NET(8) System Administration tools NET(8)

NAME
    net - Tool for administration of Samba and remote CIFS servers.

SYNOPSIS
    net {<ads|rap|rpc>} [-h|--help] [-w|--workgroup workgroup]
        [-W|--myworkgroup myworkgroup] [-U|--user user]
        [-A|--authentication-file authfile] [-I|--ipaddress ip-address]
        [-p|--port port] [-n myname] [-s conffile] [-S|--server server]
        [-l|--long] [-v|--verbose] [-f|--force] [-P|--machine-pass]
        [-d debuglevel] [-V] [--request-timeout seconds]
        [-t|--timeout seconds] [-i|--stdin] [--tallocreport]

DESCRIPTION
    This tool is part of the samba(7) suite.

    The Samba net utility is meant to work just like the net utility
    available for Windows and DOS. The first argument should be used to
    specify the protocol to use when executing a certain command. ADS is
    used for Active Directory, RAP is used for old (Win9x/NT3) clients and
    RPC can be used for NT4 and Windows 2000. If this argument is omitted,
    net will try to determine it automatically. Not all commands are
    available on all protocols.

OPTIONS
-?|--help
    Print a summary of command line options.

-k|--kerberos
    Try to authenticate with kerberos. Only useful in an Active
    Directory environment.

-w|--workgroup target-workgroup
    Sets target workgroup or domain. You have to specify either this
    option or the IP address or the name of a server.

-W|--myworkgroup workgroup
    Sets client workgroup or domain.

-U|--user user
    User name to use.

-I|--ipaddress ip-address
    IP address of target server to use. You have to specify either this
    option or a target workgroup or a target server.

-p|--port port
    Port on the target server to connect to (usually 139 or 445).
    Defaults to trying 445 first, then 139.

-n|--netbiosname <primary NetBIOS name>
    This option allows you to override the NetBIOS name that Samba uses
    for itself. This is identical to setting the netbios name parameter
    in the smb.conf file. However, a command line setting will take
    precedence over settings in smb.conf.

-S|--server server
    Name of target server. You should specify either this option or a
    target workgroup or a target IP address.

-l|--long
    When listing data, give more information on each item.

-v|--verbose
    When listing data, give more verbose information on each item.

-f|--force
    Enforce a net command.

-P|--machine-pass
    Make queries to the external server using the machine account of
    the local server.

--request-timeout 30
    Let client requests time out after 30 seconds; the default is 10
    seconds.

-t|--timeout 30
    Set timeout for client operations to 30 seconds.

--use-ccache
    Try to use the credentials cached by winbind.

-i|--stdin
    Take input for net commands from standard input.

--tallocreport
    Generate a talloc report while processing a net command.

-T|--test
    Only test command sequence, dry-run.

-F|--flags FLAGS
    Pass down integer flags to a net subcommand.

-C|--comment COMMENT
    Pass down a comment string to a net subcommand.

-n|--myname MYNAME
    Use MYNAME as a requester name for a net subcommand.

-c|--container CONTAINER
    Use a specific AD container for net ads operations.

-M|--maxusers MAXUSERS
    Fill in the maxusers field in net rpc share operations.

-r|--reboot
    Reboot a remote machine after a command has been successfully
    executed (e.g. in remote join operations).

--force-full-repl
    When calling "net rpc vampire keytab" this option enforces a full
    re-creation of the generated keytab file.

--single-obj-repl
    When calling "net rpc vampire keytab" this option allows one to
    replicate just a single object to the generated keytab file.

--clean-old-entries
    When calling "net rpc vampire keytab" this option allows one to
    clean up old entries from the generated keytab file.

--db
    Define dbfile for "net idmap" commands.

--lock
    Activates locking of the dbfile for "net idmap check" command.

-a|--auto
    Activates noninteractive mode in "net idmap check".

--repair
    Activates repair mode in "net idmap check".

--acls
    Includes ACLs to be copied in "net rpc share migrate".

--attrs
    Includes file attributes to be copied in "net rpc share migrate".

--timestamps
    Includes timestamps to be copied in "net rpc share migrate".

-X|--exclude DIRECTORY
    Allows one to exclude directories when copying with "net rpc share
    migrate".

--destination SERVERNAME
    Defines the target servername of migration process (defaults to
    localhost).

-L|--local
    Sets the type of group mapping to local (used in "net groupmap
    set").

-D|--domain
    Sets the type of group mapping to domain (used in "net groupmap
    set").

-N|--ntname NTNAME
    Sets the ntname of a group mapping (used in "net groupmap set").

-R|--rid RID
    Sets the rid of a group mapping (used in "net groupmap set").

--reg-version REG_VERSION
    Assume database version {n|1,2,3} (used in "net registry check").

-o|--output FILENAME
    Output database file (used in "net registry check").

--wipe
    Create a new database from scratch (used in "net registry check").

--precheck PRECHECK_DB_FILENAME
    Defines filename for database prechecking (used in "net registry
    import").

--no-dns-updates
    Do not perform DNS updates as part of "net ads join".

--keep-account
    Prevent the machine account removal as part of "net ads leave".

-e|--encrypt
    This command line parameter requires that the remote server support
    the UNIX extensions or that the SMB3 protocol has been selected.
    Requests that the connection be encrypted. Negotiates SMB
    encryption using either SMB3 or POSIX extensions via GSSAPI. Uses
    the given credentials for the encryption negotiation (either
    kerberos or NTLMv1/v2 if given domain/username/password triple).
    Fails the connection if encryption cannot be negotiated.

-d|--debuglevel=level
    level is an integer from 0 to 10. The default value if this
    parameter is not specified is 1.

    The higher this value, the more detail will be logged to the log
    files about the activities of the server. At level 0, only critical
    errors and serious warnings will be logged. Level 1 is a reasonable
    level for day-to-day running - it generates a small amount of
    information about operations carried out.

    Levels above 1 will generate considerable amounts of log data, and
    should only be used when investigating a problem. Levels above 3
    are designed for use only by developers and generate HUGE amounts
    of log data, most of which is extremely cryptic.

    Note that specifying this parameter here will override the log
    level parameter in the smb.conf file.

-V|--version
    Prints the program version number.

-s|--configfile=<configuration file>
    The file specified contains the configuration details required by
    the server. The information in this file includes server-specific
    information such as what printcap file to use, as well as
    descriptions of all the services that the server is to provide. See
    smb.conf for more information. The default configuration file name
    is determined at compile time.

-l|--log-basename=logdirectory
    Base directory name for log/debug files. The extension ".progname"
    will be appended (e.g. log.smbclient, log.smbd, etc...). The log
    file is never removed by the client.

--option=<name>=<value>
    Set the smb.conf(5) option "<name>" to value "<value>" from the
    command line. This overrides compiled-in defaults and options read
    from the configuration file.

COMMANDS
CHANGESECRETPW
    This command allows the Samba machine account password to be set from
    an external application to a machine account password that has already
    been stored in Active Directory. DO NOT USE this command unless you
    know exactly what you are doing. The use of this command requires that
    the force flag (-f) be used also. There will be NO command prompt.
    Whatever information is piped into stdin, either by typing at the
    command line or otherwise, will be stored as the literal machine
    password. Do NOT use this without care and attention as it will
    overwrite a legitimate machine password without warning. YOU HAVE BEEN
    WARNED.

TIME
    The NET TIME command allows you to view the time on a remote server or
    synchronise the time on the local server with the time on the remote
    server.

TIME
    Without any options, the NET TIME command displays the time on the
    remote server. The remote server must be specified with the -S option.

TIME SYSTEM
    Displays the time on the remote server in a format ready for /bin/date.
    The remote server must be specified with the -S option.

TIME SET
    Tries to set the date and time of the local server to that on the
    remote server using /bin/date. The remote server must be specified with
    the -S option.

TIME ZONE
    Displays the timezone in hours from GMT on the remote server. The
    remote server must be specified with the -S option.

[RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]]
[createupn=UPN] [createcomputer=OU] [machinepass=PASS] [osName=string
osVer=string] [options]
    Join a domain. If the account already exists on the server, and [TYPE]
    is MEMBER, the machine will attempt to join automatically (assuming
    that the machine has been created in server manager). Otherwise, a
    password will be prompted for, and a new account may be created.

    [TYPE] may be PDC, BDC or MEMBER to specify the type of server joining
    the domain.

    [UPN] (ADS only) Set the principalname attribute during the join. The
    default format is host/netbiosname@REALM.

    [OU] (ADS only) Precreate the computer account in a specific OU. The OU
    string reads from top to bottom without RDNs, and is delimited by a
    '/'. Please note that '\' is used for escape by both the shell and
    ldap, so it may need to be doubled or quadrupled to pass through, and
    it is not used as a delimiter.

    [PASS] (ADS only) Set a specific password on the computer account being
    created by the join.

    [osName=string osVer=String] (ADS only) Set the operatingSystem and
    operatingSystemVersion attribute during the join. Both parameters must
    be specified for either to take effect.

[RPC] OLDJOIN [options]
    Join a domain. Use the OLDJOIN option to join the domain using the old
    style of domain joining - you need to create a trust account in server
    manager first.

[RPC|ADS] USER
[RPC|ADS] USER
    List all users.

[RPC|ADS] USER DELETE target
    Delete specified user.

[RPC|ADS] USER INFO target
    List the domain groups of the specified user.

[RPC|ADS] USER RENAME oldname newname
    Rename specified user.

[RPC|ADS] USER ADD name [password] [-F user flags] [-C comment]
    Add specified user.

[RPC|ADS] GROUP
[RPC|ADS] GROUP [misc options] [targets]
    List user groups.

[RPC|ADS] GROUP DELETE name [misc. options]
    Delete specified group.

[RPC|ADS] GROUP ADD name [-C comment]
    Create specified group.

[ADS] LOOKUP
    Look up the closest Domain Controller in our domain and retrieve server
    information about it.

[RAP|RPC] SHARE
[RAP|RPC] SHARE [misc. options] [targets]
    Enumerates all exported resources (network shares) on target server.

[RAP|RPC] SHARE ADD name=serverpath [-C comment] [-M maxusers] [targets]
    Adds a share from a server (makes the export active). Maxusers
    specifies the number of users that can be connected to the share
    simultaneously.

SHARE DELETE sharename
    Delete specified share.

[RPC|RAP] FILE
[RPC|RAP] FILE
    List all open files on remote server.

[RPC|RAP] FILE CLOSE fileid
    Close file with specified fileid on remote server.

[RPC|RAP] FILE INFO fileid
    Print information on specified fileid. Currently listed are: file-id,
    username, locks, path, permissions.

[RAP|RPC] FILE USER user
    List files opened by specified user. Please note that net rap file user
    does not work against Samba servers.

SESSION
RAP SESSION
    Without any other options, SESSION enumerates all active SMB/CIFS
    sessions on the target server.

RAP SESSION DELETE|CLOSE CLIENT_NAME
    Close the specified sessions.

RAP SESSION INFO CLIENT_NAME
    Give a list with all the open files in specified session.

RAP SERVER DOMAIN
    List all servers in specified domain or workgroup. Defaults to local
    domain.

RAP DOMAIN
    Lists all domains and workgroups visible on the current network.

RAP PRINTQ
RAP PRINTQ INFO QUEUE_NAME
    Lists the specified print queue and print jobs on the server. If the
    QUEUE_NAME is omitted, all queues are listed.

RAP PRINTQ DELETE JOBID
    Delete job with specified id.

RAP VALIDATE user [password]
    Validate whether the specified user can log in to the remote server. If
    the password is not specified on the command line, it will be prompted.

    Note
        Currently NOT implemented.

RAP GROUPMEMBER
RAP GROUPMEMBER LIST GROUP
    List all members of the specified group.

RAP GROUPMEMBER DELETE GROUP USER
    Delete member from group.

RAP GROUPMEMBER ADD GROUP USER
    Add member to group.

RAP ADMIN command
    Execute the specified command on the remote server. Only works with
    OS/2 servers.

    Note
        Currently NOT implemented.

RAP SERVICE
RAP SERVICE START NAME [arguments...]
    Start the specified service on the remote server. Not implemented yet.

    Note
        Currently NOT implemented.

RAP SERVICE STOP
    Stop the specified service on the remote server.

    Note
        Currently NOT implemented.

RAP PASSWORD USER OLDPASS NEWPASS
    Change password of USER from OLDPASS to NEWPASS.

LOOKUP
LOOKUP HOST HOSTNAME [TYPE]
    Look up the IP address of the given host with the specified type
    (netbios suffix). The type defaults to 0x20 (workstation).

LOOKUP LDAP [DOMAIN]
    Give IP address of LDAP server of specified DOMAIN. Defaults to local
    domain.

LOOKUP KDC [REALM]
    Give IP address of KDC for the specified REALM. Defaults to local
    realm.

LOOKUP DC [DOMAIN]
    Give IPs of Domain Controllers for specified
    DOMAIN. Defaults to local domain.

LOOKUP MASTER DOMAIN
    Give IP of master browser for specified DOMAIN or workgroup. Defaults
    to local domain.

LOOKUP NAME [NAME]
    Look up username's SID and type for specified NAME.

LOOKUP SID [SID]
    Give SID's name and type for specified SID.

LOOKUP DSGETDCNAME [NAME] [FLAGS] [SITENAME]
    Give Domain Controller information for specified domain NAME.

CACHE
    Samba uses a general caching interface called 'gencache'. It can be
    controlled using 'NET CACHE'.

    All the timeout parameters support the suffixes:
        s - Seconds
        m - Minutes
        h - Hours
        d - Days
        w - Weeks

CACHE ADD key data time-out
    Add specified key+data to the cache with the given timeout.

CACHE DEL key
    Delete key from the cache.

CACHE SET key data time-out
    Update data of existing cache entry.

CACHE SEARCH PATTERN
    Search for the specified pattern in the cache data.

CACHE LIST
    List all current items in the cache.

CACHE FLUSH
    Remove all the current items from the cache.

GETLOCALSID [DOMAIN]
    Prints the SID of the specified domain, or if the parameter is omitted,
    the SID of the local server.

SETLOCALSID S-1-5-21-x-y-z
    Sets SID for the local server to the specified SID.

GETDOMAINSID
    Prints the local machine SID and the SID of the current domain.

SETDOMAINSID
    Sets the SID of the current domain.

GROUPMAP
    Manage the mappings between Windows group SIDs and UNIX groups. Common
    options include:

    · unixgroup - Name of the UNIX group

    · ntgroup - Name of the Windows NT group (must be resolvable
      to a SID)

    · rid - Unsigned 32-bit integer

    · sid - Full SID in the form of "S-1-..."

    · type - Type of the group; either 'domain', 'local', or
      'builtin'

    · comment - Freeform text description of the group

GROUPMAP ADD
    Add a new group mapping entry:

        net groupmap add {rid=int|sid=string} unixgroup=string \
            [type={domain|local}] [ntgroup=string] [comment=string]

GROUPMAP DELETE
    Delete a group mapping entry. If more than one group name matches, the
    first entry found is deleted.

        net groupmap delete {ntgroup=string|sid=SID}

GROUPMAP MODIFY
    Update an existing group entry.

        net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] \
            [comment=string] [type={domain|local}]

GROUPMAP LIST
    List existing group mapping entries.

        net groupmap list [verbose] [ntgroup=string] [sid=SID]

MAXRID
    Prints out the highest RID currently in use on the local server (by the
    active 'passdb backend').

RPC INFO
    Print information about the domain of the remote server, such as domain
    name, domain sid and number of users and groups.

[RPC|ADS] TESTJOIN
    Check whether participation in a domain is still valid.

[RPC|ADS] CHANGETRUSTPW
    Force change of domain trust password.

RPC TRUSTDOM
RPC TRUSTDOM ADD DOMAIN
    Add an interdomain trust account for DOMAIN. This is in fact a Samba
    account named DOMAIN$ with the account flag 'I' (interdomain trust
    account). This is required for incoming trusts to work. It makes Samba
    be a trusted domain of the foreign (trusting) domain. Users of the
    Samba domain will be made available in the foreign domain. If the
    command is used against localhost it has the same effect as smbpasswd
    -a -i DOMAIN. Please note that both commands expect an appropriate UNIX
    account.

RPC TRUSTDOM DEL DOMAIN
    Remove interdomain trust account for DOMAIN. If it is used against
    localhost it has the same effect as smbpasswd -x DOMAIN$.

RPC TRUSTDOM ESTABLISH DOMAIN
    Establish a trust relationship to a trusted domain. Interdomain account
    must already be created on the remote PDC. This is required for
    outgoing trusts to work. It makes Samba be a trusting domain of a
    foreign (trusted) domain. Users of the foreign domain will be made
    available in our domain. You'll need winbind and a working idmap config
    to make them appear in your system.

RPC TRUSTDOM REVOKE DOMAIN
    Abandon relationship to trusted domain.

RPC TRUSTDOM LIST
    List all interdomain trust relationships.

RPC TRUST
RPC TRUST CREATE
    Create a trust object by calling lsaCreateTrustedDomainEx2. This can be
    done on a single server or on two servers at once with the possibility
    to use a random trust password.

    Options:

    otherserver
        Domain controller of the second domain

    otheruser
        Admin user in the second domain

    otherdomainsid
        SID of the second domain

    other_netbios_domain
        NetBIOS (short) name of the second domain

    otherdomain
        DNS (full) name of the second domain

    trustpw
        Trust password

    Examples:

    Create a trust object on srv1.dom1.dom for the domain dom2

        net rpc trust create \
            otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
            other_netbios_domain=dom2 \
            otherdomain=dom2.dom \
            trustpw=12345678 \
            -S srv1.dom1.dom

    Create a trust relationship between dom1 and dom2

        net rpc trust create \
            otherserver=srv2.dom2.test \
            otheruser=dom2adm \
            -S srv1.dom1.dom

RPC TRUST DELETE
    Delete a trust object by calling lsaDeleteTrustedDomain. This can be
    done on a single server or on two servers at once.

    Options:

    otherserver
        Domain controller of the second domain

    otheruser
        Admin user in the second domain

    otherdomainsid
        SID of the second domain

    Examples:

    Delete a trust object on srv1.dom1.dom for the domain dom2

        net rpc trust delete \
            otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
            -S srv1.dom1.dom

    Delete a trust relationship between dom1 and dom2

        net rpc trust delete \
            otherserver=srv2.dom2.test \
            otheruser=dom2adm \
            -S srv1.dom1.dom

RPC RIGHTS
    This subcommand is used to view and manage Samba's rights assignments
    (also referred to as privileges). There are three options currently
    available: list, grant, and revoke. More details on Samba's privilege
    model and its use can be found in the Samba-HOWTO-Collection.

RPC ABORTSHUTDOWN
    Abort the shutdown of a remote server.

RPC SHUTDOWN [-t timeout] [-r] [-f] [-C message]
    Shut down the remote server.

    -r
        Reboot after shutdown.

    -f
        Force shutting down all applications.

    -t timeout
        Timeout before system will be shut down. An interactive user of the
        system can use this time to cancel the shutdown.

    -C message
        Display the specified message on the screen to announce the
        shutdown.

RPC SAMDUMP
    Print out sam database of remote server. You need to run this against
    the PDC, from a Samba machine joined as a BDC.

RPC VAMPIRE
    Export users, aliases and groups from remote server to local server.
    You need to run this against the PDC, from a Samba machine joined as a
    BDC. This vampire command cannot be used against an Active Directory,
    only against an NT4 Domain Controller.

RPC VAMPIRE KEYTAB
    Dump remote SAM database to local Kerberos keytab file.

RPC VAMPIRE LDIF
    Dump remote SAM database to local LDIF file or standard output.

RPC GETSID
    Fetch domain SID and store it in the local secrets.tdb.

ADS LEAVE [--keep-account]
    Make the remote host leave the domain it is part of.

ADS STATUS
    Print out status of machine account of the local machine in ADS. Prints
    out quite some debug info. Aimed at developers; regular users should
    use NET ADS TESTJOIN.

ADS PRINTER
ADS PRINTER INFO [PRINTER] [SERVER]
    Look up info for PRINTER on SERVER. The printer name defaults to "*",
    the server name defaults to the local host.

ADS PRINTER PUBLISH PRINTER
    Publish specified printer using ADS.

ADS PRINTER REMOVE PRINTER
    Remove specified printer from ADS directory.

ADS SEARCH EXPRESSION ATTRIBUTES...
    Perform a raw LDAP search on an ADS server and dump the results. The
    expression is a standard LDAP search expression, and the attributes are
    a list of LDAP fields to show in the results.

    Example: net ads search '(objectCategory=group)' sAMAccountName

ADS DN DN (attributes)
    Perform a raw LDAP search on an ADS server and dump the results. The DN
    is a standard LDAP DN, and the attributes are a list of LDAP fields to
    show in the result.

    Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain'
    SAMAccountName

ADS KEYTAB CREATE
    Creates a new keytab file if one doesn't exist with default entries.
    Default entries are kerberos principals created from the machinename of
    the client, the UPN (if it exists) and any Windows SPN(s) associated
    with the computer AD account for the client. If a keytab file already
    exists then only missing kerberos principals from the default entries
    are added. No changes are made to the computer AD account.

ADS KEYTAB ADD (principal | machine | serviceclass | windows SPN)
    Adds a new keytab entry. The entry can be one of the following:

    kerberos principal
        A kerberos principal (identified by the presence of '@') is just
        added to the keytab file.

    machinename
        A machinename (identified by the trailing '$') is used to create
        a kerberos principal 'machinename@realm' which is added to the
        keytab file.

    serviceclass
        A serviceclass (such as 'cifs', 'html' etc.) is used to create a
        pair of kerberos principals
        'serviceclass/fully_qualified_dns_name@realm' &
        'serviceclass/netbios_name@realm' which are added to the keytab
        file.

    Windows SPN
        A Windows SPN is of the format 'serviceclass/host:port', it is used
        to create a kerberos principal 'serviceclass/host@realm' which will
        be written to the keytab file.

    Unlike old versions no computer AD objects are modified by this
    command. To preserve the behaviour of older clients 'net ads keytab
    add_update_ads' is available.

ADS KEYTAB ADD_UPDATE_ADS (principal | machine | serviceclass | windows SPN)
    Adds a new keytab entry (see section for net ads keytab add). In
    addition to adding entries to the keytab file, corresponding Windows
    SPNs are created from the entry passed to this command. These SPN(s)
    are added to the AD computer account object associated with the client
    machine running this command for the following entry types:

    serviceclass
        A serviceclass (such as 'cifs', 'html' etc.) is used to create a
        pair of Windows SPN(s) 'param/full_qualified_dns' &
        'param/netbios_name' which are added to the AD computer account
        object for this client.

    Windows SPN
        A Windows SPN is of the format 'serviceclass/host:port', it is
        added as passed to the AD computer account object for this client.

ADS setspn SETSPN LIST [machine]
    Lists the Windows SPNs stored in the 'machine' Windows AD Computer
    object. If 'machine' is not specified then computer account for this
    client is used instead.

ADS setspn SETSPN ADD SPN [machine]
    Adds the specified Windows SPN to the 'machine' Windows AD Computer
    object. If 'machine' is not specified then computer account for this
    client is used instead.

ADS setspn SETSPN DELETE SPN [machine]
    Deletes the specified Windows SPN from the 'machine' Windows AD Computer
    object. If 'machine' is not specified then computer account for this
    client is used instead.

ADS WORKGROUP
    Print out workgroup name for specified kerberos realm.

ADS ENCTYPES
    List, modify or delete the value of the "msDS-SupportedEncryptionTypes"
    attribute of an account in AD.

    This attribute allows one to control which Kerberos encryption types
    are used for the generation of initial and service tickets. The value
    consists of an integer bitmask with the following values:

        0x00000001 DES-CBC-CRC
        0x00000002 DES-CBC-MD5
        0x00000004 RC4-HMAC
        0x00000008 AES128-CTS-HMAC-SHA1-96
        0x00000010 AES256-CTS-HMAC-SHA1-96

ADS ENCTYPES LIST <ACCOUNTNAME>
    List the value of the "msDS-SupportedEncryptionTypes" attribute of a
    given account.

    Example: net ads enctypes list Computername

ADS ENCTYPES SET <ACCOUNTNAME> [enctypes]
    Set the value of the "msDS-SupportedEncryptionTypes" attribute of the
    LDAP object of ACCOUNTNAME to a given value. If the value is omitted,
    the value is set to 31 which enables all the currently supported
    encryption types.

    Example: net ads enctypes set Computername 24

ADS ENCTYPES DELETE <ACCOUNTNAME>
    Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP
    object of ACCOUNTNAME.

    Example: net ads enctypes delete Computername

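The ENCTYPES bitmask above can be decoded and audited mechanically. The shell functions below are an added example, not part of the Samba documentation: they decode a mask with the table from this page and flag accounts that still allow DES or RC4. The function names, the constructed sample records and the "attribute: value" record layout assumed for saved `net ads search` output are assumptions of this example.

```shell
#!/bin/sh
# Added example: decode and audit msDS-SupportedEncryptionTypes values.

# bit value -> enctype name, exactly as in the ADS ENCTYPES table
ENCTYPE_TABLE='1 DES-CBC-CRC
2 DES-CBC-MD5
4 RC4-HMAC
8 AES128-CTS-HMAC-SHA1-96
16 AES256-CTS-HMAC-SHA1-96'

WEAK_BITS=7    # 0x1|0x2|0x4: both DES types and RC4-HMAC (treated as weak here)
AES_BITS=24    # 0x8|0x10: the two AES types

# is_mask VALUE: succeed only for a plain decimal integer (no sign, 0x or leading 0)
is_mask() {
    case $1 in
        ''|*[!0-9]*|0?*) return 1 ;;
    esac
}

# decode_enctypes MASK: print the comma-separated names of the bits set in MASK
decode_enctypes() (
    is_mask "$1" || { echo "invalid mask: $1" >&2; exit 1; }
    out=
    while read -r bit ename; do
        if [ $(( $1 & bit )) -ne 0 ]; then
            out="${out:+$out,}$ename"
        fi
    done <<EOF
$ENCTYPE_TABLE
EOF
    echo "${out:-none}"
)

# weak_mask MASK: the part of MASK that enables DES or RC4
weak_mask() { echo $(( $1 & WEAK_BITS )); }

# aes_only_mask MASK: MASK with the weak bits cleared; 0 means no AES bit was set
aes_only_mask() { echo $(( $1 & AES_BITS )); }

# audit_enctypes: read blank-line separated "attribute: value" records on stdin
# (assumed layout of saved search output) and print one verdict per account.
audit_enctypes() (
    name= mask=
    flush() {
        [ -n "$name" ] || return 0
        if [ -z "$mask" ]; then
            # attribute absent: the domain's default enctypes apply
            echo "$name unset domain-default"
        elif ! is_mask "$mask"; then
            echo "$name $mask invalid"
        elif [ "$(weak_mask "$mask")" -ne 0 ]; then
            echo "$name $mask WEAK $(decode_enctypes "$(weak_mask "$mask")")"
        else
            echo "$name $mask ok"
        fi
        name= mask=
    }
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            'sAMAccountName: '*) name=${line#*: } ;;
            'msDS-SupportedEncryptionTypes: '*) mask=${line#*: } ;;
            '') flush ;;
        esac
    done
    flush
)

# Constructed sample records (not real accounts).
SAMPLE='sAMAccountName: FILESRV01$
msDS-SupportedEncryptionTypes: 24

sAMAccountName: LEGACYAPP$
msDS-SupportedEncryptionTypes: 31

sAMAccountName: svc-print
msDS-SupportedEncryptionTypes: 4

sAMAccountName: OLDBOX$'

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE" | audit_enctypes
```

The value printed by `aes_only_mask` is the number to pass to `net ads enctypes set`; a result of 0 means the account had no AES bit enabled.
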
SAM CREATEBUILTINGROUP <NAME>
    (Re)Create a BUILTIN group. Only a well-known set of BUILTIN groups can
    be created with this command. This is the list of currently recognized
    group names: Administrators, Users, Guests, Power Users, Account
    Operators, Server Operators, Print Operators, Backup Operators,
    Replicator, RAS Servers, Pre-Windows 2000 compatible Access. This
    command requires a running Winbindd with idmap allocation properly
    configured. The group gid will be allocated out of the winbindd range.

SAM CREATELOCALGROUP <NAME>
    Create a LOCAL group (also known as Alias). This command requires a
    running Winbindd with idmap allocation properly configured. The group
    gid will be allocated out of the winbindd range.

SAM DELETELOCALGROUP <NAME>
    Delete an existing LOCAL group (also known as Alias).

SAM MAPUNIXGROUP <NAME>
    Map an existing Unix group and make it a Domain Group; the domain group
    will have the same name.

SAM UNMAPUNIXGROUP <NAME>
    Remove an existing group mapping entry.

SAM ADDMEM <GROUP> <MEMBER>
    Add a member to a Local group. The group can be specified only by name,
    the member can be specified by name or SID.

SAM DELMEM <GROUP> <MEMBER>
    Remove a member from a Local group. The group and the member must be
    specified by name.

SAM LISTMEM <GROUP>
    List Local group members. The group must be specified by name.

SAM LIST <users|groups|localgroups|builtin|workstations> [verbose]
    List the specified set of accounts by name. If verbose is specified,
    the rid and description are also provided for each account.

SAM RIGHTS LIST
    List all available privileges.

SAM RIGHTS GRANT <NAME> <PRIVILEGE>
    Grant one or more privileges to a user.

SAM RIGHTS REVOKE <NAME> <PRIVILEGE>
    Revoke one or more privileges from a user.

SAM SHOW <NAME>
    Show the full DOMAIN\NAME, the SID and the type for the corresponding
    account.

SAM SET HOMEDIR <NAME> <DIRECTORY>
    Set the home directory for a user account.

SAM SET PROFILEPATH <NAME> <PATH>
    Set the profile path for a user account.

SAM SET COMMENT <NAME> <COMMENT>
    Set the comment for a user or group account.

SAM SET FULLNAME <NAME> <FULL NAME>
    Set the full name for a user account.

SAM SET LOGONSCRIPT <NAME> <SCRIPT>
    Set the logon script for a user account.

SAM SET HOMEDRIVE <NAME> <DRIVE>
    Set the home drive for a user account.

SAM SET WORKSTATIONS <NAME> <WORKSTATIONS>
    Set the workstations a user account is allowed to log in from.

SAM SET DISABLE <NAME>
    Set the "disabled" flag for a user account.

SAM SET PWNOTREQ <NAME>
    Set the "password not required" flag for a user account.

SAM SET AUTOLOCK <NAME>
    Set the "autolock" flag for a user account.

SAM SET PWNOEXP <NAME>
    Set the "password does not expire" flag for a user account.

SAM SET PWDMUSTCHANGENOW <NAME> [yes|no]
    Set or unset the "password must change" flag for a user account.

SAM POLICY LIST
    List the available account policies.

SAM POLICY SHOW <account policy>
    Show the account policy value.

SAM POLICY SET <account policy> <value>
    Set a value for the account policy. Valid values can be: "forever",
    "never", "off", or a number.

SAM PROVISION
    Only available if ldapsam:editposix is set and winbindd is running.
    Properly populates the ldap tree with the basic accounts
    (Administrator) and groups (Domain Users, Domain Admins, Domain Guests)
    on the ldap tree.

IDMAP DUMP <local tdb file name>
    Dumps the mappings contained in the local tdb file specified. This
    command is useful to dump only the mappings produced by the idmap_tdb
    backend.

IDMAP RESTORE [input file]
    Restore the mappings from the specified file or stdin.

IDMAP SET SECRET <DOMAIN> <secret>
    Store a secret for the specified domain, used primarily for domains
    that use idmap_ldap as a backend. In this case the secret is used as
    the password for the user DN used to bind to the ldap server.

IDMAP SET RANGE <RANGE> <SID> [index] [--db=<DB>]
    Store a domain-range mapping for a given domain (and index) in autorid
    database.

IDMAP SET CONFIG <config> [--db=<DB>]
    Update CONFIG entry in autorid database.

IDMAP GET RANGE <SID> [index] [--db=<DB>]
    Get the range for a given domain and index from autorid database.

IDMAP GET RANGES [<SID>] [--db=<DB>]
    Get ranges for all domains or for one identified by given SID.

IDMAP GET CONFIG [--db=<DB>]
    Get CONFIG entry from autorid database.

IDMAP DELETE MAPPING [-f] [--db=<DB>] <ID>
    Delete a mapping sid <-> gid or sid <-> uid from the IDMAP database.
    The mapping is given by <ID> which may either be a sid: S-x-..., a gid:
    "GID number" or a uid: "UID number". Use -f to delete an invalid
    partial mapping <ID> -> xx.

    Use "smbcontrol all idmap ..." to notify running smbd instances. See
    the smbcontrol(1) manpage for details.

IDMAP DELETE RANGE [-f] [--db=<TDB>] <RANGE>|(<SID> [<INDEX>])
    Delete a domain range mapping identified by 'RANGE' or "domain SID and
    INDEX" from autorid database. Use -f to delete invalid mappings.

IDMAP DELETE RANGES [-f] [--db=<TDB>] <SID>
    Delete all domain range mappings for a domain identified by SID. Use -f
    to delete invalid mappings.

IDMAP CHECK [-v] [-r] [-a] [-T] [-f] [-l] [--db=<DB>]
    Check and repair the IDMAP database. If no option is given, a read-only
    check of the database is done. Among others, an interactive or automatic
    repair mode may be chosen with one of the following options:

    -r|--repair
        Interactive repair mode, ask a lot of questions.

    -a|--auto
        Noninteractive repair mode, use default answers.
1011
1012 -v|--verbose
1013 Produce more output.
1014
1015 -f|--force
1016 Try to apply changes, even if they do not apply cleanly.
1017
1018 -T|--test
1019 Dry run, show what changes would be made but don't touch anything.
1020
1021 -l|--lock
1022 Lock the database while doing the check.
1023
1024 --db <DB>
1025 Check the specified database.
1026
It reports the following kinds of errors:
1028
1029 Missing reverse mapping:
1030 A record with mapping A->B where there is no B->A. Default action
1031 in repair mode is to "fix" this by adding the reverse mapping.
1032
1033 Invalid mapping:
1034 A record with mapping A->B where B->C. Default action is to
1035 "delete" this record.
1036
1037 Missing or invalid HWM:
1038 A high water mark is not at least equal to the largest ID in the
1039 database. Default action is to "fix" this by setting it to the
1040 largest ID found +1.
1041
1042 Invalid record:
1043 Something we failed to parse. Default action is to "edit" it in
1044 interactive and "delete" it in automatic mode.
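The four error classes above can be reproduced on a small data set. This is an added example, not Samba's implementation and not the tdb record format: it assumes mappings are plain string pairs written as a SID or "UID n"/"GID n", with the high water marks passed separately, and all sample values are constructed.

```python
import re

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")
ID_RE = re.compile(r"^(UID|GID) (\d+)$")

# Constructed sample data (hypothetical SIDs and IDs).
SAMPLE_RECORDS = {
    "S-1-5-21-1-2-3-1000": "UID 10000",
    "UID 10000": "S-1-5-21-1-2-3-1000",   # consistent pair
    "S-1-5-21-1-2-3-1001": "UID 10001",   # no "UID 10001" record
    "S-1-5-21-1-2-3-1002": "UID 10000",   # UID 10000 maps back to ...-1000
    "GID 20005": "S-1-5-21-1-2-3-513",
    "S-1-5-21-1-2-3-513": "GID 20005",
    "garbage": "???",                      # cannot be parsed
}
SAMPLE_HWM = {"UID": 10002, "GID": 20000}  # GID mark is below 20005


def check_idmap(records, hwm):
    """Read-only check; returns (error class, record, default repair action)."""
    findings = []
    valid = {}
    largest = {"UID": None, "GID": None}
    for key, value in records.items():
        key_id, value_id = ID_RE.match(key), ID_RE.match(value)
        key_sid, value_sid = SID_RE.match(key), SID_RE.match(value)
        # A well-formed record pairs one SID with one "UID n" or "GID n".
        if not ((key_sid and value_id) or (key_id and value_sid)):
            findings.append(("invalid record", f"{key} -> {value}",
                             "edit (interactive) or delete (automatic)"))
            continue
        valid[key] = value
        match = key_id or value_id
        kind, number = match.group(1), int(match.group(2))
        if largest[kind] is None or number > largest[kind]:
            largest[kind] = number
    for a, b in valid.items():
        back = valid.get(b)
        if back is None:        # A->B exists, B->A does not
            findings.append(("missing reverse mapping", f"{a} -> {b}",
                             f"fix: add {b} -> {a}"))
        elif back != a:         # A->B exists, but B->C with C != A
            findings.append(("invalid mapping", f"{a} -> {b}", "delete"))
    for kind, top in largest.items():
        mark = hwm.get(kind)
        if top is not None and (mark is None or mark < top):
            findings.append(("missing or invalid HWM", f"{kind} HWM={mark}",
                             f"fix: set to {top + 1}"))
    return findings


if __name__ == "__main__":
    for finding in check_idmap(SAMPLE_RECORDS, SAMPLE_HWM):
        print(" | ".join(finding))
```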
1045
1046 USERSHARE
1047 Starting with version 3.0.23, a Samba server now supports the ability
1048 for non-root users to add user defined shares to be exported using the
1049 "net usershare" commands.
1050
To set this up, first set up your smb.conf by adding to the [global]
section:

    usershare path = /usr/local/samba/lib/usershares

Next create the directory /usr/local/samba/lib/usershares, change the
owner to root and set the group owner to the UNIX group who should have
the ability to create usershares, for example a group called
"serverops". Set the permissions on /usr/local/samba/lib/usershares to
01770 (owner and group all access, no access for others, plus the
sticky bit, which means that a file in that directory can be renamed or
deleted only by the owner of the file). Finally, tell smbd how many
usershares you will allow by adding to the [global] section of smb.conf
a line such as:

    usershare max shares = 100

to allow 100 usershare definitions. Now, members of the UNIX group
"serverops" can create user defined shares on demand using the commands
below.
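A check that a usershare directory still matches the layout described above (root owner, mode 01770), as an added example that is not part of Samba. The function name and the owner_uid parameter are assumptions of this example; the default path is the one used in the text.

```python
import os
import stat
import sys


def audit_usershare_dir(path, owner_uid=0):
    """Compare a usershare directory with the root-owned, mode 01770 layout.

    Returns a list of findings; an empty list means the directory matches.
    owner_uid defaults to 0 (root), the owner the setup steps call for.
    """
    st = os.lstat(path)  # lstat: a symlink in place of the directory is a finding
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != owner_uid:
        findings.append(f"owner uid is {st.st_uid}, expected {owner_uid}")
    if not (mode & stat.S_ISVTX):
        findings.append("sticky bit missing: group members can rename or "
                        "delete share files owned by other users")
    if mode & stat.S_IRWXO:
        findings.append("others have access: accounts outside the usershare "
                        "group are not kept out of the directory")
    if (mode & stat.S_IRWXG) != stat.S_IRWXG:
        findings.append("group lacks full access: members cannot create "
                        "usershares")
    if (mode & stat.S_IRWXU) != stat.S_IRWXU:
        findings.append("owner lacks full access")
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/samba/lib/usershares"
    try:
        problems = audit_usershare_dir(target)
    except FileNotFoundError:
        problems = [f"{target} does not exist"]
    for problem in problems:
        print(problem)
    sys.exit(1 if problems else 0)
```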
1064
1065 The usershare commands are:
1066 net usershare add sharename path [comment [acl] [guest_ok=[y|n]]] -
1067 to add or change a user defined share.
1068 net usershare delete sharename - to delete a user defined share.
1069 net usershare info [-l|--long] [wildcard sharename] - to print info
1070 about a user defined share.
1071 net usershare list [-l|--long] [wildcard sharename] - to list user
1072 defined shares.
1073
1074 USERSHARE ADD sharename path [comment] [acl] [guest_ok=[y|n]]
1075 Add or replace a new user defined share, with name "sharename".
1076
1077 "path" specifies the absolute pathname on the system to be exported.
1078 Restrictions may be put on this, see the global smb.conf parameters:
1079 "usershare owner only", "usershare prefix allow list", and "usershare
1080 prefix deny list".
1081
1082 The optional "comment" parameter is the comment that will appear on the
1083 share when browsed to by a client.
1084
1085 The optional "acl" field specifies which users have read and write
1086 access to the entire share. Note that guest connections are not allowed
1087 unless the smb.conf parameter "usershare allow guests" has been set.
1088 The definition of a user defined share acl is: "user:permission", where
1089 user is a valid username on the system and permission can be "F", "R",
or "D". "F" stands for "full permissions", i.e. read and write
permissions. "D" stands for "deny" for a user, i.e. prevent this user
from accessing this share. "R" stands for "read only", i.e. only allow
1093 read access to this share (no creation of new files or directories or
1094 writing to files).
1095
1096 The default if no "acl" is given is "Everyone:R", which means any
1097 authenticated user has read-only access.
1098
1099 The optional "guest_ok" has the same effect as the parameter of the
1100 same name in smb.conf, in that it allows guest access to this user
1101 defined share. This parameter is only allowed if the global parameter
1102 "usershare allow guests" has been set to true in the smb.conf.
1103
1104
There is no separate command to modify an existing user defined share;
just use the "net usershare add [sharename]" command with the same
sharename as the one you wish to modify and specify the new options you
wish. The Samba smbd daemon notices user defined share modifications at
connect time, so it will see the change immediately; there is no need
to restart smbd on adding, deleting or changing a user defined share.
1111
1112 USERSHARE DELETE sharename
1113 Deletes the user defined share by name. The Samba smbd daemon
1114 immediately notices this change, although it will not disconnect any
1115 users currently connected to the deleted share.
1116
1117 USERSHARE INFO [-l|--long] [wildcard sharename]
1118 Get info on user defined shares owned by the current user matching the
1119 given pattern, or all users.
1120
1121 net usershare info on its own dumps out info on the user defined shares
1122 that were created by the current user, or restricts them to share names
1123 that match the given wildcard pattern ('*' matches one or more
1124 characters, '?' matches only one character). If the '-l' or '--long'
1125 option is also given, it prints out info on user defined shares created
1126 by other users.
1127
The information given about a share looks like:

    [foobar]
    path=/home/jeremy
    comment=testme
    usershare_acl=Everyone:F
    guest_ok=n

This is a list of the current settings of the user defined share that
can be modified by the "net usershare add" command.
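A review pass over "net usershare info" output that flags the broadest settings described under USERSHARE ADD: guest access, Everyone:F, and paths outside an expected prefix. This is an added example, not part of Samba; it assumes multiple acl entries are comma-separated, and the [scratch] share and the allowed_prefixes parameter are constructed for illustration.

```python
SAMPLE_INFO = """\
[foobar]
path=/home/jeremy
comment=testme
usershare_acl=Everyone:F
guest_ok=n

[scratch]
path=/srv/scratch
comment=
usershare_acl=Everyone:R,alice:F,mallory:D,
guest_ok=y
"""  # constructed sample; [foobar] is the block shown in the text above


def parse_usershare_info(text):
    """Parse "net usershare info" output into {sharename: {key: value}}."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return shares


def parse_acl(acl):
    """Split a usershare acl into (user, permission) pairs; permission is F, R or D."""
    entries = []
    for item in (part.strip() for part in acl.split(",")):
        if not item:
            continue  # tolerate a trailing comma
        user, sep, perm = item.rpartition(":")
        if not sep or not user or perm.upper() not in ("F", "R", "D"):
            raise ValueError(f"malformed acl entry: {item!r}")
        entries.append((user, perm.upper()))
    return entries


def audit_usershares(shares, allowed_prefixes=()):
    """Return (sharename, finding) pairs for settings worth a second look."""
    findings = []
    for name, cfg in sorted(shares.items()):
        if cfg.get("guest_ok", "n").lower() == "y":
            findings.append((name, "guest access enabled"))
        # "Everyone:R" is the default when no acl was given.
        for user, perm in parse_acl(cfg.get("usershare_acl", "Everyone:R")):
            if user.lower() == "everyone" and perm == "F":
                findings.append(
                    (name, "Everyone:F gives every authenticated user write access"))
        path = cfg.get("path", "")
        if allowed_prefixes and not any(
            path == prefix.rstrip("/") or path.startswith(prefix.rstrip("/") + "/")
            for prefix in allowed_prefixes
        ):
            findings.append((name, f"path {path} is outside the allowed prefixes"))
    return findings


if __name__ == "__main__":
    for share, finding in audit_usershares(parse_usershare_info(SAMPLE_INFO), ["/srv"]):
        print(f"[{share}] {finding}")
```

On a live system the input would be the output of "net usershare info -l", which also covers shares created by other users.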
1132
1133 USERSHARE LIST [-l|--long] wildcard sharename
1134 List all the user defined shares owned by the current user matching the
1135 given pattern, or all users.
1136
net usershare list on its own lists the names of the user defined
1138 shares that were created by the current user, or restricts the list to
1139 share names that match the given wildcard pattern ('*' matches one or
1140 more characters, '?' matches only one character). If the '-l' or
1141 '--long' option is also given, it includes the names of user defined
1142 shares created by other users.
1143
1144 [RPC] CONF
1145 Starting with version 3.2.0, a Samba server can be configured by data
1146 stored in registry. This configuration data can be edited with the new
1147 "net conf" commands. There is also the possibility to configure a
1148 remote Samba server by enabling the RPC conf mode and specifying the
1149 address of the remote server.
1150
1151 The deployment of this configuration data can be activated in two
1152 levels from the smb.conf file: Share definitions from registry are
1153 activated by setting registry shares to “yes” in the [global] section
1154 and global configuration options are activated by setting include =
1155 registry in the [global] section for a mixed configuration or by
1156 setting config backend = registry in the [global] section for a
1157 registry-only configuration. See the smb.conf(5) manpage for details.
1158
1159 The conf commands are:
1160 net [rpc] conf list - Dump the complete configuration in smb.conf
1161 like format.
1162 net [rpc] conf import - Import configuration from file in smb.conf
1163 format.
1164 net [rpc] conf listshares - List the registry shares.
1165 net [rpc] conf drop - Delete the complete configuration from
1166 registry.
1167 net [rpc] conf showshare - Show the definition of a registry share.
1168 net [rpc] conf addshare - Create a new registry share.
1169 net [rpc] conf delshare - Delete a registry share.
1170 net [rpc] conf setparm - Store a parameter.
1171 net [rpc] conf getparm - Retrieve the value of a parameter.
1172 net [rpc] conf delparm - Delete a parameter.
1173 net [rpc] conf getincludes - Show the includes of a share
1174 definition.
1175 net [rpc] conf setincludes - Set includes for a share.
1176 net [rpc] conf delincludes - Delete includes from a share
1177 definition.
1178
1179 [RPC] CONF LIST
1180 Print the configuration data stored in the registry in a smb.conf-like
1181 format to standard output.
1182
1183 [RPC] CONF IMPORT [--test|-T] filename [section]
1184 This command imports configuration from a file in smb.conf format. If a
1185 section encountered in the input file is present in registry, its
contents are replaced. Sections of registry configuration that have no
1187 counterpart in the input file are not affected. If you want to delete
1188 these, you will have to use the "net conf drop" or "net conf delshare"
1189 commands. Optionally, a section may be specified to restrict the effect
1190 of the import command to that specific section. A test mode is enabled
1191 by specifying the parameter "-T" on the commandline. In test mode, no
1192 changes are made to the registry, and the resulting configuration is
1193 printed to standard output instead.
1194
1195 [RPC] CONF LISTSHARES
1196 List the names of the shares defined in registry.
1197
1198 [RPC] CONF DROP
1199 Delete the complete configuration data from registry.
1200
1201 [RPC] CONF SHOWSHARE sharename
1202 Show the definition of the share or section specified. It is valid to
1203 specify "global" as sharename to retrieve the global configuration
1204 options from registry.
1205
1206 [RPC] CONF ADDSHARE sharename path [writeable={y|N} [guest_ok={y|N}
1207 [comment]]]
1208 Create a new share definition in registry. The sharename and path have
1209 to be given. The share name may not be "global". Optionally, values for
1210 the very common options "writeable", "guest ok" and a "comment" may be
1211 specified. The same result may be obtained by a sequence of "net conf
1212 setparm" commands.
1213
1214 [RPC] CONF DELSHARE sharename
1215 Delete a share definition from registry.
1216
1217 [RPC] CONF SETPARM section parameter value
1218 Store a parameter in registry. The section may be global or a
1219 sharename. The section is created if it does not exist yet.
1220
1221 [RPC] CONF GETPARM section parameter
1222 Show a parameter stored in registry.
1223
1224 [RPC] CONF DELPARM section parameter
1225 Delete a parameter stored in registry.
1226
1227 [RPC] CONF GETINCLUDES section
1228 Get the list of includes for the provided section (global or share).
1229
1230 Note that due to the nature of the registry database and the nature of
1231 include directives, the includes need special treatment: Parameters are
1232 stored in registry by the parameter name as valuename, so there is only
1233 ever one instance of a parameter per share. Also, a specific order like
1234 in a text file is not guaranteed. For all real parameters, this is
1235 perfectly ok, but the include directive is rather a meta parameter, for
1236 which, in the smb.conf text file, the place where it is specified
1237 between the other parameters is very important. This can not be
1238 achieved by the simple registry smbconf data model, so there is one
1239 ordered list of includes per share, and this list is evaluated after
1240 all the parameters of the share.
1241
1242 Further note that currently, only files can be included from registry
1243 configuration. In the future, there will be the ability to include
1244 configuration data from other registry keys.
1245
1246 [RPC] CONF SETINCLUDES section [filename]+
1247 Set the list of includes for the provided section (global or share) to
1248 the given list of one or more filenames. The filenames may contain the
1249 usual smb.conf macros like %I.
1250
1251 [RPC] CONF DELINCLUDES section
1252 Delete the list of includes from the provided section (global or
1253 share).
1254
1255 REGISTRY
1256 Manipulate Samba's registry.
1257
1258 The registry commands are:
1259 net registry enumerate - Enumerate registry keys and values.
1260 net registry enumerate_recursive - Enumerate registry key and its
1261 subkeys.
1262 net registry createkey - Create a new registry key.
1263 net registry deletekey - Delete a registry key.
1264 net registry deletekey_recursive - Delete a registry key with
1265 subkeys.
1266 net registry getvalue - Print a registry value.
1267 net registry getvalueraw - Print a registry value (raw format).
1268 net registry setvalue - Set a new registry value.
1269 net registry increment - Increment a DWORD registry value under a
1270 lock.
1271 net registry deletevalue - Delete a registry value.
1272 net registry getsd - Get security descriptor.
net registry getsd_sddl - Get security descriptor in sddl format.
net registry setsd_sddl - Set security descriptor from sddl format
string.
1276 net registry import - Import a registration entries (.reg)
1277 file.
1278 net registry export - Export a registration entries (.reg)
1279 file.
1280 net registry convert - Convert a registration entries (.reg)
1281 file.
1282 net registry check - Check and repair a registry database.
1283
1284 REGISTRY ENUMERATE key
1285 Enumerate subkeys and values of key.
1286
1287 REGISTRY ENUMERATE_RECURSIVE key
1288 Enumerate values of key and its subkeys.
1289
1290 REGISTRY CREATEKEY key
1291 Create a new key if not yet existing.
1292
1293 REGISTRY DELETEKEY key
1294 Delete the given key and its values from the registry, if it has no
1295 subkeys.
1296
1297 REGISTRY DELETEKEY_RECURSIVE key
1298 Delete the given key and all of its subkeys and values from the
1299 registry.
1300
1301 REGISTRY GETVALUE key name
1302 Output type and actual value of the value name of the given key.
1303
1304 REGISTRY GETVALUERAW key name
1305 Output the actual value of the value name of the given key.
1306
1307 REGISTRY SETVALUE key name type value ...
1308 Set the value name of an existing key. type may be one of sz, multi_sz
1309 or dword. In case of multi_sz value may be given multiple times.
1310
1311 REGISTRY INCREMENT key name [inc]
1312 Increment the DWORD value name of key by inc while holding a g_lock.
1313 inc defaults to 1.
1314
1315 REGISTRY DELETEVALUE key name
1316 Delete the value name of the given key.
1317
1318 REGISTRY GETSD key
1319 Get the security descriptor of the given key.
1320
1321 REGISTRY GETSD_SDDL key
1322 Get the security descriptor of the given key as a Security Descriptor
1323 Definition Language (SDDL) string.
1324
REGISTRY SETSD_SDDL key sd
1326 Set the security descriptor of the given key from a Security Descriptor
1327 Definition Language (SDDL) string sd.
1328
1329 REGISTRY IMPORT file [--precheck <check-file>] [opt]
1330 Import a registration entries (.reg) file.
1331
1332 The following options are available:
1333
1334 --precheck check-file
1335 This is a mechanism to check the existence or non-existence of
1336 certain keys or values specified in a precheck file before applying
1337 the import file. The import file will only be applied if the
1338 precheck succeeds.
1339
1340 The check-file follows the normal registry file syntax with the
1341 following semantics:
1342
1343 · <value name>=<value> checks whether the value exists and
1344 has the given value.
1345
1346 · <value name>=- checks whether the value does not exist.
1347
1348 · [key] checks whether the key exists.
1349
1350 · [-key] checks whether the key does not exist.
1351
1352
REGISTRY EXPORT key file [opt]
1354 Export a key to a registration entries (.reg) file.
1355
1356 REGISTRY CONVERT in out [[inopt] outopt]
1357 Convert a registration entries (.reg) file in.
1358
1359 REGISTRY CHECK [-ravTl] [-o <ODB>] [--wipe] [<DB>]
1360 Check and repair the registry database. If no option is given a read
1361 only check of the database is done. Among others an interactive or
automatic repair mode may be chosen with one of the following options:
1363
1364 -r|--repair
1365 Interactive repair mode, ask a lot of questions.
1366
1367 -a|--auto
1368 Noninteractive repair mode, use default answers.
1369
1370 -v|--verbose
1371 Produce more output.
1372
1373 -T|--test
1374 Dry run, show what changes would be made but don't touch anything.
1375
1376 -l|--lock
1377 Lock the database while doing the check.
1378
1379 --reg-version={1,2,3}
Specify the format of the registry database. If not given it
defaults to the value of the binary or, if a registry.tdb is
explicitly stated at the commandline, to the value found in the
INFO/version record.
1384
1385 [--db] <DB>
1386 Check the specified database.
1387
1388 -o|--output <ODB>
1389 Create a new registry database <ODB> instead of modifying the
1390 input. If <ODB> is already existing --wipe may be used to overwrite
1391 it.
1392
1393 --wipe
1394 Replace the registry database instead of modifying the input or
1395 overwrite an existing output database.
1396
1397 EVENTLOG
1398 Starting with version 3.4.0 net can read, dump, import and export
1399 native win32 eventlog files (usually *.evt). evt files are used by the
1400 native Windows eventviewer tools.
1401
1402 The import and export of evt files can only succeed when eventlog list
1403 is used in smb.conf file. See the smb.conf(5) manpage for details.
1404
1405 The eventlog commands are:
net eventlog dump - Dump an eventlog *.evt file on the screen.
net eventlog import - Import an eventlog *.evt into the samba
internal tdb based representation of eventlogs.
net eventlog export - Export the samba internal tdb based
representation of eventlogs into an eventlog *.evt file.
1411
1412 EVENTLOG DUMP filename
Prints an eventlog *.evt file to standard output.
1414
1415 EVENTLOG IMPORT filename eventlog
Imports an eventlog *.evt file defined by filename into the samba
internal tdb representation of eventlog defined by eventlog. eventlog
needs to be part of the eventlog list defined in smb.conf. See the
smb.conf(5) manpage for details.
1420
1421 EVENTLOG EXPORT filename eventlog
Exports the samba internal tdb representation of eventlog defined by
eventlog to an eventlog *.evt file defined by filename. eventlog needs
to be part of the eventlog list defined in smb.conf. See the smb.conf(5)
manpage for details.
1426
1427 DOM
1428 Starting with version 3.2.0 Samba has support for remote join and
unjoin APIs, both client and server-side. Windows has supported remote
join capabilities since Windows 2000.
1431
1432 In order for Samba to be joined or unjoined remotely an account must be
used that is either a member of the Domain Admins group, a member of the
1434 local Administrators group or a user that is granted the
1435 SeMachineAccountPrivilege privilege.
1436
1437 The client side support for remote join is implemented in the net dom
1438 commands which are:
1439 net dom join - Join a remote computer into a domain.
1440 net dom unjoin - Unjoin a remote computer from a domain.
1441 net dom renamecomputer - Renames a remote computer joined to a
1442 domain.
1443
1444 DOM JOIN domain=DOMAIN ou=OU account=ACCOUNT password=PASSWORD reboot
1445 Joins a computer into a domain. This command supports the following
1446 additional parameters:
1447
1448 · DOMAIN can be a NetBIOS domain name (also known as short
1449 domain name) or a DNS domain name for Active Directory
1450 Domains. As in Windows, it is also possible to control which
1451 Domain Controller to use. This can be achieved by appending
1452 the DC name using the \ separator character. Example:
1453 MYDOM\MYDC. The DOMAIN parameter cannot be NULL.
1454
1455 · OU can be set to a RFC 1779 LDAP DN, like
1456 ou=mymachines,cn=Users,dc=example,dc=com in order to create
1457 the machine account in a non-default LDAP container. This
1458 optional parameter is only supported when joining Active
1459 Directory Domains.
1460
1461 · ACCOUNT defines a domain account that will be used to join
1462 the machine to the domain. This domain account needs to have
1463 sufficient privileges to join machines.
1464
1465 · PASSWORD defines the password for the domain account defined
1466 with ACCOUNT.
1467
1468 · REBOOT is an optional parameter that can be set to reboot
1469 the remote machine after successful join to the domain.
1470
1471
1472 Note that you also need to use standard net parameters to connect and
1473 authenticate to the remote machine that you want to join. These
1474 additional parameters include: -S computer and -U user.
1475
1476 Example: net dom join -S xp -U XP\\administrator%secret domain=MYDOM
1477 account=MYDOM\\administrator password=topsecret reboot.
1478
1479 This example would connect to a computer named XP as the local
1480 administrator using password secret, and join the computer into a
1481 domain called MYDOM using the MYDOM domain administrator account and
1482 password topsecret. After successful join, the computer would reboot.
1483
1484 DOM UNJOIN account=ACCOUNT password=PASSWORD reboot
1485 Unjoins a computer from a domain. This command supports the following
1486 additional parameters:
1487
1488 · ACCOUNT defines a domain account that will be used to unjoin
1489 the machine from the domain. This domain account needs to
1490 have sufficient privileges to unjoin machines.
1491
1492 · PASSWORD defines the password for the domain account defined
1493 with ACCOUNT.
1494
1495 · REBOOT is an optional parameter that can be set to reboot
1496 the remote machine after successful unjoin from the domain.
1497
1498
1499 Note that you also need to use standard net parameters to connect and
1500 authenticate to the remote machine that you want to unjoin. These
1501 additional parameters include: -S computer and -U user.
1502
1503 Example: net dom unjoin -S xp -U XP\\administrator%secret
1504 account=MYDOM\\administrator password=topsecret reboot.
1505
1506 This example would connect to a computer named XP as the local
1507 administrator using password secret, and unjoin the computer from the
1508 domain using the MYDOM domain administrator account and password
1509 topsecret. After successful unjoin, the computer would reboot.
1510
1511 DOM RENAMECOMPUTER newname=NEWNAME account=ACCOUNT password=PASSWORD reboot
1512 Renames a computer that is joined to a domain. This command supports
1513 the following additional parameters:
1514
1515 · NEWNAME defines the new name of the machine in the domain.
1516
1517 · ACCOUNT defines a domain account that will be used to rename
1518 the machine in the domain. This domain account needs to have
1519 sufficient privileges to rename machines.
1520
1521 · PASSWORD defines the password for the domain account defined
1522 with ACCOUNT.
1523
1524 · REBOOT is an optional parameter that can be set to reboot
1525 the remote machine after successful rename in the domain.
1526
1527
1528 Note that you also need to use standard net parameters to connect and
1529 authenticate to the remote machine that you want to rename in the
1530 domain. These additional parameters include: -S computer and -U user.
1531
1532 Example: net dom renamecomputer -S xp -U XP\\administrator%secret
1533 newname=XPNEW account=MYDOM\\administrator password=topsecret reboot.
1534
1535 This example would connect to a computer named XP as the local
1536 administrator using password secret, and rename the joined computer to
1537 XPNEW using the MYDOM domain administrator account and password
1538 topsecret. After successful rename, the computer would reboot.
1539
1540 G_LOCK
1541 Manage global locks.
1542
1543 G_LOCK DO lockname timeout command
1544 Execute a shell command under a global lock. This might be useful to
1545 define the order in which several shell commands will be executed. The
1546 locking information is stored in a file called g_lock.tdb. In setups
1547 with CTDB running, the locking information will be available on all
1548 cluster nodes.
1549
1550 · LOCKNAME defines the name of the global lock.
1551
1552 · TIMEOUT defines the timeout.
1553
1554 · COMMAND defines the shell command to execute.
1555
1556 G_LOCK LOCKS
1557 Print a list of all currently existing locknames.
1558
1559 G_LOCK DUMP lockname
1560 Dump the locking table of a certain global lock.
1561
1562 TDB
1563 Print information from tdb records.
1564
1565 TDB LOCKING key [DUMP]
1566 List sharename, filename and number of share modes for a record from
locking.tdb. With the optional DUMP option, dump the complete record.
1568
1569 · KEY Key of the tdb record as hex string.
1570
1571 HELP [COMMAND]
1572 Gives usage information for the specified command.
1573
1575 This man page is complete for version 3 of the Samba suite.
1576
1578 The original Samba software and related utilities were created by
1579 Andrew Tridgell. Samba is now developed by the Samba Team as an Open
1580 Source project similar to the way the Linux kernel is developed.
1581
1582 The net manpage was written by Jelmer Vernooij.
1583
1584
1585
1586Samba 4.10.4 05/28/2019 NET(8)