SAMBA-TOOL(8)            System Administration tools            SAMBA-TOOL(8)

NAME
       samba-tool - Main Samba administration tool.

SYNOPSIS
       samba-tool [-h] [-W myworkgroup] [-U user] [-d debuglevel] [--v]

DESCRIPTION
       This tool is part of the samba(7) suite.

OPTIONS
       -h|--help
           Show this help message and exit

       --realm=REALM
           Set the realm name

       --simple-bind-dn=DN
           DN to use for a simple bind

       --password=PASSWORD
           Password

       -U USERNAME|--username=USERNAME
           Username

       -W WORKGROUP|--workgroup=WORKGROUP
           Workgroup

       -N|--no-pass
           Don't ask for a password

       -k KERBEROS|--kerberos=KERBEROS
           Use Kerberos

       --ipaddress=IPADDRESS
           IP address of the server

       -d|--debuglevel=level
           level is an integer from 0 to 10. The default value if this
           parameter is not specified is 1.

           The higher this value, the more detail will be logged to the log
           files about the activities of the server. At level 0, only critical
           errors and serious warnings will be logged. Level 1 is a reasonable
           level for day-to-day running - it generates a small amount of
           information about operations carried out.

           Levels above 1 will generate considerable amounts of log data, and
           should only be used when investigating a problem. Levels above 3
           are designed for use only by developers and generate HUGE amounts
           of log data, most of which is extremely cryptic.

           Note that specifying this parameter here will override the log
           level parameter in the smb.conf file.

       -V|--version
           Prints the program version number.

       -s|--configfile=<configuration file>
           The file specified contains the configuration details required by
           the server. The information in this file includes server-specific
           information such as what printcap file to use, as well as
           descriptions of all the services that the server is to provide. See
           smb.conf for more information. The default configuration file name
           is determined at compile time.

       -l|--log-basename=logdirectory
           Base directory name for log/debug files. The extension ".progname"
           will be appended (e.g. log.smbclient, log.smbd, etc...). The log
           file is never removed by the client.

       --option=<name>=<value>
           Set the smb.conf(5) option "<name>" to value "<value>" from the
           command line. This overrides compiled-in defaults and options read
           from the configuration file.

COMMANDS
   computer create computername [options]
       Create a new computer in the Active Directory Domain.

       The new computer name specified on the command is the sAMAccountName,
       with or without the trailing dollar sign.

       --computerou=COMPUTEROU
           DN of alternative location (with or without domainDN counterpart)
           to default CN=Computers in which new computer object will be
           created. E.g. 'OU=OUname'.

       --description=DESCRIPTION
           The new computer's description.

       --ip-address=IP_ADDRESS_LIST
           IPv4 address for the computer's A record, or IPv6 address for AAAA
           record, can be provided multiple times.

       --service-principal-name=SERVICE_PRINCIPAL_NAME_LIST
           Computer's Service Principal Name, can be provided multiple times.

       --prepare-oldjoin
           Prepare enabled machine account for oldjoin mechanism.

   computer delete computername [options]
       Delete an existing computer account.

       The computer name specified on the command is the sAMAccountName, with
       or without the trailing dollar sign.

   computer list
       List all computers.

   computer move computername new_parent_dn [options]
       This command moves a computer account into the specified organizational
       unit or container.

       The computername specified on the command is the sAMAccountName, with
       or without the trailing dollar sign.

       The name of the organizational unit or container can be specified as a
       full DN or without the domainDN component.

   computer show computername [options]
       Display a computer AD object.

       The computer name specified on the command is the sAMAccountName, with
       or without the trailing dollar sign.

       --attributes=USER_ATTRS
           Comma separated list of attributes, which will be printed.

   dbcheck
       Check the local AD database for errors.

   delegation
       Manage Delegations.

   delegation add-service accountname principal [options]
       Add a service principal as msDS-AllowedToDelegateTo.

   delegation del-service accountname principal [options]
       Delete a service principal as msDS-AllowedToDelegateTo.

   delegation for-any-protocol accountname [(on|off)] [options]
       Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy) for an
       account.

   delegation for-any-service accountname [(on|off)] [options]
       Set/unset UF_TRUSTED_FOR_DELEGATION for an account.

   delegation show accountname [options]
       Show the delegation setting of an account.

   dns
       Manage Domain Name Service (DNS).

   dns add server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
       Add a DNS record.

   dns delete server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
       Delete a DNS record.

   dns query server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT|ALL [options] data
       Query a name.

   dns roothints server [name] [options]
       Query root hints.

   dns serverinfo server [options]
       Query server information.

   dns update server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT olddata newdata
       Update a DNS record.

   dns zonecreate server zone [options]
       Create a zone.

   dns zonedelete server zone [options]
       Delete a zone.

   dns zoneinfo server zone [options]
       Query zone information.

   dns zonelist server [options]
       List zones.

   domain
       Manage Domain.

   domain backup
       Create or restore a backup of the domain.

   domain backup online
       Copy a running DC's current DB into a backup tar file.

   domain backup rename
       Copy a running DC's DB to backup file, renaming the domain in the
       process.

   domain backup restore
       Restore the domain's DB from a backup-file.

   domain classicupgrade [options] classic_smb_conf
       Upgrade from Samba classic (NT4-like) database to Samba AD DC database.

   domain dcpromo dnsdomain [DC|RODC] [options]
       Promote an existing domain member or NT4 PDC to an AD DC.

   domain demote
       Demote ourselves from the role of domain controller.

   domain exportkeytab keytab [options]
       Dumps Kerberos keys of the domain into a keytab.

   domain info ip_address [options]
       Print basic info about a domain and the specified DC.

   domain join dnsdomain [DC|RODC|MEMBER|SUBDOMAIN] [options]
       Join a domain as either member or backup domain controller.

   domain level show|raise options [options]
       Show/raise domain and forest function levels.

   domain passwordsettings show|set options [options]
       Show/set password settings.

   domain passwordsettings pso
       Manage fine-grained Password Settings Objects (PSOs).

   domain passwordsettings pso apply pso-name user-or-group-name [options]
       Applies a PSO's password policy to a user or group.

   domain passwordsettings pso create pso-name precedence [options]
       Creates a new Password Settings Object (PSO).

   domain passwordsettings pso delete pso-name [options]
       Deletes a Password Settings Object (PSO).

   domain passwordsettings pso list [options]
       Lists all Password Settings Objects (PSOs).

   domain passwordsettings pso set pso-name [options]
       Modifies a Password Settings Object (PSO).

   domain passwordsettings pso show user-name [options]
       Displays a Password Settings Object (PSO).

   domain passwordsettings pso show-user pso-name [options]
       Displays the Password Settings that apply to a user.

   domain passwordsettings pso unapply pso-name user-or-group-name [options]
       Updates a PSO to no longer apply to a user or group.

   domain provision
       Promote an existing domain member or NT4 PDC to an AD DC.

   domain trust
       Domain and forest trust management.

   domain trust create DOMAIN options [options]
       Create a domain or forest trust.

   domain trust delete DOMAIN options [options]
       Delete a domain trust.

   domain trust list options [options]
       List domain trusts.

   domain trust namespaces [DOMAIN] options [options]
       Manage forest trust namespaces.

   domain trust show DOMAIN options [options]
       Show trusted domain details.

   domain trust validate DOMAIN options [options]
       Validate a domain trust.

   drs
       Manage Directory Replication Services (DRS).

   drs bind
       Show DRS capabilities of a server.

   drs kcc
       Trigger knowledge consistency center run.

   drs options
       Query or change options for NTDS Settings object of a domain
       controller.

   drs replicate destination_DC source_DC NC [options]
       Replicate a naming context between two DCs.

   drs showrepl
       Show replication status. The [--json] option results in JSON output,
       and with the [--summary] option produces very little output when the
       replication status seems healthy.

   dsacl
       Administer DS ACLs

   dsacl set
       Modify access list on a directory object.

   forest
       Manage Forest configuration.

   forest directory_service
       Manage directory_service behaviour for the forest.

   forest directory_service dsheuristics VALUE
       Modify dsheuristics directory_service configuration for the forest.

   forest directory_service show
       Show current directory_service configuration for the forest.

   fsmo
       Manage Flexible Single Master Operations (FSMO).

   fsmo seize [options]
       Seize the role.

   fsmo show
       Show the roles.

   fsmo transfer [options]
       Transfer the role.

   gpo
       Manage Group Policy Objects (GPO).

   gpo create displayname [options]
       Create an empty GPO.

   gpo del gpo [options]
       Delete GPO.

   gpo dellink container_dn gpo [options]
       Delete GPO link from a container.

   gpo fetch gpo [options]
       Download a GPO.

   gpo getinheritance container_dn [options]
       Get inheritance flag for a container.

   gpo getlink container_dn [options]
       List GPO Links for a container.

   gpo list username [options]
       List GPOs for an account.

   gpo listall
       List all GPOs.

   gpo listcontainers gpo [options]
       List all linked containers for a GPO.

   gpo setinheritance container_dn block|inherit [options]
       Set inheritance flag on a container.

   gpo setlink container_dn gpo [options]
       Add or Update a GPO link to a container.

   gpo show gpo [options]
       Show information for a GPO.

   group
       Manage groups.

   group add groupname [options]
       Create a new AD group.

   group addmembers groupname members [options]
       Add members to an AD group.

   group delete groupname [options]
       Delete an AD group.

   group list
       List all groups.

   group listmembers groupname [options]
       List all members of the specified AD group.

   group move groupname new_parent_dn [options]
       This command moves a group into the specified organizational unit or
       container.

       The groupname specified on the command is the sAMAccountName.

       The name of the organizational unit or container can be specified as a
       full DN or without the domainDN component.

   group removemembers groupname members [options]
       Remove members from the specified AD group.

   group show groupname [options]
       Show group object and its attributes.

   ldapcmp URL1 URL2 domain|configuration|schema|dnsdomain|dnsforest [options]
       Compare two LDAP databases.

   ntacl
       Manage NT ACLs.

   ntacl get file [options]
       Get ACLs on a file.

   ntacl set acl file [options]
       Set ACLs on a file.

   ntacl sysvolcheck
       Check sysvol ACLs match defaults (including correct ACLs on GPOs).

   ntacl sysvolreset
       Reset sysvol ACLs to defaults (including correct ACLs on GPOs).

   ou create ou_dn [options]
       Create an organizational unit.

       The name of the organizational unit can be specified as a full DN or
       without the domainDN component.

       --description=DESCRIPTION
           Specify OU's description.

   ou delete ou_dn [options]
       Delete an organizational unit.

       The name of the organizational unit can be specified as a full DN or
       without the domainDN component.

       --force-subtree-delete
           Delete organizational unit and all children recursively.

   ou list [options]
       List all organizational units.

       --full-dn
           Display DNs including the base DN.

   ou listobjects ou_dn [options]
       List all objects in an organizational unit.

       The name of the organizational unit can be specified as a full DN or
       without the domainDN component.

       --full-dn
           Display DNs including the base DN.

       -r|--recursive
           List objects recursively.

   ou move old_ou_dn new_parent_dn [options]
       Move an organizational unit.

       The name of the organizational units can be specified as a full DN or
       without the domainDN component.

   ou rename old_ou_dn new_ou_dn [options]
       Rename an organizational unit.

       The name of the organizational units can be specified as a full DN or
       without the domainDN component.

   rodc
       Manage Read-Only Domain Controller (RODC).

   rodc preload SID|DN|accountname [options]
       Preload one account for an RODC.

   schema
       Manage and query schema.

   schema attribute modify attribute [options]
       Modify the behaviour of an attribute in schema.

   schema attribute show attribute [options]
       Display an attribute schema definition.

   schema attribute show_oc attribute [options]
       Show objectclasses that MAY or MUST contain this attribute.

   schema objectclass show objectclass [options]
       Display an objectclass schema definition.

   sites
       Manage sites.

   sites create site [options]
       Create a new site.

   sites remove site [options]
       Delete an existing site.

   spn
       Manage Service Principal Names (SPN).

   spn add name user [options]
       Create a new SPN.

   spn delete name [user] [options]
       Delete an existing SPN.

   spn list user [options]
       List SPNs of a given user.

   testparm
       Check the syntax of the configuration file.

   time
       Retrieve the time on a server.

   user
       Manage users.

   user add username [password]
       Create a new user. Please note that this subcommand is deprecated and
       available for compatibility reasons only. Please use samba-tool user
       create instead.

   user create username [password]
       Create a new user in the Active Directory Domain.

   user delete username [options]
       Delete an existing user account.

   user disable username
       Disable a user account.

   user enable username
       Enable a user account.

   user list
       List all users.

   user show username [options]
       Display a user AD object.

       --attributes=USER_ATTRS
           Comma separated list of attributes, which will be printed.

   user move username new_parent_dn [options]
       This command moves a user account into the specified organizational
       unit or container.

       The username specified on the command is the sAMAccountName.

       The name of the organizational unit or container can be specified as a
       full DN or without the domainDN component.

   user password [options]
       Change password for a user account (the one provided in
       authentication).

   user setexpiry username [options]
       Set the expiration of a user account.

   user setpassword username [options]
       Sets or resets the password of a user account.

   user getpassword username [options]
       Gets the password of a user account.

   user syncpasswords --cache-ldb-initialize [options]
       Syncs the passwords of all user accounts, using an optional script.

       Note that this command should run on a single domain controller only
       (typically the PDC-emulator).

   vampire [options] domain
       Join and synchronise a remote AD domain to the local server. Please
       note that samba-tool vampire is deprecated, please use samba-tool
       domain join instead.

   visualize [options] subcommand
       Produce graphical representations of Samba network state. To work out
       what is happening in a replication graph, it is sometimes helpful to
       use visualisations.

       There are two subcommands, two graphical modes, and (roughly) two modes
       of operation with respect to the location of authority.

   MODES OF OPERATION
       samba-tool visualize ntdsconn
           Looks at NTDS connections.

       samba-tool visualize reps
           Looks at repsTo and repsFrom objects.

       samba-tool visualize uptodateness
           Looks at replication lag as shown by the uptodateness vectors.

   GRAPHICAL MODES
       --distance
           Distances between DCs are shown in a matrix in the terminal.

       --dot
           Generate Graphviz dot output (for ntdsconn and reps modes). When
           viewed using dot or xdot, this shows the network as a graph with
           DCs as vertices and connections as edges. Certain types of
           degenerate edges are shown in different colours or line-styles.

       --xdot
           Generate Graphviz dot output as with [--dot] and attempt to view it
           immediately using /usr/bin/xdot.

       -r
           Normally, samba-tool talks to one database; with the [-r] option
           attempts are made to contact all the DCs known to the first
           database. This is necessary for samba-tool visualize uptodateness
           and for samba-tool visualize reps because the repsFrom/To objects
           are not replicated, and it can reveal replication issues in other
           modes.

   help
       Gives usage information.

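The delegation subcommands above manage two userAccountControl flags and the msDS-AllowedToDelegateTo list, and those settings can be reviewed across accounts from exported records. The script below is an added example, not part of the Samba distribution: it assumes LDIF-style "attribute: value" records (such as user show prints with --attributes=sAMAccountName,userAccountControl,msDS-AllowedToDelegateTo), uses the userAccountControl bit values 0x80000 and 0x1000000 for the two flags, and runs on constructed sample records; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: audit delegation settings from LDIF-style account records.
# userAccountControl bit values:
#   UF_TRUSTED_FOR_DELEGATION                 0x00080000 = 524288
#   UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION 0x01000000 = 16777216

# Reads records on stdin (entries separated by blank lines) and prints one
# line per delegation setting found; accounts without any print nothing.
audit_delegation() {
    awk '
    function clear_entry() { name = ""; uac = 0; targets = "" }
    function emit_entry() {
        if (name != "") {
            # Test single bits with division and modulo (portable awk).
            if (int(uac / 524288) % 2)
                print name ": for-any-service (UF_TRUSTED_FOR_DELEGATION)"
            if (int(uac / 16777216) % 2)
                print name ": for-any-protocol (UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION)"
            if (targets != "")
                print name ": msDS-AllowedToDelegateTo =" targets
        }
        clear_entry()
    }
    BEGIN { clear_entry() }
    { sub(/\r$/, "") }                      # tolerate CRLF input
    /^[ \t]*$/ { emit_entry(); next }       # blank line ends an entry
    tolower($1) == "samaccountname:"           { name = $2 }
    tolower($1) == "useraccountcontrol:"       { uac = $2 + 0 }
    tolower($1) == "msds-allowedtodelegateto:" { targets = targets " " $2 }
    END { emit_entry() }
    '
}

# Constructed sample records (not real accounts).
sample_ldif() {
    cat <<'EOF'
dn: CN=websvc,CN=Users,DC=example,DC=com
sAMAccountName: websvc
userAccountControl: 16777728
msDS-AllowedToDelegateTo: HTTP/app.example.com
msDS-AllowedToDelegateTo: cifs/files.example.com

dn: CN=LEGACY01,CN=Computers,DC=example,DC=com
sAMAccountName: LEGACY01$
userAccountControl: 528384

dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
userAccountControl: 512
EOF
}

sample_ldif | audit_delegation
```

Accounts reported as for-any-service are the ones to review first, since that flag is not limited to the principals listed in msDS-AllowedToDelegateTo.
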
VERSION
       This man page is complete for version 4.9.8 of the Samba suite.

AUTHOR
       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

Samba 4.9.8                      05/14/2019                      SAMBA-TOOL(8)