1SAMBA-TOOL(8) System Administration tools SAMBA-TOOL(8)
2
6 samba-tool - Main Samba administration tool.
7
9 samba-tool [-h] [-W myworkgroup] [-U user] [-d debuglevel] [--v]
10
12 This tool is part of the samba(7) suite.
13
15 -h|--help
16 Show this help message and exit
17 --realm=REALM
19 Set the realm name
20 --simple-bind-dn=DN
22 DN to use for a simple bind
23 --password=PASSWORD
25 Password
26 -U USERNAME|--username=USERNAME
28 Username
29 -W WORKGROUP|--workgroup=WORKGROUP
31 Workgroup
32 -N|--no-pass
34 Don't ask for a password
35 -k KERBEROS|--kerberos=KERBEROS
37 Use Kerberos
38 --ipaddress=IPADDRESS
40 IP address of the server
41 -d|--debuglevel=level
43 level is an integer from 0 to 10. The default value if this
44 parameter is not specified is 1.
45 The higher this value, the more detail will be logged to the log
47 files about the activities of the server. At level 0, only critical
48 errors and serious warnings will be logged. Level 1 is a reasonable
49 level for day-to-day running - it generates a small amount of
50 information about operations carried out.
51 Levels above 1 will generate considerable amounts of log data, and
53 should only be used when investigating a problem. Levels above 3
54 are designed for use only by developers and generate HUGE amounts
55 of log data, most of which is extremely cryptic.
56 Note that specifying this parameter here will override the log
58 level parameter in the smb.conf file.
59 -V|--version
61 Prints the program version number.
62 -s|--configfile=<configuration file>
64 The file specified contains the configuration details required by
65 the server. The information in this file includes server-specific
66 information such as what printcap file to use, as well as
67 descriptions of all the services that the server is to provide. See
68 smb.conf for more information. The default configuration file name
69 is determined at compile time.
70 -l|--log-basename=logdirectory
72 Base directory name for log/debug files. The extension ".progname"
73 will be appended (e.g. log.smbclient, log.smbd, etc...). The log
74 file is never removed by the client.
75 --option=<name>=<value>
77 Set the smb.conf(5) option "<name>" to value "<value>" from the
78 command line. This overrides compiled-in defaults and options read
79 from the configuration file.
80
82 computer
83 Manage computer accounts.
84 computer create computername [options]
86 Create a new computer in the Active Directory Domain.
87 The new computer name specified on the command is the sAMAccountName,
89 with or without the trailing dollar sign.
90 --computerou=COMPUTEROU
92 DN of alternative location (with or without domainDN counterpart)
93 to default CN=Computers in which new computer object will be
94 created. E.g. 'OU=OUname'.
95 --description=DESCRIPTION
97 The new computers's description.
98 --ip-address=IP_ADDRESS_LIST
100 IPv4 address for the computer's A record, or IPv6 address for AAAA
101 record, can be provided multiple times.
102 --service-principal-name=SERVICE_PRINCIPAL_NAME_LIST
104 Computer's Service Principal Name, can be provided multiple times.
105 --prepare-oldjoin
107 Prepare enabled machine account for oldjoin mechanism.
108 computer delete computername [options]
110 Delete an existing computer account.
111 The computer name specified on the command is the sAMAccountName, with
113 or without the trailing dollar sign.
114 computer edit computername
116 Edit a computer AD object.
117 The computer name specified on the command is the sAMAccountName, with
119 or without the trailing dollar sign.
120 --editor=EDITOR
122 Specifies the editor to use instead of the system default, or 'vi'
123 if no system default is set.
124 computer list
126 List all computers.
127 computer move computername new_parent_dn [options]
129 This command moves a computer account into the specified organizational
130 unit or container.
131 The computername specified on the command is the sAMAccountName, with
133 or without the trailing dollar sign.
134 The name of the organizational unit or container can be specified as a
136 full DN or without the domainDN component.
137 computer show computername [options]
139 Display a computer AD object.
140 The computer name specified on the command is the sAMAccountName, with
142 or without the trailing dollar sign.
143 --attributes=USER_ATTRS
145 Comma separated list of attributes, which will be printed.
146 contact
148 Manage contacts.
149 contact create [contactname] [options]
151 Create a new contact in the Active Directory Domain.
152 The name of the new contact can be specified by the first argument
154 'contactname' or the --given-name, --initial and --surname arguments.
155 If no 'contactname' is given, contact's name will be made up of the
156 given arguments by combining the given-name, initials and surname. Each
157 argument is optional. A dot ('.') will be appended to the initials
158 automatically.
159 --ou=OU
161 DN of alternative location (with or without domainDN counterpart)
162 in which the new contact will be created. E.g. 'OU=OUname'. Default
163 is the domain base.
164 --description=DESCRIPTION
166 The new contacts's description.
167 --surname=SURNAME
169 Contact's surname.
170 --given-name=GIVEN_NAME
172 Contact's given name.
173 --initials=INITIALS
175 Contact's initials.
176 --display-name=DISPLAY_NAME
178 Contact's display name.
179 --job-title=JOB_TITLE
181 Contact's job title.
182 --department=DEPARTMENT
184 Contact's department.
185 --company=COMPANY
187 Contact's company.
188 --mail-address=MAIL_ADDRESS
190 Contact's email address.
191 --internet-address=INTERNET_ADDRESS
193 Contact's home page.
194 --telephone-number=TELEPHONE_NUMBER
196 Contact's phone number.
197 --mobile-number=MOBILE_NUMBER
199 Contact's mobile phone number.
200 --physical-delivery-office=PHYSICAL_DELIVERY_OFFICE
202 Contact's office location.
203 contact delete contactname [options]
205 Delete an existing contact.
206 The contactname specified on the command is the common name or the
208 distinguished name of the contact object. The distinguished name of the
209 contact can be specified with or without the domainDN component.
210 contact edit contactname
212 Modify a contact AD object.
213 The contactname specified on the command is the common name or the
215 distinguished name of the contact object. The distinguished name of the
216 contact can be specified with or without the domainDN component.
217 --editor=EDITOR
219 Specifies the editor to use instead of the system default, or 'vi'
220 if no system default is set.
221 contact list [options]
223 List all contacts.
224 --full-dn
226 Display contact's full DN instead of the name.
227 contact move contactname new_parent_dn [options]
229 This command moves a contact into the specified organizational unit or
230 container.
231 The contactname specified on the command is the common name or the
233 distinguished name of the contact object. The distinguished name of the
234 contact can be specified with or without the domainDN component.
235 contact show contactname [options]
237 Display a contact AD object.
238 The contactname specified on the command is the common name or the
240 distinguished name of the contact object. The distinguished name of the
241 contact can be specified with or without the domainDN component.
242 --attributes=CONTACT_ATTRS
244 Comma separated list of attributes, which will be printed.
245 dbcheck
247 Check the local AD database for errors.
248 delegation
250 Manage Delegations.
251 delegation add-service accountname principal [options]
253 Add a service principal as msDS-AllowedToDelegateTo.
254 delegation del-service accountname principal [options]
256 Delete a service principal as msDS-AllowedToDelegateTo.
257 delegation for-any-protocol accountname [(on|off)] [options]
259 Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy) for an
260 account.
261 delegation for-any-service accountname [(on|off)] [options]
263 Set/unset UF_TRUSTED_FOR_DELEGATION for an account.
264 delegation show accountname [options]
266 Show the delegation setting of an account.
267 dns
269 Manage Domain Name Service (DNS).
270 dns add server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
272 Add a DNS record.
273 dns delete server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
275 Delete a DNS record.
276 dns query server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT|ALL [options]
278 data
279 Query a name.
280 dns roothints server [name] [options]
282 Query root hints.
283 dns serverinfo server [options]
285 Query server information.
286 dns update server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT olddata newdata
288 Update a DNS record.
289 dns zonecreate server zone [options]
291 Create a zone.
292 dns zonedelete server zone [options]
294 Delete a zone.
295 dns zoneinfo server zone [options]
297 Query zone information.
298 dns zonelist server [options]
300 List zones.
301 domain
303 Manage Domain.
304 domain backup
306 Create or restore a backup of the domain.
307 domain backup offline
309 Backup (with proper locking) local domain directories into a tar file.
310 domain backup online
312 Copy a running DC's current DB into a backup tar file.
313 domain backup rename
315 Copy a running DC's DB to backup file, renaming the domain in the
316 process.
317 domain backup restore
319 Restore the domain's DB from a backup-file.
320 domain classicupgrade [options] classic_smb_conf
322 Upgrade from Samba classic (NT4-like) database to Samba AD DC database.
323 domain dcpromo dnsdomain [DC|RODC] [options]
325 Promote an existing domain member or NT4 PDC to an AD DC.
326 domain demote
328 Demote ourselves from the role of domain controller.
329 domain exportkeytab keytab [options]
331 Dumps Kerberos keys of the domain into a keytab.
332 domain info ip_address [options]
334 Print basic info about a domain and the specified DC.
335 domain join dnsdomain [DC|RODC|MEMBER|SUBDOMAIN] [options]
337 Join a domain as either member or backup domain controller.
338 domain level show|raise options [options]
340 Show/raise domain and forest function levels.
341 domain passwordsettings show|set options [options]
343 Show/set password settings.
344 domain passwordsettings pso
346 Manage fine-grained Password Settings Objects (PSOs).
347 domain passwordsettings pso apply pso-name user-or-group-name [options]
349 Applies a PSO's password policy to a user or group.
350 domain passwordsettings pso create pso-name precedence [options]
352 Creates a new Password Settings Object (PSO).
353 domain passwordsettings pso delete pso-name [options]
355 Deletes a Password Settings Object (PSO).
356 domain passwordsettings pso list [options]
358 Lists all Password Settings Objects (PSOs).
359 domain passwordsettings pso set pso-name [options]
361 Modifies a Password Settings Object (PSO).
362 domain passwordsettings pso show user-name [options]
364 Displays a Password Settings Object (PSO).
365 domain passwordsettings pso show-user pso-name [options]
367 Displays the Password Settings that apply to a user.
368 domain passwordsettings pso unapply pso-name user-or-group-name [options]
370 Updates a PSO to no longer apply to a user or group.
371 domain provision
373 Promote an existing domain member or NT4 PDC to an AD DC.
374 domain trust
376 Domain and forest trust management.
377 domain trust create DOMAIN options [options]
379 Create a domain or forest trust.
380 domain trust delete DOMAIN options [options]
382 Delete a domain trust.
383 domain trust list options [options]
385 List domain trusts.
386 domain trust namespaces [DOMAIN] options [options]
388 Manage forest trust namespaces.
389 domain trust show DOMAIN options [options]
391 Show trusted domain details.
392 domain trust validate DOMAIN options [options]
394 Validate a domain trust.
395 drs
397 Manage Directory Replication Services (DRS).
398 drs bind
400 Show DRS capabilities of a server.
401 drs kcc
403 Trigger knowledge consistency center run.
404 drs options
406 Query or change options for NTDS Settings object of a domain
407 controller.
408 drs replicate destination_DC source_DC NC [options]
410 Replicate a naming context between two DCs.
411 drs showrepl
413 Show replication status. The [--json] option results in JSON output,
414 and with the [--summary] option produces very little output when the
415 replication status seems healthy.
416 dsacl
418 Administer DS ACLs
419 dsacl set
421 Modify access list on a directory object.
422 forest
424 Manage Forest configuration.
425 forest directory_service
427 Manage directory_service behaviour for the forest.
428 forest directory_service dsheuristics VALUE
430 Modify dsheuristics directory_service configuration for the forest.
431 forest directory_service show
433 Show current directory_service configuration for the forest.
434 fsmo
436 Manage Flexible Single Master Operations (FSMO).
437 fsmo seize [options]
439 Seize the role.
440 fsmo show
442 Show the roles.
443 fsmo transfer [options]
445 Transfer the role.
446 gpo
448 Manage Group Policy Objects (GPO).
449 gpo create displayname [options]
451 Create an empty GPO.
452 gpo del gpo [options]
454 Delete GPO.
455 gpo dellink container_dn gpo [options]
457 Delete GPO link from a container.
458 gpo fetch gpo [options]
460 Download a GPO.
461 gpo getinheritance container_dn [options]
463 Get inheritance flag for a container.
464 gpo getlink container_dn [options]
466 List GPO Links for a container.
467 gpo list username [options]
469 List GPOs for an account.
470 gpo listall
472 List all GPOs.
473 gpo listcontainers gpo [options]
475 List all linked containers for a GPO.
476 gpo setinheritance container_dn block|inherit [options]
478 Set inheritance flag on a container.
479 gpo setlink container_dn gpo [options]
481 Add or Update a GPO link to a container.
482 gpo show gpo [options]
484 Show information for a GPO.
485 group
487 Manage groups.
488 group add groupname [options]
490 Create a new AD group.
491 group addmembers groupname members [options]
493 Add members to an AD group.
494 group delete groupname [options]
496 Delete an AD group.
497 group edit groupname
499 Edit a group AD object.
500 --editor=EDITOR
502 Specifies the editor to use instead of the system default, or 'vi'
503 if no system default is set.
504 group list
506 List all groups.
507 group listmembers groupname [options]
509 List all members of the specified AD group.
510 group move groupname new_parent_dn [options]
512 This command moves a group into the specified organizational unit or
513 container.
514 The groupname specified on the command is the sAMAccountName.
516 The name of the organizational unit or container can be specified as a
518 full DN or without the domainDN component.
519 group removemembers groupname members [options]
521 Remove members from the specified AD group.
522 group show groupname [options]
524 Show group object and it's attributes.
525 group stats [options]
527 Show statistics for overall groups and group memberships.
528 ldapcmp URL1 URL2 domain|configuration|schema|dnsdomain|dnsforest [options]
530 Compare two LDAP databases.
531 ntacl
533 Manage NT ACLs.
534 ntacl changedomsid original-domain-SID new-domain-SID file [options]
536 Change the domain SID for ACLs. Can be used to change all entries in
537 acl_xattr when the machine's SID has accidentially changed or the data
538 set has been copied to another machine either via backup/restore or
539 rsync.
540 --use-ntvfs
542 Set the ACLs directly to the TDB or xattr. The POSIX permissions
543 will NOT be changed, only the NT ACL will be stored.
544 --service=SERVICE
546 Specify the name of the smb.conf service to use. This option is
547 required in combination with the --use-s3fs option.
548 --use-s3fs
550 Set the ACLs for use with the default s3fs file server via the VFS
551 layer. This option requires a smb.conf service, specified by the
552 --service=SERVICE option.
553 --xattr-backend=[native|tdb]
555 Specify the xattr backend type (native fs or tdb).
556 --eadb-file=EADB_FILE
558 Name of the tdb file where attributes are stored.
559 --recursive
561 Set the ACLs for directories and their contents recursively.
562 --follow-symlinks
564 Follow symlinks when --recursive is specified.
565 --verbose
567 Verbosely list files and ACLs which are being processed.
568 ntacl get file [options]
570 Get ACLs on a file.
571 ntacl set acl file [options]
573 Set ACLs on a file.
574 ntacl sysvolcheck
576 Check sysvol ACLs match defaults (including correct ACLs on GPOs).
577 ntacl sysvolreset
579 Reset sysvol ACLs to defaults (including correct ACLs on GPOs).
580 ou
582 Manage organizational units (OUs).
583 ou create ou_dn [options]
585 Create an organizational unit.
586 The name of the organizational unit can be specified as a full DN or
588 without the domainDN component.
589 --description=DESCRIPTION
591 Specify OU's description.
592 ou delete ou_dn [options]
594 Delete an organizational unit.
595 The name of the organizational unit can be specified as a full DN or
597 without the domainDN component.
598 --force-subtree-delete
600 Delete organizational unit and all children reclusively.
601 ou list [options]
603 List all organizational units.
604 --full-dn
606 Display DNs including the base DN.
607 ou listobjects ou_dn [options]
609 List all objects in an organizational unit.
610 The name of the organizational unit can be specified as a full DN or
612 without the domainDN component.
613 --full-dn
615 Display DNs including the base DN.
616 -r|--recursive
618 List objects recursively.
619 ou move old_ou_dn new_parent_dn [options]
621 Move an organizational unit.
622 The name of the organizational units can be specified as a full DN or
624 without the domainDN component.
625 ou rename old_ou_dn new_ou_dn [options]
627 Rename an organizational unit.
628 The name of the organizational units can be specified as a full DN or
630 without the domainDN component.
631 rodc
633 Manage Read-Only Domain Controller (RODC).
634 rodc preload SID|DN|accountname [options]
636 Preload one account for an RODC.
637 schema
639 Manage and query schema.
640 schema attribute modify attribute [options]
642 Modify the behaviour of an attribute in schema.
643 schema attribute show attribute [options]
645 Display an attribute schema definition.
646 schema attribute show_oc attribute [options]
648 Show objectclasses that MAY or MUST contain this attribute.
649 schema objectclass show objectclass [options]
651 Display an objectclass schema definition.
652 sites
654 Manage sites.
655 sites create site [options]
657 Create a new site.
658 sites remove site [options]
660 Delete an existing site.
661 spn
663 Manage Service Principal Names (SPN).
664 spn add name user [options]
666 Create a new SPN.
667 spn delete name [user] [options]
669 Delete an existing SPN.
670 spn list user [options]
672 List SPNs of a given user.
673 testparm
675 Check the syntax of the configuration file.
676 time
678 Retrieve the time on a server.
679 user
681 Manage users.
682 user add username [password]
684 Create a new user. Please note that this subcommand is deprecated and
685 available for compatibility reasons only. Please use samba-tool user
686 create instead.
687 user create username [password]
689 Create a new user in the Active Directory Domain.
690 user delete username [options]
692 Delete an existing user account.
693 user disable username
695 Disable a user account.
696 user edit username
698 Edit a user account AD object.
699 --editor=EDITOR
701 Specifies the editor to use instead of the system default, or 'vi'
702 if no system default is set.
703 user enable username
705 Enable a user account.
706 user list
708 List all users.
709 user show username [options]
711 Display a user AD object.
712 --attributes=USER_ATTRS
714 Comma separated list of attributes, which will be printed.
715 user move username new_parent_dn [options]
717 This command moves a user account into the specified organizational
718 unit or container.
719 The username specified on the command is the sAMAccountName.
721 The name of the organizational unit or container can be specified as a
723 full DN or without the domainDN component.
724 user password [options]
726 Change password for a user account (the one provided in
727 authentication).
728 user setexpiry username [options]
730 Set the expiration of a user account.
731 user setpassword username [options]
733 Sets or resets the password of a user account.
734 user getpassword username [options]
736 Gets the password of a user account.
737 user syncpasswords --cache-ldb-initialize [options]
739 Syncs the passwords of all user accounts, using an optional script.
740 Note that this command should run on a single domain controller only
742 (typically the PDC-emulator).
743 vampire [options] domain
745 Join and synchronise a remote AD domain to the local server. Please
746 note that samba-tool vampire is deprecated, please use samba-tool
747 domain join instead.
748 visualize [options] subcommand
750 Produce graphical representations of Samba network state. To work out
751 what is happening in a replication graph, it is sometimes helpful to
752 use visualisations.
753 There are two subcommands, two graphical modes, and (roughly) two modes
755 of operation with respect to the location of authority.
756 MODES OF OPERATION
758 samba-tool visualize ntdsconn
759 Looks at NTDS connections.
760 samba-tool visualize reps
762 Looks at repsTo and repsFrom objects.
763 samba-tool visualize uptodateness
765 Looks at replication lag as shown by the uptodateness vectors.
766 GRAPHICAL MODES
768 --distance
769 Distances between DCs are shown in a matrix in the terminal.
770 --dot
772 Generate Graphviz dot output (for ntdsconn and reps modes). When
773 viewed using dot or xdot, this shows the network as a graph with
774 DCs as vertices and connections edges. Certain types of degenerate
775 edges are shown in different colours or line-styles.
776 --xdot
778 Generate Graphviz dot output as with [--dot] and attempt to view it
779 immediately using /usr/bin/xdot.
780 -r
782 Normally, samba-tool talks to one database; with the [-r] option
783 attempts are made to contact all the DCs known to the first
784 database. This is necessary for samba-tool visualize uptodateness
785 and for samba-tool visualize reps because the repsFrom/To objects
786 are not replicated, and it can reveal replication issues in other
787 modes.
788 help
790 Gives usage information.
791
793 This man page is complete for version 4.11.4 of the Samba suite.
794
796 The original Samba software and related utilities were created by
797 Andrew Tridgell. Samba is now developed by the Samba Team as an Open
798 Source project similar to the way the Linux kernel is developed.
799Samba 4.11.4 12/16/2019 SAMBA-TOOL(8)