NET(8)                    System Administration tools                   NET(8)

NAME

       net - Tool for administration of Samba and remote CIFS servers.

SYNOPSIS

       net {<ads|rap|rpc>} [-h|--help] [-w|--workgroup workgroup]
        [-W|--myworkgroup myworkgroup] [-U|--user user]
        [-A|--authentication-file authfile] [-I|--ipaddress ip-address]
        [-p|--port port] [-n myname] [-s conffile] [-S|--server server]
        [-l|--long] [-v|--verbose] [-f|--force] [-P|--machine-pass]
        [-d debuglevel] [-V] [--request-timeout seconds]
        [-t|--timeout seconds] [-i|--stdin] [--tallocreport]

DESCRIPTION

       This tool is part of the samba(7) suite.

       The Samba net utility is meant to work just like the net utility
       available for Windows and DOS. The first argument should be used to
       specify the protocol to use when executing a certain command. ADS is
       used for Active Directory, RAP is used for old (Win9x/NT3) clients and
       RPC can be used for NT4 and Windows 2000. If this argument is omitted,
       net will try to determine it automatically. Not all commands are
       available on all protocols.

OPTIONS

       -?|--help
           Print a summary of command line options.

       -k|--kerberos
           Try to authenticate with kerberos. Only useful in an Active
           Directory environment.

       -w|--workgroup target-workgroup
           Sets target workgroup or domain. You have to specify either this
           option or the IP address or the name of a server.

       -W|--myworkgroup workgroup
           Sets client workgroup or domain

       -U|--user user
           User name to use

       -I|--ipaddress ip-address
           IP address of target server to use. You have to specify either this
           option or a target workgroup or a target server.

       -p|--port port
           Port on the target server to connect to (usually 139 or 445).
           Defaults to trying 445 first, then 139.

       -n|--netbiosname <primary NetBIOS name>
           This option allows you to override the NetBIOS name that Samba uses
           for itself. This is identical to setting the netbios name parameter
           in the smb.conf file. However, a command line setting will take
           precedence over settings in smb.conf.

       -S|--server server
           Name of target server. You should specify either this option or a
           target workgroup or a target IP address.

       -l|--long
           When listing data, give more information on each item.

       -v|--verbose
           When listing data, give more verbose information on each item.

       -f|--force
           Enforce a net command.

       -P|--machine-pass
           Make queries to the external server using the machine account of
           the local server.

       --request-timeout 30
           Let client requests time out after 30 seconds. The default is 10
           seconds.

       -t|--timeout 30
           Set timeout for client operations to 30 seconds.

       --use-ccache
           Try to use the credentials cached by winbind.

       -i|--stdin
           Take input for net commands from standard input.

       --tallocreport
           Generate a talloc report while processing a net command.

       -T|--test
           Only test command sequence, dry-run.

       -F|--flags FLAGS
           Pass down integer flags to a net subcommand.

       -C|--comment COMMENT
           Pass down a comment string to a net subcommand.

       -n|--myname MYNAME
           Use MYNAME as a requester name for a net subcommand.

       -c|--container CONTAINER
           Use a specific AD container for net ads operations.

       -M|--maxusers MAXUSERS
           Fill in the maxusers field in net rpc share operations.

       -r|--reboot
           Reboot a remote machine after a command has been successfully
           executed (e.g. in remote join operations).

       --force-full-repl
           When calling "net rpc vampire keytab" this option enforces a full
           re-creation of the generated keytab file.

       --single-obj-repl
           When calling "net rpc vampire keytab" this option allows one to
           replicate just a single object to the generated keytab file.

       --clean-old-entries
           When calling "net rpc vampire keytab" this option allows one to
           clean up old entries from the generated keytab file.

       --db
           Define dbfile for "net idmap" commands.

       --lock
           Activates locking of the dbfile for "net idmap check" command.

       -a|--auto
           Activates noninteractive mode in "net idmap check".

       --repair
           Activates repair mode in "net idmap check".

       --acls
           Includes ACLs to be copied in "net rpc share migrate".

       --attrs
           Includes file attributes to be copied in "net rpc share migrate".

       --timestamps
           Includes timestamps to be copied in "net rpc share migrate".

       -X|--exclude DIRECTORY
           Allows one to exclude directories when copying with "net rpc share
           migrate".

       --destination SERVERNAME
           Defines the target servername of migration process (defaults to
           localhost).

       -L|--local
           Sets the type of group mapping to local (used in "net groupmap
           set").

       -D|--domain
           Sets the type of group mapping to domain (used in "net groupmap
           set").

       -N|--ntname NTNAME
           Sets the ntname of a group mapping (used in "net groupmap set").

       -R|--rid RID
           Sets the rid of a group mapping (used in "net groupmap set").

       --reg-version REG_VERSION
           Assume database version {n|1,2,3} (used in "net registry check").

       -o|--output FILENAME
           Output database file (used in "net registry check").

       --wipe
           Create a new database from scratch (used in "net registry check").

       --precheck PRECHECK_DB_FILENAME
           Defines filename for database prechecking (used in "net registry
           import").

       --no-dns-updates
           Do not perform DNS updates as part of "net ads join".

       --keep-account
           Prevent the machine account removal as part of "net ads leave".

       --json
           Report results in JSON format for "net ads info" and "net ads
           lookup".

       --recursive
           Traverse a directory hierarchy.

       --continue
           Continue traversing a directory hierarchy in case conversion of one
           file fails.

       --follow-symlinks
           Follow symlinks encountered while traversing a directory.

       -e|--encrypt
           This command line parameter requires that the remote server support
           the UNIX extensions or that the SMB3 protocol has been selected.
           Requests that the connection be encrypted. Negotiates SMB
           encryption using either SMB3 or POSIX extensions via GSSAPI. Uses
           the given credentials for the encryption negotiation (either
           kerberos or NTLMv1/v2 if given a domain/username/password triple).
           Fails the connection if encryption cannot be negotiated.

       -d|--debuglevel=level
           level is an integer from 0 to 10. The default value if this
           parameter is not specified is 1.

           The higher this value, the more detail will be logged to the log
           files about the activities of the server. At level 0, only critical
           errors and serious warnings will be logged. Level 1 is a reasonable
           level for day-to-day running - it generates a small amount of
           information about operations carried out.

           Levels above 1 will generate considerable amounts of log data, and
           should only be used when investigating a problem. Levels above 3
           are designed for use only by developers and generate HUGE amounts
           of log data, most of which is extremely cryptic.

           Note that specifying this parameter here will override the log
           level parameter in the smb.conf file.

       -V|--version
           Prints the program version number.

       -s|--configfile=<configuration file>
           The file specified contains the configuration details required by
           the server. The information in this file includes server-specific
           information such as what printcap file to use, as well as
           descriptions of all the services that the server is to provide. See
           smb.conf for more information. The default configuration file name
           is determined at compile time.

       -l|--log-basename=logdirectory
           Base directory name for log/debug files. The extension ".progname"
           will be appended (e.g. log.smbclient, log.smbd, etc...). The log
           file is never removed by the client.

       --option=<name>=<value>
           Set the smb.conf(5) option "<name>" to value "<value>" from the
           command line. This overrides compiled-in defaults and options read
           from the configuration file.

COMMANDS

   CHANGESECRETPW
       This command allows the Samba machine account password to be set from
       an external application to a machine account password that has already
       been stored in Active Directory. DO NOT USE this command unless you
       know exactly what you are doing. The use of this command requires that
       the force flag (-f) be used also. There will be NO command prompt.
       Whatever information is piped into stdin, either by typing at the
       command line or otherwise, will be stored as the literal machine
       password. Do NOT use this without care and attention as it will
       overwrite a legitimate machine password without warning. YOU HAVE BEEN
       WARNED.

   TIME
       The NET TIME command allows you to view the time on a remote server or
       synchronise the time on the local server with the time on the remote
       server.

   TIME
       Without any options, the NET TIME command displays the time on the
       remote server. The remote server must be specified with the -S option.

   TIME SYSTEM
       Displays the time on the remote server in a format ready for /bin/date.
       The remote server must be specified with the -S option.

   TIME SET
       Tries to set the date and time of the local server to that on the
       remote server using /bin/date. The remote server must be specified with
       the -S option.

   TIME ZONE
       Displays the timezone in hours from GMT on the remote server. The
       remote server must be specified with the -S option.

   [RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]]
       [createupn=UPN] [createcomputer=OU] [machinepass=PASS] [osName=string
       osVer=string] [options]
       Join a domain. If the account already exists on the server, and [TYPE]
       is MEMBER, the machine will attempt to join automatically (assuming
       that the machine has been created in server manager). Otherwise, a
       password will be prompted for, and a new account may be created.

       [TYPE] may be PDC, BDC or MEMBER to specify the type of server joining
       the domain.

       [UPN] (ADS only) Set the principalname attribute during the join. The
       default format is host/netbiosname@REALM.

       [OU] (ADS only) Precreate the computer account in a specific OU. The OU
       string reads from top to bottom without RDNs, and is delimited by a
       '/'. Please note that '\' is used for escape by both the shell and
       ldap, so it may need to be doubled or quadrupled to pass through, and
       it is not used as a delimiter.

       [PASS] (ADS only) Set a specific password on the computer account being
       created by the join.

       [osName=string osVer=String] (ADS only) Set the operatingSystem and
       operatingSystemVersion attribute during the join. Both parameters must
       be specified for either to take effect.

   [RPC] OLDJOIN [options]
       Join a domain. Use the OLDJOIN option to join the domain using the old
       style of domain joining - you need to create a trust account in server
       manager first.

   [RPC|ADS] USER
   [RPC|ADS] USER
       List all users

   [RPC|ADS] USER DELETE target
       Delete specified user

   [RPC|ADS] USER INFO target
       List the domain groups of the specified user.

   [RPC|ADS] USER RENAME oldname newname
       Rename specified user.

   [RPC|ADS] USER ADD name [password] [-F user flags] [-C comment]
       Add specified user.

   [RPC|ADS] GROUP
   [RPC|ADS] GROUP [misc options] [targets]
       List user groups.

   [RPC|ADS] GROUP DELETE name [misc. options]
       Delete specified group.

   [RPC|ADS] GROUP ADD name [-C comment]
       Create specified group.

   [ADS] LOOKUP
       Lookup the closest Domain Controller in our domain and retrieve server
       information about it.

   [RAP|RPC] SHARE
   [RAP|RPC] SHARE [misc. options] [targets]
       Enumerates all exported resources (network shares) on target server.

   [RAP|RPC] SHARE ADD name=serverpath [-C comment] [-M maxusers] [targets]
       Adds a share from a server (makes the export active). Maxusers
       specifies the number of users that can be connected to the share
       simultaneously.

   SHARE DELETE sharename
       Delete specified share.

   [RPC|RAP] FILE
   [RPC|RAP] FILE
       List all open files on remote server.

   [RPC|RAP] FILE CLOSE fileid
       Close file with specified fileid on remote server.

   [RPC|RAP] FILE INFO fileid
       Print information on specified fileid. Currently listed are: file-id,
       username, locks, path, permissions.

   [RAP|RPC] FILE USER user
       List files opened by specified user. Please note that net rap file user
       does not work against Samba servers.

   SESSION
   RAP SESSION
       Without any other options, SESSION enumerates all active SMB/CIFS
       sessions on the target server.

   RAP SESSION DELETE|CLOSE CLIENT_NAME
       Close the specified sessions.

   RAP SESSION INFO CLIENT_NAME
       Give a list with all the open files in specified session.

   RAP SERVER DOMAIN
       List all servers in specified domain or workgroup. Defaults to local
       domain.

   RAP DOMAIN
       Lists all domains and workgroups visible on the current network.

   RAP PRINTQ
   RAP PRINTQ INFO QUEUE_NAME
       Lists the specified print queue and print jobs on the server. If the
       QUEUE_NAME is omitted, all queues are listed.

   RAP PRINTQ DELETE JOBID
       Delete job with specified id.

   RAP VALIDATE user [password]
       Validate whether the specified user can log in to the remote server. If
       the password is not specified on the command line, it will be prompted
       for.

           Note
           Currently NOT implemented.

   RAP GROUPMEMBER
   RAP GROUPMEMBER LIST GROUP
       List all members of the specified group.

   RAP GROUPMEMBER DELETE GROUP USER
       Delete member from group.

   RAP GROUPMEMBER ADD GROUP USER
       Add member to group.

   RAP ADMIN command
       Execute the specified command on the remote server. Only works with
       OS/2 servers.

           Note
           Currently NOT implemented.

   RAP SERVICE
   RAP SERVICE START NAME [arguments...]
       Start the specified service on the remote server. Not implemented yet.

           Note
           Currently NOT implemented.

   RAP SERVICE STOP
       Stop the specified service on the remote server.

           Note
           Currently NOT implemented.

   RAP PASSWORD USER OLDPASS NEWPASS
       Change password of USER from OLDPASS to NEWPASS.

   LOOKUP
   LOOKUP HOST HOSTNAME [TYPE]
       Lookup the IP address of the given host with the specified type
       (netbios suffix). The type defaults to 0x20 (workstation).

   LOOKUP LDAP [DOMAIN]
       Give IP address of LDAP server of specified DOMAIN. Defaults to local
       domain.

   LOOKUP KDC [REALM]
       Give IP address of KDC for the specified REALM. Defaults to local
       realm.

   LOOKUP DC [DOMAIN]
       Give IPs of Domain Controllers for specified DOMAIN. Defaults to local
       domain.

   LOOKUP MASTER DOMAIN
       Give IP of master browser for specified DOMAIN or workgroup. Defaults
       to local domain.

   LOOKUP NAME [NAME]
       Lookup username's sid and type for specified NAME.

   LOOKUP SID [SID]
       Give sid's name and type for specified SID.

   LOOKUP DSGETDCNAME [NAME] [FLAGS] [SITENAME]
       Give Domain Controller information for specified domain NAME.

   CACHE
       Samba uses a general caching interface called 'gencache'. It can be
       controlled using 'NET CACHE'.

       All the timeout parameters support the suffixes:
           s - Seconds
           m - Minutes
           h - Hours
           d - Days
           w - Weeks

   CACHE ADD key data time-out
       Add specified key+data to the cache with the given timeout.

   CACHE DEL key
       Delete key from the cache.

   CACHE SET key data time-out
       Update data of existing cache entry.

   CACHE SEARCH PATTERN
       Search for the specified pattern in the cache data.

   CACHE LIST
       List all current items in the cache.

   CACHE FLUSH
       Remove all the current items from the cache.

   GETLOCALSID [DOMAIN]
       Prints the SID of the specified domain, or if the parameter is omitted,
       the SID of the local server.

   SETLOCALSID S-1-5-21-x-y-z
       Sets SID for the local server to the specified SID.

   GETDOMAINSID
       Prints the local machine SID and the SID of the current domain.

   SETDOMAINSID
       Sets the SID of the current domain.

   GROUPMAP
       Manage the mappings between Windows group SIDs and UNIX groups. Common
       options include:

              ·   unixgroup - Name of the UNIX group

              ·   ntgroup - Name of the Windows NT group (must be resolvable
                  to a SID)

              ·   rid - Unsigned 32-bit integer

              ·   sid - Full SID in the form of "S-1-..."

              ·   type - Type of the group; either 'domain', 'local', or
                  'builtin'

              ·   comment - Freeform text description of the group

   GROUPMAP ADD
       Add a new group mapping entry:

           net groupmap add {rid=int|sid=string} unixgroup=string \
                [type={domain|local}] [ntgroup=string] [comment=string]

   GROUPMAP DELETE
       Delete a group mapping entry. If more than one group name matches, the
       first entry found is deleted.

           net groupmap delete {ntgroup=string|sid=SID}

   GROUPMAP MODIFY
       Update an existing group entry.

           net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] \
                  [comment=string] [type={domain|local}]

   GROUPMAP LIST
       List existing group mapping entries.

           net groupmap list [verbose] [ntgroup=string] [sid=SID]

   MAXRID
       Prints out the highest RID currently in use on the local server (by the
       active 'passdb backend').

   RPC INFO
       Print information about the domain of the remote server, such as domain
       name, domain sid and number of users and groups.

   [RPC|ADS] TESTJOIN
       Check whether participation in a domain is still valid.

   [RPC|ADS] CHANGETRUSTPW
       Force change of domain trust password.

   RPC TRUSTDOM
   RPC TRUSTDOM ADD DOMAIN
       Add an interdomain trust account for DOMAIN. This is in fact a Samba
       account named DOMAIN$ with the account flag 'I' (interdomain trust
       account). This is required for incoming trusts to work. It makes Samba
       be a trusted domain of the foreign (trusting) domain. Users of the
       Samba domain will be made available in the foreign domain. If the
       command is used against localhost it has the same effect as smbpasswd
       -a -i DOMAIN. Please note that both commands expect an appropriate UNIX
       account.

   RPC TRUSTDOM DEL DOMAIN
       Remove interdomain trust account for DOMAIN. If it is used against
       localhost it has the same effect as smbpasswd -x DOMAIN$.

   RPC TRUSTDOM ESTABLISH DOMAIN
       Establish a trust relationship to a trusted domain. Interdomain account
       must already be created on the remote PDC. This is required for
       outgoing trusts to work. It makes Samba be a trusting domain of a
       foreign (trusted) domain. Users of the foreign domain will be made
       available in our domain. You'll need winbind and a working idmap config
       to make them appear in your system.

   RPC TRUSTDOM REVOKE DOMAIN
       Abandon relationship to trusted domain.

   RPC TRUSTDOM LIST
       List all interdomain trust relationships.

   RPC TRUST
   RPC TRUST CREATE
       Create a trust object by calling lsaCreateTrustedDomainEx2. This can be
       done on a single server or on two servers at once with the possibility
       to use a random trust password.

       Options:

       otherserver
           Domain controller of the second domain

       otheruser
           Admin user in the second domain

       otherdomainsid
           SID of the second domain

       other_netbios_domain
           NetBIOS (short) name of the second domain

       otherdomain
           DNS (full) name of the second domain

       trustpw
           Trust password

       Examples:

       Create a trust object on srv1.dom1.dom for the domain dom2

               net rpc trust create \
                   otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
                   other_netbios_domain=dom2 \
                   otherdomain=dom2.dom \
                   trustpw=12345678 \
                   -S srv1.dom1.dom

       Create a trust relationship between dom1 and dom2

               net rpc trust create \
                   otherserver=srv2.dom2.test \
                   otheruser=dom2adm \
                   -S srv1.dom1.dom

   RPC TRUST DELETE
       Delete a trust object by calling lsaDeleteTrustedDomain. This can be
       done on a single server or on two servers at once.

       Options:

       otherserver
           Domain controller of the second domain

       otheruser
           Admin user in the second domain

       otherdomainsid
           SID of the second domain

       Examples:

       Delete a trust object on srv1.dom1.dom for the domain dom2

               net rpc trust delete \
                   otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
                   -S srv1.dom1.dom

       Delete a trust relationship between dom1 and dom2

               net rpc trust delete \
                   otherserver=srv2.dom2.test \
                   otheruser=dom2adm \
                   -S srv1.dom1.dom

   RPC RIGHTS
       This subcommand is used to view and manage Samba's rights assignments
       (also referred to as privileges). There are three options currently
       available: list, grant, and revoke. More details on Samba's privilege
       model and its use can be found in the Samba-HOWTO-Collection.

   RPC ABORTSHUTDOWN
       Abort the shutdown of a remote server.

   RPC SHUTDOWN [-t timeout] [-r] [-f] [-C message]
       Shut down the remote server.

       -r
           Reboot after shutdown.

       -f
           Force shutting down all applications.

       -t timeout
           Timeout before system will be shut down. An interactive user of the
           system can use this time to cancel the shutdown.

       -C message
           Display the specified message on the screen to announce the
           shutdown.

   RPC SAMDUMP
       Print out sam database of remote server. You need to run this against
       the PDC, from a Samba machine joined as a BDC.

   RPC VAMPIRE
       Export users, aliases and groups from remote server to local server.
       You need to run this against the PDC, from a Samba machine joined as a
       BDC. This vampire command cannot be used against an Active Directory,
       only against an NT4 Domain Controller.

   RPC VAMPIRE KEYTAB
       Dump remote SAM database to local Kerberos keytab file.

   RPC VAMPIRE LDIF
       Dump remote SAM database to local LDIF file or standard output.

   RPC GETSID
       Fetch domain SID and store it in the local secrets.tdb.

   ADS GPO
   ADS GPO APPLY <USERNAME|MACHINENAME>
       Apply GPOs for a username or machine name. Either username or machine
       name should be provided to the command, not both.

   ADS GPO GETGPO [GPO]
       List specified GPO.

   ADS GPO LINKADD [LINKDN] [GPODN]
       Link a container to a GPO. LINKDN: container to link to a GPO. GPODN:
       GPO to link the container to. DNs must be provided properly escaped.
       See RFC 4514 for details.

   ADS GPO LINKGET [CONTAINER]
       Lists gPLink of a container.

   ADS GPO LIST <USERNAME|MACHINENAME>
       Lists all GPOs for a username or machine name. Either username or
       machine name should be provided to the command, not both.

   ADS GPO LISTALL
       Lists all GPOs on a DC.

   ADS GPO REFRESH [USERNAME] [MACHINENAME]
       Lists all GPOs assigned to an account and downloads them. USERNAME:
       user to refresh GPOs for. MACHINENAME: machine to refresh GPOs for.

   ADS DNS
   ADS DNS REGISTER [HOSTNAME [IP [IP.....]]]
       Add host dns entry to Active Directory.

   ADS DNS UNREGISTER <HOSTNAME>
       Remove host dns entry from Active Directory.

   ADS DNS GETHOSTBYNAME <NAMESERVER|HOSTNAME>
       Look up the hostname from Active Directory. You can either provide a
       nameserver, i.e. an IPv4|IPv6 address, or the hostname. Only one should
       be provided at a time.

   ADS LEAVE [--keep-account]
       Make the remote host leave the domain it is part of.

   ADS STATUS
       Print out status of machine account of the local machine in ADS. Prints
       out quite some debug info. Aimed at developers; regular users should
       use NET ADS TESTJOIN.

   ADS PRINTER
   ADS PRINTER INFO [PRINTER] [SERVER]
       Lookup info for PRINTER on SERVER. The printer name defaults to "*",
       the server name defaults to the local host.

   ADS PRINTER PUBLISH PRINTER
       Publish specified printer using ADS.

   ADS PRINTER REMOVE PRINTER
       Remove specified printer from ADS directory.

   ADS SEARCH EXPRESSION ATTRIBUTES...
       Perform a raw LDAP search on an ADS server and dump the results. The
       expression is a standard LDAP search expression, and the attributes are
       a list of LDAP fields to show in the results.

       Example: net ads search '(objectCategory=group)' sAMAccountName

   ADS DN DN (attributes)
       Perform a raw LDAP search on an ADS server and dump the results. The DN
       is a standard LDAP DN, and the attributes are a list of LDAP fields to
       show in the result.

       Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain'
       SAMAccountName

   ADS KEYTAB CREATE
       Creates a new keytab file if one doesn't exist with default entries.
       Default entries are kerberos principals created from the machinename of
       the client, the UPN (if it exists) and any Windows SPN(s) associated
       with the computer AD account for the client. If a keytab file already
       exists then only missing kerberos principals from the default entries
       are added. No changes are made to the computer AD account.

   ADS KEYTAB ADD (principal | machine | serviceclass | windows SPN)
       Adds a new keytab entry. The entry can be one of:

       kerberos principal
           A kerberos principal (identified by the presence of '@') is just
           added to the keytab file.

       machinename
           A machinename (identified by the trailing '$') is used to create a
           kerberos principal 'machinename@realm' which is added to the
           keytab file.

       serviceclass
           A serviceclass (such as 'cifs', 'html' etc.) is used to create a
           pair of kerberos principals
           'serviceclass/fully_qualified_dns_name@realm' &
           'serviceclass/netbios_name@realm' which are added to the keytab
           file.

       Windows SPN
           A Windows SPN is of the format 'serviceclass/host:port', it is used
           to create a kerberos principal 'serviceclass/host@realm' which will
           be written to the keytab file.

       Unlike old versions, no computer AD objects are modified by this
       command. To preserve the behaviour of older clients 'net ads keytab
       add_update_ads' is available.

   ADS KEYTAB ADD_UPDATE_ADS (principal | machine | serviceclass | windows SPN)
       Adds a new keytab entry (see section for net ads keytab add). In
       addition to adding entries to the keytab file, corresponding Windows
       SPNs are created from the entry passed to this command. These SPN(s)
       are added to the AD computer account object associated with the client
       machine running this command for the following entry types:

       serviceclass
           A serviceclass (such as 'cifs', 'html' etc.) is used to create a
           pair of Windows SPN(s) 'param/full_qualified_dns' &
           'param/netbios_name' which are added to the AD computer account
           object for this client.

       Windows SPN
           A Windows SPN is of the format 'serviceclass/host:port', it is
           added as passed to the AD computer account object for this client.

   ADS setspn SETSPN LIST [machine]
       Lists the Windows SPNs stored in the 'machine' Windows AD Computer
       object. If 'machine' is not specified then computer account for this
       client is used instead.

   ADS setspn SETSPN ADD SPN [machine]
       Adds the specified Windows SPN to the 'machine' Windows AD Computer
       object. If 'machine' is not specified then computer account for this
       client is used instead.

   ADS setspn SETSPN DELETE SPN [machine]
       Deletes the specified Windows SPN from the 'machine' Windows AD
       Computer object. If 'machine' is not specified then computer account
       for this client is used instead.

863   ADS WORKGROUP
864       Print out workgroup name for specified kerberos realm.
865
866   ADS ENCTYPES
867       List, modify or delete the value of the "msDS-SupportedEncryptionTypes"
868       attribute of an account in AD.
869
870       This attribute allows one to control which Kerberos encryption types
871       are used for the generation of initial and service tickets. The value
872       consists of an integer bitmask with the following values:
873
874       0x00000001 DES-CBC-CRC
875
876       0x00000002 DES-CBC-MD5
877
878       0x00000004 RC4-HMAC
879
880       0x00000008 AES128-CTS-HMAC-SHA1-96
881
882       0x00000010 AES256-CTS-HMAC-SHA1-96
883
884   ADS ENCTYPES LIST <ACCOUNTNAME>
885       List the value of the "msDS-SupportedEncryptionTypes" attribute of a
886       given account.
887
888       Example: net ads enctypes list Computername
889
890   ADS ENCTYPES SET <ACCOUNTNAME> [enctypes]
891       Set the value of the "msDS-SupportedEncryptionTypes" attribute of the
892       LDAP object of ACCOUNTNAME to a given value. If the value is omitted,
893       the value is set to 31 which enables all the currently supported
894       encryption types.
895
896       Example: net ads enctypes set Computername 24
897
898   ADS ENCTYPES DELETE <ACCOUNTNAME>
899       Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP
900       object of ACCOUNTNAME.
901
902       Example: net ads enctypes delete Computername
903
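The bitmask from the ADS ENCTYPES section, decoded and audited, as an added example (not part of Samba or of this manual page). It assumes DES and RC4 are the types to phase out; the account names in SAMPLE are constructed, and the suggested command uses only the `net ads enctypes set` syntax shown above.

```python
# Added example: decode and audit msDS-SupportedEncryptionTypes values.

# Bit values exactly as listed in the ADS ENCTYPES section.
ENCTYPE_BITS = {
    0x00000001: "DES-CBC-CRC",
    0x00000002: "DES-CBC-MD5",
    0x00000004: "RC4-HMAC",
    0x00000008: "AES128-CTS-HMAC-SHA1-96",
    0x00000010: "AES256-CTS-HMAC-SHA1-96",
}
# Assumption of this example: DES and RC4 are the types to phase out
# (deprecated by RFC 6649 and RFC 8429); the two AES types are kept.
LEGACY_MASK = 0x01 | 0x02 | 0x04
AES_MASK = 0x08 | 0x10
KNOWN_MASK = LEGACY_MASK | AES_MASK


def parse_mask(text):
    """Parse a decimal ("31") or hexadecimal ("0x1f") bitmask string."""
    value = int(str(text).strip(), 0)
    if value < 0:
        raise ValueError("bitmask cannot be negative: %r" % (text,))
    return value


def decode(mask):
    """Return the names of the encryption types enabled in mask, low bit first."""
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if mask & bit]


def audit(account, mask):
    """Describe one account's setting and, where possible, an AES-only value."""
    report = {
        "account": account,
        "mask": mask,
        "enabled": decode(mask),
        "legacy": decode(mask & LEGACY_MASK),
        "unknown_bits": mask & ~KNOWN_MASK,  # bits this page does not define
        "suggested": None,
        "command": None,
        "note": "",
    }
    aes_only = mask & AES_MASK
    if report["legacy"] and aes_only:
        # Clearing the legacy bits still leaves at least one AES type.
        report["suggested"] = aes_only
        report["command"] = "net ads enctypes set %s %d" % (account, aes_only)
    elif report["legacy"]:
        # Legacy-only value: clearing the bits would leave no type enabled,
        # so this needs a manual decision rather than a mechanical mask.
        report["note"] = "no AES type enabled; review before changing"
    return report


# Constructed sample inventory: account name -> value as recorded by an admin.
SAMPLE = {"FILESRV1$": "31", "WEB01$": "0x18", "OLDNAS$": "4", "APP02$": "0x38"}


def audit_all(inventory):
    """Audit every account in the inventory, sorted by account name."""
    return [audit(name, parse_mask(raw)) for name, raw in sorted(inventory.items())]


if __name__ == "__main__":
    for r in audit_all(SAMPLE):
        print("%-10s 0x%02x legacy=%s unknown=0x%x %s%s" % (
            r["account"], r["mask"], ",".join(r["legacy"]) or "-",
            r["unknown_bits"], r["command"] or "", r["note"]))
```
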
904   SAM CREATEBUILTINGROUP <NAME>
905       (Re)Create a BUILTIN group. Only a well-known set of BUILTIN groups can
906       be created with this command. This is the list of currently recognized
907       group names: Administrators, Users, Guests, Power Users, Account
908       Operators, Server Operators, Print Operators, Backup Operators,
909       Replicator, RAS Servers, Pre-Windows 2000 compatible Access. This
910       command requires a running Winbindd with idmap allocation properly
911       configured. The group gid will be allocated out of the winbindd range.
912
913   SAM CREATELOCALGROUP <NAME>
914       Create a LOCAL group (also known as Alias). This command requires a
915       running Winbindd with idmap allocation properly configured. The group
916       gid will be allocated out of the winbindd range.
917
918   SAM DELETELOCALGROUP <NAME>
919       Delete an existing LOCAL group (also known as Alias).
920
921   SAM MAPUNIXGROUP <NAME>
922       Map an existing Unix group and make it a Domain Group, the domain group
923       will have the same name.
924
925   SAM UNMAPUNIXGROUP <NAME>
926       Remove an existing group mapping entry.
927
928   SAM ADDMEM <GROUP> <MEMBER>
929       Add a member to a Local group. The group can be specified only by name,
930       the member can be specified by name or SID.
931
932   SAM DELMEM <GROUP> <MEMBER>
933       Remove a member from a Local group. The group and the member must be
934       specified by name.
935
936   SAM LISTMEM <GROUP>
937       List Local group members. The group must be specified by name.
938
939   SAM LIST <users|groups|localgroups|builtin|workstations> [verbose]
940       List the specified set of accounts by name. If verbose is specified,
941       the rid and description are also provided for each account.
942
943   SAM RIGHTS LIST
944       List all available privileges.
945
946   SAM RIGHTS GRANT <NAME> <PRIVILEGE>
947       Grant one or more privileges to a user.
948
949   SAM RIGHTS REVOKE <NAME> <PRIVILEGE>
950       Revoke one or more privileges from a user.
951
952   SAM SHOW <NAME>
953       Show the full DOMAIN\NAME, the SID and the type for the corresponding
954       account.
955
956   SAM SET HOMEDIR <NAME> <DIRECTORY>
957       Set the home directory for a user account.
958
959   SAM SET PROFILEPATH <NAME> <PATH>
960       Set the profile path for a user account.
961
962   SAM SET COMMENT <NAME> <COMMENT>
963       Set the comment for a user or group account.
964
965   SAM SET FULLNAME <NAME> <FULL NAME>
966       Set the full name for a user account.
967
968   SAM SET LOGONSCRIPT <NAME> <SCRIPT>
969       Set the logon script for a user account.
970
971   SAM SET HOMEDRIVE <NAME> <DRIVE>
972       Set the home drive for a user account.
973
974   SAM SET WORKSTATIONS <NAME> <WORKSTATIONS>
975       Set the workstations a user account is allowed to log in from.
976
977   SAM SET DISABLE <NAME>
978       Set the "disabled" flag for a user account.
979
980   SAM SET PWNOTREQ <NAME>
981       Set the "password not required" flag for a user account.
982
983   SAM SET AUTOLOCK <NAME>
984       Set the "autolock" flag for a user account.
985
986   SAM SET PWNOEXP <NAME>
987       Set the "password do not expire" flag for a user account.
988
989   SAM SET PWDMUSTCHANGENOW <NAME> [yes|no]
990       Set or unset the "password must change" flag for a user account.
991
992   SAM POLICY LIST
993       List the available account policies.
994
995   SAM POLICY SHOW <account policy>
996       Show the account policy value.
997
998   SAM POLICY SET <account policy> <value>
999       Set a value for the account policy. Valid values can be: "forever",
1000       "never", "off", or a number.
1001
1002   SAM PROVISION
1003       Only available if ldapsam:editposix is set and winbindd is running.
1004       Properly populates the ldap tree with the basic accounts
1005       (Administrator) and groups (Domain Users, Domain Admins, Domain Guests)
1006       on the ldap tree.
1007
1008   IDMAP DUMP <local tdb file name>
1009       Dumps the mappings contained in the local tdb file specified. This
1010       command is useful to dump only the mappings produced by the idmap_tdb
1011       backend.
1012
1013   IDMAP RESTORE [input file]
1014       Restore the mappings from the specified file or stdin.
1015
1016   IDMAP SET SECRET <DOMAIN> <secret>
1017       Store a secret for the specified domain, used primarily for domains
1018       that use idmap_ldap as a backend. In this case the secret is used as
1019       the password for the user DN used to bind to the ldap server.
1020
1021   IDMAP SET RANGE <RANGE> <SID> [index] [--db=<DB>]
1022       Store a domain-range mapping for a given domain (and index) in autorid
1023       database.
1024
1025   IDMAP SET CONFIG <config> [--db=<DB>]
1026       Update CONFIG entry in autorid database.
1027
1028   IDMAP GET RANGE <SID> [index] [--db=<DB>]
1029       Get the range for a given domain and index from autorid database.
1030
1031   IDMAP GET RANGES [<SID>] [--db=<DB>]
1032       Get ranges for all domains or for one identified by given SID.
1033
1034   IDMAP GET CONFIG [--db=<DB>]
1035       Get CONFIG entry from autorid database.
1036
1037   IDMAP DELETE MAPPING [-f] [--db=<DB>] <ID>
1038       Delete a mapping sid <-> gid or sid <-> uid from the IDMAP database.
1039       The mapping is given by <ID> which may either be a sid: S-x-..., a gid:
1040       "GID number" or a uid: "UID number". Use -f to delete an invalid
1041       partial mapping <ID> -> xx
1042
1043       Use "smbcontrol all idmap ..." to notify running smbd instances. See
1044       the smbcontrol(1) manpage for details.
1045
1046   IDMAP DELETE RANGE [-f] [--db=<TDB>] <RANGE>|(<SID> [<INDEX>])
1047       Delete a domain range mapping identified by 'RANGE' or "domain SID and
1048       INDEX" from autorid database. Use -f to delete invalid mappings.
1049
1050   IDMAP DELETE RANGES [-f] [--db=<TDB>] <SID>
1051       Delete all domain range mappings for a domain identified by SID. Use -f
1052       to delete invalid mappings.
1053
1054   IDMAP CHECK [-v] [-r] [-a] [-T] [-f] [-l] [--db=<DB>]
1055       Check and repair the IDMAP database. If no option is given a read only
1056       check of the database is done. Among others an interactive or automatic
1057       repair mode may be chosen with one of the following options:
1058
1059       -r|--repair
1060           Interactive repair mode, ask a lot of questions.
1061
1062       -a|--auto
1063           Noninteractive repair mode, use default answers.
1064
1065       -v|--verbose
1066           Produce more output.
1067
1068       -f|--force
1069           Try to apply changes, even if they do not apply cleanly.
1070
1071       -T|--test
1072           Dry run, show what changes would be made but don't touch anything.
1073
1074       -l|--lock
1075           Lock the database while doing the check.
1076
1077       --db <DB>
1078           Check the specified database.
1079
1080       It reports the following errors:
1081
1082       Missing reverse mapping:
1083           A record with mapping A->B where there is no B->A. Default action
1084           in repair mode is to "fix" this by adding the reverse mapping.
1085
1086       Invalid mapping:
1087           A record with mapping A->B where B->C. Default action is to
1088           "delete" this record.
1089
1090       Missing or invalid HWM:
1091           A high water mark is not at least equal to the largest ID in the
1092           database. Default action is to "fix" this by setting it to the
1093           largest ID found +1.
1094
1095       Invalid record:
1096           Something we failed to parse. Default action is to "edit" it in
1097           interactive and "delete" it in automatic mode.
1098
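The four error classes and their default actions, as an added example on a simplified in-memory model (not Samba's implementation and not part of this manual page). The record layout (SID string to "UID n"/"GID n" and back) follows the IDMAP DELETE MAPPING text; the HWM record names and the sample data are assumptions of this example.

```python
import re

SID_RE = re.compile(r"^S-\d+(-\d+)+$")
ID_RE = re.compile(r"^(UID|GID) (\d+)$")
# Assumed names for the high water mark records in this model.
HWM_KEYS = {"USER HWM": "UID", "GROUP HWM": "GID"}


def parse_id(text):
    """Return (kind, number) for 'UID 10001' or 'GID 10005', else None."""
    m = ID_RE.match(text) if isinstance(text, str) else None
    return (m.group(1), int(m.group(2))) if m else None


def is_sid(text):
    return isinstance(text, str) and bool(SID_RE.match(text))


def check_idmap(db, auto=True):
    """Return (error, key, default action) tuples for a dict modelling the db.

    auto=True models -a|--auto, auto=False models -r|--repair; only the
    default action for an invalid record differs between the two.
    """
    findings = []
    largest = {"UID": 0, "GID": 0}
    for key in sorted(db):
        if key in HWM_KEYS:
            continue
        value = db[key]
        well_formed = ((is_sid(key) and parse_id(value))
                       or (parse_id(key) and is_sid(value)))
        if not well_formed:
            findings.append(("invalid record", key, "delete" if auto else "edit"))
            continue
        kind, number = parse_id(key) or parse_id(value)
        largest[kind] = max(largest[kind], number)
        back = db.get(value)
        if back is None:
            # A->B exists but there is no B record at all.
            findings.append(("missing reverse mapping", key,
                             "fix: add %s -> %s" % (value, key)))
        elif back != key:
            # A->B exists but B maps to some other C.
            findings.append(("invalid mapping", key, "delete"))
    for hwm_key, kind in sorted(HWM_KEYS.items()):
        hwm = db.get(hwm_key)
        # Invalid when missing or below the largest ID seen, as described above.
        if not isinstance(hwm, int) or hwm < largest[kind]:
            findings.append(("missing or invalid HWM", hwm_key,
                             "fix: set to %d" % (largest[kind] + 1)))
    return findings


# Constructed sample database with one instance of each error class.
SAMPLE_DB = {
    "S-1-5-21-1-2-3-1001": "UID 10001",    # healthy pair
    "UID 10001": "S-1-5-21-1-2-3-1001",
    "S-1-5-21-1-2-3-1002": "UID 10002",    # no "UID 10002" record
    "S-1-5-21-1-2-3-512": "GID 10005",     # healthy pair
    "GID 10005": "S-1-5-21-1-2-3-512",
    "S-1-5-21-1-2-3-513": "GID 10005",     # GID 10005 maps to ...-512 instead
    "garbage": "???",                      # cannot be parsed
    "USER HWM": 10001,                     # below the largest UID (10002)
    "GROUP HWM": 10006,
}

if __name__ == "__main__":
    for error, key, action in check_idmap(SAMPLE_DB):
        print("%-24s %-22s %s" % (error, key, action))
```
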
1099   USERSHARE
1100       Starting with version 3.0.23, a Samba server now supports the ability
1101       for non-root users to add user defined shares to be exported using the
1102       "net usershare" commands.
1103
1104       To set this up, first add this line to the [global] section of smb.conf:
1105           usershare path = /usr/local/samba/lib/usershares
1106       Next, create the directory /usr/local/samba/lib/usershares, change the
1107       owner to root and set the group owner to the UNIX group that should be
1108       able to create usershares, for example a group called "serverops". Set
1109       the permissions on /usr/local/samba/lib/usershares to 01770 (owner and
1110       group all access, no access for others, plus the sticky bit, which
1111       means that a file in that directory can be renamed or deleted only by
1112       the owner of the file). Finally, tell smbd how many usershares to allow
1113       by adding a line such as this to the [global] section of smb.conf:
1114           usershare max shares = 100
1115       This allows 100 usershare definitions. Members of the UNIX group
1116       "serverops" can now create user defined shares with the commands below.
1117
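A check for the directory setup described above, as an added example (not part of Samba or of this manual page): it verifies the owner, the group and the 01770 mode. The function name and its parameters are this example's own.

```python
import os
import stat
import sys

EXPECTED_MODE = 0o1770  # mode given in the USERSHARE setup text


def audit_usershare_dir(path, expected_uid=0, expected_gid=None):
    """Return a list of findings; an empty list means the directory matches.

    expected_uid defaults to root; pass the gid of the usershare group
    (e.g. grp.getgrnam("serverops").gr_gid) to check the group owner too.
    """
    try:
        st = os.lstat(path)  # lstat, so a symlink does not pass as the directory
    except OSError as exc:
        return ["cannot stat %s: %s" % (path, exc.strerror)]
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % path]

    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected_uid:
        findings.append("owner uid is %d, expected %d" % (st.st_uid, expected_uid))
    if expected_gid is not None and st.st_gid != expected_gid:
        findings.append("group gid is %d, expected %d" % (st.st_gid, expected_gid))
    if not mode & stat.S_ISVTX:
        findings.append("sticky bit missing (mode %04o): group members can "
                        "rename or delete each other's share files" % mode)
    if mode & stat.S_IRWXO:
        findings.append("others have access (mode %04o), expected none" % mode)
    if (mode & 0o770) != 0o770:
        findings.append("owner or group lacks full access (mode %04o)" % mode)
    if mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("unexpected setuid/setgid bit (mode %04o)" % mode)
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/samba/lib/usershares"
    problems = audit_usershare_dir(target)
    for p in problems:
        print("FINDING: " + p)
    sys.exit(1 if problems else 0)
```
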
1118       The usershare commands are:
1119           net usershare add sharename path [comment [acl] [guest_ok=[y|n]]] -
1120           to add or change a user defined share.
1121           net usershare delete sharename - to delete a user defined share.
1122           net usershare info [-l|--long] [wildcard sharename] - to print info
1123           about a user defined share.
1124           net usershare list [-l|--long] [wildcard sharename] - to list user
1125           defined shares.
1126
1127   USERSHARE ADD sharename path [comment] [acl] [guest_ok=[y|n]]
1128       Add or replace a new user defined share, with name "sharename".
1129
1130       "path" specifies the absolute pathname on the system to be exported.
1131       Restrictions may be put on this, see the global smb.conf parameters:
1132       "usershare owner only", "usershare prefix allow list", and "usershare
1133       prefix deny list".
1134
1135       The optional "comment" parameter is the comment that will appear on the
1136       share when browsed to by a client.
1137
1138       The optional "acl" field specifies which users have read and write
1139       access to the entire share. Note that guest connections are not allowed
1140       unless the smb.conf parameter "usershare allow guests" has been set.
1141       The definition of a user defined share acl is: "user:permission", where
1142       user is a valid username on the system and permission can be "F", "R",
1143       or "D". "F" stands for "full permissions", i.e. read and write
1144       permissions. "D" stands for "deny" for a user, i.e. prevent this user
1145       from accessing this share. "R" stands for "read only", i.e. only allow
1146       read access to this share (no creation of new files or directories or
1147       writing to files).
1148
1149       The default if no "acl" is given is "Everyone:R", which means any
1150       authenticated user has read-only access.
1151
1152       The optional "guest_ok" has the same effect as the parameter of the
1153       same name in smb.conf, in that it allows guest access to this user
1154       defined share. This parameter is only allowed if the global parameter
1155       "usershare allow guests" has been set to true in the smb.conf.
1156
1157
1158       There is no separate command to modify an existing user defined share;
1159       just use the "net usershare add [sharename]" command with the same
1160       sharename as the one you wish to modify and specify the new options you
1161       wish. The Samba smbd daemon notices user defined share modifications at
1162       connect time, so it sees the change immediately; there is no need to
1163       restart smbd on adding, deleting or changing a user defined share.
1164
1165   USERSHARE DELETE sharename
1166       Deletes the user defined share by name. The Samba smbd daemon
1167       immediately notices this change, although it will not disconnect any
1168       users currently connected to the deleted share.
1169
1170   USERSHARE INFO [-l|--long] [wildcard sharename]
1171       Get info on user defined shares owned by the current user matching the
1172       given pattern, or all users.
1173
1174       net usershare info on its own dumps out info on the user defined shares
1175       that were created by the current user, or restricts them to share names
1176       that match the given wildcard pattern ('*' matches one or more
1177       characters, '?' matches only one character). If the '-l' or '--long'
1178       option is also given, it prints out info on user defined shares created
1179       by other users.
1180
1181       The information given about a share looks like: [foobar]
1182       path=/home/jeremy comment=testme usershare_acl=Everyone:F guest_ok=n
1183       This is a list of the current settings of the user defined share that
1184       can be modified by the "net usershare add" command.
1185
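An audit of share definitions in the form shown above, as an added example (not part of Samba or of this manual page): it flags Everyone:F, guest_ok=y, malformed ACL entries and paths outside an auditor-chosen prefix list. It assumes one key=value per line under each [sharename] header and comma-separated ACL entries; the sample text and the `allowed_prefixes` parameter are constructed for the example.

```python
import posixpath

PERMISSIONS = {"F": "full", "R": "read-only", "D": "deny"}
DEFAULT_ACL = "Everyone:R"  # default stated in the USERSHARE ADD text


def parse_usershare_info(text):
    """Parse '[sharename]' stanzas of key=value lines into a dict of dicts."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return shares


def parse_acl(acl):
    """Split an ACL string into (user, permission) pairs."""
    entries = []
    for item in acl.split(","):  # assumption: entries are comma-separated
        item = item.strip()
        if not item:
            continue  # tolerate a trailing comma
        user, sep, perm = item.rpartition(":")
        if not sep or not user or perm not in PERMISSIONS:
            raise ValueError("malformed ACL entry: %r" % item)
        entries.append((user, perm))
    return entries


def under_prefix(path, prefixes):
    """Lexical prefix test; symlinks are not resolved."""
    norm = posixpath.normpath(path)
    for prefix in prefixes:
        base = posixpath.normpath(prefix).rstrip("/")
        if norm == base or norm.startswith(base + "/"):
            return True
    return False


def audit_share(attrs, allowed_prefixes=()):
    """Return (code, detail) findings for one parsed share definition."""
    findings = []
    try:
        acl = parse_acl(attrs.get("usershare_acl") or DEFAULT_ACL)
    except ValueError as exc:
        acl = []
        findings.append(("bad-acl", str(exc)))
    for user, perm in acl:
        if user.lower() == "everyone" and perm == "F":
            findings.append(("everyone-full",
                             "every authenticated user has read and write access"))
    if attrs.get("guest_ok", "n").lower() == "y":
        findings.append(("guest-ok", "guest access is enabled for this share"))
    path = attrs.get("path", "")
    if allowed_prefixes and not under_prefix(path, allowed_prefixes):
        findings.append(("path-outside-prefix", path))
    return findings


def audit_all(text, allowed_prefixes=()):
    """Map each share name in the text to its list of findings."""
    return {name: audit_share(attrs, allowed_prefixes)
            for name, attrs in parse_usershare_info(text).items()}


# Constructed sample; the first stanza uses the values from the text above.
SAMPLE = """\
[foobar]
path=/home/jeremy
comment=testme
usershare_acl=Everyone:F
guest_ok=n

[scans]
path=/srv/shares/scans
comment=scanner drop
usershare_acl=Everyone:R,alice:F,bob:D,
guest_ok=y

[broken]
path=/srv/shares/tmp
comment=
usershare_acl=carol:X
guest_ok=n
"""

if __name__ == "__main__":
    for share, found in audit_all(SAMPLE, ("/srv/shares",)).items():
        for code, detail in found:
            print("%s: %s (%s)" % (share, code, detail))
```
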
1186   USERSHARE LIST [-l|--long] wildcard sharename
1187       List all the user defined shares owned by the current user matching the
1188       given pattern, or all users.
1189
1190       net usershare list on its own lists the names of the user defined
1191       shares that were created by the current user, or restricts the list to
1192       share names that match the given wildcard pattern ('*' matches one or
1193       more characters, '?' matches only one character). If the '-l' or
1194       '--long' option is also given, it includes the names of user defined
1195       shares created by other users.
1196
1197   [RPC] CONF
1198       Starting with version 3.2.0, a Samba server can be configured by data
1199       stored in registry. This configuration data can be edited with the new
1200       "net conf" commands. There is also the possibility to configure a
1201       remote Samba server by enabling the RPC conf mode and specifying the
1202       address of the remote server.
1203
1204       The deployment of this configuration data can be activated in two
1205       levels from the smb.conf file: Share definitions from registry are
1206       activated by setting registry shares to “yes” in the [global] section
1207       and global configuration options are activated by setting include =
1208       registry in the [global] section for a mixed configuration or by
1209       setting config backend = registry in the [global] section for a
1210       registry-only configuration. See the smb.conf(5) manpage for details.
1211
1212       The conf commands are:
1213           net [rpc] conf list - Dump the complete configuration in smb.conf
1214           like format.
1215           net [rpc] conf import - Import configuration from file in smb.conf
1216           format.
1217           net [rpc] conf listshares - List the registry shares.
1218           net [rpc] conf drop - Delete the complete configuration from
1219           registry.
1220           net [rpc] conf showshare - Show the definition of a registry share.
1221           net [rpc] conf addshare - Create a new registry share.
1222           net [rpc] conf delshare - Delete a registry share.
1223           net [rpc] conf setparm - Store a parameter.
1224           net [rpc] conf getparm - Retrieve the value of a parameter.
1225           net [rpc] conf delparm - Delete a parameter.
1226           net [rpc] conf getincludes - Show the includes of a share
1227           definition.
1228           net [rpc] conf setincludes - Set includes for a share.
1229           net [rpc] conf delincludes - Delete includes from a share
1230           definition.
1231
1232   [RPC] CONF LIST
1233       Print the configuration data stored in the registry in a smb.conf-like
1234       format to standard output.
1235
1236   [RPC] CONF IMPORT [--test|-T] filename [section]
1237       This command imports configuration from a file in smb.conf format. If a
1238       section encountered in the input file is present in registry, its
1239       contents are replaced. Sections of registry configuration that have no
1240       counterpart in the input file are not affected. If you want to delete
1241       these, you will have to use the "net conf drop" or "net conf delshare"
1242       commands. Optionally, a section may be specified to restrict the effect
1243       of the import command to that specific section. A test mode is enabled
1244       by specifying the parameter "-T" on the commandline. In test mode, no
1245       changes are made to the registry, and the resulting configuration is
1246       printed to standard output instead.
1247
1248   [RPC] CONF LISTSHARES
1249       List the names of the shares defined in registry.
1250
1251   [RPC] CONF DROP
1252       Delete the complete configuration data from registry.
1253
1254   [RPC] CONF SHOWSHARE sharename
1255       Show the definition of the share or section specified. It is valid to
1256       specify "global" as sharename to retrieve the global configuration
1257       options from registry.
1258
1259   [RPC] CONF ADDSHARE sharename path [writeable={y|N} [guest_ok={y|N}
1260       [comment]]]
1261       Create a new share definition in registry. The sharename and path have
1262       to be given. The share name may not be "global". Optionally, values for
1263       the very common options "writeable", "guest ok" and a "comment" may be
1264       specified. The same result may be obtained by a sequence of "net conf
1265       setparm" commands.
1266
1267   [RPC] CONF DELSHARE sharename
1268       Delete a share definition from registry.
1269
1270   [RPC] CONF SETPARM section parameter value
1271       Store a parameter in registry. The section may be global or a
1272       sharename. The section is created if it does not exist yet.
1273
1274   [RPC] CONF GETPARM section parameter
1275       Show a parameter stored in registry.
1276
1277   [RPC] CONF DELPARM section parameter
1278       Delete a parameter stored in registry.
1279
1280   [RPC] CONF GETINCLUDES section
1281       Get the list of includes for the provided section (global or share).
1282
1283       Note that due to the nature of the registry database and the nature of
1284       include directives, the includes need special treatment: Parameters are
1285       stored in registry by the parameter name as valuename, so there is only
1286       ever one instance of a parameter per share. Also, a specific order like
1287       in a text file is not guaranteed. For all real parameters, this is
1288       perfectly ok, but the include directive is rather a meta parameter, for
1289       which, in the smb.conf text file, the place where it is specified
1290       between the other parameters is very important. This can not be
1291       achieved by the simple registry smbconf data model, so there is one
1292       ordered list of includes per share, and this list is evaluated after
1293       all the parameters of the share.
1294
1295       Further note that currently, only files can be included from registry
1296       configuration. In the future, there will be the ability to include
1297       configuration data from other registry keys.
1298
1299   [RPC] CONF SETINCLUDES section [filename]+
1300       Set the list of includes for the provided section (global or share) to
1301       the given list of one or more filenames. The filenames may contain the
1302       usual smb.conf macros like %I.
1303
1304   [RPC] CONF DELINCLUDES section
1305       Delete the list of includes from the provided section (global or
1306       share).
1307
1308   REGISTRY
1309       Manipulate Samba's registry.
1310
1311       The registry commands are:
1312           net registry enumerate   - Enumerate registry keys and values.
1313           net registry enumerate_recursive - Enumerate registry key and its
1314           subkeys.
1315           net registry createkey   - Create a new registry key.
1316           net registry deletekey   - Delete a registry key.
1317           net registry deletekey_recursive - Delete a registry key with
1318           subkeys.
1319           net registry getvalue    - Print a registry value.
1320           net registry getvalueraw - Print a registry value (raw format).
1321           net registry setvalue    - Set a new registry value.
1322           net registry increment   - Increment a DWORD registry value under a
1323           lock.
1324           net registry deletevalue - Delete a registry value.
1325           net registry getsd       - Get security descriptor.
1326           net registry getsd_sddl  - Get security descriptor in sddl format.
1327           net registry setsd_sddl  - Set security descriptor from sddl format
1328           string.
1329           net registry import      - Import a registration entries (.reg)
1330           file.
1331           net registry export      - Export a registration entries (.reg)
1332           file.
1333           net registry convert     - Convert a registration entries (.reg)
1334           file.
1335           net registry check       - Check and repair a registry database.
1336
1337   REGISTRY ENUMERATE key
1338       Enumerate subkeys and values of key.
1339
1340   REGISTRY ENUMERATE_RECURSIVE key
1341       Enumerate values of key and its subkeys.
1342
1343   REGISTRY CREATEKEY key
1344       Create a new key if not yet existing.
1345
1346   REGISTRY DELETEKEY key
1347       Delete the given key and its values from the registry, if it has no
1348       subkeys.
1349
1350   REGISTRY DELETEKEY_RECURSIVE key
1351       Delete the given key and all of its subkeys and values from the
1352       registry.
1353
1354   REGISTRY GETVALUE key name
1355       Output type and actual value of the value name of the given key.
1356
1357   REGISTRY GETVALUERAW key name
1358       Output the actual value of the value name of the given key.
1359
1360   REGISTRY SETVALUE key name type value ...
1361       Set the value name of an existing key.  type may be one of sz, multi_sz
1362       or dword. In case of multi_sz value may be given multiple times.
1363
1364   REGISTRY INCREMENT key name [inc]
1365       Increment the DWORD value name of key by inc while holding a g_lock.
1366       inc defaults to 1.
1367
1368   REGISTRY DELETEVALUE key name
1369       Delete the value name of the given key.
1370
1371   REGISTRY GETSD key
1372       Get the security descriptor of the given key.
1373
1374   REGISTRY GETSD_SDDL key
1375       Get the security descriptor of the given key as a Security Descriptor
1376       Definition Language (SDDL) string.
1377
1378   REGISTRY SETSD_SDDL key sd
1379       Set the security descriptor of the given key from a Security Descriptor
1380       Definition Language (SDDL) string sd.
1381
1382   REGISTRY IMPORT file [--precheck <check-file>] [opt]
1383       Import a registration entries (.reg) file.
1384
1385       The following options are available:
1386
1387       --precheck check-file
1388           This is a mechanism to check the existence or non-existence of
1389           certain keys or values specified in a precheck file before applying
1390           the import file. The import file will only be applied if the
1391           precheck succeeds.
1392
1393           The check-file follows the normal registry file syntax with the
1394           following semantics:
1395
1396                  ·   <value name>=<value> checks whether the value exists and
1397                      has the given value.
1398
1399                  ·   <value name>=- checks whether the value does not exist.
1400
1401                  ·   [key] checks whether the key exists.
1402
1403                  ·   [-key] checks whether the key does not exist.
1404
1405
1406   REGISTRY EXPORT key file [opt]
1407       Export a key to a registration entries (.reg) file.
1408
1409   REGISTRY CONVERT in out [[inopt] outopt]
1410       Convert a registration entries (.reg) file in.
1411
1412   REGISTRY CHECK [-ravTl] [-o <ODB>] [--wipe] [<DB>]
1413       Check and repair the registry database. If no option is given a read
1414       only check of the database is done. Among others an interactive or
1415       automatic repair mode may be chosen with one of the following options:
1416
1417       -r|--repair
1418           Interactive repair mode, ask a lot of questions.
1419
1420       -a|--auto
1421           Noninteractive repair mode, use default answers.
1422
1423       -v|--verbose
1424           Produce more output.
1425
1426       -T|--test
1427           Dry run, show what changes would be made but don't touch anything.
1428
1429       -l|--lock
1430           Lock the database while doing the check.
1431
1432       --reg-version={1,2,3}
1433           Specify the format of the registry database. If not given it
1434           defaults to the value of the binary or, if a registry.tdb is
1435           explicitly stated at the commandline, to the value found in the
1436           INFO/version record.
1437
1438       [--db] <DB>
1439           Check the specified database.
1440
1441       -o|--output <ODB>
1442           Create a new registry database <ODB> instead of modifying the
1443           input. If <ODB> is already existing --wipe may be used to overwrite
1444           it.
1445
1446       --wipe
1447           Replace the registry database instead of modifying the input or
1448           overwrite an existing output database.
1449
1450   EVENTLOG
1451       Starting with version 3.4.0 net can read, dump, import and export
1452       native win32 eventlog files (usually *.evt). evt files are used by the
1453       native Windows eventviewer tools.
1454
1455       The import and export of evt files can only succeed when eventlog list
1456       is used in smb.conf file. See the smb.conf(5) manpage for details.
1457
1458       The eventlog commands are:
1459           net eventlog dump - Dump an eventlog *.evt file on the screen.
1460           net eventlog import - Import an eventlog *.evt into the samba
1461           internal tdb based representation of eventlogs.
1462           net eventlog export - Export the samba internal tdb based
1463           representation of eventlogs into an eventlog *.evt file.
1464
1465   EVENTLOG DUMP filename
1466       Prints an eventlog *.evt file to standard output.
1467
1468   EVENTLOG IMPORT filename eventlog
1469       Imports an eventlog *.evt file defined by filename into the samba
1470       internal tdb representation of eventlog defined by eventlog.  eventlog
1471       needs to be part of the eventlog list defined in smb.conf. See the
1472       smb.conf(5) manpage for details.
1473
1474   EVENTLOG EXPORT filename eventlog
1475       Exports the samba internal tdb representation of eventlog defined by
1476       eventlog to an eventlog *.evt file defined by filename.  eventlog needs
1477       to be part of the eventlog list defined in smb.conf. See the smb.conf(5)
1478       manpage for details.
1479
1480   DOM
1481       Starting with version 3.2.0 Samba has support for remote join and
1482       unjoin APIs, both client and server-side. Windows supports remote join
1483       capabilities since Windows 2000.
1484
1485       In order for Samba to be joined or unjoined remotely an account must be
1486       used that is either a member of the Domain Admins group, a member of the
1487       local Administrators group or a user that is granted the
1488       SeMachineAccountPrivilege privilege.
1489
1490       The client side support for remote join is implemented in the net dom
1491       commands which are:
1492           net dom join - Join a remote computer into a domain.
1493           net dom unjoin - Unjoin a remote computer from a domain.
1494           net dom renamecomputer - Renames a remote computer joined to a
1495           domain.

   DOM JOIN domain=DOMAIN ou=OU account=ACCOUNT password=PASSWORD reboot
       Joins a computer into a domain. This command supports the following
       additional parameters:

              ·   DOMAIN can be a NetBIOS domain name (also known as short
                  domain name) or a DNS domain name for Active Directory
                  Domains. As in Windows, it is also possible to control which
                  Domain Controller to use. This can be achieved by appending
                  the DC name using the \ separator character. Example:
                  MYDOM\MYDC. The DOMAIN parameter cannot be NULL.

              ·   OU can be set to an RFC 1779 LDAP DN, like
                  ou=mymachines,cn=Users,dc=example,dc=com in order to create
                  the machine account in a non-default LDAP container. This
                  optional parameter is only supported when joining Active
                  Directory Domains.

              ·   ACCOUNT defines a domain account that will be used to join
                  the machine to the domain. This domain account needs to have
                  sufficient privileges to join machines.

              ·   PASSWORD defines the password for the domain account defined
                  with ACCOUNT.

              ·   REBOOT is an optional parameter that can be set to reboot
                  the remote machine after successful join to the domain.


       Note that you also need to use standard net parameters to connect and
       authenticate to the remote machine that you want to join. These
       additional parameters include: -S computer and -U user.

       Example: net dom join -S xp -U XP\\administrator%secret domain=MYDOM
       account=MYDOM\\administrator password=topsecret reboot.

       This example would connect to a computer named XP as the local
       administrator using password secret, and join the computer into a
       domain called MYDOM using the MYDOM domain administrator account and
       password topsecret. After successful join, the computer would reboot.

   DOM UNJOIN account=ACCOUNT password=PASSWORD reboot
       Unjoins a computer from a domain. This command supports the following
       additional parameters:

              ·   ACCOUNT defines a domain account that will be used to unjoin
                  the machine from the domain. This domain account needs to
                  have sufficient privileges to unjoin machines.

              ·   PASSWORD defines the password for the domain account defined
                  with ACCOUNT.

              ·   REBOOT is an optional parameter that can be set to reboot
                  the remote machine after successful unjoin from the domain.


       Note that you also need to use standard net parameters to connect and
       authenticate to the remote machine that you want to unjoin. These
       additional parameters include: -S computer and -U user.

       Example: net dom unjoin -S xp -U XP\\administrator%secret
       account=MYDOM\\administrator password=topsecret reboot.

       This example would connect to a computer named XP as the local
       administrator using password secret, and unjoin the computer from the
       domain using the MYDOM domain administrator account and password
       topsecret. After successful unjoin, the computer would reboot.

   DOM RENAMECOMPUTER newname=NEWNAME account=ACCOUNT password=PASSWORD reboot
       Renames a computer that is joined to a domain. This command supports
       the following additional parameters:

              ·   NEWNAME defines the new name of the machine in the domain.

              ·   ACCOUNT defines a domain account that will be used to rename
                  the machine in the domain. This domain account needs to have
                  sufficient privileges to rename machines.

              ·   PASSWORD defines the password for the domain account defined
                  with ACCOUNT.

              ·   REBOOT is an optional parameter that can be set to reboot
                  the remote machine after successful rename in the domain.


       Note that you also need to use standard net parameters to connect and
       authenticate to the remote machine that you want to rename in the
       domain. These additional parameters include: -S computer and -U user.

       Example: net dom renamecomputer -S xp -U XP\\administrator%secret
       newname=XPNEW account=MYDOM\\administrator password=topsecret reboot.

       This example would connect to a computer named XP as the local
       administrator using password secret, and rename the joined computer to
       XPNEW using the MYDOM domain administrator account and password
       topsecret. After successful rename, the computer would reboot.
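
       The DOM JOIN, DOM UNJOIN and DOM RENAMECOMPUTER examples pass the
       local administrator's password inline with -U, where it can be exposed
       through shell history and the process list. The following shell
       functions are an added example, not part of the Samba man page or
       sources: they create and vet a credentials file for the
       -A|--authentication-file option listed in the SYNOPSIS. The function
       names, the file name xp.auth and the username/password/domain file
       layout are assumptions; the account= and password= parameters are
       documented only as command parameters and are not covered.

```shell
#!/bin/sh
# Added example (not from the Samba sources). Function names and the sample
# file name are hypothetical.

# Print a file's permission bits in octal (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Write "username/password/domain" lines to a new file that is mode 0600 from
# the moment it exists. The password is read from stdin, so it never appears
# in argv or shell history.
write_authfile() {
    f=$1 user=$2 domain=$3
    (
        umask 077
        rm -f -- "$f"
        IFS= read -r pass || exit 1
        printf 'username = %s\npassword = %s\ndomain = %s\n' \
            "$user" "$pass" "$domain" > "$f"
    )
}

# Succeed only if the file is a regular file (not a symlink), grants nothing
# to group or others, and defines both a username and a password.
check_authfile() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "refusing $f: not a regular file" >&2; return 1
    fi
    mode=$(file_mode "$f") || return 1
    case "$mode" in
        *00) ;;
        *) echo "refusing $f: mode $mode is open to group/other" >&2; return 1 ;;
    esac
    for key in username password; do
        grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$f" ||
            { echo "refusing $f: no $key entry" >&2; return 1; }
    done
}

# Typical use, replacing "-U XP\\administrator%secret" from the examples above:
#   write_authfile ./xp.auth administrator XP    # password typed on stdin
#   check_authfile ./xp.auth && net dom join -S xp -A ./xp.auth <parameters as above>
```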

   G_LOCK
       Manage global locks.

   G_LOCK DO lockname timeout command
       Execute a shell command under a global lock. This might be useful to
       define the order in which several shell commands will be executed. The
       locking information is stored in a file called g_lock.tdb. In setups
       with CTDB running, the locking information will be available on all
       cluster nodes.

              ·   LOCKNAME defines the name of the global lock.

              ·   TIMEOUT defines the timeout.

              ·   COMMAND defines the shell command to execute.

   G_LOCK LOCKS
       Print a list of all currently existing locknames.

   G_LOCK DUMP lockname
       Dump the locking table of a certain global lock.

   TDB
       Print information from tdb records.

   TDB LOCKING key [DUMP]
       List sharename, filename and number of share modes for a record from
       locking.tdb. With the optional DUMP option, dump the complete record.

              ·   KEY Key of the tdb record as hex string.

   vfs
       Access shared filesystem through the VFS.

   vfs stream2adouble [--recursive] [--verbose] [--continue]
       [--follow-symlinks] share path
       Convert file streams to AppleDouble files.

              ·   share A Samba share.

              ·   path A relative path of something in the Samba share. "."
                  can be used for the root directory of the share.


       Options:

       --recursive
           Traverse a directory hierarchy.

       --verbose
           Verbose output.

       --continue
           Continue traversing a directory hierarchy if a single conversion
           fails.

       --follow-symlinks
           Follow symlinks encountered while traversing a directory.

   vfs getntacl share path
       Display the security descriptor of a file or directory.

              ·   share A Samba share.

              ·   path A relative path of something in the Samba share. "."
                  can be used for the root directory of the share.

   HELP [COMMAND]
       Gives usage information for the specified command.

VERSION

       This man page is complete for version 3 of the Samba suite.

AUTHOR

       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

       The net manpage was written by Jelmer Vernooij.



Samba 4.12.2                      04/28/2020                            NET(8)