1SAMBA-TOOL(8)             System Administration tools            SAMBA-TOOL(8)
2
3
4

NAME

6       samba-tool - Main Samba administration tool.
7

SYNOPSIS

9       samba-tool [-h] [-W myworkgroup] [-U user] [-d debuglevel] [--v]
10

DESCRIPTION

12       This tool is part of the samba(7) suite.
13

OPTIONS

15       -h|--help
16           Show this help message and exit
17
18       --realm=REALM
19           Set the realm name
20
21       --simple-bind-dn=DN
22           DN to use for a simple bind
23
24       --password=PASSWORD
25           Password
26
27       -U USERNAME|--username=USERNAME
28           Username
29
30       -W WORKGROUP|--workgroup=WORKGROUP
31           Workgroup
32
33       -N|--no-pass
34           Don't ask for a password
35
36       -k KERBEROS|--kerberos=KERBEROS
37           Use Kerberos
38
39       --ipaddress=IPADDRESS
40           IP address of the server
41
42       -d|--debuglevel=level
43           level is an integer from 0 to 10. The default value if this
44           parameter is not specified is 1.
45
46           The higher this value, the more detail will be logged to the log
47           files about the activities of the server. At level 0, only critical
48           errors and serious warnings will be logged. Level 1 is a reasonable
49           level for day-to-day running - it generates a small amount of
50           information about operations carried out.
51
52           Levels above 1 will generate considerable amounts of log data, and
53           should only be used when investigating a problem. Levels above 3
54           are designed for use only by developers and generate HUGE amounts
55           of log data, most of which is extremely cryptic.
56
57           Note that specifying this parameter here will override the log
58           level parameter in the smb.conf file.
59
60       -V|--version
61           Prints the program version number.
62
63       -s|--configfile=<configuration file>
64           The file specified contains the configuration details required by
65           the server. The information in this file includes server-specific
66           information such as what printcap file to use, as well as
67           descriptions of all the services that the server is to provide. See
68           smb.conf for more information. The default configuration file name
69           is determined at compile time.
70
71       -l|--log-basename=logdirectory
72           Base directory name for log/debug files. The extension ".progname"
73           will be appended (e.g. log.smbclient, log.smbd, etc...). The log
74           file is never removed by the client.
75
76       --option=<name>=<value>
77           Set the smb.conf(5) option "<name>" to value "<value>" from the
78           command line. This overrides compiled-in defaults and options read
79           from the configuration file.
80

COMMANDS

82   computer
83       Manage computer accounts.
84
85   computer create computername [options]
86       Create a new computer in the Active Directory Domain.
87
88       The new computer name specified on the command is the sAMAccountName,
89       with or without the trailing dollar sign.
90
91       --computerou=COMPUTEROU
92           DN of alternative location (with or without domainDN counterpart)
93           to default CN=Computers in which new computer object will be
94           created. E.g. 'OU=OUname'.
95
96       --description=DESCRIPTION
97           The new computers's description.
98
99       --ip-address=IP_ADDRESS_LIST
100           IPv4 address for the computer's A record, or IPv6 address for AAAA
101           record, can be provided multiple times.
102
103       --service-principal-name=SERVICE_PRINCIPAL_NAME_LIST
104           Computer's Service Principal Name, can be provided multiple times.
105
106       --prepare-oldjoin
107           Prepare enabled machine account for oldjoin mechanism.
108
109   computer delete computername [options]
110       Delete an existing computer account.
111
112       The computer name specified on the command is the sAMAccountName, with
113       or without the trailing dollar sign.
114
115   computer edit computername
116       Edit a computer AD object.
117
118       The computer name specified on the command is the sAMAccountName, with
119       or without the trailing dollar sign.
120
121       --editor=EDITOR
122           Specifies the editor to use instead of the system default, or 'vi'
123           if no system default is set.
124
125   computer list
126       List all computers.
127
128   computer move computername new_parent_dn [options]
129       This command moves a computer account into the specified organizational
130       unit or container.
131
132       The computername specified on the command is the sAMAccountName, with
133       or without the trailing dollar sign.
134
135       The name of the organizational unit or container can be specified as a
136       full DN or without the domainDN component.
137
138   computer show computername [options]
139       Display a computer AD object.
140
141       The computer name specified on the command is the sAMAccountName, with
142       or without the trailing dollar sign.
143
144       --attributes=USER_ATTRS
145           Comma separated list of attributes, which will be printed.
146
147   contact
148       Manage contacts.
149
150   contact create [contactname] [options]
151       Create a new contact in the Active Directory Domain.
152
153       The name of the new contact can be specified by the first argument
154       'contactname' or the --given-name, --initial and --surname arguments.
155       If no 'contactname' is given, contact's name will be made up of the
156       given arguments by combining the given-name, initials and surname. Each
157       argument is optional. A dot ('.') will be appended to the initials
158       automatically.
159
160       --ou=OU
161           DN of alternative location (with or without domainDN counterpart)
162           in which the new contact will be created. E.g. 'OU=OUname'. Default
163           is the domain base.
164
165       --description=DESCRIPTION
166           The new contacts's description.
167
168       --surname=SURNAME
169           Contact's surname.
170
171       --given-name=GIVEN_NAME
172           Contact's given name.
173
174       --initials=INITIALS
175           Contact's initials.
176
177       --display-name=DISPLAY_NAME
178           Contact's display name.
179
180       --job-title=JOB_TITLE
181           Contact's job title.
182
183       --department=DEPARTMENT
184           Contact's department.
185
186       --company=COMPANY
187           Contact's company.
188
189       --mail-address=MAIL_ADDRESS
190           Contact's email address.
191
192       --internet-address=INTERNET_ADDRESS
193           Contact's home page.
194
195       --telephone-number=TELEPHONE_NUMBER
196           Contact's phone number.
197
198       --mobile-number=MOBILE_NUMBER
199           Contact's mobile phone number.
200
201       --physical-delivery-office=PHYSICAL_DELIVERY_OFFICE
202           Contact's office location.
203
204   contact delete contactname [options]
205       Delete an existing contact.
206
207       The contactname specified on the command is the common name or the
208       distinguished name of the contact object. The distinguished name of the
209       contact can be specified with or without the domainDN component.
210
211   contact edit contactname
212       Modify a contact AD object.
213
214       The contactname specified on the command is the common name or the
215       distinguished name of the contact object. The distinguished name of the
216       contact can be specified with or without the domainDN component.
217
218       --editor=EDITOR
219           Specifies the editor to use instead of the system default, or 'vi'
220           if no system default is set.
221
222   contact list [options]
223       List all contacts.
224
225       --full-dn
226           Display contact's full DN instead of the name.
227
228   contact move contactname new_parent_dn [options]
229       This command moves a contact into the specified organizational unit or
230       container.
231
232       The contactname specified on the command is the common name or the
233       distinguished name of the contact object. The distinguished name of the
234       contact can be specified with or without the domainDN component.
235
236   contact show contactname [options]
237       Display a contact AD object.
238
239       The contactname specified on the command is the common name or the
240       distinguished name of the contact object. The distinguished name of the
241       contact can be specified with or without the domainDN component.
242
243       --attributes=CONTACT_ATTRS
244           Comma separated list of attributes, which will be printed.
245
246   dbcheck
247       Check the local AD database for errors.
248
249   delegation
250       Manage Delegations.
251
252   delegation add-service accountname principal [options]
253       Add a service principal as msDS-AllowedToDelegateTo.
254
255   delegation del-service accountname principal [options]
256       Delete a service principal as msDS-AllowedToDelegateTo.
257
258   delegation for-any-protocol accountname [(on|off)] [options]
259       Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy) for an
260       account.
261
262   delegation for-any-service accountname [(on|off)] [options]
263       Set/unset UF_TRUSTED_FOR_DELEGATION for an account.
264
265   delegation show accountname [options]
266       Show the delegation setting of an account.
267
268   dns
269       Manage Domain Name Service (DNS).
270
271   dns add server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
272       Add a DNS record.
273
274   dns delete server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
275       Delete a DNS record.
276
277   dns query server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT|ALL [options]
278       data
279       Query a name.
280
281   dns roothints server [name] [options]
282       Query root hints.
283
284   dns serverinfo server [options]
285       Query server information.
286
287   dns update server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT olddata newdata
288       Update a DNS record.
289
290   dns zonecreate server zone [options]
291       Create a zone.
292
293   dns zonedelete server zone [options]
294       Delete a zone.
295
296   dns zoneinfo server zone [options]
297       Query zone information.
298
299   dns zonelist server [options]
300       List zones.
301
302   domain
303       Manage Domain.
304
305   domain backup
306       Create or restore a backup of the domain.
307
308   domain backup offline
309       Backup (with proper locking) local domain directories into a tar file.
310
311   domain backup online
312       Copy a running DC's current DB into a backup tar file.
313
314   domain backup rename
315       Copy a running DC's DB to backup file, renaming the domain in the
316       process.
317
318   domain backup restore
319       Restore the domain's DB from a backup-file.
320
321   domain classicupgrade [options] classic_smb_conf
322       Upgrade from Samba classic (NT4-like) database to Samba AD DC database.
323
324   domain dcpromo dnsdomain [DC|RODC] [options]
325       Promote an existing domain member or NT4 PDC to an AD DC.
326
327   domain demote
328       Demote ourselves from the role of domain controller.
329
330   domain exportkeytab keytab [options]
331       Dumps Kerberos keys of the domain into a keytab.
332
333   domain info ip_address [options]
334       Print basic info about a domain and the specified DC.
335
336   domain join dnsdomain [DC|RODC|MEMBER|SUBDOMAIN] [options]
337       Join a domain as either member or backup domain controller.
338
339   domain level show|raise options [options]
340       Show/raise domain and forest function levels.
341
342   domain passwordsettings show|set options [options]
343       Show/set password settings.
344
345   domain passwordsettings pso
346       Manage fine-grained Password Settings Objects (PSOs).
347
348   domain passwordsettings pso apply pso-name user-or-group-name [options]
349       Applies a PSO's password policy to a user or group.
350
351   domain passwordsettings pso create pso-name precedence [options]
352       Creates a new Password Settings Object (PSO).
353
354   domain passwordsettings pso delete pso-name [options]
355       Deletes a Password Settings Object (PSO).
356
357   domain passwordsettings pso list [options]
358       Lists all Password Settings Objects (PSOs).
359
360   domain passwordsettings pso set pso-name [options]
361       Modifies a Password Settings Object (PSO).
362
363   domain passwordsettings pso show user-name [options]
364       Displays a Password Settings Object (PSO).
365
366   domain passwordsettings pso show-user pso-name [options]
367       Displays the Password Settings that apply to a user.
368
369   domain passwordsettings pso unapply pso-name user-or-group-name [options]
370       Updates a PSO to no longer apply to a user or group.
371
372   domain provision
373       Promote an existing domain member or NT4 PDC to an AD DC.
374
375   domain trust
376       Domain and forest trust management.
377
378   domain trust create DOMAIN options [options]
379       Create a domain or forest trust.
380
381   domain trust delete DOMAIN options [options]
382       Delete a domain trust.
383
384   domain trust list options [options]
385       List domain trusts.
386
387   domain trust namespaces [DOMAIN] options [options]
388       Manage forest trust namespaces.
389
390   domain trust show DOMAIN options [options]
391       Show trusted domain details.
392
393   domain trust validate DOMAIN options [options]
394       Validate a domain trust.
395
396   drs
397       Manage Directory Replication Services (DRS).
398
399   drs bind
400       Show DRS capabilities of a server.
401
402   drs kcc
403       Trigger knowledge consistency center run.
404
405   drs options
406       Query or change options for NTDS Settings object of a domain
407       controller.
408
409   drs replicate destination_DC source_DC NC [options]
410       Replicate a naming context between two DCs.
411
412   drs showrepl
413       Show replication status. The [--json] option results in JSON output,
414       and with the [--summary] option produces very little output when the
415       replication status seems healthy.
416
417   dsacl
418       Administer DS ACLs
419
420   dsacl set
421       Modify access list on a directory object.
422
423   forest
424       Manage Forest configuration.
425
426   forest directory_service
427       Manage directory_service behaviour for the forest.
428
429   forest directory_service dsheuristics VALUE
430       Modify dsheuristics directory_service configuration for the forest.
431
432   forest directory_service show
433       Show current directory_service configuration for the forest.
434
435   fsmo
436       Manage Flexible Single Master Operations (FSMO).
437
438   fsmo seize [options]
439       Seize the role.
440
441   fsmo show
442       Show the roles.
443
444   fsmo transfer [options]
445       Transfer the role.
446
447   gpo
448       Manage Group Policy Objects (GPO).
449
450   gpo create displayname [options]
451       Create an empty GPO.
452
453   gpo del gpo [options]
454       Delete GPO.
455
456   gpo dellink container_dn gpo [options]
457       Delete GPO link from a container.
458
459   gpo fetch gpo [options]
460       Download a GPO.
461
462   gpo getinheritance container_dn [options]
463       Get inheritance flag for a container.
464
465   gpo getlink container_dn [options]
466       List GPO Links for a container.
467
468   gpo list username [options]
469       List GPOs for an account.
470
471   gpo listall
472       List all GPOs.
473
474   gpo listcontainers gpo [options]
475       List all linked containers for a GPO.
476
477   gpo setinheritance container_dn block|inherit [options]
478       Set inheritance flag on a container.
479
480   gpo setlink container_dn gpo [options]
481       Add or Update a GPO link to a container.
482
483   gpo show gpo [options]
484       Show information for a GPO.
485
486   group
487       Manage groups.
488
489   group add groupname [options]
490       Create a new AD group.
491
492   group addmembers groupname members [options]
493       Add members to an AD group.
494
495   group delete groupname [options]
496       Delete an AD group.
497
498   group edit groupname
499       Edit a group AD object.
500
501       --editor=EDITOR
502           Specifies the editor to use instead of the system default, or 'vi'
503           if no system default is set.
504
505   group list
506       List all groups.
507
508   group listmembers groupname [options]
509       List all members of the specified AD group.
510
511   group move groupname new_parent_dn [options]
512       This command moves a group into the specified organizational unit or
513       container.
514
515       The groupname specified on the command is the sAMAccountName.
516
517       The name of the organizational unit or container can be specified as a
518       full DN or without the domainDN component.
519
520   group removemembers groupname members [options]
521       Remove members from the specified AD group.
522
523   group show groupname [options]
524       Show group object and it's attributes.
525
526   group stats [options]
527       Show statistics for overall groups and group memberships.
528
529   ldapcmp URL1 URL2 domain|configuration|schema|dnsdomain|dnsforest [options]
530       Compare two LDAP databases.
531
532   ntacl
533       Manage NT ACLs.
534
535   ntacl changedomsid original-domain-SID new-domain-SID file [options]
536       Change the domain SID for ACLs. Can be used to change all entries in
537       acl_xattr when the machine's SID has accidentally changed or the data
538       set has been copied to another machine either via backup/restore or
539       rsync.
540
541       --use-ntvfs
542           Set the ACLs directly to the TDB or xattr. The POSIX permissions
543           will NOT be changed, only the NT ACL will be stored.
544
545       --service=SERVICE
546           Specify the name of the smb.conf service to use. This option is
547           required in combination with the --use-s3fs option.
548
549       --use-s3fs
550           Set the ACLs for use with the default s3fs file server via the VFS
551           layer. This option requires a smb.conf service, specified by the
552           --service=SERVICE option.
553
554       --xattr-backend=[native|tdb]
555           Specify the xattr backend type (native fs or tdb).
556
557       --eadb-file=EADB_FILE
558           Name of the tdb file where attributes are stored.
559
560       --recursive
561           Set the ACLs for directories and their contents recursively.
562
563       --follow-symlinks
564           Follow symlinks when --recursive is specified.
565
566       --verbose
567           Verbosely list files and ACLs which are being processed.
568
569   ntacl get file [options]
570       Get ACLs on a file.
571
572   ntacl set acl file [options]
573       Set ACLs on a file.
574
575   ntacl sysvolcheck
576       Check sysvol ACLs match defaults (including correct ACLs on GPOs).
577
578   ntacl sysvolreset
579       Reset sysvol ACLs to defaults (including correct ACLs on GPOs).
580
581   ou
582       Manage organizational units (OUs).
583
584   ou create ou_dn [options]
585       Create an organizational unit.
586
587       The name of the organizational unit can be specified as a full DN or
588       without the domainDN component.
589
590       --description=DESCRIPTION
591           Specify OU's description.
592
593   ou delete ou_dn [options]
594       Delete an organizational unit.
595
596       The name of the organizational unit can be specified as a full DN or
597       without the domainDN component.
598
599       --force-subtree-delete
600           Delete organizational unit and all children reclusively.
601
602   ou list [options]
603       List all organizational units.
604
605       --full-dn
606           Display DNs including the base DN.
607
608   ou listobjects ou_dn [options]
609       List all objects in an organizational unit.
610
611       The name of the organizational unit can be specified as a full DN or
612       without the domainDN component.
613
614       --full-dn
615           Display DNs including the base DN.
616
617       -r|--recursive
618           List objects recursively.
619
620   ou move old_ou_dn new_parent_dn [options]
621       Move an organizational unit.
622
623       The name of the organizational units can be specified as a full DN or
624       without the domainDN component.
625
626   ou rename old_ou_dn new_ou_dn [options]
627       Rename an organizational unit.
628
629       The name of the organizational units can be specified as a full DN or
630       without the domainDN component.
631
632   rodc
633       Manage Read-Only Domain Controller (RODC).
634
635   rodc preload SID|DN|accountname [options]
636       Preload one account for an RODC.
637
638   schema
639       Manage and query schema.
640
641   schema attribute modify attribute [options]
642       Modify the behaviour of an attribute in schema.
643
644   schema attribute show attribute [options]
645       Display an attribute schema definition.
646
647   schema attribute show_oc attribute [options]
648       Show objectclasses that MAY or MUST contain this attribute.
649
650   schema objectclass show objectclass [options]
651       Display an objectclass schema definition.
652
653   sites
654       Manage sites.
655
656   sites create site [options]
657       Create a new site.
658
659   sites remove site [options]
660       Delete an existing site.
661
662   spn
663       Manage Service Principal Names (SPN).
664
665   spn add name user [options]
666       Create a new SPN.
667
668   spn delete name [user] [options]
669       Delete an existing SPN.
670
671   spn list user [options]
672       List SPNs of a given user.
673
674   testparm
675       Check the syntax of the configuration file.
676
677   time
678       Retrieve the time on a server.
679
680   user
681       Manage users.
682
683   user add username [password]
684       Create a new user. Please note that this subcommand is deprecated and
685       available for compatibility reasons only. Please use samba-tool user
686       create instead.
687
688   user create username [password]
689       Create a new user in the Active Directory Domain.
690
691   user delete username [options]
692       Delete an existing user account.
693
694   user disable username
695       Disable a user account.
696
697   user edit username
698       Edit a user account AD object.
699
700       --editor=EDITOR
701           Specifies the editor to use instead of the system default, or 'vi'
702           if no system default is set.
703
704   user enable username
705       Enable a user account.
706
707   user list
708       List all users.
709
710   user setprimarygroup username primarygroupname
711       Set the primary group a user account.
712
713   user getgroups username
714       Get the direct group memberships of a user account.
715
716   user show username [options]
717       Display a user AD object.
718
719       --attributes=USER_ATTRS
720           Comma separated list of attributes, which will be printed.
721
722   user move username new_parent_dn [options]
723       This command moves a user account into the specified organizational
724       unit or container.
725
726       The username specified on the command is the sAMAccountName.
727
728       The name of the organizational unit or container can be specified as a
729       full DN or without the domainDN component.
730
731   user password [options]
732       Change password for a user account (the one provided in
733       authentication).
734
735   user setexpiry username [options]
736       Set the expiration of a user account.
737
738   user setpassword username [options]
739       Sets or resets the password of a user account.
740
741   user getpassword username [options]
742       Gets the password of a user account.
743
744   user syncpasswords --cache-ldb-initialize [options]
745       Syncs the passwords of all user accounts, using an optional script.
746
747       Note that this command should run on a single domain controller only
748       (typically the PDC-emulator).
749
750   vampire [options] domain
751       Join and synchronise a remote AD domain to the local server. Please
752       note that samba-tool vampire is deprecated, please use samba-tool
753       domain join instead.
754
755   visualize [options] subcommand
756       Produce graphical representations of Samba network state. To work out
757       what is happening in a replication graph, it is sometimes helpful to
758       use visualisations.
759
760       There are two subcommands, two graphical modes, and (roughly) two modes
761       of operation with respect to the location of authority.
762
763   MODES OF OPERATION
764       samba-tool visualize ntdsconn
765           Looks at NTDS connections.
766
767       samba-tool visualize reps
768           Looks at repsTo and repsFrom objects.
769
770       samba-tool visualize uptodateness
771           Looks at replication lag as shown by the uptodateness vectors.
772
773   GRAPHICAL MODES
774       --distance
775           Distances between DCs are shown in a matrix in the terminal.
776
777       --dot
778           Generate Graphviz dot output (for ntdsconn and reps modes). When
779           viewed using dot or xdot, this shows the network as a graph with
780           DCs as vertices and connections edges. Certain types of degenerate
781           edges are shown in different colours or line-styles.
782
783       --xdot
784           Generate Graphviz dot output as with [--dot] and attempt to view it
785           immediately using /usr/bin/xdot.
786
787       -r
788           Normally, samba-tool talks to one database; with the [-r] option
789           attempts are made to contact all the DCs known to the first
790           database. This is necessary for samba-tool visualize uptodateness
791           and for samba-tool visualize reps because the repsFrom/To objects
792           are not replicated, and it can reveal replication issues in other
793           modes.
794
795   help
796       Gives usage information.
797

VERSION

799       This man page is complete for version 4.12.2 of the Samba suite.
800

AUTHOR

802       The original Samba software and related utilities were created by
803       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
804       Source project similar to the way the Linux kernel is developed.
805
806
807
808Samba 4.12.2                      04/28/2020                     SAMBA-TOOL(8)
Impressum