NET(8) System Administration tools NET(8)

NAME
net - Tool for administration of Samba and remote CIFS servers.

SYNOPSIS
net {<ads|rap|rpc>} [-h|--help] [-w|--workgroup workgroup]
[-W|--myworkgroup myworkgroup] [-U|--user user]
[-I|--ipaddress ip-address] [-p|--port port] [-n myname] [-s conffile]
[-S|--server server] [-l|--long] [-v|--verbose] [-f|--force]
[-P|--machine-pass] [-d debuglevel] [-V] [--request-timeout seconds]
[-t|--timeout seconds] [-i|--stdin] [--tallocreport]

DESCRIPTION
This tool is part of the samba(7) suite.

The Samba net utility is meant to work just like the net utility
available for Windows and DOS. The first argument should be used to
specify the protocol to use when executing a certain command. ADS is
used for Active Directory, RAP is used for old (Win9x/NT3) clients and
RPC can be used for NT4 and Windows 2000. If this argument is omitted,
net will try to determine it automatically. Not all commands are
available on all protocols.

OPTIONS
-?|--help
Print a summary of command line options.

-k|--kerberos
Try to authenticate with kerberos. Only useful in an Active
Directory environment.

-w|--workgroup target-workgroup
Sets target workgroup or domain. You have to specify either this
option or the IP address or the name of a server.

-W|--myworkgroup workgroup
Sets client workgroup or domain.

-U|--user user
User name to use.

-I|--ipaddress ip-address
IP address of target server to use. You have to specify either this
option or a target workgroup or a target server.

-p|--port port
Port on the target server to connect to (usually 139 or 445).
Defaults to trying 445 first, then 139.

-n|--netbiosname <primary NetBIOS name>
This option allows you to override the NetBIOS name that Samba uses
for itself. This is identical to setting the netbios name parameter
in the smb.conf file. However, a command line setting will take
precedence over settings in smb.conf.

-S|--server server
Name of target server. You should specify either this option or a
target workgroup or a target IP address.

-l|--long
When listing data, give more information on each item.

-v|--verbose
When listing data, give more verbose information on each item.

-f|--force
Force execution of a net command.

-P|--machine-pass
Make queries to the external server using the machine account of
the local server.

--request-timeout 30
Let client requests time out after 30 seconds; the default is 10
seconds.

-t|--timeout 30
Set timeout for client operations to 30 seconds.

--use-ccache
Try to use the credentials cached by winbind.

-i|--stdin
Take input for net commands from standard input.

--tallocreport
Generate a talloc report while processing a net command.

-T|--test
Only test command sequence, dry-run.

-F|--flags FLAGS
Pass down integer flags to a net subcommand.

-C|--comment COMMENT
Pass down a comment string to a net subcommand.

-n|--myname MYNAME
Use MYNAME as a requester name for a net subcommand.

-c|--container CONTAINER
Use a specific AD container for net ads operations.

-M|--maxusers MAXUSERS
Fill in the maxusers field in net rpc share operations.

-r|--reboot
Reboot a remote machine after a command has been successfully
executed (e.g. in remote join operations).

--force-full-repl
When calling "net rpc vampire keytab" this option enforces a full
re-creation of the generated keytab file.

--single-obj-repl
When calling "net rpc vampire keytab" this option allows one to
replicate just a single object to the generated keytab file.

--clean-old-entries
When calling "net rpc vampire keytab" this option allows one to
clean up old entries from the generated keytab file.

--db
Define dbfile for "net idmap" commands.

--lock
Activates locking of the dbfile for "net idmap check" command.

-a|--auto
Activates noninteractive mode in "net idmap check".

--repair
Activates repair mode in "net idmap check".

--acls
Includes ACLs to be copied in "net rpc share migrate".

--attrs
Includes file attributes to be copied in "net rpc share migrate".

--timestamps
Includes timestamps to be copied in "net rpc share migrate".

-X|--exclude DIRECTORY
Allows one to exclude directories when copying with "net rpc share
migrate".

--destination SERVERNAME
Defines the target servername of migration process (defaults to
localhost).

-L|--local
Sets the type of group mapping to local (used in "net groupmap
set").

-D|--domain
Sets the type of group mapping to domain (used in "net groupmap
set").

-N|--ntname NTNAME
Sets the ntname of a group mapping (used in "net groupmap set").

-R|--rid RID
Sets the rid of a group mapping (used in "net groupmap set").

--reg-version REG_VERSION
Assume database version {n|1,2,3} (used in "net registry check").

-o|--output FILENAME
Output database file (used in "net registry check").

--wipe
Create a new database from scratch (used in "net registry check").

--precheck PRECHECK_DB_FILENAME
Defines filename for database prechecking (used in "net registry
import").

--no-dns-updates
Do not perform DNS updates as part of "net ads join".

-e|--encrypt
This command line parameter requires the remote server support the
UNIX extensions or that the SMB3 protocol has been selected.
Requests that the connection be encrypted. Negotiates SMB
encryption using either SMB3 or POSIX extensions via GSSAPI. Uses
the given credentials for the encryption negotiation (either
kerberos or NTLMv1/v2 if given domain/username/password triple).
Fails the connection if encryption cannot be negotiated.

-d|--debuglevel=level
level is an integer from 0 to 10. The default value if this
parameter is not specified is 1.

The higher this value, the more detail will be logged to the log
files about the activities of the server. At level 0, only critical
errors and serious warnings will be logged. Level 1 is a reasonable
level for day-to-day running - it generates a small amount of
information about operations carried out.

Levels above 1 will generate considerable amounts of log data, and
should only be used when investigating a problem. Levels above 3
are designed for use only by developers and generate HUGE amounts
of log data, most of which is extremely cryptic.

Note that specifying this parameter here will override the log
level parameter in the smb.conf file.

-V|--version
Prints the program version number.

-s|--configfile=<configuration file>
The file specified contains the configuration details required by
the server. The information in this file includes server-specific
information such as what printcap file to use, as well as
descriptions of all the services that the server is to provide. See
smb.conf for more information. The default configuration file name
is determined at compile time.

-l|--log-basename=logdirectory
Base directory name for log/debug files. The extension ".progname"
will be appended (e.g. log.smbclient, log.smbd, etc...). The log
file is never removed by the client.

--option=<name>=<value>
Set the smb.conf(5) option "<name>" to value "<value>" from the
command line. This overrides compiled-in defaults and options read
from the configuration file.

COMMANDS
CHANGESECRETPW
This command allows the Samba machine account password to be set from
an external application to a machine account password that has already
been stored in Active Directory. DO NOT USE this command unless you
know exactly what you are doing. The use of this command requires that
the force flag (-f) be used also. There will be NO command prompt.
Whatever information is piped into stdin, either by typing at the
command line or otherwise, will be stored as the literal machine
password. Do NOT use this without care and attention as it will
overwrite a legitimate machine password without warning. YOU HAVE BEEN
WARNED.

TIME
The NET TIME command allows you to view the time on a remote server or
synchronise the time on the local server with the time on the remote
server.

TIME
Without any options, the NET TIME command displays the time on the
remote server. The remote server must be specified with the -S option.

TIME SYSTEM
Displays the time on the remote server in a format ready for /bin/date.
The remote server must be specified with the -S option.

TIME SET
Tries to set the date and time of the local server to that on the
remote server using /bin/date. The remote server must be specified with
the -S option.

TIME ZONE
Displays the timezone in hours from GMT on the remote server. The
remote server must be specified with the -S option.

[RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]]
[createupn=UPN] [createcomputer=OU] [machinepass=PASS] [osName=string
osVer=string] [options]
Join a domain. If the account already exists on the server, and [TYPE]
is MEMBER, the machine will attempt to join automatically (assuming
that the machine has been created in server manager). Otherwise, a
password will be prompted for, and a new account may be created.

[TYPE] may be PDC, BDC or MEMBER to specify the type of server joining
the domain.

[UPN] (ADS only) Set the principalname attribute during the join. The
default format is host/netbiosname@REALM.

[OU] (ADS only) Precreate the computer account in a specific OU. The OU
string reads from top to bottom without RDNs, and is delimited by a
'/'. Please note that '\' is used for escape by both the shell and
ldap, so it may need to be doubled or quadrupled to pass through, and
it is not used as a delimiter.

[PASS] (ADS only) Set a specific password on the computer account being
created by the join.

[osName=string osVer=String] (ADS only) Set the operatingSystem and
operatingSystemVersion attribute during the join. Both parameters must
be specified for either to take effect.

[RPC] OLDJOIN [options]
Join a domain. Use the OLDJOIN option to join the domain using the old
style of domain joining - you need to create a trust account in server
manager first.

[RPC|ADS] USER
[RPC|ADS] USER
List all users.

[RPC|ADS] USER DELETE target
Delete specified user.

[RPC|ADS] USER INFO target
List the domain groups of the specified user.

[RPC|ADS] USER RENAME oldname newname
Rename specified user.

[RPC|ADS] USER ADD name [password] [-F user flags] [-C comment]
Add specified user.

[RPC|ADS] GROUP
[RPC|ADS] GROUP [misc options] [targets]
List user groups.

[RPC|ADS] GROUP DELETE name [misc. options]
Delete specified group.

[RPC|ADS] GROUP ADD name [-C comment]
Create specified group.

[ADS] LOOKUP
Lookup the closest Domain Controller in our domain and retrieve server
information about it.

[RAP|RPC] SHARE
[RAP|RPC] SHARE [misc. options] [targets]
Enumerates all exported resources (network shares) on target server.

[RAP|RPC] SHARE ADD name=serverpath [-C comment] [-M maxusers] [targets]
Adds a share from a server (makes the export active). Maxusers
specifies the number of users that can be connected to the share
simultaneously.

SHARE DELETE sharename
Delete specified share.

[RPC|RAP] FILE
[RPC|RAP] FILE
List all open files on remote server.

[RPC|RAP] FILE CLOSE fileid
Close file with specified fileid on remote server.

[RPC|RAP] FILE INFO fileid
Print information on specified fileid. Currently listed are: file-id,
username, locks, path, permissions.

[RAP|RPC] FILE USER user
List files opened by specified user. Please note that net rap file user
does not work against Samba servers.

SESSION
RAP SESSION
Without any other options, SESSION enumerates all active SMB/CIFS
sessions on the target server.

RAP SESSION DELETE|CLOSE CLIENT_NAME
Close the specified sessions.

RAP SESSION INFO CLIENT_NAME
Give a list with all the open files in specified session.

RAP SERVER DOMAIN
List all servers in specified domain or workgroup. Defaults to local
domain.

RAP DOMAIN
Lists all domains and workgroups visible on the current network.

RAP PRINTQ
RAP PRINTQ INFO QUEUE_NAME
Lists the specified print queue and print jobs on the server. If the
QUEUE_NAME is omitted, all queues are listed.

RAP PRINTQ DELETE JOBID
Delete job with specified id.

RAP VALIDATE user [password]
Validate whether the specified user can log in to the remote server. If
the password is not specified on the command line, it will be prompted
for.

Note
Currently NOT implemented.

RAP GROUPMEMBER
RAP GROUPMEMBER LIST GROUP
List all members of the specified group.

RAP GROUPMEMBER DELETE GROUP USER
Delete member from group.

RAP GROUPMEMBER ADD GROUP USER
Add member to group.

RAP ADMIN command
Execute the specified command on the remote server. Only works with
OS/2 servers.

Note
Currently NOT implemented.

RAP SERVICE
RAP SERVICE START NAME [arguments...]
Start the specified service on the remote server. Not implemented yet.

Note
Currently NOT implemented.

RAP SERVICE STOP
Stop the specified service on the remote server.

Note
Currently NOT implemented.

RAP PASSWORD USER OLDPASS NEWPASS
Change password of USER from OLDPASS to NEWPASS.

LOOKUP
LOOKUP HOST HOSTNAME [TYPE]
Lookup the IP address of the given host with the specified type
(netbios suffix). The type defaults to 0x20 (workstation).

LOOKUP LDAP [DOMAIN]
Give IP address of LDAP server of specified DOMAIN. Defaults to local
domain.

LOOKUP KDC [REALM]
Give IP address of KDC for the specified REALM. Defaults to local
realm.

LOOKUP DC [DOMAIN]
Give IPs of Domain Controllers for specified DOMAIN. Defaults to local
domain.

LOOKUP MASTER DOMAIN
Give IP of master browser for specified DOMAIN or workgroup. Defaults
to local domain.

CACHE
Samba uses a general caching interface called 'gencache'. It can be
controlled using 'NET CACHE'.

All the timeout parameters support the suffixes:
s - Seconds
m - Minutes
h - Hours
d - Days
w - Weeks

CACHE ADD key data time-out
Add specified key+data to the cache with the given timeout.

CACHE DEL key
Delete key from the cache.

CACHE SET key data time-out
Update data of existing cache entry.

CACHE SEARCH PATTERN
Search for the specified pattern in the cache data.

CACHE LIST
List all current items in the cache.

CACHE FLUSH
Remove all the current items from the cache.

GETLOCALSID [DOMAIN]
Prints the SID of the specified domain, or if the parameter is omitted,
the SID of the local server.

SETLOCALSID S-1-5-21-x-y-z
Sets SID for the local server to the specified SID.

GETDOMAINSID
Prints the local machine SID and the SID of the current domain.

SETDOMAINSID
Sets the SID of the current domain.

GROUPMAP
Manage the mappings between Windows group SIDs and UNIX groups. Common
options include:

· unixgroup - Name of the UNIX group
· ntgroup - Name of the Windows NT group (must be resolvable to a SID)
· rid - Unsigned 32-bit integer
· sid - Full SID in the form of "S-1-..."
· type - Type of the group; either 'domain', 'local', or 'builtin'
· comment - Freeform text description of the group

GROUPMAP ADD
Add a new group mapping entry:

net groupmap add {rid=int|sid=string} unixgroup=string \
    [type={domain|local}] [ntgroup=string] [comment=string]

GROUPMAP DELETE
Delete a group mapping entry. If more than one group name matches, the
first entry found is deleted.

net groupmap delete {ntgroup=string|sid=SID}

GROUPMAP MODIFY
Update an existing group entry.

net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] \
    [comment=string] [type={domain|local}]

GROUPMAP LIST
List existing group mapping entries.

net groupmap list [verbose] [ntgroup=string] [sid=SID]

MAXRID
Prints out the highest RID currently in use on the local server (by the
active 'passdb backend').

RPC INFO
Print information about the domain of the remote server, such as domain
name, domain sid and number of users and groups.

[RPC|ADS] TESTJOIN
Check whether participation in a domain is still valid.

[RPC|ADS] CHANGETRUSTPW
Force change of domain trust password.

RPC TRUSTDOM
RPC TRUSTDOM ADD DOMAIN
Add an interdomain trust account for DOMAIN. This is in fact a Samba
account named DOMAIN$ with the account flag 'I' (interdomain trust
account). This is required for incoming trusts to work. It makes Samba
be a trusted domain of the foreign (trusting) domain. Users of the
Samba domain will be made available in the foreign domain. If the
command is used against localhost it has the same effect as smbpasswd
-a -i DOMAIN. Please note that both commands expect an appropriate UNIX
account.

RPC TRUSTDOM DEL DOMAIN
Remove interdomain trust account for DOMAIN. If it is used against
localhost it has the same effect as smbpasswd -x DOMAIN$.

RPC TRUSTDOM ESTABLISH DOMAIN
Establish a trust relationship to a trusted domain. Interdomain account
must already be created on the remote PDC. This is required for
outgoing trusts to work. It makes Samba be a trusting domain of a
foreign (trusted) domain. Users of the foreign domain will be made
available in our domain. You'll need winbind and a working idmap config
to make them appear in your system.

RPC TRUSTDOM REVOKE DOMAIN
Abandon relationship to trusted domain.

RPC TRUSTDOM LIST
List all interdomain trust relationships.

RPC TRUST
RPC TRUST CREATE
Create a trust object by calling lsaCreateTrustedDomainEx2. This can be
done on a single server or on two servers at once with the possibility
to use a random trust password.

Options:

otherserver
Domain controller of the second domain

otheruser
Admin user in the second domain

otherdomainsid
SID of the second domain

other_netbios_domain
NetBIOS (short) name of the second domain

otherdomain
DNS (full) name of the second domain

trustpw
Trust password

Examples:

Create a trust object on srv1.dom1.dom for the domain dom2

net rpc trust create \
    otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
    other_netbios_domain=dom2 \
    otherdomain=dom2.dom \
    trustpw=12345678 \
    -S srv1.dom1.dom

Create a trust relationship between dom1 and dom2

net rpc trust create \
    otherserver=srv2.dom2.test \
    otheruser=dom2adm \
    -S srv1.dom1.dom

RPC TRUST DELETE
Delete a trust object by calling lsaDeleteTrustedDomain. This can be
done on a single server or on two servers at once.

Options:

otherserver
Domain controller of the second domain

otheruser
Admin user in the second domain

otherdomainsid
SID of the second domain

Examples:

Delete a trust object on srv1.dom1.dom for the domain dom2

net rpc trust delete \
    otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
    -S srv1.dom1.dom

Delete a trust relationship between dom1 and dom2

net rpc trust delete \
    otherserver=srv2.dom2.test \
    otheruser=dom2adm \
    -S srv1.dom1.dom

RPC RIGHTS
This subcommand is used to view and manage Samba's rights assignments
(also referred to as privileges). There are three options currently
available: list, grant, and revoke. More details on Samba's privilege
model and its use can be found in the Samba-HOWTO-Collection.

RPC ABORTSHUTDOWN
Abort the shutdown of a remote server.

RPC SHUTDOWN [-t timeout] [-r] [-f] [-C message]
Shut down the remote server.

-r
Reboot after shutdown.

-f
Force shutting down all applications.

-t timeout
Timeout before system will be shut down. An interactive user of the
system can use this time to cancel the shutdown.

-C message
Display the specified message on the screen to announce the
shutdown.

RPC SAMDUMP
Print out sam database of remote server. You need to run this against
the PDC, from a Samba machine joined as a BDC.

RPC VAMPIRE
Export users, aliases and groups from remote server to local server.
You need to run this against the PDC, from a Samba machine joined as a
BDC. This vampire command cannot be used against an Active Directory,
only against an NT4 Domain Controller.

RPC VAMPIRE KEYTAB
Dump remote SAM database to local Kerberos keytab file.

RPC VAMPIRE LDIF
Dump remote SAM database to local LDIF file or standard output.

RPC GETSID
Fetch domain SID and store it in the local secrets.tdb.

ADS LEAVE
Make the remote host leave the domain it is part of.

ADS STATUS
Print out status of machine account of the local machine in ADS. Prints
out quite a lot of debug info. Aimed at developers; regular users should
use NET ADS TESTJOIN.

ADS PRINTER
ADS PRINTER INFO [PRINTER] [SERVER]
Lookup info for PRINTER on SERVER. The printer name defaults to "*",
the server name defaults to the local host.

ADS PRINTER PUBLISH PRINTER
Publish specified printer using ADS.

ADS PRINTER REMOVE PRINTER
Remove specified printer from ADS directory.

ADS SEARCH EXPRESSION ATTRIBUTES...
Perform a raw LDAP search on an ADS server and dump the results. The
expression is a standard LDAP search expression, and the attributes are
a list of LDAP fields to show in the results.

Example: net ads search '(objectCategory=group)' sAMAccountName

ADS DN DN (attributes)
Perform a raw LDAP search on an ADS server and dump the results. The DN
is a standard LDAP DN, and the attributes are a list of LDAP fields to
show in the result.

Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' SAMAccountName

ADS KEYTAB CREATE
Creates a new keytab file if one doesn't exist with default entries.
Default entries are kerberos principals created from the machinename of
the client, the UPN (if it exists) and any Windows SPN(s) associated
with the computer AD account for the client. If a keytab file already
exists then only missing kerberos principals from the default entries
are added. No changes are made to the computer AD account.

ADS KEYTAB ADD (principal | machine | serviceclass | windows SPN)
Adds a new keytab entry. The entry can be one of:

kerberos principal
A kerberos principal (identified by the presence of '@') is just
added to the keytab file.

machinename
A machinename (identified by the trailing '$') is used to create a
kerberos principal 'machinename@realm' which is added to the
keytab file.

serviceclass
A serviceclass (such as 'cifs', 'html' etc.) is used to create a
pair of kerberos principals
'serviceclass/fully_qualified_dns_name@realm' &
'serviceclass/netbios_name@realm' which are added to the keytab
file.

Windows SPN
A Windows SPN is of the format 'serviceclass/host:port', it is used
to create a kerberos principal 'serviceclass/host@realm' which will
be written to the keytab file.

Unlike old versions, no computer AD objects are modified by this
command. To preserve the behaviour of older clients, 'net ads keytab
add_update_ads' is available.

ADS KEYTAB ADD_UPDATE_ADS (principal | machine | serviceclass | windows SPN)
Adds a new keytab entry (see section for net ads keytab add). In
addition to adding entries to the keytab file, corresponding Windows
SPNs are created from the entry passed to this command. These SPN(s)
are added to the AD computer account object associated with the client
machine running this command for the following entry types:

serviceclass
A serviceclass (such as 'cifs', 'html' etc.) is used to create a
pair of Windows SPN(s) 'param/full_qualified_dns' &
'param/netbios_name' which are added to the AD computer account
object for this client.

Windows SPN
A Windows SPN is of the format 'serviceclass/host:port', it is
added as passed to the AD computer account object for this client.

ADS setspn SETSPN LIST [machine]
Lists the Windows SPNs stored in the 'machine' Windows AD Computer
object. If 'machine' is not specified then computer account for this
client is used instead.

ADS setspn SETSPN ADD SPN [machine]
Adds the specified Windows SPN to the 'machine' Windows AD Computer
object. If 'machine' is not specified then computer account for this
client is used instead.

ADS setspn SETSPN DELETE SPN [machine]
Deletes the specified Windows SPN from the 'machine' Windows AD Computer
object. If 'machine' is not specified then computer account for this
client is used instead.

ADS WORKGROUP
Print out workgroup name for specified kerberos realm.

ADS ENCTYPES
List, modify or delete the value of the "msDS-SupportedEncryptionTypes"
attribute of an account in AD.

This attribute allows one to control which Kerberos encryption types
are used for the generation of initial and service tickets. The value
consists of an integer bitmask with the following values:

0x00000001 DES-CBC-CRC
0x00000002 DES-CBC-MD5
0x00000004 RC4-HMAC
0x00000008 AES128-CTS-HMAC-SHA1-96
0x00000010 AES256-CTS-HMAC-SHA1-96

ADS ENCTYPES LIST <ACCOUNTNAME>
List the value of the "msDS-SupportedEncryptionTypes" attribute of a
given account.

Example: net ads enctypes list Computername

ADS ENCTYPES SET <ACCOUNTNAME> [enctypes]
Set the value of the "msDS-SupportedEncryptionTypes" attribute of the
LDAP object of ACCOUNTNAME to a given value. If the value is omitted,
the value is set to 31 which enables all the currently supported
encryption types.

Example: net ads enctypes set Computername 24
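
Added example (not part of the Samba documentation): a POSIX shell helper that decodes an msDS-SupportedEncryptionTypes value with the bitmask table above and reports accounts that still allow DES or RC4, showing why the default of 31 and the example value 24 differ. Treating the DES and RC4 bits as weak is this example's policy assumption; the function names and the sample inventory are constructed for illustration.

```sh
#!/bin/sh
# Added example, not Samba code. Bit values come from the table on this page.
# Policy assumption of this example: DES and RC4 bits count as weak.

ENC_WEAK=7      # 0x01 DES-CBC-CRC | 0x02 DES-CBC-MD5 | 0x04 RC4-HMAC
ENC_AES=24      # 0x08 AES128-CTS-HMAC-SHA1-96 | 0x10 AES256-CTS-HMAC-SHA1-96
ENC_KNOWN=31    # every bit listed on this page

# normalize_enctypes VALUE
# Accepts decimal ("24") or hex ("0x18") and prints the decimal value.
# Returns 1 for anything else, so shell arithmetic never sees raw input.
normalize_enctypes() {
    case "$1" in
        0[xX]*)
            hex=${1#0[xX]}
            case "$hex" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
            echo $((0x$hex)) ;;
        ''|*[!0-9]*)
            return 1 ;;
        *)
            dec=$1
            # Strip leading zeros so "024" is not read as octal.
            while [ "${#dec}" -gt 1 ] && [ "${dec#0}" != "$dec" ]; do
                dec=${dec#0}
            done
            echo "$dec" ;;
    esac
}

# decode_enctypes VALUE
# Prints the comma-separated enctype names whose bits are set ("none" for 0).
decode_enctypes() {
    v=$(normalize_enctypes "$1") || return 1
    out=
    for pair in 1:DES-CBC-CRC 2:DES-CBC-MD5 4:RC4-HMAC \
                8:AES128-CTS-HMAC-SHA1-96 16:AES256-CTS-HMAC-SHA1-96; do
        bit=${pair%%:*}
        name=${pair#*:}
        if [ $((v & bit)) -ne 0 ]; then out="${out:+$out,}$name"; fi
    done
    # Bits this page does not define are reported, not silently dropped.
    extra=$((v & ~ENC_KNOWN))
    if [ "$extra" -ne 0 ]; then out="${out:+$out,}undefined-bits:$extra"; fi
    echo "${out:-none}"
}

# strip_weak VALUE
# Prints VALUE with the DES and RC4 bits cleared.
strip_weak() {
    v=$(normalize_enctypes "$1") || return 1
    echo $((v & ~ENC_WEAK))
}

# audit_enctypes ACCOUNT VALUE
# Prints one finding line. Returns 0 = no weak type set,
# 1 = weak type enabled, 2 = value not parseable.
audit_enctypes() {
    v=$(normalize_enctypes "$2") || { echo "$1: INVALID '$2'"; return 2; }
    if [ $((v & ENC_WEAK)) -eq 0 ]; then
        echo "$1: OK ($(decode_enctypes "$v"))"
        return 0
    fi
    fixed=$((v & ~ENC_WEAK))
    msg="$1: WEAK ($(decode_enctypes $((v & ENC_WEAK)))), without them: $fixed"
    if [ $((fixed & ENC_AES)) -eq 0 ]; then msg="$msg (no AES type left)"; fi
    echo "$msg"
    return 1
}

# Constructed sample inventory: "account value" pairs, not real data.
demo() {
    while read -r acct val; do
        audit_enctypes "$acct" "$val" || true
    done <<'EOF'
FILESRV1$ 31
WEB01$ 0x1c
DB02$ 24
LEGACY$ 3
EOF
}
demo
```

An account reported with "no AES type left" needs an AES bit added before the weak bits are cleared, not just a masked value.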

ADS ENCTYPES DELETE <ACCOUNTNAME>
Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP
object of ACCOUNTNAME.

Example: net ads enctypes delete Computername

SAM CREATEBUILTINGROUP <NAME>
(Re)Create a BUILTIN group. Only a well-known set of BUILTIN groups can
be created with this command. This is the list of currently recognized
group names: Administrators, Users, Guests, Power Users, Account
Operators, Server Operators, Print Operators, Backup Operators,
Replicator, RAS Servers, Pre-Windows 2000 compatible Access. This
command requires a running Winbindd with idmap allocation properly
configured. The group gid will be allocated out of the winbindd range.

SAM CREATELOCALGROUP <NAME>
Create a LOCAL group (also known as Alias). This command requires a
running Winbindd with idmap allocation properly configured. The group
gid will be allocated out of the winbindd range.

SAM DELETELOCALGROUP <NAME>
Delete an existing LOCAL group (also known as Alias).

SAM MAPUNIXGROUP <NAME>
Map an existing Unix group and make it a Domain Group, the domain group
will have the same name.

SAM UNMAPUNIXGROUP <NAME>
Remove an existing group mapping entry.

SAM ADDMEM <GROUP> <MEMBER>
Add a member to a Local group. The group can be specified only by name,
the member can be specified by name or SID.

SAM DELMEM <GROUP> <MEMBER>
Remove a member from a Local group. The group and the member must be
specified by name.

SAM LISTMEM <GROUP>
List Local group members. The group must be specified by name.

SAM LIST <users|groups|localgroups|builtin|workstations> [verbose]
List the specified set of accounts by name. If verbose is specified,
the rid and description are also provided for each account.

SAM RIGHTS LIST
List all available privileges.

SAM RIGHTS GRANT <NAME> <PRIVILEGE>
Grant one or more privileges to a user.

SAM RIGHTS REVOKE <NAME> <PRIVILEGE>
Revoke one or more privileges from a user.

SAM SHOW <NAME>
Show the full DOMAIN\\NAME, the SID and the type for the corresponding
account.

SAM SET HOMEDIR <NAME> <DIRECTORY>
Set the home directory for a user account.

SAM SET PROFILEPATH <NAME> <PATH>
Set the profile path for a user account.

SAM SET COMMENT <NAME> <COMMENT>
Set the comment for a user or group account.

SAM SET FULLNAME <NAME> <FULL NAME>
Set the full name for a user account.

SAM SET LOGONSCRIPT <NAME> <SCRIPT>
Set the logon script for a user account.

SAM SET HOMEDRIVE <NAME> <DRIVE>
Set the home drive for a user account.

SAM SET WORKSTATIONS <NAME> <WORKSTATIONS>
Set the workstations a user account is allowed to log in from.

SAM SET DISABLE <NAME>
Set the "disabled" flag for a user account.

SAM SET PWNOTREQ <NAME>
Set the "password not required" flag for a user account.

SAM SET AUTOLOCK <NAME>
Set the "autolock" flag for a user account.

SAM SET PWNOEXP <NAME>
Set the "password do not expire" flag for a user account.

SAM SET PWDMUSTCHANGENOW <NAME> [yes|no]
Set or unset the "password must change" flag for a user account.

SAM POLICY LIST
List the available account policies.

SAM POLICY SHOW <account policy>
Show the account policy value.

SAM POLICY SET <account policy> <value>
Set a value for the account policy. Valid values can be: "forever",
"never", "off", or a number.

SAM PROVISION
Only available if ldapsam:editposix is set and winbindd is running.
Properly populates the ldap tree with the basic accounts
(Administrator) and groups (Domain Users, Domain Admins, Domain Guests)
on the ldap tree.

IDMAP DUMP <local tdb file name>
943 Dumps the mappings contained in the local tdb file specified. This
944 command is useful to dump only the mappings produced by the idmap_tdb
945 backend.
946
947 IDMAP RESTORE [input file]
948 Restore the mappings from the specified file or stdin.
949
950 IDMAP SET SECRET <DOMAIN> <secret>
951 Store a secret for the specified domain, used primarily for domains
952 that use idmap_ldap as a backend. In this case the secret is used as
953 the password for the user DN used to bind to the ldap server.
954
955 IDMAP SET RANGE <RANGE> <SID> [index] [--db=<DB>]
956 Store a domain-range mapping for a given domain (and index) in autorid
957 database.
958
959 IDMAP SET CONFIG <config> [--db=<DB>]
960 Update CONFIG entry in autorid database.
961
962 IDMAP GET RANGE <SID> [index] [--db=<DB>]
963 Get the range for a given domain and index from autorid database.
964
965 IDMAP GET RANGES [<SID>] [--db=<DB>]
966 Get ranges for all domains or for one identified by given SID.
967
968 IDMAP GET CONFIG [--db=<DB>]
969 Get CONFIG entry from autorid database.
970
971 IDMAP DELETE MAPPING [-f] [--db=<DB>] <ID>
972 Delete a mapping sid <-> gid or sid <-> uid from the IDMAP database.
973 The mapping is given by <ID> which may either be a sid: S-x-..., a gid:
974 "GID number" or a uid: "UID number". Use -f to delete an invalid
975 partial mapping <ID> -> xx
976
977 Use "smbcontrol all idmap ..." to notify running smbd instances. See
978 the smbcontrol(1) manpage for details.
979
980 IDMAP DELETE RANGE [-f] [--db=<TDB>] <RANGE>|(<SID> [<INDEX>])
981 Delete a domain range mapping identified by 'RANGE' or "domain SID and
982 INDEX" from autorid database. Use -f to delete invalid mappings.
983
984 IDMAP DELETE RANGES [-f] [--db=<TDB>] <SID>
985 Delete all domain range mappings for a domain identified by SID. Use -f
986 to delete invalid mappings.
987
IDMAP CHECK [-v] [-r] [-a] [-T] [-f] [-l] [--db=<DB>]
Check and repair the IDMAP database. If no option is given, a read-only
check of the database is done. Among others, an interactive or automatic
repair mode may be chosen with one of the following options:

-r|--repair
Interactive repair mode, ask a lot of questions.

-a|--auto
Noninteractive repair mode, use default answers.

-v|--verbose
Produce more output.

-f|--force
Try to apply changes, even if they do not apply cleanly.

-T|--test
Dry run, show what changes would be made but don't touch anything.

-l|--lock
Lock the database while doing the check.

--db <DB>
Check the specified database.

It reports the following errors:

Missing reverse mapping:
A record with mapping A->B where there is no B->A. Default action
in repair mode is to "fix" this by adding the reverse mapping.

Invalid mapping:
A record with mapping A->B where B->C. Default action is to
"delete" this record.

Missing or invalid HWM:
A high water mark is not at least equal to the largest ID in the
database. Default action is to "fix" this by setting it to the
largest ID found +1.

Invalid record:
Something we failed to parse. Default action is to "edit" it in
interactive and "delete" it in automatic mode.

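Added example (not Samba's code): the four error classes above applied to an
in-memory model of an idmap database. The record layout (SID to "UID n"/"GID n"
and back, plus USER HWM and GROUP HWM counters), the sample data and the
function name are assumptions of this example.

```python
import re

# Constructed sample. Assumed layout: every mapping is stored twice
# (SID -> "UID n"/"GID n" and back) next to two high-water-mark counters.
SAMPLE_DB = {
    "USER HWM": 10002,
    "GROUP HWM": 20001,
    "S-1-5-21-1-2-3-1000": "UID 10000",
    "UID 10000": "S-1-5-21-1-2-3-1000",
    "S-1-5-21-1-2-3-1001": "UID 10001",   # no "UID 10001" record
    "S-1-5-21-1-2-3-1002": "UID 10000",   # UID 10000 points back to ...-1000
    "GID 20005": "S-1-5-21-1-2-3-513",    # larger than GROUP HWM
    "S-1-5-21-1-2-3-513": "GID 20005",
    "garbage": "???",                     # cannot be parsed
}

SID_RE = re.compile(r"^S-\d+(-\d+)+$")
ID_RE = re.compile(r"^(UID|GID) (\d+)$")
HWM_KEYS = {"USER HWM": "UID", "GROUP HWM": "GID"}


def check_idmap(db):
    """Read-only check: return sorted (error class, key, default action).

    The action is the documented default of the automatic repair mode.
    """
    findings = []
    largest = {"UID": -1, "GID": -1}
    for key, val in db.items():
        if key in HWM_KEYS:
            continue
        key_is_sid = bool(SID_RE.match(key))
        val_is_sid = isinstance(val, str) and bool(SID_RE.match(val))
        key_ok = key_is_sid or bool(ID_RE.match(key))
        val_ok = val_is_sid or (isinstance(val, str) and bool(ID_RE.match(val)))
        # A parsable record maps a SID to an ID or an ID to a SID.
        if not key_ok or not val_ok or key_is_sid == val_is_sid:
            findings.append(("invalid record", key, "delete"))
            continue
        for side in (key, val):
            m = ID_RE.match(side)
            if m:
                kind, number = m.group(1), int(m.group(2))
                largest[kind] = max(largest[kind], number)
        back = db.get(val)
        if back is None:                  # A->B without B->A
            findings.append(("missing reverse mapping", key, "fix"))
        elif back != key:                 # A->B but B->C
            findings.append(("invalid mapping", key, "delete"))
    for hwm_key, kind in HWM_KEYS.items():
        hwm = db.get(hwm_key)
        if not isinstance(hwm, int) or hwm < largest[kind]:
            action = "fix: set to %d" % (largest[kind] + 1)
            findings.append(("missing or invalid HWM", hwm_key, action))
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_idmap(SAMPLE_DB):
        print(finding)
```
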
USERSHARE
Starting with version 3.0.23, a Samba server supports the ability
for non-root users to add user defined shares to be exported using the
"net usershare" commands.

To set this up, first set up your smb.conf by adding to the [global]
section:

    usershare path = /usr/local/samba/lib/usershares

Next create the directory /usr/local/samba/lib/usershares, change the
owner to root and set the group owner to the UNIX group that should have
the ability to create usershares, for example a group called
"serverops". Set the permissions on /usr/local/samba/lib/usershares to
01770 (owner and group all access, no access for others, plus the sticky
bit, which means that a file in that directory can be renamed or deleted
only by the owner of the file). Finally, tell smbd how many usershares
you will allow by adding to the [global] section of smb.conf a line such
as:

    usershare max shares = 100

to allow 100 usershare definitions. Now, members of the UNIX group
"serverops" can create user defined shares on demand using the commands
below.

The usershare commands are:
    net usershare add sharename path [comment [acl] [guest_ok=[y|n]]] -
        to add or change a user defined share.
    net usershare delete sharename - to delete a user defined share.
    net usershare info [-l|--long] [wildcard sharename] - to print info
        about a user defined share.
    net usershare list [-l|--long] [wildcard sharename] - to list user
        defined shares.

USERSHARE ADD sharename path [comment] [acl] [guest_ok=[y|n]]
Add or replace a new user defined share, with name "sharename".

"path" specifies the absolute pathname on the system to be exported.
Restrictions may be put on this, see the global smb.conf parameters:
"usershare owner only", "usershare prefix allow list", and "usershare
prefix deny list".

The optional "comment" parameter is the comment that will appear on the
share when browsed to by a client.

The optional "acl" field specifies which users have read and write
access to the entire share. Note that guest connections are not allowed
unless the smb.conf parameter "usershare allow guests" has been set.
The definition of a user defined share acl is: "user:permission", where
user is a valid username on the system and permission can be "F", "R",
or "D". "F" stands for "full permissions", i.e. read and write
permissions. "D" stands for "deny" for a user, i.e. prevent this user
from accessing this share. "R" stands for "read only", i.e. only allow
read access to this share (no creation of new files or directories or
writing to files).

The default if no "acl" is given is "Everyone:R", which means any
authenticated user has read-only access.

The optional "guest_ok" has the same effect as the parameter of the
same name in smb.conf, in that it allows guest access to this user
defined share. This parameter is only allowed if the global parameter
"usershare allow guests" has been set to true in the smb.conf.

There is no separate command to modify an existing user defined share;
just use the "net usershare add [sharename]" command using the same
sharename as the one you wish to modify and specify the new options you
wish. The Samba smbd daemon notices user defined share modifications at
connect time, so it will see the change immediately; there is no need to
restart smbd on adding, deleting or changing a user defined share.

USERSHARE DELETE sharename
Deletes the user defined share by name. The Samba smbd daemon
immediately notices this change, although it will not disconnect any
users currently connected to the deleted share.

USERSHARE INFO [-l|--long] [wildcard sharename]
Get info on user defined shares owned by the current user matching the
given pattern, or all users.

net usershare info on its own dumps out info on the user defined shares
that were created by the current user, or restricts them to share names
that match the given wildcard pattern ('*' matches one or more
characters, '?' matches only one character). If the '-l' or '--long'
option is also given, it prints out info on user defined shares created
by other users.

The information given about a share looks like:

    [foobar]
    path=/home/jeremy
    comment=testme
    usershare_acl=Everyone:F
    guest_ok=n

and is a list of the current settings of the user defined share that
can be modified by the "net usershare add" command.

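Added example (not part of the Samba documentation): a Python audit of usershare
definitions in the layout shown above, plus a check of the usershare directory
against the documented root-owned, mode 01770 setup. Comma-separated ACL
entries, the second sample share and all function names are assumptions of this
example.

```python
import stat

# Constructed sample in the layout this page gives for "net usershare info".
SAMPLE_INFO = """\
[foobar]
path=/home/jeremy
comment=testme
usershare_acl=Everyone:F
guest_ok=n

[scans]
path=/srv/scans
comment=
usershare_acl=Everyone:R,alice:F,bob:D
guest_ok=y
"""

PERMISSIONS = {"F": "full", "R": "read only", "D": "deny"}


def parse_usershare_info(text):
    """Parse [name] / key=value blocks into {share: {key: value}}."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key] = value
    return shares


def parse_acl(acl):
    """Split "user:permission" entries; an empty acl means Everyone:R."""
    entries = []
    for item in (acl or "Everyone:R").split(","):
        user, _, perm = item.strip().rpartition(":")
        if not user or perm not in PERMISSIONS:
            raise ValueError("bad usershare acl entry: %r" % item)
        entries.append((user, perm))
    return entries


def audit_shares(shares):
    """Flag shares that are writable by everyone or open to guests."""
    findings = []
    for name, cfg in sorted(shares.items()):
        for user, perm in parse_acl(cfg.get("usershare_acl", "")):
            if user.lower() == "everyone" and perm == "F":
                findings.append((name, "Everyone has full access"))
        if cfg.get("guest_ok", "n").lower() == "y":
            findings.append((name, "guest access enabled"))
    return findings


def usershare_dir_findings(st_mode, st_uid):
    """Compare os.stat() fields of the usershare path with root / 01770."""
    findings = []
    if st_uid != 0:
        findings.append("owner is not root")
    if not stat.S_ISDIR(st_mode):
        findings.append("not a directory")
    perms = stat.S_IMODE(st_mode)
    if not perms & stat.S_ISVTX:
        findings.append("sticky bit missing")
    if perms & 0o007:
        findings.append("accessible by others")
    if perms & 0o770 != 0o770:
        findings.append("owner or group lacks full access")
    return findings


if __name__ == "__main__":
    print(audit_shares(parse_usershare_info(SAMPLE_INFO)))
```
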
USERSHARE LIST [-l|--long] wildcard sharename
List all the user defined shares owned by the current user matching the
given pattern, or all users.

net usershare list on its own lists out the names of the user defined
shares that were created by the current user, or restricts the list to
share names that match the given wildcard pattern ('*' matches one or
more characters, '?' matches only one character). If the '-l' or
'--long' option is also given, it includes the names of user defined
shares created by other users.

[RPC] CONF
Starting with version 3.2.0, a Samba server can be configured by data
stored in registry. This configuration data can be edited with the new
"net conf" commands. There is also the possibility to configure a
remote Samba server by enabling the RPC conf mode and specifying the
address of the remote server.

The deployment of this configuration data can be activated in two
levels from the smb.conf file: Share definitions from registry are
activated by setting registry shares to “yes” in the [global] section,
and global configuration options are activated by setting include =
registry in the [global] section for a mixed configuration or by
setting config backend = registry in the [global] section for a
registry-only configuration. See the smb.conf(5) manpage for details.

The conf commands are:
    net [rpc] conf list - Dump the complete configuration in
        smb.conf-like format.
    net [rpc] conf import - Import configuration from file in smb.conf
        format.
    net [rpc] conf listshares - List the registry shares.
    net [rpc] conf drop - Delete the complete configuration from
        registry.
    net [rpc] conf showshare - Show the definition of a registry share.
    net [rpc] conf addshare - Create a new registry share.
    net [rpc] conf delshare - Delete a registry share.
    net [rpc] conf setparm - Store a parameter.
    net [rpc] conf getparm - Retrieve the value of a parameter.
    net [rpc] conf delparm - Delete a parameter.
    net [rpc] conf getincludes - Show the includes of a share
        definition.
    net [rpc] conf setincludes - Set includes for a share.
    net [rpc] conf delincludes - Delete includes from a share
        definition.

[RPC] CONF LIST
Print the configuration data stored in the registry in a smb.conf-like
format to standard output.

[RPC] CONF IMPORT [--test|-T] filename [section]
This command imports configuration from a file in smb.conf format. If a
section encountered in the input file is present in registry, its
contents are replaced. Sections of registry configuration that have no
counterpart in the input file are not affected. If you want to delete
these, you will have to use the "net conf drop" or "net conf delshare"
commands. Optionally, a section may be specified to restrict the effect
of the import command to that specific section. A test mode is enabled
by specifying the parameter "-T" on the commandline. In test mode, no
changes are made to the registry, and the resulting configuration is
printed to standard output instead.

[RPC] CONF LISTSHARES
List the names of the shares defined in registry.

[RPC] CONF DROP
Delete the complete configuration data from registry.

[RPC] CONF SHOWSHARE sharename
Show the definition of the share or section specified. It is valid to
specify "global" as sharename to retrieve the global configuration
options from registry.

[RPC] CONF ADDSHARE sharename path [writeable={y|N} [guest_ok={y|N}
[comment]]]
Create a new share definition in registry. The sharename and path have
to be given. The share name may not be "global". Optionally, values for
the very common options "writeable", "guest ok" and a "comment" may be
specified. The same result may be obtained by a sequence of "net conf
setparm" commands.

[RPC] CONF DELSHARE sharename
Delete a share definition from registry.

[RPC] CONF SETPARM section parameter value
Store a parameter in registry. The section may be global or a
sharename. The section is created if it does not exist yet.

[RPC] CONF GETPARM section parameter
Show a parameter stored in registry.

[RPC] CONF DELPARM section parameter
Delete a parameter stored in registry.

[RPC] CONF GETINCLUDES section
Get the list of includes for the provided section (global or share).

Note that due to the nature of the registry database and the nature of
include directives, the includes need special treatment: Parameters are
stored in registry by the parameter name as valuename, so there is only
ever one instance of a parameter per share. Also, a specific order like
in a text file is not guaranteed. For all real parameters, this is
perfectly ok, but the include directive is rather a meta parameter, for
which, in the smb.conf text file, the place where it is specified
between the other parameters is very important. This cannot be
achieved by the simple registry smbconf data model, so there is one
ordered list of includes per share, and this list is evaluated after
all the parameters of the share.

Further note that currently, only files can be included from registry
configuration. In the future, there will be the ability to include
configuration data from other registry keys.

[RPC] CONF SETINCLUDES section [filename]+
Set the list of includes for the provided section (global or share) to
the given list of one or more filenames. The filenames may contain the
usual smb.conf macros like %I.

[RPC] CONF DELINCLUDES section
Delete the list of includes from the provided section (global or
share).

REGISTRY
Manipulate Samba's registry.

The registry commands are:
    net registry enumerate - Enumerate registry keys and values.
    net registry enumerate_recursive - Enumerate registry key and its
        subkeys.
    net registry createkey - Create a new registry key.
    net registry deletekey - Delete a registry key.
    net registry deletekey_recursive - Delete a registry key with
        subkeys.
    net registry getvalue - Print a registry value.
    net registry getvalueraw - Print a registry value (raw format).
    net registry setvalue - Set a new registry value.
    net registry increment - Increment a DWORD registry value under a
        lock.
    net registry deletevalue - Delete a registry value.
    net registry getsd - Get security descriptor.
    net registry getsd_sddl - Get security descriptor in sddl format.
    net registry setsd_sddl - Set security descriptor from sddl format
        string.
    net registry import - Import a registration entries (.reg)
        file.
    net registry export - Export a registration entries (.reg)
        file.
    net registry convert - Convert a registration entries (.reg)
        file.
    net registry check - Check and repair a registry database.

REGISTRY ENUMERATE key
Enumerate subkeys and values of key.

REGISTRY ENUMERATE_RECURSIVE key
Enumerate values of key and its subkeys.

REGISTRY CREATEKEY key
Create a new key if not yet existing.

REGISTRY DELETEKEY key
Delete the given key and its values from the registry, if it has no
subkeys.

REGISTRY DELETEKEY_RECURSIVE key
Delete the given key and all of its subkeys and values from the
registry.

REGISTRY GETVALUE key name
Output type and actual value of the value name of the given key.

REGISTRY GETVALUERAW key name
Output the actual value of the value name of the given key.

REGISTRY SETVALUE key name type value ...
Set the value name of an existing key. type may be one of sz, multi_sz
or dword. In case of multi_sz, value may be given multiple times.

REGISTRY INCREMENT key name [inc]
Increment the DWORD value name of key by inc while holding a g_lock.
inc defaults to 1.

REGISTRY DELETEVALUE key name
Delete the value name of the given key.

REGISTRY GETSD key
Get the security descriptor of the given key.

REGISTRY GETSD_SDDL key
Get the security descriptor of the given key as a Security Descriptor
Definition Language (SDDL) string.

REGISTRY SETSD_SDDL key sd
Set the security descriptor of the given key from a Security Descriptor
Definition Language (SDDL) string sd.

REGISTRY IMPORT file [--precheck <check-file>] [opt]
Import a registration entries (.reg) file.

The following options are available:

--precheck check-file
This is a mechanism to check the existence or non-existence of
certain keys or values specified in a precheck file before applying
the import file. The import file will only be applied if the
precheck succeeds.

The check-file follows the normal registry file syntax with the
following semantics:

· <value name>=<value> checks whether the value exists and
  has the given value.

· <value name>=- checks whether the value does not exist.

· [key] checks whether the key exists.

· [-key] checks whether the key does not exist.

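Added example (not Samba's implementation): the four precheck forms above
evaluated against an in-memory registry model. The dictionary model, the sample
key paths and values, case-insensitive matching and the restriction to string
and dword data without escaped quotes are assumptions of this example.

```python
import re

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

# Constructed registry model: {key path: {value name: data}}.
REGISTRY = {
    r"HKLM\Software\Samba\smbconf\global": {
        "workgroup": "EXAMPLE",
        "max log size": 1000,
    },
}

# Constructed check-file using the four forms listed above.
PRECHECK = r'''
[HKLM\Software\Samba\smbconf\global]
"workgroup"="EXAMPLE"
"max log size"=dword:000003e8
"include"=-
[-HKLM\Software\Samba\smbconf\legacy]
'''


def parse_data(data):
    """Decode the right-hand side of a value line (strings and dwords only)."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return data[1:-1]
    raise ValueError("unsupported value data: %r" % data)


def run_precheck(check_text, registry):
    """Return [(line number, reason)] per failed check; empty means import."""
    reg = {k.lower(): {n.lower(): d for n, d in v.items()}
           for k, v in registry.items()}
    failures, current = [], None
    for lineno, raw in enumerate(check_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):               # [-key]: key must be absent
                current = None
                if key[1:].lower() in reg:
                    failures.append((lineno, "key exists: " + key[1:]))
            else:                                 # [key]: key must exist
                current = key.lower()
                if current not in reg:
                    failures.append((lineno, "key missing: " + key))
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError("line %d: unparsable, or a value check "
                             "outside a [key] section" % lineno)
        name, values = m.group("name"), reg.get(current, {})
        if m.group("data") == "-":                # name=-: value must be absent
            if name.lower() in values:
                failures.append((lineno, "value exists: " + name))
        elif name.lower() not in values:
            failures.append((lineno, "value missing: " + name))
        elif values[name.lower()] != parse_data(m.group("data")):
            failures.append((lineno, "value differs: " + name))
    return failures


if __name__ == "__main__":
    problems = run_precheck(PRECHECK, REGISTRY)
    print("apply import" if not problems else problems)
```
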
REGISTRY EXPORT key file [opt]
Export a key to a registration entries (.reg) file.

REGISTRY CONVERT in out [[inopt] outopt]
Convert a registration entries (.reg) file in.

REGISTRY CHECK [-ravTl] [-o <ODB>] [--wipe] [<DB>]
Check and repair the registry database. If no option is given, a
read-only check of the database is done. Among others, an interactive or
automatic repair mode may be chosen with one of the following options:

-r|--repair
Interactive repair mode, ask a lot of questions.

-a|--auto
Noninteractive repair mode, use default answers.

-v|--verbose
Produce more output.

-T|--test
Dry run, show what changes would be made but don't touch anything.

-l|--lock
Lock the database while doing the check.

--reg-version={1,2,3}
Specify the format of the registry database. If not given, it
defaults to the value of the binary or, if a registry.tdb is
explicitly stated at the commandline, to the value found in the
INFO/version record.

[--db] <DB>
Check the specified database.

-o|--output <ODB>
Create a new registry database <ODB> instead of modifying the
input. If <ODB> already exists, --wipe may be used to overwrite
it.

--wipe
Replace the registry database instead of modifying the input or
overwrite an existing output database.

EVENTLOG
Starting with version 3.4.0, net can read, dump, import and export
native win32 eventlog files (usually *.evt). evt files are used by the
native Windows eventviewer tools.

The import and export of evt files can only succeed when eventlog list
is used in the smb.conf file. See the smb.conf(5) manpage for details.

The eventlog commands are:
    net eventlog dump - Dump an eventlog *.evt file on the screen.
    net eventlog import - Import an eventlog *.evt into the samba
        internal tdb based representation of eventlogs.
    net eventlog export - Export the samba internal tdb based
        representation of eventlogs into an eventlog *.evt file.

EVENTLOG DUMP filename
Prints an eventlog *.evt file to standard output.

EVENTLOG IMPORT filename eventlog
Imports an eventlog *.evt file defined by filename into the samba
internal tdb representation of eventlog defined by eventlog. eventlog
needs to be part of the eventlog list defined in smb.conf. See the
smb.conf(5) manpage for details.

EVENTLOG EXPORT filename eventlog
Exports the samba internal tdb representation of eventlog defined by
eventlog to an eventlog *.evt file defined by filename. eventlog needs
to be part of the eventlog list defined in smb.conf. See the smb.conf(5)
manpage for details.

DOM
Starting with version 3.2.0, Samba has support for remote join and
unjoin APIs, both client and server-side. Windows has supported remote
join capabilities since Windows 2000.

In order for Samba to be joined or unjoined remotely, an account must be
used that is either a member of the Domain Admins group, a member of the
local Administrators group or a user that is granted the
SeMachineAccountPrivilege privilege.

The client side support for remote join is implemented in the net dom
commands which are:
    net dom join - Join a remote computer into a domain.
    net dom unjoin - Unjoin a remote computer from a domain.
    net dom renamecomputer - Renames a remote computer joined to a
        domain.

DOM JOIN domain=DOMAIN ou=OU account=ACCOUNT password=PASSWORD reboot
Joins a computer into a domain. This command supports the following
additional parameters:

· DOMAIN can be a NetBIOS domain name (also known as short
  domain name) or a DNS domain name for Active Directory
  Domains. As in Windows, it is also possible to control which
  Domain Controller to use. This can be achieved by appending
  the DC name using the \ separator character. Example:
  MYDOM\MYDC. The DOMAIN parameter cannot be NULL.

· OU can be set to a RFC 1779 LDAP DN, like
  ou=mymachines,cn=Users,dc=example,dc=com in order to create
  the machine account in a non-default LDAP container. This
  optional parameter is only supported when joining Active
  Directory Domains.

· ACCOUNT defines a domain account that will be used to join
  the machine to the domain. This domain account needs to have
  sufficient privileges to join machines.

· PASSWORD defines the password for the domain account defined
  with ACCOUNT.

· REBOOT is an optional parameter that can be set to reboot
  the remote machine after successful join to the domain.

Note that you also need to use standard net parameters to connect and
authenticate to the remote machine that you want to join. These
additional parameters include: -S computer and -U user.

Example:

    net dom join -S xp -U XP\\administrator%secret domain=MYDOM account=MYDOM\\administrator password=topsecret reboot

This example would connect to a computer named XP as the local
administrator using password secret, and join the computer into a
domain called MYDOM using the MYDOM domain administrator account and
password topsecret. After successful join, the computer would reboot.

DOM UNJOIN account=ACCOUNT password=PASSWORD reboot
Unjoins a computer from a domain. This command supports the following
additional parameters:

· ACCOUNT defines a domain account that will be used to unjoin
  the machine from the domain. This domain account needs to
  have sufficient privileges to unjoin machines.

· PASSWORD defines the password for the domain account defined
  with ACCOUNT.

· REBOOT is an optional parameter that can be set to reboot
  the remote machine after successful unjoin from the domain.

Note that you also need to use standard net parameters to connect and
authenticate to the remote machine that you want to unjoin. These
additional parameters include: -S computer and -U user.

Example:

    net dom unjoin -S xp -U XP\\administrator%secret account=MYDOM\\administrator password=topsecret reboot

This example would connect to a computer named XP as the local
administrator using password secret, and unjoin the computer from the
domain using the MYDOM domain administrator account and password
topsecret. After successful unjoin, the computer would reboot.

DOM RENAMECOMPUTER newname=NEWNAME account=ACCOUNT password=PASSWORD reboot
Renames a computer that is joined to a domain. This command supports
the following additional parameters:

· NEWNAME defines the new name of the machine in the domain.

· ACCOUNT defines a domain account that will be used to rename
  the machine in the domain. This domain account needs to have
  sufficient privileges to rename machines.

· PASSWORD defines the password for the domain account defined
  with ACCOUNT.

· REBOOT is an optional parameter that can be set to reboot
  the remote machine after successful rename in the domain.

Note that you also need to use standard net parameters to connect and
authenticate to the remote machine that you want to rename in the
domain. These additional parameters include: -S computer and -U user.

Example:

    net dom renamecomputer -S xp -U XP\\administrator%secret newname=XPNEW account=MYDOM\\administrator password=topsecret reboot

This example would connect to a computer named XP as the local
administrator using password secret, and rename the joined computer to
XPNEW using the MYDOM domain administrator account and password
topsecret. After successful rename, the computer would reboot.

G_LOCK
Manage global locks.

G_LOCK DO lockname timeout command
Execute a shell command under a global lock. This might be useful to
define the order in which several shell commands will be executed. The
locking information is stored in a file called g_lock.tdb. In setups
with CTDB running, the locking information will be available on all
cluster nodes.

· LOCKNAME defines the name of the global lock.

· TIMEOUT defines the timeout.

· COMMAND defines the shell command to execute.

G_LOCK LOCKS
Print a list of all currently existing locknames.

G_LOCK DUMP lockname
Dump the locking table of a certain global lock.

TDB
Print information from tdb records.

TDB LOCKING key [DUMP]
List sharename, filename and number of share modes for a record from
locking.tdb. With the optional DUMP option, dump the complete record.

· KEY Key of the tdb record as hex string.

HELP [COMMAND]
Gives usage information for the specified command.

This man page is complete for version 3 of the Samba suite.

The original Samba software and related utilities were created by
Andrew Tridgell. Samba is now developed by the Samba Team as an Open
Source project similar to the way the Linux kernel is developed.

The net manpage was written by Jelmer Vernooij.

Samba 4.9.1 05/11/2019 NET(8)