SAMBA-TOOL(8)              System Administration tools             SAMBA-TOOL(8)

NAME
       samba-tool - Main Samba administration tool.

SYNOPSIS
       samba-tool [-h] [-W myworkgroup] [-U user] [-d debuglevel] [--v]

DESCRIPTION
       This tool is part of the samba(7) suite.

OPTIONS
       -h|--help
           Show this help message and exit

       --realm=REALM
           Set the realm name

       --simple-bind-dn=DN
           DN to use for a simple bind

       --password=PASSWORD
           Password

       -U USERNAME|--username=USERNAME
           Username

       -W WORKGROUP|--workgroup=WORKGROUP
           Workgroup

       -N|--no-pass
           Don't ask for a password

       -k KERBEROS|--kerberos=KERBEROS
           Use Kerberos

       --ipaddress=IPADDRESS
           IP address of the server

       -d|--debuglevel=level
           level is an integer from 0 to 10. The default value if this
           parameter is not specified is 1.

           The higher this value, the more detail will be logged to the log
           files about the activities of the server. At level 0, only critical
           errors and serious warnings will be logged. Level 1 is a reasonable
           level for day-to-day running - it generates a small amount of
           information about operations carried out.

           Levels above 1 will generate considerable amounts of log data, and
           should only be used when investigating a problem. Levels above 3
           are designed for use only by developers and generate HUGE amounts
           of log data, most of which is extremely cryptic.

           Note that specifying this parameter here will override the log
           level parameter in the smb.conf file.

       -V|--version
           Prints the program version number.

       -s|--configfile=<configuration file>
           The file specified contains the configuration details required by
           the server. The information in this file includes server-specific
           information such as what printcap file to use, as well as
           descriptions of all the services that the server is to provide. See
           smb.conf for more information. The default configuration file name
           is determined at compile time.

       -l|--log-basename=logdirectory
           Base directory name for log/debug files. The extension ".progname"
           will be appended (e.g. log.smbclient, log.smbd, etc...). The log
           file is never removed by the client.

       --option=<name>=<value>
           Set the smb.conf(5) option "<name>" to value "<value>" from the
           command line. This overrides compiled-in defaults and options read
           from the configuration file.

COMMANDS
   computer create computername [options]
       Create a new computer in the Active Directory Domain.

       The new computer name specified on the command is the sAMAccountName,
       with or without the trailing dollar sign.

       --computerou=COMPUTEROU
           DN of alternative location (with or without domainDN counterpart)
           to default CN=Computers in which new computer object will be
           created. E.g. 'OU=OUname'.

       --description=DESCRIPTION
           The new computer's description.

       --ip-address=IP_ADDRESS_LIST
           IPv4 address for the computer's A record, or IPv6 address for AAAA
           record, can be provided multiple times.

       --service-principal-name=SERVICE_PRINCIPAL_NAME_LIST
           Computer's Service Principal Name, can be provided multiple times.

       --prepare-oldjoin
           Prepare enabled machine account for oldjoin mechanism.

   computer delete computername [options]
       Delete an existing computer account.

       The computer name specified on the command is the sAMAccountName, with
       or without the trailing dollar sign.

   computer list
       List all computers.

   computer move computername new_parent_dn [options]
       This command moves a computer account into the specified organizational
       unit or container.

       The computername specified on the command is the sAMAccountName, with
       or without the trailing dollar sign.

       The name of the organizational unit or container can be specified as a
       full DN or without the domainDN component.

   computer show computername [options]
       Display a computer AD object.

       The computer name specified on the command is the sAMAccountName, with
       or without the trailing dollar sign.

       --attributes=USER_ATTRS
           Comma separated list of attributes, which will be printed.

   dbcheck
       Check the local AD database for errors.

   delegation
       Manage Delegations.

   delegation add-service accountname principal [options]
       Add a service principal as msDS-AllowedToDelegateTo.

   delegation del-service accountname principal [options]
       Delete a service principal as msDS-AllowedToDelegateTo.

   delegation for-any-protocol accountname [(on|off)] [options]
       Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy) for an
       account.

   delegation for-any-service accountname [(on|off)] [options]
       Set/unset UF_TRUSTED_FOR_DELEGATION for an account.

   delegation show accountname [options]
       Show the delegation setting of an account.

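An added example (not part of the Samba man page or of Samba's code): one way to audit the settings the delegation subcommands above control, by decoding userAccountControl and msDS-AllowedToDelegateTo from LDIF-style attribute output. The two flag values are the standard Active Directory userAccountControl bits; the sample entries, the helper names, and the assumed output shape of `samba-tool user show NAME --attributes=...` are constructed for illustration.

```python
UF_TRUSTED_FOR_DELEGATION = 0x00080000  # set by "delegation for-any-service"
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000  # "for-any-protocol"

# Constructed sample (not real directory data) in the "attribute: value"
# shape assumed for `samba-tool user show NAME --attributes=...` output.
SAMPLE = """\
dn: CN=websvc,CN=Users,DC=example,DC=test
userAccountControl: 16777728
msDS-AllowedToDelegateTo: http/intranet.example.test
msDS-AllowedToDelegateTo: cifs/files.example.test

dn: CN=LEGACY01,CN=Computers,DC=example,DC=test
userAccountControl: 528384

dn: CN=alice,CN=Users,DC=example,DC=test
userAccountControl: 512
"""

def parse_entries(text):
    """Split LDIF-style text into one {attribute: [values]} dict per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # comments and lines this sketch does not handle
            name, value = line.split(": ", 1)
            entry.setdefault(name.lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def classify(entry):
    """Return (dn, findings) for one entry's delegation-related attributes."""
    uac = int(entry.get("useraccountcontrol", ["0"])[0])
    findings = []
    if uac & UF_TRUSTED_FOR_DELEGATION:
        findings.append("trusted for delegation to any service")
    if uac & UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION:
        findings.append("trusted to authenticate for delegation")
    targets = sorted(entry.get("msds-allowedtodelegateto", []))
    if targets:
        findings.append("msDS-AllowedToDelegateTo: " + ", ".join(targets))
    return entry["dn"][0], findings

def audit(text):
    """Map DN -> findings for every entry with any delegation setting."""
    return {dn: f for dn, f in map(classify, parse_entries(text)) if f}

if __name__ == "__main__":
    for dn, findings in audit(SAMPLE).items():
        print(dn, "->", "; ".join(findings))
```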
   dns
       Manage Domain Name Service (DNS).

   dns add server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
       Add a DNS record.

   dns delete server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
       Delete a DNS record.

   dns query server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT|ALL [options]
   data
       Query a name.

   dns roothints server [name] [options]
       Query root hints.

   dns serverinfo server [options]
       Query server information.

   dns update server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT olddata newdata
       Update a DNS record.

   dns zonecreate server zone [options]
       Create a zone.

   dns zonedelete server zone [options]
       Delete a zone.

   dns zoneinfo server zone [options]
       Query zone information.

   dns zonelist server [options]
       List zones.

   domain
       Manage Domain.

   domain backup
       Create or restore a backup of the domain.

   domain backup offline
       Backup (with proper locking) local domain directories into a tar file.

   domain backup online
       Copy a running DC's current DB into a backup tar file.

   domain backup rename
       Copy a running DC's DB to backup file, renaming the domain in the
       process.

   domain backup restore
       Restore the domain's DB from a backup-file.

   domain classicupgrade [options] classic_smb_conf
       Upgrade from Samba classic (NT4-like) database to Samba AD DC database.

   domain dcpromo dnsdomain [DC|RODC] [options]
       Promote an existing domain member or NT4 PDC to an AD DC.

   domain demote
       Demote ourselves from the role of domain controller.

   domain exportkeytab keytab [options]
       Dumps Kerberos keys of the domain into a keytab.

   domain info ip_address [options]
       Print basic info about a domain and the specified DC.

   domain join dnsdomain [DC|RODC|MEMBER|SUBDOMAIN] [options]
       Join a domain as either member or backup domain controller.

   domain level show|raise options [options]
       Show/raise domain and forest function levels.

   domain passwordsettings show|set options [options]
       Show/set password settings.

   domain passwordsettings pso
       Manage fine-grained Password Settings Objects (PSOs).

   domain passwordsettings pso apply pso-name user-or-group-name [options]
       Applies a PSO's password policy to a user or group.

   domain passwordsettings pso create pso-name precedence [options]
       Creates a new Password Settings Object (PSO).

   domain passwordsettings pso delete pso-name [options]
       Deletes a Password Settings Object (PSO).

   domain passwordsettings pso list [options]
       Lists all Password Settings Objects (PSOs).

   domain passwordsettings pso set pso-name [options]
       Modifies a Password Settings Object (PSO).

   domain passwordsettings pso show user-name [options]
       Displays a Password Settings Object (PSO).

   domain passwordsettings pso show-user pso-name [options]
       Displays the Password Settings that apply to a user.

   domain passwordsettings pso unapply pso-name user-or-group-name [options]
       Updates a PSO to no longer apply to a user or group.

   domain provision
       Promote an existing domain member or NT4 PDC to an AD DC.

   domain trust
       Domain and forest trust management.

   domain trust create DOMAIN options [options]
       Create a domain or forest trust.

   domain trust delete DOMAIN options [options]
       Delete a domain trust.

   domain trust list options [options]
       List domain trusts.

   domain trust namespaces [DOMAIN] options [options]
       Manage forest trust namespaces.

   domain trust show DOMAIN options [options]
       Show trusted domain details.

   domain trust validate DOMAIN options [options]
       Validate a domain trust.

   drs
       Manage Directory Replication Services (DRS).

   drs bind
       Show DRS capabilities of a server.

   drs kcc
       Trigger knowledge consistency center run.

   drs options
       Query or change options for NTDS Settings object of a domain
       controller.

   drs replicate destination_DC source_DC NC [options]
       Replicate a naming context between two DCs.

   drs showrepl
       Show replication status. The [--json] option results in JSON output,
       and with the [--summary] option produces very little output when the
       replication status seems healthy.

   dsacl
       Administer DS ACLs

   dsacl set
       Modify access list on a directory object.

   forest
       Manage Forest configuration.

   forest directory_service
       Manage directory_service behaviour for the forest.

   forest directory_service dsheuristics VALUE
       Modify dsheuristics directory_service configuration for the forest.

   forest directory_service show
       Show current directory_service configuration for the forest.

   fsmo
       Manage Flexible Single Master Operations (FSMO).

   fsmo seize [options]
       Seize the role.

   fsmo show
       Show the roles.

   fsmo transfer [options]
       Transfer the role.

   gpo
       Manage Group Policy Objects (GPO).

   gpo create displayname [options]
       Create an empty GPO.

   gpo del gpo [options]
       Delete GPO.

   gpo dellink container_dn gpo [options]
       Delete GPO link from a container.

   gpo fetch gpo [options]
       Download a GPO.

   gpo getinheritance container_dn [options]
       Get inheritance flag for a container.

   gpo getlink container_dn [options]
       List GPO Links for a container.

   gpo list username [options]
       List GPOs for an account.

   gpo listall
       List all GPOs.

   gpo listcontainers gpo [options]
       List all linked containers for a GPO.

   gpo setinheritance container_dn block|inherit [options]
       Set inheritance flag on a container.

   gpo setlink container_dn gpo [options]
       Add or Update a GPO link to a container.

   gpo show gpo [options]
       Show information for a GPO.

   group
       Manage groups.

   group add groupname [options]
       Create a new AD group.

   group addmembers groupname members [options]
       Add members to an AD group.

   group delete groupname [options]
       Delete an AD group.

   group list
       List all groups.

   group listmembers groupname [options]
       List all members of the specified AD group.

   group move groupname new_parent_dn [options]
       This command moves a group into the specified organizational unit or
       container.

       The groupname specified on the command is the sAMAccountName.

       The name of the organizational unit or container can be specified as a
       full DN or without the domainDN component.

   group removemembers groupname members [options]
       Remove members from the specified AD group.

   group show groupname [options]
       Show group object and its attributes.

   group stats [options]
       Show statistics for overall groups and group memberships.

   ldapcmp URL1 URL2 domain|configuration|schema|dnsdomain|dnsforest [options]
       Compare two LDAP databases.

   ntacl
       Manage NT ACLs.

   ntacl get file [options]
       Get ACLs on a file.

   ntacl set acl file [options]
       Set ACLs on a file.

   ntacl sysvolcheck
       Check sysvol ACLs match defaults (including correct ACLs on GPOs).

   ntacl sysvolreset
       Reset sysvol ACLs to defaults (including correct ACLs on GPOs).

   ou create ou_dn [options]
       Create an organizational unit.

       The name of the organizational unit can be specified as a full DN or
       without the domainDN component.

       --description=DESCRIPTION
           Specify OU's description.

   ou delete ou_dn [options]
       Delete an organizational unit.

       The name of the organizational unit can be specified as a full DN or
       without the domainDN component.

       --force-subtree-delete
           Delete organizational unit and all children recursively.

   ou list [options]
       List all organizational units.

       --full-dn
           Display DNs including the base DN.

   ou listobjects ou_dn [options]
       List all objects in an organizational unit.

       The name of the organizational unit can be specified as a full DN or
       without the domainDN component.

       --full-dn
           Display DNs including the base DN.

       -r|--recursive
           List objects recursively.

   ou move old_ou_dn new_parent_dn [options]
       Move an organizational unit.

       The name of the organizational units can be specified as a full DN or
       without the domainDN component.

   ou rename old_ou_dn new_ou_dn [options]
       Rename an organizational unit.

       The name of the organizational units can be specified as a full DN or
       without the domainDN component.

   rodc
       Manage Read-Only Domain Controller (RODC).

   rodc preload SID|DN|accountname [options]
       Preload one account for an RODC.

   schema
       Manage and query schema.

   schema attribute modify attribute [options]
       Modify the behaviour of an attribute in schema.

   schema attribute show attribute [options]
       Display an attribute schema definition.

   schema attribute show_oc attribute [options]
       Show objectclasses that MAY or MUST contain this attribute.

   schema objectclass show objectclass [options]
       Display an objectclass schema definition.

   sites
       Manage sites.

   sites create site [options]
       Create a new site.

   sites remove site [options]
       Delete an existing site.

   spn
       Manage Service Principal Names (SPN).

   spn add name user [options]
       Create a new SPN.

   spn delete name [user] [options]
       Delete an existing SPN.

   spn list user [options]
       List SPNs of a given user.

   testparm
       Check the syntax of the configuration file.

   time
       Retrieve the time on a server.

   user
       Manage users.

   user add username [password]
       Create a new user. Please note that this subcommand is deprecated and
       available for compatibility reasons only. Please use samba-tool user
       create instead.

   user create username [password]
       Create a new user in the Active Directory Domain.

   user delete username [options]
       Delete an existing user account.

   user disable username
       Disable a user account.

   user enable username
       Enable a user account.

   user list
       List all users.

   user show username [options]
       Display a user AD object.

       --attributes=USER_ATTRS
           Comma separated list of attributes, which will be printed.

   user move username new_parent_dn [options]
       This command moves a user account into the specified organizational
       unit or container.

       The username specified on the command is the sAMAccountName.

       The name of the organizational unit or container can be specified as a
       full DN or without the domainDN component.

   user password [options]
       Change password for a user account (the one provided in
       authentication).

   user setexpiry username [options]
       Set the expiration of a user account.

   user setpassword username [options]
       Sets or resets the password of a user account.

   user getpassword username [options]
       Gets the password of a user account.

   user syncpasswords --cache-ldb-initialize [options]
       Syncs the passwords of all user accounts, using an optional script.

       Note that this command should run on a single domain controller only
       (typically the PDC-emulator).

   vampire [options] domain
       Join and synchronise a remote AD domain to the local server. Please
       note that samba-tool vampire is deprecated, please use samba-tool
       domain join instead.

   visualize [options] subcommand
       Produce graphical representations of Samba network state. To work out
       what is happening in a replication graph, it is sometimes helpful to
       use visualisations.

       There are two subcommands, two graphical modes, and (roughly) two modes
       of operation with respect to the location of authority.

   MODES OF OPERATION
       samba-tool visualize ntdsconn
           Looks at NTDS connections.

       samba-tool visualize reps
           Looks at repsTo and repsFrom objects.

       samba-tool visualize uptodateness
           Looks at replication lag as shown by the uptodateness vectors.

   GRAPHICAL MODES
       --distance
           Distances between DCs are shown in a matrix in the terminal.

       --dot
           Generate Graphviz dot output (for ntdsconn and reps modes). When
           viewed using dot or xdot, this shows the network as a graph with
           DCs as vertices and connections as edges. Certain types of
           degenerate edges are shown in different colours or line-styles.

       --xdot
           Generate Graphviz dot output as with [--dot] and attempt to view it
           immediately using /usr/bin/xdot.

       -r
           Normally, samba-tool talks to one database; with the [-r] option
           attempts are made to contact all the DCs known to the first
           database. This is necessary for samba-tool visualize uptodateness
           and for samba-tool visualize reps because the repsFrom/To objects
           are not replicated, and it can reveal replication issues in other
           modes.

   help
       Gives usage information.

VERSION
       This man page is complete for version 4.10.4 of the Samba suite.

AUTHOR
       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

Samba 4.10.4                      05/28/2019                     SAMBA-TOOL(8)