NET(8) System Administration tools NET(8)

net - Tool for administration of Samba and remote CIFS servers.

net {<ads|rap|rpc>} [-h|--help] [-w|--workgroup workgroup]
[-W|--myworkgroup myworkgroup] [-U|--user user]
[-A|--authentication-file authfile] [-I|--ipaddress ip-address]
[-p|--port port] [-n myname] [-s conffile] [-S|--server server]
[-l|--long] [-v|--verbose] [-f|--force] [-P|--machine-pass]
[-d debuglevel] [-V] [--request-timeout seconds]
[-t|--timeout seconds] [-i|--stdin] [--tallocreport]

This tool is part of the samba(7) suite.

The Samba net utility is meant to work just like the net utility
available for Windows and DOS. The first argument should be used to
specify the protocol to use when executing a certain command. ADS is
used for Active Directory, RAP is used for old (Win9x/NT3) clients and
RPC can be used for NT4 and Windows 2000. If this argument is omitted,
net will try to determine it automatically. Not all commands are
available on all protocols.

-?|--help
Print a summary of command line options.

-k|--kerberos
Try to authenticate with kerberos. Only useful in an Active
Directory environment.

-w|--workgroup target-workgroup
Sets target workgroup or domain. You have to specify either this
option or the IP address or the name of a server.

-W|--myworkgroup workgroup
Sets client workgroup or domain.

-U|--user user
User name to use.

-I|--ipaddress ip-address
IP address of target server to use. You have to specify either this
option or a target workgroup or a target server.

-p|--port port
Port on the target server to connect to (usually 139 or 445).
Defaults to trying 445 first, then 139.

-n|--netbiosname <primary NetBIOS name>
This option allows you to override the NetBIOS name that Samba uses
for itself. This is identical to setting the netbios name parameter
in the smb.conf file. However, a command line setting will take
precedence over settings in smb.conf.

-S|--server server
Name of target server. You should specify either this option or a
target workgroup or a target IP address.

-l|--long
When listing data, give more information on each item.

-v|--verbose
When listing data, give more verbose information on each item.

-f|--force
Enforcing a net command.

-P|--machine-pass
Make queries to the external server using the machine account of
the local server.

--request-timeout 30
Let client requests time out after 30 seconds; the default is 10
seconds.

-t|--timeout 30
Set timeout for client operations to 30 seconds.

--use-ccache
Try to use the credentials cached by winbind.

-i|--stdin
Take input for net commands from standard input.

--tallocreport
Generate a talloc report while processing a net command.

-T|--test
Only test command sequence, dry-run.

-F|--flags FLAGS
Pass down integer flags to a net subcommand.

-C|--comment COMMENT
Pass down a comment string to a net subcommand.

-n|--myname MYNAME
Use MYNAME as a requester name for a net subcommand.

-c|--container CONTAINER
Use a specific AD container for net ads operations.

-M|--maxusers MAXUSERS
Fill in the maxusers field in net rpc share operations.

-r|--reboot
Reboot a remote machine after a command has been successfully
executed (e.g. in remote join operations).

--force-full-repl
When calling "net rpc vampire keytab" this option enforces a full
re-creation of the generated keytab file.

--single-obj-repl
When calling "net rpc vampire keytab" this option allows one to
replicate just a single object to the generated keytab file.

--clean-old-entries
When calling "net rpc vampire keytab" this option allows one to
cleanup old entries from the generated keytab file.

--db
Define dbfile for "net idmap" commands.

--lock
Activates locking of the dbfile for "net idmap check" command.

-a|--auto
Activates noninteractive mode in "net idmap check".

--repair
Activates repair mode in "net idmap check".

--acls
Includes ACLs to be copied in "net rpc share migrate".

--attrs
Includes file attributes to be copied in "net rpc share migrate".

--timestamps
Includes timestamps to be copied in "net rpc share migrate".

-X|--exclude DIRECTORY
Allows one to exclude directories when copying with "net rpc share
migrate".

--destination SERVERNAME
Defines the target servername of migration process (defaults to
localhost).

-L|--local
Sets the type of group mapping to local (used in "net groupmap
set").

-D|--domain
Sets the type of group mapping to domain (used in "net groupmap
set").

-N|--ntname NTNAME
Sets the ntname of a group mapping (used in "net groupmap set").

-R|--rid RID
Sets the rid of a group mapping (used in "net groupmap set").

--reg-version REG_VERSION
Assume database version {n|1,2,3} (used in "net registry check").

-o|--output FILENAME
Output database file (used in "net registry check").

--wipe
Create a new database from scratch (used in "net registry check").

--precheck PRECHECK_DB_FILENAME
Defines filename for database prechecking (used in "net registry
import").

--no-dns-updates
Do not perform DNS updates as part of "net ads join".

--keep-account
Prevent the machine account removal as part of "net ads leave".

--json
Report results in JSON format for "net ads info" and "net ads
lookup".

--recursive
Traverse a directory hierarchy.

--continue
Continue traversing a directory hierarchy in case conversion of one
file fails.

--follow-symlinks
Follow symlinks encountered while traversing a directory.

-e|--encrypt
This command line parameter requires the remote server support the
UNIX extensions or that the SMB3 protocol has been selected.
Requests that the connection be encrypted. Negotiates SMB
encryption using either SMB3 or POSIX extensions via GSSAPI. Uses
the given credentials for the encryption negotiation (either
kerberos or NTLMv1/v2 if given domain/username/password triple).
Fails the connection if encryption cannot be negotiated.

-d|--debuglevel=level
level is an integer from 0 to 10. The default value if this
parameter is not specified is 1.

The higher this value, the more detail will be logged to the log
files about the activities of the server. At level 0, only critical
errors and serious warnings will be logged. Level 1 is a reasonable
level for day-to-day running - it generates a small amount of
information about operations carried out.

Levels above 1 will generate considerable amounts of log data, and
should only be used when investigating a problem. Levels above 3
are designed for use only by developers and generate HUGE amounts
of log data, most of which is extremely cryptic.

Note that specifying this parameter here will override the log
level parameter in the smb.conf file.

-V|--version
Prints the program version number.

-s|--configfile=<configuration file>
The file specified contains the configuration details required by
the server. The information in this file includes server-specific
information such as what printcap file to use, as well as
descriptions of all the services that the server is to provide. See
smb.conf for more information. The default configuration file name
is determined at compile time.

-l|--log-basename=logdirectory
Base directory name for log/debug files. The extension ".progname"
will be appended (e.g. log.smbclient, log.smbd, etc...). The log
file is never removed by the client.

--option=<name>=<value>
Set the smb.conf(5) option "<name>" to value "<value>" from the
command line. This overrides compiled-in defaults and options read
from the configuration file.

CHANGESECRETPW
This command allows the Samba machine account password to be set from
an external application to a machine account password that has already
been stored in Active Directory. DO NOT USE this command unless you
know exactly what you are doing. The use of this command requires that
the force flag (-f) be used also. There will be NO command prompt.
Whatever information is piped into stdin, either by typing at the
command line or otherwise, will be stored as the literal machine
password. Do NOT use this without care and attention as it will
overwrite a legitimate machine password without warning. YOU HAVE BEEN
WARNED.

TIME
The NET TIME command allows you to view the time on a remote server or
synchronise the time on the local server with the time on the remote
server.

TIME
Without any options, the NET TIME command displays the time on the
remote server. The remote server must be specified with the -S option.

TIME SYSTEM
Displays the time on the remote server in a format ready for /bin/date.
The remote server must be specified with the -S option.

TIME SET
Tries to set the date and time of the local server to that on the
remote server using /bin/date. The remote server must be specified with
the -S option.

TIME ZONE
Displays the timezone in hours from GMT on the remote server. The
remote server must be specified with the -S option.

[RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]]
[dnshostname=FQDN] [createupn=UPN] [createcomputer=OU]
[machinepass=PASS] [osName=string osVer=string] [options]
Join a domain. If the account already exists on the server, and [TYPE]
is MEMBER, the machine will attempt to join automatically (assuming
that the machine has been created in server manager). Otherwise, a
password will be prompted for, and a new account may be created.

[TYPE] may be PDC, BDC or MEMBER to specify the type of server joining
the domain.

[FQDN] (ADS only) set the dnsHostName attribute during the join. The
default format is netbiosname.dnsdomain.

[UPN] (ADS only) set the principalname attribute during the join. The
default format is host/netbiosname@REALM.

[OU] (ADS only) Precreate the computer account in a specific OU. The OU
string reads from top to bottom without RDNs, and is delimited by a
'/'. Please note that '\' is used for escape by both the shell and
ldap, so it may need to be doubled or quadrupled to pass through, and
it is not used as a delimiter.

[PASS] (ADS only) Set a specific password on the computer account being
created by the join.

[osName=string osVer=String] (ADS only) Set the operatingSystem and
operatingSystemVersion attributes during the join. Both parameters must
be specified for either to take effect.

[RPC] OLDJOIN [options]
Join a domain. Use the OLDJOIN option to join the domain using the old
style of domain joining - you need to create a trust account in server
manager first.

[RPC|ADS] USER
[RPC|ADS] USER
List all users

[RPC|ADS] USER DELETE target
Delete specified user

[RPC|ADS] USER INFO target
List the domain groups of the specified user.

[RPC|ADS] USER RENAME oldname newname
Rename specified user.

[RPC|ADS] USER ADD name [password] [-F user flags] [-C comment]
Add specified user.

[RPC|ADS] GROUP
[RPC|ADS] GROUP [misc options] [targets]
List user groups.

[RPC|ADS] GROUP DELETE name [misc. options]
Delete specified group.

[RPC|ADS] GROUP ADD name [-C comment]
Create specified group.

[ADS] LOOKUP
Lookup the closest Domain Controller in our domain and retrieve server
information about it.

[RAP|RPC] SHARE
[RAP|RPC] SHARE [misc. options] [targets]
Enumerates all exported resources (network shares) on target server.

[RAP|RPC] SHARE ADD name=serverpath [-C comment] [-M maxusers] [targets]
Adds a share from a server (makes the export active). Maxusers
specifies the number of users that can be connected to the share
simultaneously.

SHARE DELETE sharename
Delete specified share.

[RPC|RAP] FILE
[RPC|RAP] FILE
List all open files on remote server.

[RPC|RAP] FILE CLOSE fileid
Close file with specified fileid on remote server.

[RPC|RAP] FILE INFO fileid
Print information on specified fileid. Currently listed are: file-id,
username, locks, path, permissions.

[RAP|RPC] FILE USER user
List files opened by specified user. Please note that net rap file user
does not work against Samba servers.

SESSION
RAP SESSION
Without any other options, SESSION enumerates all active SMB/CIFS
sessions on the target server.

RAP SESSION DELETE|CLOSE CLIENT_NAME
Close the specified sessions.

RAP SESSION INFO CLIENT_NAME
Give a list with all the open files in specified session.

RAP SERVER DOMAIN
List all servers in specified domain or workgroup. Defaults to local
domain.

RAP DOMAIN
Lists all domains and workgroups visible on the current network.

RAP PRINTQ
RAP PRINTQ INFO QUEUE_NAME
Lists the specified print queue and print jobs on the server. If the
QUEUE_NAME is omitted, all queues are listed.

RAP PRINTQ DELETE JOBID
Delete job with specified id.

RAP VALIDATE user [password]
Validate whether the specified user can log in to the remote server. If
the password is not specified on the command line, it will be prompted.

Note
Currently NOT implemented.

RAP GROUPMEMBER
RAP GROUPMEMBER LIST GROUP
List all members of the specified group.

RAP GROUPMEMBER DELETE GROUP USER
Delete member from group.

RAP GROUPMEMBER ADD GROUP USER
Add member to group.

RAP ADMIN command
Execute the specified command on the remote server. Only works with
OS/2 servers.

Note
Currently NOT implemented.

RAP SERVICE
RAP SERVICE START NAME [arguments...]
Start the specified service on the remote server. Not implemented yet.

Note
Currently NOT implemented.

RAP SERVICE STOP
Stop the specified service on the remote server.

Note
Currently NOT implemented.

RAP PASSWORD USER OLDPASS NEWPASS
Change password of USER from OLDPASS to NEWPASS.

LOOKUP
LOOKUP HOST HOSTNAME [TYPE]
Look up the IP address of the given host with the specified type
(netbios suffix). The type defaults to 0x20 (workstation).

LOOKUP LDAP [DOMAIN]
Give IP address of LDAP server of specified DOMAIN. Defaults to local
domain.

LOOKUP KDC [REALM]
Give IP address of KDC for the specified REALM. Defaults to local
realm.

LOOKUP DC [DOMAIN]
Give IPs of Domain Controllers for specified
DOMAIN. Defaults to local domain.

LOOKUP MASTER DOMAIN
Give IP of master browser for specified DOMAIN or workgroup. Defaults
to local domain.

LOOKUP NAME [NAME]
Look up username's sid and type for specified NAME

LOOKUP SID [SID]
Give sid's name and type for specified SID

LOOKUP DSGETDCNAME [NAME] [FLAGS] [SITENAME]
Give Domain Controller information for specified domain NAME

CACHE
Samba uses a general caching interface called 'gencache'. It can be
controlled using 'NET CACHE'.

All the timeout parameters support the suffixes:
s - Seconds
m - Minutes
h - Hours
d - Days
w - Weeks

CACHE ADD key data time-out
Add specified key+data to the cache with the given timeout.

CACHE DEL key
Delete key from the cache.

CACHE SET key data time-out
Update data of existing cache entry.

CACHE SEARCH PATTERN
Search for the specified pattern in the cache data.

CACHE LIST
List all current items in the cache.

CACHE FLUSH
Remove all the current items from the cache.

GETLOCALSID [DOMAIN]
Prints the SID of the specified domain, or if the parameter is omitted,
the SID of the local server.

SETLOCALSID S-1-5-21-x-y-z
Sets SID for the local server to the specified SID.

GETDOMAINSID
Prints the local machine SID and the SID of the current domain.

SETDOMAINSID
Sets the SID of the current domain.

GROUPMAP
Manage the mappings between Windows group SIDs and UNIX groups. Common
options include:

• unixgroup - Name of the UNIX group
• ntgroup - Name of the Windows NT group (must be resolvable to a SID)
• rid - Unsigned 32-bit integer
• sid - Full SID in the form of "S-1-..."
• type - Type of the group; either 'domain', 'local', or 'builtin'
• comment - Freeform text description of the group

GROUPMAP ADD
Add a new group mapping entry:

net groupmap add {rid=int|sid=string} unixgroup=string \
[type={domain|local}] [ntgroup=string] [comment=string]

GROUPMAP DELETE
Delete a group mapping entry. If more than one group name matches, the
first entry found is deleted.

net groupmap delete {ntgroup=string|sid=SID}

GROUPMAP MODIFY
Update an existing group entry.

net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] \
[comment=string] [type={domain|local}]

GROUPMAP LIST
List existing group mapping entries.

net groupmap list [verbose] [ntgroup=string] [sid=SID]

MAXRID
Prints out the highest RID currently in use on the local server (by the
active 'passdb backend').

RPC INFO
Print information about the domain of the remote server, such as domain
name, domain sid and number of users and groups.

[RPC|ADS] TESTJOIN
Check whether participation in a domain is still valid.

[RPC|ADS] CHANGETRUSTPW
Force change of domain trust password.

RPC TRUSTDOM
RPC TRUSTDOM ADD DOMAIN
Add an interdomain trust account for DOMAIN. This is in fact a Samba
account named DOMAIN$ with the account flag 'I' (interdomain trust
account). This is required for incoming trusts to work. It makes Samba
be a trusted domain of the foreign (trusting) domain. Users of the
Samba domain will be made available in the foreign domain. If the
command is used against localhost it has the same effect as smbpasswd
-a -i DOMAIN. Please note that both commands expect an appropriate UNIX
account.

RPC TRUSTDOM DEL DOMAIN
Remove interdomain trust account for DOMAIN. If it is used against
localhost it has the same effect as smbpasswd -x DOMAIN$.

RPC TRUSTDOM ESTABLISH DOMAIN
Establish a trust relationship to a trusted domain. Interdomain account
must already be created on the remote PDC. This is required for
outgoing trusts to work. It makes Samba be a trusting domain of a
foreign (trusted) domain. Users of the foreign domain will be made
available in our domain. You'll need winbind and a working idmap config
to make them appear in your system.

RPC TRUSTDOM REVOKE DOMAIN
Abandon relationship to trusted domain

RPC TRUSTDOM LIST
List all interdomain trust relationships.

RPC TRUST
RPC TRUST CREATE
Create a trust object by calling lsaCreateTrustedDomainEx2. This can be
done on a single server or on two servers at once with the possibility
to use a random trust password.

Options:

otherserver
Domain controller of the second domain

otheruser
Admin user in the second domain

otherdomainsid
SID of the second domain

other_netbios_domain
NetBIOS (short) name of the second domain

otherdomain
DNS (full) name of the second domain

trustpw
Trust password

Examples:

Create a trust object on srv1.dom1.dom for the domain dom2

net rpc trust create \
otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
other_netbios_domain=dom2 \
otherdomain=dom2.dom \
trustpw=12345678 \
-S srv1.dom1.dom

Create a trust relationship between dom1 and dom2

net rpc trust create \
otherserver=srv2.dom2.test \
otheruser=dom2adm \
-S srv1.dom1.dom

RPC TRUST DELETE
Delete a trust object by calling lsaDeleteTrustedDomain. This can be
done on a single server or on two servers at once.

Options:

otherserver
Domain controller of the second domain

otheruser
Admin user in the second domain

otherdomainsid
SID of the second domain

Examples:

Delete a trust object on srv1.dom1.dom for the domain dom2

net rpc trust delete \
otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
-S srv1.dom1.dom

Delete a trust relationship between dom1 and dom2

net rpc trust delete \
otherserver=srv2.dom2.test \
otheruser=dom2adm \
-S srv1.dom1.dom

RPC RIGHTS
This subcommand is used to view and manage Samba's rights assignments
(also referred to as privileges). There are three options currently
available: list, grant, and revoke. More details on Samba's privilege
model and its use can be found in the Samba-HOWTO-Collection.

RPC ABORTSHUTDOWN
Abort the shutdown of a remote server.

RPC SHUTDOWN [-t timeout] [-r] [-f] [-C message]
Shut down the remote server.

-r
Reboot after shutdown.

-f
Force shutting down all applications.

-t timeout
Timeout before system will be shut down. An interactive user of the
system can use this time to cancel the shutdown.

-C message
Display the specified message on the screen to announce the
shutdown.

RPC SAMDUMP
Print out sam database of remote server. You need to run this against
the PDC, from a Samba machine joined as a BDC.

RPC VAMPIRE
Export users, aliases and groups from remote server to local server.
You need to run this against the PDC, from a Samba machine joined as a
BDC. This vampire command cannot be used against an Active Directory,
only against an NT4 Domain Controller.

RPC VAMPIRE KEYTAB
Dump remote SAM database to local Kerberos keytab file.

RPC VAMPIRE LDIF
Dump remote SAM database to local LDIF file or standard output.

RPC GETSID
Fetch domain SID and store it in the local secrets.tdb.

ADS GPO
ADS GPO APPLY <USERNAME|MACHINENAME>
Apply GPOs for a username or machine name. Either username or machine
name should be provided to the command, not both.

ADS GPO GETGPO [GPO]
List specified GPO.

ADS GPO LINKADD [LINKDN] [GPODN]
Link a container to a GPO. LINKDN Container to link to a GPO. GPODN
GPO to link container to. DNs must be provided properly escaped. See
RFC 4514 for details.

ADS GPO LINKGET [CONTAINER]
Lists gPLink of a container.

ADS GPO LIST <USERNAME|MACHINENAME>
Lists all GPOs for a username or machine name. Either username or
machine name should be provided to the command, not both.

ADS GPO LISTALL
Lists all GPOs on a DC.

ADS GPO REFRESH [USERNAME] [MACHINENAME]
Lists all GPOs assigned to an account and downloads them. USERNAME User
to refresh GPOs for. MACHINENAME Machine to refresh GPOs for.

ADS DNS
ADS DNS REGISTER [HOSTNAME [IP [IP.....]]]
Add host dns entry to Active Directory.

ADS DNS UNREGISTER <HOSTNAME>
Remove host dns entry from Active Directory.

ADS LEAVE [--keep-account]
Make the remote host leave the domain it is part of.

ADS STATUS
Print out status of machine account of the local machine in ADS. Prints
out quite some debug info. Aimed at developers, regular users should
use NET ADS TESTJOIN.

ADS PRINTER
ADS PRINTER INFO [PRINTER] [SERVER]
Lookup info for PRINTER on SERVER. The printer name defaults to "*",
the server name defaults to the local host.

ADS PRINTER PUBLISH PRINTER
Publish specified printer using ADS.

ADS PRINTER REMOVE PRINTER
Remove specified printer from ADS directory.

ADS SEARCH EXPRESSION ATTRIBUTES...
Perform a raw LDAP search on an ADS server and dump the results. The
expression is a standard LDAP search expression, and the attributes are
a list of LDAP fields to show in the results.

Example: net ads search '(objectCategory=group)' sAMAccountName

ADS DN DN (attributes)
Perform a raw LDAP search on an ADS server and dump the results. The DN
is a standard LDAP DN, and the attributes are a list of LDAP fields to
show in the result.

Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' SAMAccountName

ADS KEYTAB CREATE
Creates a new keytab file if one doesn't exist with default entries.
Default entries are kerberos principals created from the machinename of
the client, the UPN (if it exists) and any Windows SPN(s) associated
with the computer AD account for the client. If a keytab file already
exists then only missing kerberos principals from the default entries
are added. No changes are made to the computer AD account.

ADS KEYTAB ADD (principal | machine | serviceclass | windows SPN)
Adds a new keytab entry. The entry can be one of:

kerberos principal
A kerberos principal (identified by the presence of '@') is just
added to the keytab file.

machinename
A machinename (identified by the trailing '$') is used to create a
kerberos principal 'machinename@realm' which is added to the
keytab file.

serviceclass
A serviceclass (such as 'cifs', 'html' etc.) is used to create a
pair of kerberos principals
'serviceclass/fully_qualified_dns_name@realm' &
'serviceclass/netbios_name@realm' which are added to the keytab
file.

Windows SPN
A Windows SPN is of the format 'serviceclass/host:port', it is used
to create a kerberos principal 'serviceclass/host@realm' which will
be written to the keytab file.

Unlike old versions no computer AD objects are modified by this
command. To preserve the behaviour of older clients 'net ads keytab
add_update_ads' is available.

ADS KEYTAB ADD_UPDATE_ADS (principal | machine | serviceclass | windows SPN)
Adds a new keytab entry (see section for net ads keytab add). In
addition to adding entries to the keytab file, corresponding Windows
SPNs are created from the entry passed to this command. These SPN(s)
are added to the AD computer account object associated with the client
machine running this command for the following entry types:

serviceclass
A serviceclass (such as 'cifs', 'html' etc.) is used to create a
pair of Windows SPN(s) 'param/full_qualified_dns' &
'param/netbios_name' which are added to the AD computer account
object for this client.

Windows SPN
A Windows SPN is of the format 'serviceclass/host:port', it is
added as passed to the AD computer account object for this client.

ADS setspn SETSPN LIST [machine]
Lists the Windows SPNs stored in the 'machine' Windows AD Computer
object. If 'machine' is not specified then computer account for this
client is used instead.

ADS setspn SETSPN ADD SPN [machine]
Adds the specified Windows SPN to the 'machine' Windows AD Computer
object. If 'machine' is not specified then computer account for this
client is used instead.

ADS setspn SETSPN DELETE SPN [machine]
DELETE the specified Windows SPN from the 'machine' Windows AD Computer
object. If 'machine' is not specified then computer account for this
client is used instead.

ADS WORKGROUP
Print out workgroup name for specified kerberos realm.

ADS ENCTYPES
List, modify or delete the value of the "msDS-SupportedEncryptionTypes"
attribute of an account in AD.

This attribute allows one to control which Kerberos encryption types
are used for the generation of initial and service tickets. The value
consists of an integer bitmask with the following values:

0x00000001 DES-CBC-CRC
0x00000002 DES-CBC-MD5
0x00000004 RC4-HMAC
0x00000008 AES128-CTS-HMAC-SHA1-96
0x00000010 AES256-CTS-HMAC-SHA1-96

ADS ENCTYPES LIST <ACCOUNTNAME>
List the value of the "msDS-SupportedEncryptionTypes" attribute of a
given account.

Example: net ads enctypes list Computername

ADS ENCTYPES SET <ACCOUNTNAME> [enctypes]
Set the value of the "msDS-SupportedEncryptionTypes" attribute of the
LDAP object of ACCOUNTNAME to a given value. If the value is omitted,
the value is set to 31 which enables all the currently supported
encryption types.

Example: net ads enctypes set Computername 24

ADS ENCTYPES DELETE <ACCOUNTNAME>
Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP
object of ACCOUNTNAME.

Example: net ads enctypes delete Computername

SAM CREATEBUILTINGROUP <NAME>
(Re)Create a BUILTIN group. Only a wellknown set of BUILTIN groups can
be created with this command. This is the list of currently recognized
group names: Administrators, Users, Guests, Power Users, Account
Operators, Server Operators, Print Operators, Backup Operators,
Replicator, RAS Servers, Pre-Windows 2000 compatible Access. This
command requires a running Winbindd with idmap allocation properly
configured. The group gid will be allocated out of the winbindd range.

SAM CREATELOCALGROUP <NAME>
Create a LOCAL group (also known as Alias). This command requires a
running Winbindd with idmap allocation properly configured. The group
gid will be allocated out of the winbindd range.

SAM DELETELOCALGROUP <NAME>
Delete an existing LOCAL group (also known as Alias).

SAM MAPUNIXGROUP <NAME>
Map an existing Unix group and make it a Domain Group, the domain group
will have the same name.

SAM UNMAPUNIXGROUP <NAME>
Remove an existing group mapping entry.

SAM ADDMEM <GROUP> <MEMBER>
Add a member to a Local group. The group can be specified only by name,
the member can be specified by name or SID.

SAM DELMEM <GROUP> <MEMBER>
Remove a member from a Local group. The group and the member must be
specified by name.

SAM LISTMEM <GROUP>
List Local group members. The group must be specified by name.

SAM LIST <users|groups|localgroups|builtin|workstations> [verbose]
List the specified set of accounts by name. If verbose is specified,
the rid and description are also provided for each account.

SAM RIGHTS LIST
List all available privileges.

SAM RIGHTS GRANT <NAME> <PRIVILEGE>
Grant one or more privileges to a user.

SAM RIGHTS REVOKE <NAME> <PRIVILEGE>
Revoke one or more privileges from a user.

SAM SHOW <NAME>
Show the full DOMAIN\\NAME, the SID and the type for the corresponding
account.

SAM SET HOMEDIR <NAME> <DIRECTORY>
Set the home directory for a user account.

SAM SET PROFILEPATH <NAME> <PATH>
Set the profile path for a user account.

SAM SET COMMENT <NAME> <COMMENT>
Set the comment for a user or group account.

SAM SET FULLNAME <NAME> <FULL NAME>
Set the full name for a user account.

SAM SET LOGONSCRIPT <NAME> <SCRIPT>
Set the logon script for a user account.

SAM SET HOMEDRIVE <NAME> <DRIVE>
Set the home drive for a user account.

SAM SET WORKSTATIONS <NAME> <WORKSTATIONS>
Set the workstations a user account is allowed to log in from.

SAM SET DISABLE <NAME>
Set the "disabled" flag for a user account.

SAM SET PWNOTREQ <NAME>
Set the "password not required" flag for a user account.

SAM SET AUTOLOCK <NAME>
Set the "autolock" flag for a user account.

SAM SET PWNOEXP <NAME>
Set the "password do not expire" flag for a user account.

SAM SET PWDMUSTCHANGENOW <NAME> [yes|no]
Set or unset the "password must change" flag for a user account.

SAM POLICY LIST
List the available account policies.

SAM POLICY SHOW <account policy>
Show the account policy value.

SAM POLICY SET <account policy> <value>
Set a value for the account policy. Valid values can be: "forever",
"never", "off", or a number.

SAM PROVISION
Only available if ldapsam:editposix is set and winbindd is running.
Properly populates the ldap tree with the basic accounts
(Administrator) and groups (Domain Users, Domain Admins, Domain Guests)
on the ldap tree.

IDMAP DUMP <local tdb file name>
Dumps the mappings contained in the local tdb file specified. This
command is useful to dump only the mappings produced by the idmap_tdb
backend.

IDMAP RESTORE [input file]
Restore the mappings from the specified file or stdin.

IDMAP SET SECRET <DOMAIN> <secret>
Store a secret for the specified domain, used primarily for domains
that use idmap_ldap as a backend. In this case the secret is used as
the password for the user DN used to bind to the ldap server.

IDMAP SET RANGE <RANGE> <SID> [index] [--db=<DB>]
Store a domain-range mapping for a given domain (and index) in autorid
1021 database.
1022
1023 IDMAP SET CONFIG <config> [--db=<DB>]
1024 Update CONFIG entry in autorid database.
1025
1026 IDMAP GET RANGE <SID> [index] [--db=<DB>]
1027 Get the range for a given domain and index from autorid database.
1028
1029 IDMAP GET RANGES [<SID>] [--db=<DB>]
1030 Get ranges for all domains or for one identified by given SID.
1031
1032 IDMAP GET CONFIG [--db=<DB>]
1033 Get CONFIG entry from autorid database.
1034
1035 IDMAP DELETE MAPPING [-f] [--db=<DB>] <ID>
1036 Delete a mapping sid <-> gid or sid <-> uid from the IDMAP database.
1037 The mapping is given by <ID> which may either be a sid: S-x-..., a gid:
"GID number" or a uid: "UID number". Use -f to delete an invalid
partial mapping <ID> -> xx.
1040
1041 Use "smbcontrol all idmap ..." to notify running smbd instances. See
1042 the smbcontrol(1) manpage for details.
1043
1044 IDMAP DELETE RANGE [-f] [--db=<TDB>] <RANGE>|(<SID> [<INDEX>])
1045 Delete a domain range mapping identified by 'RANGE' or "domain SID and
1046 INDEX" from autorid database. Use -f to delete invalid mappings.
1047
1048 IDMAP DELETE RANGES [-f] [--db=<TDB>] <SID>
1049 Delete all domain range mappings for a domain identified by SID. Use -f
1050 to delete invalid mappings.
1051
1052 IDMAP CHECK [-v] [-r] [-a] [-T] [-f] [-l] [--db=<DB>]
1053 Check and repair the IDMAP database. If no option is given a read only
1054 check of the database is done. Among others an interactive or automatic
1055 repair mode may be chosen with one of the following options:
1056
1057 -r|--repair
1058 Interactive repair mode, ask a lot of questions.
1059
1060 -a|--auto
1061 Noninteractive repair mode, use default answers.
1062
1063 -v|--verbose
1064 Produce more output.
1065
1066 -f|--force
1067 Try to apply changes, even if they do not apply cleanly.
1068
1069 -T|--test
1070 Dry run, show what changes would be made but don't touch anything.
1071
1072 -l|--lock
1073 Lock the database while doing the check.
1074
1075 --db <DB>
1076 Check the specified database.
1077
It reports the following errors:
1079
1080 Missing reverse mapping:
1081 A record with mapping A->B where there is no B->A. Default action
1082 in repair mode is to "fix" this by adding the reverse mapping.
1083
1084 Invalid mapping:
1085 A record with mapping A->B where B->C. Default action is to
1086 "delete" this record.
1087
1088 Missing or invalid HWM:
1089 A high water mark is not at least equal to the largest ID in the
1090 database. Default action is to "fix" this by setting it to the
1091 largest ID found +1.
1092
1093 Invalid record:
1094 Something we failed to parse. Default action is to "edit" it in
1095 interactive and "delete" it in automatic mode.
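
The four error classes above, worked through as an added example (this is not Samba's implementation). The "key -> value" record notation, the sample records and the function names are constructed for illustration and are not the tdb layout or the "net idmap dump" output format.

```shell
#!/bin/sh
# Constructed records written "key -> value", after the A->B notation used
# above. Not the on-disk tdb layout and not "net idmap dump" output.
sample_idmap_records() {
cat <<'EOF'
USER HWM -> 10005
GROUP HWM -> 10002
UID 10000 -> S-1-5-21-1-2-3-1000
S-1-5-21-1-2-3-1000 -> UID 10000
UID 10001 -> S-1-5-21-1-2-3-1001
UID 10002 -> S-1-5-21-1-2-3-1002
S-1-5-21-1-2-3-1002 -> UID 10009
UID 10009 -> S-1-5-21-1-2-3-1002
GID 10001 -> S-1-5-21-1-2-3-513
S-1-5-21-1-2-3-513 -> GID 10001
UID 1x0 S-1-5-21-1-2-3-9999
EOF
}

# idmap_check: read records on stdin and print one "<error class>: <detail>"
# line per finding. Read-only, like "net idmap check" without options.
idmap_check() {
    awk -F' -> ' '
    # Anything that is not exactly "key -> value" fails to parse.
    NF != 2 || $1 == "" || $2 == "" { print "invalid record: " $0; next }

    $1 == "USER HWM" || $1 == "GROUP HWM" {
        if ($2 ~ /^[0-9]+$/) hwm[$1] = $2 + 0
        else print "invalid HWM: " $0
        next
    }

    {
        map[$1] = $2
        order[++n] = $1
        # Remember the largest uid and gid seen, for the HWM check.
        if ($1 ~ /^UID [0-9]+$/ && substr($1, 5) + 0 > max["USER HWM"])
            max["USER HWM"] = substr($1, 5) + 0
        if ($1 ~ /^GID [0-9]+$/ && substr($1, 5) + 0 > max["GROUP HWM"])
            max["GROUP HWM"] = substr($1, 5) + 0
    }

    END {
        for (i = 1; i <= n; i++) {
            a = order[i]; b = map[a]
            if (!(b in map))          # A->B with no record for B at all
                print "missing reverse mapping: " a " -> " b
            else if (map[b] != a)     # A->B, but B points at some other C
                print "invalid mapping: " a " -> " b " but " b " -> " map[b]
        }
        k = split("USER HWM,GROUP HWM", kinds, ",")
        for (i = 1; i <= k; i++) {
            name = kinds[i]
            if (!(name in hwm))
                print "missing HWM: " name
            else if (hwm[name] < max[name] + 0)   # must be >= largest ID
                printf "invalid HWM: %s is %d, largest ID is %d, fix to %d\n",
                       name, hwm[name], max[name], max[name] + 1
        }
    }
    '
}

sample_idmap_records | idmap_check
```

Run against the constructed records, this reports one finding in each class; the suggested HWM value follows the "largest ID found +1" default described above.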
1096
1097 USERSHARE
1098 Starting with version 3.0.23, a Samba server now supports the ability
1099 for non-root users to add user defined shares to be exported using the
1100 "net usershare" commands.
1101
To set this up, first set up your smb.conf by adding to the [global]
section:

    usershare path = /usr/local/samba/lib/usershares

Next create the directory /usr/local/samba/lib/usershares, change the
owner to root and set the group owner to the UNIX group who should have
the ability to create usershares, for example a group called
"serverops". Set the permissions on /usr/local/samba/lib/usershares to
01770. (Owner and group all access, no access for others, plus the
sticky bit, which means that a file in that directory can be renamed or
deleted only by the owner of the file). Finally, tell smbd how many
usershares you will allow by adding to the [global] section of smb.conf
a line such as:

    usershare max shares = 100

to allow 100 usershare definitions. Now, members of the UNIX group
"serverops" can create user defined shares on demand using the commands
below.
1115
1116 The usershare commands are:
1117 net usershare add sharename path [comment [acl] [guest_ok=[y|n]]] -
1118 to add or change a user defined share.
1119 net usershare delete sharename - to delete a user defined share.
1120 net usershare info [-l|--long] [wildcard sharename] - to print info
1121 about a user defined share.
1122 net usershare list [-l|--long] [wildcard sharename] - to list user
1123 defined shares.
1124
1125 USERSHARE ADD sharename path [comment] [acl] [guest_ok=[y|n]]
1126 Add or replace a new user defined share, with name "sharename".
1127
1128 "path" specifies the absolute pathname on the system to be exported.
1129 Restrictions may be put on this, see the global smb.conf parameters:
1130 "usershare owner only", "usershare prefix allow list", and "usershare
1131 prefix deny list".
1132
1133 The optional "comment" parameter is the comment that will appear on the
1134 share when browsed to by a client.
1135
1136 The optional "acl" field specifies which users have read and write
1137 access to the entire share. Note that guest connections are not allowed
1138 unless the smb.conf parameter "usershare allow guests" has been set.
The definition of a user defined share acl is: "user:permission", where
user is a valid username on the system and permission can be "F", "R",
or "D". "F" stands for "full permissions", i.e. read and write
permissions. "D" stands for "deny" for a user, i.e. prevent this user
from accessing this share. "R" stands for "read only", i.e. only allow
read access to this share (no creation of new files or directories or
writing to files).
1146
1147 The default if no "acl" is given is "Everyone:R", which means any
1148 authenticated user has read-only access.
1149
1150 The optional "guest_ok" has the same effect as the parameter of the
1151 same name in smb.conf, in that it allows guest access to this user
1152 defined share. This parameter is only allowed if the global parameter
1153 "usershare allow guests" has been set to true in the smb.conf.
1154
1155
There is no separate command to modify an existing user defined share;
just use the "net usershare add [sharename]" command with the same
sharename as the one you wish to modify and specify the new options you
wish. The Samba smbd daemon notices user defined share modifications at
connect time, so it will see the change immediately; there is no need to
restart smbd on adding, deleting or changing a user defined share.
1162
1163 USERSHARE DELETE sharename
1164 Deletes the user defined share by name. The Samba smbd daemon
1165 immediately notices this change, although it will not disconnect any
1166 users currently connected to the deleted share.
1167
1168 USERSHARE INFO [-l|--long] [wildcard sharename]
1169 Get info on user defined shares owned by the current user matching the
1170 given pattern, or all users.
1171
1172 net usershare info on its own dumps out info on the user defined shares
1173 that were created by the current user, or restricts them to share names
1174 that match the given wildcard pattern ('*' matches one or more
1175 characters, '?' matches only one character). If the '-l' or '--long'
1176 option is also given, it prints out info on user defined shares created
1177 by other users.
1178
The information given about a share looks like:

    [foobar]
    path=/home/jeremy
    comment=testme
    usershare_acl=Everyone:F
    guest_ok=n

and is a list of the current settings of the user defined share that
can be modified by the "net usershare add" command.
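
An added example (not part of the Samba man page or project code): a shell function that audits usershare definitions in the stanza format shown above and flags guest access, Everyone:F ACLs, and exported paths outside an approved prefix. The sample stanzas, the function names and the /srv prefix are constructed; a comma-separated list of several user:permission entries in usershare_acl is an assumption.

```shell
#!/bin/sh
# Constructed sample in the stanza format shown for "net usershare info".
# On a live server the input would come from: net usershare info --long
sample_usershare_info() {
cat <<'EOF'
[foobar]
path=/home/jeremy
comment=testme
usershare_acl=Everyone:F
guest_ok=n

[scans]
path=/srv/scans
comment=scanner drop
usershare_acl=Everyone:R,alice:F
guest_ok=y

[docs]
path=/srv/docs
comment=
usershare_acl=Everyone:R,bob:D
guest_ok=n
EOF
}

# audit_usershares PREFIX
# Reads stanzas on stdin and prints one "<share>: <finding>" line for each
# share that allows guests, grants Everyone full access, or exports a path
# outside PREFIX (no trailing slash). PREFIX mirrors the intent of the
# "usershare prefix allow list" parameter; pass "" to skip the path check.
audit_usershares() {
    awk -v prefix="$1" '
    function report(msg) { print share ": " msg }

    function check(   n, i, entries, pos, who, perm) {
        if (share == "") return
        if (guest == "y") report("guest access enabled")
        # Assumption: several user:permission entries are comma separated.
        n = split(acl, entries, ",")
        for (i = 1; i <= n; i++) {
            if (entries[i] == "") continue
            # Split on the last colon; the user part may be DOMAIN\user.
            pos = match(entries[i], /:[^:]*$/)
            if (pos == 0) { report("unparsable acl entry " entries[i]); continue }
            who  = substr(entries[i], 1, pos - 1)
            perm = toupper(substr(entries[i], pos + 1))
            if (tolower(who) == "everyone" && perm == "F")
                report("Everyone has full (read/write) access")
        }
        if (prefix != "" && path != prefix && index(path, prefix "/") != 1)
            report("path " path " is outside " prefix)
    }

    # A new [sharename] header closes the previous stanza.
    /^\[.*\]$/ {
        check()
        share = substr($0, 2, length($0) - 2)
        path = ""; acl = ""; guest = "n"
        next
    }
    /^path=/          { path  = substr($0, 6) }
    /^usershare_acl=/ { acl   = substr($0, 15) }
    /^guest_ok=/      { guest = tolower(substr($0, 10)) }
    END { check() }
    '
}

sample_usershare_info | audit_usershares /srv
```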
1183
1184 USERSHARE LIST [-l|--long] wildcard sharename
1185 List all the user defined shares owned by the current user matching the
1186 given pattern, or all users.
1187
net usershare list on its own lists out the names of the user defined
1189 shares that were created by the current user, or restricts the list to
1190 share names that match the given wildcard pattern ('*' matches one or
1191 more characters, '?' matches only one character). If the '-l' or
1192 '--long' option is also given, it includes the names of user defined
1193 shares created by other users.
1194
1195 [RPC] CONF
1196 Starting with version 3.2.0, a Samba server can be configured by data
1197 stored in registry. This configuration data can be edited with the new
1198 "net conf" commands. There is also the possibility to configure a
1199 remote Samba server by enabling the RPC conf mode and specifying the
1200 address of the remote server.
1201
1202 The deployment of this configuration data can be activated in two
1203 levels from the smb.conf file: Share definitions from registry are
1204 activated by setting registry shares to “yes” in the [global] section
1205 and global configuration options are activated by setting include =
1206 registry in the [global] section for a mixed configuration or by
1207 setting config backend = registry in the [global] section for a
1208 registry-only configuration. See the smb.conf(5) manpage for details.
1209
1210 The conf commands are:
1211 net [rpc] conf list - Dump the complete configuration in smb.conf
1212 like format.
1213 net [rpc] conf import - Import configuration from file in smb.conf
1214 format.
1215 net [rpc] conf listshares - List the registry shares.
1216 net [rpc] conf drop - Delete the complete configuration from
1217 registry.
1218 net [rpc] conf showshare - Show the definition of a registry share.
1219 net [rpc] conf addshare - Create a new registry share.
1220 net [rpc] conf delshare - Delete a registry share.
1221 net [rpc] conf setparm - Store a parameter.
1222 net [rpc] conf getparm - Retrieve the value of a parameter.
1223 net [rpc] conf delparm - Delete a parameter.
1224 net [rpc] conf getincludes - Show the includes of a share
1225 definition.
1226 net [rpc] conf setincludes - Set includes for a share.
1227 net [rpc] conf delincludes - Delete includes from a share
1228 definition.
1229
1230 [RPC] CONF LIST
1231 Print the configuration data stored in the registry in a smb.conf-like
1232 format to standard output.
1233
1234 [RPC] CONF IMPORT [--test|-T] filename [section]
1235 This command imports configuration from a file in smb.conf format. If a
1236 section encountered in the input file is present in registry, its
contents are replaced. Sections of registry configuration that have no
1238 counterpart in the input file are not affected. If you want to delete
1239 these, you will have to use the "net conf drop" or "net conf delshare"
1240 commands. Optionally, a section may be specified to restrict the effect
1241 of the import command to that specific section. A test mode is enabled
1242 by specifying the parameter "-T" on the commandline. In test mode, no
1243 changes are made to the registry, and the resulting configuration is
1244 printed to standard output instead.
1245
1246 [RPC] CONF LISTSHARES
1247 List the names of the shares defined in registry.
1248
1249 [RPC] CONF DROP
1250 Delete the complete configuration data from registry.
1251
1252 [RPC] CONF SHOWSHARE sharename
1253 Show the definition of the share or section specified. It is valid to
1254 specify "global" as sharename to retrieve the global configuration
1255 options from registry.
1256
1257 [RPC] CONF ADDSHARE sharename path [writeable={y|N} [guest_ok={y|N}
1258 [comment]]]
1259 Create a new share definition in registry. The sharename and path have
1260 to be given. The share name may not be "global". Optionally, values for
1261 the very common options "writeable", "guest ok" and a "comment" may be
1262 specified. The same result may be obtained by a sequence of "net conf
1263 setparm" commands.
1264
1265 [RPC] CONF DELSHARE sharename
1266 Delete a share definition from registry.
1267
1268 [RPC] CONF SETPARM section parameter value
1269 Store a parameter in registry. The section may be global or a
1270 sharename. The section is created if it does not exist yet.
1271
1272 [RPC] CONF GETPARM section parameter
1273 Show a parameter stored in registry.
1274
1275 [RPC] CONF DELPARM section parameter
1276 Delete a parameter stored in registry.
1277
1278 [RPC] CONF GETINCLUDES section
1279 Get the list of includes for the provided section (global or share).
1280
1281 Note that due to the nature of the registry database and the nature of
1282 include directives, the includes need special treatment: Parameters are
1283 stored in registry by the parameter name as valuename, so there is only
1284 ever one instance of a parameter per share. Also, a specific order like
1285 in a text file is not guaranteed. For all real parameters, this is
1286 perfectly ok, but the include directive is rather a meta parameter, for
1287 which, in the smb.conf text file, the place where it is specified
1288 between the other parameters is very important. This can not be
1289 achieved by the simple registry smbconf data model, so there is one
1290 ordered list of includes per share, and this list is evaluated after
1291 all the parameters of the share.
1292
1293 Further note that currently, only files can be included from registry
1294 configuration. In the future, there will be the ability to include
1295 configuration data from other registry keys.
1296
1297 [RPC] CONF SETINCLUDES section [filename]+
1298 Set the list of includes for the provided section (global or share) to
1299 the given list of one or more filenames. The filenames may contain the
1300 usual smb.conf macros like %I.
1301
1302 [RPC] CONF DELINCLUDES section
1303 Delete the list of includes from the provided section (global or
1304 share).
1305
1306 REGISTRY
1307 Manipulate Samba's registry.
1308
1309 The registry commands are:
1310 net registry enumerate - Enumerate registry keys and values.
1311 net registry enumerate_recursive - Enumerate registry key and its
1312 subkeys.
1313 net registry createkey - Create a new registry key.
1314 net registry deletekey - Delete a registry key.
1315 net registry deletekey_recursive - Delete a registry key with
1316 subkeys.
1317 net registry getvalue - Print a registry value.
1318 net registry getvalueraw - Print a registry value (raw format).
1319 net registry setvalue - Set a new registry value.
1320 net registry increment - Increment a DWORD registry value under a
1321 lock.
1322 net registry deletevalue - Delete a registry value.
1323 net registry getsd - Get security descriptor.
net registry getsd_sddl - Get security descriptor in sddl format.
net registry setsd_sddl - Set security descriptor from sddl format
string.
1327 net registry import - Import a registration entries (.reg)
1328 file.
1329 net registry export - Export a registration entries (.reg)
1330 file.
1331 net registry convert - Convert a registration entries (.reg)
1332 file.
1333 net registry check - Check and repair a registry database.
1334
1335 REGISTRY ENUMERATE key
1336 Enumerate subkeys and values of key.
1337
1338 REGISTRY ENUMERATE_RECURSIVE key
1339 Enumerate values of key and its subkeys.
1340
1341 REGISTRY CREATEKEY key
1342 Create a new key if not yet existing.
1343
1344 REGISTRY DELETEKEY key
1345 Delete the given key and its values from the registry, if it has no
1346 subkeys.
1347
1348 REGISTRY DELETEKEY_RECURSIVE key
1349 Delete the given key and all of its subkeys and values from the
1350 registry.
1351
1352 REGISTRY GETVALUE key name
1353 Output type and actual value of the value name of the given key.
1354
1355 REGISTRY GETVALUERAW key name
1356 Output the actual value of the value name of the given key.
1357
1358 REGISTRY SETVALUE key name type value ...
1359 Set the value name of an existing key. type may be one of sz, multi_sz
1360 or dword. In case of multi_sz value may be given multiple times.
1361
1362 REGISTRY INCREMENT key name [inc]
1363 Increment the DWORD value name of key by inc while holding a g_lock.
1364 inc defaults to 1.
1365
1366 REGISTRY DELETEVALUE key name
1367 Delete the value name of the given key.
1368
1369 REGISTRY GETSD key
1370 Get the security descriptor of the given key.
1371
1372 REGISTRY GETSD_SDDL key
1373 Get the security descriptor of the given key as a Security Descriptor
1374 Definition Language (SDDL) string.
1375
REGISTRY SETSD_SDDL key sd
1377 Set the security descriptor of the given key from a Security Descriptor
1378 Definition Language (SDDL) string sd.
1379
1380 REGISTRY IMPORT file [--precheck <check-file>] [opt]
1381 Import a registration entries (.reg) file.
1382
1383 The following options are available:
1384
1385 --precheck check-file
1386 This is a mechanism to check the existence or non-existence of
1387 certain keys or values specified in a precheck file before applying
1388 the import file. The import file will only be applied if the
1389 precheck succeeds.
1390
1391 The check-file follows the normal registry file syntax with the
1392 following semantics:
1393
1394 • <value name>=<value> checks whether the value exists and
1395 has the given value.
1396
1397 • <value name>=- checks whether the value does not exist.
1398
1399 • [key] checks whether the key exists.
1400
1401 • [-key] checks whether the key does not exist.
1402
1403
REGISTRY EXPORT key file [opt]
1405 Export a key to a registration entries (.reg) file.
1406
1407 REGISTRY CONVERT in out [[inopt] outopt]
1408 Convert a registration entries (.reg) file in.
1409
1410 REGISTRY CHECK [-ravTl] [-o <ODB>] [--wipe] [<DB>]
Check and repair the registry database. If no option is given a read
only check of the database is done. Among others an interactive or
automatic repair mode may be chosen with one of the following options:
1414
1415 -r|--repair
1416 Interactive repair mode, ask a lot of questions.
1417
1418 -a|--auto
1419 Noninteractive repair mode, use default answers.
1420
1421 -v|--verbose
1422 Produce more output.
1423
1424 -T|--test
1425 Dry run, show what changes would be made but don't touch anything.
1426
1427 -l|--lock
1428 Lock the database while doing the check.
1429
1430 --reg-version={1,2,3}
Specify the format of the registry database. If not given it
defaults to the value of the binary or, if a registry.tdb is
explicitly stated at the commandline, to the value found in the
INFO/version record.
1435
1436 [--db] <DB>
1437 Check the specified database.
1438
1439 -o|--output <ODB>
1440 Create a new registry database <ODB> instead of modifying the
1441 input. If <ODB> is already existing --wipe may be used to overwrite
1442 it.
1443
1444 --wipe
1445 Replace the registry database instead of modifying the input or
1446 overwrite an existing output database.
1447
1448 EVENTLOG
1449 Starting with version 3.4.0 net can read, dump, import and export
1450 native win32 eventlog files (usually *.evt). evt files are used by the
1451 native Windows eventviewer tools.
1452
1453 The import and export of evt files can only succeed when eventlog list
1454 is used in smb.conf file. See the smb.conf(5) manpage for details.
1455
1456 The eventlog commands are:
net eventlog dump - Dump an eventlog *.evt file on the screen.
net eventlog import - Import an eventlog *.evt into the samba
internal tdb based representation of eventlogs.
net eventlog export - Export the samba internal tdb based
representation of eventlogs into an eventlog *.evt file.
1462
1463 EVENTLOG DUMP filename
Prints an eventlog *.evt file to standard output.
1465
1466 EVENTLOG IMPORT filename eventlog
Imports an eventlog *.evt file defined by filename into the samba
internal tdb representation of eventlog defined by eventlog. eventlog
needs to be part of the eventlog list defined in smb.conf. See the
smb.conf(5) manpage for details.
1471
1472 EVENTLOG EXPORT filename eventlog
Exports the samba internal tdb representation of eventlog defined by
eventlog to an eventlog *.evt file defined by filename. eventlog needs
to be part of the eventlog list defined in smb.conf. See the smb.conf(5)
manpage for details.
1477
1478 DOM
1479 Starting with version 3.2.0 Samba has support for remote join and
1480 unjoin APIs, both client and server-side. Windows supports remote join
1481 capabilities since Windows 2000.
1482
In order for Samba to be joined or unjoined remotely an account must be
used that is either a member of the Domain Admins group, a member of the
local Administrators group or a user that is granted the
SeMachineAccountPrivilege privilege.
1487
1488 The client side support for remote join is implemented in the net dom
1489 commands which are:
1490 net dom join - Join a remote computer into a domain.
1491 net dom unjoin - Unjoin a remote computer from a domain.
1492 net dom renamecomputer - Renames a remote computer joined to a
1493 domain.
1494
1495 DOM JOIN domain=DOMAIN ou=OU account=ACCOUNT password=PASSWORD reboot
1496 Joins a computer into a domain. This command supports the following
1497 additional parameters:
1498
1499 • DOMAIN can be a NetBIOS domain name (also known as short
1500 domain name) or a DNS domain name for Active Directory
1501 Domains. As in Windows, it is also possible to control which
1502 Domain Controller to use. This can be achieved by appending
1503 the DC name using the \ separator character. Example:
1504 MYDOM\MYDC. The DOMAIN parameter cannot be NULL.
1505
1506 • OU can be set to a RFC 1779 LDAP DN, like
1507 ou=mymachines,cn=Users,dc=example,dc=com in order to create
1508 the machine account in a non-default LDAP container. This
1509 optional parameter is only supported when joining Active
1510 Directory Domains.
1511
1512 • ACCOUNT defines a domain account that will be used to join
1513 the machine to the domain. This domain account needs to have
1514 sufficient privileges to join machines.
1515
1516 • PASSWORD defines the password for the domain account defined
1517 with ACCOUNT.
1518
1519 • REBOOT is an optional parameter that can be set to reboot
1520 the remote machine after successful join to the domain.
1521
1522
1523 Note that you also need to use standard net parameters to connect and
1524 authenticate to the remote machine that you want to join. These
1525 additional parameters include: -S computer and -U user.
1526
1527 Example: net dom join -S xp -U XP\\administrator%secret domain=MYDOM
1528 account=MYDOM\\administrator password=topsecret reboot.
1529
1530 This example would connect to a computer named XP as the local
1531 administrator using password secret, and join the computer into a
1532 domain called MYDOM using the MYDOM domain administrator account and
1533 password topsecret. After successful join, the computer would reboot.
1534
1535 DOM UNJOIN account=ACCOUNT password=PASSWORD reboot
1536 Unjoins a computer from a domain. This command supports the following
1537 additional parameters:
1538
1539 • ACCOUNT defines a domain account that will be used to unjoin
1540 the machine from the domain. This domain account needs to
1541 have sufficient privileges to unjoin machines.
1542
1543 • PASSWORD defines the password for the domain account defined
1544 with ACCOUNT.
1545
1546 • REBOOT is an optional parameter that can be set to reboot
1547 the remote machine after successful unjoin from the domain.
1548
1549
1550 Note that you also need to use standard net parameters to connect and
1551 authenticate to the remote machine that you want to unjoin. These
1552 additional parameters include: -S computer and -U user.
1553
1554 Example: net dom unjoin -S xp -U XP\\administrator%secret
1555 account=MYDOM\\administrator password=topsecret reboot.
1556
1557 This example would connect to a computer named XP as the local
1558 administrator using password secret, and unjoin the computer from the
1559 domain using the MYDOM domain administrator account and password
1560 topsecret. After successful unjoin, the computer would reboot.
1561
1562 DOM RENAMECOMPUTER newname=NEWNAME account=ACCOUNT password=PASSWORD reboot
1563 Renames a computer that is joined to a domain. This command supports
1564 the following additional parameters:
1565
1566 • NEWNAME defines the new name of the machine in the domain.
1567
1568 • ACCOUNT defines a domain account that will be used to rename
1569 the machine in the domain. This domain account needs to have
1570 sufficient privileges to rename machines.
1571
1572 • PASSWORD defines the password for the domain account defined
1573 with ACCOUNT.
1574
1575 • REBOOT is an optional parameter that can be set to reboot
1576 the remote machine after successful rename in the domain.
1577
1578
1579 Note that you also need to use standard net parameters to connect and
1580 authenticate to the remote machine that you want to rename in the
1581 domain. These additional parameters include: -S computer and -U user.
1582
1583 Example: net dom renamecomputer -S xp -U XP\\administrator%secret
1584 newname=XPNEW account=MYDOM\\administrator password=topsecret reboot.
1585
1586 This example would connect to a computer named XP as the local
1587 administrator using password secret, and rename the joined computer to
1588 XPNEW using the MYDOM domain administrator account and password
1589 topsecret. After successful rename, the computer would reboot.
1590
1591 G_LOCK
1592 Manage global locks.
1593
1594 G_LOCK DO lockname timeout command
1595 Execute a shell command under a global lock. This might be useful to
1596 define the order in which several shell commands will be executed. The
1597 locking information is stored in a file called g_lock.tdb. In setups
1598 with CTDB running, the locking information will be available on all
1599 cluster nodes.
1600
1601 • LOCKNAME defines the name of the global lock.
1602
1603 • TIMEOUT defines the timeout.
1604
1605 • COMMAND defines the shell command to execute.
1606
1607 G_LOCK LOCKS
1608 Print a list of all currently existing locknames.
1609
1610 G_LOCK DUMP lockname
1611 Dump the locking table of a certain global lock.
1612
1613 TDB
1614 Print information from tdb records.
1615
1616 TDB LOCKING key [DUMP]
1617 List sharename, filename and number of share modes for a record from
1618 locking.tdb. With the optional DUMP options, dump the complete record.
1619
1620 • KEY Key of the tdb record as hex string.
1621
1622 vfs
1623 Access shared filesystem through the VFS.
1624
vfs stream2adouble [--recursive] [--verbose] [--continue]
[--follow-symlinks] share path
1627 Convert file streams to AppleDouble files.
1628
1629 • share A Samba share.
1630
1631
1632 • path A relative path of something in the Samba share. "."
1633 can be used for the root directory of the share.
1634
1635
1636 Options:
1637
1638 --recursive
1639 Traverse a directory hierarchy.
1640
1641 --verbose
1642 Verbose output.
1643
1644 --continue
1645 Continue traversing a directory hierarchy if a single conversion
1646 fails.
1647
1648 --follow-symlinks
1649 Follow symlinks encountered while traversing a directory.
1650
1651 vfs getntacl share path
1652 Display the security descriptor of a file or directory.
1653
1654 • share A Samba share.
1655
1656
1657 • path A relative path of something in the Samba share. "."
1658 can be used for the root directory of the share.
1659
1660 HELP [COMMAND]
1661 Gives usage information for the specified command.
1662
1664 This man page is complete for version 3 of the Samba suite.
1665
1667 The original Samba software and related utilities were created by
1668 Andrew Tridgell. Samba is now developed by the Samba Team as an Open
1669 Source project similar to the way the Linux kernel is developed.
1670
1671 The net manpage was written by Jelmer Vernooij.
1672
1673
1674
1675Samba 4.14.5 06/01/2021 NET(8)