SAMBA-TOOL(8)             System Administration tools            SAMBA-TOOL(8)

NAME

       samba-tool - Main Samba administration tool.

SYNOPSIS

       samba-tool [-h] [-W myworkgroup] [-U user] [-d debuglevel] [--v]

DESCRIPTION

       This tool is part of the samba(7) suite.

OPTIONS

       -h|--help
           Show this help message and exit

       --realm=REALM
           Set the realm name

       --simple-bind-dn=DN
           DN to use for a simple bind

       --password=PASSWORD
           Password

       -U USERNAME|--username=USERNAME
           Username

       -W WORKGROUP|--workgroup=WORKGROUP
           Workgroup

       -N|--no-pass
           Don't ask for a password

       -k KERBEROS|--kerberos=KERBEROS
           Use Kerberos

       --ipaddress=IPADDRESS
           IP address of the server

       -d|--debuglevel=level
           level is an integer from 0 to 10. The default value if this
           parameter is not specified is 1.

           The higher this value, the more detail will be logged to the log
           files about the activities of the server. At level 0, only critical
           errors and serious warnings will be logged. Level 1 is a reasonable
           level for day-to-day running - it generates a small amount of
           information about operations carried out.

           Levels above 1 will generate considerable amounts of log data, and
           should only be used when investigating a problem. Levels above 3
           are designed for use only by developers and generate HUGE amounts
           of log data, most of which is extremely cryptic.

           Note that specifying this parameter here will override the log
           level parameter in the smb.conf file.

       -V|--version
           Prints the program version number.

       -s|--configfile=<configuration file>
           The file specified contains the configuration details required by
           the server. The information in this file includes server-specific
           information such as what printcap file to use, as well as
           descriptions of all the services that the server is to provide. See
           smb.conf for more information. The default configuration file name
           is determined at compile time.

       -l|--log-basename=logdirectory
           Base directory name for log/debug files. The extension ".progname"
           will be appended (e.g. log.smbclient, log.smbd, etc...). The log
           file is never removed by the client.

       --option=<name>=<value>
           Set the smb.conf(5) option "<name>" to value "<value>" from the
           command line. This overrides compiled-in defaults and options read
           from the configuration file.

COMMANDS

   computer create computername [options]
       Create a new computer in the Active Directory Domain.

       The new computer name specified on the command is the sAMAccountName,
       with or without the trailing dollar sign.

       --computerou=COMPUTEROU
           DN of alternative location (with or without domainDN counterpart)
           to default CN=Computers in which new computer object will be
           created. E.g. 'OU=OUname'.

       --description=DESCRIPTION
           The new computer's description.

       --ip-address=IP_ADDRESS_LIST
           IPv4 address for the computer's A record, or IPv6 address for AAAA
           record, can be provided multiple times.

       --service-principal-name=SERVICE_PRINCIPAL_NAME_LIST
           Computer's Service Principal Name, can be provided multiple times.

       --prepare-oldjoin
           Prepare enabled machine account for oldjoin mechanism.

   computer delete computername [options]
       Delete an existing computer account.

       The computer name specified on the command is the sAMAccountName, with
       or without the trailing dollar sign.

   computer list
       List all computers.

   computer move computername new_parent_dn [options]
       This command moves a computer account into the specified organizational
       unit or container.

       The computername specified on the command is the sAMAccountName, with
       or without the trailing dollar sign.

       The name of the organizational unit or container can be specified as a
       full DN or without the domainDN component.

   computer show computername [options]
       Display a computer AD object.

       The computer name specified on the command is the sAMAccountName, with
       or without the trailing dollar sign.

       --attributes=USER_ATTRS
           Comma separated list of attributes, which will be printed.

   dbcheck
       Check the local AD database for errors.

   delegation
       Manage Delegations.

   delegation add-service accountname principal [options]
       Add a service principal as msDS-AllowedToDelegateTo.

   delegation del-service accountname principal [options]
       Delete a service principal as msDS-AllowedToDelegateTo.

   delegation for-any-protocol accountname [(on|off)] [options]
       Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy) for an
       account.

   delegation for-any-service accountname [(on|off)] [options]
       Set/unset UF_TRUSTED_FOR_DELEGATION for an account.

   delegation show accountname [options]
       Show the delegation setting of an account.

   dns
       Manage Domain Name Service (DNS).

   dns add server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
       Add a DNS record.

   dns delete server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
       Delete a DNS record.

   dns query server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT|ALL [options]
       data
       Query a name.

   dns roothints server [name] [options]
       Query root hints.

   dns serverinfo server [options]
       Query server information.

   dns update server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT olddata newdata
       Update a DNS record.

   dns zonecreate server zone [options]
       Create a zone.

   dns zonedelete server zone [options]
       Delete a zone.

   dns zoneinfo server zone [options]
       Query zone information.

   dns zonelist server [options]
       List zones.

   domain
       Manage Domain.

   domain backup
       Create or restore a backup of the domain.

   domain backup offline
       Backup (with proper locking) local domain directories into a tar file.

   domain backup online
       Copy a running DC's current DB into a backup tar file.

   domain backup rename
       Copy a running DC's DB to backup file, renaming the domain in the
       process.

   domain backup restore
       Restore the domain's DB from a backup-file.

   domain classicupgrade [options] classic_smb_conf
       Upgrade from Samba classic (NT4-like) database to Samba AD DC database.

   domain dcpromo dnsdomain [DC|RODC] [options]
       Promote an existing domain member or NT4 PDC to an AD DC.

   domain demote
       Demote ourselves from the role of domain controller.

   domain exportkeytab keytab [options]
       Dumps Kerberos keys of the domain into a keytab.

   domain info ip_address [options]
       Print basic info about a domain and the specified DC.

   domain join dnsdomain [DC|RODC|MEMBER|SUBDOMAIN] [options]
       Join a domain as either member or backup domain controller.

   domain level show|raise options [options]
       Show/raise domain and forest function levels.

   domain passwordsettings show|set options [options]
       Show/set password settings.

   domain passwordsettings pso
       Manage fine-grained Password Settings Objects (PSOs).

   domain passwordsettings pso apply pso-name user-or-group-name [options]
       Applies a PSO's password policy to a user or group.

   domain passwordsettings pso create pso-name precedence [options]
       Creates a new Password Settings Object (PSO).

   domain passwordsettings pso delete pso-name [options]
       Deletes a Password Settings Object (PSO).

   domain passwordsettings pso list [options]
       Lists all Password Settings Objects (PSOs).

   domain passwordsettings pso set pso-name [options]
       Modifies a Password Settings Object (PSO).

   domain passwordsettings pso show pso-name [options]
       Displays a Password Settings Object (PSO).

   domain passwordsettings pso show-user user-name [options]
       Displays the Password Settings that apply to a user.

   domain passwordsettings pso unapply pso-name user-or-group-name [options]
       Updates a PSO to no longer apply to a user or group.

   domain provision
       Promote an existing domain member or NT4 PDC to an AD DC.

   domain trust
       Domain and forest trust management.

   domain trust create DOMAIN options [options]
       Create a domain or forest trust.

   domain trust delete DOMAIN options [options]
       Delete a domain trust.

   domain trust list options [options]
       List domain trusts.

   domain trust namespaces [DOMAIN] options [options]
       Manage forest trust namespaces.

   domain trust show DOMAIN options [options]
       Show trusted domain details.

   domain trust validate DOMAIN options [options]
       Validate a domain trust.

   drs
       Manage Directory Replication Services (DRS).

   drs bind
       Show DRS capabilities of a server.

   drs kcc
       Trigger knowledge consistency center run.

   drs options
       Query or change options for NTDS Settings object of a domain
       controller.

   drs replicate destination_DC source_DC NC [options]
       Replicate a naming context between two DCs.

   drs showrepl
       Show replication status. The [--json] option results in JSON output,
       and with the [--summary] option produces very little output when the
       replication status seems healthy.

   dsacl
       Administer DS ACLs.

   dsacl set
       Modify access list on a directory object.

   forest
       Manage Forest configuration.

   forest directory_service
       Manage directory_service behaviour for the forest.

   forest directory_service dsheuristics VALUE
       Modify dsheuristics directory_service configuration for the forest.

   forest directory_service show
       Show current directory_service configuration for the forest.

   fsmo
       Manage Flexible Single Master Operations (FSMO).

   fsmo seize [options]
       Seize the role.

   fsmo show
       Show the roles.

   fsmo transfer [options]
       Transfer the role.

   gpo
       Manage Group Policy Objects (GPO).

   gpo create displayname [options]
       Create an empty GPO.

   gpo del gpo [options]
       Delete GPO.

   gpo dellink container_dn gpo [options]
       Delete GPO link from a container.

   gpo fetch gpo [options]
       Download a GPO.

   gpo getinheritance container_dn [options]
       Get inheritance flag for a container.

   gpo getlink container_dn [options]
       List GPO Links for a container.

   gpo list username [options]
       List GPOs for an account.

   gpo listall
       List all GPOs.

   gpo listcontainers gpo [options]
       List all linked containers for a GPO.

   gpo setinheritance container_dn block|inherit [options]
       Set inheritance flag on a container.

   gpo setlink container_dn gpo [options]
       Add or update a GPO link to a container.

   gpo show gpo [options]
       Show information for a GPO.

   group
       Manage groups.

   group add groupname [options]
       Create a new AD group.

   group addmembers groupname members [options]
       Add members to an AD group.

   group delete groupname [options]
       Delete an AD group.

   group list
       List all groups.

   group listmembers groupname [options]
       List all members of the specified AD group.

   group move groupname new_parent_dn [options]
       This command moves a group into the specified organizational unit or
       container.

       The groupname specified on the command is the sAMAccountName.

       The name of the organizational unit or container can be specified as a
       full DN or without the domainDN component.

   group removemembers groupname members [options]
       Remove members from the specified AD group.

   group show groupname [options]
       Show group object and its attributes.

   group stats [options]
       Show statistics for overall groups and group memberships.

   ldapcmp URL1 URL2 domain|configuration|schema|dnsdomain|dnsforest [options]
       Compare two LDAP databases.

   ntacl
       Manage NT ACLs.

   ntacl get file [options]
       Get ACLs on a file.

   ntacl set acl file [options]
       Set ACLs on a file.

   ntacl sysvolcheck
       Check sysvol ACLs match defaults (including correct ACLs on GPOs).

   ntacl sysvolreset
       Reset sysvol ACLs to defaults (including correct ACLs on GPOs).

   ou create ou_dn [options]
       Create an organizational unit.

       The name of the organizational unit can be specified as a full DN or
       without the domainDN component.

       --description=DESCRIPTION
           Specify OU's description.

   ou delete ou_dn [options]
       Delete an organizational unit.

       The name of the organizational unit can be specified as a full DN or
       without the domainDN component.

       --force-subtree-delete
           Delete organizational unit and all children recursively.

   ou list [options]
       List all organizational units.

       --full-dn
           Display DNs including the base DN.

   ou listobjects ou_dn [options]
       List all objects in an organizational unit.

       The name of the organizational unit can be specified as a full DN or
       without the domainDN component.

       --full-dn
           Display DNs including the base DN.

       -r|--recursive
           List objects recursively.

   ou move old_ou_dn new_parent_dn [options]
       Move an organizational unit.

       The name of the organizational units can be specified as a full DN or
       without the domainDN component.

   ou rename old_ou_dn new_ou_dn [options]
       Rename an organizational unit.

       The name of the organizational units can be specified as a full DN or
       without the domainDN component.

   rodc
       Manage Read-Only Domain Controller (RODC).

   rodc preload SID|DN|accountname [options]
       Preload one account for an RODC.

   schema
       Manage and query schema.

   schema attribute modify attribute [options]
       Modify the behaviour of an attribute in schema.

   schema attribute show attribute [options]
       Display an attribute schema definition.

   schema attribute show_oc attribute [options]
       Show objectclasses that MAY or MUST contain this attribute.

   schema objectclass show objectclass [options]
       Display an objectclass schema definition.

   sites
       Manage sites.

   sites create site [options]
       Create a new site.

   sites remove site [options]
       Delete an existing site.

   spn
       Manage Service Principal Names (SPN).

   spn add name user [options]
       Create a new SPN.

   spn delete name [user] [options]
       Delete an existing SPN.

   spn list user [options]
       List SPNs of a given user.

   testparm
       Check the syntax of the configuration file.

   time
       Retrieve the time on a server.

   user
       Manage users.

   user add username [password]
       Create a new user. Please note that this subcommand is deprecated and
       available for compatibility reasons only. Please use samba-tool user
       create instead.

   user create username [password]
       Create a new user in the Active Directory Domain.

   user delete username [options]
       Delete an existing user account.

   user disable username
       Disable a user account.

   user enable username
       Enable a user account.

   user list
       List all users.

   user show username [options]
       Display a user AD object.

       --attributes=USER_ATTRS
           Comma separated list of attributes, which will be printed.

   user move username new_parent_dn [options]
       This command moves a user account into the specified organizational
       unit or container.

       The username specified on the command is the sAMAccountName.

       The name of the organizational unit or container can be specified as a
       full DN or without the domainDN component.

   user password [options]
       Change password for a user account (the one provided in
       authentication).

   user setexpiry username [options]
       Set the expiration of a user account.

   user setpassword username [options]
       Sets or resets the password of a user account.

   user getpassword username [options]
       Gets the password of a user account.

   user syncpasswords --cache-ldb-initialize [options]
       Syncs the passwords of all user accounts, using an optional script.

       Note that this command should run on a single domain controller only
       (typically the PDC-emulator).

   vampire [options] domain
       Join and synchronise a remote AD domain to the local server. Please
       note that samba-tool vampire is deprecated, please use samba-tool
       domain join instead.

   visualize [options] subcommand
       Produce graphical representations of Samba network state. To work out
       what is happening in a replication graph, it is sometimes helpful to
       use visualisations.

       There are two subcommands, two graphical modes, and (roughly) two modes
       of operation with respect to the location of authority.

   MODES OF OPERATION
       samba-tool visualize ntdsconn
           Looks at NTDS connections.

       samba-tool visualize reps
           Looks at repsTo and repsFrom objects.

       samba-tool visualize uptodateness
           Looks at replication lag as shown by the uptodateness vectors.

   GRAPHICAL MODES
       --distance
           Distances between DCs are shown in a matrix in the terminal.

       --dot
           Generate Graphviz dot output (for ntdsconn and reps modes). When
           viewed using dot or xdot, this shows the network as a graph with
           DCs as vertices and connections as edges. Certain types of
           degenerate edges are shown in different colours or line-styles.

       --xdot
           Generate Graphviz dot output as with [--dot] and attempt to view it
           immediately using /usr/bin/xdot.

       -r
           Normally, samba-tool talks to one database; with the [-r] option
           attempts are made to contact all the DCs known to the first
           database. This is necessary for samba-tool visualize uptodateness
           and for samba-tool visualize reps because the repsFrom/To objects
           are not replicated, and it can reveal replication issues in other
           modes.

   help
       Gives usage information.

VERSION

       This man page is complete for version 4.10.4 of the Samba suite.

AUTHOR

       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

Samba 4.10.4                      05/28/2019                     SAMBA-TOOL(8)