1SAMBA-TOOL(8) System Administration tools SAMBA-TOOL(8)
2
6 samba-tool - Main Samba administration tool.
7
9 samba-tool [-h] [-W myworkgroup] [-U user] [-d debuglevel] [--v]
10
12 This tool is part of the samba(7) suite.
13
15 -h|--help
16 Show this help message and exit
17 --realm=REALM
19 Set the realm name
20 --simple-bind-dn=DN
22 DN to use for a simple bind
23 --password=PASSWORD
25 Password
26 -U USERNAME|--username=USERNAME
28 Username
29 -W WORKGROUP|--workgroup=WORKGROUP
31 Workgroup
32 -N|--no-pass
34 Don't ask for a password
35 -k KERBEROS|--kerberos=KERBEROS
37 Use Kerberos
38 --ipaddress=IPADDRESS
40 IP address of the server
41 -d|--debuglevel=level
43 level is an integer from 0 to 10. The default value if this
44 parameter is not specified is 1.
45 The higher this value, the more detail will be logged to the log
47 files about the activities of the server. At level 0, only critical
48 errors and serious warnings will be logged. Level 1 is a reasonable
49 level for day-to-day running - it generates a small amount of
50 information about operations carried out.
51 Levels above 1 will generate considerable amounts of log data, and
53 should only be used when investigating a problem. Levels above 3
54 are designed for use only by developers and generate HUGE amounts
55 of log data, most of which is extremely cryptic.
56 Note that specifying this parameter here will override the log
58 level parameter in the smb.conf file.
59 -V|--version
61 Prints the program version number.
62 -s|--configfile=<configuration file>
64 The file specified contains the configuration details required by
65 the server. The information in this file includes server-specific
66 information such as what printcap file to use, as well as
67 descriptions of all the services that the server is to provide. See
68 smb.conf for more information. The default configuration file name
69 is determined at compile time.
70 -l|--log-basename=logdirectory
72 Base directory name for log/debug files. The extension ".progname"
73 will be appended (e.g. log.smbclient, log.smbd, etc...). The log
74 file is never removed by the client.
75 --option=<name>=<value>
77 Set the smb.conf(5) option "<name>" to value "<value>" from the
78 command line. This overrides compiled-in defaults and options read
79 from the configuration file.
80
82 computer create computername [options]
83 Create a new computer in the Active Directory Domain.
84 The new computer name specified on the command is the sAMAccountName,
86 with or without the trailing dollar sign.
87 --computerou=COMPUTEROU
89 DN of alternative location (with or without domainDN counterpart)
90 to default CN=Computers in which new computer object will be
91 created. E.g. 'OU=OUname'.
92 --description=DESCRIPTION
94 The new computers's description.
95 --ip-address=IP_ADDRESS_LIST
97 IPv4 address for the computer's A record, or IPv6 address for AAAA
98 record, can be provided multiple times.
99 --service-principal-name=SERVICE_PRINCIPAL_NAME_LIST
101 Computer's Service Principal Name, can be provided multiple times.
102 --prepare-oldjoin
104 Prepare enabled machine account for oldjoin mechanism.
105 computer delete computername [options]
107 Delete an existing computer account.
108 The computer name specified on the command is the sAMAccountName, with
110 or without the trailing dollar sign.
111 computer list
113 List all computers.
114 computer move computername new_parent_dn [options]
116 This command moves a computer account into the specified organizational
117 unit or container.
118 The computername specified on the command is the sAMAccountName, with
120 or without the trailing dollar sign.
121 The name of the organizational unit or container can be specified as a
123 full DN or without the domainDN component.
124 computer show computername [options]
126 Display a computer AD object.
127 The computer name specified on the command is the sAMAccountName, with
129 or without the trailing dollar sign.
130 --attributes=USER_ATTRS
132 Comma separated list of attributes, which will be printed.
133 dbcheck
135 Check the local AD database for errors.
136 delegation
138 Manage Delegations.
139 delegation add-service accountname principal [options]
141 Add a service principal as msDS-AllowedToDelegateTo.
142 delegation del-service accountname principal [options]
144 Delete a service principal as msDS-AllowedToDelegateTo.
145 delegation for-any-protocol accountname [(on|off)] [options]
147 Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy) for an
148 account.
149 delegation for-any-service accountname [(on|off)] [options]
151 Set/unset UF_TRUSTED_FOR_DELEGATION for an account.
152 delegation show accountname [options]
154 Show the delegation setting of an account.
155 dns
157 Manage Domain Name Service (DNS).
158 dns add server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
160 Add a DNS record.
161 dns delete server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
163 Delete a DNS record.
164 dns query server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT|ALL [options]
166 data
167 Query a name.
168 dns roothints server [name] [options]
170 Query root hints.
171 dns serverinfo server [options]
173 Query server information.
174 dns update server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT olddata newdata
176 Update a DNS record.
177 dns zonecreate server zone [options]
179 Create a zone.
180 dns zonedelete server zone [options]
182 Delete a zone.
183 dns zoneinfo server zone [options]
185 Query zone information.
186 dns zonelist server [options]
188 List zones.
189 domain
191 Manage Domain.
192 domain backup
194 Create or restore a backup of the domain.
195 domain backup offline
197 Backup (with proper locking) local domain directories into a tar file.
198 domain backup online
200 Copy a running DC's current DB into a backup tar file.
201 domain backup rename
203 Copy a running DC's DB to backup file, renaming the domain in the
204 process.
205 domain backup restore
207 Restore the domain's DB from a backup-file.
208 domain classicupgrade [options] classic_smb_conf
210 Upgrade from Samba classic (NT4-like) database to Samba AD DC database.
211 domain dcpromo dnsdomain [DC|RODC] [options]
213 Promote an existing domain member or NT4 PDC to an AD DC.
214 domain demote
216 Demote ourselves from the role of domain controller.
217 domain exportkeytab keytab [options]
219 Dumps Kerberos keys of the domain into a keytab.
220 domain info ip_address [options]
222 Print basic info about a domain and the specified DC.
223 domain join dnsdomain [DC|RODC|MEMBER|SUBDOMAIN] [options]
225 Join a domain as either member or backup domain controller.
226 domain level show|raise options [options]
228 Show/raise domain and forest function levels.
229 domain passwordsettings show|set options [options]
231 Show/set password settings.
232 domain passwordsettings pso
234 Manage fine-grained Password Settings Objects (PSOs).
235 domain passwordsettings pso apply pso-name user-or-group-name [options]
237 Applies a PSO's password policy to a user or group.
238 domain passwordsettings pso create pso-name precedence [options]
240 Creates a new Password Settings Object (PSO).
241 domain passwordsettings pso delete pso-name [options]
243 Deletes a Password Settings Object (PSO).
244 domain passwordsettings pso list [options]
246 Lists all Password Settings Objects (PSOs).
247 domain passwordsettings pso set pso-name [options]
249 Modifies a Password Settings Object (PSO).
250 domain passwordsettings pso show user-name [options]
252 Displays a Password Settings Object (PSO).
253 domain passwordsettings pso show-user pso-name [options]
255 Displays the Password Settings that apply to a user.
256 domain passwordsettings pso unapply pso-name user-or-group-name [options]
258 Updates a PSO to no longer apply to a user or group.
259 domain provision
261 Promote an existing domain member or NT4 PDC to an AD DC.
262 domain trust
264 Domain and forest trust management.
265 domain trust create DOMAIN options [options]
267 Create a domain or forest trust.
268 domain trust delete DOMAIN options [options]
270 Delete a domain trust.
271 domain trust list options [options]
273 List domain trusts.
274 domain trust namespaces [DOMAIN] options [options]
276 Manage forest trust namespaces.
277 domain trust show DOMAIN options [options]
279 Show trusted domain details.
280 domain trust validate DOMAIN options [options]
282 Validate a domain trust.
283 drs
285 Manage Directory Replication Services (DRS).
286 drs bind
288 Show DRS capabilities of a server.
289 drs kcc
291 Trigger knowledge consistency center run.
292 drs options
294 Query or change options for NTDS Settings object of a domain
295 controller.
296 drs replicate destination_DC source_DC NC [options]
298 Replicate a naming context between two DCs.
299 drs showrepl
301 Show replication status. The [--json] option results in JSON output,
302 and with the [--summary] option produces very little output when the
303 replication status seems healthy.
304 dsacl
306 Administer DS ACLs
307 dsacl set
309 Modify access list on a directory object.
310 forest
312 Manage Forest configuration.
313 forest directory_service
315 Manage directory_service behaviour for the forest.
316 forest directory_service dsheuristics VALUE
318 Modify dsheuristics directory_service configuration for the forest.
319 forest directory_service show
321 Show current directory_service configuration for the forest.
322 fsmo
324 Manage Flexible Single Master Operations (FSMO).
325 fsmo seize [options]
327 Seize the role.
328 fsmo show
330 Show the roles.
331 fsmo transfer [options]
333 Transfer the role.
334 gpo
336 Manage Group Policy Objects (GPO).
337 gpo create displayname [options]
339 Create an empty GPO.
340 gpo del gpo [options]
342 Delete GPO.
343 gpo dellink container_dn gpo [options]
345 Delete GPO link from a container.
346 gpo fetch gpo [options]
348 Download a GPO.
349 gpo getinheritance container_dn [options]
351 Get inheritance flag for a container.
352 gpo getlink container_dn [options]
354 List GPO Links for a container.
355 gpo list username [options]
357 List GPOs for an account.
358 gpo listall
360 List all GPOs.
361 gpo listcontainers gpo [options]
363 List all linked containers for a GPO.
364 gpo setinheritance container_dn block|inherit [options]
366 Set inheritance flag on a container.
367 gpo setlink container_dn gpo [options]
369 Add or Update a GPO link to a container.
370 gpo show gpo [options]
372 Show information for a GPO.
373 group
375 Manage groups.
376 group add groupname [options]
378 Create a new AD group.
379 group addmembers groupname members [options]
381 Add members to an AD group.
382 group delete groupname [options]
384 Delete an AD group.
385 group list
387 List all groups.
388 group listmembers groupname [options]
390 List all members of the specified AD group.
391 group move groupname new_parent_dn [options]
393 This command moves a group into the specified organizational unit or
394 container.
395 The groupname specified on the command is the sAMAccountName.
397 The name of the organizational unit or container can be specified as a
399 full DN or without the domainDN component.
400 group removemembers groupname members [options]
402 Remove members from the specified AD group.
403 group show groupname [options]
405 Show group object and it's attributes.
406 group stats [options]
408 Show statistics for overall groups and group memberships.
409 ldapcmp URL1 URL2 domain|configuration|schema|dnsdomain|dnsforest [options]
411 Compare two LDAP databases.
412 ntacl
414 Manage NT ACLs.
415 ntacl get file [options]
417 Get ACLs on a file.
418 ntacl set acl file [options]
420 Set ACLs on a file.
421 ntacl sysvolcheck
423 Check sysvol ACLs match defaults (including correct ACLs on GPOs).
424 ntacl sysvolreset
426 Reset sysvol ACLs to defaults (including correct ACLs on GPOs).
427 ou create ou_dn [options]
429 Create an organizational unit.
430 The name of the organizational unit can be specified as a full DN or
432 without the domainDN component.
433 --description=DESCRIPTION
435 Specify OU's description.
436 ou delete ou_dn [options]
438 Delete an organizational unit.
439 The name of the organizational unit can be specified as a full DN or
441 without the domainDN component.
442 --force-subtree-delete
444 Delete organizational unit and all children reclusively.
445 ou list [options]
447 List all organizational units.
448 --full-dn
450 Display DNs including the base DN.
451 ou listobjects ou_dn [options]
453 List all objects in an organizational unit.
454 The name of the organizational unit can be specified as a full DN or
456 without the domainDN component.
457 --full-dn
459 Display DNs including the base DN.
460 -r|--recursive
462 List objects recursively.
463 ou move old_ou_dn new_parent_dn [options]
465 Move an organizational unit.
466 The name of the organizational units can be specified as a full DN or
468 without the domainDN component.
469 ou rename old_ou_dn new_ou_dn [options]
471 Rename an organizational unit.
472 The name of the organizational units can be specified as a full DN or
474 without the domainDN component.
475 rodc
477 Manage Read-Only Domain Controller (RODC).
478 rodc preload SID|DN|accountname [options]
480 Preload one account for an RODC.
481 schema
483 Manage and query schema.
484 schema attribute modify attribute [options]
486 Modify the behaviour of an attribute in schema.
487 schema attribute show attribute [options]
489 Display an attribute schema definition.
490 schema attribute show_oc attribute [options]
492 Show objectclasses that MAY or MUST contain this attribute.
493 schema objectclass show objectclass [options]
495 Display an objectclass schema definition.
496 sites
498 Manage sites.
499 sites create site [options]
501 Create a new site.
502 sites remove site [options]
504 Delete an existing site.
505 spn
507 Manage Service Principal Names (SPN).
508 spn add name user [options]
510 Create a new SPN.
511 spn delete name [user] [options]
513 Delete an existing SPN.
514 spn list user [options]
516 List SPNs of a given user.
517 testparm
519 Check the syntax of the configuration file.
520 time
522 Retrieve the time on a server.
523 user
525 Manage users.
526 user add username [password]
528 Create a new user. Please note that this subcommand is deprecated and
529 available for compatibility reasons only. Please use samba-tool user
530 create instead.
531 user create username [password]
533 Create a new user in the Active Directory Domain.
534 user delete username [options]
536 Delete an existing user account.
537 user disable username
539 Disable an user account.
540 user enable username
542 Enable an user account.
543 user list
545 List all users.
546 user show username [options]
548 Display a user AD object.
549 --attributes=USER_ATTRS
551 Comma separated list of attributes, which will be printed.
552 user move username new_parent_dn [options]
554 This command moves a user account into the specified organizational
555 unit or container.
556 The username specified on the command is the sAMAccountName.
558 The name of the organizational unit or container can be specified as a
560 full DN or without the domainDN component.
561 user password [options]
563 Change password for an user account (the one provided in
564 authentication).
565 user setexpiry username [options]
567 Set the expiration of an user account.
568 user setpassword username [options]
570 Sets or resets the password of an user account.
571 user getpassword username [options]
573 Gets the password of an user account.
574 user syncpasswords --cache-ldb-initialize [options]
576 Syncs the passwords of all user accounts, using an optional script.
577 Note that this command should run on a single domain controller only
579 (typically the PDC-emulator).
580 vampire [options] domain
582 Join and synchronise a remote AD domain to the local server. Please
583 note that samba-tool vampire is deprecated, please use samba-tool
584 domain join instead.
585 visualize [options] subcommand
587 Produce graphical representations of Samba network state. To work out
588 what is happening in a replication graph, it is sometimes helpful to
589 use visualisations.
590 There are two subcommands, two graphical modes, and (roughly) two modes
592 of operation with respect to the location of authority.
593 MODES OF OPERATION
595 samba-tool visualize ntdsconn
596 Looks at NTDS connections.
597 samba-tool visualize reps
599 Looks at repsTo and repsFrom objects.
600 samba-tool visualize uptodateness
602 Looks at replication lag as shown by the uptodateness vectors.
603 GRAPHICAL MODES
605 --distance
606 Distances between DCs are shown in a matrix in the terminal.
607 --dot
609 Generate Graphviz dot output (for ntdsconn and reps modes). When
610 viewed using dot or xdot, this shows the network as a graph with
611 DCs as vertices and connections edges. Certain types of degenerate
612 edges are shown in different colours or line-styles.
613 --xdot
615 Generate Graphviz dot output as with [--dot] and attempt to view it
616 immediately using /usr/bin/xdot.
617 -r
619 Normally, samba-tool talks to one database; with the [-r] option
620 attempts are made to contact all the DCs known to the first
621 database. This is necessary for samba-tool visualize uptodateness
622 and for samba-tool visualize reps because the repsFrom/To objects
623 are not replicated, and it can reveal replication issues in other
624 modes.
625 help
627 Gives usage information.
628
630 This man page is complete for version 4.10.4 of the Samba suite.
631
633 The original Samba software and related utilities were created by
634 Andrew Tridgell. Samba is now developed by the Samba Team as an Open
635 Source project similar to the way the Linux kernel is developed.
636Samba 4.10.4 05/28/2019 SAMBA-TOOL(8)