1 NET(8) System Administration tools NET(8)
2
3
4
6 net - Tool for administration of Samba and remote CIFS servers.
7
9 net {<ads|rap|rpc>} [-h|--help] [-w|--workgroup workgroup]
10 [-W|--myworkgroup myworkgroup] [-U|--user user]
11 [-I|--ipaddress ip-address] [-p|--port port] [-n myname] [-s conffile]
12 [-S|--server server] [-l|--long] [-v|--verbose] [-f|--force]
13 [-P|--machine-pass] [-d debuglevel] [-V] [--request-timeout seconds]
14 [-t|--timeout seconds] [-i|--stdin] [--tallocreport]
15
17 This tool is part of the samba(7) suite.
18
19 The Samba net utility is meant to work just like the net utility
20 available for Windows and DOS. The first argument should be used to
21 specify the protocol to use when executing a certain command. ADS is
22 used for ActiveDirectory, RAP is used for old (Win9x/NT3) clients and
23 RPC can be used for NT4 and Windows 2000. If this argument is omitted,
24 net will try to determine it automatically. Not all commands are
25 available on all protocols.
26
28 -?|--help
29 Print a summary of command line options.
30
31 -k|--kerberos
32 Try to authenticate with kerberos. Only useful in an Active
33 Directory environment.
34
35 -w|--workgroup target-workgroup
36 Sets target workgroup or domain. You have to specify either this
37 option or the IP address or the name of a server.
38
39 -W|--myworkgroup workgroup
40 Sets client workgroup or domain
41
42 -U|--user user
43 User name to use
44
45 -I|--ipaddress ip-address
46 IP address of target server to use. You have to specify either this
47 option or a target workgroup or a target server.
48
49 -p|--port port
50 Port on the target server to connect to (usually 139 or 445).
51 Defaults to trying 445 first, then 139.
52
53 -n|--netbiosname <primary NetBIOS name>
54 This option allows you to override the NetBIOS name that Samba uses
55 for itself. This is identical to setting the netbios name parameter
56 in the smb.conf file. However, a command line setting will take
57 precedence over settings in smb.conf.
58
59 -S|--server server
60 Name of target server. You should specify either this option or a
61 target workgroup or a target IP address.
62
63 -l|--long
64 When listing data, give more information on each item.
65
66 -v|--verbose
67 When listing data, give more verbose information on each item.
68
69 -f|--force
70 Enforcing a net command.
71
72 -P|--machine-pass
73 Make queries to the external server using the machine account of
74 the local server.
75
76 --request-timeout 30
77 Let client requests time out after 30 seconds; the default is 10
78 seconds.
79
80 -t|--timeout 30
81 Set timeout for client operations to 30 seconds.
82
83 --use-ccache
84 Try to use the credentials cached by winbind.
85
86 -i|--stdin
87 Take input for net commands from standard input.
88
89 --tallocreport
90 Generate a talloc report while processing a net command.
91
92 -T|--test
93 Only test command sequence, dry-run.
94
95 -F|--flags FLAGS
96 Pass down integer flags to a net subcommand.
97
98 -C|--comment COMMENT
99 Pass down a comment string to a net subcommand.
100
101 -n|--myname MYNAME
102 Use MYNAME as a requester name for a net subcommand.
103
104 -c|--container CONTAINER
105 Use a specific AD container for net ads operations.
106
107 -M|--maxusers MAXUSERS
108 Fill in the maxusers field in net rpc share operations.
109
110 -r|--reboot
111 Reboot a remote machine after a command has been successfully
112 executed (e.g. in remote join operations).
113
114 --force-full-repl
115 When calling "net rpc vampire keytab" this option enforces a full
116 re-creation of the generated keytab file.
117
118 --single-obj-repl
119 When calling "net rpc vampire keytab" this option allows one to
120 replicate just a single object to the generated keytab file.
121
122 --clean-old-entries
123 When calling "net rpc vampire keytab" this option allows one to
124 cleanup old entries from the generated keytab file.
125
126 --db
127 Define dbfile for "net idmap" commands.
128
129 --lock
130 Activates locking of the dbfile for "net idmap check" command.
131
132 -a|--auto
133 Activates noninteractive mode in "net idmap check".
134
135 --repair
136 Activates repair mode in "net idmap check".
137
138 --acls
139 Includes ACLs to be copied in "net rpc share migrate".
140
141 --attrs
142 Includes file attributes to be copied in "net rpc share migrate".
143
144 --timestamps
145 Includes timestamps to be copied in "net rpc share migrate".
146
147 -X|--exclude DIRECTORY
148 Allows one to exclude directories when copying with "net rpc share
149 migrate".
150
151 --destination SERVERNAME
152 Defines the target servername of migration process (defaults to
153 localhost).
154
155 -L|--local
156 Sets the type of group mapping to local (used in "net groupmap
157 set").
158
159 -D|--domain
160 Sets the type of group mapping to domain (used in "net groupmap
161 set").
162
163 -N|--ntname NTNAME
164 Sets the ntname of a group mapping (used in "net groupmap set").
165
166 -R|--rid RID
167 Sets the rid of a group mapping (used in "net groupmap set").
168
169 --reg-version REG_VERSION
170 Assume database version {n|1,2,3} (used in "net registry check").
171
172 -o|--output FILENAME
173 Output database file (used in "net registry check").
174
175 --wipe
176 Create a new database from scratch (used in "net registry check").
177
178 --precheck PRECHECK_DB_FILENAME
179 Defines filename for database prechecking (used in "net registry
180 import").
181
182 --no-dns-updates
183 Do not perform DNS updates as part of "net ads join".
184
185 --keep-account
186 Prevent the machine account removal as part of "net ads leave".
187
188 -e|--encrypt
189 This command line parameter requires the remote server support the
190 UNIX extensions or that the SMB3 protocol has been selected.
191 Requests that the connection be encrypted. Negotiates SMB
192 encryption using either SMB3 or POSIX extensions via GSSAPI. Uses
193 the given credentials for the encryption negotiation (either
194 kerberos or NTLMv1/v2 if given domain/username/password triple).
195 Fails the connection if encryption cannot be negotiated.
196
197 -d|--debuglevel=level
198 level is an integer from 0 to 10. The default value if this
199 parameter is not specified is 1.
200
201 The higher this value, the more detail will be logged to the log
202 files about the activities of the server. At level 0, only critical
203 errors and serious warnings will be logged. Level 1 is a reasonable
204 level for day-to-day running - it generates a small amount of
205 information about operations carried out.
206
207 Levels above 1 will generate considerable amounts of log data, and
208 should only be used when investigating a problem. Levels above 3
209 are designed for use only by developers and generate HUGE amounts
210 of log data, most of which is extremely cryptic.
211
212 Note that specifying this parameter here will override the log
213 level parameter in the smb.conf file.
214
215 -V|--version
216 Prints the program version number.
217
218 -s|--configfile=<configuration file>
219 The file specified contains the configuration details required by
220 the server. The information in this file includes server-specific
221 information such as what printcap file to use, as well as
222 descriptions of all the services that the server is to provide. See
223 smb.conf for more information. The default configuration file name
224 is determined at compile time.
225
226 -l|--log-basename=logdirectory
227 Base directory name for log/debug files. The extension ".progname"
228 will be appended (e.g. log.smbclient, log.smbd, etc...). The log
229 file is never removed by the client.
230
231 --option=<name>=<value>
232 Set the smb.conf(5) option "<name>" to value "<value>" from the
233 command line. This overrides compiled-in defaults and options read
234 from the configuration file.
235
237 CHANGESECRETPW
238 This command allows the Samba machine account password to be set from
239 an external application to a machine account password that has already
240 been stored in Active Directory. DO NOT USE this command unless you
241 know exactly what you are doing. The use of this command requires that
242 the force flag (-f) be used also. There will be NO command prompt.
243 Whatever information is piped into stdin, either by typing at the
244 command line or otherwise, will be stored as the literal machine
245 password. Do NOT use this without care and attention as it will
246 overwrite a legitimate machine password without warning. YOU HAVE BEEN
247 WARNED.
248
249 TIME
250 The NET TIME command allows you to view the time on a remote server or
251 synchronise the time on the local server with the time on the remote
252 server.
253
254 TIME
255 Without any options, the NET TIME command displays the time on the
256 remote server. The remote server must be specified with the -S option.
257
258 TIME SYSTEM
259 Displays the time on the remote server in a format ready for /bin/date.
260 The remote server must be specified with the -S option.
261
262 TIME SET
263 Tries to set the date and time of the local server to that on the
264 remote server using /bin/date. The remote server must be specified with
265 the -S option.
266
267 TIME ZONE
268 Displays the timezone in hours from GMT on the remote server. The
269 remote server must be specified with the -S option.
270
271 [RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]]
272 [createupn=UPN] [createcomputer=OU] [machinepass=PASS] [osName=string
273 osVer=string] [options]
274 Join a domain. If the account already exists on the server, and [TYPE]
275 is MEMBER, the machine will attempt to join automatically. (Assuming
276 that the machine has been created in server manager) Otherwise, a
277 password will be prompted for, and a new account may be created.
278
279 [TYPE] may be PDC, BDC or MEMBER to specify the type of server joining
280 the domain.
281
282 [UPN] (ADS only) set the principalname attribute during the join. The
283 default format is host/netbiosname@REALM.
284
285 [OU] (ADS only) Precreate the computer account in a specific OU. The OU
286 string reads from top to bottom without RDNs, and is delimited by a
287 '/'. Please note that '\' is used for escape by both the shell and
288 ldap, so it may need to be doubled or quadrupled to pass through, and
289 it is not used as a delimiter.
290
291 [PASS] (ADS only) Set a specific password on the computer account being
292 created by the join.
293
294 [osName=string osVer=String] (ADS only) Set the operatingSystem and
295 operatingSystemVersion attribute during the join. Both parameters must
296 be specified for either to take effect.
297
298 [RPC] OLDJOIN [options]
299 Join a domain. Use the OLDJOIN option to join the domain using the old
300 style of domain joining - you need to create a trust account in server
301 manager first.
302
303 [RPC|ADS] USER
304 [RPC|ADS] USER
305 List all users
306
307 [RPC|ADS] USER DELETE target
308 Delete specified user
309
310 [RPC|ADS] USER INFO target
311 List the domain groups of the specified user.
312
313 [RPC|ADS] USER RENAME oldname newname
314 Rename specified user.
315
316 [RPC|ADS] USER ADD name [password] [-F user flags] [-C comment]
317 Add specified user.
318
319 [RPC|ADS] GROUP
320 [RPC|ADS] GROUP [misc options] [targets]
321 List user groups.
322
323 [RPC|ADS] GROUP DELETE name [misc. options]
324 Delete specified group.
325
326 [RPC|ADS] GROUP ADD name [-C comment]
327 Create specified group.
328
329 [ADS] LOOKUP
330 Lookup the closest Domain Controller in our domain and retrieve server
331 information about it.
332
333 [RAP|RPC] SHARE
334 [RAP|RPC] SHARE [misc. options] [targets]
335 Enumerates all exported resources (network shares) on target server.
336
337 [RAP|RPC] SHARE ADD name=serverpath [-C comment] [-M maxusers] [targets]
338 Adds a share from a server (makes the export active). Maxusers
339 specifies the number of users that can be connected to the share
340 simultaneously.
341
342 SHARE DELETE sharename
343 Delete specified share.
344
345 [RPC|RAP] FILE
346 [RPC|RAP] FILE
347 List all open files on remote server.
348
349 [RPC|RAP] FILE CLOSE fileid
350 Close file with specified fileid on remote server.
351
352 [RPC|RAP] FILE INFO fileid
353 Print information on specified fileid. Currently listed are: file-id,
354 username, locks, path, permissions.
355
356 [RAP|RPC] FILE USER user
357 List files opened by specified user. Please note that net rap file user
358 does not work against Samba servers.
359
360 SESSION
361 RAP SESSION
362 Without any other options, SESSION enumerates all active SMB/CIFS
363 sessions on the target server.
364
365 RAP SESSION DELETE|CLOSE CLIENT_NAME
366 Close the specified sessions.
367
368 RAP SESSION INFO CLIENT_NAME
369 Give a list with all the open files in specified session.
370
371 RAP SERVER DOMAIN
372 List all servers in specified domain or workgroup. Defaults to local
373 domain.
374
375 RAP DOMAIN
376 Lists all domains and workgroups visible on the current network.
377
378 RAP PRINTQ
379 RAP PRINTQ INFO QUEUE_NAME
380 Lists the specified print queue and print jobs on the server. If the
381 QUEUE_NAME is omitted, all queues are listed.
382
383 RAP PRINTQ DELETE JOBID
384 Delete job with specified id.
385
386 RAP VALIDATE user [password]
387 Validate whether the specified user can log in to the remote server. If
388 the password is not specified on the commandline, it will be prompted.
389
390 Note
391 Currently NOT implemented.
392
393 RAP GROUPMEMBER
394 RAP GROUPMEMBER LIST GROUP
395 List all members of the specified group.
396
397 RAP GROUPMEMBER DELETE GROUP USER
398 Delete member from group.
399
400 RAP GROUPMEMBER ADD GROUP USER
401 Add member to group.
402
403 RAP ADMIN command
404 Execute the specified command on the remote server. Only works with
405 OS/2 servers.
406
407 Note
408 Currently NOT implemented.
409
410 RAP SERVICE
411 RAP SERVICE START NAME [arguments...]
412 Start the specified service on the remote server. Not implemented yet.
413
414 Note
415 Currently NOT implemented.
416
417 RAP SERVICE STOP
418 Stop the specified service on the remote server.
419
420 Note
421 Currently NOT implemented.
422
423 RAP PASSWORD USER OLDPASS NEWPASS
424 Change password of USER from OLDPASS to NEWPASS.
425
426 LOOKUP
427 LOOKUP HOST HOSTNAME [TYPE]
428 Lookup the IP address of the given host with the specified type
429 (netbios suffix). The type defaults to 0x20 (workstation).
430
431 LOOKUP LDAP [DOMAIN]
432 Give IP address of LDAP server of specified DOMAIN. Defaults to local
433 domain.
434
435 LOOKUP KDC [REALM]
436 Give IP address of KDC for the specified REALM. Defaults to local
437 realm.
438
439 LOOKUP DC [DOMAIN]
440 Give IPs of Domain Controllers for specified
441 DOMAIN. Defaults to local domain.
442
443 LOOKUP MASTER DOMAIN
444 Give IP of master browser for specified DOMAIN or workgroup. Defaults
445 to local domain.
446
447 CACHE
448 Samba uses a general caching interface called 'gencache'. It can be
449 controlled using 'NET CACHE'.
450
451 All the timeout parameters support the suffixes:
452 s - Seconds
453 m - Minutes
454 h - Hours
455 d - Days
456 w - Weeks
457
458 CACHE ADD key data time-out
459 Add specified key+data to the cache with the given timeout.
460
461 CACHE DEL key
462 Delete key from the cache.
463
464 CACHE SET key data time-out
465 Update data of existing cache entry.
466
467 CACHE SEARCH PATTERN
468 Search for the specified pattern in the cache data.
469
470 CACHE LIST
471 List all current items in the cache.
472
473 CACHE FLUSH
474 Remove all the current items from the cache.
475
476 GETLOCALSID [DOMAIN]
477 Prints the SID of the specified domain, or if the parameter is omitted,
478 the SID of the local server.
479
480 SETLOCALSID S-1-5-21-x-y-z
481 Sets SID for the local server to the specified SID.
482
483 GETDOMAINSID
484 Prints the local machine SID and the SID of the current domain.
485
486 SETDOMAINSID
487 Sets the SID of the current domain.
488
489 GROUPMAP
490 Manage the mappings between Windows group SIDs and UNIX groups. Common
491 options include:
492
493 · unixgroup - Name of the UNIX group
494
495 · ntgroup - Name of the Windows NT group (must be resolvable
496 to a SID)
497
498 · rid - Unsigned 32-bit integer
499
500 · sid - Full SID in the form of "S-1-..."
501
502 · type - Type of the group; either 'domain', 'local', or
503 'builtin'
504
505 · comment - Freeform text description of the group
506
507
508 GROUPMAP ADD
509 Add a new group mapping entry:
510
511 net groupmap add {rid=int|sid=string} unixgroup=string \
512 [type={domain|local}] [ntgroup=string] [comment=string]
513
514
515
516 GROUPMAP DELETE
517 Delete a group mapping entry. If more than one group name matches, the
518 first entry found is deleted.
519
520 net groupmap delete {ntgroup=string|sid=SID}
521
522 GROUPMAP MODIFY
523 Update an existing group entry.
524
525 net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] \
526 [comment=string] [type={domain|local}]
527
528
529
530 GROUPMAP LIST
531 List existing group mapping entries.
532
533 net groupmap list [verbose] [ntgroup=string] [sid=SID]
534
535 MAXRID
536 Prints out the highest RID currently in use on the local server (by the
537 active 'passdb backend').
538
539 RPC INFO
540 Print information about the domain of the remote server, such as domain
541 name, domain sid and number of users and groups.
542
543 [RPC|ADS] TESTJOIN
544 Check whether participation in a domain is still valid.
545
546 [RPC|ADS] CHANGETRUSTPW
547 Force change of domain trust password.
548
549 RPC TRUSTDOM
550 RPC TRUSTDOM ADD DOMAIN
551 Add an interdomain trust account for DOMAIN. This is in fact a Samba
552 account named DOMAIN$ with the account flag 'I' (interdomain trust
553 account). This is required for incoming trusts to work. It makes Samba
554 be a trusted domain of the foreign (trusting) domain. Users of the
555 Samba domain will be made available in the foreign domain. If the
556 command is used against localhost it has the same effect as smbpasswd
557 -a -i DOMAIN. Please note that both commands expect an appropriate UNIX
558 account.
559
560 RPC TRUSTDOM DEL DOMAIN
561 Remove interdomain trust account for DOMAIN. If it is used against
562 localhost it has the same effect as smbpasswd -x DOMAIN$.
563
564 RPC TRUSTDOM ESTABLISH DOMAIN
565 Establish a trust relationship to a trusted domain. Interdomain account
566 must already be created on the remote PDC. This is required for
567 outgoing trusts to work. It makes Samba be a trusting domain of a
568 foreign (trusted) domain. Users of the foreign domain will be made
569 available in our domain. You'll need winbind and a working idmap config
570 to make them appear in your system.
571
572 RPC TRUSTDOM REVOKE DOMAIN
573 Abandon relationship to trusted domain
574
575 RPC TRUSTDOM LIST
576 List all interdomain trust relationships.
577
578 RPC TRUST
579 RPC TRUST CREATE
580 Create a trust object by calling lsaCreateTrustedDomainEx2. This can be
581 done on a single server or on two servers at once with the possibility
582 to use a random trust password.
583
584 Options:
585
586 otherserver
587 Domain controller of the second domain
588
589 otheruser
590 Admin user in the second domain
591
592 otherdomainsid
593 SID of the second domain
594
595 other_netbios_domain
596 NetBIOS (short) name of the second domain
597
598 otherdomain
599 DNS (full) name of the second domain
600
601 trustpw
602 Trust password
603
604 Examples:
605
606 Create a trust object on srv1.dom1.dom for the domain dom2
607
608 net rpc trust create \
609 otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
610 other_netbios_domain=dom2 \
611 otherdomain=dom2.dom \
612 trustpw=12345678 \
613 -S srv1.dom1.dom
614
615 Create a trust relationship between dom1 and dom2
616
617 net rpc trust create \
618 otherserver=srv2.dom2.test \
619 otheruser=dom2adm \
620 -S srv1.dom1.dom
621
622 RPC TRUST DELETE
623 Delete a trust object by calling lsaDeleteTrustedDomain. This can be
624 done on a single server or on two servers at once.
625
626 Options:
627
628 otherserver
629 Domain controller of the second domain
630
631 otheruser
632 Admin user in the second domain
633
634 otherdomainsid
635 SID of the second domain
636
637 Examples:
638
639 Delete a trust object on srv1.dom1.dom for the domain dom2
640
641 net rpc trust delete \
642 otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
643 -S srv1.dom1.dom
644
645 Delete a trust relationship between dom1 and dom2
646
647 net rpc trust delete \
648 otherserver=srv2.dom2.test \
649 otheruser=dom2adm \
650 -S srv1.dom1.dom
651
652
653 RPC RIGHTS
654 This subcommand is used to view and manage Samba's rights assignments
655 (also referred to as privileges). There are three options currently
656 available: list, grant, and revoke. More details on Samba's privilege
657 model and its use can be found in the Samba-HOWTO-Collection.
658
659 RPC ABORTSHUTDOWN
660 Abort the shutdown of a remote server.
661
662 RPC SHUTDOWN [-t timeout] [-r] [-f] [-C message]
663 Shut down the remote server.
664
665 -r
666 Reboot after shutdown.
667
668 -f
669 Force shutting down all applications.
670
671 -t timeout
672 Timeout before system will be shut down. An interactive user of the
673 system can use this time to cancel the shutdown.
674
675 -C message
676 Display the specified message on the screen to announce the
677 shutdown.
678
679 RPC SAMDUMP
680 Print out sam database of remote server. You need to run this against
681 the PDC, from a Samba machine joined as a BDC.
682
683 RPC VAMPIRE
684 Export users, aliases and groups from remote server to local server.
685 You need to run this against the PDC, from a Samba machine joined as a
686 BDC. This vampire command cannot be used against an Active Directory,
687 only against an NT4 Domain Controller.
688
689 RPC VAMPIRE KEYTAB
690 Dump remote SAM database to local Kerberos keytab file.
691
692 RPC VAMPIRE LDIF
693 Dump remote SAM database to local LDIF file or standard output.
694
695 RPC GETSID
696 Fetch domain SID and store it in the local secrets.tdb.
697
698 ADS LEAVE [--keep-account]
699 Make the remote host leave the domain it is part of.
700
701 ADS STATUS
702 Print out status of machine account of the local machine in ADS. Prints
703 out quite some debug info. Aimed at developers; regular users should
704 use NET ADS TESTJOIN.
705
706 ADS PRINTER
707 ADS PRINTER INFO [PRINTER] [SERVER]
708 Lookup info for PRINTER on SERVER. The printer name defaults to "*",
709 the server name defaults to the local host.
710
711 ADS PRINTER PUBLISH PRINTER
712 Publish specified printer using ADS.
713
714 ADS PRINTER REMOVE PRINTER
715 Remove specified printer from ADS directory.
716
717 ADS SEARCH EXPRESSION ATTRIBUTES...
718 Perform a raw LDAP search on an ADS server and dump the results. The
719 expression is a standard LDAP search expression, and the attributes are
720 a list of LDAP fields to show in the results.
721
722 Example: net ads search '(objectCategory=group)' sAMAccountName
723
724 ADS DN DN (attributes)
725 Perform a raw LDAP search on an ADS server and dump the results. The DN
726 is a standard LDAP DN, and the attributes are a list of LDAP fields to show
727 in the result.
728
729 Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain'
730 SAMAccountName
731
732 ADS KEYTAB CREATE
733 Creates a new keytab file if one doesn't exist with default entries.
734 Default entries are kerberos principals created from the machinename of
735 the client, the UPN (if it exists) and any Windows SPN(s) associated
736 with the computer AD account for the client. If a keytab file already
737 exists then only missing kerberos principals from the default entries
738 are added. No changes are made to the computer AD account.
739
740 ADS KEYTAB ADD (principal | machine | serviceclass | windows SPN)
741 Adds a new keytab entry. The entry can be one of:
742
743 kerberos principal
744 A kerberos principal (identified by the presence of '@') is just
745 added to the keytab file.
746
747 machinename
748 A machinename (identified by the trailing '$') is used to create a
749 kerberos principal 'machinename@realm' which is added to the
750 keytab file.
751
752 serviceclass
753 A serviceclass (such as 'cifs', 'html' etc.) is used to create a
754 pair of kerberos principals
755 'serviceclass/fully_qualified_dns_name@realm' &
756 'serviceclass/netbios_name@realm' which are added to the keytab
757 file.
758
759 Windows SPN
760 A Windows SPN is of the format 'serviceclass/host:port', it is used
761 to create a kerberos principal 'serviceclass/host@realm' which will
762 be written to the keytab file.
763
764 Unlike old versions no computer AD objects are modified by this
765 command. To preserve the behaviour of older clients 'net ads keytab
766 add_update_ads' is available.
767
768 ADS KEYTAB ADD_UPDATE_ADS (principal | machine | serviceclass | windows SPN)
769 Adds a new keytab entry (see section for net ads keytab add). In
770 addition to adding entries to the keytab file, corresponding Windows
771 SPNs are created from the entry passed to this command. These SPN(s)
772 are added to the AD computer account object associated with the client
773 machine running this command for the following entry types:
774
775 serviceclass
776 A serviceclass (such as 'cifs', 'html' etc.) is used to create a
777 pair of Windows SPN(s) 'param/full_qualified_dns' &
778 'param/netbios_name' which are added to the AD computer account
779 object for this client.
780
781 Windows SPN
782 A Windows SPN is of the format 'serviceclass/host:port', it is
783 added as passed to the AD computer account object for this client.
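
The entry rules of "net ads keytab add" and "net ads keytab add_update_ads" above, as an added example that is not Samba's own code: it classifies an entry the way the text describes and returns the keytab principals and, for add_update_ads, the SPNs written to the AD computer object. The function names, the sample realm and host names, the order of the checks, treating any entry containing '/' as a Windows SPN, and keeping the trailing '$' in the machine principal are assumptions.

```python
# Added example (not Samba code): which keytab principals and AD SPNs an
# entry produces under the rules described in the text above.


def expand_keytab_entry(entry, realm, fqdn, netbios, update_ads=False):
    """Return (kind, keytab_principals, ad_spns) for one entry.

    update_ads=False models 'keytab add' (keytab only);
    update_ads=True models 'keytab add_update_ads' (keytab plus AD SPNs).
    """
    if not entry:
        raise ValueError("empty keytab entry")

    # Kerberos principal: identified by '@', added to the keytab as given.
    if "@" in entry:
        return "kerberos principal", [entry], []

    # Machine name: identified by the trailing '$' -> 'machinename@realm'.
    # Assumption: the '$' stays part of the principal name.
    if entry.endswith("$"):
        return "machinename", [f"{entry}@{realm}"], []

    # Windows SPN 'serviceclass/host:port' -> 'serviceclass/host@realm'.
    # Assumption: a '/' is what separates this case from a bare serviceclass.
    if "/" in entry:
        service, _, hostport = entry.partition("/")
        host = hostport.split(":", 1)[0]  # the port is not part of the principal
        if not service or not host:
            raise ValueError(f"malformed SPN: {entry!r}")
        spns = [entry] if update_ads else []  # SPN is added to AD as passed
        return "windows SPN", [f"{service}/{host}@{realm}"], spns

    # Bare serviceclass: a pair of principals, and a pair of SPNs if AD is updated.
    principals = [f"{entry}/{fqdn}@{realm}", f"{entry}/{netbios}@{realm}"]
    spns = [f"{entry}/{fqdn}", f"{entry}/{netbios}"] if update_ads else []
    return "serviceclass", principals, spns


def ad_changes(entries, realm, fqdn, netbios):
    """Map each entry to the SPNs add_update_ads would write to the AD object.

    Entries that only touch the local keytab are left out, so the result is
    the list of directory changes to review before running the command.
    """
    changes = {}
    for entry in entries:
        _, _, spns = expand_keytab_entry(entry, realm, fqdn, netbios, update_ads=True)
        if spns:
            changes[entry] = spns
    return changes


# Constructed sample values, not taken from any real environment.
SAMPLE_REALM = "EXAMPLE.TEST"
SAMPLE_FQDN = "fs1.example.test"
SAMPLE_NETBIOS = "FS1"
SAMPLE_ENTRIES = ["cifs", "http/fs1.example.test:8080", "FS1$", "svc/fs1@EXAMPLE.TEST"]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        kind, principals, _ = expand_keytab_entry(
            e, SAMPLE_REALM, SAMPLE_FQDN, SAMPLE_NETBIOS)
        print(f"{e:32} {kind:20} keytab: {principals}")
    print("AD SPN changes under add_update_ads:")
    for e, spns in ad_changes(
            SAMPLE_ENTRIES, SAMPLE_REALM, SAMPLE_FQDN, SAMPLE_NETBIOS).items():
        print(f"  {e}: {spns}")
```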
784
785 ADS setspn SETSPN LIST [machine]
786 Lists the Windows SPNs stored in the 'machine' Windows AD Computer
787 object. If 'machine' is not specified then computer account for this
788 client is used instead.
789
790 ADS setspn SETSPN ADD SPN [machine]
791 Adds the specified Windows SPN to the 'machine' Windows AD Computer
792 object. If 'machine' is not specified then computer account for this
793 client is used instead.
794
795 ADS setspn SETSPN DELETE SPN [machine]
796 Deletes the specified Windows SPN from the 'machine' Windows AD Computer
797 object. If 'machine' is not specified then computer account for this
798 client is used instead.
799
800 ADS WORKGROUP
801 Print out workgroup name for specified kerberos realm.
802
803 ADS ENCTYPES
804 List, modify or delete the value of the "msDS-SupportedEncryptionTypes"
805 attribute of an account in AD.
806
807 This attribute allows one to control which Kerberos encryption types
808 are used for the generation of initial and service tickets. The value
809 consists of an integer bitmask with the following values:
810
811 0x00000001 DES-CBC-CRC
812
813 0x00000002 DES-CBC-MD5
814
815 0x00000004 RC4-HMAC
816
817 0x00000008 AES128-CTS-HMAC-SHA1-96
818
819 0x00000010 AES256-CTS-HMAC-SHA1-96
820
821 ADS ENCTYPES LIST <ACCOUNTNAME>
822 List the value of the "msDS-SupportedEncryptionTypes" attribute of a
823 given account.
824
825 Example: net ads enctypes list Computername
826
827 ADS ENCTYPES SET <ACCOUNTNAME> [enctypes]
828 Set the value of the "msDS-SupportedEncryptionTypes" attribute of the
829 LDAP object of ACCOUNTNAME to a given value. If the value is omitted,
830 the value is set to 31 which enables all the currently supported
831 encryption types.
832
833 Example: net ads enctypes set Computername 24
834
835 ADS ENCTYPES DELETE <ACCOUNTNAME>
836 Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP
837 object of ACCOUNTNAME.
838
839 Example: net ads enctypes delete Computername
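
The bitmask table in the ADS ENCTYPES section, as an added example that is not Samba's own code: it decodes "msDS-SupportedEncryptionTypes" values, flags accounts that still allow DES or RC4, and proposes the value to pass to "net ads enctypes set". The account names and values in the inventory are constructed, the function names and status labels are assumptions, and bits above 0x10 are reported as unknown because the page does not define them.

```python
# Added example (not Samba code): audit msDS-SupportedEncryptionTypes values.

# Bit values exactly as listed in the ADS ENCTYPES table above.
ENCTYPE_BITS = {
    0x00000001: "DES-CBC-CRC",
    0x00000002: "DES-CBC-MD5",
    0x00000004: "RC4-HMAC",
    0x00000008: "AES128-CTS-HMAC-SHA1-96",
    0x00000010: "AES256-CTS-HMAC-SHA1-96",
}
WEAK_MASK = 0x01 | 0x02 | 0x04     # DES and RC4, deprecated by RFC 6649 / RFC 8429
AES_MASK = 0x08 | 0x10             # 24, the value in the page's "set" example
KNOWN_MASK = WEAK_MASK | AES_MASK  # 31, what "set" uses when the value is omitted


def decode(value):
    """Return the names of the documented enctype bits set in value."""
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if value & bit]


def audit_account(account, raw):
    """Classify one account; raw is the attribute as text ("31", "0x18") or None."""
    finding = {"account": account, "status": "unset", "enabled": [], "weak": [],
               "unknown_bits": 0, "suggested": None, "command": None}
    if raw is None:
        # Attribute absent, e.g. after "net ads enctypes delete".
        return finding

    value = int(str(raw), 0)  # accepts decimal and 0x-prefixed hex
    if value < 0:
        raise ValueError(f"negative bitmask for {account}: {raw!r}")

    finding["enabled"] = decode(value)
    finding["weak"] = decode(value & WEAK_MASK)
    finding["unknown_bits"] = value & ~KNOWN_MASK

    if finding["weak"] and value & AES_MASK:
        # AES is already allowed, so the weak bits can be cleared; bits the
        # page does not define are preserved untouched.
        finding["status"] = "weak"
        finding["suggested"] = value & ~WEAK_MASK
        finding["command"] = f"net ads enctypes set {account} {finding['suggested']}"
    elif finding["weak"]:
        # Only DES/RC4 enabled: clearing them would leave no enctype at all,
        # so this needs a manual check that the account can use AES.
        finding["status"] = "weak-only"
    elif not value & AES_MASK:
        finding["status"] = "empty"
    else:
        finding["status"] = "ok"
    return finding


def audit(inventory):
    """Return the findings that need attention, in inventory order."""
    findings = [audit_account(name, raw) for name, raw in inventory.items()]
    return [f for f in findings if f["status"] != "ok"]


# Constructed inventory: account name -> attribute value as text (None = unset).
SAMPLE_INVENTORY = {
    "FILESRV1": "31",    # everything enabled
    "WEB01": "0x18",     # AES128 + AES256 only
    "LEGACY": "4",       # RC4 only
    "NEWHOST": None,     # attribute not present
}

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f['account']:10} {f['status']:10} weak={f['weak']}")
        if f["command"]:
            print(f"  proposed: {f['command']}")
```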
840
841 SAM CREATEBUILTINGROUP <NAME>
842 (Re)Create a BUILTIN group. Only a well-known set of BUILTIN groups can
843 be created with this command. This is the list of currently recognized
844 group names: Administrators, Users, Guests, Power Users, Account
845 Operators, Server Operators, Print Operators, Backup Operators,
846 Replicator, RAS Servers, Pre-Windows 2000 compatible Access. This
847 command requires a running Winbindd with idmap allocation properly
848 configured. The group gid will be allocated out of the winbindd range.
849
850 SAM CREATELOCALGROUP <NAME>
851 Create a LOCAL group (also known as Alias). This command requires a
852 running Winbindd with idmap allocation properly configured. The group
853 gid will be allocated out of the winbindd range.
854
855 SAM DELETELOCALGROUP <NAME>
856 Delete an existing LOCAL group (also known as Alias).
857
858 SAM MAPUNIXGROUP <NAME>
859 Map an existing Unix group and make it a Domain Group, the domain group
860 will have the same name.
861
862 SAM UNMAPUNIXGROUP <NAME>
863 Remove an existing group mapping entry.
864
865 SAM ADDMEM <GROUP> <MEMBER>
866 Add a member to a Local group. The group can be specified only by name,
867 the member can be specified by name or SID.
868
869 SAM DELMEM <GROUP> <MEMBER>
870 Remove a member from a Local group. The group and the member must be
871 specified by name.
872
873 SAM LISTMEM <GROUP>
874 List Local group members. The group must be specified by name.
875
876 SAM LIST <users|groups|localgroups|builtin|workstations> [verbose]
877 List the specified set of accounts by name. If verbose is specified,
878 the rid and description are also provided for each account.
879
880 SAM RIGHTS LIST
881 List all available privileges.
882
883 SAM RIGHTS GRANT <NAME> <PRIVILEGE>
884 Grant one or more privileges to a user.
885
886 SAM RIGHTS REVOKE <NAME> <PRIVILEGE>
887 Revoke one or more privileges from a user.
888
889 SAM SHOW <NAME>
890 Show the full DOMAIN\NAME, the SID and the type for the corresponding
891 account.
892
893 SAM SET HOMEDIR <NAME> <DIRECTORY>
894 Set the home directory for a user account.
895
896 SAM SET PROFILEPATH <NAME> <PATH>
897 Set the profile path for a user account.
898
899 SAM SET COMMENT <NAME> <COMMENT>
900 Set the comment for a user or group account.
901
902 SAM SET FULLNAME <NAME> <FULL NAME>
903 Set the full name for a user account.
904
905 SAM SET LOGONSCRIPT <NAME> <SCRIPT>
906 Set the logon script for a user account.
907
908 SAM SET HOMEDRIVE <NAME> <DRIVE>
909 Set the home drive for a user account.
910
911 SAM SET WORKSTATIONS <NAME> <WORKSTATIONS>
912 Set the workstations a user account is allowed to log in from.
913
914 SAM SET DISABLE <NAME>
915 Set the "disabled" flag for a user account.
916
917 SAM SET PWNOTREQ <NAME>
918 Set the "password not required" flag for a user account.
919
920 SAM SET AUTOLOCK <NAME>
921 Set the "autolock" flag for a user account.
922
923 SAM SET PWNOEXP <NAME>
924 Set the "password do not expire" flag for a user account.
925
926 SAM SET PWDMUSTCHANGENOW <NAME> [yes|no]
927 Set or unset the "password must change" flag for a user account.
928
929 SAM POLICY LIST
930 List the available account policies.
931
932 SAM POLICY SHOW <account policy>
933 Show the account policy value.
934
935 SAM POLICY SET <account policy> <value>
936 Set a value for the account policy. Valid values can be: "forever",
937 "never", "off", or a number.
938
939 SAM PROVISION
Only available if ldapsam:editposix is set and winbindd is running.
Properly populates the ldap tree with the basic accounts
(Administrator) and groups (Domain Users, Domain Admins, Domain Guests)
on the ldap tree.

IDMAP DUMP <local tdb file name>
Dumps the mappings contained in the local tdb file specified. This
command is useful to dump only the mappings produced by the idmap_tdb
backend.

IDMAP RESTORE [input file]
Restore the mappings from the specified file or stdin.

IDMAP SET SECRET <DOMAIN> <secret>
Store a secret for the specified domain, used primarily for domains
that use idmap_ldap as a backend. In this case the secret is used as
the password for the user DN used to bind to the ldap server.

IDMAP SET RANGE <RANGE> <SID> [index] [--db=<DB>]
Store a domain-range mapping for a given domain (and index) in autorid
database.

IDMAP SET CONFIG <config> [--db=<DB>]
Update CONFIG entry in autorid database.

IDMAP GET RANGE <SID> [index] [--db=<DB>]
Get the range for a given domain and index from autorid database.

IDMAP GET RANGES [<SID>] [--db=<DB>]
Get ranges for all domains or for one identified by given SID.

IDMAP GET CONFIG [--db=<DB>]
Get CONFIG entry from autorid database.

IDMAP DELETE MAPPING [-f] [--db=<DB>] <ID>
Delete a mapping sid <-> gid or sid <-> uid from the IDMAP database.
The mapping is given by <ID> which may either be a sid: S-x-..., a gid:
"GID number" or a uid: "UID number". Use -f to delete an invalid
partial mapping <ID> -> xx.

Use "smbcontrol all idmap ..." to notify running smbd instances. See
the smbcontrol(1) manpage for details.

IDMAP DELETE RANGE [-f] [--db=<TDB>] <RANGE>|(<SID> [<INDEX>])
Delete a domain range mapping identified by 'RANGE' or "domain SID and
INDEX" from autorid database. Use -f to delete invalid mappings.

IDMAP DELETE RANGES [-f] [--db=<TDB>] <SID>
Delete all domain range mappings for a domain identified by SID. Use -f
to delete invalid mappings.

IDMAP CHECK [-v] [-r] [-a] [-T] [-f] [-l] [--db=<DB>]
Check and repair the IDMAP database. If no option is given a read only
check of the database is done. Among others an interactive or automatic
repair mode may be chosen with one of the following options:

-r|--repair
Interactive repair mode, ask a lot of questions.

-a|--auto
Noninteractive repair mode, use default answers.

-v|--verbose
Produce more output.

-f|--force
Try to apply changes, even if they do not apply cleanly.

-T|--test
Dry run, show what changes would be made but don't touch anything.

-l|--lock
Lock the database while doing the check.

--db <DB>
Check the specified database.

It reports the following errors:

Missing reverse mapping:
A record with mapping A->B where there is no B->A. Default action
in repair mode is to "fix" this by adding the reverse mapping.

Invalid mapping:
A record with mapping A->B where B->C. Default action is to
"delete" this record.

Missing or invalid HWM:
A high water mark is not at least equal to the largest ID in the
database. Default action is to "fix" this by setting it to the
largest ID found +1.

Invalid record:
Something we failed to parse. Default action is to "edit" it in
interactive and "delete" it in automatic mode.
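
The four error classes above can be tried out on a small data set. The
following shell/awk function is an added example, not Samba's
implementation and not part of the original man page. It applies the same
rules to a constructed "KEY VALUE" record list; the record format, the
USER_HWM/GROUP_HWM names and the function names are assumptions made for
the illustration, not the idmap tdb layout.

```shell
#!/bin/sh
# Added example: idmap-style consistency rules on constructed records.
# The "KEY VALUE" line format is an assumption for illustration,
# not the on-disk idmap tdb format.

# Constructed sample: two healthy pairs, one missing reverse mapping,
# one invalid mapping, a stale group high water mark, one unparsable line.
sample_idmap_records() {
    cat <<'EOF'
S-1-5-21-1-2-3-1000 UID:10000
UID:10000 S-1-5-21-1-2-3-1000
S-1-5-21-1-2-3-1001 UID:10001
S-1-5-21-1-2-3-1002 UID:10000
GID:20000 S-1-5-21-1-2-3-513
S-1-5-21-1-2-3-513 GID:20000
USER_HWM 10001
GROUP_HWM 15000
truncated-entry
EOF
}

# Read records on stdin and print one finding per line (read-only check).
check_idmap_records() {
    awk '
    # Track the largest UID/GID seen, per high water mark kind.
    function note_id(tok,   kind, id) {
        if (tok !~ /^[UG]ID:[0-9]+$/) return
        kind = (substr(tok, 1, 1) == "U") ? "USER_HWM" : "GROUP_HWM"
        id = substr(tok, 5) + 0
        if (id > largest[kind]) largest[kind] = id
    }
    NF == 0 { next }
    NF != 2 { bad[++nbad] = $0; next }          # invalid record
    $1 == "USER_HWM" || $1 == "GROUP_HWM" {
        if ($2 ~ /^[0-9]+$/) hwm[$1] = $2 + 0
        else bad[++nbad] = $0
        next
    }
    { n++; key[n] = $1; val[n] = $2; map[$1] = $2; note_id($1); note_id($2) }
    END {
        for (i = 1; i <= n; i++) {
            k = key[i]; v = val[i]
            if (!(v in map))                    # A->B but no record for B
                printf "missing-reverse %s -> %s\n", k, v
            else if (map[v] != k)               # A->B but B->C
                printf "invalid-mapping %s -> %s (%s -> %s)\n", k, v, v, map[v]
        }
        split("USER_HWM GROUP_HWM", kinds, " ")
        for (j = 1; j <= 2; j++) {
            h = kinds[j]
            if (!(h in largest)) continue       # no IDs of this kind seen
            if (!(h in hwm) || hwm[h] < largest[h])
                printf "invalid-hwm %s=%s largest=%d fix=%d\n", h,
                       ((h in hwm) ? hwm[h] : "missing"), largest[h], largest[h] + 1
        }
        for (i = 1; i <= nbad; i++) printf "invalid-record %s\n", bad[i]
    }
    '
}
```

Run it as "sample_idmap_records | check_idmap_records"; a consistent record set produces no output.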

USERSHARE
Starting with version 3.0.23, a Samba server now supports the ability
for non-root users to add user defined shares to be exported using the
"net usershare" commands.

To set this up, first set up your smb.conf by adding to the [global]
section:

    usershare path = /usr/local/samba/lib/usershares

Next create the directory /usr/local/samba/lib/usershares, change the
owner to root and set the group owner to the UNIX group who should have
the ability to create usershares, for example a group called
"serverops". Set the permissions on /usr/local/samba/lib/usershares to
01770 (owner and group all access, no access for others, plus the
sticky bit, which means that a file in that directory can be renamed or
deleted only by the owner of the file). Finally, tell smbd how many
usershares you will allow by adding to the [global] section of smb.conf
a line such as:

    usershare max shares = 100

to allow 100 usershare definitions. Now, members of the UNIX group
"serverops" can create user defined shares on demand using the commands
below.

The usershare commands are:
net usershare add sharename path [comment [acl] [guest_ok=[y|n]]] -
to add or change a user defined share.
net usershare delete sharename - to delete a user defined share.
net usershare info [-l|--long] [wildcard sharename] - to print info
about a user defined share.
net usershare list [-l|--long] [wildcard sharename] - to list user
defined shares.

USERSHARE ADD sharename path [comment] [acl] [guest_ok=[y|n]]
Add or replace a new user defined share, with name "sharename".

"path" specifies the absolute pathname on the system to be exported.
Restrictions may be put on this, see the global smb.conf parameters:
"usershare owner only", "usershare prefix allow list", and "usershare
prefix deny list".

The optional "comment" parameter is the comment that will appear on the
share when browsed to by a client.

The optional "acl" field specifies which users have read and write
access to the entire share. Note that guest connections are not allowed
unless the smb.conf parameter "usershare allow guests" has been set.
The definition of a user defined share acl is: "user:permission", where
user is a valid username on the system and permission can be "F", "R",
or "D". "F" stands for "full permissions", i.e. read and write
permissions. "D" stands for "deny" for a user, i.e. prevent this user
from accessing this share. "R" stands for "read only", i.e. only allow
read access to this share (no creation of new files or directories or
writing to files).

The default if no "acl" is given is "Everyone:R", which means any
authenticated user has read-only access.

The optional "guest_ok" has the same effect as the parameter of the
same name in smb.conf, in that it allows guest access to this user
defined share. This parameter is only allowed if the global parameter
"usershare allow guests" has been set to true in the smb.conf.

There is no separate command to modify an existing user defined share,
just use the "net usershare add [sharename]" command using the same
sharename as the one you wish to modify and specify the new options you
wish. The Samba smbd daemon notices user defined share modifications at
connect time so will see the change immediately; there is no need to
restart smbd on adding, deleting or changing a user defined share.

USERSHARE DELETE sharename
Deletes the user defined share by name. The Samba smbd daemon
immediately notices this change, although it will not disconnect any
users currently connected to the deleted share.

USERSHARE INFO [-l|--long] [wildcard sharename]
Get info on user defined shares owned by the current user matching the
given pattern, or all users.

net usershare info on its own dumps out info on the user defined shares
that were created by the current user, or restricts them to share names
that match the given wildcard pattern ('*' matches one or more
characters, '?' matches only one character). If the '-l' or '--long'
option is also given, it prints out info on user defined shares created
by other users.

The information given about a share looks like:

    [foobar]
    path=/home/jeremy
    comment=testme
    usershare_acl=Everyone:F
    guest_ok=n

and is a list of the current settings of the user defined share that
can be modified by the "net usershare add" command.
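
The settings shown by "net usershare info" can be reviewed mechanically
for shares that are more open than intended. The following shell/awk
function is an added example, not part of Samba or of the original man
page. It reads output in the layout shown above and flags shares that
grant Everyone full access, allow guests, or carry an ACL permission
other than F, R or D. The sample shares are constructed, and the function
names, the comma-separated multi-entry ACL and the tolerated trailing
comma are assumptions.

```shell
#!/bin/sh
# Added example: review "net usershare info" style output for shares
# that are more open than intended. All sample data is constructed.

sample_usershare_info() {
    cat <<'EOF'
[foobar]
path=/home/jeremy
comment=testme
usershare_acl=Everyone:F
guest_ok=n

[reports]
path=/srv/reports
comment=monthly
usershare_acl=Everyone:R,alice:F
guest_ok=n

[scratch]
path=/tmp/scratch
comment=open
usershare_acl=Everyone:R
guest_ok=y

[broken]
path=/srv/x
comment=
usershare_acl=bob:W
guest_ok=n
EOF
}

# Print "<share> <finding> <detail>" for every share that grants
# Everyone full access, allows guests, or has an ACL entry whose
# permission is not one of F, R, D.
audit_usershares() {
    awk '
    function report(finding, detail) { printf "%s %s %s\n", share, finding, detail }
    function flush(   n, i, parts, ent, pos, who, perm) {
        if (share == "") return
        n = split(acl, parts, ",")
        for (i = 1; i <= n; i++) {
            ent = parts[i]
            if (ent == "") continue             # tolerate a trailing comma
            pos = match(ent, /:[^:]*$/)         # permission follows the last colon
            who = (pos > 0) ? substr(ent, 1, pos - 1) : ent
            perm = (pos > 0) ? toupper(substr(ent, pos + 1)) : ""
            if (perm != "F" && perm != "R" && perm != "D")
                report("invalid-acl", ent)
            else if (tolower(who) == "everyone" && perm == "F")
                report("everyone-full", path)
        }
        if (guest == "y") report("guest-ok", path)
    }
    /^\[.*\]$/        { flush(); share = substr($0, 2, length($0) - 2)
                        path = ""; acl = ""; guest = "n"; next }
    /^path=/          { path  = substr($0, 6);  next }
    /^usershare_acl=/ { acl   = substr($0, 15); next }
    /^guest_ok=/      { guest = tolower(substr($0, 10)); next }
    END { flush() }
    '
}
```

On a server, "net usershare info --long" piped into audit_usershares covers shares created by other users as well.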

USERSHARE LIST [-l|--long] wildcard sharename
List all the user defined shares owned by the current user matching the
given pattern, or all users.

net usershare list on its own lists the names of the user defined
shares that were created by the current user, or restricts the list to
share names that match the given wildcard pattern ('*' matches one or
more characters, '?' matches only one character). If the '-l' or
'--long' option is also given, it includes the names of user defined
shares created by other users.

[RPC] CONF
Starting with version 3.2.0, a Samba server can be configured by data
stored in registry. This configuration data can be edited with the new
"net conf" commands. There is also the possibility to configure a
remote Samba server by enabling the RPC conf mode and specifying the
address of the remote server.

The deployment of this configuration data can be activated in two
levels from the smb.conf file: Share definitions from registry are
activated by setting registry shares to “yes” in the [global] section
and global configuration options are activated by setting include =
registry in the [global] section for a mixed configuration or by
setting config backend = registry in the [global] section for a
registry-only configuration. See the smb.conf(5) manpage for details.

The conf commands are:
net [rpc] conf list - Dump the complete configuration in smb.conf
like format.
net [rpc] conf import - Import configuration from file in smb.conf
format.
net [rpc] conf listshares - List the registry shares.
net [rpc] conf drop - Delete the complete configuration from
registry.
net [rpc] conf showshare - Show the definition of a registry share.
net [rpc] conf addshare - Create a new registry share.
net [rpc] conf delshare - Delete a registry share.
net [rpc] conf setparm - Store a parameter.
net [rpc] conf getparm - Retrieve the value of a parameter.
net [rpc] conf delparm - Delete a parameter.
net [rpc] conf getincludes - Show the includes of a share
definition.
net [rpc] conf setincludes - Set includes for a share.
net [rpc] conf delincludes - Delete includes from a share
definition.

[RPC] CONF LIST
Print the configuration data stored in the registry in a smb.conf-like
format to standard output.

[RPC] CONF IMPORT [--test|-T] filename [section]
This command imports configuration from a file in smb.conf format. If a
section encountered in the input file is present in registry, its
contents are replaced. Sections of registry configuration that have no
counterpart in the input file are not affected. If you want to delete
these, you will have to use the "net conf drop" or "net conf delshare"
commands. Optionally, a section may be specified to restrict the effect
of the import command to that specific section. A test mode is enabled
by specifying the parameter "-T" on the command line. In test mode, no
changes are made to the registry, and the resulting configuration is
printed to standard output instead.

[RPC] CONF LISTSHARES
List the names of the shares defined in registry.

[RPC] CONF DROP
Delete the complete configuration data from registry.

[RPC] CONF SHOWSHARE sharename
Show the definition of the share or section specified. It is valid to
specify "global" as sharename to retrieve the global configuration
options from registry.

[RPC] CONF ADDSHARE sharename path [writeable={y|N} [guest_ok={y|N}
[comment]]]
Create a new share definition in registry. The sharename and path have
to be given. The share name may not be "global". Optionally, values for
the very common options "writeable", "guest ok" and a "comment" may be
specified. The same result may be obtained by a sequence of "net conf
setparm" commands.

[RPC] CONF DELSHARE sharename
Delete a share definition from registry.

[RPC] CONF SETPARM section parameter value
Store a parameter in registry. The section may be global or a
sharename. The section is created if it does not exist yet.

[RPC] CONF GETPARM section parameter
Show a parameter stored in registry.

[RPC] CONF DELPARM section parameter
Delete a parameter stored in registry.

[RPC] CONF GETINCLUDES section
Get the list of includes for the provided section (global or share).

Note that due to the nature of the registry database and the nature of
include directives, the includes need special treatment: Parameters are
stored in registry by the parameter name as valuename, so there is only
ever one instance of a parameter per share. Also, a specific order like
in a text file is not guaranteed. For all real parameters, this is
perfectly ok, but the include directive is rather a meta parameter, for
which, in the smb.conf text file, the place where it is specified
between the other parameters is very important. This cannot be
achieved by the simple registry smbconf data model, so there is one
ordered list of includes per share, and this list is evaluated after
all the parameters of the share.

Further note that currently, only files can be included from registry
configuration. In the future, there will be the ability to include
configuration data from other registry keys.

[RPC] CONF SETINCLUDES section [filename]+
Set the list of includes for the provided section (global or share) to
the given list of one or more filenames. The filenames may contain the
usual smb.conf macros like %I.

[RPC] CONF DELINCLUDES section
Delete the list of includes from the provided section (global or
share).

REGISTRY
Manipulate Samba's registry.

The registry commands are:
net registry enumerate - Enumerate registry keys and values.
net registry enumerate_recursive - Enumerate registry key and its
subkeys.
net registry createkey - Create a new registry key.
net registry deletekey - Delete a registry key.
net registry deletekey_recursive - Delete a registry key with
subkeys.
net registry getvalue - Print a registry value.
net registry getvalueraw - Print a registry value (raw format).
net registry setvalue - Set a new registry value.
net registry increment - Increment a DWORD registry value under a
lock.
net registry deletevalue - Delete a registry value.
net registry getsd - Get security descriptor.
net registry getsd_sddl - Get security descriptor in sddl format.
net registry setsd_sddl - Set security descriptor from sddl format
string.
net registry import - Import a registration entries (.reg)
file.
net registry export - Export a registration entries (.reg)
file.
net registry convert - Convert a registration entries (.reg)
file.
net registry check - Check and repair a registry database.

REGISTRY ENUMERATE key
Enumerate subkeys and values of key.

REGISTRY ENUMERATE_RECURSIVE key
Enumerate values of key and its subkeys.

REGISTRY CREATEKEY key
Create a new key if not yet existing.

REGISTRY DELETEKEY key
Delete the given key and its values from the registry, if it has no
subkeys.

REGISTRY DELETEKEY_RECURSIVE key
Delete the given key and all of its subkeys and values from the
registry.

REGISTRY GETVALUE key name
Output type and actual value of the value name of the given key.

REGISTRY GETVALUERAW key name
Output the actual value of the value name of the given key.

REGISTRY SETVALUE key name type value ...
Set the value name of an existing key. type may be one of sz, multi_sz
or dword. In case of multi_sz value may be given multiple times.

REGISTRY INCREMENT key name [inc]
Increment the DWORD value name of key by inc while holding a g_lock.
inc defaults to 1.

REGISTRY DELETEVALUE key name
Delete the value name of the given key.

REGISTRY GETSD key
Get the security descriptor of the given key.

REGISTRY GETSD_SDDL key
Get the security descriptor of the given key as a Security Descriptor
Definition Language (SDDL) string.

REGISTRY SETSD_SDDL key sd
Set the security descriptor of the given key from a Security Descriptor
Definition Language (SDDL) string sd.

REGISTRY IMPORT file [--precheck <check-file>] [opt]
Import a registration entries (.reg) file.

The following options are available:

--precheck check-file
This is a mechanism to check the existence or non-existence of
certain keys or values specified in a precheck file before applying
the import file. The import file will only be applied if the
precheck succeeds.

The check-file follows the normal registry file syntax with the
following semantics:

· <value name>=<value> checks whether the value exists and
has the given value.

· <value name>=- checks whether the value does not exist.

· [key] checks whether the key exists.

· [-key] checks whether the key does not exist.

REGISTRY EXPORT key file [opt]
Export a key to a registration entries (.reg) file.

REGISTRY CONVERT in out [[inopt] outopt]
Convert a registration entries (.reg) file in.

REGISTRY CHECK [-ravTl] [-o <ODB>] [--wipe] [<DB>]
Check and repair the registry database. If no option is given a read
only check of the database is done. Among others an interactive or
automatic repair mode may be chosen with one of the following options:

-r|--repair
Interactive repair mode, ask a lot of questions.

-a|--auto
Noninteractive repair mode, use default answers.

-v|--verbose
Produce more output.

-T|--test
Dry run, show what changes would be made but don't touch anything.

-l|--lock
Lock the database while doing the check.

--reg-version={1,2,3}
Specify the format of the registry database. If not given it
defaults to the value of the binary or, if a registry.tdb is
explicitly stated at the command line, to the value found in the
INFO/version record.

[--db] <DB>
Check the specified database.

-o|--output <ODB>
Create a new registry database <ODB> instead of modifying the
input. If <ODB> is already existing --wipe may be used to overwrite
it.

--wipe
Replace the registry database instead of modifying the input or
overwrite an existing output database.

EVENTLOG
Starting with version 3.4.0 net can read, dump, import and export
native win32 eventlog files (usually *.evt). evt files are used by the
native Windows eventviewer tools.

The import and export of evt files can only succeed when eventlog list
is used in smb.conf file. See the smb.conf(5) manpage for details.

The eventlog commands are:
net eventlog dump - Dump an eventlog *.evt file on the screen.
net eventlog import - Import an eventlog *.evt into the samba
internal tdb based representation of eventlogs.
net eventlog export - Export the samba internal tdb based
representation of eventlogs into an eventlog *.evt file.

EVENTLOG DUMP filename
Prints an eventlog *.evt file to standard output.

EVENTLOG IMPORT filename eventlog
Imports an eventlog *.evt file defined by filename into the samba
internal tdb representation of eventlog defined by eventlog. eventlog
needs to be part of the eventlog list defined in smb.conf. See the
smb.conf(5) manpage for details.

EVENTLOG EXPORT filename eventlog
Exports the samba internal tdb representation of eventlog defined by
eventlog to an eventlog *.evt file defined by filename. eventlog needs
to be part of the eventlog list defined in smb.conf. See the
smb.conf(5) manpage for details.

DOM
Starting with version 3.2.0 Samba has support for remote join and
unjoin APIs, both client and server-side. Windows has supported remote
join capabilities since Windows 2000.

In order for Samba to be joined or unjoined remotely an account must be
used that is either a member of the Domain Admins group, a member of
the local Administrators group or a user that is granted the
SeMachineAccountPrivilege privilege.

The client side support for remote join is implemented in the net dom
commands which are:
net dom join - Join a remote computer into a domain.
net dom unjoin - Unjoin a remote computer from a domain.
net dom renamecomputer - Renames a remote computer joined to a
domain.

DOM JOIN domain=DOMAIN ou=OU account=ACCOUNT password=PASSWORD reboot
Joins a computer into a domain. This command supports the following
additional parameters:

· DOMAIN can be a NetBIOS domain name (also known as short
domain name) or a DNS domain name for Active Directory
Domains. As in Windows, it is also possible to control which
Domain Controller to use. This can be achieved by appending
the DC name using the \ separator character. Example:
MYDOM\MYDC. The DOMAIN parameter cannot be NULL.

· OU can be set to an RFC 1779 LDAP DN, like
ou=mymachines,cn=Users,dc=example,dc=com in order to create
the machine account in a non-default LDAP container. This
optional parameter is only supported when joining Active
Directory Domains.

· ACCOUNT defines a domain account that will be used to join
the machine to the domain. This domain account needs to have
sufficient privileges to join machines.

· PASSWORD defines the password for the domain account defined
with ACCOUNT.

· REBOOT is an optional parameter that can be set to reboot
the remote machine after successful join to the domain.

Note that you also need to use standard net parameters to connect and
authenticate to the remote machine that you want to join. These
additional parameters include: -S computer and -U user.

Example: net dom join -S xp -U XP\\administrator%secret domain=MYDOM
account=MYDOM\\administrator password=topsecret reboot.

This example would connect to a computer named XP as the local
administrator using password secret, and join the computer into a
domain called MYDOM using the MYDOM domain administrator account and
password topsecret. After successful join, the computer would reboot.

DOM UNJOIN account=ACCOUNT password=PASSWORD reboot
Unjoins a computer from a domain. This command supports the following
additional parameters:

· ACCOUNT defines a domain account that will be used to unjoin
the machine from the domain. This domain account needs to
have sufficient privileges to unjoin machines.

· PASSWORD defines the password for the domain account defined
with ACCOUNT.

· REBOOT is an optional parameter that can be set to reboot
the remote machine after successful unjoin from the domain.

Note that you also need to use standard net parameters to connect and
authenticate to the remote machine that you want to unjoin. These
additional parameters include: -S computer and -U user.

Example: net dom unjoin -S xp -U XP\\administrator%secret
account=MYDOM\\administrator password=topsecret reboot.

This example would connect to a computer named XP as the local
administrator using password secret, and unjoin the computer from the
domain using the MYDOM domain administrator account and password
topsecret. After successful unjoin, the computer would reboot.

DOM RENAMECOMPUTER newname=NEWNAME account=ACCOUNT password=PASSWORD reboot
Renames a computer that is joined to a domain. This command supports
the following additional parameters:

· NEWNAME defines the new name of the machine in the domain.

· ACCOUNT defines a domain account that will be used to rename
the machine in the domain. This domain account needs to have
sufficient privileges to rename machines.

· PASSWORD defines the password for the domain account defined
with ACCOUNT.

· REBOOT is an optional parameter that can be set to reboot
the remote machine after successful rename in the domain.

Note that you also need to use standard net parameters to connect and
authenticate to the remote machine that you want to rename in the
domain. These additional parameters include: -S computer and -U user.

Example: net dom renamecomputer -S xp -U XP\\administrator%secret
newname=XPNEW account=MYDOM\\administrator password=topsecret reboot.

This example would connect to a computer named XP as the local
administrator using password secret, and rename the joined computer to
XPNEW using the MYDOM domain administrator account and password
topsecret. After successful rename, the computer would reboot.

G_LOCK
Manage global locks.

G_LOCK DO lockname timeout command
Execute a shell command under a global lock. This might be useful to
define the order in which several shell commands will be executed. The
locking information is stored in a file called g_lock.tdb. In setups
with CTDB running, the locking information will be available on all
cluster nodes.

· LOCKNAME defines the name of the global lock.

· TIMEOUT defines the timeout.

· COMMAND defines the shell command to execute.

G_LOCK LOCKS
Print a list of all currently existing locknames.

G_LOCK DUMP lockname
Dump the locking table of a certain global lock.

TDB
Print information from tdb records.

TDB LOCKING key [DUMP]
List sharename, filename and number of share modes for a record from
locking.tdb. With the optional DUMP option, dump the complete record.

· KEY Key of the tdb record as hex string.

HELP [COMMAND]
Gives usage information for the specified command.

This man page is complete for version 3 of the Samba suite.

The original Samba software and related utilities were created by
Andrew Tridgell. Samba is now developed by the Samba Team as an Open
Source project similar to the way the Linux kernel is developed.

The net manpage was written by Jelmer Vernooij.

Samba 4.9.8 05/14/2019 NET(8)