1324 net registry deletevalue - Delete a registry value.
1325 net registry getsd - Get security descriptor.
1326 net registry getsd_sddl - Get security descriptor in sddl format.
1327 net registry setsd_sddl - Set security descriptor from sddl format
1328 string.
1329 net registry import - Import a registration entries (.reg)
1330 file.
1331 net registry export - Export a registration entries (.reg)
1332 file.
1333 net registry convert - Convert a registration entries (.reg)
1334 file.
1335 net registry check - Check and repair a registry database.
1336
1337 REGISTRY ENUMERATE key
1338 Enumerate subkeys and values of key.
1339
1340 REGISTRY ENUMERATE_RECURSIVE key
1341 Enumerate values of key and its subkeys.
1342
1343 REGISTRY CREATEKEY key
1344 Create a new key if not yet existing.
1345
1346 REGISTRY DELETEKEY key
1347 Delete the given key and its values from the registry, if it has no
1348 subkeys.
1349
1350 REGISTRY DELETEKEY_RECURSIVE key
1351 Delete the given key and all of its subkeys and values from the
1352 registry.
1353
1354 REGISTRY GETVALUE key name
1355 Output type and actual value of the value name of the given key.
1356
1357 REGISTRY GETVALUERAW key name
1358 Output the actual value of the value name of the given key.
1359
1360 REGISTRY SETVALUE key name type value ...
1361 Set the value name of an existing key. type may be one of sz, multi_sz
1362 or dword. In case of multi_sz value may be given multiple times.
1363
1364 REGISTRY INCREMENT key name [inc]
1365 Increment the DWORD value name of key by inc while holding a g_lock.
1366 inc defaults to 1.
1367
1368 REGISTRY DELETEVALUE key name
1369 Delete the value name of the given key.
1370
1371 REGISTRY GETSD key
1372 Get the security descriptor of the given key.
1373
1374 REGISTRY GETSD_SDDL key
1375 Get the security descriptor of the given key as a Security Descriptor
1376 Definition Language (SDDL) string.
1377
1378 REGISTRY SETSD_SDDL key sd
1379 Set the security descriptor of the given key from a Security Descriptor
1380 Definition Language (SDDL) string sd.
1381
1382 REGISTRY IMPORT file [--precheck <check-file>] [opt]
1383 Import a registration entries (.reg) file.
1384
1385 The following options are available:
1386
1387 --precheck check-file
1388 This is a mechanism to check the existence or non-existence of
1389 certain keys or values specified in a precheck file before applying
1390 the import file. The import file will only be applied if the
1391 precheck succeeds.
1392
1393 The check-file follows the normal registry file syntax with the
1394 following semantics:
1395
1396 · <value name>=<value> checks whether the value exists and
1397 has the given value.
1398
1399 · <value name>=- checks whether the value does not exist.
1400
1401 · [key] checks whether the key exists.
1402
1403 · [-key] checks whether the key does not exist.
1404
1405
1406 REGISTRY EXPORT key file [opt]
1407 Export a key to a registration entries (.reg) file.
1408
1409 REGISTRY CONVERT in out [[inopt] outopt]
1410 Convert a registration entries (.reg) file in.
1411
1412 REGISTRY CHECK [-ravTl] [-o <ODB>] [--wipe] [<DB>]
1413 Check and repair the registry database. If no option is given a read
1414 only check of the database is done. Among others an interactive or
1415 automatic repair mode may be chosen with one of the following options:
1416
1417 -r|--repair
1418 Interactive repair mode, ask a lot of questions.
1419
1420 -a|--auto
1421 Noninteractive repair mode, use default answers.
1422
1423 -v|--verbose
1424 Produce more output.
1425
1426 -T|--test
1427 Dry run, show what changes would be made but don't touch anything.
1428
1429 -l|--lock
1430 Lock the database while doing the check.
1431
1432 --reg-version={1,2,3}
1433 Specify the format of the registry database. If not given it
1434 defaults to the value of the binary or, if a registry.tdb is
1435 explicitly stated at the commandline, to the value found in the
1436 INFO/version record.
1437
1438 [--db] <DB>
1439 Check the specified database.
1440
1441 -o|--output <ODB>
1442 Create a new registry database <ODB> instead of modifying the
1443 input. If <ODB> is already existing --wipe may be used to overwrite
1444 it.
1445
1446 --wipe
1447 Replace the registry database instead of modifying the input or
1448 overwrite an existing output database.
1449
1450 EVENTLOG
1451 Starting with version 3.4.0 net can read, dump, import and export
1452 native win32 eventlog files (usually *.evt). evt files are used by the
1453 native Windows eventviewer tools.
1454
1455 The import and export of evt files can only succeed when eventlog list
1456 is used in smb.conf file. See the smb.conf(5) manpage for details.
1457
1458 The eventlog commands are:
1459 net eventlog dump - Dump an eventlog *.evt file on the screen.
1460 net eventlog import - Import an eventlog *.evt into the samba
1461 internal tdb based representation of eventlogs.
1462 net eventlog export - Export the samba internal tdb based
1463 representation of eventlogs into an eventlog *.evt file.
1464
1465 EVENTLOG DUMP filename
1466 Prints an eventlog *.evt file to standard output.
1467
1468 EVENTLOG IMPORT filename eventlog
1469 Imports an eventlog *.evt file defined by filename into the samba
1470 internal tdb representation of eventlog defined by eventlog. eventlog
1471 needs to be part of the eventlog list defined in smb.conf. See the
1472 smb.conf(5) manpage for details.
1473
1474 EVENTLOG EXPORT filename eventlog
1475 Exports the samba internal tdb representation of eventlog defined by
1476 eventlog to an eventlog *.evt file defined by filename. eventlog needs
1477 to be part of the eventlog list defined in smb.conf. See the smb.conf(5)
1478 manpage for details.
1479
1480 DOM
1481 Starting with version 3.2.0 Samba has support for remote join and
1482 unjoin APIs, both client and server-side. Windows supports remote join
1483 capabilities since Windows 2000.
1484
1485 In order for Samba to be joined or unjoined remotely an account must be
1486 used that is either a member of the Domain Admins group, a member of the
1487 local Administrators group or a user that is granted the
1488 SeMachineAccountPrivilege privilege.
1489
1490 The client side support for remote join is implemented in the net dom
1491 commands which are:
1492 net dom join - Join a remote computer into a domain.
1493 net dom unjoin - Unjoin a remote computer from a domain.
1494 net dom renamecomputer - Renames a remote computer joined to a
1495 domain.
1496
1497 DOM JOIN domain=DOMAIN ou=OU account=ACCOUNT password=PASSWORD reboot
1498 Joins a computer into a domain. This command supports the following
1499 additional parameters:
1500
1501 · DOMAIN can be a NetBIOS domain name (also known as short
1502 domain name) or a DNS domain name for Active Directory
1503 Domains. As in Windows, it is also possible to control which
1504 Domain Controller to use. This can be achieved by appending
1505 the DC name using the \ separator character. Example:
1506 MYDOM\MYDC. The DOMAIN parameter cannot be NULL.
1507
1508 · OU can be set to a RFC 1779 LDAP DN, like
1509 ou=mymachines,cn=Users,dc=example,dc=com in order to create
1510 the machine account in a non-default LDAP container. This
1511 optional parameter is only supported when joining Active
1512 Directory Domains.
1513
1514 · ACCOUNT defines a domain account that will be used to join
1515 the machine to the domain. This domain account needs to have
1516 sufficient privileges to join machines.
1517
1518 · PASSWORD defines the password for the domain account defined
1519 with ACCOUNT.
1520
1521 · REBOOT is an optional parameter that can be set to reboot
1522 the remote machine after successful join to the domain.
1523
1524
1525 Note that you also need to use standard net parameters to connect and
1526 authenticate to the remote machine that you want to join. These
1527 additional parameters include: -S computer and -U user.
1528
1529 Example: net dom join -S xp -U XP\\administrator%secret domain=MYDOM
1530 account=MYDOM\\administrator password=topsecret reboot.
1531
1532 This example would connect to a computer named XP as the local
1533 administrator using password secret, and join the computer into a
1534 domain called MYDOM using the MYDOM domain administrator account and
1535 password topsecret. After successful join, the computer would reboot.
1536
1537 DOM UNJOIN account=ACCOUNT password=PASSWORD reboot
1538 Unjoins a computer from a domain. This command supports the following
1539 additional parameters:
1540
1541 · ACCOUNT defines a domain account that will be used to unjoin
1542 the machine from the domain. This domain account needs to
1543 have sufficient privileges to unjoin machines.
1544
1545 · PASSWORD defines the password for the domain account defined
1546 with ACCOUNT.
1547
1548 · REBOOT is an optional parameter that can be set to reboot
1549 the remote machine after successful unjoin from the domain.
1550
1551
1552 Note that you also need to use standard net parameters to connect and
1553 authenticate to the remote machine that you want to unjoin. These
1554 additional parameters include: -S computer and -U user.
1555
1556 Example: net dom unjoin -S xp -U XP\\administrator%secret
1557 account=MYDOM\\administrator password=topsecret reboot.
1558
1559 This example would connect to a computer named XP as the local
1560 administrator using password secret, and unjoin the computer from the
1561 domain using the MYDOM domain administrator account and password
1562 topsecret. After successful unjoin, the computer would reboot.
1563
1564 DOM RENAMECOMPUTER newname=NEWNAME account=ACCOUNT password=PASSWORD reboot
1565 Renames a computer that is joined to a domain. This command supports
1566 the following additional parameters:
1567
1568 · NEWNAME defines the new name of the machine in the domain.
1569
1570 · ACCOUNT defines a domain account that will be used to rename
1571 the machine in the domain. This domain account needs to have
1572 sufficient privileges to rename machines.
1573
1574 · PASSWORD defines the password for the domain account defined
1575 with ACCOUNT.
1576
1577 · REBOOT is an optional parameter that can be set to reboot
1578 the remote machine after successful rename in the domain.
1579
1580
1581 Note that you also need to use standard net parameters to connect and
1582 authenticate to the remote machine that you want to rename in the
1583 domain. These additional parameters include: -S computer and -U user.
1584
1585 Example: net dom renamecomputer -S xp -U XP\\administrator%secret
1586 newname=XPNEW account=MYDOM\\administrator password=topsecret reboot.
1587
1588 This example would connect to a computer named XP as the local
1589 administrator using password secret, and rename the joined computer to
1590 XPNEW using the MYDOM domain administrator account and password
1591 topsecret. After successful rename, the computer would reboot.
1592
1593 G_LOCK
1594 Manage global locks.
1595
1596 G_LOCK DO lockname timeout command
1597 Execute a shell command under a global lock. This might be useful to
1598 define the order in which several shell commands will be executed. The
1599 locking information is stored in a file called g_lock.tdb. In setups
1600 with CTDB running, the locking information will be available on all
1601 cluster nodes.
1602
1603 · LOCKNAME defines the name of the global lock.
1604
1605 · TIMEOUT defines the timeout.
1606
1607 · COMMAND defines the shell command to execute.
1608
1609 G_LOCK LOCKS
1610 Print a list of all currently existing locknames.
1611
1612 G_LOCK DUMP lockname
1613 Dump the locking table of a certain global lock.
1614
1615 TDB
1616 Print information from tdb records.
1617
1618 TDB LOCKING key [DUMP]
1619 List sharename, filename and number of share modes for a record from
1620 locking.tdb. With the optional DUMP options, dump the complete record.
1621
1622 · KEY Key of the tdb record as hex string.
1623
1624 vfs
1625 Access shared filesystem through the VFS.
1626
1627 vfs stream2adouble [--recursive] [--verbose] [--continue]
1628 [--follow-symlinks] share path
1629 Convert file streams to AppleDouble files.
1630
1631 · share A Samba share.
1632
1633
1634 · path A relative path of something in the Samba share. "."
1635 can be used for the root directory of the share.
1636
1637
1638 Options:
1639
1640 --recursive
1641 Traverse a directory hierarchy.
1642
1643 --verbose
1644 Verbose output.
1645
1646 --continue
1647 Continue traversing a directory hierarchy if a single conversion
1648 fails.
1649
1650 --follow-symlinks
1651 Follow symlinks encountered while traversing a directory.
1652
1653 vfs getntacl share path
1654 Display the security descriptor of a file or directory.
1655
1656 · share A Samba share.
1657
1658
1659 · path A relative path of something in the Samba share. "."
1660 can be used for the root directory of the share.
1661
1662 HELP [COMMAND]
1663 Gives usage information for the specified command.
1664
1666 This man page is complete for version 3 of the Samba suite.
1667
1669 The original Samba software and related utilities were created by
1670 Andrew Tridgell. Samba is now developed by the Samba Team as an Open
1671 Source project similar to the way the Linux kernel is developed.
1672
1673 The net manpage was written by Jelmer Vernooij.
1674
1675
1676
1677Samba 4.12.2 04/28/2020 NET(8)