1NET(8) System Administration tools NET(8)
2
3
4
6 net - Tool for administration of Samba and remote CIFS servers.
7
9 net {<ads|rap|rpc>} [-h|--help] [-w|--workgroup workgroup]
10 [-W|--myworkgroup myworkgroup] [-U|--user user]
11 [-A|--authentication-file authfile] [-I|--ipaddress ip-address]
12 [-p|--port port] [-n myname] [-s conffile] [-S|--server server]
13 [-l|--long] [-v|--verbose] [-f|--force] [-P|--machine-pass]
14 [-d debuglevel] [-V] [--request-timeout seconds]
15 [-t|--timeout seconds] [-i|--stdin] [--tallocreport]
16
18 This tool is part of the samba(7) suite.
19
20 The Samba net utility is meant to work just like the net utility
21 available for Windows and DOS. The first argument should be used to
22 specify the protocol to use when executing a certain command. ADS is
23 used for Active Directory, RAP is used for old (Win9x/NT3) clients and
24 RPC can be used for NT4 and Windows 2000. If this argument is omitted,
25 net will try to determine it automatically. Not all commands are
26 available on all protocols.
27
29 -?|--help
30 Print a summary of command line options.
31
32 -k|--kerberos
33 Try to authenticate with kerberos. Only useful in an Active
34 Directory environment.
35
36 -w|--workgroup target-workgroup
37 Sets target workgroup or domain. You have to specify either this
38 option or the IP address or the name of a server.
39
40 -W|--myworkgroup workgroup
41 Sets client workgroup or domain
42
43 -U|--user user
44 User name to use
45
46 -I|--ipaddress ip-address
47 IP address of target server to use. You have to specify either this
48 option or a target workgroup or a target server.
49
50 -p|--port port
51 Port on the target server to connect to (usually 139 or 445).
52 Defaults to trying 445 first, then 139.
53
54 -n|--netbiosname <primary NetBIOS name>
55 This option allows you to override the NetBIOS name that Samba uses
56 for itself. This is identical to setting the netbios name parameter
57 in the smb.conf file. However, a command line setting will take
58 precedence over settings in smb.conf.
59
60 -S|--server server
61 Name of target server. You should specify either this option or a
62 target workgroup or a target IP address.
63
64 -l|--long
65 When listing data, give more information on each item.
66
67 -v|--verbose
68 When listing data, give more verbose information on each item.
69
70 -f|--force
71 Enforcing a net command.
72
73 -P|--machine-pass
74 Make queries to the external server using the machine account of
75 the local server.
76
77 --request-timeout 30
78 Let client requests time out after 30 seconds; the default is 10
79 seconds.
80
81 -t|--timeout 30
82 Set timeout for client operations to 30 seconds.
83
84 --use-ccache
85 Try to use the credentials cached by winbind.
86
87 -i|--stdin
88 Take input for net commands from standard input.
89
90 --tallocreport
91 Generate a talloc report while processing a net command.
92
93 -T|--test
94 Only test command sequence, dry-run.
95
96 -F|--flags FLAGS
97 Pass down integer flags to a net subcommand.
98
99 -C|--comment COMMENT
100 Pass down a comment string to a net subcommand.
101
102 -n|--myname MYNAME
103 Use MYNAME as a requester name for a net subcommand.
104
105 -c|--container CONTAINER
106 Use a specific AD container for net ads operations.
107
108 -M|--maxusers MAXUSERS
109 Fill in the maxusers field in net rpc share operations.
110
111 -r|--reboot
112 Reboot a remote machine after a command has been successfully
113 executed (e.g. in remote join operations).
114
115 --force-full-repl
116 When calling "net rpc vampire keytab" this option enforces a full
117 re-creation of the generated keytab file.
118
119 --single-obj-repl
120 When calling "net rpc vampire keytab" this option allows one to
121 replicate just a single object to the generated keytab file.
122
123 --clean-old-entries
124 When calling "net rpc vampire keytab" this option allows one to
125 cleanup old entries from the generated keytab file.
126
127 --db
128 Define dbfile for "net idmap" commands.
129
130 --lock
131 Activates locking of the dbfile for "net idmap check" command.
132
133 -a|--auto
134 Activates noninteractive mode in "net idmap check".
135
136 --repair
137 Activates repair mode in "net idmap check".
138
139 --acls
140 Includes ACLs to be copied in "net rpc share migrate".
141
142 --attrs
143 Includes file attributes to be copied in "net rpc share migrate".
144
145 --timestamps
146 Includes timestamps to be copied in "net rpc share migrate".
147
148 -X|--exclude DIRECTORY
149 Allows one to exclude directories when copying with "net rpc share
150 migrate".
151
152 --destination SERVERNAME
153 Defines the target servername of migration process (defaults to
154 localhost).
155
156 -L|--local
157 Sets the type of group mapping to local (used in "net groupmap
158 set").
159
160 -D|--domain
161 Sets the type of group mapping to domain (used in "net groupmap
162 set").
163
164 -N|--ntname NTNAME
165 Sets the ntname of a group mapping (used in "net groupmap set").
166
167 -R|--rid RID
168 Sets the rid of a group mapping (used in "net groupmap set").
169
170 --reg-version REG_VERSION
171 Assume database version {n|1,2,3} (used in "net registry check").
172
173 -o|--output FILENAME
174 Output database file (used in "net registry check").
175
176 --wipe
177 Create a new database from scratch (used in "net registry check").
178
179 --precheck PRECHECK_DB_FILENAME
180 Defines filename for database prechecking (used in "net registry
181 import").
182
183 --no-dns-updates
184 Do not perform DNS updates as part of "net ads join".
185
186 --keep-account
187 Prevent the machine account removal as part of "net ads leave".
188
189 --json
190 Report results in JSON format for "net ads info" and "net ads
191 lookup".
192
193 -e|--encrypt
194 This command line parameter requires the remote server support the
195 UNIX extensions or that the SMB3 protocol has been selected.
196 Requests that the connection be encrypted. Negotiates SMB
197 encryption using either SMB3 or POSIX extensions via GSSAPI. Uses
198 the given credentials for the encryption negotiation (either
199 kerberos or NTLMv1/v2 if given domain/username/password triple).
200 Fails the connection if encryption cannot be negotiated.
201
202 -d|--debuglevel=level
203 level is an integer from 0 to 10. The default value if this
204 parameter is not specified is 1.
205
206 The higher this value, the more detail will be logged to the log
207 files about the activities of the server. At level 0, only critical
208 errors and serious warnings will be logged. Level 1 is a reasonable
209 level for day-to-day running - it generates a small amount of
210 information about operations carried out.
211
212 Levels above 1 will generate considerable amounts of log data, and
213 should only be used when investigating a problem. Levels above 3
214 are designed for use only by developers and generate HUGE amounts
215 of log data, most of which is extremely cryptic.
216
217 Note that specifying this parameter here will override the log
218 level parameter in the smb.conf file.
219
220 -V|--version
221 Prints the program version number.
222
223 -s|--configfile=<configuration file>
224 The file specified contains the configuration details required by
225 the server. The information in this file includes server-specific
226 information such as what printcap file to use, as well as
227 descriptions of all the services that the server is to provide. See
228 smb.conf for more information. The default configuration file name
229 is determined at compile time.
230
231 -l|--log-basename=logdirectory
232 Base directory name for log/debug files. The extension ".progname"
233 will be appended (e.g. log.smbclient, log.smbd, etc...). The log
234 file is never removed by the client.
235
236 --option=<name>=<value>
237 Set the smb.conf(5) option "<name>" to value "<value>" from the
238 command line. This overrides compiled-in defaults and options read
239 from the configuration file.
240
242 CHANGESECRETPW
243 This command allows the Samba machine account password to be set from
244 an external application to a machine account password that has already
245 been stored in Active Directory. DO NOT USE this command unless you
246 know exactly what you are doing. The use of this command requires that
247 the force flag (-f) be used also. There will be NO command prompt.
248 Whatever information is piped into stdin, either by typing at the
249 command line or otherwise, will be stored as the literal machine
250 password. Do NOT use this without care and attention as it will
251 overwrite a legitimate machine password without warning. YOU HAVE BEEN
252 WARNED.
253
254 TIME
255 The NET TIME command allows you to view the time on a remote server or
256 synchronise the time on the local server with the time on the remote
257 server.
258
259 TIME
260 Without any options, the NET TIME command displays the time on the
261 remote server. The remote server must be specified with the -S option.
262
263 TIME SYSTEM
264 Displays the time on the remote server in a format ready for /bin/date.
265 The remote server must be specified with the -S option.
266
267 TIME SET
268 Tries to set the date and time of the local server to that on the
269 remote server using /bin/date. The remote server must be specified with
270 the -S option.
271
272 TIME ZONE
273 Displays the timezone in hours from GMT on the remote server. The
274 remote server must be specified with the -S option.
275
276 [RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]]
277 [createupn=UPN] [createcomputer=OU] [machinepass=PASS] [osName=string
278 osVer=string] [options]
279 Join a domain. If the account already exists on the server, and [TYPE]
280 is MEMBER, the machine will attempt to join automatically. (Assuming
281 that the machine has been created in server manager) Otherwise, a
282 password will be prompted for, and a new account may be created.
283
284 [TYPE] may be PDC, BDC or MEMBER to specify the type of server joining
285 the domain.
286
287 [UPN] (ADS only) set the principalname attribute during the join. The
288 default format is host/netbiosname@REALM.
289
290 [OU] (ADS only) Precreate the computer account in a specific OU. The OU
291 string reads from top to bottom without RDNs, and is delimited by a
292 '/'. Please note that '\' is used for escape by both the shell and
293 ldap, so it may need to be doubled or quadrupled to pass through, and
294 it is not used as a delimiter.
295
296 [PASS] (ADS only) Set a specific password on the computer account being
297 created by the join.
298
299 [osName=string osVer=String] (ADS only) Set the operatingSystem and
300 operatingSystemVersion attribute during the join. Both parameters must
301 be specified for either to take effect.
302
303 [RPC] OLDJOIN [options]
304 Join a domain. Use the OLDJOIN option to join the domain using the old
305 style of domain joining - you need to create a trust account in server
306 manager first.
307
308 [RPC|ADS] USER
309 [RPC|ADS] USER
310 List all users
311
312 [RPC|ADS] USER DELETE target
313 Delete specified user
314
315 [RPC|ADS] USER INFO target
316 List the domain groups of the specified user.
317
318 [RPC|ADS] USER RENAME oldname newname
319 Rename specified user.
320
321 [RPC|ADS] USER ADD name [password] [-F user flags] [-C comment]
322 Add specified user.
323
324 [RPC|ADS] GROUP
325 [RPC|ADS] GROUP [misc options] [targets]
326 List user groups.
327
328 [RPC|ADS] GROUP DELETE name [misc. options]
329 Delete specified group.
330
331 [RPC|ADS] GROUP ADD name [-C comment]
332 Create specified group.
333
334 [ADS] LOOKUP
335 Lookup the closest Domain Controller in our domain and retrieve server
336 information about it.
337
338 [RAP|RPC] SHARE
339 [RAP|RPC] SHARE [misc. options] [targets]
340 Enumerates all exported resources (network shares) on target server.
341
342 [RAP|RPC] SHARE ADD name=serverpath [-C comment] [-M maxusers] [targets]
343 Adds a share from a server (makes the export active). Maxusers
344 specifies the number of users that can be connected to the share
345 simultaneously.
346
347 SHARE DELETE sharename
348 Delete specified share.
349
350 [RPC|RAP] FILE
351 [RPC|RAP] FILE
352 List all open files on remote server.
353
354 [RPC|RAP] FILE CLOSE fileid
355 Close file with specified fileid on remote server.
356
357 [RPC|RAP] FILE INFO fileid
358 Print information on specified fileid. Currently listed are: file-id,
359 username, locks, path, permissions.
360
361 [RAP|RPC] FILE USER user
362 List files opened by specified user. Please note that net rap file user
363 does not work against Samba servers.
364
365 SESSION
366 RAP SESSION
367 Without any other options, SESSION enumerates all active SMB/CIFS
368 sessions on the target server.
369
370 RAP SESSION DELETE|CLOSE CLIENT_NAME
371 Close the specified sessions.
372
373 RAP SESSION INFO CLIENT_NAME
374 Give a list with all the open files in specified session.
375
376 RAP SERVER DOMAIN
377 List all servers in specified domain or workgroup. Defaults to local
378 domain.
379
380 RAP DOMAIN
381 Lists all domains and workgroups visible on the current network.
382
383 RAP PRINTQ
384 RAP PRINTQ INFO QUEUE_NAME
385 Lists the specified print queue and print jobs on the server. If the
386 QUEUE_NAME is omitted, all queues are listed.
387
388 RAP PRINTQ DELETE JOBID
389 Delete job with specified id.
390
391 RAP VALIDATE user [password]
392 Validate whether the specified user can log in to the remote server. If
393 the password is not specified on the commandline, it will be prompted.
394
395 Note
396 Currently NOT implemented.
397
398 RAP GROUPMEMBER
399 RAP GROUPMEMBER LIST GROUP
400 List all members of the specified group.
401
402 RAP GROUPMEMBER DELETE GROUP USER
403 Delete member from group.
404
405 RAP GROUPMEMBER ADD GROUP USER
406 Add member to group.
407
408 RAP ADMIN command
409 Execute the specified command on the remote server. Only works with
410 OS/2 servers.
411
412 Note
413 Currently NOT implemented.
414
415 RAP SERVICE
416 RAP SERVICE START NAME [arguments...]
417 Start the specified service on the remote server. Not implemented yet.
418
419 Note
420 Currently NOT implemented.
421
422 RAP SERVICE STOP
423 Stop the specified service on the remote server.
424
425 Note
426 Currently NOT implemented.
427
428 RAP PASSWORD USER OLDPASS NEWPASS
429 Change password of USER from OLDPASS to NEWPASS.
430
431 LOOKUP
432 LOOKUP HOST HOSTNAME [TYPE]
433 Lookup the IP address of the given host with the specified type
434 (netbios suffix). The type defaults to 0x20 (workstation).
435
436 LOOKUP LDAP [DOMAIN]
437 Give IP address of LDAP server of specified DOMAIN. Defaults to local
438 domain.
439
440 LOOKUP KDC [REALM]
441 Give IP address of KDC for the specified REALM. Defaults to local
442 realm.
443
444 LOOKUP DC [DOMAIN]
445 Give IP's of Domain Controllers for specified
446 DOMAIN. Defaults to local domain.
447
448 LOOKUP MASTER DOMAIN
449 Give IP of master browser for specified DOMAIN or workgroup. Defaults
450 to local domain.
451
452 LOOKUP NAME [NAME]
453 Lookup username's sid and type for specified NAME
454
455 LOOKUP SID [SID]
456 Give sid's name and type for specified SID
457
458 LOOKUP DSGETDCNAME [NAME] [FLAGS] [SITENAME]
459 Give Domain Controller information for specified domain NAME
460
461 CACHE
462 Samba uses a general caching interface called 'gencache'. It can be
463 controlled using 'NET CACHE'.
464
465 All the timeout parameters support the suffixes:
466 s - Seconds
467 m - Minutes
468 h - Hours
469 d - Days
470 w - Weeks
471
472 CACHE ADD key data time-out
473 Add specified key+data to the cache with the given timeout.
474
475 CACHE DEL key
476 Delete key from the cache.
477
478 CACHE SET key data time-out
479 Update data of existing cache entry.
480
481 CACHE SEARCH PATTERN
482 Search for the specified pattern in the cache data.
483
484 CACHE LIST
485 List all current items in the cache.
486
487 CACHE FLUSH
488 Remove all the current items from the cache.
489
490 GETLOCALSID [DOMAIN]
491 Prints the SID of the specified domain, or if the parameter is omitted,
492 the SID of the local server.
493
494 SETLOCALSID S-1-5-21-x-y-z
495 Sets SID for the local server to the specified SID.
496
497 GETDOMAINSID
498 Prints the local machine SID and the SID of the current domain.
499
500 SETDOMAINSID
501 Sets the SID of the current domain.
502
503 GROUPMAP
504 Manage the mappings between Windows group SIDs and UNIX groups. Common
505 options include:
506
507 · unixgroup - Name of the UNIX group
508
509 · ntgroup - Name of the Windows NT group (must be resolvable
510 to a SID)
511
512 · rid - Unsigned 32-bit integer
513
514 · sid - Full SID in the form of "S-1-..."
515
516 · type - Type of the group; either 'domain', 'local', or
517 'builtin'
518
519 · comment - Freeform text description of the group
520
521
522 GROUPMAP ADD
523 Add a new group mapping entry:
524
525 net groupmap add {rid=int|sid=string} unixgroup=string \
526 [type={domain|local}] [ntgroup=string] [comment=string]
527
528
529
530 GROUPMAP DELETE
531 Delete a group mapping entry. If more than one group name matches, the
532 first entry found is deleted.
533
534 net groupmap delete {ntgroup=string|sid=SID}
535
536 GROUPMAP MODIFY
537 Update an existing group entry.
538
539 net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] \
540 [comment=string] [type={domain|local}]
541
542
543
544 GROUPMAP LIST
545 List existing group mapping entries.
546
547 net groupmap list [verbose] [ntgroup=string] [sid=SID]
548
549 MAXRID
550 Prints out the highest RID currently in use on the local server (by the
551 active 'passdb backend').
552
553 RPC INFO
554 Print information about the domain of the remote server, such as domain
555 name, domain sid and number of users and groups.
556
557 [RPC|ADS] TESTJOIN
558 Check whether participation in a domain is still valid.
559
560 [RPC|ADS] CHANGETRUSTPW
561 Force change of domain trust password.
562
563 RPC TRUSTDOM
564 RPC TRUSTDOM ADD DOMAIN
565 Add an interdomain trust account for DOMAIN. This is in fact a Samba
566 account named DOMAIN$ with the account flag 'I' (interdomain trust
567 account). This is required for incoming trusts to work. It makes Samba
568 be a trusted domain of the foreign (trusting) domain. Users of the
569 Samba domain will be made available in the foreign domain. If the
570 command is used against localhost it has the same effect as smbpasswd
571 -a -i DOMAIN. Please note that both commands expect an appropriate UNIX
572 account.
573
574 RPC TRUSTDOM DEL DOMAIN
575 Remove interdomain trust account for DOMAIN. If it is used against
576 localhost it has the same effect as smbpasswd -x DOMAIN$.
577
578 RPC TRUSTDOM ESTABLISH DOMAIN
579 Establish a trust relationship to a trusted domain. Interdomain account
580 must already be created on the remote PDC. This is required for
581 outgoing trusts to work. It makes Samba be a trusting domain of a
582 foreign (trusted) domain. Users of the foreign domain will be made
583 available in our domain. You'll need winbind and a working idmap config
584 to make them appear in your system.
585
586 RPC TRUSTDOM REVOKE DOMAIN
587 Abandon relationship to trusted domain
588
589 RPC TRUSTDOM LIST
590 List all interdomain trust relationships.
591
592 RPC TRUST
593 RPC TRUST CREATE
594 Create a trust object by calling lsaCreateTrustedDomainEx2. This can be
595 done on a single server or on two servers at once with the possibility
596 to use a random trust password.
597
598 Options:
599
600 otherserver
601 Domain controller of the second domain
602
603 otheruser
604 Admin user in the second domain
605
606 otherdomainsid
607 SID of the second domain
608
609 other_netbios_domain
610 NetBIOS (short) name of the second domain
611
612 otherdomain
613 DNS (full) name of the second domain
614
615 trustpw
616 Trust password
617
618 Examples:
619
620 Create a trust object on srv1.dom1.dom for the domain dom2
621
622 net rpc trust create \
623 otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
624 other_netbios_domain=dom2 \
625 otherdomain=dom2.dom \
626 trustpw=12345678 \
627 -S srv1.dom1.dom
628
629 Create a trust relationship between dom1 and dom2
630
631 net rpc trust create \
632 otherserver=srv2.dom2.test \
633 otheruser=dom2adm \
634 -S srv1.dom1.dom
635
636 RPC TRUST DELETE
637 Delete a trust object by calling lsaDeleteTrustedDomain. This can be
638 done on a single server or on two servers at once.
639
640 Options:
641
642 otherserver
643 Domain controller of the second domain
644
645 otheruser
646 Admin user in the second domain
647
648 otherdomainsid
649 SID of the second domain
650
651 Examples:
652
653 Delete a trust object on srv1.dom1.dom for the domain dom2
654
655 net rpc trust delete \
656 otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
657 -S srv1.dom1.dom
658
659 Delete a trust relationship between dom1 and dom2
660
661 net rpc trust delete \
662 otherserver=srv2.dom2.test \
663 otheruser=dom2adm \
664 -S srv1.dom1.dom
665
666
667 RPC RIGHTS
668 This subcommand is used to view and manage Samba's rights assignments
669 (also referred to as privileges). There are three options currently
670 available: list, grant, and revoke. More details on Samba's privilege
671 model and its use can be found in the Samba-HOWTO-Collection.
672
673 RPC ABORTSHUTDOWN
674 Abort the shutdown of a remote server.
675
676 RPC SHUTDOWN [-t timeout] [-r] [-f] [-C message]
677 Shut down the remote server.
678
679 -r
680 Reboot after shutdown.
681
682 -f
683 Force shutting down all applications.
684
685 -t timeout
686 Timeout before system will be shut down. An interactive user of the
687 system can use this time to cancel the shutdown.
688
689 -C message
690 Display the specified message on the screen to announce the
691 shutdown.
692
693 RPC SAMDUMP
694 Print out sam database of remote server. You need to run this against
695 the PDC, from a Samba machine joined as a BDC.
696
697 RPC VAMPIRE
698 Export users, aliases and groups from remote server to local server.
699 You need to run this against the PDC, from a Samba machine joined as a
700 BDC. This vampire command cannot be used against an Active Directory,
701 only against an NT4 Domain Controller.
702
703 RPC VAMPIRE KEYTAB
704 Dump remote SAM database to local Kerberos keytab file.
705
706 RPC VAMPIRE LDIF
707 Dump remote SAM database to local LDIF file or standard output.
708
709 RPC GETSID
710 Fetch domain SID and store it in the local secrets.tdb.
711
712 ADS LEAVE [--keep-account]
713 Make the remote host leave the domain it is part of.
714
715 ADS STATUS
716 Print out status of machine account of the local machine in ADS. Prints
717 out quite some debug info. Aimed at developers, regular users should
718 use NET ADS TESTJOIN.
719
720 ADS PRINTER
721 ADS PRINTER INFO [PRINTER] [SERVER]
722 Lookup info for PRINTER on SERVER. The printer name defaults to "*",
723 the server name defaults to the local host.
724
725 ADS PRINTER PUBLISH PRINTER
726 Publish specified printer using ADS.
727
728 ADS PRINTER REMOVE PRINTER
729 Remove specified printer from ADS directory.
730
731 ADS SEARCH EXPRESSION ATTRIBUTES...
732 Perform a raw LDAP search on an ADS server and dump the results. The
733 expression is a standard LDAP search expression, and the attributes are
734 a list of LDAP fields to show in the results.
735
736 Example: net ads search '(objectCategory=group)' sAMAccountName
737
738 ADS DN DN (attributes)
739 Perform a raw LDAP search on an ADS server and dump the results. The DN
740 is a standard LDAP DN, and the attributes are a list of LDAP fields to show
741 in the result.
742
743 Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain'
744 SAMAccountName
745
746 ADS KEYTAB CREATE
747 Creates a new keytab file if one doesn't exist with default entries.
748 Default entries are kerberos principals created from the machinename of
749 the client, the UPN (if it exists) and any Windows SPN(s) associated
750 with the computer AD account for the client. If a keytab file already
751 exists then only missing kerberos principals from the default entries
752 are added. No changes are made to the computer AD account.
753
754 ADS KEYTAB ADD (principal | machine | serviceclass | windows SPN)
755 Adds a new keytab entry. The entry can be one of:
756
757 kerberos principal
758 A kerberos principal (identified by the presence of '@') is just
759 added to the keytab file.
760
761 machinename
762 A machinename (identified by the trailing '$') is used to create a
763 kerberos principal 'machinename@realm' which is added to the
764 keytab file.
765
766 serviceclass
767 A serviceclass (such as 'cifs', 'html' etc.) is used to create a
768 pair of kerberos principals
769 'serviceclass/fully_qualified_dns_name@realm' &
770 'serviceclass/netbios_name@realm' which are added to the keytab
771 file.
772
773 Windows SPN
774 A Windows SPN is of the format 'serviceclass/host:port', it is used
775 to create a kerberos principal 'serviceclass/host@realm' which will
776 be written to the keytab file.
777
778 Unlike old versions no computer AD objects are modified by this
779 command. To preserve the behaviour of older clients 'net ads keytab
780 add_update_ads' is available.
781
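The entry-to-principal rules of "net ads keytab add" described above, as an added example that is not part of the Samba man page or sources. It can be used to predict which principals to expect in a keytab when reviewing it. Assumptions: the function name keytab_principals is hypothetical, the realm, DNS name and NetBIOS name are passed in by the caller, the four checks are tried in the order shown, and an entry containing '/' is treated as a Windows SPN whether or not a ':port' is present.

```shell
#!/bin/sh
# Added example: which kerberos principals the four entry types map to.
# Usage: keytab_principals ENTRY REALM FQDN NETBIOSNAME
# Prints one principal per line; returns 2 for an empty entry.
keytab_principals() {
    kp_entry=$1 kp_realm=$2 kp_fqdn=$3 kp_netbios=$4
    case $kp_entry in
        '')
            return 2 ;;
        *@*)
            # kerberos principal: written to the keytab as given
            printf '%s\n' "$kp_entry" ;;
        *\$)
            # machinename (trailing '$'): machinename@realm
            printf '%s@%s\n' "$kp_entry" "$kp_realm" ;;
        */*)
            # Windows SPN serviceclass/host:port: the port is dropped
            # (assumption: an SPN without ':port' is handled the same way)
            kp_host=${kp_entry#*/}
            printf '%s/%s@%s\n' "${kp_entry%%/*}" "${kp_host%%:*}" "$kp_realm" ;;
        *)
            # serviceclass: one principal for the DNS name, one for NetBIOS
            printf '%s/%s@%s\n' "$kp_entry" "$kp_fqdn" "$kp_realm"
            printf '%s/%s@%s\n' "$kp_entry" "$kp_netbios" "$kp_realm" ;;
    esac
}

# Constructed sample entries; DOM1.DOM and SRV1 are made-up values.
for kp_sample in 'host/srv1.dom1.dom@DOM1.DOM' 'SRV1$' 'cifs' \
                 'http/srv1.dom1.dom:8080'; do
    printf '%s =>\n' "$kp_sample"
    keytab_principals "$kp_sample" DOM1.DOM srv1.dom1.dom SRV1 | sed 's/^/    /'
done
```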
782 ADS KEYTAB ADD_UPDATE_ADS (principal | machine | serviceclass | windows SPN)
783 Adds a new keytab entry (see section for net ads keytab add). In
784 addition to adding entries to the keytab file, corresponding Windows
785 SPNs are created from the entry passed to this command. These SPN(s)
786 are added to the AD computer account object associated with the client
787 machine running this command for the following entry types:
788
789 serviceclass
790 A serviceclass (such as 'cifs', 'html' etc.) is used to create a
791 pair of Windows SPN(s) 'param/full_qualified_dns' &
792 'param/netbios_name' which are added to the AD computer account
793 object for this client.
794
795 Windows SPN
796 A Windows SPN is of the format 'serviceclass/host:port', it is
797 added as passed to the AD computer account object for this client.
798
799 ADS setspn SETSPN LIST [machine]
800 Lists the Windows SPNs stored in the 'machine' Windows AD Computer
801 object. If 'machine' is not specified then computer account for this
802 client is used instead.
803
804 ADS setspn SETSPN ADD SPN [machine]
805 Adds the specified Windows SPN to the 'machine' Windows AD Computer
806 object. If 'machine' is not specified then computer account for this
807 client is used instead.
808
809 ADS setspn SETSPN DELETE SPN [machine]
810 Delete the specified Windows SPN from the 'machine' Windows AD Computer
811 object. If 'machine' is not specified then computer account for this
812 client is used instead.
813
814 ADS WORKGROUP
815 Print out workgroup name for specified kerberos realm.
816
817 ADS ENCTYPES
818 List, modify or delete the value of the "msDS-SupportedEncryptionTypes"
819 attribute of an account in AD.
820
821 This attribute allows one to control which Kerberos encryption types
822 are used for the generation of initial and service tickets. The value
823 consists of an integer bitmask with the following values:
824
825 0x00000001 DES-CBC-CRC
826
827 0x00000002 DES-CBC-MD5
828
829 0x00000004 RC4-HMAC
830
831 0x00000008 AES128-CTS-HMAC-SHA1-96
832
833 0x00000010 AES256-CTS-HMAC-SHA1-96
834
835 ADS ENCTYPES LIST <ACCOUNTNAME>
836 List the value of the "msDS-SupportedEncryptionTypes" attribute of a
837 given account.
838
839 Example: net ads enctypes list Computername
840
841 ADS ENCTYPES SET <ACCOUNTNAME> [enctypes]
842 Set the value of the "msDS-SupportedEncryptionTypes" attribute of the
843 LDAP object of ACCOUNTNAME to a given value. If the value is omitted,
844 the value is set to 31 which enables all the currently supported
845 encryption types.
846
847 Example: net ads enctypes set Computername 24
848
849 ADS ENCTYPES DELETE <ACCOUNTNAME>
850 Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP
851 object of ACCOUNTNAME.
852
853 Example: net ads enctypes delete Computername
854
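Decoding a "msDS-SupportedEncryptionTypes" value with the bitmask table above, as an added example that is not part of the Samba man page or sources. It shows that 31 still permits DES and RC4 while 24 restricts an account to the two AES types. The function names valid_mask, decode_enctypes and has_weak_enctypes are hypothetical, and the value is expected to be supplied by the caller as a decimal or 0x-prefixed hex integer.

```shell
#!/bin/sh
# Added example: decode msDS-SupportedEncryptionTypes and flag DES/RC4.

# Accept only plain decimal or 0x-prefixed hex, so nothing else ever reaches
# shell arithmetic (which would otherwise evaluate arbitrary expressions).
valid_mask() {
    case $1 in
        0[xX]) return 1 ;;
        0[xX]*[!0-9a-fA-F]*) return 1 ;;
        0[xX]*) return 0 ;;
        0[0-9]*) return 1 ;;        # a leading zero would be read as octal
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# Print the enctype names set in $1, space-separated, in table order.
# Bits outside the documented table are reported as UNKNOWN(0x...).
# Returns 2 if $1 is not a valid integer.
decode_enctypes() {
    valid_mask "$1" || return 2
    de_value=$(( $1 ))
    de_out=""
    for de_pair in 1:DES-CBC-CRC 2:DES-CBC-MD5 4:RC4-HMAC \
                   8:AES128-CTS-HMAC-SHA1-96 16:AES256-CTS-HMAC-SHA1-96; do
        de_bit=${de_pair%%:*}
        de_name=${de_pair#*:}
        if [ $(( de_value & de_bit )) -ne 0 ]; then
            de_out="${de_out:+$de_out }$de_name"
        fi
    done
    de_rest=$(( de_value & ~31 ))
    if [ "$de_rest" -ne 0 ]; then
        de_out="${de_out:+$de_out }$(printf 'UNKNOWN(0x%x)' "$de_rest")"
    fi
    printf '%s\n' "$de_out"
}

# Exit status 0 when the value permits DES or RC4 (bits 0x1, 0x2, 0x4),
# 1 when it does not, 2 when $1 is not a valid integer.
has_weak_enctypes() {
    valid_mask "$1" || return 2
    [ $(( $1 & 7 )) -ne 0 ]
}

# Constructed sample values: the default 31, the page's example 24, and 0x1c.
for de_sample in 31 24 0x1c; do
    if has_weak_enctypes "$de_sample"; then
        de_verdict="WEAK (DES or RC4 permitted)"
    else
        de_verdict="AES only"
    fi
    printf '%-5s %s\n      -> %s\n' "$de_sample" "$de_verdict" \
        "$(decode_enctypes "$de_sample")"
done
```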
855 SAM CREATEBUILTINGROUP <NAME>
856 (Re)Create a BUILTIN group. Only a wellknown set of BUILTIN groups can
857 be created with this command. This is the list of currently recognized
858 group names: Administrators, Users, Guests, Power Users, Account
859 Operators, Server Operators, Print Operators, Backup Operators,
860 Replicator, RAS Servers, Pre-Windows 2000 compatible Access. This
861 command requires a running Winbindd with idmap allocation properly
862 configured. The group gid will be allocated out of the winbindd range.
863
864 SAM CREATELOCALGROUP <NAME>
865 Create a LOCAL group (also known as Alias). This command requires a
866 running Winbindd with idmap allocation properly configured. The group
867 gid will be allocated out of the winbindd range.
868
869 SAM DELETELOCALGROUP <NAME>
870 Delete an existing LOCAL group (also known as Alias).
871
872 SAM MAPUNIXGROUP <NAME>
873 Map an existing Unix group and make it a Domain Group, the domain group
874 will have the same name.
875
876 SAM UNMAPUNIXGROUP <NAME>
877 Remove an existing group mapping entry.
878
879 SAM ADDMEM <GROUP> <MEMBER>
880 Add a member to a Local group. The group can be specified only by name,
881 the member can be specified by name or SID.
882
883 SAM DELMEM <GROUP> <MEMBER>
884 Remove a member from a Local group. The group and the member must be
885 specified by name.
886
887 SAM LISTMEM <GROUP>
888 List Local group members. The group must be specified by name.
889
890 SAM LIST <users|groups|localgroups|builtin|workstations> [verbose]
891 List the specified set of accounts by name. If verbose is specified,
892 the rid and description is also provided for each account.
893
894 SAM RIGHTS LIST
895 List all available privileges.
896
897 SAM RIGHTS GRANT <NAME> <PRIVILEGE>
898 Grant one or more privileges to a user.
899
900 SAM RIGHTS REVOKE <NAME> <PRIVILEGE>
901 Revoke one or more privileges from a user.
902
903 SAM SHOW <NAME>
904 Show the full DOMAIN\\NAME, the SID and the type for the corresponding
905 account.
906
907 SAM SET HOMEDIR <NAME> <DIRECTORY>
908 Set the home directory for a user account.
909
910 SAM SET PROFILEPATH <NAME> <PATH>
911 Set the profile path for a user account.
912
913 SAM SET COMMENT <NAME> <COMMENT>
914 Set the comment for a user or group account.
915
916 SAM SET FULLNAME <NAME> <FULL NAME>
917 Set the full name for a user account.
918
919 SAM SET LOGONSCRIPT <NAME> <SCRIPT>
920 Set the logon script for a user account.
921
922 SAM SET HOMEDRIVE <NAME> <DRIVE>
923 Set the home drive for a user account.
924
925 SAM SET WORKSTATIONS <NAME> <WORKSTATIONS>
926 Set the workstations a user account is allowed to log in from.
927
928 SAM SET DISABLE <NAME>
929 Set the "disabled" flag for a user account.
930
931 SAM SET PWNOTREQ <NAME>
932 Set the "password not required" flag for a user account.
933
934 SAM SET AUTOLOCK <NAME>
935 Set the "autolock" flag for a user account.
936
937 SAM SET PWNOEXP <NAME>
938 Set the "password do not expire" flag for a user account.
939
940 SAM SET PWDMUSTCHANGENOW <NAME> [yes|no]
941 Set or unset the "password must change" flag for a user account.
942
943 SAM POLICY LIST
944 List the available account policies.
945
946 SAM POLICY SHOW <account policy>
947 Show the account policy value.
948
949 SAM POLICY SET <account policy> <value>
950 Set a value for the account policy. Valid values can be: "forever",
951 "never", "off", or a number.
952
953 SAM PROVISION
954 Only available if ldapsam:editposix is set and winbindd is running.
955 Properly populates the ldap tree with the basic accounts
956 (Administrator) and groups (Domain Users, Domain Admins, Domain Guests)
957 on the ldap tree.
958
IDMAP DUMP <local tdb file name>
Dumps the mappings contained in the local tdb file specified. This
command is useful to dump only the mappings produced by the idmap_tdb
backend.

IDMAP RESTORE [input file]
Restore the mappings from the specified file or stdin.

IDMAP SET SECRET <DOMAIN> <secret>
Store a secret for the specified domain, used primarily for domains
that use idmap_ldap as a backend. In this case the secret is used as
the password for the user DN used to bind to the ldap server.

IDMAP SET RANGE <RANGE> <SID> [index] [--db=<DB>]
Store a domain-range mapping for a given domain (and index) in the
autorid database.

IDMAP SET CONFIG <config> [--db=<DB>]
Update the CONFIG entry in the autorid database.

IDMAP GET RANGE <SID> [index] [--db=<DB>]
Get the range for a given domain and index from the autorid database.

IDMAP GET RANGES [<SID>] [--db=<DB>]
Get ranges for all domains or for one identified by the given SID.

IDMAP GET CONFIG [--db=<DB>]
Get the CONFIG entry from the autorid database.

IDMAP DELETE MAPPING [-f] [--db=<DB>] <ID>
Delete a mapping sid <-> gid or sid <-> uid from the IDMAP database.
The mapping is given by <ID>, which may be either a sid: S-x-..., a gid:
"GID number" or a uid: "UID number". Use -f to delete an invalid
partial mapping <ID> -> xx.

Use "smbcontrol all idmap ..." to notify running smbd instances. See
the smbcontrol(1) manpage for details.

IDMAP DELETE RANGE [-f] [--db=<TDB>] <RANGE>|(<SID> [<INDEX>])
Delete a domain range mapping identified by 'RANGE' or "domain SID and
INDEX" from the autorid database. Use -f to delete invalid mappings.

IDMAP DELETE RANGES [-f] [--db=<TDB>] <SID>
Delete all domain range mappings for a domain identified by SID. Use -f
to delete invalid mappings.

IDMAP CHECK [-v] [-r] [-a] [-T] [-f] [-l] [--db=<DB>]
Check and repair the IDMAP database. If no option is given, a read-only
check of the database is done. Among others, an interactive or automatic
repair mode may be chosen with one of the following options:

-r|--repair
Interactive repair mode, ask a lot of questions.

-a|--auto
Noninteractive repair mode, use default answers.

-v|--verbose
Produce more output.

-f|--force
Try to apply changes, even if they do not apply cleanly.

-T|--test
Dry run, show what changes would be made but don't touch anything.

-l|--lock
Lock the database while doing the check.

--db <DB>
Check the specified database.

It reports the following kinds of errors:

Missing reverse mapping:
A record with mapping A->B where there is no B->A. Default action
in repair mode is to "fix" this by adding the reverse mapping.

Invalid mapping:
A record with mapping A->B where B->C. Default action is to
"delete" this record.

Missing or invalid HWM:
A high water mark is not at least equal to the largest ID in the
database. Default action is to "fix" this by setting it to the
largest ID found +1.

Invalid record:
Something we failed to parse. Default action is to "edit" it in
interactive and "delete" it in automatic mode.
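The four error classes above, applied to a small mapping table. This is an added example, not Samba's own checker: the record layout ("UID n" / "GID n" keys paired with SID strings, plus "USER HWM" and "GROUP HWM" records) is a simplified model assumed for illustration, and the sample table is constructed.

```python
import re

ID_RE = re.compile(r"^(UID|GID) (\d+)$")
SID_RE = re.compile(r"^S-\d+(-\d+)+$")
# Assumed names of the high water mark records, one per ID type.
HWM_KEYS = {"USER HWM": "UID", "GROUP HWM": "GID"}

# Constructed sample table with one instance of each error class.
SAMPLE = {
    "UID 1000": "S-1-5-21-1-2-3-1000",
    "S-1-5-21-1-2-3-1000": "UID 1000",
    "GID 2000": "S-1-5-21-1-2-3-513",    # no record for the SID
    "S-1-5-21-1-2-3-1001": "UID 1000",   # UID 1000 maps back to another SID
    "garbage": "???",                    # neither side parses
    "USER HWM": "1000",
    "GROUP HWM": "1500",                 # below the largest GID in use
}


def check_idmap(records):
    """Return (error class, key, default action) tuples for a mapping table.

    The default actions are the automatic-mode ones listed in the text.
    """
    findings = []
    largest = {"UID": None, "GID": None}
    for key, val in records.items():
        if key in HWM_KEYS:
            continue
        id_to_sid = ID_RE.match(key) and SID_RE.match(val)
        sid_to_id = SID_RE.match(key) and ID_RE.match(val)
        if not (id_to_sid or sid_to_id):
            findings.append(("invalid record", key, "delete"))
            continue
        # Track the largest ID of each type for the HWM check below.
        m = ID_RE.match(key) or ID_RE.match(val)
        kind, num = m.group(1), int(m.group(2))
        if largest[kind] is None or num > largest[kind]:
            largest[kind] = num
        back = records.get(val)
        if back is None:
            # A->B exists but there is no B->A.
            findings.append(("missing reverse mapping", key, f"add {val} -> {key}"))
        elif back != key:
            # A->B exists but B->C with C != A.
            findings.append(("invalid mapping", key, "delete"))
    for hwm_key, kind in HWM_KEYS.items():
        top = largest[kind]
        if top is None:
            continue  # no IDs of this type to compare against
        raw = records.get(hwm_key)
        hwm = int(raw) if raw is not None and raw.isdigit() else None
        if hwm is None or hwm < top:
            findings.append(("missing or invalid HWM", hwm_key, f"set to {top + 1}"))
    return findings


if __name__ == "__main__":
    for finding in check_idmap(SAMPLE):
        print(finding)
```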

USERSHARE
Starting with version 3.0.23, a Samba server supports the ability
for non-root users to add user defined shares to be exported using the
"net usershare" commands.

To set this up, first set up your smb.conf by adding to the [global]
section:

    usershare path = /usr/local/samba/lib/usershares

Next create the directory /usr/local/samba/lib/usershares, change the
owner to root and set the group owner to the UNIX group who should have
the ability to create usershares, for example a group called
"serverops". Set the permissions on /usr/local/samba/lib/usershares to
01770 (owner and group all access, no access for others, plus the
sticky bit, which means that a file in that directory can be renamed or
deleted only by the owner of the file). Finally, tell smbd how many
usershares you will allow by adding to the [global] section of smb.conf
a line such as:

    usershare max shares = 100

to allow 100 usershare definitions. Now, members of the UNIX group
"serverops" can create user defined shares on demand using the commands
below.
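A check that an existing installation matches the setup just described (usershare path set, a positive share limit, directory owned by root with the chosen group and mode 01770). This is an added example, not part of the Samba distribution; the function names are hypothetical, and the smb.conf reader handles only simple "name = value" lines without continuations.

```python
import os
import stat


def global_params(conf_text):
    """Return the [global] parameters of smb.conf text as a dict."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Normalise case and inner whitespace of the parameter name.
            params[" ".join(name.lower().split())] = value.strip()
    return params


def audit_usershare_setup(conf_text, group_gid, owner_uid=0):
    """Return a list of deviations from the documented setup (empty = OK)."""
    params = global_params(conf_text)
    path = params.get("usershare path")
    if not path:
        return ["usershare path is not set in [global]"]
    findings = []
    max_shares = params.get("usershare max shares", "")
    if not max_shares.isdigit() or int(max_shares) == 0:
        findings.append("usershare max shares is not set to a positive number")
    try:
        st = os.stat(path)
    except OSError as exc:
        return findings + [f"cannot stat {path}: {exc.strerror}"]
    if not stat.S_ISDIR(st.st_mode):
        return findings + [f"{path} is not a directory"]
    if st.st_uid != owner_uid:
        findings.append(f"owner uid is {st.st_uid}, expected {owner_uid}")
    if st.st_gid != group_gid:
        findings.append(f"group gid is {st.st_gid}, expected {group_gid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IRWXO:
        # Any access for others lets users outside the group read or
        # create share definitions.
        findings.append("others have access to the directory")
    if not (mode & stat.S_ISVTX):
        # Without the sticky bit, group members can rename or delete
        # definition files they do not own.
        findings.append("sticky bit missing")
    if (mode & 0o770) != 0o770:
        findings.append("owner or group lacks full access")
    return findings


if __name__ == "__main__":
    import grp
    conf = open("/usr/local/samba/lib/smb.conf").read()  # assumed location
    gid = grp.getgrnam("serverops").gr_gid
    for finding in audit_usershare_setup(conf, gid):
        print(finding)
```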

The usershare commands are:
net usershare add sharename path [comment [acl] [guest_ok=[y|n]]] - to add or change a user defined share.
net usershare delete sharename - to delete a user defined share.
net usershare info [-l|--long] [wildcard sharename] - to print info about a user defined share.
net usershare list [-l|--long] [wildcard sharename] - to list user defined shares.

USERSHARE ADD sharename path [comment] [acl] [guest_ok=[y|n]]
Add or replace a new user defined share, with name "sharename".

"path" specifies the absolute pathname on the system to be exported.
Restrictions may be put on this, see the global smb.conf parameters:
"usershare owner only", "usershare prefix allow list", and "usershare
prefix deny list".

The optional "comment" parameter is the comment that will appear on the
share when browsed to by a client.

The optional "acl" field specifies which users have read and write
access to the entire share. Note that guest connections are not allowed
unless the smb.conf parameter "usershare allow guests" has been set.
The definition of a user defined share acl is: "user:permission", where
user is a valid username on the system and permission can be "F", "R",
or "D". "F" stands for "full permissions", i.e. read and write
permissions. "D" stands for "deny" for a user, i.e. prevent this user
from accessing this share. "R" stands for "read only", i.e. only allow
read access to this share (no creation of new files or directories or
writing to files).

The default if no "acl" is given is "Everyone:R", which means any
authenticated user has read-only access.

The optional "guest_ok" has the same effect as the parameter of the
same name in smb.conf, in that it allows guest access to this user
defined share. This parameter is only allowed if the global parameter
"usershare allow guests" has been set to true in the smb.conf.

There is no separate command to modify an existing user defined share.
Use the "net usershare add [sharename]" command with the same
sharename as the one you wish to modify and specify the new options you
wish. The Samba smbd daemon notices user defined share modifications at
connect time, so it will see the change immediately; there is no need
to restart smbd on adding, deleting or changing a user defined share.

USERSHARE DELETE sharename
Deletes the user defined share by name. The Samba smbd daemon
immediately notices this change, although it will not disconnect any
users currently connected to the deleted share.

USERSHARE INFO [-l|--long] [wildcard sharename]
Get info on user defined shares owned by the current user matching the
given pattern, or all users.

net usershare info on its own dumps out info on the user defined shares
that were created by the current user, or restricts them to share names
that match the given wildcard pattern ('*' matches one or more
characters, '?' matches only one character). If the '-l' or '--long'
option is also given, it prints out info on user defined shares created
by other users.

The information given about a share looks like:

    [foobar]
    path=/home/jeremy
    comment=testme
    usershare_acl=Everyone:F
    guest_ok=n

This is a list of the current settings of the user defined share that
can be modified by the "net usershare add" command.

USERSHARE LIST [-l|--long] wildcard sharename
List all the user defined shares owned by the current user matching the
given pattern, or all users.

net usershare list on its own lists the names of the user defined
shares that were created by the current user, or restricts the list to
share names that match the given wildcard pattern ('*' matches one or
more characters, '?' matches only one character). If the '-l' or
'--long' option is also given, it includes the names of user defined
shares created by other users.

[RPC] CONF
Starting with version 3.2.0, a Samba server can be configured by data
stored in registry. This configuration data can be edited with the new
"net conf" commands. There is also the possibility to configure a
remote Samba server by enabling the RPC conf mode and specifying the
address of the remote server.

The deployment of this configuration data can be activated in two
levels from the smb.conf file: Share definitions from registry are
activated by setting registry shares to “yes” in the [global] section
and global configuration options are activated by setting include =
registry in the [global] section for a mixed configuration or by
setting config backend = registry in the [global] section for a
registry-only configuration. See the smb.conf(5) manpage for details.

The conf commands are:
net [rpc] conf list - Dump the complete configuration in smb.conf like format.
net [rpc] conf import - Import configuration from file in smb.conf format.
net [rpc] conf listshares - List the registry shares.
net [rpc] conf drop - Delete the complete configuration from registry.
net [rpc] conf showshare - Show the definition of a registry share.
net [rpc] conf addshare - Create a new registry share.
net [rpc] conf delshare - Delete a registry share.
net [rpc] conf setparm - Store a parameter.
net [rpc] conf getparm - Retrieve the value of a parameter.
net [rpc] conf delparm - Delete a parameter.
net [rpc] conf getincludes - Show the includes of a share definition.
net [rpc] conf setincludes - Set includes for a share.
net [rpc] conf delincludes - Delete includes from a share definition.

[RPC] CONF LIST
Print the configuration data stored in the registry in a smb.conf-like
format to standard output.

[RPC] CONF IMPORT [--test|-T] filename [section]
This command imports configuration from a file in smb.conf format. If a
section encountered in the input file is present in registry, its
contents are replaced. Sections of registry configuration that have no
counterpart in the input file are not affected. If you want to delete
these, you will have to use the "net conf drop" or "net conf delshare"
commands. Optionally, a section may be specified to restrict the effect
of the import command to that specific section. A test mode is enabled
by specifying the parameter "-T" on the commandline. In test mode, no
changes are made to the registry, and the resulting configuration is
printed to standard output instead.

[RPC] CONF LISTSHARES
List the names of the shares defined in registry.

[RPC] CONF DROP
Delete the complete configuration data from registry.

[RPC] CONF SHOWSHARE sharename
Show the definition of the share or section specified. It is valid to
specify "global" as sharename to retrieve the global configuration
options from registry.

[RPC] CONF ADDSHARE sharename path [writeable={y|N} [guest_ok={y|N} [comment]]]
Create a new share definition in registry. The sharename and path have
to be given. The share name may not be "global". Optionally, values for
the very common options "writeable", "guest ok" and a "comment" may be
specified. The same result may be obtained by a sequence of "net conf
setparm" commands.

[RPC] CONF DELSHARE sharename
Delete a share definition from registry.

[RPC] CONF SETPARM section parameter value
Store a parameter in registry. The section may be global or a
sharename. The section is created if it does not exist yet.

[RPC] CONF GETPARM section parameter
Show a parameter stored in registry.

[RPC] CONF DELPARM section parameter
Delete a parameter stored in registry.

[RPC] CONF GETINCLUDES section
Get the list of includes for the provided section (global or share).

Note that due to the nature of the registry database and the nature of
include directives, the includes need special treatment: Parameters are
stored in registry by the parameter name as valuename, so there is only
ever one instance of a parameter per share. Also, a specific order like
in a text file is not guaranteed. For all real parameters, this is
perfectly ok, but the include directive is rather a meta parameter, for
which, in the smb.conf text file, the place where it is specified
between the other parameters is very important. This cannot be
achieved by the simple registry smbconf data model, so there is one
ordered list of includes per share, and this list is evaluated after
all the parameters of the share.

Further note that currently, only files can be included from registry
configuration. In the future, there will be the ability to include
configuration data from other registry keys.

[RPC] CONF SETINCLUDES section [filename]+
Set the list of includes for the provided section (global or share) to
the given list of one or more filenames. The filenames may contain the
usual smb.conf macros like %I.

[RPC] CONF DELINCLUDES section
Delete the list of includes from the provided section (global or
share).

REGISTRY
Manipulate Samba's registry.

The registry commands are:
net registry enumerate - Enumerate registry keys and values.
net registry enumerate_recursive - Enumerate registry key and its subkeys.
net registry createkey - Create a new registry key.
net registry deletekey - Delete a registry key.
net registry deletekey_recursive - Delete a registry key with subkeys.
net registry getvalue - Print a registry value.
net registry getvalueraw - Print a registry value (raw format).
net registry setvalue - Set a new registry value.
net registry increment - Increment a DWORD registry value under a lock.
net registry deletevalue - Delete a registry value.
net registry getsd - Get security descriptor.
net registry getsd_sddl - Get security descriptor in sddl format.
net registry setsd_sddl - Set security descriptor from sddl format string.
net registry import - Import a registration entries (.reg) file.
net registry export - Export a registration entries (.reg) file.
net registry convert - Convert a registration entries (.reg) file.
net registry check - Check and repair a registry database.

REGISTRY ENUMERATE key
Enumerate subkeys and values of key.

REGISTRY ENUMERATE_RECURSIVE key
Enumerate values of key and its subkeys.

REGISTRY CREATEKEY key
Create a new key if not yet existing.

REGISTRY DELETEKEY key
Delete the given key and its values from the registry, if it has no
subkeys.

REGISTRY DELETEKEY_RECURSIVE key
Delete the given key and all of its subkeys and values from the
registry.

REGISTRY GETVALUE key name
Output type and actual value of the value name of the given key.

REGISTRY GETVALUERAW key name
Output the actual value of the value name of the given key.

REGISTRY SETVALUE key name type value ...
Set the value name of an existing key. type may be one of sz, multi_sz
or dword. In case of multi_sz value may be given multiple times.

REGISTRY INCREMENT key name [inc]
Increment the DWORD value name of key by inc while holding a g_lock.
inc defaults to 1.

REGISTRY DELETEVALUE key name
Delete the value name of the given key.

REGISTRY GETSD key
Get the security descriptor of the given key.

REGISTRY GETSD_SDDL key
Get the security descriptor of the given key as a Security Descriptor
Definition Language (SDDL) string.

REGISTRY SETSD_SDDL key sd
Set the security descriptor of the given key from a Security Descriptor
Definition Language (SDDL) string sd.

REGISTRY IMPORT file [--precheck <check-file>] [opt]
Import a registration entries (.reg) file.

The following options are available:

--precheck check-file
This is a mechanism to check the existence or non-existence of
certain keys or values specified in a precheck file before applying
the import file. The import file will only be applied if the
precheck succeeds.

The check-file follows the normal registry file syntax with the
following semantics:

· <value name>=<value> checks whether the value exists and has the given value.

· <value name>=- checks whether the value does not exist.

· [key] checks whether the key exists.

· [-key] checks whether the key does not exist.
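The four precheck rules above, evaluated against an in-memory model of a registry. This is an added example, not the logic net itself runs: the registry is modelled as a dict of key path to {value name: string}, only quoted value names are handled, values are compared as literal text, names are matched case-insensitively (an assumption), and the key paths and check file are constructed.

```python
import re

VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')

# Constructed check file: one rule of each kind.
CHECK_FILE = r"""
[HKLM\Software\Example\app]
"mode"="secure"
"legacy"=-
[-HKLM\Software\Example\old]
"""


def precheck(check_text, registry):
    """Return the failed checks; an import would proceed only if none fail."""
    reg = {k.lower(): {n.lower(): v for n, v in vals.items()}
           for k, vals in registry.items()}
    failures, current = [], None
    for lineno, raw in enumerate(check_text.splitlines(), 1):
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.lower().startswith("windows registry editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):
                # [-key]: the key must not exist.
                current = None
                if key[1:].lower() in reg:
                    failures.append(f"line {lineno}: key {key[1:]} exists")
            else:
                # [key]: the key must exist; value checks that follow use it.
                current = key.lower()
                if current not in reg:
                    failures.append(f"line {lineno}: key {key} does not exist")
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"line {lineno}: unsupported line {line!r}")
        name, rhs = m.group(1), m.group(2).strip()
        values = reg.get(current, {})
        if rhs == "-":
            # <value name>=- : the value must not exist.
            if name.lower() in values:
                failures.append(f"line {lineno}: value {name} exists")
            continue
        # <value name>=<value> : the value must exist with this content.
        quoted = len(rhs) >= 2 and rhs[0] == rhs[-1] == '"'
        expected = rhs[1:-1] if quoted else rhs
        actual = values.get(name.lower())
        if actual is None:
            failures.append(f"line {lineno}: value {name} does not exist")
        elif actual != expected:
            failures.append(
                f"line {lineno}: value {name} is {actual!r}, expected {expected!r}")
    return failures


if __name__ == "__main__":
    state = {r"HKLM\Software\Example\app": {"mode": "open", "legacy": "1"},
             r"HKLM\Software\Example\old": {}}
    for failure in precheck(CHECK_FILE, state):
        print(failure)
```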


REGISTRY EXPORT key file [opt]
Export a key to a registration entries (.reg) file.

REGISTRY CONVERT in out [[inopt] outopt]
Convert a registration entries (.reg) file in.

REGISTRY CHECK [-ravTl] [-o <ODB>] [--wipe] [<DB>]
Check and repair the registry database. If no option is given, a
read-only check of the database is done. Among others, an interactive or
automatic repair mode may be chosen with one of the following options:

-r|--repair
Interactive repair mode, ask a lot of questions.

-a|--auto
Noninteractive repair mode, use default answers.

-v|--verbose
Produce more output.

-T|--test
Dry run, show what changes would be made but don't touch anything.

-l|--lock
Lock the database while doing the check.

--reg-version={1,2,3}
Specify the format of the registry database. If not given, it
defaults to the value of the binary or, if a registry.tdb is
explicitly stated at the commandline, to the value found in the
INFO/version record.

[--db] <DB>
Check the specified database.

-o|--output <ODB>
Create a new registry database <ODB> instead of modifying the
input. If <ODB> already exists, --wipe may be used to overwrite
it.

--wipe
Replace the registry database instead of modifying the input or
overwrite an existing output database.

EVENTLOG
Starting with version 3.4.0 net can read, dump, import and export
native win32 eventlog files (usually *.evt). evt files are used by the
native Windows eventviewer tools.

The import and export of evt files can only succeed when eventlog list
is used in the smb.conf file. See the smb.conf(5) manpage for details.

The eventlog commands are:
net eventlog dump - Dump an eventlog *.evt file on the screen.
net eventlog import - Import an eventlog *.evt into the samba internal tdb based representation of eventlogs.
net eventlog export - Export the samba internal tdb based representation of eventlogs into an eventlog *.evt file.

EVENTLOG DUMP filename
Prints an eventlog *.evt file to standard output.

EVENTLOG IMPORT filename eventlog
Imports an eventlog *.evt file defined by filename into the samba
internal tdb representation of eventlog defined by eventlog. eventlog
needs to be part of the eventlog list defined in smb.conf. See the
smb.conf(5) manpage for details.

EVENTLOG EXPORT filename eventlog
Exports the samba internal tdb representation of eventlog defined by
eventlog to an eventlog *.evt file defined by filename. eventlog needs
to be part of the eventlog list defined in smb.conf. See the smb.conf(5)
manpage for details.

DOM
Starting with version 3.2.0 Samba has support for remote join and
unjoin APIs, both client and server-side. Windows supports remote join
capabilities since Windows 2000.

In order for Samba to be joined or unjoined remotely an account must be
used that is either a member of the Domain Admins group, a member of the
local Administrators group or a user that is granted the
SeMachineAccountPrivilege privilege.

The client side support for remote join is implemented in the net dom
commands which are:
net dom join - Join a remote computer into a domain.
net dom unjoin - Unjoin a remote computer from a domain.
net dom renamecomputer - Renames a remote computer joined to a domain.

DOM JOIN domain=DOMAIN ou=OU account=ACCOUNT password=PASSWORD reboot
Joins a computer into a domain. This command supports the following
additional parameters:

· DOMAIN can be a NetBIOS domain name (also known as short
domain name) or a DNS domain name for Active Directory
Domains. As in Windows, it is also possible to control which
Domain Controller to use. This can be achieved by appending
the DC name using the \ separator character. Example:
MYDOM\MYDC. The DOMAIN parameter cannot be NULL.

· OU can be set to an RFC 1779 LDAP DN, like
ou=mymachines,cn=Users,dc=example,dc=com in order to create
the machine account in a non-default LDAP container. This
optional parameter is only supported when joining Active
Directory Domains.

· ACCOUNT defines a domain account that will be used to join
the machine to the domain. This domain account needs to have
sufficient privileges to join machines.

· PASSWORD defines the password for the domain account defined
with ACCOUNT.

· REBOOT is an optional parameter that can be set to reboot
the remote machine after successful join to the domain.

Note that you also need to use standard net parameters to connect and
authenticate to the remote machine that you want to join. These
additional parameters include: -S computer and -U user.

Example:

    net dom join -S xp -U XP\\administrator%secret domain=MYDOM account=MYDOM\\administrator password=topsecret reboot

This example would connect to a computer named XP as the local
administrator using password secret, and join the computer into a
domain called MYDOM using the MYDOM domain administrator account and
password topsecret. After successful join, the computer would reboot.

DOM UNJOIN account=ACCOUNT password=PASSWORD reboot
Unjoins a computer from a domain. This command supports the following
additional parameters:

· ACCOUNT defines a domain account that will be used to unjoin
the machine from the domain. This domain account needs to
have sufficient privileges to unjoin machines.

· PASSWORD defines the password for the domain account defined
with ACCOUNT.

· REBOOT is an optional parameter that can be set to reboot
the remote machine after successful unjoin from the domain.

Note that you also need to use standard net parameters to connect and
authenticate to the remote machine that you want to unjoin. These
additional parameters include: -S computer and -U user.

Example:

    net dom unjoin -S xp -U XP\\administrator%secret account=MYDOM\\administrator password=topsecret reboot

This example would connect to a computer named XP as the local
administrator using password secret, and unjoin the computer from the
domain using the MYDOM domain administrator account and password
topsecret. After successful unjoin, the computer would reboot.

DOM RENAMECOMPUTER newname=NEWNAME account=ACCOUNT password=PASSWORD reboot
Renames a computer that is joined to a domain. This command supports
the following additional parameters:

· NEWNAME defines the new name of the machine in the domain.

· ACCOUNT defines a domain account that will be used to rename
the machine in the domain. This domain account needs to have
sufficient privileges to rename machines.

· PASSWORD defines the password for the domain account defined
with ACCOUNT.

· REBOOT is an optional parameter that can be set to reboot
the remote machine after successful rename in the domain.

Note that you also need to use standard net parameters to connect and
authenticate to the remote machine that you want to rename in the
domain. These additional parameters include: -S computer and -U user.

Example:

    net dom renamecomputer -S xp -U XP\\administrator%secret newname=XPNEW account=MYDOM\\administrator password=topsecret reboot

This example would connect to a computer named XP as the local
administrator using password secret, and rename the joined computer to
XPNEW using the MYDOM domain administrator account and password
topsecret. After successful rename, the computer would reboot.

G_LOCK
Manage global locks.

G_LOCK DO lockname timeout command
Execute a shell command under a global lock. This might be useful to
define the order in which several shell commands will be executed. The
locking information is stored in a file called g_lock.tdb. In setups
with CTDB running, the locking information will be available on all
cluster nodes.

· LOCKNAME defines the name of the global lock.

· TIMEOUT defines the timeout.

· COMMAND defines the shell command to execute.

G_LOCK LOCKS
Print a list of all currently existing locknames.

G_LOCK DUMP lockname
Dump the locking table of a certain global lock.

TDB
Print information from tdb records.

TDB LOCKING key [DUMP]
List sharename, filename and number of share modes for a record from
locking.tdb. With the optional DUMP options, dump the complete record.

· KEY Key of the tdb record as hex string.

HELP [COMMAND]
Gives usage information for the specified command.

This man page is complete for version 3 of the Samba suite.

The original Samba software and related utilities were created by
Andrew Tridgell. Samba is now developed by the Samba Team as an Open
Source project similar to the way the Linux kernel is developed.

The net manpage was written by Jelmer Vernooij.

Samba 4.11.4 12/16/2019 NET(8)