NET(8) System Administration tools NET(8)

net - Tool for administration of Samba and remote CIFS servers.

net {<ads|rap|rpc>} [-h|--help] [-w|--workgroup workgroup]
[-W|--myworkgroup myworkgroup] [-U|--user user]
[-A|--authentication-file authfile] [-I|--ipaddress ip-address]
[-p|--port port] [-n myname] [-s conffile] [-S|--server server]
[-l|--long] [-v|--verbose] [-f|--force] [-P|--machine-pass]
[-d debuglevel] [-V] [--request-timeout seconds]
[-t|--timeout seconds] [-i|--stdin] [--tallocreport]

This tool is part of the samba(7) suite.

The Samba net utility is meant to work just like the net utility
available for Windows and DOS. The first argument should be used to
specify the protocol to use when executing a certain command. ADS is
used for Active Directory, RAP is used for old (Win9x/NT3) clients and
RPC can be used for NT4 and Windows 2000. If this argument is omitted,
net will try to determine it automatically. Not all commands are
available on all protocols.

-?|--help
Print a summary of command line options.

-k|--kerberos
Try to authenticate with Kerberos. Only useful in an Active
Directory environment.

-w|--workgroup target-workgroup
Sets target workgroup or domain. You have to specify either this
option or the IP address or the name of a server.

-W|--myworkgroup workgroup
Sets client workgroup or domain.

-U|--user user
User name to use.

-I|--ipaddress ip-address
IP address of target server to use. You have to specify either this
option or a target workgroup or a target server.

-p|--port port
Port on the target server to connect to (usually 139 or 445).
Defaults to trying 445 first, then 139.

-n|--netbiosname <primary NetBIOS name>
This option allows you to override the NetBIOS name that Samba uses
for itself. This is identical to setting the netbios name parameter
in the smb.conf file. However, a command line setting will take
precedence over settings in smb.conf.

-S|--server server
Name of target server. You should specify either this option or a
target workgroup or a target IP address.

-l|--long
When listing data, give more information on each item.

-v|--verbose
When listing data, give more verbose information on each item.

-f|--force
Enforcing a net command.

-P|--machine-pass
Make queries to the external server using the machine account of
the local server.

--request-timeout 30
Let client requests time out after 30 seconds; the default is 10
seconds.

-t|--timeout 30
Set timeout for client operations to 30 seconds.

--use-ccache
Try to use the credentials cached by winbind.

-i|--stdin
Take input for net commands from standard input.

--tallocreport
Generate a talloc report while processing a net command.

-T|--test
Only test command sequence, dry-run.

-F|--flags FLAGS
Pass down integer flags to a net subcommand.

-C|--comment COMMENT
Pass down a comment string to a net subcommand.

-n|--myname MYNAME
Use MYNAME as a requester name for a net subcommand.

-c|--container CONTAINER
Use a specific AD container for net ads operations.

-M|--maxusers MAXUSERS
Fill in the maxusers field in net rpc share operations.

-r|--reboot
Reboot a remote machine after a command has been successfully
executed (e.g. in remote join operations).

--force-full-repl
When calling "net rpc vampire keytab" this option enforces a full
re-creation of the generated keytab file.

--single-obj-repl
When calling "net rpc vampire keytab" this option allows one to
replicate just a single object to the generated keytab file.

--clean-old-entries
When calling "net rpc vampire keytab" this option allows one to
cleanup old entries from the generated keytab file.

--db
Define dbfile for "net idmap" commands.

--lock
Activates locking of the dbfile for "net idmap check" command.

-a|--auto
Activates noninteractive mode in "net idmap check".

--repair
Activates repair mode in "net idmap check".

--acls
Includes ACLs to be copied in "net rpc share migrate".

--attrs
Includes file attributes to be copied in "net rpc share migrate".

--timestamps
Includes timestamps to be copied in "net rpc share migrate".

-X|--exclude DIRECTORY
Allows one to exclude directories when copying with "net rpc share
migrate".

--destination SERVERNAME
Defines the target servername of migration process (defaults to
localhost).

-L|--local
Sets the type of group mapping to local (used in "net groupmap
set").

-D|--domain
Sets the type of group mapping to domain (used in "net groupmap
set").

-N|--ntname NTNAME
Sets the ntname of a group mapping (used in "net groupmap set").

-R|--rid RID
Sets the rid of a group mapping (used in "net groupmap set").

--reg-version REG_VERSION
Assume database version {n|1,2,3} (used in "net registry check").

-o|--output FILENAME
Output database file (used in "net registry check").

--wipe
Create a new database from scratch (used in "net registry check").

--precheck PRECHECK_DB_FILENAME
Defines filename for database prechecking (used in "net registry
import").

--no-dns-updates
Do not perform DNS updates as part of "net ads join".

--keep-account
Prevent the machine account removal as part of "net ads leave".

--json
Report results in JSON format for "net ads info" and "net ads
lookup".

--recursive
Traverse a directory hierarchy.

--continue
Continue traversing a directory hierarchy in case conversion of one
file fails.

--follow-symlinks
Follow symlinks encountered while traversing a directory.

-e|--encrypt
This command line parameter requires that the remote server support the
UNIX extensions or that the SMB3 protocol has been selected.
Requests that the connection be encrypted. Negotiates SMB
encryption using either SMB3 or POSIX extensions via GSSAPI. Uses
the given credentials for the encryption negotiation (either
Kerberos or NTLMv1/v2 if given a domain/username/password triple).
Fails the connection if encryption cannot be negotiated.

-d|--debuglevel=level
level is an integer from 0 to 10. The default value if this
parameter is not specified is 1.

The higher this value, the more detail will be logged to the log
files about the activities of the server. At level 0, only critical
errors and serious warnings will be logged. Level 1 is a reasonable
level for day-to-day running - it generates a small amount of
information about operations carried out.

Levels above 1 will generate considerable amounts of log data, and
should only be used when investigating a problem. Levels above 3
are designed for use only by developers and generate HUGE amounts
of log data, most of which is extremely cryptic.

Note that specifying this parameter here will override the log
level parameter in the smb.conf file.

-V|--version
Prints the program version number.

-s|--configfile=<configuration file>
The file specified contains the configuration details required by
the server. The information in this file includes server-specific
information such as what printcap file to use, as well as
descriptions of all the services that the server is to provide. See
smb.conf for more information. The default configuration file name
is determined at compile time.

-l|--log-basename=logdirectory
Base directory name for log/debug files. The extension ".progname"
will be appended (e.g. log.smbclient, log.smbd, etc...). The log
file is never removed by the client.

--option=<name>=<value>
Set the smb.conf(5) option "<name>" to value "<value>" from the
command line. This overrides compiled-in defaults and options read
from the configuration file.

CHANGESECRETPW
This command allows the Samba machine account password to be set from
an external application to a machine account password that has already
been stored in Active Directory. DO NOT USE this command unless you
know exactly what you are doing. The use of this command requires that
the force flag (-f) be used also. There will be NO command prompt.
Whatever information is piped into stdin, either by typing at the
command line or otherwise, will be stored as the literal machine
password. Do NOT use this without care and attention as it will
overwrite a legitimate machine password without warning. YOU HAVE BEEN
WARNED.

TIME
The NET TIME command allows you to view the time on a remote server or
synchronise the time on the local server with the time on the remote
server.

TIME
Without any options, the NET TIME command displays the time on the
remote server. The remote server must be specified with the -S option.

TIME SYSTEM
Displays the time on the remote server in a format ready for /bin/date.
The remote server must be specified with the -S option.

TIME SET
Tries to set the date and time of the local server to that on the
remote server using /bin/date. The remote server must be specified with
the -S option.

TIME ZONE
Displays the timezone in hours from GMT on the remote server. The
remote server must be specified with the -S option.

[RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]]
[dnshostname=FQDN] [createupn=UPN] [createcomputer=OU]
[machinepass=PASS] [osName=string osVer=string] [options]
Join a domain. If the account already exists on the server, and [TYPE]
is MEMBER, the machine will attempt to join automatically (assuming
that the machine has been created in server manager). Otherwise, a
password will be prompted for, and a new account may be created.

[TYPE] may be PDC, BDC or MEMBER to specify the type of server joining
the domain.

[FQDN] (ADS only) set the dnsHostName attribute during the join. The
default format is netbiosname.dnsdomain.

[UPN] (ADS only) set the principalname attribute during the join. The
default format is host/netbiosname@REALM.

[OU] (ADS only) Precreate the computer account in a specific OU. The OU
string reads from top to bottom without RDNs, and is delimited by a
'/'. Please note that '\' is used for escape by both the shell and
ldap, so it may need to be doubled or quadrupled to pass through, and
it is not used as a delimiter.

[PASS] (ADS only) Set a specific password on the computer account being
created by the join.

[osName=string osVer=String] (ADS only) Set the operatingSystem and
operatingSystemVersion attribute during the join. Both parameters must
be specified for either to take effect.

[RPC] OLDJOIN [options]
Join a domain. Use the OLDJOIN option to join the domain using the old
style of domain joining - you need to create a trust account in server
manager first.

[RPC|ADS] USER
[RPC|ADS] USER
List all users.

[RPC|ADS] USER DELETE target
Delete specified user.

[RPC|ADS] USER INFO target
List the domain groups of the specified user.

[RPC|ADS] USER RENAME oldname newname
Rename specified user.

[RPC|ADS] USER ADD name [password] [-F user flags] [-C comment]
Add specified user.

[RPC|ADS] GROUP
[RPC|ADS] GROUP [misc options] [targets]
List user groups.

[RPC|ADS] GROUP DELETE name [misc. options]
Delete specified group.

[RPC|ADS] GROUP ADD name [-C comment]
Create specified group.

[ADS] LOOKUP
Lookup the closest Domain Controller in our domain and retrieve server
information about it.

[RAP|RPC] SHARE
[RAP|RPC] SHARE [misc. options] [targets]
Enumerates all exported resources (network shares) on target server.

[RAP|RPC] SHARE ADD name=serverpath [-C comment] [-M maxusers] [targets]
Adds a share from a server (makes the export active). Maxusers
specifies the number of users that can be connected to the share
simultaneously.

SHARE DELETE sharename
Delete specified share.

[RPC|RAP] FILE
[RPC|RAP] FILE
List all open files on remote server.

[RPC|RAP] FILE CLOSE fileid
Close file with specified fileid on remote server.

[RPC|RAP] FILE INFO fileid
Print information on specified fileid. Currently listed are: file-id,
username, locks, path, permissions.

[RAP|RPC] FILE USER user
List files opened by specified user. Please note that net rap file user
does not work against Samba servers.

SESSION
RAP SESSION
Without any other options, SESSION enumerates all active SMB/CIFS
sessions on the target server.

RAP SESSION DELETE|CLOSE CLIENT_NAME
Close the specified sessions.

RAP SESSION INFO CLIENT_NAME
Give a list with all the open files in specified session.

RAP SERVER DOMAIN
List all servers in specified domain or workgroup. Defaults to local
domain.

RAP DOMAIN
Lists all domains and workgroups visible on the current network.

RAP PRINTQ
RAP PRINTQ INFO QUEUE_NAME
Lists the specified print queue and print jobs on the server. If the
QUEUE_NAME is omitted, all queues are listed.

RAP PRINTQ DELETE JOBID
Delete job with specified id.

RAP VALIDATE user [password]
Validate whether the specified user can log in to the remote server. If
the password is not specified on the command line, it will be prompted.

Note
Currently NOT implemented.

RAP GROUPMEMBER
RAP GROUPMEMBER LIST GROUP
List all members of the specified group.

RAP GROUPMEMBER DELETE GROUP USER
Delete member from group.

RAP GROUPMEMBER ADD GROUP USER
Add member to group.

RAP ADMIN command
Execute the specified command on the remote server. Only works with
OS/2 servers.

Note
Currently NOT implemented.

RAP SERVICE
RAP SERVICE START NAME [arguments...]
Start the specified service on the remote server. Not implemented yet.

Note
Currently NOT implemented.

RAP SERVICE STOP
Stop the specified service on the remote server.

Note
Currently NOT implemented.

RAP PASSWORD USER OLDPASS NEWPASS
Change password of USER from OLDPASS to NEWPASS.

LOOKUP
LOOKUP HOST HOSTNAME [TYPE]
Lookup the IP address of the given host with the specified type
(netbios suffix). The type defaults to 0x20 (workstation).

LOOKUP LDAP [DOMAIN]
Give IP address of LDAP server of specified DOMAIN. Defaults to local
domain.

LOOKUP KDC [REALM]
Give IP address of KDC for the specified REALM. Defaults to local
realm.

LOOKUP DC [DOMAIN]
Give IPs of Domain Controllers for specified
DOMAIN. Defaults to local domain.

LOOKUP MASTER DOMAIN
Give IP of master browser for specified DOMAIN or workgroup. Defaults
to local domain.

LOOKUP NAME [NAME]
Lookup username's sid and type for specified NAME.

LOOKUP SID [SID]
Give sid's name and type for specified SID.

LOOKUP DSGETDCNAME [NAME] [FLAGS] [SITENAME]
Give Domain Controller information for specified domain NAME.

CACHE
Samba uses a general caching interface called 'gencache'. It can be
controlled using 'NET CACHE'.

All the timeout parameters support the suffixes:
s - Seconds
m - Minutes
h - Hours
d - Days
w - Weeks

CACHE ADD key data time-out
Add specified key+data to the cache with the given timeout.

CACHE DEL key
Delete key from the cache.

CACHE SET key data time-out
Update data of existing cache entry.

CACHE SEARCH PATTERN
Search for the specified pattern in the cache data.

CACHE LIST
List all current items in the cache.

CACHE FLUSH
Remove all the current items from the cache.

GETLOCALSID [DOMAIN]
Prints the SID of the specified domain, or if the parameter is omitted,
the SID of the local server.

SETLOCALSID S-1-5-21-x-y-z
Sets SID for the local server to the specified SID.

GETDOMAINSID
Prints the local machine SID and the SID of the current domain.

SETDOMAINSID
Sets the SID of the current domain.

GROUPMAP
Manage the mappings between Windows group SIDs and UNIX groups. Common
options include:

· unixgroup - Name of the UNIX group
· ntgroup - Name of the Windows NT group (must be resolvable to a SID)
· rid - Unsigned 32-bit integer
· sid - Full SID in the form of "S-1-..."
· type - Type of the group; either 'domain', 'local', or 'builtin'
· comment - Freeform text description of the group

GROUPMAP ADD
Add a new group mapping entry:

net groupmap add {rid=int|sid=string} unixgroup=string \
[type={domain|local}] [ntgroup=string] [comment=string]

GROUPMAP DELETE
Delete a group mapping entry. If more than one group name matches, the
first entry found is deleted.

net groupmap delete {ntgroup=string|sid=SID}

GROUPMAP MODIFY
Update an existing group entry.

net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] \
[comment=string] [type={domain|local}]

GROUPMAP LIST
List existing group mapping entries.

net groupmap list [verbose] [ntgroup=string] [sid=SID]

MAXRID
Prints out the highest RID currently in use on the local server (by the
active 'passdb backend').

RPC INFO
Print information about the domain of the remote server, such as domain
name, domain sid and number of users and groups.

[RPC|ADS] TESTJOIN
Check whether participation in a domain is still valid.

[RPC|ADS] CHANGETRUSTPW
Force change of domain trust password.

RPC TRUSTDOM
RPC TRUSTDOM ADD DOMAIN
Add an interdomain trust account for DOMAIN. This is in fact a Samba
account named DOMAIN$ with the account flag 'I' (interdomain trust
account). This is required for incoming trusts to work. It makes Samba
be a trusted domain of the foreign (trusting) domain. Users of the
Samba domain will be made available in the foreign domain. If the
command is used against localhost it has the same effect as smbpasswd
-a -i DOMAIN. Please note that both commands expect an appropriate UNIX
account.

RPC TRUSTDOM DEL DOMAIN
Remove interdomain trust account for DOMAIN. If it is used against
localhost it has the same effect as smbpasswd -x DOMAIN$.

RPC TRUSTDOM ESTABLISH DOMAIN
Establish a trust relationship to a trusted domain. Interdomain account
must already be created on the remote PDC. This is required for
outgoing trusts to work. It makes Samba be a trusting domain of a
foreign (trusted) domain. Users of the foreign domain will be made
available in our domain. You'll need winbind and a working idmap config
to make them appear in your system.

RPC TRUSTDOM REVOKE DOMAIN
Abandon relationship to trusted domain.

RPC TRUSTDOM LIST
List all interdomain trust relationships.

RPC TRUST
RPC TRUST CREATE
Create a trust object by calling lsaCreateTrustedDomainEx2. This can be
done on a single server or on two servers at once with the possibility
to use a random trust password.

Options:

otherserver
Domain controller of the second domain

otheruser
Admin user in the second domain

otherdomainsid
SID of the second domain

other_netbios_domain
NetBIOS (short) name of the second domain

otherdomain
DNS (full) name of the second domain

trustpw
Trust password

Examples:

Create a trust object on srv1.dom1.dom for the domain dom2

net rpc trust create \
otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
other_netbios_domain=dom2 \
otherdomain=dom2.dom \
trustpw=12345678 \
-S srv1.dom1.dom

Create a trust relationship between dom1 and dom2

net rpc trust create \
otherserver=srv2.dom2.test \
otheruser=dom2adm \
-S srv1.dom1.dom

RPC TRUST DELETE
Delete a trust object by calling lsaDeleteTrustedDomain. This can be
done on a single server or on two servers at once.

Options:

otherserver
Domain controller of the second domain

otheruser
Admin user in the second domain

otherdomainsid
SID of the second domain

Examples:

Delete a trust object on srv1.dom1.dom for the domain dom2

net rpc trust delete \
otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
-S srv1.dom1.dom

Delete a trust relationship between dom1 and dom2

net rpc trust delete \
otherserver=srv2.dom2.test \
otheruser=dom2adm \
-S srv1.dom1.dom

RPC RIGHTS
This subcommand is used to view and manage Samba's rights assignments
(also referred to as privileges). There are three options currently
available: list, grant, and revoke. More details on Samba's privilege
model and its use can be found in the Samba-HOWTO-Collection.

RPC ABORTSHUTDOWN
Abort the shutdown of a remote server.

RPC SHUTDOWN [-t timeout] [-r] [-f] [-C message]
Shut down the remote server.

-r
Reboot after shutdown.

-f
Force shutting down all applications.

-t timeout
Timeout before system will be shut down. An interactive user of the
system can use this time to cancel the shutdown.

-C message
Display the specified message on the screen to announce the
shutdown.

RPC SAMDUMP
Print out sam database of remote server. You need to run this against
the PDC, from a Samba machine joined as a BDC.

RPC VAMPIRE
Export users, aliases and groups from remote server to local server.
You need to run this against the PDC, from a Samba machine joined as a
BDC. This vampire command cannot be used against an Active Directory,
only against an NT4 Domain Controller.

RPC VAMPIRE KEYTAB
Dump remote SAM database to local Kerberos keytab file.

RPC VAMPIRE LDIF
Dump remote SAM database to local LDIF file or standard output.

RPC GETSID
Fetch domain SID and store it in the local secrets.tdb.

ADS GPO
ADS GPO APPLY <USERNAME|MACHINENAME>
Apply GPOs for a username or machine name. Either username or machine
name should be provided to the command, not both.

ADS GPO GETGPO [GPO]
List specified GPO.

ADS GPO LINKADD [LINKDN] [GPODN]
Link a container to a GPO. LINKDN: container to link to a GPO. GPODN:
GPO to link the container to. DNs must be provided properly escaped. See
RFC 4514 for details.

ADS GPO LINKGET [CONTAINER]
Lists gPLink of a container.

ADS GPO LIST <USERNAME|MACHINENAME>
Lists all GPOs for a username or machine name. Either username or
machine name should be provided to the command, not both.

ADS GPO LISTALL
Lists all GPOs on a DC.

ADS GPO REFRESH [USERNAME] [MACHINENAME]
Lists all GPOs assigned to an account and downloads them. USERNAME: user
to refresh GPOs for. MACHINENAME: machine to refresh GPOs for.

ADS DNS
ADS DNS REGISTER [HOSTNAME [IP [IP.....]]]
Add host dns entry to Active Directory.

ADS DNS UNREGISTER <HOSTNAME>
Remove host dns entry from Active Directory.

ADS DNS GETHOSTBYNAME <NAMESERVER|HOSTNAME>
Look up the hostname from Active Directory. You can either provide
nameserver, i.e. an IPv4|IPv6 address, or the hostname. Only one should be
provided at a time.

ADS LEAVE [--keep-account]
Make the remote host leave the domain it is part of.

ADS STATUS
Print out status of machine account of the local machine in ADS. Prints
out quite some debug info. Aimed at developers; regular users should
use NET ADS TESTJOIN.

ADS PRINTER
ADS PRINTER INFO [PRINTER] [SERVER]
Lookup info for PRINTER on SERVER. The printer name defaults to "*",
the server name defaults to the local host.

ADS PRINTER PUBLISH PRINTER
Publish specified printer using ADS.

ADS PRINTER REMOVE PRINTER
Remove specified printer from ADS directory.

ADS SEARCH EXPRESSION ATTRIBUTES...
Perform a raw LDAP search on an ADS server and dump the results. The
expression is a standard LDAP search expression, and the attributes are
a list of LDAP fields to show in the results.

Example: net ads search '(objectCategory=group)' sAMAccountName

ADS DN DN (attributes)
Perform a raw LDAP search on an ADS server and dump the results. The DN
is a standard LDAP DN, and the attributes are a list of LDAP fields to show
in the result.

Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' SAMAccountName

ADS KEYTAB CREATE
Creates a new keytab file if one doesn't exist with default entries.
Default entries are kerberos principals created from the machinename of
the client, the UPN (if it exists) and any Windows SPN(s) associated
with the computer AD account for the client. If a keytab file already
exists then only missing kerberos principals from the default entries
are added. No changes are made to the computer AD account.

ADS KEYTAB ADD (principal | machine | serviceclass | windows SPN)
Adds a new keytab entry. The entry can be one of:

kerberos principal
A kerberos principal (identified by the presence of '@') is just
added to the keytab file.

machinename
A machinename (identified by the trailing '$') is used to create
a kerberos principal 'machinename@realm' which is added to the
keytab file.

serviceclass
A serviceclass (such as 'cifs', 'html' etc.) is used to create a
pair of kerberos principals
'serviceclass/fully_qualified_dns_name@realm' &
'serviceclass/netbios_name@realm' which are added to the keytab
file.

Windows SPN
A Windows SPN is of the format 'serviceclass/host:port', it is used
to create a kerberos principal 'serviceclass/host@realm' which will
be written to the keytab file.

Unlike old versions no computer AD objects are modified by this
command. To preserve the behaviour of older clients 'net ads keytab
add_update_ads' is available.

ADS KEYTAB ADD_UPDATE_ADS (principal | machine | serviceclass | windows SPN)
Adds a new keytab entry (see section for net ads keytab add). In
addition to adding entries to the keytab file, corresponding Windows
SPNs are created from the entry passed to this command. These SPN(s)
are added to the AD computer account object associated with the client
machine running this command for the following entry types:

serviceclass
A serviceclass (such as 'cifs', 'html' etc.) is used to create a
pair of Windows SPN(s) 'param/full_qualified_dns' &
'param/netbios_name' which are added to the AD computer account
object for this client.

Windows SPN
A Windows SPN is of the format 'serviceclass/host:port', it is
added as passed to the AD computer account object for this client.

ADS setspn SETSPN LIST [machine]
Lists the Windows SPNs stored in the 'machine' Windows AD Computer
object. If 'machine' is not specified then computer account for this
client is used instead.

ADS setspn SETSPN ADD SPN [machine]
Adds the specified Windows SPN to the 'machine' Windows AD Computer
object. If 'machine' is not specified then computer account for this
client is used instead.

ADS setspn SETSPN DELETE SPN [machine]
Deletes the specified Windows SPN from the 'machine' Windows AD Computer
object. If 'machine' is not specified then computer account for this
client is used instead.

ADS WORKGROUP
Print out workgroup name for specified kerberos realm.

ADS ENCTYPES
List, modify or delete the value of the "msDS-SupportedEncryptionTypes"
attribute of an account in AD.

This attribute allows one to control which Kerberos encryption types
are used for the generation of initial and service tickets. The value
consists of an integer bitmask with the following values:

0x00000001 DES-CBC-CRC
0x00000002 DES-CBC-MD5
0x00000004 RC4-HMAC
0x00000008 AES128-CTS-HMAC-SHA1-96
0x00000010 AES256-CTS-HMAC-SHA1-96

ADS ENCTYPES LIST <ACCOUNTNAME>
List the value of the "msDS-SupportedEncryptionTypes" attribute of a
given account.

Example: net ads enctypes list Computername

ADS ENCTYPES SET <ACCOUNTNAME> [enctypes]
Set the value of the "msDS-SupportedEncryptionTypes" attribute of the
LDAP object of ACCOUNTNAME to a given value. If the value is omitted,
the value is set to 31 which enables all the currently supported
encryption types.

Example: net ads enctypes set Computername 24

ADS ENCTYPES DELETE <ACCOUNTNAME>
Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP
object of ACCOUNTNAME.

Example: net ads enctypes delete Computername
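
The bitmask described under ADS ENCTYPES, decoded by a small POSIX shell helper. This is an added example, not part of Samba or of the original page; the function names are hypothetical, and treating DES and RC4 as the legacy types to clear is an assumption of the example.

```sh
#!/bin/sh
# Added example, not Samba code. Decodes an msDS-SupportedEncryptionTypes
# value using the five bit values listed under ADS ENCTYPES.
# All function names here are hypothetical.

# "bit name" pairs, exactly as listed in the section above.
ENCTYPE_TABLE='1 DES-CBC-CRC
2 DES-CBC-MD5
4 RC4-HMAC
8 AES128-CTS-HMAC-SHA1-96
16 AES256-CTS-HMAC-SHA1-96'

LEGACY_MASK=7   # 0x01|0x02|0x04; assumption: DES and RC4 count as legacy
AES_MASK=24     # 0x08|0x10
LISTED_MASK=31  # every bit the page lists

# parse_mask RAW: print RAW as a decimal integer. Accepts decimal or
# 0x-prefixed hex; returns 2 on anything else so a typo never becomes 0.
parse_mask() {
    case $1 in
        0[xX]*)
            _hex=${1#0[xX]}
            case $_hex in ''|*[!0-9a-fA-F]*) return 2 ;; esac
            echo "$(( 0x$_hex ))" ;;
        ''|*[!0-9]*)
            return 2 ;;
        *)
            # Drop leading zeros so "024" is decimal 24, not octal 20.
            _dec=$(printf '%s' "$1" | sed 's/^0*//')
            echo "${_dec:-0}" ;;
    esac
}

# names_for VALUE FILTER: names of the listed bits set in VALUE & FILTER.
names_for() {
    _value=$1 _filter=$2 _out=''
    while read -r _bit _name; do
        if [ $(( $_value & $_filter & $_bit )) -ne 0 ]; then
            _out="${_out:+$_out }$_name"
        fi
    done <<EOF
$ENCTYPE_TABLE
EOF
    printf '%s\n' "$_out"
}

# decode_enctypes RAW: every listed encryption type enabled by RAW.
decode_enctypes() {
    _v=$(parse_mask "$1") || return 2
    names_for "$_v" "$LISTED_MASK"
}

# legacy_enctypes RAW: only the DES/RC4 types enabled by RAW (empty if none).
legacy_enctypes() {
    _v=$(parse_mask "$1") || return 2
    names_for "$_v" "$LEGACY_MASK"
}

# unlisted_bits RAW: bits set in RAW that the page's table does not name.
unlisted_bits() {
    _v=$(parse_mask "$1") || return 2
    echo "$(( $_v & ~$LISTED_MASK ))"
}

# aes_only_mask RAW: RAW with the legacy bits cleared. Returns 1 and prints
# nothing when no AES bit would remain, rather than suggesting an empty mask.
aes_only_mask() {
    _v=$(parse_mask "$1") || return 2
    _kept=$(( $_v & ~$LEGACY_MASK ))
    [ $(( $_kept & $AES_MASK )) -ne 0 ] || return 1
    echo "$_kept"
}

# Constructed sample values: the page's default (31), its example (24), RC4 only.
for sample in 31 24 0x04; do
    echo "$sample: enabled=[$(decode_enctypes "$sample")] legacy=[$(legacy_enctypes "$sample")]"
done
```

For the default value 31, aes_only_mask yields 24, the value used in the "net ads enctypes set Computername 24" example above.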

SAM CREATEBUILTINGROUP <NAME>
(Re)Create a BUILTIN group. Only a well-known set of BUILTIN groups can
be created with this command. This is the list of currently recognized
group names: Administrators, Users, Guests, Power Users, Account
Operators, Server Operators, Print Operators, Backup Operators,
Replicator, RAS Servers, Pre-Windows 2000 compatible Access. This
command requires a running Winbindd with idmap allocation properly
configured. The group gid will be allocated out of the winbindd range.

SAM CREATELOCALGROUP <NAME>
Create a LOCAL group (also known as Alias). This command requires a
running Winbindd with idmap allocation properly configured. The group
gid will be allocated out of the winbindd range.

SAM DELETELOCALGROUP <NAME>
Delete an existing LOCAL group (also known as Alias).

SAM MAPUNIXGROUP <NAME>
Map an existing Unix group and make it a Domain Group, the domain group
will have the same name.

SAM UNMAPUNIXGROUP <NAME>
Remove an existing group mapping entry.

SAM ADDMEM <GROUP> <MEMBER>
Add a member to a Local group. The group can be specified only by name,
the member can be specified by name or SID.

SAM DELMEM <GROUP> <MEMBER>
Remove a member from a Local group. The group and the member must be
specified by name.

SAM LISTMEM <GROUP>
List Local group members. The group must be specified by name.

SAM LIST <users|groups|localgroups|builtin|workstations> [verbose]
List the specified set of accounts by name. If verbose is specified,
the rid and description are also provided for each account.

SAM RIGHTS LIST
List all available privileges.

SAM RIGHTS GRANT <NAME> <PRIVILEGE>
Grant one or more privileges to a user.

SAM RIGHTS REVOKE <NAME> <PRIVILEGE>
Revoke one or more privileges from a user.

SAM SHOW <NAME>
Show the full DOMAIN\\NAME, the SID and the type for the corresponding
account.

SAM SET HOMEDIR <NAME> <DIRECTORY>
Set the home directory for a user account.

SAM SET PROFILEPATH <NAME> <PATH>
Set the profile path for a user account.

SAM SET COMMENT <NAME> <COMMENT>
Set the comment for a user or group account.

SAM SET FULLNAME <NAME> <FULL NAME>
Set the full name for a user account.

SAM SET LOGONSCRIPT <NAME> <SCRIPT>
Set the logon script for a user account.

SAM SET HOMEDRIVE <NAME> <DRIVE>
Set the home drive for a user account.

SAM SET WORKSTATIONS <NAME> <WORKSTATIONS>
Set the workstations a user account is allowed to log in from.

SAM SET DISABLE <NAME>
Set the "disabled" flag for a user account.

SAM SET PWNOTREQ <NAME>
Set the "password not required" flag for a user account.

SAM SET AUTOLOCK <NAME>
Set the "autolock" flag for a user account.

SAM SET PWNOEXP <NAME>
Set the "password do not expire" flag for a user account.

SAM SET PWDMUSTCHANGENOW <NAME> [yes|no]
Set or unset the "password must change" flag for a user account.

SAM POLICY LIST
List the available account policies.

SAM POLICY SHOW <account policy>
Show the account policy value.

SAM POLICY SET <account policy> <value>
Set a value for the account policy. Valid values can be: "forever",
"never", "off", or a number.

SAM PROVISION
Only available if ldapsam:editposix is set and winbindd is running.
Properly populates the ldap tree with the basic accounts
(Administrator) and groups (Domain Users, Domain Admins, Domain Guests)
on the ldap tree.

IDMAP DUMP <local tdb file name>
Dumps the mappings contained in the local tdb file specified. This
command is useful to dump only the mappings produced by the idmap_tdb
backend.

IDMAP RESTORE [input file]
Restore the mappings from the specified file or stdin.

IDMAP SET SECRET <DOMAIN> <secret>
Store a secret for the specified domain, used primarily for domains
that use idmap_ldap as a backend. In this case the secret is used as
1022 the password for the user DN used to bind to the ldap server.
1023
1024 IDMAP SET RANGE <RANGE> <SID> [index] [--db=<DB>]
1025 Store a domain-range mapping for a given domain (and index) in autorid
1026 database.
1027
1028 IDMAP SET CONFIG <config> [--db=<DB>]
1029 Update CONFIG entry in autorid database.
1030
1031 IDMAP GET RANGE <SID> [index] [--db=<DB>]
1032 Get the range for a given domain and index from autorid database.
1033
1034 IDMAP GET RANGES [<SID>] [--db=<DB>]
1035 Get ranges for all domains or for one identified by given SID.
1036
1037 IDMAP GET CONFIG [--db=<DB>]
1038 Get CONFIG entry from autorid database.
1039
1040 IDMAP DELETE MAPPING [-f] [--db=<DB>] <ID>
1041 Delete a mapping sid <-> gid or sid <-> uid from the IDMAP database.
1042 The mapping is given by <ID> which may either be a sid: S-x-..., a gid:
1043 "GID number" or a uid: "UID number". Use -f to delete an invalid
partial mapping <ID> -> xx.
1045
1046 Use "smbcontrol all idmap ..." to notify running smbd instances. See
1047 the smbcontrol(1) manpage for details.
1048
1049 IDMAP DELETE RANGE [-f] [--db=<TDB>] <RANGE>|(<SID> [<INDEX>])
1050 Delete a domain range mapping identified by 'RANGE' or "domain SID and
1051 INDEX" from autorid database. Use -f to delete invalid mappings.
1052
1053 IDMAP DELETE RANGES [-f] [--db=<TDB>] <SID>
1054 Delete all domain range mappings for a domain identified by SID. Use -f
1055 to delete invalid mappings.
1056
1057 IDMAP CHECK [-v] [-r] [-a] [-T] [-f] [-l] [--db=<DB>]
1058 Check and repair the IDMAP database. If no option is given a read only
1059 check of the database is done. Among others an interactive or automatic
1060 repair mode may be chosen with one of the following options:
1061
1062 -r|--repair
1063 Interactive repair mode, ask a lot of questions.
1064
1065 -a|--auto
1066 Noninteractive repair mode, use default answers.
1067
1068 -v|--verbose
1069 Produce more output.
1070
1071 -f|--force
1072 Try to apply changes, even if they do not apply cleanly.
1073
1074 -T|--test
1075 Dry run, show what changes would be made but don't touch anything.
1076
1077 -l|--lock
1078 Lock the database while doing the check.
1079
1080 --db <DB>
1081 Check the specified database.
1082
It reports the following errors:
1084
1085 Missing reverse mapping:
1086 A record with mapping A->B where there is no B->A. Default action
1087 in repair mode is to "fix" this by adding the reverse mapping.
1088
1089 Invalid mapping:
1090 A record with mapping A->B where B->C. Default action is to
1091 "delete" this record.
1092
1093 Missing or invalid HWM:
1094 A high water mark is not at least equal to the largest ID in the
1095 database. Default action is to "fix" this by setting it to the
1096 largest ID found +1.
1097
1098 Invalid record:
1099 Something we failed to parse. Default action is to "edit" it in
1100 interactive and "delete" it in automatic mode.
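
The four error classes above, applied to a small in-memory model, as an added example (not Samba's own code). The dict layout, the "USER HWM" / "GROUP HWM" key names and the sample records are assumptions made for illustration; the actions returned are the automatic-mode defaults described above.

```python
"""Added example: classify idmap-style records into the IDMAP CHECK error classes.

Simplified in-memory model (an assumption, not Samba's tdb reader): the
database is a dict of string keys to string values holding "SID -> UID n" or
"SID -> GID n" records, their reverse records, and two high water marks
under the keys "USER HWM" and "GROUP HWM".
"""

HWM_KEYS = {"USER HWM": "UID", "GROUP HWM": "GID"}

# Constructed sample data, not taken from a real server.
SAMPLE_DB = {
    "USER HWM": "10001",
    "GROUP HWM": "10000",
    "S-1-5-21-1-2-3-1000": "UID 10000",
    "UID 10000": "S-1-5-21-1-2-3-1000",   # consistent pair
    "S-1-5-21-1-2-3-1001": "UID 10002",   # no "UID 10002" record
    "S-1-5-21-1-2-3-1002": "UID 10000",   # UID 10000 points at another SID
    "S-1-5-21-1-2-3-513": "GID 10005",
    "GID 10005": "S-1-5-21-1-2-3-513",    # consistent, but above GROUP HWM
    "garbage": "???",                     # cannot be parsed
}


def parse_unix_id(text):
    """Return (kind, number) for 'UID 10000' or 'GID 10000', else None."""
    parts = text.split(" ")
    if len(parts) == 2 and parts[0] in ("UID", "GID") and parts[1].isdigit():
        return parts[0], int(parts[1])
    return None


def is_sid(text):
    return text.startswith("S-1-")


def check(db):
    """Return (error class, key, default automatic action) tuples."""
    findings = []
    largest = {"UID": -1, "GID": -1}
    for key in sorted(k for k in db if k not in HWM_KEYS):
        value = db[key]
        ids = [i for i in (parse_unix_id(key), parse_unix_id(value)) if i]
        sids = [s for s in (key, value) if is_sid(s)]
        # A usable record pairs exactly one SID with exactly one unix id.
        if len(ids) != 1 or len(sids) != 1:
            findings.append(("invalid record", key, "delete"))
            continue
        kind, number = ids[0]
        largest[kind] = max(largest[kind], number)
        reverse = db.get(value)
        if reverse is None:
            # A->B exists but there is no B->A.
            findings.append(("missing reverse mapping", key,
                             "add %s -> %s" % (value, key)))
        elif reverse != key:
            # A->B exists but B->C with C != A.
            findings.append(("invalid mapping", key, "delete"))
    for hwm_key, kind in HWM_KEYS.items():
        hwm = db.get(hwm_key, "")
        # The high water mark must be at least the largest ID in use.
        if not hwm.isdigit() or int(hwm) < largest[kind]:
            findings.append(("missing or invalid HWM", hwm_key,
                             "set to %d" % (largest[kind] + 1)))
    return findings


if __name__ == "__main__":
    for error, key, action in check(SAMPLE_DB):
        print("%-26s %-24s %s" % (error, key, action))
```

This mirrors a read-only run: nothing is modified, the findings are only reported together with the action automatic repair would take.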
1101
1102 USERSHARE
1103 Starting with version 3.0.23, a Samba server now supports the ability
1104 for non-root users to add user defined shares to be exported using the
1105 "net usershare" commands.
1106
To set this up, first set up your smb.conf by adding to the [global]
section:

    usershare path = /usr/local/samba/lib/usershares

Next create the directory /usr/local/samba/lib/usershares, change the
owner to root and set the group owner to the UNIX group that should have
the ability to create usershares, for example a group called
"serverops". Set the permissions on /usr/local/samba/lib/usershares to
01770 (owner and group all access, no access for others, plus the
sticky bit, which means that a file in that directory can be renamed or
deleted only by the owner of the file). Finally, tell smbd how many
usershares you will allow by adding to the [global] section of smb.conf
a line such as:

    usershare max shares = 100

to allow 100 usershare definitions. Now, members of the UNIX group
"serverops" can create user defined shares on demand using the commands
below.
1120
1121 The usershare commands are:
1122 net usershare add sharename path [comment [acl] [guest_ok=[y|n]]] -
1123 to add or change a user defined share.
1124 net usershare delete sharename - to delete a user defined share.
1125 net usershare info [-l|--long] [wildcard sharename] - to print info
1126 about a user defined share.
1127 net usershare list [-l|--long] [wildcard sharename] - to list user
1128 defined shares.
1129
1130 USERSHARE ADD sharename path [comment] [acl] [guest_ok=[y|n]]
1131 Add or replace a new user defined share, with name "sharename".
1132
1133 "path" specifies the absolute pathname on the system to be exported.
1134 Restrictions may be put on this, see the global smb.conf parameters:
1135 "usershare owner only", "usershare prefix allow list", and "usershare
1136 prefix deny list".
1137
1138 The optional "comment" parameter is the comment that will appear on the
1139 share when browsed to by a client.
1140
1141 The optional "acl" field specifies which users have read and write
1142 access to the entire share. Note that guest connections are not allowed
1143 unless the smb.conf parameter "usershare allow guests" has been set.
The definition of a user defined share acl is: "user:permission", where
user is a valid username on the system and permission can be "F", "R",
or "D". "F" stands for "full permissions", i.e. read and write
permissions. "D" stands for "deny" for a user, i.e. prevent this user
from accessing this share. "R" stands for "read only", i.e. only allow
read access to this share (no creation of new files or directories or
writing to files).
1151
1152 The default if no "acl" is given is "Everyone:R", which means any
1153 authenticated user has read-only access.
1154
1155 The optional "guest_ok" has the same effect as the parameter of the
1156 same name in smb.conf, in that it allows guest access to this user
1157 defined share. This parameter is only allowed if the global parameter
1158 "usershare allow guests" has been set to true in the smb.conf.
1159
1160
There is no separate command to modify an existing user defined share.
Use the "net usershare add [sharename]" command with the same sharename
as the one you wish to modify and specify the new options you wish. The
Samba smbd daemon notices user defined share modifications at connect
time, so it will see the change immediately; there is no need to
restart smbd on adding, deleting or changing a user defined share.
1167
1168 USERSHARE DELETE sharename
1169 Deletes the user defined share by name. The Samba smbd daemon
1170 immediately notices this change, although it will not disconnect any
1171 users currently connected to the deleted share.
1172
1173 USERSHARE INFO [-l|--long] [wildcard sharename]
1174 Get info on user defined shares owned by the current user matching the
1175 given pattern, or all users.
1176
1177 net usershare info on its own dumps out info on the user defined shares
1178 that were created by the current user, or restricts them to share names
1179 that match the given wildcard pattern ('*' matches one or more
1180 characters, '?' matches only one character). If the '-l' or '--long'
1181 option is also given, it prints out info on user defined shares created
1182 by other users.
1183
The information given about a share looks like:

    [foobar]
    path=/home/jeremy
    comment=testme
    usershare_acl=Everyone:F
    guest_ok=n

This is a list of the current settings of the user defined share that
can be modified by the "net usershare add" command.
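
An added example (not part of the Samba documentation or code) that reads output in the format shown above and flags shares an administrator would want to review: guest access, "Everyone:F", and paths outside an expected prefix list. The second sample share, the comma as separator between several acl entries, and the prefix list passed to audit() are assumptions; the script does not read smb.conf.

```python
"""Added example: audit 'net usershare info' style output for risky shares."""
import posixpath

# Constructed sample in the format shown above; not output from a real server.
SAMPLE_INFO = """\
[foobar]
path=/home/jeremy
comment=testme
usershare_acl=Everyone:F
guest_ok=n

[scratch]
path=/srv/scratch-old/data
comment=
usershare_acl=Everyone:R,alice:F
guest_ok=y
"""


def parse_info(text):
    """Return {sharename: {field: value}} from the info listing."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return shares


def parse_acl(acl):
    """Split 'user:permission' entries (comma separated: an assumption)."""
    entries = []
    for item in (part.strip() for part in acl.split(",")):
        if not item:
            continue
        user, sep, perm = item.rpartition(":")
        if not sep or not user or perm.upper() not in ("F", "R", "D"):
            raise ValueError("bad usershare acl entry: %r" % item)
        entries.append((user, perm.upper()))
    return entries


def under_prefix(path, prefixes):
    """True if path lies under one of prefixes, compared per path component.

    Lexical check only: '..' is collapsed, symlinks are not resolved.
    """
    norm = posixpath.normpath(path)
    for prefix in prefixes:
        base = posixpath.normpath(prefix)
        # Require a '/' boundary so /srv/scratch-old is not under /srv/scratch.
        if norm == base or norm.startswith(base.rstrip("/") + "/"):
            return True
    return False


def audit(text, allowed_prefixes):
    """Return (sharename, finding) tuples for shares that need review."""
    findings = []
    for name, fields in parse_info(text).items():
        # With no acl given the default is Everyone:R.
        acl = parse_acl(fields.get("usershare_acl") or "Everyone:R")
        if fields.get("guest_ok", "n").lower() == "y":
            findings.append((name, "guest access enabled"))
        if any(u.lower() == "everyone" and p == "F" for u, p in acl):
            findings.append((name, "Everyone has full (read and write) access"))
        if not under_prefix(fields.get("path", ""), allowed_prefixes):
            findings.append((name, "path outside allowed prefixes"))
    return findings


if __name__ == "__main__":
    for share, finding in audit(SAMPLE_INFO, ["/home", "/srv/scratch"]):
        print("%s: %s" % (share, finding))
```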
1188
1189 USERSHARE LIST [-l|--long] wildcard sharename
1190 List all the user defined shares owned by the current user matching the
1191 given pattern, or all users.
1192
net usershare list on its own lists the names of the user defined
1194 shares that were created by the current user, or restricts the list to
1195 share names that match the given wildcard pattern ('*' matches one or
1196 more characters, '?' matches only one character). If the '-l' or
1197 '--long' option is also given, it includes the names of user defined
1198 shares created by other users.
1199
1200 [RPC] CONF
1201 Starting with version 3.2.0, a Samba server can be configured by data
1202 stored in registry. This configuration data can be edited with the new
1203 "net conf" commands. There is also the possibility to configure a
1204 remote Samba server by enabling the RPC conf mode and specifying the
1205 address of the remote server.
1206
1207 The deployment of this configuration data can be activated in two
1208 levels from the smb.conf file: Share definitions from registry are
1209 activated by setting registry shares to “yes” in the [global] section
1210 and global configuration options are activated by setting include =
1211 registry in the [global] section for a mixed configuration or by
1212 setting config backend = registry in the [global] section for a
1213 registry-only configuration. See the smb.conf(5) manpage for details.
1214
1215 The conf commands are:
1216 net [rpc] conf list - Dump the complete configuration in smb.conf
1217 like format.
1218 net [rpc] conf import - Import configuration from file in smb.conf
1219 format.
1220 net [rpc] conf listshares - List the registry shares.
1221 net [rpc] conf drop - Delete the complete configuration from
1222 registry.
1223 net [rpc] conf showshare - Show the definition of a registry share.
1224 net [rpc] conf addshare - Create a new registry share.
1225 net [rpc] conf delshare - Delete a registry share.
1226 net [rpc] conf setparm - Store a parameter.
1227 net [rpc] conf getparm - Retrieve the value of a parameter.
1228 net [rpc] conf delparm - Delete a parameter.
1229 net [rpc] conf getincludes - Show the includes of a share
1230 definition.
1231 net [rpc] conf setincludes - Set includes for a share.
1232 net [rpc] conf delincludes - Delete includes from a share
1233 definition.
1234
1235 [RPC] CONF LIST
1236 Print the configuration data stored in the registry in a smb.conf-like
1237 format to standard output.
1238
1239 [RPC] CONF IMPORT [--test|-T] filename [section]
1240 This command imports configuration from a file in smb.conf format. If a
1241 section encountered in the input file is present in registry, its
contents are replaced. Sections of registry configuration that have no
1243 counterpart in the input file are not affected. If you want to delete
1244 these, you will have to use the "net conf drop" or "net conf delshare"
1245 commands. Optionally, a section may be specified to restrict the effect
1246 of the import command to that specific section. A test mode is enabled
1247 by specifying the parameter "-T" on the commandline. In test mode, no
1248 changes are made to the registry, and the resulting configuration is
1249 printed to standard output instead.
1250
1251 [RPC] CONF LISTSHARES
1252 List the names of the shares defined in registry.
1253
1254 [RPC] CONF DROP
1255 Delete the complete configuration data from registry.
1256
1257 [RPC] CONF SHOWSHARE sharename
1258 Show the definition of the share or section specified. It is valid to
1259 specify "global" as sharename to retrieve the global configuration
1260 options from registry.
1261
1262 [RPC] CONF ADDSHARE sharename path [writeable={y|N} [guest_ok={y|N}
1263 [comment]]]
1264 Create a new share definition in registry. The sharename and path have
1265 to be given. The share name may not be "global". Optionally, values for
1266 the very common options "writeable", "guest ok" and a "comment" may be
1267 specified. The same result may be obtained by a sequence of "net conf
1268 setparm" commands.
1269
1270 [RPC] CONF DELSHARE sharename
1271 Delete a share definition from registry.
1272
1273 [RPC] CONF SETPARM section parameter value
1274 Store a parameter in registry. The section may be global or a
1275 sharename. The section is created if it does not exist yet.
1276
1277 [RPC] CONF GETPARM section parameter
1278 Show a parameter stored in registry.
1279
1280 [RPC] CONF DELPARM section parameter
1281 Delete a parameter stored in registry.
1282
1283 [RPC] CONF GETINCLUDES section
1284 Get the list of includes for the provided section (global or share).
1285
1286 Note that due to the nature of the registry database and the nature of
1287 include directives, the includes need special treatment: Parameters are
1288 stored in registry by the parameter name as valuename, so there is only
1289 ever one instance of a parameter per share. Also, a specific order like
1290 in a text file is not guaranteed. For all real parameters, this is
1291 perfectly ok, but the include directive is rather a meta parameter, for
1292 which, in the smb.conf text file, the place where it is specified
1293 between the other parameters is very important. This can not be
1294 achieved by the simple registry smbconf data model, so there is one
1295 ordered list of includes per share, and this list is evaluated after
1296 all the parameters of the share.
1297
1298 Further note that currently, only files can be included from registry
1299 configuration. In the future, there will be the ability to include
1300 configuration data from other registry keys.
1301
1302 [RPC] CONF SETINCLUDES section [filename]+
1303 Set the list of includes for the provided section (global or share) to
1304 the given list of one or more filenames. The filenames may contain the
1305 usual smb.conf macros like %I.
1306
1307 [RPC] CONF DELINCLUDES section
1308 Delete the list of includes from the provided section (global or
1309 share).
1310
1311 REGISTRY
1312 Manipulate Samba's registry.
1313
1314 The registry commands are:
1315 net registry enumerate - Enumerate registry keys and values.
1316 net registry enumerate_recursive - Enumerate registry key and its
1317 subkeys.
1318 net registry createkey - Create a new registry key.
1319 net registry deletekey - Delete a registry key.
1320 net registry deletekey_recursive - Delete a registry key with
1321 subkeys.
1322 net registry getvalue - Print a registry value.
1323 net registry getvalueraw - Print a registry value (raw format).
1324 net registry setvalue - Set a new registry value.
1325 net registry increment - Increment a DWORD registry value under a
1326 lock.
1327 net registry deletevalue - Delete a registry value.
1328 net registry getsd - Get security descriptor.
net registry getsd_sddl - Get security descriptor in sddl format.
net registry setsd_sddl - Set security descriptor from sddl format
string.
1332 net registry import - Import a registration entries (.reg)
1333 file.
1334 net registry export - Export a registration entries (.reg)
1335 file.
1336 net registry convert - Convert a registration entries (.reg)
1337 file.
1338 net registry check - Check and repair a registry database.
1339
1340 REGISTRY ENUMERATE key
1341 Enumerate subkeys and values of key.
1342
1343 REGISTRY ENUMERATE_RECURSIVE key
1344 Enumerate values of key and its subkeys.
1345
1346 REGISTRY CREATEKEY key
1347 Create a new key if not yet existing.
1348
1349 REGISTRY DELETEKEY key
1350 Delete the given key and its values from the registry, if it has no
1351 subkeys.
1352
1353 REGISTRY DELETEKEY_RECURSIVE key
1354 Delete the given key and all of its subkeys and values from the
1355 registry.
1356
1357 REGISTRY GETVALUE key name
1358 Output type and actual value of the value name of the given key.
1359
1360 REGISTRY GETVALUERAW key name
1361 Output the actual value of the value name of the given key.
1362
1363 REGISTRY SETVALUE key name type value ...
1364 Set the value name of an existing key. type may be one of sz, multi_sz
1365 or dword. In case of multi_sz value may be given multiple times.
1366
1367 REGISTRY INCREMENT key name [inc]
1368 Increment the DWORD value name of key by inc while holding a g_lock.
1369 inc defaults to 1.
1370
1371 REGISTRY DELETEVALUE key name
1372 Delete the value name of the given key.
1373
1374 REGISTRY GETSD key
1375 Get the security descriptor of the given key.
1376
1377 REGISTRY GETSD_SDDL key
1378 Get the security descriptor of the given key as a Security Descriptor
1379 Definition Language (SDDL) string.
1380
REGISTRY SETSD_SDDL key sd
1382 Set the security descriptor of the given key from a Security Descriptor
1383 Definition Language (SDDL) string sd.
1384
1385 REGISTRY IMPORT file [--precheck <check-file>] [opt]
1386 Import a registration entries (.reg) file.
1387
1388 The following options are available:
1389
1390 --precheck check-file
1391 This is a mechanism to check the existence or non-existence of
1392 certain keys or values specified in a precheck file before applying
1393 the import file. The import file will only be applied if the
1394 precheck succeeds.
1395
1396 The check-file follows the normal registry file syntax with the
1397 following semantics:
1398
1399 · <value name>=<value> checks whether the value exists and
1400 has the given value.
1401
1402 · <value name>=- checks whether the value does not exist.
1403
1404 · [key] checks whether the key exists.
1405
1406 · [-key] checks whether the key does not exist.
1407
1408
REGISTRY EXPORT key file [opt]
1410 Export a key to a registration entries (.reg) file.
1411
1412 REGISTRY CONVERT in out [[inopt] outopt]
1413 Convert a registration entries (.reg) file in.
1414
1415 REGISTRY CHECK [-ravTl] [-o <ODB>] [--wipe] [<DB>]
1416 Check and repair the registry database. If no option is given a read
1417 only check of the database is done. Among others an interactive or
automatic repair mode may be chosen with one of the following options:
1419
1420 -r|--repair
1421 Interactive repair mode, ask a lot of questions.
1422
1423 -a|--auto
1424 Noninteractive repair mode, use default answers.
1425
1426 -v|--verbose
1427 Produce more output.
1428
1429 -T|--test
1430 Dry run, show what changes would be made but don't touch anything.
1431
1432 -l|--lock
1433 Lock the database while doing the check.
1434
1435 --reg-version={1,2,3}
1436 Specify the format of the registry database. If not given it
defaults to the value of the binary or, if a registry.tdb is
1438 explicitly stated at the commandline, to the value found in the
1439 INFO/version record.
1440
1441 [--db] <DB>
1442 Check the specified database.
1443
1444 -o|--output <ODB>
1445 Create a new registry database <ODB> instead of modifying the
1446 input. If <ODB> is already existing --wipe may be used to overwrite
1447 it.
1448
1449 --wipe
1450 Replace the registry database instead of modifying the input or
1451 overwrite an existing output database.
1452
1453 EVENTLOG
1454 Starting with version 3.4.0 net can read, dump, import and export
1455 native win32 eventlog files (usually *.evt). evt files are used by the
1456 native Windows eventviewer tools.
1457
1458 The import and export of evt files can only succeed when eventlog list
1459 is used in smb.conf file. See the smb.conf(5) manpage for details.
1460
1461 The eventlog commands are:
net eventlog dump - Dump an eventlog *.evt file on the screen.
net eventlog import - Import an eventlog *.evt into the samba
1464 internal tdb based representation of eventlogs.
1465 net eventlog export - Export the samba internal tdb based
1466 representation of eventlogs into an eventlog *.evt file.
1467
1468 EVENTLOG DUMP filename
Prints an eventlog *.evt file to standard output.
1470
1471 EVENTLOG IMPORT filename eventlog
Imports an eventlog *.evt file defined by filename into the samba
internal tdb representation of eventlog defined by eventlog. eventlog
needs to be part of the eventlog list defined in smb.conf. See the
smb.conf(5) manpage for details.
1476
1477 EVENTLOG EXPORT filename eventlog
Exports the samba internal tdb representation of eventlog defined by
eventlog to an eventlog *.evt file defined by filename. eventlog needs
to be part of the eventlog list defined in smb.conf. See the smb.conf(5)
manpage for details.
1482
1483 DOM
Starting with version 3.2.0 Samba has support for remote join and
unjoin APIs, both client and server-side. Windows has supported remote
join capabilities since Windows 2000.

In order for Samba to be joined or unjoined remotely an account must be
used that is either a member of the Domain Admins group, a member of the
local Administrators group or a user that is granted the
SeMachineAccountPrivilege privilege.
1492
1493 The client side support for remote join is implemented in the net dom
1494 commands which are:
1495 net dom join - Join a remote computer into a domain.
1496 net dom unjoin - Unjoin a remote computer from a domain.
1497 net dom renamecomputer - Renames a remote computer joined to a
1498 domain.
1499
1500 DOM JOIN domain=DOMAIN ou=OU account=ACCOUNT password=PASSWORD reboot
1501 Joins a computer into a domain. This command supports the following
1502 additional parameters:
1503
1504 · DOMAIN can be a NetBIOS domain name (also known as short
1505 domain name) or a DNS domain name for Active Directory
1506 Domains. As in Windows, it is also possible to control which
1507 Domain Controller to use. This can be achieved by appending
1508 the DC name using the \ separator character. Example:
1509 MYDOM\MYDC. The DOMAIN parameter cannot be NULL.
1510
1511 · OU can be set to a RFC 1779 LDAP DN, like
1512 ou=mymachines,cn=Users,dc=example,dc=com in order to create
1513 the machine account in a non-default LDAP container. This
1514 optional parameter is only supported when joining Active
1515 Directory Domains.
1516
1517 · ACCOUNT defines a domain account that will be used to join
1518 the machine to the domain. This domain account needs to have
1519 sufficient privileges to join machines.
1520
1521 · PASSWORD defines the password for the domain account defined
1522 with ACCOUNT.
1523
1524 · REBOOT is an optional parameter that can be set to reboot
1525 the remote machine after successful join to the domain.
1526
1527
1528 Note that you also need to use standard net parameters to connect and
1529 authenticate to the remote machine that you want to join. These
1530 additional parameters include: -S computer and -U user.
1531
1532 Example: net dom join -S xp -U XP\\administrator%secret domain=MYDOM
1533 account=MYDOM\\administrator password=topsecret reboot.
1534
1535 This example would connect to a computer named XP as the local
1536 administrator using password secret, and join the computer into a
1537 domain called MYDOM using the MYDOM domain administrator account and
1538 password topsecret. After successful join, the computer would reboot.
1539
1540 DOM UNJOIN account=ACCOUNT password=PASSWORD reboot
1541 Unjoins a computer from a domain. This command supports the following
1542 additional parameters:
1543
1544 · ACCOUNT defines a domain account that will be used to unjoin
1545 the machine from the domain. This domain account needs to
1546 have sufficient privileges to unjoin machines.
1547
1548 · PASSWORD defines the password for the domain account defined
1549 with ACCOUNT.
1550
1551 · REBOOT is an optional parameter that can be set to reboot
1552 the remote machine after successful unjoin from the domain.
1553
1554
1555 Note that you also need to use standard net parameters to connect and
1556 authenticate to the remote machine that you want to unjoin. These
1557 additional parameters include: -S computer and -U user.
1558
1559 Example: net dom unjoin -S xp -U XP\\administrator%secret
1560 account=MYDOM\\administrator password=topsecret reboot.
1561
1562 This example would connect to a computer named XP as the local
1563 administrator using password secret, and unjoin the computer from the
1564 domain using the MYDOM domain administrator account and password
1565 topsecret. After successful unjoin, the computer would reboot.
1566
1567 DOM RENAMECOMPUTER newname=NEWNAME account=ACCOUNT password=PASSWORD reboot
1568 Renames a computer that is joined to a domain. This command supports
1569 the following additional parameters:
1570
1571 · NEWNAME defines the new name of the machine in the domain.
1572
1573 · ACCOUNT defines a domain account that will be used to rename
1574 the machine in the domain. This domain account needs to have
1575 sufficient privileges to rename machines.
1576
1577 · PASSWORD defines the password for the domain account defined
1578 with ACCOUNT.
1579
1580 · REBOOT is an optional parameter that can be set to reboot
1581 the remote machine after successful rename in the domain.
1582
1583
1584 Note that you also need to use standard net parameters to connect and
1585 authenticate to the remote machine that you want to rename in the
1586 domain. These additional parameters include: -S computer and -U user.
1587
1588 Example: net dom renamecomputer -S xp -U XP\\administrator%secret
1589 newname=XPNEW account=MYDOM\\administrator password=topsecret reboot.
1590
1591 This example would connect to a computer named XP as the local
1592 administrator using password secret, and rename the joined computer to
1593 XPNEW using the MYDOM domain administrator account and password
1594 topsecret. After successful rename, the computer would reboot.
1595
1596 G_LOCK
1597 Manage global locks.
1598
1599 G_LOCK DO lockname timeout command
1600 Execute a shell command under a global lock. This might be useful to
1601 define the order in which several shell commands will be executed. The
1602 locking information is stored in a file called g_lock.tdb. In setups
1603 with CTDB running, the locking information will be available on all
1604 cluster nodes.
1605
1606 · LOCKNAME defines the name of the global lock.
1607
1608 · TIMEOUT defines the timeout.
1609
1610 · COMMAND defines the shell command to execute.
1611
1612 G_LOCK LOCKS
1613 Print a list of all currently existing locknames.
1614
1615 G_LOCK DUMP lockname
1616 Dump the locking table of a certain global lock.
1617
1618 TDB
1619 Print information from tdb records.
1620
1621 TDB LOCKING key [DUMP]
1622 List sharename, filename and number of share modes for a record from
1623 locking.tdb. With the optional DUMP options, dump the complete record.
1624
1625 · KEY Key of the tdb record as hex string.
1626
1627 vfs
1628 Access shared filesystem through the VFS.
1629
vfs stream2adouble [--recursive] [--verbose] [--continue]
[--follow-symlinks] share path
1632 Convert file streams to AppleDouble files.
1633
1634 · share A Samba share.
1635
1636
1637 · path A relative path of something in the Samba share. "."
1638 can be used for the root directory of the share.
1639
1640
1641 Options:
1642
1643 --recursive
1644 Traverse a directory hierarchy.
1645
1646 --verbose
1647 Verbose output.
1648
1649 --continue
1650 Continue traversing a directory hierarchy if a single conversion
1651 fails.
1652
1653 --follow-symlinks
1654 Follow symlinks encountered while traversing a directory.
1655
1656 vfs getntacl share path
1657 Display the security descriptor of a file or directory.
1658
1659 · share A Samba share.
1660
1661
1662 · path A relative path of something in the Samba share. "."
1663 can be used for the root directory of the share.
1664
1665 HELP [COMMAND]
1666 Gives usage information for the specified command.
1667
1669 This man page is complete for version 3 of the Samba suite.
1670
1672 The original Samba software and related utilities were created by
1673 Andrew Tridgell. Samba is now developed by the Samba Team as an Open
1674 Source project similar to the way the Linux kernel is developed.
1675
1676 The net manpage was written by Jelmer Vernooij.
1677
1678
1679
Samba 4.13.7 03/25/2021 NET(8)