NET(8)                    System Administration tools                    NET(8)

NAME
   net - Tool for administration of Samba and remote CIFS servers.

SYNOPSIS
   net {<ads|rap|rpc>} [-h|--help] [-d|--debuglevel=DEBUGLEVEL]
       [--debug-stdout] [--configfile=CONFIGFILE] [--option=name=value]
       [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full]
       [-R|--name-resolve=NAME-RESOLVE-ORDER]
       [-O|--socket-options=SOCKETOPTIONS] [-m|--max-protocol=MAXPROTOCOL]
       [-n|--netbiosname=NETBIOSNAME] [--netbios-scope=SCOPE]
       [-W|--workgroup=WORKGROUP] [--realm=REALM]
       [-U|--user=[DOMAIN/]USERNAME[%PASSWORD]] [-N|--no-pass]
       [--password=STRING] [--pw-nt-hash] [-A|--authentication-file=FILE]
       [-P|--machine-pass] [--simple-bind-dn=DN]
       [--use-kerberos=desired|required|off] [--use-krb5-ccache=CCACHE]
       [--use-winbind-ccache] [--client-protection=sign|encrypt|off]
       [-V|--version] [-w|--target-workgroup workgroup]
       [-I|--ipaddress ip-address] [-p|--port port] [--myname]
       [-S|--server server] [--long] [-v|--verbose] [-f|--force]
       [--request-timeout seconds] [-t|--timeout seconds] [-i|--stdin]

DESCRIPTION
   This tool is part of the samba(7) suite.

   The Samba net utility is meant to work just like the net utility
   available for Windows and DOS. The first argument specifies the
   protocol to use when executing a certain command. ADS is used for
   Active Directory, RAP is used for old (Win9x/NT3) clients and RPC can
   be used for NT4 and Windows 2000. If this argument is omitted, net
   will try to determine it automatically. Not all commands are
   available on all protocols.
OPTIONS
   -w|--target-workgroup target-workgroup
       Sets target workgroup or domain. You have to specify either this
       option or the IP address or the name of a server.

   -I|--ipaddress ip-address
       IP address of target server to use. You have to specify either this
       option or a target workgroup or a target server.

   -p|--port port
       Port on the target server to connect to (usually 139 or 445).
       Defaults to trying 445 first, then 139.

   -S|--server server
       Name of target server. You should specify either this option or a
       target workgroup or a target IP address.

   -l|--long
       When listing data, give more information on each item.

   -v|--verbose
       When listing data, give more verbose information on each item.

   -f|--force
       Force execution of a net command.

   --request-timeout 30
       Let client requests time out after 30 seconds; the default is 10
       seconds.

   -t|--timeout 30
       Set timeout for client operations to 30 seconds.

   -i|--stdin
       Take input for net commands from standard input.

   -T|--test
       Only test command sequence, dry-run.

   -F|--flags FLAGS
       Pass down integer flags to a net subcommand.

   -C|--comment COMMENT
       Pass down a comment string to a net subcommand.

   --myname MYNAME
       Use MYNAME as a requester name for a net subcommand.

   -c|--container CONTAINER
       Use a specific AD container for net ads operations.

   -M|--maxusers MAXUSERS
       Fill in the maxusers field in net rpc share operations.

   -r|--reboot
       Reboot a remote machine after a command has been successfully
       executed (e.g. in remote join operations).

   --force-full-repl
       When calling "net rpc vampire keytab" this option enforces a full
       re-creation of the generated keytab file.

   --single-obj-repl
       When calling "net rpc vampire keytab" this option allows one to
       replicate just a single object to the generated keytab file.

   --clean-old-entries
       When calling "net rpc vampire keytab" this option allows one to
       clean up old entries from the generated keytab file.

   --db
       Define dbfile for "net idmap" commands.

   --lock
       Activates locking of the dbfile for the "net idmap check" command.

   -a|--auto
       Activates noninteractive mode in "net idmap check".

   --repair
       Activates repair mode in "net idmap check".

   --acls
       Includes ACLs to be copied in "net rpc share migrate".

   --attrs
       Includes file attributes to be copied in "net rpc share migrate".

   --timestamps
       Includes timestamps to be copied in "net rpc share migrate".

   -X|--exclude DIRECTORY
       Allows one to exclude directories when copying with "net rpc share
       migrate".

   --destination SERVERNAME
       Defines the target servername of the migration process (defaults to
       localhost).

   -L|--local
       Sets the type of group mapping to local (used in "net groupmap
       set").

   -D|--domain
       Sets the type of group mapping to domain (used in "net groupmap
       set").

   -N|--ntname NTNAME
       Sets the ntname of a group mapping (used in "net groupmap set").

   --rid RID
       Sets the rid of a group mapping (used in "net groupmap set").

   --reg-version REG_VERSION
       Assume database version {n|1,2,3} (used in "net registry check").

   -o|--output FILENAME
       Output database file (used in "net registry check").

   --wipe
       Create a new database from scratch (used in "net registry check").

   --precheck PRECHECK_DB_FILENAME
       Defines filename for database prechecking (used in "net registry
       import").

   --no-dns-updates
       Do not perform DNS updates as part of "net ads join".

   --keep-account
       Prevent the machine account removal as part of "net ads leave".

   --json
       Report results in JSON format for "net ads info" and "net ads
       lookup".

   --recursive
       Traverse a directory hierarchy.

   --continue
       Continue traversing a directory hierarchy in case conversion of one
       file fails.

   --follow-symlinks
       Follow symlinks encountered while traversing a directory.

   -d|--debuglevel=DEBUGLEVEL
       level is an integer from 0 to 10. The default value if this
       parameter is not specified is 1 for client applications.

       The higher this value, the more detail will be logged to the log
       files about the activities of the server. At level 0, only critical
       errors and serious warnings will be logged. Level 1 is a reasonable
       level for day-to-day running - it generates a small amount of
       information about operations carried out.

       Levels above 1 will generate considerable amounts of log data, and
       should only be used when investigating a problem. Levels above 3
       are designed for use only by developers and generate HUGE amounts
       of log data, most of which is extremely cryptic.

       Note that specifying this parameter here will override the log
       level parameter in the smb.conf file.

   --debug-stdout
       This will redirect debug output to STDOUT. By default all clients
       are logging to STDERR.

   --configfile=<configuration file>
       The file specified contains the configuration details required by
       the client. The information in this file can be general for client
       and server, or provide only client-specific options such as client
       smb encrypt. See smb.conf for more information. The default
       configuration file name is determined at compile time.

   --option=<name>=<value>
       Set the smb.conf(5) option "<name>" to value "<value>" from the
       command line. This overrides compiled-in defaults and options read
       from the configuration file. If a name or a value includes a space,
       wrap the whole --option=name=value into quotes.

   -l|--log-basename=logdirectory
       Base directory name for log/debug files. The extension ".progname"
       will be appended (e.g. log.smbclient, log.smbd, etc.). The log
       file is never removed by the client.

   --leak-report
       Enable talloc leak reporting on exit.

   --leak-report-full
       Enable full talloc leak reporting on exit.

   -V|--version
       Prints the program version number.
   -R|--name-resolve=NAME-RESOLVE-ORDER
       This option is used to determine what naming services and in what
       order to resolve host names to IP addresses. The option takes a
       space-separated string of different name resolution options. It is
       best to wrap the whole --name-resolve=NAME-RESOLVE-ORDER into
       quotes.

       The options are: "lmhosts", "host", "wins" and "bcast". They cause
       names to be resolved as follows:

       • lmhosts: Lookup an IP address in the Samba lmhosts file.
         If the line in lmhosts has no name type attached to the
         NetBIOS name (see the lmhosts(5) for details) then any
         name type matches for lookup.

       • host: Do a standard host name to IP address resolution,
         using the system /etc/hosts, NIS, or DNS lookups. This
         method of name resolution is operating system dependent
         (for instance, on IRIX or Solaris this may be controlled
         by the /etc/nsswitch.conf file). Note that this method
         is only used if the NetBIOS name type being queried is
         the 0x20 (server) name type, otherwise it is ignored.

       • wins: Query a name with the IP address listed in the
         wins server parameter. If no WINS server has been
         specified this method will be ignored.

       • bcast: Do a broadcast on each of the known local
         interfaces listed in the interfaces parameter. This is
         the least reliable of the name resolution methods as it
         depends on the target host being on a locally connected
         subnet.

       If this parameter is not set then the name resolve order defined in
       the smb.conf file parameter (name resolve order) will be used.

       The default order is lmhosts, host, wins, bcast. Without this
       parameter or any entry in the name resolve order parameter of the
       smb.conf file, the name resolution methods will be attempted in
       this order.
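The two rules in the option description that are easy to miss (the "host" method is only consulted for the 0x20 name type, and "wins" is skipped when no WINS server is configured) are spelled out in the following added example, which is not Samba code and does no real lookups: it validates a `--name-resolve` string, applies the documented restrictions to one query, and walks constructed stand-in backends in the resulting order.

```python
"""Validate a --name-resolve order and show which methods a lookup would try.

Added example, not Samba's resolver. The ordering and the two special cases
("host" only for name type 0x20, "wins" only with a WINS server) follow the
option description above; the backends are constructed stand-ins.
"""
from typing import Callable, Dict, List, Optional, Tuple

# The four methods the page lists, in Samba's documented default order.
VALID_METHODS = ("lmhosts", "host", "wins", "bcast")
DEFAULT_ORDER: List[str] = list(VALID_METHODS)

Backend = Callable[[str, int], Optional[str]]


def parse_resolve_order(value: Optional[str]) -> List[str]:
    """Turn the space-separated --name-resolve string into an ordered list.

    Unknown methods raise ValueError instead of being skipped silently;
    an empty or missing value yields the default order.
    """
    if not value or not value.strip():
        return list(DEFAULT_ORDER)
    order: List[str] = []
    for token in value.split():
        method = token.lower()
        if method not in VALID_METHODS:
            raise ValueError(f"unknown name resolution method: {token!r}")
        if method not in order:          # duplicates keep their first position
            order.append(method)
    return order


def methods_for_lookup(order: List[str], name_type: int,
                       wins_server_configured: bool) -> List[str]:
    """Apply the documented restrictions to an order for a single query."""
    usable: List[str] = []
    for method in order:
        if method == "host" and name_type != 0x20:
            continue                     # "host" only for the 0x20 server name type
        if method == "wins" and not wins_server_configured:
            continue                     # no WINS server: method is ignored
        usable.append(method)
    return usable


def resolve(name: str, name_type: int, order: List[str],
            backends: Dict[str, Backend],
            wins_server_configured: bool) -> Optional[Tuple[str, str]]:
    """Try each usable method in turn; return (method, ip) for the first hit."""
    for method in methods_for_lookup(order, name_type, wins_server_configured):
        ip = backends[method](name, name_type)
        if ip is not None:
            return method, ip
    return None


# Constructed stand-ins: only "host" knows FILESRV, only "bcast" knows PRINTSRV.
SAMPLE_BACKENDS: Dict[str, Backend] = {
    "lmhosts": lambda n, t: None,
    "host": lambda n, t: "192.0.2.10" if n == "FILESRV" else None,
    "wins": lambda n, t: None,
    "bcast": lambda n, t: "192.0.2.20" if n == "PRINTSRV" else None,
}

if __name__ == "__main__":
    order = parse_resolve_order("lmhosts host bcast")
    print(resolve("FILESRV", 0x20, order, SAMPLE_BACKENDS, False))  # ('host', '192.0.2.10')
    print(resolve("FILESRV", 0x1b, order, SAMPLE_BACKENDS, False))  # None
```

The second call returns `None` because the 0x1b (domain master browser) name type excludes the "host" method, so only lmhosts and broadcast remain, and neither stand-in knows FILESRV.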
272
273 -O|--socket-options=SOCKETOPTIONS
274 TCP socket options to set on the client socket. See the socket
275 options parameter in the smb.conf manual page for the list of valid
276 options.
277
278 -m|--max-protocol=MAXPROTOCOL
279 The value of the parameter (a string) is the highest protocol level
280 that will be supported by the client.
281
282 Note that specifying this parameter here will override the client
283 max protocol parameter in the smb.conf file.
284
285 -n|--netbiosname=NETBIOSNAME
286 This option allows you to override the NetBIOS name that Samba uses
287 for itself. This is identical to setting the netbios name parameter
288 in the smb.conf file. However, a command line setting will take
289 precedence over settings in smb.conf.
290
291 --netbios-scope=SCOPE
292 This specifies a NetBIOS scope that nmblookup will use to
293 communicate with when generating NetBIOS names. For details on the
294 use of NetBIOS scopes, see rfc1001.txt and rfc1002.txt. NetBIOS
295 scopes are very rarely used, only set this parameter if you are the
296 system administrator in charge of all the NetBIOS systems you
297 communicate with.
298
299 -W|--workgroup=WORKGROUP
300 Set the SMB domain of the username. This overrides the default
301 domain which is the domain defined in smb.conf. If the domain
302 specified is the same as the servers NetBIOS name, it causes the
303 client to log on using the servers local SAM (as opposed to the
304 Domain SAM).
305
306 Note that specifying this parameter here will override the
307 workgroup parameter in the smb.conf file.
308
309 -r|--realm=REALM
310 Set the realm for the domain.
311
312 Note that specifying this parameter here will override the realm
313 parameter in the smb.conf file.
314
315 -U|--user=[DOMAIN\]USERNAME[%PASSWORD]
316 Sets the SMB username or username and password.
317
318 If %PASSWORD is not specified, the user will be prompted. The
319 client will first check the USER environment variable (which is
320 also permitted to also contain the password seperated by a %), then
321 the LOGNAME variable (which is not permitted to contain a password)
322 and if either exists, the value is used. If these environmental
323 variables are not found, the username found in a Kerberos
324 Credentials cache may be used.
325
326 A third option is to use a credentials file which contains the
327 plaintext of the username and password. This option is mainly
328 provided for scripts where the admin does not wish to pass the
329 credentials on the command line or via environment variables. If
330 this method is used, make certain that the permissions on the file
331 restrict access from unwanted users. See the -A for more details.
332
333 Be cautious about including passwords in scripts or passing
334 user-supplied values onto the command line. For security it is
335 better to let the Samba client tool ask for the password if needed,
336 or obtain the password once with kinit.
337
338 While Samba will attempt to scrub the password from the process
339 title (as seen in ps), this is after startup and so is subject to a
340 race.
341
342 -N|--no-pass
343 If specified, this parameter suppresses the normal password prompt
344 from the client to the user. This is useful when accessing a
345 service that does not require a password.
346
347 Unless a password is specified on the command line or this
348 parameter is specified, the client will request a password.
349
350 If a password is specified on the command line and this option is
351 also defined the password on the command line will be silently
352 ignored and no password will be used.
353
354 --password
355 Specify the password on the commandline.
356
357 Be cautious about including passwords in scripts or passing
358 user-supplied values onto the command line. For security it is
359 better to let the Samba client tool ask for the password if needed,
360 or obtain the password once with kinit.
361
362 If --password is not specified, the tool will check the PASSWD
363 environment variable, followed by PASSWD_FD which is expected to
364 contain an open file descriptor (FD) number.
365
366 Finally it will check PASSWD_FILE (containing a file path to be
367 opened). The file should only contain the password. Make certain
368 that the permissions on the file restrict access from unwanted
369 users!
370
371 While Samba will attempt to scrub the password from the process
372 title (as seen in ps), this is after startup and so is subject to a
373 race.
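Of the fallbacks listed for --password, PASSWD_FD is the one that keeps the secret out of both argv (visible in ps, with the race described above) and the environment block (where only the descriptor number appears). The following added wrapper, which is not part of Samba or of this man page, shows how a script hands the password to a child over a pipe; the child used here is a constructed stand-in that merely reads PASSWD_FD and echoes it back, so the example runs without Samba. In practice the argv would be the real `net ... -U user` command line.

```python
"""Pass a password to a Samba client tool through PASSWD_FD.

Added example, not Samba code. The man page says --password falls back to
PASSWD, then PASSWD_FD (an open fd number), then PASSWD_FILE; this wrapper
uses PASSWD_FD. STANDIN_CHILD is a constructed stand-in for `net` that reads
the descriptor named in PASSWD_FD and prints what it received.
"""
import os
import subprocess
import sys
from typing import List

# Stand-in for `net`: read PASSWD_FD and echo the secret so the wrapper can be checked.
STANDIN_CHILD: List[str] = [
    sys.executable, "-c",
    "import os, sys; fd = int(os.environ['PASSWD_FD']); "
    "sys.stdout.write(os.read(fd, 4096).decode())",
]


def run_with_passwd_fd(argv: List[str], password: str) -> str:
    """Run argv with PASSWD_FD pointing at a pipe that carries the password.

    Only the read end is inherited by the child; the parent closes its copy
    immediately after the child is started and closes the write end right
    after writing, so the child reads the secret and then sees EOF.
    Returns the child's stdout.
    """
    read_fd, write_fd = os.pipe()
    try:
        env = dict(os.environ, PASSWD_FD=str(read_fd))
        env.pop("PASSWD", None)      # never let a stale plaintext variable through
        proc = subprocess.Popen(
            argv, env=env, pass_fds=(read_fd,),
            stdout=subprocess.PIPE, text=True,
        )
        os.close(read_fd)            # the parent does not need the read end any more
        read_fd = -1
        os.write(write_fd, password.encode())
        os.close(write_fd)           # EOF for the child
        write_fd = -1
        out, _ = proc.communicate(timeout=30)
    finally:
        for fd in (read_fd, write_fd):
            if fd >= 0:
                os.close(fd)
    if proc.returncode != 0:
        raise RuntimeError(f"child exited with status {proc.returncode}")
    return out


if __name__ == "__main__":
    print(run_with_passwd_fd(STANDIN_CHILD, "example-secret"))  # example-secret
```

Because `subprocess.Popen` is given a list and no shell, the password is never part of any command line, and `pass_fds` closes every other inherited descriptor in the child.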
374
375 --pw-nt-hash
376 The supplied password is the NT hash.
377
378 -A|--authentication-file=filename
379 This option allows you to specify a file from which to read the
380 username and password used in the connection. The format of the
381 file is:
382
383 username = <value>
384 password = <value>
385 domain = <value>
386
387
388 Make certain that the permissions on the file restrict access from
389 unwanted users!
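The permission warning is the part of -A that scripts most often get wrong. The following added example (not Samba's parser) reads the three-line format shown above and refuses the file unless it is a regular file, owned by the caller, with no group or other permission bits; the sample file it writes is constructed for the demonstration, and treating blank lines as ignorable is this example's choice.

```python
"""Read a -A|--authentication-file credentials file only if it is private.

Added example, not Samba code. The file format (username =, password =,
domain =) is the one the man page shows; the permission check is what the
page's warning asks for. Sample files are written to a temporary directory.
"""
import os
import stat
import tempfile
from typing import Dict, Tuple

ALLOWED_KEYS = {"username", "password", "domain"}


def check_file_is_private(path: str) -> None:
    """Raise PermissionError unless path is a caller-owned regular file
    without any group/other permission bits."""
    st = os.lstat(path)                      # lstat: a symlink is refused, not followed
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path}: mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path}: owned by uid {st.st_uid}, not by the caller")


def parse_authentication_file(path: str) -> Dict[str, str]:
    """Parse 'key = value' lines; unknown keys or a missing username are errors."""
    check_file_is_private(path)
    creds: Dict[str, str] = {}
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, start=1):
            line = raw.strip()
            if not line:
                continue                     # blank lines ignored (example's choice)
            if "=" not in line:
                raise ValueError(f"{path}:{lineno}: expected 'key = value'")
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key not in ALLOWED_KEYS:
                raise ValueError(f"{path}:{lineno}: unknown key {key!r}")
            creds[key] = value
    if "username" not in creds:
        raise ValueError(f"{path}: no username entry")
    return creds


def write_sample_file(directory: str, mode: int) -> str:
    """Write a constructed credentials file with the given mode; return its path."""
    path = os.path.join(directory, "net-creds")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("username = backupsvc\npassword = example-only\ndomain = EXAMPLE\n")
    os.chmod(path, mode)                     # set the final mode regardless of umask
    return path


def demo() -> Tuple[Dict[str, str], bool]:
    """Return (credentials read from a 0600 file, whether a 0644 file was refused)."""
    with tempfile.TemporaryDirectory() as tmp:
        creds = parse_authentication_file(write_sample_file(tmp, 0o600))
        try:
            parse_authentication_file(write_sample_file(tmp, 0o644))
            refused = False
        except PermissionError:
            refused = True
    return creds, refused


if __name__ == "__main__":
    print(demo())
```

Splitting on the first `=` only means a password containing `=` survives intact; the ownership check stops a file planted by another local user from being picked up even when its mode looks right.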
390
391 -P|--machine-pass
392 Use stored machine account password.
393
394 --simple-bind-dn=DN
395 DN to use for a simple bind.
396
397 --use-kerberos=desired|required|off
398 This parameter determines whether Samba client tools will try to
399 authenticate using Kerberos. For Kerberos authentication you need
400 to use dns names instead of IP addresses when connnecting to a
401 service.
402
403 Note that specifying this parameter here will override the client
404 use kerberos parameter in the smb.conf file.
405
406 --use-krb5-ccache=CCACHE
407 Specifies the credential cache location for Kerberos
408 authentication.
409
410 This will set --use-kerberos=required too.
411
412 --use-winbind-ccache
413 Try to use the credential cache by winbind.
414
415 --client-protection=sign|encrypt|off
416 Sets the connection protection the client tool should use.
417
418 Note that specifying this parameter here will override the client
419 protection parameter in the smb.conf file.
420
421 In case you need more fine grained control you can use:
422 --option=clientsmbencrypt=OPTION, --option=clientipcsigning=OPTION,
423 --option=clientsigning=OPTION.
424
COMMANDS
   CHANGESECRETPW
       This command allows the Samba machine account password to be set from
       an external application to a machine account password that has already
       been stored in Active Directory. DO NOT USE this command unless you
       know exactly what you are doing. The use of this command requires that
       the force flag (-f) be used also. There will be NO command prompt.
       Whatever information is piped into stdin, either by typing at the
       command line or otherwise, will be stored as the literal machine
       password. Do NOT use this without care and attention as it will
       overwrite a legitimate machine password without warning. YOU HAVE BEEN
       WARNED.

   TIME
       The NET TIME command allows you to view the time on a remote server or
       synchronise the time on the local server with the time on the remote
       server.

       TIME
           Without any options, the NET TIME command displays the time on the
           remote server. The remote server must be specified with the -S
           option.

       TIME SYSTEM
           Displays the time on the remote server in a format ready for
           /bin/date. The remote server must be specified with the -S option.

       TIME SET
           Tries to set the date and time of the local server to that on the
           remote server using /bin/date. The remote server must be specified
           with the -S option.

       TIME ZONE
           Displays the timezone in hours from GMT on the remote server. The
           remote server must be specified with the -S option.
   [RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]]
   [dnshostname=FQDN] [createupn=UPN] [createcomputer=OU]
   [machinepass=PASS] [osName=string osVer=string] [options]
       Join a domain. If the account already exists on the server, and [TYPE]
       is MEMBER, the machine will attempt to join automatically. (Assuming
       that the machine has been created in server manager.) Otherwise, a
       password will be prompted for, and a new account may be created.

       [TYPE] may be PDC, BDC or MEMBER to specify the type of server joining
       the domain.

       [FQDN] (ADS only) set the dnsHostName attribute during the join. The
       default format is netbiosname.dnsdomain.

       [UPN] (ADS only) set the principalname attribute during the join. The
       default format is host/netbiosname@REALM.

       [OU] (ADS only) Precreate the computer account in a specific OU. The OU
       string reads from top to bottom without RDNs, and is delimited by a
       '/'. Please note that '\' is used for escape by both the shell and
       ldap, so it may need to be doubled or quadrupled to pass through, and
       it is not used as a delimiter.

       [PASS] (ADS only) Set a specific password on the computer account being
       created by the join.

       [osName=string osVer=String] (ADS only) Set the operatingSystem and
       operatingSystemVersion attribute during the join. Both parameters must
       be specified for either to take effect.
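The createcomputer=OU description above, and the later note under ADS GPO LINKADD that DNs must be escaped per RFC 4514, both come down to the same transformation: turning a top-down, '/'-delimited path into a correctly escaped LDAP DN. The added example below is not Samba code; mapping every path element to an `OU=` RDN (most specific first) followed by the domain's `DC=` components is this example's assumption about the path's meaning, while the escaping rules are the standard RFC 4514 ones.

```python
"""Turn a createcomputer=OU path into an RFC 4514-escaped LDAP DN.

Added example, not Samba's code. Assumption: each '/'-separated element of
the path is an OU, read top-down, so 'Servers/Linux/Web' in corp.example.com
becomes OU=Web,OU=Linux,OU=Servers,DC=corp,DC=example,DC=com. The escaping
helper is also what an RFC 4514 DN for `net ads gpo linkadd` needs.
"""
from typing import List

# Characters RFC 4514 section 2.4 requires to be escaped anywhere in a value.
_SPECIAL = set('",+;<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN."""
    if value == "":
        raise ValueError("empty RDN value")
    out: List[str] = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:           # leading '#' would start a hex string
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                 # leading/trailing spaces
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def domain_to_dc(dns_domain: str) -> str:
    """'corp.example.com' -> 'DC=corp,DC=example,DC=com'."""
    labels = [label for label in dns_domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty DNS domain")
    return ",".join("DC=" + escape_rdn_value(label) for label in labels)


def ou_path_to_dn(ou_path: str, dns_domain: str) -> str:
    """Map a top-down '/'-delimited OU path to a DN, most specific RDN first.

    The path elements are taken as raw names; '/' is the only delimiter, so
    a name containing '/' cannot be expressed, matching the page's note that
    '\\' is an escape character and not a delimiter.
    """
    parts = [p for p in ou_path.split("/") if p != ""]
    if not parts:
        raise ValueError("OU path has no elements")
    rdns = ["OU=" + escape_rdn_value(p) for p in reversed(parts)]
    return ",".join(rdns + [domain_to_dc(dns_domain)])


if __name__ == "__main__":
    print(ou_path_to_dn("Servers/Linux/Web", "corp.example.com"))
    print(ou_path_to_dn("Sales, EMEA/Laptops", "corp.example.com"))
```

When the resulting names are typed on a shell command line, remember the man page's point that the shell consumes one level of backslashes before `net` or LDAP sees the value.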
   [RPC] OLDJOIN [options]
       Join a domain. Use the OLDJOIN option to join the domain using the old
       style of domain joining - you need to create a trust account in server
       manager first.

   [RPC|ADS] USER
       [RPC|ADS] USER
           List all users.

       [RPC|ADS] USER DELETE target
           Delete specified user.

       [RPC|ADS] USER INFO target
           List the domain groups of the specified user.

       [RPC|ADS] USER RENAME oldname newname
           Rename specified user.

       [RPC|ADS] USER ADD name [password] [-F user flags] [-C comment]
           Add specified user.

   [RPC|ADS] GROUP
       [RPC|ADS] GROUP [misc options] [targets]
           List user groups.

       [RPC|ADS] GROUP DELETE name [misc. options]
           Delete specified group.

       [RPC|ADS] GROUP ADD name [-C comment]
           Create specified group.

   [ADS] LOOKUP
       Look up the closest Domain Controller in our domain and retrieve
       server information about it.

   [RAP|RPC] SHARE
       [RAP|RPC] SHARE [misc. options] [targets]
           Enumerates all exported resources (network shares) on target
           server.

       [RAP|RPC] SHARE ADD name=serverpath [-C comment] [-M maxusers]
       [targets]
           Adds a share from a server (makes the export active). Maxusers
           specifies the number of users that can be connected to the share
           simultaneously.

       SHARE DELETE sharename
           Delete specified share.

   [RPC|RAP] FILE
       [RPC|RAP] FILE
           List all open files on remote server.

       [RPC|RAP] FILE CLOSE fileid
           Close file with specified fileid on remote server.

       [RPC|RAP] FILE INFO fileid
           Print information on specified fileid. Currently listed are:
           file-id, username, locks, path, permissions.

       [RAP|RPC] FILE USER user
           List files opened by specified user. Please note that net rap file
           user does not work against Samba servers.

   SESSION
       RAP SESSION
           Without any other options, SESSION enumerates all active SMB/CIFS
           sessions on the target server.

       RAP SESSION DELETE|CLOSE CLIENT_NAME
           Close the specified sessions.

       RAP SESSION INFO CLIENT_NAME
           Give a list with all the open files in specified session.

   RAP SERVER DOMAIN
       List all servers in specified domain or workgroup. Defaults to local
       domain.

   RAP DOMAIN
       Lists all domains and workgroups visible on the current network.

   RAP PRINTQ
       RAP PRINTQ INFO QUEUE_NAME
           Lists the specified print queue and print jobs on the server. If
           the QUEUE_NAME is omitted, all queues are listed.

       RAP PRINTQ DELETE JOBID
           Delete job with specified id.

   RAP VALIDATE user [password]
       Validate whether the specified user can log in to the remote server. If
       the password is not specified on the command line, it will be prompted.

       Note
           Currently NOT implemented.

   RAP GROUPMEMBER
       RAP GROUPMEMBER LIST GROUP
           List all members of the specified group.

       RAP GROUPMEMBER DELETE GROUP USER
           Delete member from group.

       RAP GROUPMEMBER ADD GROUP USER
           Add member to group.

   RAP ADMIN command
       Execute the specified command on the remote server. Only works with
       OS/2 servers.

       Note
           Currently NOT implemented.

   RAP SERVICE
       RAP SERVICE START NAME [arguments...]
           Start the specified service on the remote server. Not implemented
           yet.

           Note
               Currently NOT implemented.

       RAP SERVICE STOP
           Stop the specified service on the remote server.

           Note
               Currently NOT implemented.

   RAP PASSWORD USER OLDPASS NEWPASS
       Change password of USER from OLDPASS to NEWPASS.

   LOOKUP
       LOOKUP HOST HOSTNAME [TYPE]
           Look up the IP address of the given host with the specified type
           (netbios suffix). The type defaults to 0x20 (workstation).

       LOOKUP LDAP [DOMAIN]
           Give IP address of LDAP server of specified DOMAIN. Defaults to
           local domain.

       LOOKUP KDC [REALM]
           Give IP address of KDC for the specified REALM. Defaults to local
           realm.

       LOOKUP DC [DOMAIN]
           Give IPs of Domain Controllers for specified DOMAIN. Defaults to
           local domain.

       LOOKUP MASTER DOMAIN
           Give IP of master browser for specified DOMAIN or workgroup.
           Defaults to local domain.

       LOOKUP NAME [NAME]
           Look up the username's SID and type for the specified NAME.

       LOOKUP SID [SID]
           Give the SID's name and type for the specified SID.

       LOOKUP DSGETDCNAME [NAME] [FLAGS] [SITENAME]
           Give Domain Controller information for the specified domain NAME.

   CACHE
       Samba uses a general caching interface called 'gencache'. It can be
       controlled using 'NET CACHE'.

       All the timeout parameters support the suffixes:
           s - Seconds
           m - Minutes
           h - Hours
           d - Days
           w - Weeks

       CACHE ADD key data time-out
           Add specified key+data to the cache with the given timeout.

       CACHE DEL key
           Delete key from the cache.

       CACHE SET key data time-out
           Update data of existing cache entry.

       CACHE SEARCH PATTERN
           Search for the specified pattern in the cache data.

       CACHE LIST
           List all current items in the cache.

       CACHE FLUSH
           Remove all the current items from the cache.
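The time-out syntax given under CACHE is small enough that a script can check it before calling `net cache add` or `net cache set`, so a typo does not silently create an entry with a lifetime nobody intended. The added example below is not Samba's parser; it accepts the five documented suffixes, treats a bare number as seconds (this example's assumption, not stated by the page), and rejects anything else, including a zero time-out.

```python
"""Validate the time-out argument of `net cache add|set`.

Added example, not Samba code. Suffixes s, m, h, d and w are the ones the
man page lists; a bare number being seconds and zero being rejected are
choices made by this example.
"""
import re
from typing import List

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}
_PATTERN = re.compile(r"^(\d+)([smhdw])?$")


def parse_timeout(value: str) -> int:
    """'30s' -> 30, '5m' -> 300, '2h' -> 7200, '1d' -> 86400, '1w' -> 604800."""
    m = _PATTERN.match(value.strip())
    if not m:
        raise ValueError(f"invalid cache time-out: {value!r}")
    number, unit = m.groups()
    return int(number) * _UNITS[unit or "s"]


def build_cache_argv(action: str, key: str, data: str, timeout: str) -> List[str]:
    """Return argv for `net cache add|set` after validating the time-out.

    Returned as a list for use with subprocess without a shell, so keys or
    data containing spaces need no extra quoting.
    """
    if action not in ("add", "set"):
        raise ValueError(f"action must be 'add' or 'set', got {action!r}")
    if parse_timeout(timeout) == 0:
        raise ValueError("a zero time-out is almost certainly a mistake")
    return ["net", "cache", action, key, data, timeout.strip()]


if __name__ == "__main__":
    print(build_cache_argv("add", "example/key", "example data", "10m"))
```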
   GETLOCALSID [DOMAIN]
       Prints the SID of the specified domain, or if the parameter is omitted,
       the SID of the local server.

   SETLOCALSID S-1-5-21-x-y-z
       Sets SID for the local server to the specified SID.

   GETDOMAINSID
       Prints the local machine SID and the SID of the current domain.

   SETDOMAINSID
       Sets the SID of the current domain.

   GROUPMAP
       Manage the mappings between Windows group SIDs and UNIX groups. Common
       options include:

       • unixgroup - Name of the UNIX group

       • ntgroup - Name of the Windows NT group (must be resolvable
         to a SID)

       • rid - Unsigned 32-bit integer

       • sid - Full SID in the form of "S-1-..."

       • type - Type of the group; either 'domain', 'local', or
         'builtin'

       • comment - Freeform text description of the group

       GROUPMAP ADD
           Add a new group mapping entry:

               net groupmap add {rid=int|sid=string} unixgroup=string \
                   [type={domain|local}] [ntgroup=string] [comment=string]

       GROUPMAP DELETE
           Delete a group mapping entry. If more than one group name matches,
           the first entry found is deleted.

               net groupmap delete {ntgroup=string|sid=SID}

       GROUPMAP MODIFY
           Update an existing group entry.

               net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] \
                   [comment=string] [type={domain|local}]

       GROUPMAP LIST
           List existing group mapping entries.

               net groupmap list [verbose] [ntgroup=string] [sid=SID]
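A group mapping binds a UNIX group to a Windows SID, so a malformed SID or an out-of-range RID should be caught before `net groupmap add` is run rather than after. The following added example (not Samba's code) checks the constraints the GROUPMAP section states: a SID of the form S-1-..., a RID that fits in an unsigned 32-bit integer, a type of domain, local or builtin, and exactly one of rid= or sid=. It also derives a full SID from a domain SID plus RID, which is how a domain group's SID is formed; the domain SID in the demonstration is a constructed value.

```python
"""Validate `net groupmap add` arguments before building the command line.

Added example, not Samba code. Checks follow the GROUPMAP option list in
the man page; the sample domain SID below is constructed.
"""
import re
from typing import List, Optional

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
GROUP_TYPES = ("domain", "local", "builtin")
UINT32_MAX = 2 ** 32 - 1
MAX_SUBAUTHORITIES = 15


def is_valid_sid(sid: str) -> bool:
    """S-1-<authority>-<subauth>..., each sub-authority an unsigned 32-bit value."""
    if not SID_RE.match(sid):
        return False
    subauths = sid.split("-")[3:]
    if len(subauths) > MAX_SUBAUTHORITIES:
        return False
    return all(int(part) <= UINT32_MAX for part in subauths)


def parse_rid(value: str) -> int:
    """RIDs are unsigned 32-bit integers, as the option list says."""
    if not value.isdigit():
        raise ValueError(f"rid must be an unsigned integer, got {value!r}")
    rid = int(value)
    if rid > UINT32_MAX:
        raise ValueError(f"rid {rid} does not fit in 32 bits")
    return rid


def derive_sid(domain_sid: str, rid: int) -> str:
    """A domain group's SID is the domain SID with the RID appended."""
    if not is_valid_sid(domain_sid):
        raise ValueError(f"bad domain SID {domain_sid!r}")
    return f"{domain_sid}-{rid}"


def rid_of(sid: str) -> int:
    """The RID is the last sub-authority of a SID."""
    if not is_valid_sid(sid):
        raise ValueError(f"bad SID {sid!r}")
    return int(sid.rsplit("-", 1)[1])


def build_groupmap_add(unixgroup: str, *, rid: Optional[str] = None,
                       sid: Optional[str] = None, type_: str = "domain",
                       ntgroup: Optional[str] = None,
                       comment: Optional[str] = None) -> List[str]:
    """Return argv for `net groupmap add` (a list, for subprocess without a shell)."""
    if (rid is None) == (sid is None):
        raise ValueError("give exactly one of rid= or sid=")
    if type_ not in GROUP_TYPES:
        raise ValueError(f"type must be one of {GROUP_TYPES}, got {type_!r}")
    if not unixgroup:
        raise ValueError("unixgroup is required")
    argv = ["net", "groupmap", "add"]
    if rid is not None:
        argv.append(f"rid={parse_rid(rid)}")
    else:
        if not is_valid_sid(sid):
            raise ValueError(f"bad SID {sid!r}")
        argv.append(f"sid={sid}")
    argv.append(f"unixgroup={unixgroup}")
    argv.append(f"type={type_}")
    if ntgroup:
        argv.append(f"ntgroup={ntgroup}")
    if comment:
        argv.append(f"comment={comment}")
    return argv


if __name__ == "__main__":
    domain_sid = "S-1-5-21-1111-2222-3333"          # constructed sample value
    group_sid = derive_sid(domain_sid, 1105)
    print(build_groupmap_add("linuxadmins", sid=group_sid, ntgroup="Linux Admins"))
```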
735
736 MAXRID
737 Prints out the highest RID currently in use on the local server (by the
738 active 'passdb backend').
739
740 RPC INFO
741 Print information about the domain of the remote server, such as domain
742 name, domain sid and number of users and groups.
743
744 [RPC|ADS] TESTJOIN
745 Check whether participation in a domain is still valid.
746
747 [RPC|ADS] CHANGETRUSTPW
748 Force change of domain trust password.
749
750 RPC TRUSTDOM
751 RPC TRUSTDOM ADD DOMAIN
752 Add a interdomain trust account for DOMAIN. This is in fact a Samba
753 account named DOMAIN$ with the account flag 'I' (interdomain trust
754 account). This is required for incoming trusts to work. It makes Samba
755 be a trusted domain of the foreign (trusting) domain. Users of the
756 Samba domain will be made available in the foreign domain. If the
757 command is used against localhost it has the same effect as smbpasswd
758 -a -i DOMAIN. Please note that both commands expect a appropriate UNIX
759 account.
760
761 RPC TRUSTDOM DEL DOMAIN
762 Remove interdomain trust account for DOMAIN. If it is used against
763 localhost it has the same effect as smbpasswd -x DOMAIN$.
764
765 RPC TRUSTDOM ESTABLISH DOMAIN
766 Establish a trust relationship to a trusted domain. Interdomain account
767 must already be created on the remote PDC. This is required for
768 outgoing trusts to work. It makes Samba be a trusting domain of a
769 foreign (trusted) domain. Users of the foreign domain will be made
770 available in our domain. You'll need winbind and a working idmap config
771 to make them appear in your system.
772
773 RPC TRUSTDOM REVOKE DOMAIN
774 Abandon relationship to trusted domain
775
776 RPC TRUSTDOM LIST
777 List all interdomain trust relationships.
778
779 RPC TRUST
780 RPC TRUST CREATE
781 Create a trust object by calling lsaCreateTrustedDomainEx2. The can be
782 done on a single server or on two servers at once with the possibility
783 to use a random trust password.
784
785 Options:
786
787 otherserver
788 Domain controller of the second domain
789
790 otheruser
791 Admin user in the second domain
792
793 otherdomainsid
794 SID of the second domain
795
796 other_netbios_domain
797 NetBIOS (short) name of the second domain
798
799 otherdomain
800 DNS (full) name of the second domain
801
802 trustpw
803 Trust password
804
805 Examples:
806
807 Create a trust object on srv1.dom1.dom for the domain dom2
808
809 net rpc trust create \
810 otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
811 other_netbios_domain=dom2 \
812 otherdomain=dom2.dom \
813 trustpw=12345678 \
814 -S srv1.dom1.dom
815
816 Create a trust relationship between dom1 and dom2
817
818 net rpc trust create \
819 otherserver=srv2.dom2.test \
820 otheruser=dom2adm \
821 -S srv1.dom1.dom
822
823 RPC TRUST DELETE
824 Delete a trust object by calling lsaDeleteTrustedDomain. The can be
825 done on a single server or on two servers at once.
826
827 Options:
828
829 otherserver
830 Domain controller of the second domain
831
832 otheruser
833 Admin user in the second domain
834
835 otherdomainsid
836 SID of the second domain
837
838 Examples:
839
840 Delete a trust object on srv1.dom1.dom for the domain dom2
841
842 net rpc trust delete \
843 otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
844 -S srv1.dom1.dom
845
846 Delete a trust relationship between dom1 and dom2
847
848 net rpc trust delete \
849 otherserver=srv2.dom2.test \
850 otheruser=dom2adm \
851 -S srv1.dom1.dom
852
853
854 RPC RIGHTS
855 This subcommand is used to view and manage Samba's rights assignments
856 (also referred to as privileges). There are three options currently
857 available: list, grant, and revoke. More details on Samba's privilege
858 model and its use can be found in the Samba-HOWTO-Collection.
859
860 RPC ABORTSHUTDOWN
861 Abort the shutdown of a remote server.
862
863 RPC SHUTDOWN [-t timeout] [-r] [-f] [-C message]
864 Shut down the remote server.
865
866 -r
867 Reboot after shutdown.
868
869 -f
870 Force shutting down all applications.
871
872 -t timeout
873 Timeout before system will be shut down. An interactive user of the
874 system can use this time to cancel the shutdown.
875
876 -C message
877 Display the specified message on the screen to announce the
878 shutdown.
879
880 RPC SAMDUMP
881 Print out sam database of remote server. You need to run this against
882 the PDC, from a Samba machine joined as a BDC.
883
884 RPC VAMPIRE
885 Export users, aliases and groups from remote server to local server.
886 You need to run this against the PDC, from a Samba machine joined as a
887 BDC. This vampire command cannot be used against an Active Directory,
888 only against an NT4 Domain Controller.
889
890 RPC VAMPIRE KEYTAB
891 Dump remote SAM database to local Kerberos keytab file.
892
893 RPC VAMPIRE LDIF
894 Dump remote SAM database to local LDIF file or standard output.
895
896 RPC GETSID
897 Fetch domain SID and store it in the local secrets.tdb.
898
899 ADS GPO
900 ADS GPO APPLY <USERNAME|MACHINENAME>
901 Apply GPOs for a username or machine name. Either username or machine
902 name should be provided to the command, not both.
903
904 ADS GPO GETGPO [GPO]
905 List specified GPO.
906
907 ADS GPO LINKADD [LINKDN] [GPODN]
908 Link a container to a GPO. LINKDN Container to link to a GPO. GPODN
909 GPO to link container to. DNs must be provided properly escaped. See
910 RFC 4514 for details.
911
912 ADS GPO LINKGET [CONTAINER]
913 Lists gPLink of a containter.
914
915 ADS GPO LIST <USERNAME|MACHINENAME>
916 Lists all GPOs for a username or machine name. Either username or
917 machine name should be provided to the command, not both.
918
919 ADS GPO LISTALL
920 Lists all GPOs on a DC.
921
922 ADS GPO REFRESH [USERNAME] [MACHINENAME]
923 Lists all GPOs assigned to an account and download them. USERNAME User
924 to refresh GPOs for. MACHINENAME Machine to refresh GPOs for.
925
926 ADS DNS
927 ADS DNS REGISTER [HOSTNAME [IP [IP.....]]]
928 Add host dns entry to Active Directory.
929
930 ADS DNS UNREGISTER <HOSTNAME>
931 Remove host dns entry from Active Directory.
932
933 ADS LEAVE [--keep-account]
934 Make the remote host leave the domain it is part of.
935
936 ADS STATUS
937 Print out status of machine account of the local machine in ADS. Prints
938 out quite some debug info. Aimed at developers, regular users should
939 use NET ADS TESTJOIN.
940
941 ADS PRINTER
942 ADS PRINTER INFO [PRINTER] [SERVER]
943 Lookup info for PRINTER on SERVER. The printer name defaults to "*",
944 the server name defaults to the local host.
945
946 ADS PRINTER PUBLISH PRINTER
947 Publish specified printer using ADS.
948
949 ADS PRINTER REMOVE PRINTER
950 Remove specified printer from ADS directory.
951
952 ADS SEARCH EXPRESSION ATTRIBUTES...
953 Perform a raw LDAP search on an ADS server and dump the results. The
954 expression is a standard LDAP search expression, and the attributes are
955 a list of LDAP fields to show in the results.
956
957 Example: net ads search '(objectCategory=group)' sAMAccountName
958
959 ADS DN DN (attributes)
960 Perform a raw LDAP search on an ADS server and dump the results. The DN
961 is a standard LDAP DN, and the attributes are a list of LDAP fields to
962 show in the result.
963
964 Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain'
965 SAMAccountName
966
967 ADS KEYTAB CREATE
968 Creates a new keytab file with default entries if one doesn't exist.
969 Default entries are Kerberos principals created from the machine name
970 of the client, the UPN (if it exists) and any Windows SPN(s) associated
971 with the computer AD account for the client. If a keytab file already
972 exists then only the missing Kerberos principals from the default
973 entries are added. No changes are made to the computer AD account.
974
975 ADS KEYTAB ADD (principal | machine | serviceclass | windows SPN)
976 Adds a new keytab entry; the entry can be one of:
977
978 kerberos principal
979 A kerberos principal (identified by the presence of '@') is just
980 added to the keytab file.
981
982 machinename
983 A machinename (identified by the trailing '$') is used to create a
984 kerberos principal 'machinename@realm' which is added to the keytab
985 file.
986
987 serviceclass
988 A serviceclass (such as 'cifs', 'http' etc.) is used to create a
989 pair of kerberos principals
990 'serviceclass/fully_qualified_dns_name@realm' &
991 'serviceclass/netbios_name@realm' which are added to the keytab
992 file.
993
994 Windows SPN
995 A Windows SPN is of the format 'serviceclass/host:port', it is used
996 to create a kerberos principal 'serviceclass/host@realm' which will
997 be written to the keytab file.
998
999 Unlike old versions, no computer AD objects are modified by this
1000 command. To preserve the behaviour of older clients 'net ads keytab
1001 add_update_ads' is available.
1002
1003 ADS KEYTAB ADD_UPDATE_ADS (principal | machine | serviceclass | windows SPN)
1004 Adds a new keytab entry (see the section for net ads keytab add). In
1005 addition to adding entries to the keytab file, corresponding Windows
1006 SPNs are created from the entry passed to this command. These SPN(s)
1007 are added to the AD computer account object associated with the client
1008 machine running this command for the following entry types:
1009
1010 serviceclass
1011 A serviceclass (such as 'cifs', 'http' etc.) is used to create a
1012 pair of Windows SPN(s) 'serviceclass/fully_qualified_dns_name' &
1013 'serviceclass/netbios_name' which are added to the AD computer account
1014 object for this client.
1015
1016 Windows SPN
1017 A Windows SPN is of the format 'serviceclass/host:port', it is
1018 added as passed to the AD computer account object for this client.
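
The following Python is an added example and not Samba code: it
implements the entry classification and principal derivation that
net ads keytab add performs as described above, together with the SPN
derivation that net ads keytab add_update_ads additionally carries out.
The host names, realm and sample entries are constructed values.

```python
"""Predict what 'net ads keytab add' and 'add_update_ads' derive from an
entry.  Added example, not Samba's implementation: the four entry kinds and
the derivation rules follow the net(8) text; the Host values are made up."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    netbios_name: str   # constructed, e.g. "FILESRV"
    fqdn: str           # constructed, e.g. "filesrv.example.com"
    realm: str          # constructed, e.g. "EXAMPLE.COM"


def classify(entry: str) -> str:
    """Entry kind as net(8) identifies it: 'principal' (contains '@'),
    'machine' (trailing '$'), 'spn' (serviceclass/host[:port]) or
    'serviceclass' (a bare name such as 'cifs')."""
    if "@" in entry:
        return "principal"
    if entry.endswith("$"):
        return "machine"
    if "/" in entry:
        return "spn"
    return "serviceclass"


def keytab_principals(entry: str, host: Host) -> list[str]:
    """Kerberos principals that 'net ads keytab add' writes for entry."""
    kind = classify(entry)
    if kind == "principal":
        return [entry]                               # added as given
    if kind == "machine":
        return [f"{entry}@{host.realm}"]             # machinename$@REALM
    if kind == "serviceclass":
        return [f"{entry}/{host.fqdn}@{host.realm}",
                f"{entry}/{host.netbios_name}@{host.realm}"]
    # Windows SPN: 'serviceclass/host:port' -> 'serviceclass/host@REALM';
    # the port is not part of the Kerberos principal.
    service, target = entry.split("/", 1)
    hostname = target.rsplit(":", 1)[0]
    return [f"{service}/{hostname}@{host.realm}"]


def ad_spns(entry: str, host: Host) -> list[str]:
    """SPNs that 'net ads keytab add_update_ads' additionally writes to the
    computer object.  Principal and machine entries add none."""
    kind = classify(entry)
    if kind == "serviceclass":
        return [f"{entry}/{host.fqdn}", f"{entry}/{host.netbios_name}"]
    if kind == "spn":
        return [entry]                               # added exactly as passed
    return []


if __name__ == "__main__":
    host = Host("FILESRV", "filesrv.example.com", "EXAMPLE.COM")
    for entry in ("cifs", "FILESRV$", "http/filesrv.example.com:8080",
                  "host/filesrv.example.com@EXAMPLE.COM"):
        print(f"{entry:40} keytab={keytab_principals(entry, host)} "
              f"spn={ad_spns(entry, host)}")
```

Two operational points follow from the derivation: the keytab holds the
machine's long-term keys, so the file must stay readable by root only; and
because add_update_ads writes SPNs into the computer object, an SPN that
is already registered on another account in the domain will break
Kerberos authentication for both hosts, so check with net ads setspn list
before adding one.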
1019
1020 ADS SETSPN LIST [machine]
1021 Lists the Windows SPNs stored in the 'machine' Windows AD Computer
1022 object. If 'machine' is not specified then the computer account for
1023 this client is used instead.
1024
1025 ADS SETSPN ADD SPN [machine]
1026 Adds the specified Windows SPN to the 'machine' Windows AD Computer
1027 object. If 'machine' is not specified then the computer account for
1028 this client is used instead.
1029
1030 ADS SETSPN DELETE SPN [machine]
1031 Deletes the specified Windows SPN from the 'machine' Windows AD
1032 Computer object. If 'machine' is not specified then the computer
1033 account for this client is used instead.
1034
1035 ADS WORKGROUP
1036 Print out workgroup name for specified kerberos realm.
1037
1038 ADS ENCTYPES
1039 List, modify or delete the value of the "msDS-SupportedEncryptionTypes"
1040 attribute of an account in AD.
1041
1042 This attribute allows one to control which Kerberos encryption types
1043 are used for the generation of initial and service tickets. The value
1044 consists of an integer bitmask with the following values:
1045
1046 0x00000001 DES-CBC-CRC
1047
1048 0x00000002 DES-CBC-MD5
1049
1050 0x00000004 RC4-HMAC
1051
1052 0x00000008 AES128-CTS-HMAC-SHA1-96
1053
1054 0x00000010 AES256-CTS-HMAC-SHA1-96
1055
1056 ADS ENCTYPES LIST <ACCOUNTNAME>
1057 List the value of the "msDS-SupportedEncryptionTypes" attribute of a
1058 given account.
1059
1060 Example: net ads enctypes list Computername
1061
1062 ADS ENCTYPES SET <ACCOUNTNAME> [enctypes]
1063 Set the value of the "msDS-SupportedEncryptionTypes" attribute of the
1064 LDAP object of ACCOUNTNAME to a given value. If the value is omitted,
1065 the value is set to 31 (0x1f), which enables all five encryption types
1066 listed above, including the DES types and RC4-HMAC. For a hardened
1067 account, set only the AES bits, i.e. 24 (0x18), as in the example.
1067
1068 Example: net ads enctypes set Computername 24
1069
1070 ADS ENCTYPES DELETE <ACCOUNTNAME>
1071 Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP
1072 object of ACCOUNTNAME.
1073
1074 Example: net ads enctypes delete Computername
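
As an added example, not Samba code, the following Python decodes and
builds msDS-SupportedEncryptionTypes bitmasks from the five bit values
listed above, so that the output of net ads enctypes list can be reviewed
and the argument to net ads enctypes set constructed by name. Treating
the DES types and RC4-HMAC as weak is this example's own review rule; the
account names used in it are constructed.

```python
"""Decode and build msDS-SupportedEncryptionTypes values as handled by
'net ads enctypes list|set'.  Added example, not Samba code: the five bit
values are the ones listed in net(8); treating DES and RC4-HMAC as weak is
this example's own review rule."""

ENCTYPE_BITS = {
    0x00000001: "DES-CBC-CRC",
    0x00000002: "DES-CBC-MD5",
    0x00000004: "RC4-HMAC",
    0x00000008: "AES128-CTS-HMAC-SHA1-96",
    0x00000010: "AES256-CTS-HMAC-SHA1-96",
}
KNOWN_BITS = sum(ENCTYPE_BITS)   # 0x1f == 31, the 'enctypes set' default
WEAK_BITS = 0x00000007           # both DES types and RC4-HMAC
AES_BITS = 0x00000018            # 24, the value in the 'enctypes set' example


def decode(value: int) -> list[str]:
    """Names of the enabled types in bit order.  Bits outside the five
    documented ones are reported as hex rather than silently dropped."""
    names = [name for bit, name in ENCTYPE_BITS.items() if value & bit]
    unknown = value & ~KNOWN_BITS
    if unknown:
        names.append(f"unknown(0x{unknown:08x})")
    return names


def encode(*names: str) -> int:
    """Bitmask for the given type names, for use with 'net ads enctypes set'."""
    by_name = {name: bit for bit, name in ENCTYPE_BITS.items()}
    value = 0
    for name in names:
        if name not in by_name:
            raise ValueError(f"unknown encryption type {name!r}")
        value |= by_name[name]
    return value


def weak_types(value: int) -> list[str]:
    """Enabled types a hardening review should flag."""
    return decode(value & WEAK_BITS)


def audit(account: str, value: int) -> str:
    """One review line per account, e.g. for the output of 'enctypes list'."""
    weak = weak_types(value)
    if weak:
        verdict = "WEAK: " + ", ".join(weak)
    elif value & AES_BITS:
        verdict = "ok (AES only)"
    else:
        verdict = "no usable encryption type enabled"
    return f"{account}: {value} (0x{value:x}) -> {verdict}"


if __name__ == "__main__":
    # Constructed sample accounts: 31 is the 'set' default, 24 is AES only.
    for account, value in (("LEGACYSRV$", 31), ("FILESRV$", 24), ("svc_web", 4)):
        print(audit(account, value))
```

Unknown high bits are reported rather than ignored on purpose: a value
that looks AES-only after masking may still carry flags this page does
not document, and a review should see them.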
1075
1076 SAM CREATEBUILTINGROUP <NAME>
1077 (Re)Create a BUILTIN group. Only a wellknown set of BUILTIN groups can
1078 be created with this command. This is the list of currently recognized
1079 group names: Administrators, Users, Guests, Power Users, Account
1080 Operators, Server Operators, Print Operators, Backup Operators,
1081 Replicator, RAS Servers, Pre-Windows 2000 compatible Access. This
1082 command requires a running Winbindd with idmap allocation properly
1083 configured. The group gid will be allocated out of the winbindd range.
1084
1085 SAM CREATELOCALGROUP <NAME>
1086 Create a LOCAL group (also known as Alias). This command requires a
1087 running Winbindd with idmap allocation properly configured. The group
1088 gid will be allocated out of the winbindd range.
1089
1090 SAM DELETELOCALGROUP <NAME>
1091 Delete an existing LOCAL group (also known as Alias).
1092
1093 SAM MAPUNIXGROUP <NAME>
1094 Map an existing Unix group and make it a Domain Group, the domain group
1095 will have the same name.
1096
1097 SAM UNMAPUNIXGROUP <NAME>
1098 Remove an existing group mapping entry.
1099
1100 SAM ADDMEM <GROUP> <MEMBER>
1101 Add a member to a Local group. The group can be specified only by name,
1102 the member can be specified by name or SID.
1103
1104 SAM DELMEM <GROUP> <MEMBER>
1105 Remove a member from a Local group. The group and the member must be
1106 specified by name.
1107
1108 SAM LISTMEM <GROUP>
1109 List Local group members. The group must be specified by name.
1110
1111 SAM LIST <users|groups|localgroups|builtin|workstations> [verbose]
1112 List the specified set of accounts by name. If verbose is specified,
1113 the rid and description is also provided for each account.
1114
1115 SAM RIGHTS LIST
1116 List all available privileges.
1117
1118 SAM RIGHTS GRANT <NAME> <PRIVILEGE>
1119 Grant one or more privileges to a user.
1120
1121 SAM RIGHTS REVOKE <NAME> <PRIVILEGE>
1122 Revoke one or more privileges from a user.
1123
1124 SAM SHOW <NAME>
1125 Show the full DOMAIN\NAME, the SID and the type of the corresponding
1126 account.
1127
1128 SAM SET HOMEDIR <NAME> <DIRECTORY>
1129 Set the home directory for a user account.
1130
1131 SAM SET PROFILEPATH <NAME> <PATH>
1132 Set the profile path for a user account.
1133
1134 SAM SET COMMENT <NAME> <COMMENT>
1135 Set the comment for a user or group account.
1136
1137 SAM SET FULLNAME <NAME> <FULL NAME>
1138 Set the full name for a user account.
1139
1140 SAM SET LOGONSCRIPT <NAME> <SCRIPT>
1141 Set the logon script for a user account.
1142
1143 SAM SET HOMEDRIVE <NAME> <DRIVE>
1144 Set the home drive for a user account.
1145
1146 SAM SET WORKSTATIONS <NAME> <WORKSTATIONS>
1147 Set the workstations a user account is allowed to log in from.
1148
1149 SAM SET DISABLE <NAME>
1150 Set the "disabled" flag for a user account.
1151
1152 SAM SET PWNOTREQ <NAME>
1153 Set the "password not required" flag for a user account.
1154
1155 SAM SET AUTOLOCK <NAME>
1156 Set the "autolock" flag for a user account.
1157
1158 SAM SET PWNOEXP <NAME>
1159 Set the "password do not expire" flag for a user account.
1160
1161 SAM SET PWDMUSTCHANGENOW <NAME> [yes|no]
1162 Set or unset the "password must change" flag for a user account.
1163
1164 SAM POLICY LIST
1165 List the available account policies.
1166
1167 SAM POLICY SHOW <account policy>
1168 Show the account policy value.
1169
1170 SAM POLICY SET <account policy> <value>
1171 Set a value for the account policy. Valid values can be: "forever",
1172 "never", "off", or a number.
1173
1174 SAM PROVISION
1175 Only available if ldapsam:editposix is set and winbindd is running.
1176 Populates the ldap tree with the basic accounts (Administrator) and
1177 groups (Domain Users, Domain Admins, Domain Guests).
1179
1180 IDMAP DUMP <local tdb file name>
1181 Dumps the mappings contained in the local tdb file specified. This
1182 command is useful to dump only the mappings produced by the idmap_tdb
1183 backend.
1184
1185 IDMAP RESTORE [input file]
1186 Restore the mappings from the specified file or stdin.
1187
1188 IDMAP SET SECRET <DOMAIN> <secret>
1189 Store a secret for the specified domain, used primarily for domains
1190 that use idmap_ldap as a backend. In this case the secret is used as
1191 the password for the user DN used to bind to the ldap server.
1192
1193 IDMAP SET RANGE <RANGE> <SID> [index] [--db=<DB>]
1194 Store a domain-range mapping for a given domain (and index) in autorid
1195 database.
1196
1197 IDMAP SET CONFIG <config> [--db=<DB>]
1198 Update CONFIG entry in autorid database.
1199
1200 IDMAP GET RANGE <SID> [index] [--db=<DB>]
1201 Get the range for a given domain and index from autorid database.
1202
1203 IDMAP GET RANGES [<SID>] [--db=<DB>]
1204 Get ranges for all domains or for one identified by given SID.
1205
1206 IDMAP GET CONFIG [--db=<DB>]
1207 Get CONFIG entry from autorid database.
1208
1209 IDMAP DELETE MAPPING [-f] [--db=<DB>] <ID>
1210 Delete a mapping sid <-> gid or sid <-> uid from the IDMAP database.
1211 The mapping is given by <ID> which may either be a sid: S-x-..., a gid:
1212 "GID number" or a uid: "UID number". Use -f to delete an invalid
1213 partial mapping <ID> -> xx
1214
1215 Use "smbcontrol all idmap ..." to notify running smbd instances. See
1216 the smbcontrol(1) manpage for details.
1217
1218 IDMAP DELETE RANGE [-f] [--db=<TDB>] <RANGE>|(<SID> [<INDEX>])
1219 Delete a domain range mapping identified by 'RANGE' or "domain SID and
1220 INDEX" from autorid database. Use -f to delete invalid mappings.
1221
1222 IDMAP DELETE RANGES [-f] [--db=<TDB>] <SID>
1223 Delete all domain range mappings for a domain identified by SID. Use -f
1224 to delete invalid mappings.
1225
1226 IDMAP CHECK [-v] [-r] [-a] [-T] [-f] [-l] [--db=<DB>]
1227 Check and repair the IDMAP database. If no option is given a read only
1228 check of the database is done. Among others an interactive or automatic
1229 repair mode may be chosen with one of the following options:
1230
1231 -r|--repair
1232 Interactive repair mode, ask a lot of questions.
1233
1234 -a|--auto
1235 Noninteractive repair mode, use default answers.
1236
1237 -v|--verbose
1238 Produce more output.
1239
1240 -f|--force
1241 Try to apply changes, even if they do not apply cleanly.
1242
1243 -T|--test
1244 Dry run, show what changes would be made but don't touch anything.
1245
1246 -l|--lock
1247 Lock the database while doing the check.
1248
1249 --db <DB>
1250 Check the specified database.
1251
1252 It reports the following kinds of errors:
1253
1254 Missing reverse mapping:
1255 A record with mapping A->B where there is no B->A. Default action
1256 in repair mode is to "fix" this by adding the reverse mapping.
1257
1258 Invalid mapping:
1259 A record with mapping A->B where B->C. Default action is to
1260 "delete" this record.
1261
1262 Missing or invalid HWM:
1263 A high water mark is not at least equal to the largest ID in the
1264 database. Default action is to "fix" this by setting it to the
1265 largest ID found +1.
1266
1267 Invalid record:
1268 Something we failed to parse. Default action is to "edit" it in
1269 interactive and "delete" it in automatic mode.
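
The following Python is an added example, not Samba's checker: it runs
the consistency checks described above (missing reverse mapping, invalid
mapping, missing or invalid high water mark, unparsable record) over a
mapping set modelled as a dict of record key to value in idmap_tdb style
('UID 1000' <-> 'S-1-5-...', plus 'USER HWM' and 'GROUP HWM' records).
Every record in it is constructed, with one deliberate instance of each
error, and the record-key names are this example's assumption about the
database layout.

```python
"""Consistency check over an idmap mapping set, reporting the error classes
that 'net idmap check' describes.  Added example, not Samba's checker: the
database is modelled as a dict of record key -> value in idmap_tdb style,
with 'USER HWM'/'GROUP HWM' as the high water mark records (an assumption
about the layout), and every record below is constructed."""

SID_PREFIX = "S-1-"
HWM_KEYS = {"UID": "USER HWM", "GID": "GROUP HWM"}

# Constructed database with one deliberate instance of each error.
DB = {
    "UID 1000": "S-1-5-21-1-2-3-1001",
    "S-1-5-21-1-2-3-1001": "UID 1000",
    "GID 1000": "S-1-5-21-1-2-3-513",
    "S-1-5-21-1-2-3-513": "GID 1000",
    "UID 1001": "S-1-5-21-1-2-3-1002",          # no S-...-1002 -> UID 1001
    "UID 1002": "S-1-5-21-1-2-3-1003",
    "S-1-5-21-1-2-3-1003": "UID 1003",          # A->B but B->C
    "UID 1004": "bogus",                        # unparsable value
    "USER HWM": "1002",                         # below the largest UID seen
    "GROUP HWM": "1001",
}


def is_unix_id(s: str) -> bool:
    kind, _, num = s.partition(" ")
    return kind in HWM_KEYS and num.isdigit()


def is_sid(s: str) -> bool:
    return s.startswith(SID_PREFIX) and s[len(SID_PREFIX):].replace("-", "").isdigit()


def check(db: dict[str, str]) -> list[str]:
    """Return one finding per error; an empty list means the set is consistent."""
    findings = []
    for key, val in db.items():
        if key in HWM_KEYS.values():
            continue
        if not ((is_unix_id(key) and is_sid(val)) or (is_sid(key) and is_unix_id(val))):
            findings.append(f"invalid record: {key!r} -> {val!r}")
            continue
        back = db.get(val)
        if back is None:
            findings.append(f"missing reverse mapping: {key} -> {val}, no {val} -> {key}")
        elif back != key:
            findings.append(f"invalid mapping: {key} -> {val} but {val} -> {back}")
    # The HWM must be at least the largest ID anywhere in the database,
    # whether that ID appears as a record key or only as a value.
    for kind, hwm_key in HWM_KEYS.items():
        seen = [int(t.split()[1]) for t in [*db, *db.values()]
                if t.startswith(kind + " ") and is_unix_id(t)]
        largest = max(seen, default=0)
        hwm = db.get(hwm_key)
        if hwm is None or not hwm.isdigit() or int(hwm) < largest:
            findings.append(f"missing or invalid {hwm_key}: {hwm!r}, "
                            f"largest {kind} is {largest} (fix: {largest + 1})")
    return findings


if __name__ == "__main__":
    for line in check(DB):
        print(line)
```

The "invalid mapping" case (A->B while B->C) is the one that matters most
for authorization: two Unix IDs that resolve to the same SID, or the
reverse, silently give one account another's file access, which is why
the documented default action is to delete the record rather than keep
either direction.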
1270
1271 USERSHARE
1272 Starting with version 3.0.23, a Samba server now supports the ability
1273 for non-root users to add user defined shares to be exported using the
1274 "net usershare" commands.
1275
1276 To set this up, first add "usershare path = /usr/local/samba/lib/usershares"
1277 to the [global] section of smb.conf. Next create the directory
1278 /usr/local/samba/lib/usershares, change the owner to root and set the
1279 group owner to the UNIX group who should have the ability to create
1280 usershares, for example a group called "serverops". Set the permissions
1281 on /usr/local/samba/lib/usershares to 01770 (owner and group all access,
1282 no access for others, plus the sticky bit, which means that a file in
1283 that directory can be renamed or deleted only by the owner of the file).
1284 Finally, tell smbd how many usershares you will allow by adding a line
1285 such as "usershare max shares = 100" to the [global] section of smb.conf,
1286 which allows 100 usershare definitions. Now, members of the UNIX group
1287 "serverops" can create user defined shares on demand using the commands
1288 below.
1289
1290 The usershare commands are:
1291 net usershare add sharename path [comment [acl] [guest_ok=[y|n]]] -
1292 to add or change a user defined share.
1293 net usershare delete sharename - to delete a user defined share.
1294 net usershare info [-l|--long] [wildcard sharename] - to print info
1295 about a user defined share.
1296 net usershare list [-l|--long] [wildcard sharename] - to list user
1297 defined shares.
1298
1299 USERSHARE ADD sharename path [comment] [acl] [guest_ok=[y|n]]
1300 Add or replace a new user defined share, with name "sharename".
1301
1302 "path" specifies the absolute pathname on the system to be exported.
1303 Restrictions may be put on this, see the global smb.conf parameters:
1304 "usershare owner only", "usershare prefix allow list", and "usershare
1305 prefix deny list".
1306
1307 The optional "comment" parameter is the comment that will appear on the
1308 share when browsed to by a client.
1309
1310 The optional "acl" field specifies which users have read and write
1311 access to the entire share. Note that guest connections are not allowed
1312 unless the smb.conf parameter "usershare allow guests" has been set.
1313 The definition of a user defined share acl is: "user:permission", where
1314 user is a valid username on the system and permission can be "F", "R",
1315 or "D". "F" stands for "full permissions", ie. read and write
1316 permissions. "D" stands for "deny" for a user, ie. prevent this user
1317 from accessing this share. "R" stands for "read only", ie. only allow
1318 read access to this share (no creation of new files or directories or
1319 writing to files).
1320
1321 The default if no "acl" is given is "Everyone:R", which means any
1322 authenticated user has read-only access.
1323
1324 The optional "guest_ok" has the same effect as the parameter of the
1325 same name in smb.conf, in that it allows guest access to this user
1326 defined share. This parameter is only allowed if the global parameter
1327 "usershare allow guests" has been set to true in the smb.conf.
1328
1329
1330 There is no separate command to modify an existing user defined share,
1331 just use the "net usershare add [sharename]" command using the same
1332 sharename as the one you wish to modify and specify the new options you
1333 wish. The Samba smbd daemon notices user defined share modifications at
1334 connect time so will see the change immediately, there is no need to
1335 restart smbd on adding, deleting or changing a user defined share.
1336
1337 USERSHARE DELETE sharename
1338 Deletes the user defined share by name. The Samba smbd daemon
1339 immediately notices this change, although it will not disconnect any
1340 users currently connected to the deleted share.
1341
1342 USERSHARE INFO [-l|--long] [wildcard sharename]
1343 Get info on user defined shares owned by the current user matching the
1344 given pattern, or all users.
1345
1346 net usershare info on its own dumps out info on the user defined shares
1347 that were created by the current user, or restricts them to share names
1348 that match the given wildcard pattern ('*' matches one or more
1349 characters, '?' matches only one character). If the '-l' or '--long'
1350 option is also given, it prints out info on user defined shares created
1351 by other users.
1352
1353 The information given about a share looks like:
1354
1355     [foobar]
1356     path=/home/jeremy
1357     comment=testme
1358     usershare_acl=Everyone:F
1359     guest_ok=n
1360
1361 and is a list of the current settings of the user defined share that
1362 can be modified by the "net usershare add" command.
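
The following Python is an added example, not Samba code: it parses the
net usershare info output format shown above and reviews each share for
the settings that matter most in the usershare model, a world-writable
ACL, guest access, and a path outside an allowed prefix. The sample
output is constructed, and the three review rules are this example's own,
modelled on the smb.conf controls "usershare allow guests" and "usershare
prefix allow list" rather than on smbd's enforcement.

```python
"""Parse the output format of 'net usershare info' and review each share.
Added example, not Samba code: the sample output is constructed, and the
three review rules (world-writable ACL, guest access, path outside an
allowed prefix) are this example's own."""

import re
from dataclasses import dataclass, field

# Constructed sample in the format net(8) shows for 'net usershare info'.
SAMPLE_INFO = """\
[foobar]
path=/home/jeremy
comment=testme
usershare_acl=Everyone:F
guest_ok=n

[scratch]
path=/tmp/scratch
comment=
usershare_acl=Everyone:R,alice:F,mallory:D,
guest_ok=y
"""

PERMS = {"F": "full", "R": "read only", "D": "deny"}


@dataclass
class UserShare:
    name: str
    path: str = ""
    comment: str = ""
    acl: dict[str, str] = field(default_factory=dict)   # user -> F/R/D
    guest_ok: bool = False


def parse_acl(text: str) -> dict[str, str]:
    """'user:F,user2:R' -> {'user': 'F', 'user2': 'R'}.  A trailing comma is
    tolerated; an unknown permission letter is an error, not a default."""
    acl = {}
    for item in filter(None, text.split(",")):
        user, _, perm = item.rpartition(":")
        if not user or perm not in PERMS:
            raise ValueError(f"bad acl entry {item!r}")
        acl[user] = perm
    return acl


def parse_info(text: str) -> list[UserShare]:
    shares: list[UserShare] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            shares.append(UserShare(name=m.group(1)))
            continue
        if not shares or "=" not in line:
            raise ValueError(f"unexpected line {line!r}")
        key, value = line.split("=", 1)
        share = shares[-1]
        if key == "path":
            share.path = value
        elif key == "comment":
            share.comment = value
        elif key == "usershare_acl":
            share.acl = parse_acl(value)
        elif key == "guest_ok":
            share.guest_ok = value.lower() == "y"
        else:
            raise ValueError(f"unknown setting {key!r}")
    return shares


def under_prefix(path: str, prefix: str) -> bool:
    """True if path is prefix itself or lies below it ('/home' != '/homework')."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def review(share: UserShare, allowed_prefixes: tuple[str, ...]) -> list[str]:
    """Findings for one share; an empty list means nothing was flagged."""
    findings = []
    if share.acl.get("Everyone") == "F":
        findings.append("Everyone:F grants write access to every authenticated user")
    if share.guest_ok:
        findings.append("guest_ok=y allows unauthenticated access")
    if not any(under_prefix(share.path, p) for p in allowed_prefixes):
        findings.append(f"path {share.path} is outside the allowed prefixes")
    return findings


if __name__ == "__main__":
    for share in parse_info(SAMPLE_INFO):
        for finding in review(share, ("/home",)) or ["no findings"]:
            print(f"[{share.name}] {finding}")
```

The prefix test deliberately compares whole path components, since a
plain string prefix match would accept /homework under an allow list of
/home; a real deployment should express the same restriction in smb.conf
with "usershare prefix allow list" so that smbd enforces it, rather than
relying on a review script alone.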
1357
1358 USERSHARE LIST [-l|--long] [wildcard sharename]
1359 List all the user defined shares owned by the current user matching the
1360 given pattern, or all users.
1361
1362 net usershare list on its own lists the names of the user defined
1363 shares that were created by the current user, or restricts the list to
1364 share names that match the given wildcard pattern ('*' matches one or
1365 more characters, '?' matches only one character). If the '-l' or
1366 '--long' option is also given, it includes the names of user defined
1367 shares created by other users.
1368
1369 [RPC] CONF
1370 Starting with version 3.2.0, a Samba server can be configured by data
1371 stored in registry. This configuration data can be edited with the new
1372 "net conf" commands. There is also the possibility to configure a
1373 remote Samba server by enabling the RPC conf mode and specifying the
1374 address of the remote server.
1375
1376 The deployment of this configuration data can be activated in two
1377 levels from the smb.conf file: Share definitions from registry are
1378 activated by setting registry shares to “yes” in the [global] section
1379 and global configuration options are activated by setting include =
1380 registry in the [global] section for a mixed configuration or by
1381 setting config backend = registry in the [global] section for a
1382 registry-only configuration. See the smb.conf(5) manpage for details.
1383
1384 The conf commands are:
1385 net [rpc] conf list - Dump the complete configuration in smb.conf
1386 like format.
1387 net [rpc] conf import - Import configuration from file in smb.conf
1388 format.
1389 net [rpc] conf listshares - List the registry shares.
1390 net [rpc] conf drop - Delete the complete configuration from
1391 registry.
1392 net [rpc] conf showshare - Show the definition of a registry share.
1393 net [rpc] conf addshare - Create a new registry share.
1394 net [rpc] conf delshare - Delete a registry share.
1395 net [rpc] conf setparm - Store a parameter.
1396 net [rpc] conf getparm - Retrieve the value of a parameter.
1397 net [rpc] conf delparm - Delete a parameter.
1398 net [rpc] conf getincludes - Show the includes of a share
1399 definition.
1400 net [rpc] conf setincludes - Set includes for a share.
1401 net [rpc] conf delincludes - Delete includes from a share
1402 definition.
1403
1404 [RPC] CONF LIST
1405 Print the configuration data stored in the registry in a smb.conf-like
1406 format to standard output.
1407
1408 [RPC] CONF IMPORT [--test|-T] filename [section]
1409 This command imports configuration from a file in smb.conf format. If a
1410 section encountered in the input file is present in registry, its
1411 contents is replaced. Sections of registry configuration that have no
1412 counterpart in the input file are not affected. If you want to delete
1413 these, you will have to use the "net conf drop" or "net conf delshare"
1414 commands. Optionally, a section may be specified to restrict the effect
1415 of the import command to that specific section. A test mode is enabled
1416 by specifying the parameter "-T" on the commandline. In test mode, no
1417 changes are made to the registry, and the resulting configuration is
1418 printed to standard output instead.
1419
1420 [RPC] CONF LISTSHARES
1421 List the names of the shares defined in registry.
1422
1423 [RPC] CONF DROP
1424 Delete the complete configuration data from registry.
1425
1426 [RPC] CONF SHOWSHARE sharename
1427 Show the definition of the share or section specified. It is valid to
1428 specify "global" as sharename to retrieve the global configuration
1429 options from registry.
1430
1431 [RPC] CONF ADDSHARE sharename path [writeable={y|N} [guest_ok={y|N}
1432 [comment]]]
1433 Create a new share definition in registry. The sharename and path have
1434 to be given. The share name may not be "global". Optionally, values for
1435 the very common options "writeable", "guest ok" and a "comment" may be
1436 specified. The same result may be obtained by a sequence of "net conf
1437 setparm" commands.
1438
1439 [RPC] CONF DELSHARE sharename
1440 Delete a share definition from registry.
1441
1442 [RPC] CONF SETPARM section parameter value
1443 Store a parameter in registry. The section may be global or a
1444 sharename. The section is created if it does not exist yet.
1445
1446 [RPC] CONF GETPARM section parameter
1447 Show a parameter stored in registry.
1448
1449 [RPC] CONF DELPARM section parameter
1450 Delete a parameter stored in registry.
1451
1452 [RPC] CONF GETINCLUDES section
1453 Get the list of includes for the provided section (global or share).
1454
1455 Note that due to the nature of the registry database and the nature of
1456 include directives, the includes need special treatment: Parameters are
1457 stored in registry by the parameter name as valuename, so there is only
1458 ever one instance of a parameter per share. Also, a specific order like
1459 in a text file is not guaranteed. For all real parameters, this is
1460 perfectly ok, but the include directive is rather a meta parameter, for
1461 which, in the smb.conf text file, the place where it is specified
1462 between the other parameters is very important. This can not be
1463 achieved by the simple registry smbconf data model, so there is one
1464 ordered list of includes per share, and this list is evaluated after
1465 all the parameters of the share.
1466
1467 Further note that currently, only files can be included from registry
1468 configuration. In the future, there will be the ability to include
1469 configuration data from other registry keys.
1470
1471 [RPC] CONF SETINCLUDES section [filename]+
1472 Set the list of includes for the provided section (global or share) to
1473 the given list of one or more filenames. The filenames may contain the
1474 usual smb.conf macros like %I.
1475
1476 [RPC] CONF DELINCLUDES section
1477 Delete the list of includes from the provided section (global or
1478 share).
1479
1480 REGISTRY
1481 Manipulate Samba's registry.
1482
1483 The registry commands are:
1484 net registry enumerate - Enumerate registry keys and values.
1485 net registry enumerate_recursive - Enumerate registry key and its
1486 subkeys.
1487 net registry createkey - Create a new registry key.
1488 net registry deletekey - Delete a registry key.
1489 net registry deletekey_recursive - Delete a registry key with
1490 subkeys.
1491 net registry getvalue - Print a registry value.
1492 net registry getvalueraw - Print a registry value (raw format).
1493 net registry setvalue - Set a new registry value.
1494 net registry increment - Increment a DWORD registry value under a
1495 lock.
1496 net registry deletevalue - Delete a registry value.
1497 net registry getsd - Get security descriptor.
1498 net registry getsd_sddl - Get security descriptor in sddl format.
1499 net registry setsd_sddl - Set security descriptor from sddl format
1500 string.
1501 net registry import - Import a registration entries (.reg)
1502 file.
1503 net registry export - Export a registration entries (.reg)
1504 file.
1505 net registry convert - Convert a registration entries (.reg)
1506 file.
1507 net registry check - Check and repair a registry database.
1508
1509 REGISTRY ENUMERATE key
1510 Enumerate subkeys and values of key.
1511
1512 REGISTRY ENUMERATE_RECURSIVE key
1513 Enumerate values of key and its subkeys.
1514
1515 REGISTRY CREATEKEY key
1516 Create a new key if not yet existing.
1517
1518 REGISTRY DELETEKEY key
1519 Delete the given key and its values from the registry, if it has no
1520 subkeys.
1521
1522 REGISTRY DELETEKEY_RECURSIVE key
1523 Delete the given key and all of its subkeys and values from the
1524 registry.
1525
1526 REGISTRY GETVALUE key name
1527 Output type and actual value of the value name of the given key.
1528
1529 REGISTRY GETVALUERAW key name
1530 Output the actual value of the value name of the given key.
1531
1532 REGISTRY SETVALUE key name type value ...
1533 Set the value name of an existing key. type may be one of sz, multi_sz
1534 or dword. In case of multi_sz value may be given multiple times.
1535
1536 REGISTRY INCREMENT key name [inc]
1537 Increment the DWORD value name of key by inc while holding a g_lock.
1538 inc defaults to 1.
1539
1540 REGISTRY DELETEVALUE key name
1541 Delete the value name of the given key.
1542
1543 REGISTRY GETSD key
1544 Get the security descriptor of the given key.
1545
1546 REGISTRY GETSD_SDDL key
1547 Get the security descriptor of the given key as a Security Descriptor
1548 Definition Language (SDDL) string.
1549
1550 REGISTRY SETSD_SDDL key sd
1551 Set the security descriptor of the given key from a Security Descriptor
1552 Definition Language (SDDL) string sd.
1553
1554 REGISTRY IMPORT file [--precheck <check-file>] [opt]
1555 Import a registration entries (.reg) file.
1556
1557 The following options are available:
1558
1559 --precheck check-file
1560 This is a mechanism to check the existence or non-existence of
1561 certain keys or values specified in a precheck file before applying
1562 the import file. The import file will only be applied if the
1563 precheck succeeds.
1564
1565 The check-file follows the normal registry file syntax with the
1566 following semantics:
1567
1568 • <value name>=<value> checks whether the value exists and
1569 has the given value.
1570
1571 • <value name>=- checks whether the value does not exist.
1572
1573 • [key] checks whether the key exists.
1574
1575 • [-key] checks whether the key does not exist.
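
The following Python is an added example, not Samba's implementation: it
evaluates a precheck file with the four check forms listed above against
a registry snapshot, returning the failures that would stop the import.
The registry is modelled as a dict of key path to {value name: value},
names are compared case-sensitively here, only quoted strings and
dword:<hex> values are understood, and both the snapshot and the
check-file are constructed.

```python
"""Evaluate a 'net registry import --precheck' check-file against a registry
snapshot, implementing the four check forms net(8) documents.  Added
example, not Samba's implementation: the registry is modelled as a dict of
key path -> {value name -> value}, names are compared case-sensitively,
only quoted strings and dword:<hex> values are understood, and both the
snapshot and the check-file are constructed."""

import re

# Constructed registry snapshot.
REGISTRY = {
    "HKLM\\Software\\Samba\\smbconf\\global": {"server role": "member server"},
    "HKLM\\Software\\Samba\\smbconf\\public": {"guest ok": "no"},
}

# Constructed check-file: apply the import only if [global] exists, [public]
# has 'guest ok' = 'no' and no 'read only' value, and no 'legacy' share exists.
CHECK_FILE = """\
[HKLM\\Software\\Samba\\smbconf\\global]

[HKLM\\Software\\Samba\\smbconf\\public]
"guest ok"="no"
"read only"=-

[-HKLM\\Software\\Samba\\smbconf\\legacy]
"""


def parse_value(raw: str):
    """'"text"' -> str, 'dword:<hex>' -> int, '-' -> None (absence check)."""
    if raw == "-":
        return None
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    m = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", raw)
    if m:
        return int(m.group(1), 16)
    raise ValueError(f"unsupported value syntax {raw!r}")


def precheck(check_text: str, registry: dict) -> list[str]:
    """Failure messages; an empty list means the import may be applied."""
    failures = []
    current = None                      # key the following value lines belong to
    for lineno, line in enumerate(check_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):     # [-key]: key must not exist
                key = key[1:]
                if key in registry:
                    failures.append(f"line {lineno}: key {key} exists")
                current = None
            else:                       # [key]: key must exist
                if key not in registry:
                    failures.append(f"line {lineno}: key {key} missing")
                current = key
            continue
        if current is None:
            failures.append(f"line {lineno}: value line outside a key")
            continue
        name, _, raw = line.partition("=")
        name = name.strip('"')
        expected = parse_value(raw)
        values = registry.get(current, {})
        if expected is None:            # name=-: value must not exist
            if name in values:
                failures.append(f"line {lineno}: value {name!r} exists in {current}")
        elif values.get(name) != expected:   # name=value: must exist and match
            failures.append(f"line {lineno}: {current}\\{name} is "
                            f"{values.get(name)!r}, expected {expected!r}")
    return failures


if __name__ == "__main__":
    print("precheck failures:", precheck(CHECK_FILE, REGISTRY) or "none")
```

A precheck is the right place to guard a registry import against racing
with another administrator or a configuration-management run: asserting
that a share does not yet exist before creating it, or that "guest ok"
still reads as expected before changing neighbouring parameters, keeps
the import from silently overwriting a state it was not written for.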
1576
1577
1578 REGISTRY EXPORT key file [opt]
1579 Export a key to a registration entries (.reg) file.
1580
1581 REGISTRY CONVERT in out [[inopt] outopt]
1582 Convert the registration entries (.reg) file in, writing the result to
1583 out.
1583
1584 REGISTRY CHECK [-ravTl] [-o <ODB>] [--wipe] [<DB>]
1585 Check and repair the registry database. If no option is given a read
1586 only check of the database is done. Among others an interactive or
1587 automatic repair mode may be chosen with one of the following options:
1588
1589 -r|--repair
1590 Interactive repair mode, ask a lot of questions.
1591
1592 -a|--auto
1593 Noninteractive repair mode, use default answers.
1594
1595 -v|--verbose
1596 Produce more output.
1597
1598 -T|--test
1599 Dry run, show what changes would be made but don't touch anything.
1600
1601 -l|--lock
1602 Lock the database while doing the check.
1603
1604 --reg-version={1,2,3}
1605 Specify the format of the registry database. If not given it
1606 defaults to the value of the binary or, if a registry.tdb is
1607 explicitly stated at the commandline, to the value found in the
1608 INFO/version record.
1609
1610 [--db] <DB>
1611 Check the specified database.
1612
1613 -o|--output <ODB>
1614 Create a new registry database <ODB> instead of modifying the
1615 input. If <ODB> is already existing --wipe may be used to overwrite
1616 it.
1617
1618 --wipe
1619 Replace the registry database instead of modifying the input or
1620 overwrite an existing output database.
1621
1622 EVENTLOG
1623 Starting with version 3.4.0 net can read, dump, import and export
1624 native win32 eventlog files (usually *.evt). evt files are used by the
1625 native Windows eventviewer tools.
1626
1627 The import and export of evt files can only succeed when "eventlog
1628 list" is set in the smb.conf file. See the smb.conf(5) manpage for
1629 details.
1629
1630 The eventlog commands are:
1631 net eventlog dump - Dump an eventlog *.evt file on the screen.
1632 net eventlog import - Import an eventlog *.evt file into the samba
1633 internal tdb based representation of eventlogs.
1634 net eventlog export - Export the samba internal tdb based
1635 representation of eventlogs into an eventlog *.evt file.
1636
1637 EVENTLOG DUMP filename
1638 Prints an eventlog *.evt file to standard output.
1639
1640 EVENTLOG IMPORT filename eventlog
1641 Imports an eventlog *.evt file given by filename into the samba
1642 internal tdb representation of the eventlog named by eventlog. eventlog
1643 needs to be part of the "eventlog list" defined in smb.conf. See the
1644 smb.conf(5) manpage for details.
1645
1646 EVENTLOG EXPORT filename eventlog
1647 Exports the samba internal tdb representation of the eventlog named by
1648 eventlog to an eventlog *.evt file given by filename. eventlog needs to
1649 be part of the "eventlog list" defined in smb.conf. See the smb.conf(5)
1650 manpage for details.
1651
1652 DOM
1653 Starting with version 3.2.0 Samba has support for remote join and
1654 unjoin APIs, both client and server-side. Windows supports remote join
1655 capabilities since Windows 2000.
1656
1657 In order for Samba to be joined or unjoined remotely an account must be
1658 used that is either a member of the Domain Admins group, a member of
1659 the local Administrators group or a user that is granted the
1660 SeMachineAccountPrivilege privilege. Note that the password= parameter
1661 and a %PASSWORD appended to -U are visible in the process list and in
1662 the shell history of the machine running net; for the connecting
1663 credentials, -A|--authentication-file avoids putting the password on
1664 the command line.
1661
The client-side support for remote join is implemented in the net dom
commands, which are:
net dom join - Join a remote computer into a domain.
net dom unjoin - Unjoin a remote computer from a domain.
net dom renamecomputer - Rename a remote computer that is joined to a
domain.

DOM JOIN domain=DOMAIN ou=OU account=ACCOUNT password=PASSWORD reboot
Joins a computer into a domain. This command supports the following
additional parameters:

• DOMAIN can be a NetBIOS domain name (also known as the short
domain name) or a DNS domain name for Active Directory
domains. As in Windows, it is also possible to control which
domain controller to use, by appending the DC name with the \
separator character, for example MYDOM\MYDC. The DOMAIN
parameter is required and cannot be empty.

• OU can be set to an LDAP DN in RFC 1779 syntax, like
ou=mymachines,cn=Users,dc=example,dc=com, in order to create
the machine account in a non-default LDAP container. This
optional parameter is only supported when joining Active
Directory domains.

• ACCOUNT defines a domain account that will be used to join
the machine to the domain. This domain account needs to have
sufficient privileges to join machines; an account delegated
only that right is preferable to a domain administrator.

• PASSWORD defines the password for the domain account defined
with ACCOUNT.

• REBOOT is an optional parameter that can be set to reboot
the remote machine after a successful join to the domain.


Note that you also need to use the standard net parameters to connect
and authenticate to the remote machine that you want to join. These
additional parameters include -S computer and -U user.

Example: net dom join -S xp -U XP\\administrator%secret domain=MYDOM
account=MYDOM\\administrator password=topsecret reboot

This example would connect to a computer named XP as the local
administrator using password secret, and join the computer into a
domain called MYDOM using the MYDOM domain administrator account and
password topsecret. After a successful join, the computer would reboot.

Both passwords in this example are passed on the command line, so they
are visible to other users on the local host through the process list
and are recorded in the shell history. For the connection credential,
prefer -A FILE with an authentication file that is readable only by
you over -U user%password. The domain join account is given with
account= and password= as shown, which is a further reason to use a
least-privilege join account rather than a domain administrator.

DOM UNJOIN account=ACCOUNT password=PASSWORD reboot
Unjoins a computer from a domain. This command supports the following
additional parameters:

• ACCOUNT defines a domain account that will be used to unjoin
the machine from the domain. This domain account needs to
have sufficient privileges to unjoin machines.

• PASSWORD defines the password for the domain account defined
with ACCOUNT.

• REBOOT is an optional parameter that can be set to reboot
the remote machine after a successful unjoin from the domain.


Note that you also need to use the standard net parameters to connect
and authenticate to the remote machine that you want to unjoin. These
additional parameters include -S computer and -U user.

Example: net dom unjoin -S xp -U XP\\administrator%secret
account=MYDOM\\administrator password=topsecret reboot

This example would connect to a computer named XP as the local
administrator using password secret, and unjoin the computer from the
domain using the MYDOM domain administrator account and password
topsecret. After a successful unjoin, the computer would reboot.

DOM RENAMECOMPUTER newname=NEWNAME account=ACCOUNT password=PASSWORD reboot
Renames a computer that is joined to a domain. This command supports
the following additional parameters:

• NEWNAME defines the new name of the machine in the domain.

• ACCOUNT defines a domain account that will be used to rename
the machine in the domain. This domain account needs to have
sufficient privileges to rename machines.

• PASSWORD defines the password for the domain account defined
with ACCOUNT.

• REBOOT is an optional parameter that can be set to reboot
the remote machine after a successful rename in the domain.


Note that you also need to use the standard net parameters to connect
and authenticate to the remote machine that you want to rename in the
domain. These additional parameters include -S computer and -U user.

Example: net dom renamecomputer -S xp -U XP\\administrator%secret
newname=XPNEW account=MYDOM\\administrator password=topsecret reboot

This example would connect to a computer named XP as the local
administrator using password secret, and rename the joined computer to
XPNEW using the MYDOM domain administrator account and password
topsecret. After a successful rename, the computer would reboot.

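The remote join procedure above, as an added example that is not part of the net(8) man page or of the Samba project: a POSIX sh wrapper that keeps the credential for the remote machine out of the process list by writing it to a mode 0600 authentication file and passing that with -A instead of -U user%password, then builds the net dom join invocation. The authentication-file format (username =, password =, domain = lines) is the one net and smbclient read for -A. NET_BIN is an assumed hook so the wrapper can be dry-run with NET_BIN=echo; it is not a net option. The host, account and domain names in the usage comment are the man page's example values.

```shell
#!/bin/sh
# Added example; not code from the net(8) man page or the Samba project.
# NET_BIN is an assumed dry-run hook (NET_BIN=echo), not a net option.
NET_BIN="${NET_BIN:-net}"

# write_auth_file DIR USER PASSWORD [DOMAIN]
# Creates a mode 0600 authentication file under DIR in the format that
# net -A expects and prints its path.
write_auth_file() {
    af_dir=$1; af_user=$2; af_pass=$3; af_dom=${4:-}
    af_file=$(umask 077 && mktemp "$af_dir/netauth.XXXXXX") || return 1
    {
        printf 'username = %s\n' "$af_user"
        printf 'password = %s\n' "$af_pass"
        if [ -n "$af_dom" ]; then printf 'domain = %s\n' "$af_dom"; fi
    } > "$af_file"
    chmod 600 "$af_file"
    printf '%s\n' "$af_file"
}

# dom_join TARGET AUTHFILE DOMAIN ACCOUNT PASSWORD [OU] [reboot]
# Joins TARGET (reached with the credentials in AUTHFILE) to DOMAIN using
# the domain account ACCOUNT/PASSWORD. OU and the literal word "reboot"
# are optional, matching the net dom join parameters described above.
dom_join() {
    dj_target=$1; dj_auth=$2; dj_domain=$3; dj_account=$4; dj_password=$5
    dj_ou=${6:-}; dj_reboot=${7:-}
    [ -r "$dj_auth" ] || { echo "auth file not readable: $dj_auth" >&2; return 2; }
    # Build the argument vector, then execute it.
    set -- "$NET_BIN" dom join -S "$dj_target" -A "$dj_auth" \
        "domain=$dj_domain" "account=$dj_account" "password=$dj_password"
    if [ -n "$dj_ou" ]; then set -- "$@" "ou=$dj_ou"; fi
    if [ "$dj_reboot" = reboot ]; then set -- "$@" reboot; fi
    "$@"
}

# Typical use, with the example values from the man page (assumed):
#   auth=$(write_auth_file "${TMPDIR:-/tmp}" administrator secret XP)
#   dom_join xp "$auth" MYDOM 'MYDOM\administrator' topsecret '' reboot
#   rm -f "$auth"
```

The domain account's password still has to be passed as password=, so run the wrapper from a script rather than an interactive shell where history is kept, and use a join account that holds only the right to create computer objects.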
G_LOCK
Manage global locks.

G_LOCK DO lockname timeout command
Execute a shell command under a global lock. This might be useful to
define the order in which several shell commands will be executed. The
locking information is stored in a file called g_lock.tdb. In setups
with CTDB running, the locking information is available on all
cluster nodes, so the lock is honoured cluster-wide.

• LOCKNAME defines the name of the global lock.

• TIMEOUT defines how long to wait for the lock before giving up.

• COMMAND defines the shell command to execute.

G_LOCK LOCKS
Print a list of all currently existing locknames.

G_LOCK DUMP lockname
Dump the locking table of a certain global lock.

TDB
Print information from tdb records.

TDB LOCKING key [DUMP]
List sharename, filename and number of share modes for a record from
locking.tdb. With the optional DUMP option, dump the complete record.

• KEY Key of the tdb record as a hex string.

vfs
Access a shared filesystem through the VFS.

vfs stream2adouble [--recursive] [--verbose] [--continue] [--follow-symlinks] share path
Convert file streams to AppleDouble files.

• share A Samba share.


• path A relative path of something in the Samba share. "."
can be used for the root directory of the share.


Options:

--recursive
Traverse a directory hierarchy.

--verbose
Verbose output.

--continue
Continue traversing a directory hierarchy if a single conversion
fails.

--follow-symlinks
Follow symlinks encountered while traversing a directory.

vfs getntacl share path
Display the security descriptor of a file or directory.

• share A Samba share.


• path A relative path of something in the Samba share. "."
can be used for the root directory of the share.

OFFLINEJOIN
Starting with version 4.15, Samba has support for the offline join
APIs. Windows has supported offline domain join since Windows 7 and
Windows Server 2008 R2.

The following offline commands are implemented:
net offlinejoin provision - Provisions a machine account in AD.
net offlinejoin requestodj - Requests a domain offline join.

OFFLINEJOIN PROVISION domain=DOMAIN machine_name=MACHINE_NAME
machine_account_ou=MACHINE_ACCOUNT_OU dcname=DCNAME defpwd reuse
savefile=FILENAME printblob
Provisions a machine account in AD. This command needs network
connectivity to the domain controller to succeed. This command supports
the following additional parameters:

• DOMAIN can be a NetBIOS domain name (also known as the short
domain name) or a DNS domain name for Active Directory
domains. The DOMAIN parameter is required and cannot be empty.

• MACHINE_NAME defines the machine account name that will be
provisioned in AD. The MACHINE_NAME parameter is required and
cannot be empty.

• MACHINE_ACCOUNT_OU can be set to an LDAP DN in RFC 1779
syntax, like ou=mymachines,cn=Users,dc=example,dc=com, in
order to create the machine account in a non-default LDAP
container. This optional parameter is only supported when
joining Active Directory domains.

• DCNAME defines a specific domain controller for creating the
machine account in AD.

• DEFPWD is an optional parameter that can be set to enforce
using the default machine account password. The use of this
parameter is not recommended: the default machine account
password is derived from the machine account name and can
therefore be guessed by anyone who knows that name.

• REUSE is an optional parameter that can be set to enforce
reusing an existing machine account in AD.

• SAVEFILE is an optional parameter to store the generated
provisioning data on disk.

• PRINTBLOB is an optional parameter to print the generated
provisioning data on stdout.


The provisioning data contains the password of the newly provisioned
machine account, so whoever obtains it can join a machine under that
identity. Treat the saved file, and any terminal or log that captured
PRINTBLOB output, as a credential: restrict its permissions, move it
to the target machine over an authenticated channel, and delete it
once the offline join has completed.

Example: net offlinejoin provision -U administrator%secret domain=MYDOM
machine_name=MYHOST savefile=provisioning.txt

OFFLINEJOIN REQUESTODJ loadfile=FILENAME
Requests an offline domain join by providing file-based provisioning
data. This command runs on the machine that is being joined and does
not need connectivity to the domain controller. It supports the
following additional parameters:

• LOADFILE is a required parameter to load the provisioning
data from a file.


Example: net offlinejoin requestodj -U administrator%secret
loadfile=provisioning.txt

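The two halves of the offline join described above, as an added example that is not part of the net(8) man page or of the Samba project: provision_odj runs on a host that can reach a domain controller and writes the provisioning file; request_odj runs on the machine being joined. Because the blob carries the machine account password, the wrapper creates it under umask 077, refuses to use a file that group or other users could read or replace, and removes it once the join has been requested. NET_BIN is an assumed dry-run hook (NET_BIN=echo), not a net option, and the machine-name sanity check (letters, digits and hyphens, at most 15 characters) is an assumed local policy; the man page only requires the name to be non-empty.

```shell
#!/bin/sh
# Added example; not code from the net(8) man page or the Samba project.
# NET_BIN is an assumed dry-run hook (NET_BIN=echo), not a net option.
NET_BIN="${NET_BIN:-net}"

# provision_odj DOMAIN MACHINE_NAME SAVEFILE [OU] [DCNAME]
# Run where a domain controller is reachable; writes the provisioning blob
# to SAVEFILE with no group/other permission bits.
provision_odj() {
    pv_domain=$1; pv_machine=$2; pv_file=$3; pv_ou=${4:-}; pv_dc=${5:-}
    # Assumed naming policy: NetBIOS-style name, letters/digits/'-', <= 15 chars.
    case "$pv_machine" in
        ''|*[!A-Za-z0-9-]*) echo "bad machine name: '$pv_machine'" >&2; return 2 ;;
    esac
    [ ${#pv_machine} -le 15 ] || { echo "machine name too long: $pv_machine" >&2; return 2; }
    set -- "$NET_BIN" offlinejoin provision "domain=$pv_domain" \
        "machine_name=$pv_machine" "savefile=$pv_file"
    if [ -n "$pv_ou" ]; then set -- "$@" "machine_account_ou=$pv_ou"; fi
    if [ -n "$pv_dc" ]; then set -- "$@" "dcname=$pv_dc"; fi
    # umask 077 keeps the blob private however the tool creates the file.
    (umask 077 && "$@") || return $?
    if [ -e "$pv_file" ]; then chmod 600 "$pv_file"; fi
}

# request_odj PROVFILE [extra net options, e.g. -U user]
# Run on the machine being joined; no DC connectivity is needed.
request_odj() {
    rq_file=$1; shift
    if [ ! -s "$rq_file" ]; then
        echo "provisioning file missing or empty: $rq_file" >&2; return 2
    fi
    # Refuse a blob that other local users could have read or replaced:
    # the group/other fields of "ls -ld" (columns 5-10) must all be '-'.
    case "$(ls -ld "$rq_file")" in
        ????------*) ;;
        *) echo "refusing $rq_file: group/other permission bits set" >&2; return 2 ;;
    esac
    "$NET_BIN" offlinejoin requestodj "loadfile=$rq_file" "$@" || return $?
    # The blob is single-use; Samba now holds the machine secret itself.
    if command -v shred >/dev/null 2>&1; then shred -u "$rq_file"; else rm -f "$rq_file"; fi
}

# Typical use, with the man page's example values (assumed):
#   on an admin host:   provision_odj MYDOM MYHOST provisioning.txt
#   on MYHOST, after copying the file over an authenticated channel:
#                       request_odj provisioning.txt -U administrator%secret
```

The permission check rejects rather than silently repairs a loosely permitted blob, since a file that was group- or world-writable at any point may already have been replaced with a provisioning blob for an attacker-controlled account.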

HELP [COMMAND]
Gives usage information for the specified command.

VERSION
This man page is complete for version 3 of the Samba suite.

AUTHOR
The original Samba software and related utilities were created by
Andrew Tridgell. Samba is now developed by the Samba Team as an Open
Source project similar to the way the Linux kernel is developed.

The net manpage was written by Jelmer Vernooij.



Samba 4.15.2 11/13/2021 NET(8)