NET(8) System Administration tools NET(8)

net - Tool for administration of Samba and remote CIFS servers.

net {<ads|rap|rpc>} [-h] [-w workgroup] [-W myworkgroup] [-U user]
[-I ip-address] [-p port] [-n myname] [-s conffile] [-S server] [-l]
[-P] [-d debuglevel] [-V] [--request-timeout seconds]

This tool is part of the samba(7) suite.

The Samba net utility is meant to work just like the net utility
available for Windows and DOS. The first argument should be used to
specify the protocol to use when executing a certain command. ADS is
used for Active Directory, RAP is used for old (Win9x/NT3) clients and
RPC can be used for NT4 and Windows 2000. If this argument is omitted,
net will try to determine it automatically. Not all commands are
available on all protocols.

-?|--help
Print a summary of command line options.

-k|--kerberos
Try to authenticate with Kerberos. Only useful in an Active
Directory environment.

-w target-workgroup
Sets target workgroup or domain. You have to specify either this
option or the IP address or the name of a server.

-W workgroup
Sets client workgroup or domain.

-U user
User name to use.

-I ip-address
IP address of target server to use. You have to specify either this
option or a target workgroup or a target server.

-p port
Port on the target server to connect to (usually 139 or 445).
Defaults to trying 445 first, then 139.

-n|--netbiosname <primary NetBIOS name>
This option allows you to override the NetBIOS name that Samba uses
for itself. This is identical to setting the netbios name parameter
in the smb.conf file. However, a command line setting will take
precedence over settings in smb.conf.

-s|--configfile <configuration file>
The file specified contains the configuration details required by
the server. The information in this file includes server-specific
information such as what printcap file to use, as well as
descriptions of all the services that the server is to provide. See
smb.conf for more information. The default configuration file name
is determined at compile time.

-S server
Name of target server. You should specify either this option or a
target workgroup or a target IP address.

-l
When listing data, give more information on each item.

-P
Make queries to the external server using the machine account of
the local server.

--request-timeout 30
Let client requests time out after 30 seconds; the default is 10
seconds.

--no-dns-updates
Do not perform DNS updates as part of "net ads join".

-d|--debuglevel=level
level is an integer from 0 to 10. The default value if this
parameter is not specified is 0.

The higher this value, the more detail will be logged to the log
files about the activities of the server. At level 0, only critical
errors and serious warnings will be logged. Level 1 is a reasonable
level for day-to-day running - it generates a small amount of
information about operations carried out.

Levels above 1 will generate considerable amounts of log data, and
should only be used when investigating a problem. Levels above 3
are designed for use only by developers and generate HUGE amounts
of log data, most of which is extremely cryptic.

Note that specifying this parameter here will override the log
level parameter in the smb.conf file.

CHANGESECRETPW
This command allows the Samba machine account password to be set from
an external application to a machine account password that has already
been stored in Active Directory. DO NOT USE this command unless you
know exactly what you are doing. The use of this command requires that
the force flag (-f) be used also. There will be NO command prompt.
Whatever information is piped into stdin, either by typing at the
command line or otherwise, will be stored as the literal machine
password. Do NOT use this without care and attention as it will
overwrite a legitimate machine password without warning. YOU HAVE BEEN
WARNED.

TIME
The NET TIME command allows you to view the time on a remote server or
synchronise the time on the local server with the time on the remote
server.

TIME
Without any options, the NET TIME command displays the time on the
remote server.

TIME SYSTEM
Displays the time on the remote server in a format ready for /bin/date.

TIME SET
Tries to set the date and time of the local server to that on the
remote server using /bin/date.

TIME ZONE
Displays the timezone in hours from GMT on the remote computer.

[RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]]
[createupn=UPN] [createcomputer=OU] [options]
Join a domain. If the account already exists on the server, and [TYPE]
is MEMBER, the machine will attempt to join automatically (assuming
that the machine has been created in server manager). Otherwise, a
password will be prompted for, and a new account may be created.

[TYPE] may be PDC, BDC or MEMBER to specify the type of server joining
the domain.

[UPN] (ADS only) Set the principalname attribute during the join. The
default format is host/netbiosname@REALM.

[OU] (ADS only) Precreate the computer account in a specific OU. The OU
string reads from top to bottom without RDNs, and is delimited by a
'/'. Please note that '\' is used for escape by both the shell and
ldap, so it may need to be doubled or quadrupled to pass through, and
it is not used as a delimiter.

[RPC] OLDJOIN [options]
Join a domain. Use the OLDJOIN option to join the domain using the old
style of domain joining - you need to create a trust account in server
manager first.

[RPC|ADS] USER
[RPC|ADS] USER
List all users.

[RPC|ADS] USER DELETE target
Delete specified user.

[RPC|ADS] USER INFO target
List the domain groups of the specified user.

[RPC|ADS] USER RENAME oldname newname
Rename specified user.

[RPC|ADS] USER ADD name [password] [-F user flags] [-C comment]
Add specified user.

[RPC|ADS] GROUP
[RPC|ADS] GROUP [misc options] [targets]
List user groups.

[RPC|ADS] GROUP DELETE name [misc. options]
Delete specified group.

[RPC|ADS] GROUP ADD name [-C comment]
Create specified group.

[RAP|RPC] SHARE
[RAP|RPC] SHARE [misc. options] [targets]
Enumerates all exported resources (network shares) on target server.

[RAP|RPC] SHARE ADD name=serverpath [-C comment] [-M maxusers] [targets]
Adds a share from a server (makes the export active). Maxusers
specifies the number of users that can be connected to the share
simultaneously.

SHARE DELETE sharename
Delete specified share.

[RPC|RAP] FILE
[RPC|RAP] FILE
List all open files on remote server.

[RPC|RAP] FILE CLOSE fileid
Close file with specified fileid on remote server.

[RPC|RAP] FILE INFO fileid
Print information on specified fileid. Currently listed are: file-id,
username, locks, path, permissions.

[RAP|RPC] FILE USER user
List files opened by specified user. Please note that net rap file user
does not work against Samba servers.

SESSION
RAP SESSION
Without any other options, SESSION enumerates all active SMB/CIFS
sessions on the target server.

RAP SESSION DELETE|CLOSE CLIENT_NAME
Close the specified sessions.

RAP SESSION INFO CLIENT_NAME
Give a list with all the open files in specified session.

RAP SERVER DOMAIN
List all servers in specified domain or workgroup. Defaults to local
domain.

RAP DOMAIN
Lists all domains and workgroups visible on the current network.

RAP PRINTQ
RAP PRINTQ INFO QUEUE_NAME
Lists the specified print queue and print jobs on the server. If the
QUEUE_NAME is omitted, all queues are listed.

RAP PRINTQ DELETE JOBID
Delete job with specified id.

RAP VALIDATE user [password]
Validate whether the specified user can log in to the remote server. If
the password is not specified on the command line, it will be prompted.

Note
Currently NOT implemented.

RAP GROUPMEMBER
RAP GROUPMEMBER LIST GROUP
List all members of the specified group.

RAP GROUPMEMBER DELETE GROUP USER
Delete member from group.

RAP GROUPMEMBER ADD GROUP USER
Add member to group.

RAP ADMIN command
Execute the specified command on the remote server. Only works with
OS/2 servers.

Note
Currently NOT implemented.

RAP SERVICE
RAP SERVICE START NAME [arguments...]
Start the specified service on the remote server. Not implemented yet.

Note
Currently NOT implemented.

RAP SERVICE STOP
Stop the specified service on the remote server.

Note
Currently NOT implemented.

RAP PASSWORD USER OLDPASS NEWPASS
Change password of USER from OLDPASS to NEWPASS.

LOOKUP
LOOKUP HOST HOSTNAME [TYPE]
Look up the IP address of the given host with the specified type
(netbios suffix). The type defaults to 0x20 (workstation).

LOOKUP LDAP [DOMAIN]
Give IP address of LDAP server of specified DOMAIN. Defaults to local
domain.

LOOKUP KDC [REALM]
Give IP address of KDC for the specified REALM. Defaults to local
realm.

LOOKUP DC [DOMAIN]
Give IPs of Domain Controllers for specified DOMAIN. Defaults to local
domain.

LOOKUP MASTER DOMAIN
Give IP of master browser for specified DOMAIN or workgroup. Defaults
to local domain.

CACHE
Samba uses a general caching interface called 'gencache'. It can be
controlled using 'NET CACHE'.

All the timeout parameters support the suffixes:
    s - Seconds
    m - Minutes
    h - Hours
    d - Days
    w - Weeks

CACHE ADD key data time-out
Add specified key+data to the cache with the given timeout.

CACHE DEL key
Delete key from the cache.

CACHE SET key data time-out
Update data of existing cache entry.

CACHE SEARCH PATTERN
Search for the specified pattern in the cache data.

CACHE LIST
List all current items in the cache.

CACHE FLUSH
Remove all the current items from the cache.

GETLOCALSID [DOMAIN]
Prints the SID of the specified domain, or if the parameter is omitted,
the SID of the local server.

SETLOCALSID S-1-5-21-x-y-z
Sets SID for the local server to the specified SID.

GETDOMAINSID
Prints the local machine SID and the SID of the current domain.

SETDOMAINSID
Sets the SID of the current domain.

GROUPMAP
Manage the mappings between Windows group SIDs and UNIX groups. Common
options include:

· unixgroup - Name of the UNIX group

· ntgroup - Name of the Windows NT group (must be resolvable to a SID)

· rid - Unsigned 32-bit integer

· sid - Full SID in the form of "S-1-..."

· type - Type of the group; either 'domain', 'local', or 'builtin'

· comment - Freeform text description of the group

GROUPMAP ADD
Add a new group mapping entry:

    net groupmap add {rid=int|sid=string} unixgroup=string \
        [type={domain|local}] [ntgroup=string] [comment=string]

GROUPMAP DELETE
Delete a group mapping entry. If more than one group name matches, the
first entry found is deleted.

    net groupmap delete {ntgroup=string|sid=SID}

GROUPMAP MODIFY
Update an existing group entry.

    net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] \
        [comment=string] [type={domain|local}]

GROUPMAP LIST
List existing group mapping entries.

    net groupmap list [verbose] [ntgroup=string] [sid=SID]

MAXRID
Prints out the highest RID currently in use on the local server (by the
active 'passdb backend').

RPC INFO
Print information about the domain of the remote server, such as domain
name, domain sid and number of users and groups.

[RPC|ADS] TESTJOIN
Check whether participation in a domain is still valid.

[RPC|ADS] CHANGETRUSTPW
Force change of domain trust password.

RPC TRUSTDOM
RPC TRUSTDOM ADD DOMAIN
Add an interdomain trust account for DOMAIN. This is in fact a Samba
account named DOMAIN$ with the account flag 'I' (interdomain trust
account). This is required for incoming trusts to work. It makes Samba
be a trusted domain of the foreign (trusting) domain. Users of the
Samba domain will be made available in the foreign domain. If the
command is used against localhost it has the same effect as smbpasswd
-a -i DOMAIN. Please note that both commands expect an appropriate UNIX
account.

RPC TRUSTDOM DEL DOMAIN
Remove interdomain trust account for DOMAIN. If it is used against
localhost it has the same effect as smbpasswd -x DOMAIN$.

RPC TRUSTDOM ESTABLISH DOMAIN
Establish a trust relationship to a trusted domain. Interdomain account
must already be created on the remote PDC. This is required for
outgoing trusts to work. It makes Samba be a trusting domain of a
foreign (trusted) domain. Users of the foreign domain will be made
available in our domain. You'll need winbind and a working idmap config
to make them appear in your system.

RPC TRUSTDOM REVOKE DOMAIN
Abandon relationship to trusted domain.

RPC TRUSTDOM LIST
List all interdomain trust relationships.

RPC TRUST
RPC TRUST CREATE
Create a trust object by calling lsaCreateTrustedDomainEx2. This can be
done on a single server or on two servers at once with the possibility
to use a random trust password.

Options:

otherserver
Domain controller of the second domain

otheruser
Admin user in the second domain

otherdomainsid
SID of the second domain

other_netbios_domain
NetBIOS (short) name of the second domain

otherdomain
DNS (full) name of the second domain

trustpw
Trust password

Examples:

Create a trust object on srv1.dom1.dom for the domain dom2

    net rpc trust create \
        otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
        other_netbios_domain=dom2 \
        otherdomain=dom2.dom \
        trustpw=12345678 \
        -S srv1.dom1.dom

Create a trust relationship between dom1 and dom2

    net rpc trust create \
        otherserver=srv2.dom2.test \
        otheruser=dom2adm \
        -S srv1.dom1.dom

RPC TRUST DELETE
Delete a trust object by calling lsaDeleteTrustedDomain. This can be
done on a single server or on two servers at once.

Options:

otherserver
Domain controller of the second domain

otheruser
Admin user in the second domain

otherdomainsid
SID of the second domain

Examples:

Delete a trust object on srv1.dom1.dom for the domain dom2

    net rpc trust delete \
        otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
        -S srv1.dom1.dom

Delete a trust relationship between dom1 and dom2

    net rpc trust delete \
        otherserver=srv2.dom2.test \
        otheruser=dom2adm \
        -S srv1.dom1.dom

RPC RIGHTS
This subcommand is used to view and manage Samba's rights assignments
(also referred to as privileges). There are three options currently
available: list, grant, and revoke. More details on Samba's privilege
model and its use can be found in the Samba-HOWTO-Collection.

RPC ABORTSHUTDOWN
Abort the shutdown of a remote server.

RPC SHUTDOWN [-t timeout] [-r] [-f] [-C message]
Shut down the remote server.

-r
Reboot after shutdown.

-f
Force shutting down all applications.

-t timeout
Timeout before system will be shut down. An interactive user of the
system can use this time to cancel the shutdown.

-C message
Display the specified message on the screen to announce the
shutdown.

RPC SAMDUMP
Print out sam database of remote server. You need to run this against
the PDC, from a Samba machine joined as a BDC.

RPC VAMPIRE
Export users, aliases and groups from remote server to local server.
You need to run this against the PDC, from a Samba machine joined as a
BDC.

RPC VAMPIRE KEYTAB
Dump remote SAM database to local Kerberos keytab file.

RPC VAMPIRE LDIF
Dump remote SAM database to local LDIF file or standard output.

RPC GETSID
Fetch domain SID and store it in the local secrets.tdb.

ADS LEAVE
Make the remote host leave the domain it is part of.

ADS STATUS
Print out status of machine account of the local machine in ADS. Prints
out quite some debug info. Aimed at developers; regular users should
use NET ADS TESTJOIN.

ADS PRINTER
ADS PRINTER INFO [PRINTER] [SERVER]
Look up info for PRINTER on SERVER. The printer name defaults to "*",
the server name defaults to the local host.

ADS PRINTER PUBLISH PRINTER
Publish specified printer using ADS.

ADS PRINTER REMOVE PRINTER
Remove specified printer from ADS directory.

ADS SEARCH EXPRESSION ATTRIBUTES...
Perform a raw LDAP search on an ADS server and dump the results. The
expression is a standard LDAP search expression, and the attributes are
a list of LDAP fields to show in the results.

Example:

    net ads search '(objectCategory=group)' sAMAccountName

ADS DN DN (attributes)
Perform a raw LDAP search on an ADS server and dump the results. The DN
is a standard LDAP DN, and the attributes are a list of LDAP fields to
show in the result.

Example:

    net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' SAMAccountName

ADS WORKGROUP
Print out workgroup name for specified Kerberos realm.

SAM CREATEBUILTINGROUP <NAME>
(Re)Create a BUILTIN group. Only a well-known set of BUILTIN groups can
be created with this command. This is the list of currently recognized
group names: Administrators, Users, Guests, Power Users, Account
Operators, Server Operators, Print Operators, Backup Operators,
Replicator, RAS Servers, Pre-Windows 2000 compatible Access. This
command requires a running Winbindd with idmap allocation properly
configured. The group gid will be allocated out of the winbindd range.

SAM CREATELOCALGROUP <NAME>
Create a LOCAL group (also known as Alias). This command requires a
running Winbindd with idmap allocation properly configured. The group
gid will be allocated out of the winbindd range.

SAM DELETELOCALGROUP <NAME>
Delete an existing LOCAL group (also known as Alias).

SAM MAPUNIXGROUP <NAME>
Map an existing Unix group and make it a Domain Group, the domain group
will have the same name.

SAM UNMAPUNIXGROUP <NAME>
Remove an existing group mapping entry.

SAM ADDMEM <GROUP> <MEMBER>
Add a member to a Local group. The group can be specified only by name,
the member can be specified by name or SID.

SAM DELMEM <GROUP> <MEMBER>
Remove a member from a Local group. The group and the member must be
specified by name.

SAM LISTMEM <GROUP>
List Local group members. The group must be specified by name.

SAM LIST <users|groups|localgroups|builtin|workstations> [verbose]
List the specified set of accounts by name. If verbose is specified,
the rid and description are also provided for each account.

SAM RIGHTS LIST
List all available privileges.

SAM RIGHTS GRANT <NAME> <PRIVILEGE>
Grant one or more privileges to a user.

SAM RIGHTS REVOKE <NAME> <PRIVILEGE>
Revoke one or more privileges from a user.

SAM SHOW <NAME>
Show the full DOMAIN\NAME, the SID and the type for the corresponding
account.

SAM SET HOMEDIR <NAME> <DIRECTORY>
Set the home directory for a user account.

SAM SET PROFILEPATH <NAME> <PATH>
Set the profile path for a user account.

SAM SET COMMENT <NAME> <COMMENT>
Set the comment for a user or group account.

SAM SET FULLNAME <NAME> <FULL NAME>
Set the full name for a user account.

SAM SET LOGONSCRIPT <NAME> <SCRIPT>
Set the logon script for a user account.

SAM SET HOMEDRIVE <NAME> <DRIVE>
Set the home drive for a user account.

SAM SET WORKSTATIONS <NAME> <WORKSTATIONS>
Set the workstations a user account is allowed to log in from.

SAM SET DISABLE <NAME>
Set the "disabled" flag for a user account.

SAM SET PWNOTREQ <NAME>
Set the "password not required" flag for a user account.

SAM SET AUTOLOCK <NAME>
Set the "autolock" flag for a user account.

SAM SET PWNOEXP <NAME>
Set the "password do not expire" flag for a user account.

SAM SET PWDMUSTCHANGENOW <NAME> [yes|no]
Set or unset the "password must change" flag for a user account.

SAM POLICY LIST
List the available account policies.

SAM POLICY SHOW <account policy>
Show the account policy value.

SAM POLICY SET <account policy> <value>
Set a value for the account policy. Valid values can be: "forever",
"never", "off", or a number.

SAM PROVISION
Only available if ldapsam:editposix is set and winbindd is running.
Properly populates the ldap tree with the basic accounts
(Administrator) and groups (Domain Users, Domain Admins, Domain Guests)
on the ldap tree.

IDMAP DUMP <local tdb file name>
Dumps the mappings contained in the local tdb file specified. This
command is useful to dump only the mappings produced by the idmap_tdb
backend.

IDMAP RESTORE [input file]
Restore the mappings from the specified file or stdin.

IDMAP SECRET <DOMAIN> <secret>
Store a secret for the specified domain, used primarily for domains
that use idmap_ldap as a backend. In this case the secret is used as
the password for the user DN used to bind to the ldap server.

IDMAP DELETE [-f] [--db=<DB>] <ID>
Delete a mapping sid <-> gid or sid <-> uid from the IDMAP database.
The mapping is given by <ID> which may either be a sid: S-x-..., a gid:
"GID number" or a uid: "UID number". Use -f to delete an invalid
partial mapping <ID> -> xx.

Use "smbcontrol all idmap ..." to notify running smbd instances. See
the smbcontrol(1) manpage for details.

IDMAP CHECK [-v] [-r] [-a] [-T] [-f] [-l] [--db=<DB>]
Check and repair the IDMAP database. If no option is given a read only
check of the database is done. Among others an interactive or automatic
repair mode may be chosen with one of the following options:

-r|--repair
Interactive repair mode, ask a lot of questions.

-a|--auto
Noninteractive repair mode, use default answers.

-v|--verbose
Produce more output.

-f|--force
Try to apply changes, even if they do not apply cleanly.

-T|--test
Dry run, show what changes would be made but don't touch anything.

-l|--lock
Lock the database while doing the check.

--db <DB>
Check the specified database.

It reports the following errors:

Missing reverse mapping:
A record with mapping A->B where there is no B->A. Default action
in repair mode is to "fix" this by adding the reverse mapping.

Invalid mapping:
A record with mapping A->B where B->C. Default action is to
"delete" this record.

Missing or invalid HWM:
A high water mark is not at least equal to the largest ID in the
database. Default action is to "fix" this by setting it to the
largest ID found +1.

Invalid record:
Something we failed to parse. Default action is to "edit" it in
interactive and "delete" it in automatic mode.
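
Added example, not part of the original manual page or of Samba: a shell model of the four error classes above, run over constructed key/value records. The tab-separated record layout, the "USER HWM"/"GROUP HWM" record names and both function names are assumptions made for illustration; the script does not read the real database.

```shell
#!/bin/sh
# Constructed sample records, one "key<TAB>value" per line (layout is an
# assumption for this example, not the on-disk idmap format).
sample_idmap_records() {
    printf '%s\t%s\n' \
        'USER HWM'            '1003' \
        'GROUP HWM'           '2001' \
        'S-1-5-21-1-2-3-1000' 'UID 1000' \
        'UID 1000'            'S-1-5-21-1-2-3-1000' \
        'S-1-5-21-1-2-3-1001' 'UID 1001' \
        'S-1-5-21-1-2-3-1002' 'UID 1000' \
        'S-1-5-21-1-2-3-513'  'GID 2005' \
        'GID 2005'            'S-1-5-21-1-2-3-513'
    printf '%s\n' 'garbage-without-tab'
}

# Read records on stdin and print one "class<TAB>detail" line per finding.
classify_idmap_records() {
    awk -F '\t' '
        # Track the largest UID and GID seen in any key or value.
        function note(s) {
            if (s ~ /^UID [0-9]+$/ && substr(s, 5) + 0 > top["USER"])
                top["USER"] = substr(s, 5) + 0
            if (s ~ /^GID [0-9]+$/ && substr(s, 5) + 0 > top["GROUP"])
                top["GROUP"] = substr(s, 5) + 0
        }
        /^$/ { next }
        # Invalid record: anything that is not exactly key<TAB>value.
        NF != 2 || $1 == "" || $2 == "" {
            print "invalid-record\tline " NR; next
        }
        $1 == "USER HWM" || $1 == "GROUP HWM" {
            hwm[substr($1, 1, length($1) - 4)] = $2 + 0; next
        }
        { map[$1] = $2; order[++n] = $1; note($1); note($2) }
        END {
            for (i = 1; i <= n; i++) {
                a = order[i]; b = map[a]
                if (!(b in map))            # A->B with no B->A
                    print "missing-reverse\t" a " -> " b
                else if (map[b] != a)       # A->B where B->C
                    print "invalid-mapping\t" a " -> " b
            }
            split("USER GROUP", kinds, " ")
            for (i = 1; i <= 2; i++) {
                k = kinds[i]
                if (!(k in hwm))
                    print "missing-hwm\t" k
                else if (hwm[k] < top[k] + 0)   # HWM below the largest ID
                    print "invalid-hwm\t" k " HWM " hwm[k] " < largest ID " top[k]
            }
        }
    '
}
```

Run it as `sample_idmap_records | classify_idmap_records`; each finding corresponds to one of the error classes that "net idmap check" reports.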

USERSHARE
Starting with version 3.0.23, a Samba server now supports the ability
for non-root users to add user defined shares to be exported using the
"net usershare" commands.

To set this up, first set up your smb.conf by adding to the [global]
section:

    usershare path = /usr/local/samba/lib/usershares

Next create the directory /usr/local/samba/lib/usershares, change the
owner to root and set the group owner to the UNIX group who should have
the ability to create usershares, for example a group called
"serverops". Set the permissions on /usr/local/samba/lib/usershares to
01770 (owner and group all access, no access for others, plus the
sticky bit, which means that a file in that directory can be renamed or
deleted only by the owner of the file). Finally, tell smbd how many
usershares you will allow by adding to the [global] section of smb.conf
a line such as:

    usershare max shares = 100

to allow 100 usershare definitions. Now, members of the UNIX group
"serverops" can create user defined shares on demand using the commands
below.
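
Added example, not part of the original manual page or of Samba: a shell check of the setup just described. It reads "usershare path" from the [global] section of an smb.conf-format file and verifies the directory's owner, its 1770 mode and a non-zero "usershare max shares". The function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Print the value of parameter $2 in the [global] section of the
# smb.conf-format file $1; exit status 1 if it is not set. Names are
# compared ignoring case and repeated whitespace.
smbconf_global() {
    awk -v want="$2" '
        function norm(s) {
            gsub(/[ \t]+/, " ", s); sub(/^ /, "", s); sub(/ $/, "", s)
            return tolower(s)
        }
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/ {                                # section header
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            inglobal = (norm(sec) == "global"); next
        }
        inglobal && (eq = index($0, "=")) > 0 {
            if (norm(substr($0, 1, eq - 1)) == norm(want)) {
                val = substr($0, eq + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                found = 1
            }
        }
        END { if (!found) exit 1; print val }
    ' "$1"
}

# audit_usershare_setup CONF [OWNER_UID]
# Checks the directory named by "usershare path" in CONF. OWNER_UID defaults
# to 0 (root). Prints one line per finding and returns the number of failed
# checks, so 0 means the setup matches the description.
audit_usershare_setup() {
    conf=$1
    want_uid=${2:-0}
    fails=0

    if ! dir=$(smbconf_global "$conf" "usershare path"); then
        echo "FAIL: 'usershare path' is not set in [global]"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist or is not a directory"
        return 1
    fi

    # GNU stat: %u = owner uid, %G = group name, %a = octal mode.
    uid=$(stat -c %u "$dir")
    mode=$(stat -c %a "$dir")
    group=$(stat -c %G "$dir")

    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $dir is owned by uid $uid, expected $want_uid"
        fails=$((fails + 1))
    fi
    if [ "$mode" != "1770" ]; then
        echo "FAIL: $dir has mode $mode, expected 1770"
        fails=$((fails + 1))
    fi

    max=$(smbconf_global "$conf" "usershare max shares") || max=
    case $max in
        ''|*[!0-9]*)
            echo "FAIL: 'usershare max shares' is not set to a number"
            fails=$((fails + 1)) ;;
        *)
            if [ "$max" -eq 0 ]; then
                echo "FAIL: 'usershare max shares' is 0"
                fails=$((fails + 1))
            fi ;;
    esac

    if [ "$fails" -eq 0 ]; then
        echo "OK: group '$group' may create up to $max usershares in $dir"
    fi
    return "$fails"
}
```

Call it as `audit_usershare_setup /path/to/smb.conf`; the second argument exists only so the check can be exercised against a directory not owned by root.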

The usershare commands are:
    net usershare add sharename path [comment [acl] [guest_ok=[y|n]]] -
        to add or change a user defined share.
    net usershare delete sharename - to delete a user defined share.
    net usershare info [-l|--long] [wildcard sharename] - to print info
        about a user defined share.
    net usershare list [-l|--long] [wildcard sharename] - to list user
        defined shares.

USERSHARE ADD sharename path [comment] [acl] [guest_ok=[y|n]]
Add or replace a new user defined share, with name "sharename".

"path" specifies the absolute pathname on the system to be exported.
Restrictions may be put on this, see the global smb.conf parameters:
"usershare owner only", "usershare prefix allow list", and "usershare
prefix deny list".

The optional "comment" parameter is the comment that will appear on the
share when browsed to by a client.

The optional "acl" field specifies which users have read and write
access to the entire share. Note that guest connections are not allowed
unless the smb.conf parameter "usershare allow guests" has been set.
The definition of a user defined share acl is: "user:permission", where
user is a valid username on the system and permission can be "F", "R",
or "D". "F" stands for "full permissions", i.e. read and write
permissions. "D" stands for "deny" for a user, i.e. prevent this user
from accessing this share. "R" stands for "read only", i.e. only allow
read access to this share (no creation of new files or directories or
writing to files).

The default if no "acl" is given is "Everyone:R", which means any
authenticated user has read-only access.

The optional "guest_ok" has the same effect as the parameter of the
same name in smb.conf, in that it allows guest access to this user
defined share. This parameter is only allowed if the global parameter
"usershare allow guests" has been set to true in the smb.conf.

There is no separate command to modify an existing user defined share,
just use the "net usershare add [sharename]" command using the same
sharename as the one you wish to modify and specify the new options you
wish. The Samba smbd daemon notices user defined share modifications at
connect time so will see the change immediately, there is no need to
restart smbd on adding, deleting or changing a user defined share.

USERSHARE DELETE sharename
Deletes the user defined share by name. The Samba smbd daemon
immediately notices this change, although it will not disconnect any
users currently connected to the deleted share.

USERSHARE INFO [-l|--long] [wildcard sharename]
Get info on user defined shares owned by the current user matching the
given pattern, or all users.

net usershare info on its own dumps out info on the user defined shares
that were created by the current user, or restricts them to share names
that match the given wildcard pattern ('*' matches one or more
characters, '?' matches only one character). If the '-l' or '--long'
option is also given, it prints out info on user defined shares created
by other users.

The information given about a share looks like:

    [foobar]
    path=/home/jeremy
    comment=testme
    usershare_acl=Everyone:F
    guest_ok=n

and is a list of the current settings of the user defined share that
can be modified by the "net usershare add" command.
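
Added example, not part of the original manual page or of Samba: a shell filter for output in the format shown above that reports shares granting "Everyone" full permissions or allowing guest access. The sample input is constructed, both function names are hypothetical, and treating usershare_acl as a comma-separated list of "user:permission" entries is an assumption.

```shell
#!/bin/sh
# Constructed sample in the "net usershare info" format shown above.
sample_usershare_info() {
    cat <<'EOF'
[foobar]
path=/home/jeremy
comment=testme
usershare_acl=Everyone:F
guest_ok=n

[docs]
path=/srv/docs
comment=
usershare_acl=Everyone:R,alice:F,
guest_ok=n

[drop]
path=/srv/drop
comment=
usershare_acl=Everyone:R
guest_ok=y
EOF
}

# Read share definitions on stdin and print "share<TAB>path<TAB>reason"
# for every share that is writable by everyone or open to guests.
flag_open_usershares() {
    awk '
        # Emit findings for the share collected so far, then reset.
        function report(   n, i, e, p, who, perm) {
            if (name == "") return
            n = split(acl, e, ",")              # assumed comma-separated
            for (i = 1; i <= n; i++) {
                p = match(e[i], /:[^:]*$/)      # permission follows last ":"
                if (!p) continue
                who  = tolower(substr(e[i], 1, p - 1))
                perm = toupper(substr(e[i], p + 1))
                if (who == "everyone" && perm == "F")
                    print name "\t" path "\teveryone-full-access"
            }
            if (tolower(guest) == "y")
                print name "\t" path "\tguest-ok"
            name = ""; path = ""; acl = ""; guest = ""
        }
        /^\[.*\]$/        { report(); name = substr($0, 2, length($0) - 2); next }
        /^path=/          { path  = substr($0, 6) }
        /^usershare_acl=/ { acl   = substr($0, 15) }
        /^guest_ok=/      { guest = substr($0, 10) }
        END               { report() }
    '
}
```

On a server, the same filter can be fed from `net usershare info --long` to include shares created by other users.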
841
842 USERSHARE LIST [-l|--long] wildcard sharename
843 List all the user defined shares owned by the current user matching the
844 given pattern, or all users.
845
846 net usershare list on its own list out the names of the user defined
847 shares that were created by the current user, or restricts the list to
848 share names that match the given wildcard pattern ('*' matches one or
849 more characters, '?' matches only one character). If the '-l' or
850 '--long' option is also given, it includes the names of user defined
851 shares created by other users.
852
853 CONF
854 Starting with version 3.2.0, a Samba server can be configured by data
855 stored in registry. This configuration data can be edited with the new
856 "net conf" commands.
857
858 The deployment of this configuration data can be activated in two
859 levels from the smb.conf file: Share definitions from registry are
860 activated by setting registry shares to “yes” in the [global] section
861 and global configuration options are activated by setting include =
862 registry in the [global] section for a mixed configuration or by
863 setting config backend = registry in the [global] section for a
864 registry-only configuration. See the smb.conf(5) manpage for details.
865
866 The conf commands are:
867 net conf list - Dump the complete configuration in smb.conf like
868 format.
869 net conf import - Import configuration from file in smb.conf
870 format.
871 net conf listshares - List the registry shares.
872 net conf drop - Delete the complete configuration from registry.
873 net conf showshare - Show the definition of a registry share.
874 net conf addshare - Create a new registry share.
875 net conf delshare - Delete a registry share.
876 net conf setparm - Store a parameter.
877 net conf getparm - Retrieve the value of a parameter.
878 net conf delparm - Delete a parameter.
879 net conf getincludes - Show the includes of a share definition.
880 net conf setincludes - Set includes for a share.
881 net conf delincludes - Delete includes from a share definition.
882
883 CONF LIST
884 Print the configuration data stored in the registry in a smb.conf-like
885 format to standard output.
886
887 CONF IMPORT [--test|-T] filename [section]
888 This command imports configuration from a file in smb.conf format. If a
889 section encountered in the input file is present in registry, its
890 contents is replaced. Sections of registry configuration that have no
891 counterpart in the input file are not affected. If you want to delete
892 these, you will have to use the "net conf drop" or "net conf delshare"
893 commands. Optionally, a section may be specified to restrict the effect
894 of the import command to that specific section. A test mode is enabled
895 by specifying the parameter "-T" on the commandline. In test mode, no
896 changes are made to the registry, and the resulting configuration is
897 printed to standard output instead.

CONF LISTSHARES
List the names of the shares defined in registry.

CONF DROP
Delete the complete configuration data from registry.

CONF SHOWSHARE sharename
Show the definition of the share or section specified. It is valid to
specify "global" as sharename to retrieve the global configuration
options from registry.

CONF ADDSHARE sharename path [writeable={y|N} [guest_ok={y|N} [comment]]]
Create a new share definition in registry. The sharename and path have
to be given. The share name may not be "global". Optionally, values for
the very common options "writeable", "guest ok" and a "comment" may be
specified. The same result may be obtained by a sequence of "net conf
setparm" commands.

CONF DELSHARE sharename
Delete a share definition from registry.

CONF SETPARM section parameter value
Store a parameter in registry. The section may be global or a
sharename. The section is created if it does not exist yet.

CONF GETPARM section parameter
Show a parameter stored in registry.

CONF DELPARM section parameter
Delete a parameter stored in registry.

CONF GETINCLUDES section
Get the list of includes for the provided section (global or share).

Note that due to the nature of the registry database and the nature of
include directives, the includes need special treatment: Parameters are
stored in registry by the parameter name as valuename, so there is only
ever one instance of a parameter per share. Also, a specific order like
in a text file is not guaranteed. For all real parameters, this is
perfectly ok, but the include directive is rather a meta parameter, for
which, in the smb.conf text file, the place where it is specified
between the other parameters is very important. This can not be
achieved by the simple registry smbconf data model, so there is one
ordered list of includes per share, and this list is evaluated after
all the parameters of the share.

Further note that currently, only files can be included from registry
configuration. In the future, there will be the ability to include
configuration data from other registry keys.
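
Because the include list is evaluated after all parameters of the share, a value stored in the registry can end up overridden by an included file, which matters when reviewing settings such as "guest ok". The following is an added illustration, not Samba code: it assumes that a later setting of a parameter replaces an earlier one and reduces each included file to a flat set of parameters; the file name and values are constructed.

```python
# Added illustration of the include model described above; it does not call
# Samba. Assumption: a later setting of a parameter replaces an earlier one,
# and each included file is reduced to a flat {parameter: value} dict.

def effective_text(entries, files):
    """smb.conf text section: entries are applied in file order, so an
    include takes effect at the position where it is written."""
    eff = {}
    for key, value in entries:
        if key == "include":
            eff.update(files[value])
        else:
            eff[key] = value
    return eff

def effective_registry(params, includes, files):
    """Registry section: one value per parameter name, then the ordered
    include list is evaluated after all parameters of the share."""
    eff = dict(params)
    for name in includes:
        eff.update(files[name])
    return eff

def changed_by_includes(params, includes, files):
    """Registry parameters whose effective value differs from the stored one,
    as {parameter: (stored, effective)}."""
    eff = effective_registry(params, includes, files)
    return {k: (v, eff[k]) for k, v in params.items() if eff[k] != v}

# Constructed sample data; the file name is hypothetical.
FILES = {"/etc/samba/site.conf": {"guest ok": "yes", "read only": "yes"}}
TEXT_SECTION = [("path", "/srv/pub"),
                ("include", "/etc/samba/site.conf"),
                ("guest ok", "no")]          # written after the include
REG_PARAMS = {"path": "/srv/pub", "guest ok": "no"}
REG_INCLUDES = ["/etc/samba/site.conf"]

if __name__ == "__main__":
    print("text file:", effective_text(TEXT_SECTION, FILES)["guest ok"])
    print("registry :",
          effective_registry(REG_PARAMS, REG_INCLUDES, FILES)["guest ok"])
    print("overridden:", changed_by_includes(REG_PARAMS, REG_INCLUDES, FILES))
```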

CONF SETINCLUDES section [filename]+
Set the list of includes for the provided section (global or share) to
the given list of one or more filenames. The filenames may contain the
usual smb.conf macros like %I.

CONF DELINCLUDES section
Delete the list of includes from the provided section (global or
share).

REGISTRY
Manipulate Samba's registry.

The registry commands are:
net registry enumerate - Enumerate registry keys and values.
net registry enumerate_recursive - Enumerate registry key and its subkeys.
net registry createkey - Create a new registry key.
net registry deletekey - Delete a registry key.
net registry deletekey_recursive - Delete a registry key with subkeys.
net registry getvalue - Print a registry value.
net registry getvalueraw - Print a registry value (raw format).
net registry setvalue - Set a new registry value.
net registry increment - Increment a DWORD registry value under a lock.
net registry deletevalue - Delete a registry value.
net registry getsd - Get security descriptor.
net registry getsd_sddl - Get security descriptor in sddl format.
net registry setsd_sddl - Set security descriptor from sddl format string.
net registry import - Import a registration entries (.reg) file.
net registry export - Export a registration entries (.reg) file.
net registry convert - Convert a registration entries (.reg) file.

REGISTRY ENUMERATE key
Enumerate subkeys and values of key.

REGISTRY ENUMERATE_RECURSIVE key
Enumerate values of key and its subkeys.

REGISTRY CREATEKEY key
Create a new key if not yet existing.

REGISTRY DELETEKEY key
Delete the given key and its values from the registry, if it has no
subkeys.

REGISTRY DELETEKEY_RECURSIVE key
Delete the given key and all of its subkeys and values from the
registry.

REGISTRY GETVALUE key name
Output type and actual value of the value name of the given key.

REGISTRY GETVALUERAW key name
Output the actual value of the value name of the given key.

REGISTRY SETVALUE key name type value ...
Set the value name of an existing key. type may be one of sz, multi_sz
or dword. In case of multi_sz, value may be given multiple times.

REGISTRY INCREMENT key name [inc]
Increment the DWORD value name of key by inc while holding a g_lock.
inc defaults to 1.

REGISTRY DELETEVALUE key name
Delete the value name of the given key.

REGISTRY GETSD key
Get the security descriptor of the given key.

REGISTRY GETSD_SDDL key
Get the security descriptor of the given key as a Security Descriptor
Definition Language (SDDL) string.

REGISTRY SETSD_SDDL key sd
Set the security descriptor of the given key from a Security Descriptor
Definition Language (SDDL) string sd.

REGISTRY IMPORT file [opt]
Import a registration entries (.reg) file.

REGISTRY EXPORT key file [opt]
Export a key to a registration entries (.reg) file.

REGISTRY CONVERT in out [[inopt] outopt]
Convert a registration entries (.reg) file in.

EVENTLOG
Starting with version 3.4.0 net can read, dump, import and export
native win32 eventlog files (usually *.evt). evt files are used by the
native Windows eventviewer tools.

The import and export of evt files can only succeed when eventlog list
is used in the smb.conf file. See the smb.conf(5) manpage for details.

The eventlog commands are:
net eventlog dump - Dump an eventlog *.evt file on the screen.
net eventlog import - Import an eventlog *.evt into the samba internal tdb based representation of eventlogs.
net eventlog export - Export the samba internal tdb based representation of eventlogs into an eventlog *.evt file.

EVENTLOG DUMP filename
Prints an eventlog *.evt file to standard output.

EVENTLOG IMPORT filename eventlog
Imports an eventlog *.evt file defined by filename into the samba
internal tdb representation of eventlog defined by eventlog. eventlog
needs to be part of the eventlog list defined in smb.conf. See the
smb.conf(5) manpage for details.

EVENTLOG EXPORT filename eventlog
Exports the samba internal tdb representation of eventlog defined by
eventlog to an eventlog *.evt file defined by filename. eventlog needs
to be part of the eventlog list defined in smb.conf. See the smb.conf(5)
manpage for details.

DOM
Starting with version 3.2.0 Samba has support for remote join and
unjoin APIs, both client and server-side. Windows supports remote join
capabilities since Windows 2000.

In order for Samba to be joined or unjoined remotely an account must be
used that is either a member of the Domain Admins group, a member of the
local Administrators group or a user that is granted the
SeMachineAccountPrivilege privilege.

The client side support for remote join is implemented in the net dom
commands which are:
net dom join - Join a remote computer into a domain.
net dom unjoin - Unjoin a remote computer from a domain.
net dom renamecomputer - Renames a remote computer joined to a domain.

DOM JOIN domain=DOMAIN ou=OU account=ACCOUNT password=PASSWORD reboot
Joins a computer into a domain. This command supports the following
additional parameters:

· DOMAIN can be a NetBIOS domain name (also known as short domain
name) or a DNS domain name for Active Directory Domains. As in
Windows, it is also possible to control which Domain Controller to
use. This can be achieved by appending the DC name using the \
separator character. Example: MYDOM\MYDC. The DOMAIN parameter
cannot be NULL.

· OU can be set to a RFC 1779 LDAP DN, like
ou=mymachines,cn=Users,dc=example,dc=com in order to create the
machine account in a non-default LDAP container. This optional
parameter is only supported when joining Active Directory Domains.

· ACCOUNT defines a domain account that will be used to join the
machine to the domain. This domain account needs to have sufficient
privileges to join machines.

· PASSWORD defines the password for the domain account defined with
ACCOUNT.

· REBOOT is an optional parameter that can be set to reboot the
remote machine after successful join to the domain.

Note that you also need to use standard net parameters to connect and
authenticate to the remote machine that you want to join. These
additional parameters include: -S computer and -U user.

Example: net dom join -S xp -U XP\\administrator%secret domain=MYDOM
account=MYDOM\\administrator password=topsecret reboot.

This example would connect to a computer named XP as the local
administrator using password secret, and join the computer into a
domain called MYDOM using the MYDOM domain administrator account and
password topsecret. After successful join, the computer would reboot.

DOM UNJOIN account=ACCOUNT password=PASSWORD reboot
Unjoins a computer from a domain. This command supports the following
additional parameters:

· ACCOUNT defines a domain account that will be used to unjoin the
machine from the domain. This domain account needs to have
sufficient privileges to unjoin machines.

· PASSWORD defines the password for the domain account defined with
ACCOUNT.

· REBOOT is an optional parameter that can be set to reboot the
remote machine after successful unjoin from the domain.

Note that you also need to use standard net parameters to connect and
authenticate to the remote machine that you want to unjoin. These
additional parameters include: -S computer and -U user.

Example: net dom unjoin -S xp -U XP\\administrator%secret
account=MYDOM\\administrator password=topsecret reboot.

This example would connect to a computer named XP as the local
administrator using password secret, and unjoin the computer from the
domain using the MYDOM domain administrator account and password
topsecret. After successful unjoin, the computer would reboot.

DOM RENAMECOMPUTER newname=NEWNAME account=ACCOUNT password=PASSWORD reboot
Renames a computer that is joined to a domain. This command supports
the following additional parameters:

· NEWNAME defines the new name of the machine in the domain.

· ACCOUNT defines a domain account that will be used to rename the
machine in the domain. This domain account needs to have sufficient
privileges to rename machines.

· PASSWORD defines the password for the domain account defined with
ACCOUNT.

· REBOOT is an optional parameter that can be set to reboot the
remote machine after successful rename in the domain.

Note that you also need to use standard net parameters to connect and
authenticate to the remote machine that you want to rename in the
domain. These additional parameters include: -S computer and -U user.

Example: net dom renamecomputer -S xp -U XP\\administrator%secret
newname=XPNEW account=MYDOM\\administrator password=topsecret reboot.

This example would connect to a computer named XP as the local
administrator using password secret, and rename the joined computer to
XPNEW using the MYDOM domain administrator account and password
topsecret. After successful rename, the computer would reboot.

G_LOCK
Manage global locks.

G_LOCK DO lockname timeout command
Execute a shell command under a global lock. This might be useful to
define the order in which several shell commands will be executed. The
locking information is stored in a file called g_lock.tdb. In setups
with CTDB running, the locking information will be available on all
cluster nodes.

· LOCKNAME defines the name of the global lock.

· TIMEOUT defines the timeout.

· COMMAND defines the shell command to execute.

G_LOCK LOCKS
Print a list of all currently existing locknames.

G_LOCK DUMP lockname
Dump the locking table of a certain global lock.

HELP [COMMAND]
Gives usage information for the specified command.

This man page is complete for version 3 of the Samba suite.

The original Samba software and related utilities were created by
Andrew Tridgell. Samba is now developed by the Samba Team as an Open
Source project similar to the way the Linux kernel is developed.

The net manpage was written by Jelmer Vernooij.

Samba 3.6 04/11/2016 NET(8)