SAMBA-TOOL(8)              System Administration tools             SAMBA-TOOL(8)

NAME
       samba-tool - Main Samba administration tool.

SYNOPSIS
       samba-tool [-h] [-W myworkgroup] [-U user] [-d debuglevel] [--v]

DESCRIPTION
       This tool is part of the samba(7) suite.

OPTIONS
       -h|--help
           Show this help message and exit

       --realm=REALM
           Set the realm name

       --simple-bind-dn=DN
           DN to use for a simple bind

       --password=PASSWORD
           Password. A password given on the command line is visible to other
           local users in the process list and may be recorded in shell
           history; prefer being prompted for it, or authenticate with an
           existing Kerberos ticket (-k yes) instead.

       -U USERNAME|--username=USERNAME
           Username

       -W WORKGROUP|--workgroup=WORKGROUP
           Workgroup

       -N|--no-pass
           Don't ask for a password

       -k KERBEROS|--kerberos=KERBEROS
           Use Kerberos

       --ipaddress=IPADDRESS
           IP address of the server

       -d|--debuglevel=level
           level is an integer from 0 to 10. The default value if this
           parameter is not specified is 1.

           The higher this value, the more detail will be logged to the log
           files about the activities of the server. At level 0, only critical
           errors and serious warnings will be logged. Level 1 is a reasonable
           level for day-to-day running - it generates a small amount of
           information about operations carried out.

           Levels above 1 will generate considerable amounts of log data, and
           should only be used when investigating a problem. Levels above 3
           are designed for use only by developers and generate HUGE amounts
           of log data, most of which is extremely cryptic.

           Note that specifying this parameter here will override the log
           level parameter in the smb.conf file.

       -V|--version
           Prints the program version number.

       -s|--configfile=<configuration file>
           The file specified contains the configuration details required by
           the server. The information in this file includes server-specific
           information such as what printcap file to use, as well as
           descriptions of all the services that the server is to provide. See
           smb.conf for more information. The default configuration file name
           is determined at compile time.

       -l|--log-basename=logdirectory
           Base directory name for log/debug files. The extension ".progname"
           will be appended (e.g. log.smbclient, log.smbd, etc...). The log
           file is never removed by the client.

       --option=<name>=<value>
           Set the smb.conf(5) option "<name>" to value "<value>" from the
           command line. This overrides compiled-in defaults and options read
           from the configuration file.

COMMANDS
       computer
           Manage computer accounts.

       computer create computername [options]
           Create a new computer in the Active Directory Domain.

           The new computer name specified on the command is the sAMAccountName,
           with or without the trailing dollar sign.

           --computerou=COMPUTEROU
               DN of alternative location (with or without domainDN
               counterpart) to default CN=Computers in which new computer
               object will be created. E.g. 'OU=OUname'.

           --description=DESCRIPTION
               The new computer's description.

           --ip-address=IP_ADDRESS_LIST
               IPv4 address for the computer's A record, or IPv6 address for
               AAAA record, can be provided multiple times.

           --service-principal-name=SERVICE_PRINCIPAL_NAME_LIST
               Computer's Service Principal Name, can be provided multiple
               times.

           --prepare-oldjoin
               Prepare enabled machine account for oldjoin mechanism. This
               gives the account a well-known initial password (the
               lower-cased computer name), so join the machine promptly after
               creating the account.

       computer delete computername [options]
           Delete an existing computer account.

           The computer name specified on the command is the sAMAccountName,
           with or without the trailing dollar sign.

       computer edit computername
           Edit a computer AD object.

           The computer name specified on the command is the sAMAccountName,
           with or without the trailing dollar sign.

           --editor=EDITOR
               Specifies the editor to use instead of the system default, or
               'vi' if no system default is set.

       computer list
           List all computers.

       computer move computername new_parent_dn [options]
           This command moves a computer account into the specified
           organizational unit or container.

           The computername specified on the command is the sAMAccountName,
           with or without the trailing dollar sign.

           The name of the organizational unit or container can be specified
           as a full DN or without the domainDN component.

       computer show computername [options]
           Display a computer AD object.

           The computer name specified on the command is the sAMAccountName,
           with or without the trailing dollar sign.

           --attributes=USER_ATTRS
               Comma separated list of attributes, which will be printed.

       contact
           Manage contacts.

       contact create [contactname] [options]
           Create a new contact in the Active Directory Domain.

           The name of the new contact can be specified by the first argument
           'contactname' or the --given-name, --initials and --surname
           arguments. If no 'contactname' is given, the contact's name will be
           made up of the given arguments by combining the given-name,
           initials and surname. Each argument is optional. A dot ('.') will
           be appended to the initials automatically.

           --ou=OU
               DN of alternative location (with or without domainDN
               counterpart) in which the new contact will be created. E.g.
               'OU=OUname'. Default is the domain base.

           --description=DESCRIPTION
               The new contact's description.

           --surname=SURNAME
               Contact's surname.

           --given-name=GIVEN_NAME
               Contact's given name.

           --initials=INITIALS
               Contact's initials.

           --display-name=DISPLAY_NAME
               Contact's display name.

           --job-title=JOB_TITLE
               Contact's job title.

           --department=DEPARTMENT
               Contact's department.

           --company=COMPANY
               Contact's company.

           --mail-address=MAIL_ADDRESS
               Contact's email address.

           --internet-address=INTERNET_ADDRESS
               Contact's home page.

           --telephone-number=TELEPHONE_NUMBER
               Contact's phone number.

           --mobile-number=MOBILE_NUMBER
               Contact's mobile phone number.

           --physical-delivery-office=PHYSICAL_DELIVERY_OFFICE
               Contact's office location.

       contact delete contactname [options]
           Delete an existing contact.

           The contactname specified on the command is the common name or the
           distinguished name of the contact object. The distinguished name of
           the contact can be specified with or without the domainDN component.

       contact edit contactname
           Modify a contact AD object.

           The contactname specified on the command is the common name or the
           distinguished name of the contact object. The distinguished name of
           the contact can be specified with or without the domainDN component.

           --editor=EDITOR
               Specifies the editor to use instead of the system default, or
               'vi' if no system default is set.

       contact list [options]
           List all contacts.

           --full-dn
               Display contact's full DN instead of the name.

       contact move contactname new_parent_dn [options]
           This command moves a contact into the specified organizational unit
           or container.

           The contactname specified on the command is the common name or the
           distinguished name of the contact object. The distinguished name of
           the contact can be specified with or without the domainDN component.

       contact show contactname [options]
           Display a contact AD object.

           The contactname specified on the command is the common name or the
           distinguished name of the contact object. The distinguished name of
           the contact can be specified with or without the domainDN component.

           --attributes=CONTACT_ATTRS
               Comma separated list of attributes, which will be printed.

       dbcheck
           Check the local AD database for errors.

       delegation
           Manage Delegations.

       delegation add-service accountname principal [options]
           Add a service principal as msDS-AllowedToDelegateTo.

       delegation del-service accountname principal [options]
           Delete a service principal as msDS-AllowedToDelegateTo.

       delegation for-any-protocol accountname [(on|off)] [options]
           Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy) for
           an account, i.e. constrained delegation to the services listed in
           msDS-AllowedToDelegateTo using any authentication protocol
           (protocol transition). With this flag the account can obtain
           service tickets on behalf of users who never authenticated to it
           with Kerberos, so grant it only to services that genuinely need it.

       delegation for-any-service accountname [(on|off)] [options]
           Set/unset UF_TRUSTED_FOR_DELEGATION for an account. This is
           unconstrained delegation: the account receives a forwarded TGT from
           every user that authenticates to it and can impersonate those users
           to any service in the domain. Treat any account carrying this flag
           as a high-value target and prefer constrained delegation
           (add-service) wherever possible.

       delegation show accountname [options]
           Show the delegation setting of an account.

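       The delegation flags above are the first thing an attacker enumerates
       after gaining a foothold, so they deserve a routine audit. The
       following shell script is an added example, not part of this man page
       or of Samba: it runs samba-tool delegation show for every user and
       computer account and classifies each one. The report format it parses
       (the lines Samba 4.11 prints, such as "UF_TRUSTED_FOR_DELEGATION: True"
       and the indented msDS-AllowedToDelegateTo targets), the account names in
       its comments and the SAMBA_TOOL override variable are assumptions of the
       example.

```shell
#!/bin/sh
# Added example, not part of the samba-tool man page or the Samba project:
# audit Kerberos delegation for all user and computer accounts by parsing the
# output of "samba-tool delegation show". Assumed report format (Samba 4.11):
#   Account-DN: CN=svc_web,CN=Users,DC=example,DC=com
#   UF_TRUSTED_FOR_DELEGATION: False
#   UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: True
#   msDS-AllowedToDelegateTo:
#           cifs/fs01.example.com
# The account names above are constructed for illustration.

SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"   # point at a wrapper or stub if needed

# classify_delegation: read one report on stdin and print a single word:
#   UNCONSTRAINED            UF_TRUSTED_FOR_DELEGATION set (impersonate any
#                            authenticating user to any service)
#   CONSTRAINED-ANY-PROTOCOL targets listed plus protocol transition
#   CONSTRAINED              targets listed, Kerberos-only (S4U2Proxy)
#   TRANSITION-ONLY          transition flag set but no targets listed
#   NONE                     no delegation configured
classify_delegation() {
    local line unconstrained=0 transition=0 targets=0 in_targets=0
    while IFS= read -r line; do
        case "$line" in
            "UF_TRUSTED_FOR_DELEGATION: True")                 unconstrained=1 ;;
            "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: True") transition=1 ;;
            "msDS-AllowedToDelegateTo:")                       in_targets=1 ;;
            "") ;;
            *) [ "$in_targets" -eq 1 ] && targets=$((targets + 1)) ;;  # one SPN per line
        esac
    done
    if   [ "$unconstrained" -eq 1 ]; then echo UNCONSTRAINED
    elif [ "$targets" -gt 0 ] && [ "$transition" -eq 1 ]; then echo CONSTRAINED-ANY-PROTOCOL
    elif [ "$targets" -gt 0 ]; then echo CONSTRAINED
    elif [ "$transition" -eq 1 ]; then echo TRANSITION-ONLY
    else echo NONE
    fi
}

# audit_delegation: print "<CLASS> <account>" for every account with any
# delegation configured; accounts classified NONE are not printed
audit_delegation() {
    { "$SAMBA_TOOL" user list; "$SAMBA_TOOL" computer list; } |
    while IFS= read -r acct; do
        [ -n "$acct" ] || continue
        if ! report=$("$SAMBA_TOOL" delegation show "$acct" 2>/dev/null); then
            printf 'ERROR %s (delegation show failed)\n' "$acct"
            continue
        fi
        class=$(printf '%s\n' "$report" | classify_delegation)
        [ "$class" = NONE ] || printf '%s %s\n' "$class" "$acct"
    done
}

# Run the audit only when invoked as: ./delegation-audit.sh run
if [ "${1:-}" = run ]; then
    audit_delegation
fi
```

       Run it as root on a domain controller (samba-tool then reads sam.ldb
       directly). Any UNCONSTRAINED line that is not a domain controller is a
       finding: remove it with samba-tool delegation for-any-service ACCOUNT
       off and, where the service really must delegate, replace it with
       add-service entries for the specific target SPNs.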
       dns
           Manage Domain Name Service (DNS).

       dns add server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
           Add a DNS record.

       dns delete server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
           Delete a DNS record.

       dns query server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT|ALL [options] data
           Query a name.

       dns roothints server [name] [options]
           Query root hints.

       dns serverinfo server [options]
           Query server information.

       dns update server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT olddata newdata
           Update a DNS record.

       dns zonecreate server zone [options]
           Create a zone.

       dns zonedelete server zone [options]
           Delete a zone.

       dns zoneinfo server zone [options]
           Query zone information.

       dns zonelist server [options]
           List zones.

       domain
           Manage Domain.

       domain backup
           Create or restore a backup of the domain.

       domain backup offline
           Backup (with proper locking) local domain directories into a tar
           file.

       domain backup online
           Copy a running DC's current DB into a backup tar file.

       domain backup rename
           Copy a running DC's DB to backup file, renaming the domain in the
           process.

       domain backup restore
           Restore the domain's DB from a backup-file.

       domain classicupgrade [options] classic_smb_conf
           Upgrade from Samba classic (NT4-like) database to Samba AD DC
           database.

       domain dcpromo dnsdomain [DC|RODC] [options]
           Promote an existing domain member or NT4 PDC to an AD DC.

       domain demote
           Demote ourselves from the role of domain controller.

       domain exportkeytab keytab [options]
           Dumps Kerberos keys of the domain into a keytab. Without --principal
           the keytab contains the keys of every account in the domain,
           krbtgt included, so it is as sensitive as the directory's password
           store: create it with a restrictive umask, keep it on the DC, and
           use --principal to export only the key a particular service needs.

       domain info ip_address [options]
           Print basic info about a domain and the specified DC.

       domain join dnsdomain [DC|RODC|MEMBER|SUBDOMAIN] [options]
           Join a domain as either member or backup domain controller.

       domain level show|raise options [options]
           Show/raise domain and forest function levels.

       domain passwordsettings show|set options [options]
           Show/set password settings.

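       The settings printed by domain passwordsettings show are easy to leave
       at weak values (lockout threshold 0, short minimum length). The
       following shell script is an added example, not part of this man page
       or of Samba: it pipes that report into a baseline check and prints one
       FAIL line per weak setting. The report line format it parses is the one
       Samba 4.11 prints ("Minimum password length: 7", "Password complexity:
       on", ...) and is treated here as an assumption; the thresholds are the
       example's own baseline, not Samba defaults.

```shell
#!/bin/sh
# Added example, not part of the samba-tool man page or the Samba project:
# check the domain password policy reported by
#   samba-tool domain passwordsettings show
# against a baseline. Assumed report lines (Samba 4.11):
#   Password complexity: on
#   Store plaintext passwords: off
#   Password history length: 24
#   Minimum password length: 7
#   Minimum password age (days): 1
#   Maximum password age (days): 42
#   Account lockout duration (mins): 30
#   Account lockout threshold (attempts): 0
#   Reset account lockout after (mins): 30
# Baseline values below are this example's choice, overridable from the env.

SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"
MIN_LENGTH="${MIN_LENGTH:-14}"
MIN_HISTORY="${MIN_HISTORY:-24}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-365}"
MIN_LOCKOUT="${MIN_LOCKOUT:-1}"   # threshold 0 means account lockout is off

# policy_value LABEL REPORT: print the value following "LABEL: " in REPORT
policy_value() {
    printf '%s\n' "$2" | sed -n "s/^$1: //p"
}

# check_policy: read the report on stdin, print FAIL lines, return 1 if any
check_policy() {
    local report complexity plaintext history minlen maxage lockout rc=0
    report=$(cat)
    complexity=$(policy_value "Password complexity" "$report")
    plaintext=$(policy_value "Store plaintext passwords" "$report")
    history=$(policy_value "Password history length" "$report")
    minlen=$(policy_value "Minimum password length" "$report")
    maxage=$(policy_value "Maximum password age (days)" "$report")
    lockout=$(policy_value "Account lockout threshold (attempts)" "$report")

    [ "$complexity" = on ] \
        || { echo "FAIL password complexity is off"; rc=1; }
    [ "$plaintext" = off ] \
        || { echo "FAIL reversible (plaintext) password storage is on"; rc=1; }
    [ "${history:-0}" -ge "$MIN_HISTORY" ] \
        || { echo "FAIL history length ${history:-?} < $MIN_HISTORY"; rc=1; }
    [ "${minlen:-0}" -ge "$MIN_LENGTH" ] \
        || { echo "FAIL minimum length ${minlen:-?} < $MIN_LENGTH"; rc=1; }
    # 0 days, or an enormous value, is the "never expires" setting
    if [ "${maxage:-0}" -eq 0 ] || [ "${maxage:-0}" -gt "$MAX_AGE_DAYS" ]; then
        echo "FAIL maximum age ${maxage:-?} days (limit $MAX_AGE_DAYS; 0 = never expires)"
        rc=1
    fi
    [ "${lockout:-0}" -ge "$MIN_LOCKOUT" ] \
        || { echo "FAIL lockout threshold ${lockout:-?} (0 = lockout disabled)"; rc=1; }
    return "$rc"
}

# Run against the live domain only when invoked as: ./pwpolicy-check.sh run
if [ "${1:-}" = run ]; then
    "$SAMBA_TOOL" domain passwordsettings show | check_policy
fi
```

       A non-zero exit makes the script usable from a monitoring job. Fix a
       reported setting with the matching option of domain passwordsettings
       set; policies for specific groups (for example a stricter one for
       administrators) belong in a PSO, see passwordsettings pso below.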
       domain passwordsettings pso
           Manage fine-grained Password Settings Objects (PSOs).

       domain passwordsettings pso apply pso-name user-or-group-name [options]
           Applies a PSO's password policy to a user or group.

       domain passwordsettings pso create pso-name precedence [options]
           Creates a new Password Settings Object (PSO).

       domain passwordsettings pso delete pso-name [options]
           Deletes a Password Settings Object (PSO).

       domain passwordsettings pso list [options]
           Lists all Password Settings Objects (PSOs).

       domain passwordsettings pso set pso-name [options]
           Modifies a Password Settings Object (PSO).

       domain passwordsettings pso show user-name [options]
           Displays a Password Settings Object (PSO).

       domain passwordsettings pso show-user pso-name [options]
           Displays the Password Settings that apply to a user.

       domain passwordsettings pso unapply pso-name user-or-group-name [options]
           Updates a PSO to no longer apply to a user or group.

       domain provision
           Provision a new Active Directory domain on this server.

       domain trust
           Domain and forest trust management.

       domain trust create DOMAIN options [options]
           Create a domain or forest trust.

       domain trust delete DOMAIN options [options]
           Delete a domain trust.

       domain trust list options [options]
           List domain trusts.

       domain trust namespaces [DOMAIN] options [options]
           Manage forest trust namespaces.

       domain trust show DOMAIN options [options]
           Show trusted domain details.

       domain trust validate DOMAIN options [options]
           Validate a domain trust.

       drs
           Manage Directory Replication Services (DRS).

       drs bind
           Show DRS capabilities of a server.

       drs kcc
           Trigger a Knowledge Consistency Checker (KCC) run.

       drs options
           Query or change options for NTDS Settings object of a domain
           controller.

       drs replicate destination_DC source_DC NC [options]
           Replicate a naming context between two DCs.

       drs showrepl
           Show replication status. The --json option produces JSON output;
           the --summary option produces very little output when the
           replication status appears healthy.

       dsacl
           Administer DS ACLs.

       dsacl set
           Modify access list on a directory object.

       forest
           Manage Forest configuration.

       forest directory_service
           Manage directory_service behaviour for the forest.

       forest directory_service dsheuristics VALUE
           Modify dsheuristics directory_service configuration for the forest.

       forest directory_service show
           Show current directory_service configuration for the forest.

       fsmo
           Manage Flexible Single Master Operations (FSMO).

       fsmo seize [options]
           Seize the role. Use this only when the current role holder is
           permanently unavailable; while it is still reachable use transfer,
           since seizing a role from a running holder leaves two DCs claiming
           it.

       fsmo show
           Show the roles.

       fsmo transfer [options]
           Transfer the role.

       gpo
           Manage Group Policy Objects (GPO).

       gpo create displayname [options]
           Create an empty GPO.

       gpo del gpo [options]
           Delete GPO.

       gpo dellink container_dn gpo [options]
           Delete GPO link from a container.

       gpo fetch gpo [options]
           Download a GPO.

       gpo getinheritance container_dn [options]
           Get inheritance flag for a container.

       gpo getlink container_dn [options]
           List GPO Links for a container.

       gpo list username [options]
           List GPOs for an account.

       gpo listall
           List all GPOs.

       gpo listcontainers gpo [options]
           List all linked containers for a GPO.

       gpo setinheritance container_dn block|inherit [options]
           Set inheritance flag on a container.

       gpo setlink container_dn gpo [options]
           Add or Update a GPO link to a container.

       gpo show gpo [options]
           Show information for a GPO.

       group
           Manage groups.

       group add groupname [options]
           Create a new AD group.

       group addmembers groupname members [options]
           Add members to an AD group.

       group delete groupname [options]
           Delete an AD group.

       group edit groupname
           Edit a group AD object.

           --editor=EDITOR
               Specifies the editor to use instead of the system default, or
               'vi' if no system default is set.

       group list
           List all groups.

       group listmembers groupname [options]
           List all members of the specified AD group.

       group move groupname new_parent_dn [options]
           This command moves a group into the specified organizational unit
           or container.

           The groupname specified on the command is the sAMAccountName.

           The name of the organizational unit or container can be specified
           as a full DN or without the domainDN component.

       group removemembers groupname members [options]
           Remove members from the specified AD group.

       group show groupname [options]
           Show group object and its attributes.

       group stats [options]
           Show statistics for overall groups and group memberships.

       ldapcmp URL1 URL2 domain|configuration|schema|dnsdomain|dnsforest [options]
           Compare two LDAP databases.

       ntacl
           Manage NT ACLs.

       ntacl changedomsid original-domain-SID new-domain-SID file [options]
           Change the domain SID for ACLs. Can be used to change all entries
           in acl_xattr when the machine's SID has accidentally changed or the
           data set has been copied to another machine either via
           backup/restore or rsync.

           --use-ntvfs
               Set the ACLs directly to the TDB or xattr. The POSIX
               permissions will NOT be changed, only the NT ACL will be
               stored.

           --service=SERVICE
               Specify the name of the smb.conf service to use. This option
               is required in combination with the --use-s3fs option.

           --use-s3fs
               Set the ACLs for use with the default s3fs file server via the
               VFS layer. This option requires a smb.conf service, specified
               by the --service=SERVICE option.

           --xattr-backend=[native|tdb]
               Specify the xattr backend type (native fs or tdb).

           --eadb-file=EADB_FILE
               Name of the tdb file where attributes are stored.

           --recursive
               Set the ACLs for directories and their contents recursively.

           --follow-symlinks
               Follow symlinks when --recursive is specified.

           --verbose
               Verbosely list files and ACLs which are being processed.

       ntacl get file [options]
           Get ACLs on a file.

       ntacl set acl file [options]
           Set ACLs on a file.

       ntacl sysvolcheck
           Check sysvol ACLs match defaults (including correct ACLs on GPOs).

       ntacl sysvolreset
           Reset sysvol ACLs to defaults (including correct ACLs on GPOs).

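       dbcheck, ntacl sysvolcheck and drs showrepl --summary are the read-only
       checks a DC operator runs routinely; sysvolreset and dbcheck --fix are
       the repairs. The following shell script is an added example, not part
       of this man page or of Samba: it runs the checks, reports PASS/FAIL per
       check and only repairs sysvol when asked. It assumes that each check
       exits non-zero when it finds a problem and that showrepl --summary
       prints "[ALL GOOD]" when replication is healthy; both are assumptions
       of the example, so verify them against your Samba version.

```shell
#!/bin/sh
# Added example, not part of the samba-tool man page or the Samba project:
# a read-only domain controller health check. Assumptions: dbcheck,
# "ntacl sysvolcheck" and testparm exit non-zero on problems, and
# "drs showrepl --summary" prints "[ALL GOOD]" when there are no failures.

SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"   # point at a wrapper or stub if needed

# run_check NAME CMD...: run one check quietly, print PASS/FAIL NAME,
# return the check's status so the caller can count failures
run_check() {
    local name="$1"; shift
    if "$@" >/dev/null 2>&1; then
        printf 'PASS %s\n' "$name"
    else
        printf 'FAIL %s\n' "$name"
        return 1
    fi
}

# replication_healthy: true only when the summary reports no failures
replication_healthy() {
    "$SAMBA_TOOL" drs showrepl --summary | grep -q '\[ALL GOOD\]'
}

# dc_healthcheck: run every check, print "<n> check(s) failed", return 1 on
# any failure (suitable for cron/monitoring)
dc_healthcheck() {
    local failed=0
    run_check dbcheck     "$SAMBA_TOOL" dbcheck --cross-ncs || failed=$((failed + 1))
    run_check sysvol-acls "$SAMBA_TOOL" ntacl sysvolcheck   || failed=$((failed + 1))
    run_check replication replication_healthy               || failed=$((failed + 1))
    run_check smb.conf    "$SAMBA_TOOL" testparm            || failed=$((failed + 1))
    printf '%d check(s) failed\n' "$failed"
    [ "$failed" -eq 0 ]
}

# repair_sysvol: the one repair this example automates. dbcheck --fix is
# deliberately left to a human because it rewrites directory objects.
repair_sysvol() {
    "$SAMBA_TOOL" ntacl sysvolreset && "$SAMBA_TOOL" ntacl sysvolcheck
}

# Invoke as: ./dc-health.sh run   (or "./dc-health.sh repair-sysvol")
case "${1:-}" in
    run)           dc_healthcheck ;;
    repair-sysvol) repair_sysvol ;;
esac
```

       Output of the individual subcommands is discarded so the summary stays
       short; on a FAIL, rerun that subcommand by hand to see the details
       before touching anything, and take a domain backup offline before any
       repair.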
       ou
           Manage organizational units (OUs).

       ou create ou_dn [options]
           Create an organizational unit.

           The name of the organizational unit can be specified as a full DN
           or without the domainDN component.

           --description=DESCRIPTION
               Specify OU's description.

       ou delete ou_dn [options]
           Delete an organizational unit.

           The name of the organizational unit can be specified as a full DN
           or without the domainDN component.

           --force-subtree-delete
               Delete the organizational unit and all of its children
               recursively.

       ou list [options]
           List all organizational units.

           --full-dn
               Display DNs including the base DN.

       ou listobjects ou_dn [options]
           List all objects in an organizational unit.

           The name of the organizational unit can be specified as a full DN
           or without the domainDN component.

           --full-dn
               Display DNs including the base DN.

           -r|--recursive
               List objects recursively.

       ou move old_ou_dn new_parent_dn [options]
           Move an organizational unit.

           The names of the organizational units can be specified as a full
           DN or without the domainDN component.

       ou rename old_ou_dn new_ou_dn [options]
           Rename an organizational unit.

           The names of the organizational units can be specified as a full
           DN or without the domainDN component.

       rodc
           Manage Read-Only Domain Controller (RODC).

       rodc preload SID|DN|accountname [options]
           Preload one account for an RODC.

       schema
           Manage and query schema.

       schema attribute modify attribute [options]
           Modify the behaviour of an attribute in schema.

       schema attribute show attribute [options]
           Display an attribute schema definition.

       schema attribute show_oc attribute [options]
           Show objectclasses that MAY or MUST contain this attribute.

       schema objectclass show objectclass [options]
           Display an objectclass schema definition.

       sites
           Manage sites.

       sites create site [options]
           Create a new site.

       sites remove site [options]
           Delete an existing site.

       spn
           Manage Service Principal Names (SPN).

       spn add name user [options]
           Create a new SPN.

       spn delete name [user] [options]
           Delete an existing SPN.

       spn list user [options]
           List SPNs of a given user.

       testparm
           Check the syntax of the configuration file.

       time
           Retrieve the time on a server.

       user
           Manage users.

       user add username [password]
           Create a new user. Please note that this subcommand is deprecated
           and available for compatibility reasons only. Please use samba-tool
           user create instead.

       user create username [password]
           Create a new user in the Active Directory Domain.

       user delete username [options]
           Delete an existing user account.

       user disable username
           Disable a user account.

       user edit username
           Edit a user account AD object.

           --editor=EDITOR
               Specifies the editor to use instead of the system default, or
               'vi' if no system default is set.

       user enable username
           Enable a user account.

       user list
           List all users.

       user show username [options]
           Display a user AD object.

           --attributes=USER_ATTRS
               Comma separated list of attributes, which will be printed.

       user move username new_parent_dn [options]
           This command moves a user account into the specified organizational
           unit or container.

           The username specified on the command is the sAMAccountName.

           The name of the organizational unit or container can be specified
           as a full DN or without the domainDN component.

       user password [options]
           Change password for a user account (the one provided in
           authentication).

       user setexpiry username [options]
           Set the expiration of a user account.

       user setpassword username [options]
           Sets or resets the password of a user account. If the new password
           is given as an option it is exposed on the command line (see
           --password above); omit it to be prompted instead.

       user getpassword username [options]
           Gets the password of a user account. This reads the stored password
           attributes (such as unicodePwd and supplementalCredentials)
           directly from the local sam.ldb and prints them, so its output is
           credential material: run it only where needed and never leave the
           output in logs or shell history.

       user syncpasswords --cache-ldb-initialize [options]
           Syncs the passwords of all user accounts, using an optional script.

           Note that this command should run on a single domain controller
           only (typically the PDC-emulator).

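       The user and group subcommands above are the building blocks of an
       offboarding procedure, and the order matters: disable and expire first,
       rotate the password so cached credentials stop working, then strip
       group memberships and quarantine the object. The following shell script
       is an added example, not part of this man page or of Samba. It assumes
       that user show --attributes=memberOf prints LDIF lines of the form
       "memberOf: CN=<group>,...", that each group's sAMAccountName equals its
       CN (true for the built-in groups; verify for custom ones, and CNs with
       escaped commas are not handled), and that a quarantine OU named
       OU=Leavers (a hypothetical name) already exists.

```shell
#!/bin/sh
# Added example, not part of the samba-tool man page or the Samba project:
# offboard a leaving user with the user and group subcommands. Every step is
# a separate samba-tool call so a failure is reported, not hidden.
# Assumptions: "user show USER --attributes=memberOf" prints LDIF lines
# "memberOf: CN=<group>,..."; group sAMAccountName == CN; OU=Leavers exists
# (create it with: samba-tool ou create OU=Leavers). The name is hypothetical.

SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"
QUARANTINE_OU="${QUARANTINE_OU:-OU=Leavers}"

# group_names USER: print the CN of every group USER is a direct member of
# (the primary group is not listed in memberOf and is left alone)
group_names() {
    "$SAMBA_TOOL" user show "$1" --attributes=memberOf |
        sed -n 's/^memberOf: CN=\([^,]*\),.*/\1/p'
}

# step DESCRIPTION CMD...: run one step, report "ok"/"FAIL", return its status
step() {
    local what="$1"; shift
    if "$@" >/dev/null; then
        printf 'ok   %s\n' "$what"
    else
        printf 'FAIL %s\n' "$what" >&2
        return 1
    fi
}

# offboard USER: disable, expire now, rotate the password, remove group
# memberships, move to the quarantine OU; returns 1 if any step failed
offboard() {
    local user="$1" rc=0 g
    step "disable $user"    "$SAMBA_TOOL" user disable "$user"                      || rc=1
    step "expire $user now" "$SAMBA_TOOL" user setexpiry "$user" --days=0            || rc=1
    step "rotate password"  "$SAMBA_TOOL" user setpassword "$user" --random-password || rc=1
    # here-document rather than a pipe so that rc survives the loop
    while IFS= read -r g; do
        [ -n "$g" ] || continue
        step "remove from $g" "$SAMBA_TOOL" group removemembers "$g" "$user" || rc=1
    done <<EOF
$(group_names "$user")
EOF
    step "move to $QUARANTINE_OU" "$SAMBA_TOOL" user move "$user" "$QUARANTINE_OU" || rc=1
    return "$rc"
}

# Invoke as: ./offboard.sh run USERNAME
if [ "${1:-}" = run ] && [ -n "${2:-}" ]; then
    offboard "$2"
fi
```

       The account is kept, disabled, in the quarantine OU rather than deleted
       so that its SID, audit trail and file ownership survive until the
       retention period ends; delete it later with user delete. Run the script
       as root on a DC or add -U to each call for a remote DC.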
       vampire [options] domain
           Join and synchronise a remote AD domain to the local server. Please
           note that samba-tool vampire is deprecated, please use samba-tool
           domain join instead.

       visualize [options] subcommand
           Produce graphical representations of Samba network state. To work
           out what is happening in a replication graph, it is sometimes
           helpful to use visualisations.

           There are three subcommands, two graphical modes, and (roughly)
           two modes of operation with respect to the location of authority.

           MODES OF OPERATION

           samba-tool visualize ntdsconn
               Looks at NTDS connections.

           samba-tool visualize reps
               Looks at repsTo and repsFrom objects.

           samba-tool visualize uptodateness
               Looks at replication lag as shown by the uptodateness vectors.

           GRAPHICAL MODES

           --distance
               Distances between DCs are shown in a matrix in the terminal.

           --dot
               Generate Graphviz dot output (for ntdsconn and reps modes).
               When viewed using dot or xdot, this shows the network as a
               graph with DCs as vertices and connections as edges. Certain
               types of degenerate edges are shown in different colours or
               line-styles.

           --xdot
               Generate Graphviz dot output as with --dot and attempt to view
               it immediately using /usr/bin/xdot.

           -r
               Normally, samba-tool talks to one database; with the -r option
               attempts are made to contact all the DCs known to the first
               database. This is necessary for samba-tool visualize
               uptodateness and for samba-tool visualize reps because the
               repsFrom/To objects are not replicated, and it can reveal
               replication issues in other modes.

       help
           Gives usage information.

VERSION
       This man page is complete for version 4.11.4 of the Samba suite.

AUTHOR
       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

Samba 4.11.4                       12/16/2019                      SAMBA-TOOL(8)