NET(8)                    System Administration tools                   NET(8)

NAME

       net - Tool for administration of Samba and remote CIFS servers.

SYNOPSIS

       net {<ads|rap|rpc>} [-h|--help] [-d|--debuglevel=DEBUGLEVEL]
        [--debug-stdout] [--configfile=CONFIGFILE] [--option=name=value]
        [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full]
        [-R|--name-resolve=NAME-RESOLVE-ORDER]
        [-O|--socket-options=SOCKETOPTIONS] [-m|--max-protocol=MAXPROTOCOL]
        [-n|--netbiosname=NETBIOSNAME] [--netbios-scope=SCOPE]
        [-W|--workgroup=WORKGROUP] [--realm=REALM]
        [-U|--user=[DOMAIN/]USERNAME[%PASSWORD]] [-N|--no-pass]
        [--password=STRING] [--pw-nt-hash] [-A|--authentication-file=FILE]
        [-P|--machine-pass] [--simple-bind-dn=DN]
        [--use-kerberos=desired|required|off] [--use-krb5-ccache=CCACHE]
        [--use-winbind-ccache] [--client-protection=sign|encrypt|off]
        [-V|--version] [-w|--target-workgroup workgroup]
        [-I|--ipaddress ip-address] [-p|--port port] [--myname]
        [-S|--server server] [--long] [-v|--verbose] [-f|--force]
        [--request-timeout seconds] [-t|--timeout seconds] [-i|--stdin]

DESCRIPTION

       This tool is part of the samba(7) suite.

       The Samba net utility is meant to work just like the net utility
       available for Windows and DOS. The first argument should be used to
       specify the protocol to use when executing a certain command. ADS is
       used for Active Directory, RAP is used for old (Win9x/NT3) clients and
       RPC can be used for NT4 and Windows 2000. If this argument is omitted,
       net will try to determine it automatically. Not all commands are
       available on all protocols.

OPTIONS

       -w|--target-workgroup target-workgroup
           Sets target workgroup or domain. You have to specify either this
           option or the IP address or the name of a server.

       -I|--ipaddress ip-address
           IP address of target server to use. You have to specify either this
           option or a target workgroup or a target server.

       -p|--port port
           Port on the target server to connect to (usually 139 or 445).
           Defaults to trying 445 first, then 139.

       -S|--server server
           Name of target server. You should specify either this option or a
           target workgroup or a target IP address.

       -l|--long
           When listing data, give more information on each item.

       -v|--verbose
           When listing data, give more verbose information on each item.

       -f|--force
           Enforce a net command.

       --request-timeout 30
           Let client requests time out after 30 seconds; the default is 10
           seconds.

       -t|--timeout 30
           Set timeout for client operations to 30 seconds.

       -i|--stdin
           Take input for net commands from standard input.

       -T|--test
           Only test command sequence, dry-run.

       -F|--flags FLAGS
           Pass down integer flags to a net subcommand.

       -C|--comment COMMENT
           Pass down a comment string to a net subcommand.

       --myname MYNAME
           Use MYNAME as a requester name for a net subcommand.

       -c|--container CONTAINER
           Use a specific AD container for net ads operations.

       -M|--maxusers MAXUSERS
           Fill in the maxusers field in net rpc share operations.

       -r|--reboot
           Reboot a remote machine after a command has been successfully
           executed (e.g. in remote join operations).

       --force-full-repl
           When calling "net rpc vampire keytab" this option enforces a full
           re-creation of the generated keytab file.

       --single-obj-repl
           When calling "net rpc vampire keytab" this option allows one to
           replicate just a single object to the generated keytab file.

       --clean-old-entries
           When calling "net rpc vampire keytab" this option allows one to
           cleanup old entries from the generated keytab file.

       --db
           Define dbfile for "net idmap" commands.

       --lock
           Activates locking of the dbfile for "net idmap check" command.

       -a|--auto
           Activates noninteractive mode in "net idmap check".

       --repair
           Activates repair mode in "net idmap check".

       --acls
           Includes ACLs to be copied in "net rpc share migrate".

       --attrs
           Includes file attributes to be copied in "net rpc share migrate".

       --timestamps
           Includes timestamps to be copied in "net rpc share migrate".

       -X|--exclude DIRECTORY
           Allows one to exclude directories when copying with "net rpc share
           migrate".

       --destination SERVERNAME
           Defines the target servername of migration process (defaults to
           localhost).

       -L|--local
           Sets the type of group mapping to local (used in "net groupmap
           set").

       -D|--domain
           Sets the type of group mapping to domain (used in "net groupmap
           set").

       -N|--ntname NTNAME
           Sets the ntname of a group mapping (used in "net groupmap set").

       --rid RID
           Sets the rid of a group mapping (used in "net groupmap set").

       --reg-version REG_VERSION
           Assume database version {n|1,2,3} (used in "net registry check").

       -o|--output FILENAME
           Output database file (used in "net registry check").

       --wipe
           Create a new database from scratch (used in "net registry check").

       --precheck PRECHECK_DB_FILENAME
           Defines filename for database prechecking (used in "net registry
           import").

       --no-dns-updates
           Do not perform DNS updates as part of "net ads join".

       --keep-account
           Prevent the machine account removal as part of "net ads leave".

       --json
           Report results in JSON format for "net ads info" and "net ads
           lookup".

       --recursive
           Traverse a directory hierarchy.

       --continue
           Continue traversing a directory hierarchy in case conversion of one
           file fails.

       --follow-symlinks
           Follow symlinks encountered while traversing a directory.

       -d|--debuglevel=DEBUGLEVEL
           DEBUGLEVEL is an integer from 0 to 10. The default value if this
           parameter is not specified is 1 for client applications.

           The higher this value, the more detail will be logged to the log
           files about the activities of the server. At level 0, only critical
           errors and serious warnings will be logged. Level 1 is a reasonable
           level for day-to-day running - it generates a small amount of
           information about operations carried out.

           Levels above 1 will generate considerable amounts of log data, and
           should only be used when investigating a problem. Levels above 3
           are designed for use only by developers and generate HUGE amounts
           of log data, most of which is extremely cryptic.

           Note that specifying this parameter here will override the log
           level parameter in the smb.conf file.

       --debug-stdout
           This will redirect debug output to STDOUT. By default all clients
           are logging to STDERR.

       --configfile=<configuration file>
           The file specified contains the configuration details required by
           the client. The information in this file can be general for client
           and server, or can provide only client-specific options such as
           client smb encrypt. See smb.conf for more information. The default
           configuration file name is determined at compile time.

       --option=<name>=<value>
           Set the smb.conf(5) option "<name>" to value "<value>" from the
           command line. This overrides compiled-in defaults and options read
           from the configuration file. If a name or a value includes a space,
           wrap the whole --option=name=value in quotes.

       -l|--log-basename=logdirectory
           Base directory name for log/debug files. The extension ".progname"
           will be appended (e.g. log.smbclient, log.smbd, etc...). The log
           file is never removed by the client.

       --leak-report
           Enable talloc leak reporting on exit.

       --leak-report-full
           Enable full talloc leak reporting on exit.

       -V|--version
           Prints the program version number.

       -R|--name-resolve=NAME-RESOLVE-ORDER
           This option is used to determine what naming services and in what
           order to resolve host names to IP addresses. The option takes a
           space-separated string of different name resolution options. It is
           best to wrap the whole --name-resolve=NAME-RESOLVE-ORDER in
           quotes.

           The options are: "lmhosts", "host", "wins" and "bcast". They cause
           names to be resolved as follows:

           •   lmhosts: Lookup an IP address in the Samba lmhosts file. If
               the line in lmhosts has no name type attached to the NetBIOS
               name (see the lmhosts(5) for details) then any name type
               matches for lookup.

           •   host: Do a standard host name to IP address resolution, using
               the system /etc/hosts, NIS, or DNS lookups. This method of
               name resolution is operating system dependent (for instance,
               on IRIX or Solaris this may be controlled by the
               /etc/nsswitch.conf file). Note that this method is only used
               if the NetBIOS name type being queried is the 0x20 (server)
               name type, otherwise it is ignored.

           •   wins: Query a name with the IP address listed in the wins
               server parameter. If no WINS server has been specified this
               method will be ignored.

           •   bcast: Do a broadcast on each of the known local interfaces
               listed in the interfaces parameter. This is the least reliable
               of the name resolution methods as it depends on the target
               host being on a locally connected subnet.

           If this parameter is not set then the name resolve order defined in
           the smb.conf file parameter (name resolve order) will be used.

           The default order is lmhosts, host, wins, bcast. Without this
           parameter or any entry in the name resolve order parameter of the
           smb.conf file, the name resolution methods will be attempted in
           this order.

       -O|--socket-options=SOCKETOPTIONS
           TCP socket options to set on the client socket. See the socket
           options parameter in the smb.conf manual page for the list of valid
           options.

       -m|--max-protocol=MAXPROTOCOL
           The value of the parameter (a string) is the highest protocol level
           that will be supported by the client.

           Note that specifying this parameter here will override the client
           max protocol parameter in the smb.conf file.

       -n|--netbiosname=NETBIOSNAME
           This option allows you to override the NetBIOS name that Samba uses
           for itself. This is identical to setting the netbios name parameter
           in the smb.conf file. However, a command line setting will take
           precedence over settings in smb.conf.

       --netbios-scope=SCOPE
           This specifies a NetBIOS scope that nmblookup will use to
           communicate with when generating NetBIOS names. For details on the
           use of NetBIOS scopes, see rfc1001.txt and rfc1002.txt. NetBIOS
           scopes are very rarely used; only set this parameter if you are the
           system administrator in charge of all the NetBIOS systems you
           communicate with.

       -W|--workgroup=WORKGROUP
           Set the SMB domain of the username. This overrides the default
           domain which is the domain defined in smb.conf. If the domain
           specified is the same as the server's NetBIOS name, it causes the
           client to log on using the server's local SAM (as opposed to the
           Domain SAM).

           Note that specifying this parameter here will override the
           workgroup parameter in the smb.conf file.

       -r|--realm=REALM
           Set the realm for the domain.

           Note that specifying this parameter here will override the realm
           parameter in the smb.conf file.

       -U|--user=[DOMAIN\]USERNAME[%PASSWORD]
           Sets the SMB username or username and password.

           If %PASSWORD is not specified, the user will be prompted. The
           client will first check the USER environment variable (which is
           also permitted to contain the password separated by a %), then
           the LOGNAME variable (which is not permitted to contain a password)
           and if either exists, the value is used. If these environmental
           variables are not found, the username found in a Kerberos
           Credentials cache may be used.

           A third option is to use a credentials file which contains the
           plaintext of the username and password. This option is mainly
           provided for scripts where the admin does not wish to pass the
           credentials on the command line or via environment variables. If
           this method is used, make certain that the permissions on the file
           restrict access from unwanted users. See the -A option for more
           details.

           Be cautious about including passwords in scripts or passing
           user-supplied values onto the command line. For security it is
           better to let the Samba client tool ask for the password if needed,
           or obtain the password once with kinit.

           While Samba will attempt to scrub the password from the process
           title (as seen in ps), this is after startup and so is subject to a
           race.

       -N|--no-pass
           If specified, this parameter suppresses the normal password prompt
           from the client to the user. This is useful when accessing a
           service that does not require a password.

           Unless a password is specified on the command line or this
           parameter is specified, the client will request a password.

           If a password is specified on the command line and this option is
           also defined the password on the command line will be silently
           ignored and no password will be used.

       --password
           Specify the password on the command line.

           Be cautious about including passwords in scripts or passing
           user-supplied values onto the command line. For security it is
           better to let the Samba client tool ask for the password if needed,
           or obtain the password once with kinit.

           If --password is not specified, the tool will check the PASSWD
           environment variable, followed by PASSWD_FD which is expected to
           contain an open file descriptor (FD) number.

           Finally it will check PASSWD_FILE (containing a file path to be
           opened). The file should only contain the password. Make certain
           that the permissions on the file restrict access from unwanted
           users!

           While Samba will attempt to scrub the password from the process
           title (as seen in ps), this is after startup and so is subject to a
           race.
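
           The exposure described under -U and --password can be audited in
           scripts, crontabs and captured process listings. The following is
           an added example, not part of Samba: a heuristic that flags net,
           smbclient and rpcclient command lines carrying a password inline,
           without echoing the secret. The sample lines, host names and
           accounts are constructed.

```shell
#!/bin/sh
# Added example (not Samba code): flag Samba client command lines that carry
# a password inline. Heuristic: tokens are split on whitespace, so shell
# quoting inside a script is not fully parsed.

# Constructed sample input, such as an audit of scripts might collect.
sample_cmdlines() {
    cat <<'EOF'
net rpc user -S fs01.example.test -U 'EXAMPLE\svc-backup%Winter2024!'
net ads testjoin -P
PASSWD=hunter2 net rpc share -S fs01.example.test -U svc-backup
net rpc info -S fs01.example.test -A /etc/samba/backup.auth
smbclient //fs01.example.test/data --user=svc-backup --password=hunter2
net ads join -U administrator
EOF
}

# Reads command lines on stdin; prints "LINENO: reason[, reason]" per hit.
# The matched secret itself is never printed.
find_exposed_creds() {
    awk '
    function add(r) { hits = (hits == "" ? r : hits ", " r) }
    {
        hits = ""; tool = 0
        # Only consider lines that invoke one of the client tools.
        for (i = 1; i <= NF; i++) {
            n = split($i, part, "/")
            if (index(" net smbclient rpcclient ", " " part[n] " ")) tool = 1
        }
        if (!tool) next
        for (i = 1; i <= NF; i++) {
            a = $i
            if (a == "--password" || a ~ /^--password=/)
                add("--password on command line")
            else if (a ~ /^PASSWD=./)
                add("PASSWD in environment prefix")
            else if (a ~ /^USER=[^%]*%./)
                add("USER environment variable with %PASSWORD")
            else if (a ~ /^--user=[^%]*%./)
                add("--user with %PASSWORD")
            else if (a ~ /^-U[^%]+%./)
                add("-U with %PASSWORD")
            else if ((a == "-U" || a == "--user") && $(i + 1) ~ /^[^%]*%./)
                add("-U with %PASSWORD")
        }
        if (hits != "") printf "%d: %s\n", NR, hits
    }'
}

sample_cmdlines | find_exposed_creds
```

           Lines that use -P, -A or a password prompt are not reported.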

       --pw-nt-hash
           The supplied password is the NT hash.

       -A|--authentication-file=filename
           This option allows you to specify a file from which to read the
           username and password used in the connection. The format of the
           file is:

               username = <value>
               password = <value>
               domain   = <value>

           Make certain that the permissions on the file restrict access from
           unwanted users!
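
           One way to create and audit such a file, as an added example that
           is not part of Samba. The function names, the demo account and
           the rule that rejects unknown or repeated keys are assumptions of
           this example, not behaviour of the net tool.

```shell
#!/bin/sh
# Added example (not Samba code): create and audit a -A authentication file.

# write_authfile FILE USERNAME DOMAIN   (password is read from stdin)
# umask 077 makes the new file 0600; noclobber (set -C) refuses to reuse an
# existing path, which may have looser permissions or be a planted symlink.
write_authfile() (
    umask 077
    set -C
    IFS= read -r pw || [ -n "$pw" ] || exit 1
    printf 'username = %s\npassword = %s\ndomain   = %s\n' "$2" "$pw" "$3" > "$1"
)

# check_authfile FILE: prints findings and returns 0 only when FILE is a
# regular file owned by the caller, closed to group and other, and holds
# nothing but username/password/domain lines. Values are never printed.
check_authfile() {
    f=$1
    rc=0
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "FAIL: $f is missing, a symlink, or not a regular file"
        return 1
    fi
    # ls -ldn gives the mode string and numeric owner on GNU and BSD alike.
    meta=$(ls -ldn -- "$f" | awk '{ print substr($1, 5, 6), $3 }')
    if [ "${meta% *}" != "------" ]; then
        echo "FAIL: $f is accessible to group or other"
        rc=1
    fi
    if [ "${meta#* }" != "$(id -u)" ]; then
        echo "FAIL: $f is not owned by the invoking user"
        rc=1
    fi
    # Strict content policy (assumption of this example): every non-blank
    # line must be one of the three documented keys, each at most once.
    awk -F= '
        /^[ \t]*$/ { next }
        {
            key = $1; gsub(/[ \t]/, "", key)
            if (NF < 2 || (key != "username" && key != "password" && key != "domain")) {
                printf "FAIL: line %d is not username/password/domain = <value>\n", NR
                bad = 1
            } else if (seen[key]++) {
                printf "FAIL: line %d repeats %s\n", NR, key
                bad = 1
            }
        }
        END {
            if (!("username" in seen)) { print "FAIL: no username line"; bad = 1 }
            exit bad + 0
        }' "$f" || rc=1
    return $rc
}

# Demo on a constructed file in a private temporary directory.
demo_dir=$(mktemp -d)
printf '%s\n' 'constructed-example-password' |
    write_authfile "$demo_dir/net.auth" svc-backup EXAMPLE
check_authfile "$demo_dir/net.auth" && echo "OK: $demo_dir/net.auth"
chmod 644 "$demo_dir/net.auth"
check_authfile "$demo_dir/net.auth" || echo "rejected after chmod 644"
rm -rf "$demo_dir"
```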

       -P|--machine-pass
           Use stored machine account password.

       --simple-bind-dn=DN
           DN to use for a simple bind.

       --use-kerberos=desired|required|off
           This parameter determines whether Samba client tools will try to
           authenticate using Kerberos. For Kerberos authentication you need
           to use DNS names instead of IP addresses when connecting to a
           service.

           Note that specifying this parameter here will override the client
           use kerberos parameter in the smb.conf file.

       --use-krb5-ccache=CCACHE
           Specifies the credential cache location for Kerberos
           authentication.

           This will set --use-kerberos=required too.

       --use-winbind-ccache
           Try to use the credential cache by winbind.

       --client-protection=sign|encrypt|off
           Sets the connection protection the client tool should use.

           Note that specifying this parameter here will override the client
           protection parameter in the smb.conf file.

           In case you need more fine grained control you can use:
           --option=clientsmbencrypt=OPTION, --option=clientipcsigning=OPTION,
           --option=clientsigning=OPTION.

COMMANDS

   CHANGESECRETPW
       This command allows the Samba machine account password to be set from
       an external application to a machine account password that has already
       been stored in Active Directory. DO NOT USE this command unless you
       know exactly what you are doing. The use of this command requires that
       the force flag (-f) be used also. There will be NO command prompt.
       Whatever information is piped into stdin, either by typing at the
       command line or otherwise, will be stored as the literal machine
       password. Do NOT use this without care and attention as it will
       overwrite a legitimate machine password without warning. YOU HAVE BEEN
       WARNED.

   TIME
       The NET TIME command allows you to view the time on a remote server or
       synchronise the time on the local server with the time on the remote
       server.

   TIME
       Without any options, the NET TIME command displays the time on the
       remote server. The remote server must be specified with the -S option.

   TIME SYSTEM
       Displays the time on the remote server in a format ready for /bin/date.
       The remote server must be specified with the -S option.

   TIME SET
       Tries to set the date and time of the local server to that on the
       remote server using /bin/date. The remote server must be specified with
       the -S option.

   TIME ZONE
       Displays the timezone in hours from GMT on the remote server. The
       remote server must be specified with the -S option.

   [RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]]
       [dnshostname=FQDN] [createupn=UPN] [createcomputer=OU]
       [machinepass=PASS] [osName=string osVer=string] [options]
       Join a domain. If the account already exists on the server, and [TYPE]
       is MEMBER, the machine will attempt to join automatically. (Assuming
       that the machine has been created in server manager) Otherwise, a
       password will be prompted for, and a new account may be created.

       [TYPE] may be PDC, BDC or MEMBER to specify the type of server joining
       the domain.

       [FQDN] (ADS only) set the dnsHostName attribute during the join. The
       default format is netbiosname.dnsdomain.

       [UPN] (ADS only) set the principalname attribute during the join. The
       default format is host/netbiosname@REALM.

       [OU] (ADS only) Precreate the computer account in a specific OU. The OU
       string reads from top to bottom without RDNs, and is delimited by a
       '/'. Please note that '\' is used for escape by both the shell and
       ldap, so it may need to be doubled or quadrupled to pass through, and
       it is not used as a delimiter.

       [PASS] (ADS only) Set a specific password on the computer account being
       created by the join.

       [osName=string osVer=String] (ADS only) Set the operatingSystem and
       operatingSystemVersion attribute during the join. Both parameters must
       be specified for either to take effect.

   [RPC] OLDJOIN [options]
       Join a domain. Use the OLDJOIN option to join the domain using the old
       style of domain joining - you need to create a trust account in server
       manager first.

   [RPC|ADS] USER
   [RPC|ADS] USER
       List all users.

   [RPC|ADS] USER DELETE target
       Delete specified user.

   [RPC|ADS] USER INFO target
       List the domain groups of the specified user.

   [RPC|ADS] USER RENAME oldname newname
       Rename specified user.

   [RPC|ADS] USER ADD name [password] [-F user flags] [-C comment]
       Add specified user.

   [RPC|ADS] GROUP
   [RPC|ADS] GROUP [misc options] [targets]
       List user groups.

   [RPC|ADS] GROUP DELETE name [misc. options]
       Delete specified group.

   [RPC|ADS] GROUP ADD name [-C comment]
       Create specified group.

   [ADS] LOOKUP
       Lookup the closest Domain Controller in our domain and retrieve server
       information about it.

   [RAP|RPC] SHARE
   [RAP|RPC] SHARE [misc. options] [targets]
       Enumerates all exported resources (network shares) on target server.

   [RAP|RPC] SHARE ADD name=serverpath [-C comment] [-M maxusers] [targets]
       Adds a share from a server (makes the export active). Maxusers
       specifies the number of users that can be connected to the share
       simultaneously.

   SHARE DELETE sharename
       Delete specified share.

   [RPC|RAP] FILE
   [RPC|RAP] FILE
       List all open files on remote server.

   [RPC|RAP] FILE CLOSE fileid
       Close file with specified fileid on remote server.

   [RPC|RAP] FILE INFO fileid
       Print information on specified fileid. Currently listed are: file-id,
       username, locks, path, permissions.

   [RAP|RPC] FILE USER user
       List files opened by specified user. Please note that net rap file user
       does not work against Samba servers.

   SESSION
   RAP SESSION
       Without any other options, SESSION enumerates all active SMB/CIFS
       sessions on the target server.

   RAP SESSION DELETE|CLOSE CLIENT_NAME
       Close the specified sessions.

   RAP SESSION INFO CLIENT_NAME
       Give a list with all the open files in specified session.

   RAP SERVER DOMAIN
       List all servers in specified domain or workgroup. Defaults to local
       domain.

   RAP DOMAIN
       Lists all domains and workgroups visible on the current network.

   RAP PRINTQ
   RAP PRINTQ INFO QUEUE_NAME
       Lists the specified print queue and print jobs on the server. If the
       QUEUE_NAME is omitted, all queues are listed.

   RAP PRINTQ DELETE JOBID
       Delete job with specified id.

   RAP VALIDATE user [password]
       Validate whether the specified user can log in to the remote server. If
       the password is not specified on the command line, it will be prompted.

           Note
           Currently NOT implemented.

   RAP GROUPMEMBER
   RAP GROUPMEMBER LIST GROUP
       List all members of the specified group.

   RAP GROUPMEMBER DELETE GROUP USER
       Delete member from group.

   RAP GROUPMEMBER ADD GROUP USER
       Add member to group.

   RAP ADMIN command
       Execute the specified command on the remote server. Only works with
       OS/2 servers.

           Note
           Currently NOT implemented.

   RAP SERVICE
   RAP SERVICE START NAME [arguments...]
       Start the specified service on the remote server. Not implemented yet.

           Note
           Currently NOT implemented.

   RAP SERVICE STOP
       Stop the specified service on the remote server.

           Note
           Currently NOT implemented.

   RAP PASSWORD USER OLDPASS NEWPASS
       Change password of USER from OLDPASS to NEWPASS.

   LOOKUP
   LOOKUP HOST HOSTNAME [TYPE]
       Lookup the IP address of the given host with the specified type
       (netbios suffix). The type defaults to 0x20 (workstation).

   LOOKUP LDAP [DOMAIN]
       Give IP address of LDAP server of specified DOMAIN. Defaults to local
       domain.

   LOOKUP KDC [REALM]
       Give IP address of KDC for the specified REALM. Defaults to local
       realm.

   LOOKUP DC [DOMAIN]
       Give IPs of Domain Controllers for specified DOMAIN. Defaults to local
       domain.

   LOOKUP MASTER DOMAIN
       Give IP of master browser for specified DOMAIN or workgroup. Defaults
       to local domain.

   LOOKUP NAME [NAME]
       Lookup username's sid and type for specified NAME.

   LOOKUP SID [SID]
       Give sid's name and type for specified SID.

   LOOKUP DSGETDCNAME [NAME] [FLAGS] [SITENAME]
       Give Domain Controller information for specified domain NAME.

   CACHE
       Samba uses a general caching interface called 'gencache'. It can be
       controlled using 'NET CACHE'.

       All the timeout parameters support the suffixes:
           s - Seconds
           m - Minutes
           h - Hours
           d - Days
           w - Weeks

   CACHE ADD key data time-out
       Add specified key+data to the cache with the given timeout.

   CACHE DEL key
       Delete key from the cache.

   CACHE SET key data time-out
       Update data of existing cache entry.

   CACHE SEARCH PATTERN
       Search for the specified pattern in the cache data.

   CACHE LIST
       List all current items in the cache.

   CACHE FLUSH
       Remove all the current items from the cache.

   GETLOCALSID [DOMAIN]
       Prints the SID of the specified domain, or if the parameter is omitted,
       the SID of the local server.

   SETLOCALSID S-1-5-21-x-y-z
       Sets SID for the local server to the specified SID.

   GETDOMAINSID
       Prints the local machine SID and the SID of the current domain.

   SETDOMAINSID
       Sets the SID of the current domain.

   GROUPMAP
       Manage the mappings between Windows group SIDs and UNIX groups. Common
       options include:

              •   unixgroup - Name of the UNIX group

              •   ntgroup - Name of the Windows NT group (must be resolvable
                  to a SID)

              •   rid - Unsigned 32-bit integer

              •   sid - Full SID in the form of "S-1-..."

              •   type - Type of the group; either 'domain', 'local', or
                  'builtin'

              •   comment - Freeform text description of the group

   GROUPMAP ADD
       Add a new group mapping entry:

           net groupmap add {rid=int|sid=string} unixgroup=string \
                [type={domain|local}] [ntgroup=string] [comment=string]

   GROUPMAP DELETE
       Delete a group mapping entry. If more than one group name matches, the
       first entry found is deleted.

       net groupmap delete {ntgroup=string|sid=SID}

   GROUPMAP MODIFY
       Update an existing group entry.

           net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] \
                  [comment=string] [type={domain|local}]

   GROUPMAP LIST
       List existing group mapping entries.

       net groupmap list [verbose] [ntgroup=string] [sid=SID]

   MAXRID
       Prints out the highest RID currently in use on the local server (by the
       active 'passdb backend').

   RPC INFO
       Print information about the domain of the remote server, such as domain
       name, domain sid and number of users and groups.

   [RPC|ADS] TESTJOIN
       Check whether participation in a domain is still valid.

   [RPC|ADS] CHANGETRUSTPW
       Force change of domain trust password.

   RPC TRUSTDOM
   RPC TRUSTDOM ADD DOMAIN
       Add an interdomain trust account for DOMAIN. This is in fact a Samba
       account named DOMAIN$ with the account flag 'I' (interdomain trust
       account). This is required for incoming trusts to work. It makes Samba
       be a trusted domain of the foreign (trusting) domain. Users of the
       Samba domain will be made available in the foreign domain. If the
       command is used against localhost it has the same effect as smbpasswd
       -a -i DOMAIN. Please note that both commands expect an appropriate UNIX
       account.

   RPC TRUSTDOM DEL DOMAIN
       Remove interdomain trust account for DOMAIN. If it is used against
       localhost it has the same effect as smbpasswd -x DOMAIN$.

   RPC TRUSTDOM ESTABLISH DOMAIN
       Establish a trust relationship to a trusted domain. Interdomain account
       must already be created on the remote PDC. This is required for
       outgoing trusts to work. It makes Samba be a trusting domain of a
       foreign (trusted) domain. Users of the foreign domain will be made
       available in our domain. You'll need winbind and a working idmap config
       to make them appear in your system.

   RPC TRUSTDOM REVOKE DOMAIN
       Abandon relationship to trusted domain.

   RPC TRUSTDOM LIST
       List all interdomain trust relationships.

   RPC TRUST
   RPC TRUST CREATE
781       Create a trust object by calling lsaCreateTrustedDomainEx2. The can be
782       done on a single server or on two servers at once with the possibility
783       to use a random trust password.
784
785       Options:
786
787       otherserver
788           Domain controller of the second domain
789
790       otheruser
791           Admin user in the second domain
792
793       otherdomainsid
794           SID of the second domain
795
796       other_netbios_domain
797           NetBIOS (short) name of the second domain
798
799       otherdomain
800           DNS (full) name of the second domain
801
802       trustpw
803           Trust password
804
805       Examples:
806
807       Create a trust object on srv1.dom1.dom for the domain dom2
808
809               net rpc trust create \
810                   otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
811                   other_netbios_domain=dom2 \
812                   otherdomain=dom2.dom \
813                   trustpw=12345678 \
814                   -S srv1.dom1.dom
815
816       Create a trust relationship between dom1 and dom2
817
818               net rpc trust create \
819                   otherserver=srv2.dom2.test \
820                   otheruser=dom2adm \
821                   -S srv1.dom1.dom
822
823   RPC TRUST DELETE
824       Delete a trust object by calling lsaDeleteTrustedDomain. This can be
825       done on a single server or on two servers at once.
826
827       Options:
828
829       otherserver
830           Domain controller of the second domain
831
832       otheruser
833           Admin user in the second domain
834
835       otherdomainsid
836           SID of the second domain
837
838       Examples:
839
840       Delete a trust object on srv1.dom1.dom for the domain dom2
841
842               net rpc trust delete \
843                   otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
844                   -S srv1.dom1.dom
845
846       Delete a trust relationship between dom1 and dom2
847
848               net rpc trust delete \
849                   otherserver=srv2.dom2.test \
850                   otheruser=dom2adm \
851                   -S srv1.dom1.dom
852
853
854   RPC RIGHTS
855       This subcommand is used to view and manage Samba's rights assignments
856       (also referred to as privileges). There are three options currently
857       available: list, grant, and revoke. More details on Samba's privilege
858       model and its use can be found in the Samba-HOWTO-Collection.
859
860   RPC ABORTSHUTDOWN
861       Abort the shutdown of a remote server.
862
863   RPC SHUTDOWN [-t timeout] [-r] [-f] [-C message]
864       Shut down the remote server.
865
866       -r
867           Reboot after shutdown.
868
869       -f
870           Force shutting down all applications.
871
872       -t timeout
873           Timeout before system will be shut down. An interactive user of the
874           system can use this time to cancel the shutdown.
875
876       -C message
877           Display the specified message on the screen to announce the
878           shutdown.
879
880   RPC SAMDUMP
881       Print out sam database of remote server. You need to run this against
882       the PDC, from a Samba machine joined as a BDC.
883
884   RPC VAMPIRE
885       Export users, aliases and groups from remote server to local server.
886       You need to run this against the PDC, from a Samba machine joined as a
887       BDC. This vampire command cannot be used against an Active Directory,
888       only against an NT4 Domain Controller.
889
890   RPC VAMPIRE KEYTAB
891       Dump remote SAM database to local Kerberos keytab file.
892
893   RPC VAMPIRE LDIF
894       Dump remote SAM database to local LDIF file or standard output.
895
896   RPC GETSID
897       Fetch domain SID and store it in the local secrets.tdb.
898
899   ADS GPO
900   ADS GPO APPLY <USERNAME|MACHINENAME>
901       Apply GPOs for a username or machine name. Either username or machine
902       name should be provided to the command, not both.
903
904   ADS GPO GETGPO [GPO]
905       List specified GPO.
906
907   ADS GPO LINKADD [LINKDN] [GPODN]
908       Link a container to a GPO. LINKDN is the container to link to a GPO;
909       GPODN is the GPO to link the container to. DNs must be provided
910       properly escaped. See RFC 4514 for details.
911
912   ADS GPO LINKGET [CONTAINER]
913       Lists gPLink of a container.
914
915   ADS GPO LIST <USERNAME|MACHINENAME>
916       Lists all GPOs for a username or machine name. Either username or
917       machine name should be provided to the command, not both.
918
919   ADS GPO LISTALL
920       Lists all GPOs on a DC.
921
922   ADS GPO REFRESH [USERNAME] [MACHINENAME]
923       Lists all GPOs assigned to an account and downloads them. USERNAME is
924       the user to refresh GPOs for; MACHINENAME is the machine to refresh GPOs for.
925
926   ADS DNS
927   ADS DNS REGISTER [HOSTNAME [IP [IP.....]]]
928       Add host dns entry to Active Directory.
929
930   ADS DNS UNREGISTER <HOSTNAME>
931       Remove host dns entry from Active Directory.
932
933   ADS LEAVE [--keep-account]
934       Make the remote host leave the domain it is part of.
935
936   ADS STATUS
937       Print out status of machine account of the local machine in ADS. Prints
938       out quite some debug info. Aimed at developers; regular users should
939       use NET ADS TESTJOIN.
940
941   ADS PRINTER
942   ADS PRINTER INFO [PRINTER] [SERVER]
943       Lookup info for PRINTER on SERVER. The printer name defaults to "*",
944       the server name defaults to the local host.
945
946   ADS PRINTER PUBLISH PRINTER
947       Publish specified printer using ADS.
948
949   ADS PRINTER REMOVE PRINTER
950       Remove specified printer from ADS directory.
951
952   ADS SEARCH EXPRESSION ATTRIBUTES...
953       Perform a raw LDAP search on an ADS server and dump the results. The
954       expression is a standard LDAP search expression, and the attributes are
955       a list of LDAP fields to show in the results.
956
957       Example: net ads search '(objectCategory=group)' sAMAccountName
958
959   ADS DN DN (attributes)
960       Perform a raw LDAP search on an ADS server and dump the results. The DN
961       is a standard LDAP DN, and the attributes are a list of LDAP fields to show
962       in the result.
963
964       Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain'
965       SAMAccountName
966
967   ADS KEYTAB CREATE
968       Creates a new keytab file if one doesn't exist with default entries.
969       Default entries are kerberos principals created from the machinename of
970       the client, the UPN (if it exists) and any Windows SPN(s) associated
971       with the computer AD account for the client. If a keytab file already
972       exists then only missing kerberos principals from the default entries
973       are added. No changes are made to the computer AD account.
974
975   ADS KEYTAB ADD (principal | machine | serviceclass | windows SPN)
976       Adds a new keytab entry. The entry can be one of:
977
978       kerberos principal
979           A kerberos principal (identified by the presence of '@') is just
980           added to the keytab file.
981
982       machinename
983           A machinename (identified by the trailing '$') is used to create
984           a kerberos principal 'machinename@realm' which is added to the
985           keytab file.
986
987       serviceclass
988           A serviceclass (such as 'cifs', 'html' etc.) is used to create a
989           pair of kerberos principals
990           'serviceclass/fully_qualified_dns_name@realm' &
991           'serviceclass/netbios_name@realm' which are added to the keytab
992           file.
993
994       Windows SPN
995           A Windows SPN is of the format 'serviceclass/host:port', it is used
996           to create a kerberos principal 'serviceclass/host@realm' which will
997           be written to the keytab file.
998
999       Unlike old versions, no computer AD objects are modified by this
1000       command. To preserve the behaviour of older clients 'net ads keytab
1001       add_update_ads' is available.
1002
1003   ADS KEYTAB ADD_UPDATE_ADS (principal | machine | serviceclass | windows SPN)
1004       Adds a new keytab entry (see section for net ads keytab add). In
1005       addition to adding entries to the keytab file, corresponding Windows
1006       SPNs are created from the entry passed to this command. These SPN(s)
1007       are added to the AD computer account object associated with the client
1008       machine running this command for the following entry types:
1009
1010       serviceclass
1011           A serviceclass (such as 'cifs', 'html' etc.) is used to create a
1012           pair of Windows SPN(s) 'param/full_qualified_dns' &
1013           'param/netbios_name' which are added to the AD computer account
1014           object for this client.
1015
1016       Windows SPN
1017           A Windows SPN is of the format 'serviceclass/host:port', it is
1018           added as passed to the AD computer account object for this client.
1019
1020   ADS setspn SETSPN LIST [machine]
1021       Lists the Windows SPNs stored in the 'machine' Windows AD Computer
1022       object. If 'machine' is not specified then computer account for this
1023       client is used instead.
1024
1025   ADS setspn SETSPN ADD SPN [machine]
1026       Adds the specified Windows SPN to the 'machine' Windows AD Computer
1027       object. If 'machine' is not specified then computer account for this
1028       client is used instead.
1029
1030   ADS setspn SETSPN DELETE SPN [machine]
1031       Deletes the specified Windows SPN from the 'machine' Windows AD Computer
1032       object. If 'machine' is not specified then computer account for this
1033       client is used instead.
1034
1035   ADS WORKGROUP
1036       Print out workgroup name for specified kerberos realm.
1037
1038   ADS ENCTYPES
1039       List, modify or delete the value of the "msDS-SupportedEncryptionTypes"
1040       attribute of an account in AD.
1041
1042       This attribute allows one to control which Kerberos encryption types
1043       are used for the generation of initial and service tickets. The value
1044       consists of an integer bitmask with the following values:
1045
1046       0x00000001 DES-CBC-CRC
1047
1048       0x00000002 DES-CBC-MD5
1049
1050       0x00000004 RC4-HMAC
1051
1052       0x00000008 AES128-CTS-HMAC-SHA1-96
1053
1054       0x00000010 AES256-CTS-HMAC-SHA1-96
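The bitmask table above can be applied mechanically when reviewing accounts. The following is an added example, not part of the Samba documentation: a POSIX shell helper that decodes a value and flags accounts that still permit DES or RC4. The function names and the "account value" input lines are constructed for illustration; the script does not call net itself.

```sh
#!/bin/sh
# Added example: decode msDS-SupportedEncryptionTypes with the bitmask table
# from this page and flag values that still allow DES or RC4.

# valid_enctypes VALUE: accept plain decimal or 0x-prefixed hex only, so the
# value is safe to place inside $(( )).
valid_enctypes() {
    case $1 in
        0[xX]*) case ${1#0[xX]} in ''|*[!0-9a-fA-F]*) return 1 ;; esac ;;
        0) ;;
        0*|''|*[!0-9]*) return 1 ;;   # leading zero would be parsed as octal
    esac
    return 0
}

# decode_enctypes VALUE: print the comma-separated names of the bits set.
decode_enctypes() {
    valid_enctypes "$1" || return 2
    names=
    for pair in 1:DES-CBC-CRC 2:DES-CBC-MD5 4:RC4-HMAC \
                8:AES128-CTS-HMAC-SHA1-96 16:AES256-CTS-HMAC-SHA1-96
    do
        if [ $(( $1 & ${pair%%:*} )) -ne 0 ]; then
            names="${names:+$names,}${pair#*:}"
        fi
    done
    printf '%s\n' "${names:-none}"
}

# weak_bits VALUE: the DES/RC4 part of VALUE (bits 0x1, 0x2, 0x4).
weak_bits() { valid_enctypes "$1" || return 2; printf '%d\n' $(( $1 & 0x7 )); }

# aes_only VALUE: VALUE restricted to the two AES bits (0x8, 0x10).
aes_only() { valid_enctypes "$1" || return 2; printf '%d\n' $(( $1 & 0x18 )); }

# audit_enctypes: read "ACCOUNT VALUE" lines on stdin, one verdict per account.
audit_enctypes() {
    while read -r account value; do
        case $account in ''|'#'*) continue ;; esac
        if ! valid_enctypes "$value"; then
            printf '%s: unparsable value "%s"\n' "$account" "$value"
            continue
        fi
        weak=$(weak_bits "$value")
        aes=$(aes_only "$value")
        if [ "$weak" -ne 0 ] && [ "$aes" -ne 0 ]; then
            printf '%s: %s allows %s; clearing those bits gives %s\n' \
                "$account" "$value" "$(decode_enctypes "$weak")" "$aes"
        elif [ "$weak" -ne 0 ]; then
            printf '%s: %s allows only %s; no AES type is enabled\n' \
                "$account" "$value" "$(decode_enctypes "$weak")"
        elif [ "$aes" -eq 0 ]; then
            printf '%s: %s enables none of the listed types\n' "$account" "$value"
        else
            printf '%s: %s ok (%s)\n' "$account" "$value" "$(decode_enctypes "$value")"
        fi
    done
}

# Constructed sample input: account names and values are made up.
sample_accounts() {
    cat <<'EOF'
# account   msDS-SupportedEncryptionTypes
FILESRV1$   31
WEB01$      24
LEGACY$     0x7
APP02$      28
EOF
}

sample_accounts | audit_enctypes
```

The value 24 used in the ENCTYPES SET example on this page is exactly the two AES bits (0x8 + 0x10).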
1055
1056   ADS ENCTYPES LIST <ACCOUNTNAME>
1057       List the value of the "msDS-SupportedEncryptionTypes" attribute of a
1058       given account.
1059
1060       Example: net ads enctypes list Computername
1061
1062   ADS ENCTYPES SET <ACCOUNTNAME> [enctypes]
1063       Set the value of the "msDS-SupportedEncryptionTypes" attribute of the
1064       LDAP object of ACCOUNTNAME to a given value. If the value is omitted,
1065       the value is set to 31 which enables all the currently supported
1066       encryption types.
1067
1068       Example: net ads enctypes set Computername 24
1069
1070   ADS ENCTYPES DELETE <ACCOUNTNAME>
1071       Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP
1072       object of ACCOUNTNAME.
1073
1074       Example: net ads enctypes delete Computername
1075
1076   SAM CREATEBUILTINGROUP <NAME>
1077       (Re)Create a BUILTIN group. Only a well-known set of BUILTIN groups can
1078       be created with this command. This is the list of currently recognized
1079       group names: Administrators, Users, Guests, Power Users, Account
1080       Operators, Server Operators, Print Operators, Backup Operators,
1081       Replicator, RAS Servers, Pre-Windows 2000 compatible Access. This
1082       command requires a running Winbindd with idmap allocation properly
1083       configured. The group gid will be allocated out of the winbindd range.
1084
1085   SAM CREATELOCALGROUP <NAME>
1086       Create a LOCAL group (also known as Alias). This command requires a
1087       running Winbindd with idmap allocation properly configured. The group
1088       gid will be allocated out of the winbindd range.
1089
1090   SAM DELETELOCALGROUP <NAME>
1091       Delete an existing LOCAL group (also known as Alias).
1092
1093   SAM MAPUNIXGROUP <NAME>
1094       Map an existing Unix group and make it a Domain Group, the domain group
1095       will have the same name.
1096
1097   SAM UNMAPUNIXGROUP <NAME>
1098       Remove an existing group mapping entry.
1099
1100   SAM ADDMEM <GROUP> <MEMBER>
1101       Add a member to a Local group. The group can be specified only by name,
1102       the member can be specified by name or SID.
1103
1104   SAM DELMEM <GROUP> <MEMBER>
1105       Remove a member from a Local group. The group and the member must be
1106       specified by name.
1107
1108   SAM LISTMEM <GROUP>
1109       List Local group members. The group must be specified by name.
1110
1111   SAM LIST <users|groups|localgroups|builtin|workstations> [verbose]
1112       List the specified set of accounts by name. If verbose is specified,
1113       the rid and description are also provided for each account.
1114
1115   SAM RIGHTS LIST
1116       List all available privileges.
1117
1118   SAM RIGHTS GRANT <NAME> <PRIVILEGE>
1119       Grant one or more privileges to a user.
1120
1121   SAM RIGHTS REVOKE <NAME> <PRIVILEGE>
1122       Revoke one or more privileges from a user.
1123
1124   SAM SHOW <NAME>
1125       Show the full DOMAIN\\NAME, the SID and the type for the corresponding
1126       account.
1127
1128   SAM SET HOMEDIR <NAME> <DIRECTORY>
1129       Set the home directory for a user account.
1130
1131   SAM SET PROFILEPATH <NAME> <PATH>
1132       Set the profile path for a user account.
1133
1134   SAM SET COMMENT <NAME> <COMMENT>
1135       Set the comment for a user or group account.
1136
1137   SAM SET FULLNAME <NAME> <FULL NAME>
1138       Set the full name for a user account.
1139
1140   SAM SET LOGONSCRIPT <NAME> <SCRIPT>
1141       Set the logon script for a user account.
1142
1143   SAM SET HOMEDRIVE <NAME> <DRIVE>
1144       Set the home drive for a user account.
1145
1146   SAM SET WORKSTATIONS <NAME> <WORKSTATIONS>
1147       Set the workstations a user account is allowed to log in from.
1148
1149   SAM SET DISABLE <NAME>
1150       Set the "disabled" flag for a user account.
1151
1152   SAM SET PWNOTREQ <NAME>
1153       Set the "password not required" flag for a user account.
1154
1155   SAM SET AUTOLOCK <NAME>
1156       Set the "autolock" flag for a user account.
1157
1158   SAM SET PWNOEXP <NAME>
1159       Set the "password do not expire" flag for a user account.
1160
1161   SAM SET PWDMUSTCHANGENOW <NAME> [yes|no]
1162       Set or unset the "password must change" flag for a user account.
1163
1164   SAM POLICY LIST
1165       List the available account policies.
1166
1167   SAM POLICY SHOW <account policy>
1168       Show the account policy value.
1169
1170   SAM POLICY SET <account policy> <value>
1171       Set a value for the account policy. Valid values can be: "forever",
1172       "never", "off", or a number.
1173
1174   SAM PROVISION
1175       Only available if ldapsam:editposix is set and winbindd is running.
1176       Properly populates the ldap tree with the basic accounts
1177       (Administrator) and groups (Domain Users, Domain Admins, Domain Guests)
1178       on the ldap tree.
1179
1180   IDMAP DUMP <local tdb file name>
1181       Dumps the mappings contained in the local tdb file specified. This
1182       command is useful to dump only the mappings produced by the idmap_tdb
1183       backend.
1184
1185   IDMAP RESTORE [input file]
1186       Restore the mappings from the specified file or stdin.
1187
1188   IDMAP SET SECRET <DOMAIN> <secret>
1189       Store a secret for the specified domain, used primarily for domains
1190       that use idmap_ldap as a backend. In this case the secret is used as
1191       the password for the user DN used to bind to the ldap server.
1192
1193   IDMAP SET RANGE <RANGE> <SID> [index] [--db=<DB>]
1194       Store a domain-range mapping for a given domain (and index) in autorid
1195       database.
1196
1197   IDMAP SET CONFIG <config> [--db=<DB>]
1198       Update CONFIG entry in autorid database.
1199
1200   IDMAP GET RANGE <SID> [index] [--db=<DB>]
1201       Get the range for a given domain and index from autorid database.
1202
1203   IDMAP GET RANGES [<SID>] [--db=<DB>]
1204       Get ranges for all domains or for one identified by given SID.
1205
1206   IDMAP GET CONFIG [--db=<DB>]
1207       Get CONFIG entry from autorid database.
1208
1209   IDMAP DELETE MAPPING [-f] [--db=<DB>] <ID>
1210       Delete a mapping sid <-> gid or sid <-> uid from the IDMAP database.
1211       The mapping is given by <ID> which may either be a sid: S-x-..., a gid:
1212       "GID number" or a uid: "UID number". Use -f to delete an invalid
1213       partial mapping <ID> -> xx
1214
1215       Use "smbcontrol all idmap ..." to notify running smbd instances. See
1216       the smbcontrol(1) manpage for details.
1217
1218   IDMAP DELETE RANGE [-f] [--db=<TDB>] <RANGE>|(<SID> [<INDEX>])
1219       Delete a domain range mapping identified by 'RANGE' or "domain SID and
1220       INDEX" from autorid database. Use -f to delete invalid mappings.
1221
1222   IDMAP DELETE RANGES [-f] [--db=<TDB>] <SID>
1223       Delete all domain range mappings for a domain identified by SID. Use -f
1224       to delete invalid mappings.
1225
1226   IDMAP CHECK [-v] [-r] [-a] [-T] [-f] [-l] [--db=<DB>]
1227       Check and repair the IDMAP database. If no option is given a read only
1228       check of the database is done. Among others an interactive or automatic
1229       repair mode may be chosen with one of the following options:
1230
1231       -r|--repair
1232           Interactive repair mode, ask a lot of questions.
1233
1234       -a|--auto
1235           Noninteractive repair mode, use default answers.
1236
1237       -v|--verbose
1238           Produce more output.
1239
1240       -f|--force
1241           Try to apply changes, even if they do not apply cleanly.
1242
1243       -T|--test
1244           Dry run, show what changes would be made but don't touch anything.
1245
1246       -l|--lock
1247           Lock the database while doing the check.
1248
1249       --db <DB>
1250           Check the specified database.
1251
1252       It reports the following kinds of errors:
1253
1254       Missing reverse mapping:
1255           A record with mapping A->B where there is no B->A. Default action
1256           in repair mode is to "fix" this by adding the reverse mapping.
1257
1258       Invalid mapping:
1259           A record with mapping A->B where B->C. Default action is to
1260           "delete" this record.
1261
1262       Missing or invalid HWM:
1263           A high water mark is not at least equal to the largest ID in the
1264           database. Default action is to "fix" this by setting it to the
1265           largest ID found +1.
1266
1267       Invalid record:
1268           Something we failed to parse. Default action is to "edit" it in
1269           interactive and "delete" it in automatic mode.
1270
1271   USERSHARE
1272       Starting with version 3.0.23, a Samba server now supports the ability
1273       for non-root users to add user defined shares to be exported using the
1274       "net usershare" commands.
1275
1276       To set this up, first set up your smb.conf by adding this line to the
1277       [global] section: "usershare path = /usr/local/samba/lib/usershares".
1278       Next create the directory /usr/local/samba/lib/usershares, change the
1279       owner to root and set the group owner to the UNIX group that should have
1280       the ability to create usershares, for example a group called
1281       "serverops". Set the permissions on /usr/local/samba/lib/usershares to
1282       01770 (owner and group all access, no access for others, plus the sticky
1283       bit, which means that a file in that directory can be renamed or deleted
1284       only by the owner of the file). Finally, tell smbd how many usershares
1285       you will allow by adding to the [global] section of smb.conf a line such
1286       as "usershare max shares = 100", which allows 100 usershare definitions.
1287       Now, members of the UNIX group "serverops" can create user defined shares
1288       on demand using the commands below.
1289
1290       The usershare commands are:
1291           net usershare add sharename path [comment [acl] [guest_ok=[y|n]]] -
1292           to add or change a user defined share.
1293           net usershare delete sharename - to delete a user defined share.
1294           net usershare info [-l|--long] [wildcard sharename] - to print info
1295           about a user defined share.
1296           net usershare list [-l|--long] [wildcard sharename] - to list user
1297           defined shares.
1298
1299   USERSHARE ADD sharename path [comment] [acl] [guest_ok=[y|n]]
1300       Add or replace a new user defined share, with name "sharename".
1301
1302       "path" specifies the absolute pathname on the system to be exported.
1303       Restrictions may be put on this, see the global smb.conf parameters:
1304       "usershare owner only", "usershare prefix allow list", and "usershare
1305       prefix deny list".
1306
1307       The optional "comment" parameter is the comment that will appear on the
1308       share when browsed to by a client.
1309
1310       The optional "acl" field specifies which users have read and write
1311       access to the entire share. Note that guest connections are not allowed
1312       unless the smb.conf parameter "usershare allow guests" has been set.
1313       The definition of a user defined share acl is: "user:permission", where
1314       user is a valid username on the system and permission can be "F", "R",
1315       or "D". "F" stands for "full permissions", i.e. read and write
1316       permissions. "D" stands for "deny" for a user, i.e. prevent this user
1317       from accessing this share. "R" stands for "read only", i.e. only allow
1318       read access to this share (no creation of new files or directories or
1319       writing to files).
1320
1321       The default if no "acl" is given is "Everyone:R", which means any
1322       authenticated user has read-only access.
1323
1324       The optional "guest_ok" has the same effect as the parameter of the
1325       same name in smb.conf, in that it allows guest access to this user
1326       defined share. This parameter is only allowed if the global parameter
1327       "usershare allow guests" has been set to true in the smb.conf.
1328
1329
1330       There is no separate command to modify an existing user defined share,
1331       just use the "net usershare add [sharename]" command using the same
1332       sharename as the one you wish to modify and specify the new options you
1333       wish. The Samba smbd daemon notices user defined share modifications at
1334       connect time so will see the change immediately; there is no need to
1335       restart smbd on adding, deleting or changing a user defined share.
1336
1337   USERSHARE DELETE sharename
1338       Deletes the user defined share by name. The Samba smbd daemon
1339       immediately notices this change, although it will not disconnect any
1340       users currently connected to the deleted share.
1341
1342   USERSHARE INFO [-l|--long] [wildcard sharename]
1343       Get info on user defined shares owned by the current user matching the
1344       given pattern, or all users.
1345
1346       net usershare info on its own dumps out info on the user defined shares
1347       that were created by the current user, or restricts them to share names
1348       that match the given wildcard pattern ('*' matches one or more
1349       characters, '?' matches only one character). If the '-l' or '--long'
1350       option is also given, it prints out info on user defined shares created
1351       by other users.
1352
1353       The information given about a share looks like: [foobar]
1354       path=/home/jeremy comment=testme usershare_acl=Everyone:F guest_ok=n
1355       This is a list of the current settings of the user defined share that
1356       can be modified by the "net usershare add" command.
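The usershare setup and the "net usershare info" settings described above can be reviewed with a short script. This is an added example, not part of the Samba documentation: it checks the 01770 directory mode and scans share definitions for guest access, Everyone:F ACLs and paths outside an expected prefix. It assumes the info output has one setting per line under a [sharename] header (the page shows it run together on one line); the function names and the prefix argument are hypothetical, and the sample shares are constructed.

```sh
#!/bin/sh
# Added example: review a usershare directory and usershare definitions.

# usershare_dir_mode_ok DIR: true when DIR has mode 01770, which `ls -ld`
# renders as "drwxrwx--T" (sticky bit set, no access for others).
usershare_dir_mode_ok() {
    mode=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)
    [ "$mode" = "drwxrwx--T" ]
}

# check_usershare_dir DIR GROUP: report deviations from the documented setup
# (owner root, group GROUP, mode 01770). Returns 1 if anything deviates.
check_usershare_dir() {
    dir=$1 group=$2 rc=0
    usershare_dir_mode_ok "$dir" || { echo "$dir: mode is not 01770"; rc=1; }
    owner=$(ls -ld -- "$dir" 2>/dev/null | awk '{ print $3 ":" $4 }')
    [ "$owner" = "root:$group" ] ||
        { echo "$dir: owner:group is '$owner', expected root:$group"; rc=1; }
    return $rc
}

# audit_usershare_info [PREFIX]: read share definitions on stdin and print one
# line per risky setting. PREFIX, if given, is the only directory tree shares
# are expected to live under. Exit status is 1 when there are findings.
audit_usershare_info() {
    awk -v prefix="${1:-}" '
    function report(msg) { print name ": " msg; findings++ }
    function flush(   n, i, e, user, perm) {
        if (name == "") return
        if (guest == "y") report("guest access enabled (guest_ok=y)")
        if (prefix != "" && index(path "/", prefix "/") != 1)
            report("path " path " is outside " prefix)
        n = split(acl, e, ",")              # entries are user:permission
        for (i = 1; i <= n; i++) {
            if (e[i] == "") continue        # tolerate a trailing comma
            perm = toupper(substr(e[i], length(e[i])))
            user = substr(e[i], 1, length(e[i]) - 2)
            if (tolower(user) == "everyone" && perm == "F")
                report("Everyone has full (read/write) access")
        }
        name = path = acl = guest = ""
    }
    /^\[.*\]$/        { flush(); name = substr($0, 2, length($0) - 2); next }
    /^path=/          { path  = substr($0, 6);  next }
    /^usershare_acl=/ { acl   = substr($0, 15); next }
    /^guest_ok=/      { guest = tolower(substr($0, 10)); next }
    END { flush(); exit (findings > 0) }
    '
}

# Constructed sample; the first share is the one shown on this page.
sample_info() {
    cat <<'EOF'
[foobar]
path=/home/jeremy
comment=testme
usershare_acl=Everyone:F
guest_ok=n

[scans]
path=/srv/scans
comment=scanner drop
usershare_acl=Everyone:R,alice:F
guest_ok=y

[docs]
path=/home/alice/docs
comment=
usershare_acl=alice:F,bob:R
guest_ok=n
EOF
}

sample_info | audit_usershare_info /home || true
# On a real server (path and group as used on this page):
#   check_usershare_dir /usr/local/samba/lib/usershares serverops
#   net usershare info -l | audit_usershare_info /home
```

The prefix test is a plain string comparison and does not resolve symlinks or ".." components, so it complements rather than replaces the "usershare prefix allow list" setting in smb.conf.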
1357
1358   USERSHARE LIST [-l|--long] wildcard sharename
1359       List all the user defined shares owned by the current user matching the
1360       given pattern, or all users.
1361
1362       net usershare list on its own lists out the names of the user defined
1363       shares that were created by the current user, or restricts the list to
1364       share names that match the given wildcard pattern ('*' matches one or
1365       more characters, '?' matches only one character). If the '-l' or
1366       '--long' option is also given, it includes the names of user defined
1367       shares created by other users.
1368
1369   [RPC] CONF
1370       Starting with version 3.2.0, a Samba server can be configured by data
1371       stored in registry. This configuration data can be edited with the new
1372       "net conf" commands. There is also the possibility to configure a
1373       remote Samba server by enabling the RPC conf mode and specifying the
1374       address of the remote server.
1375
1376       The deployment of this configuration data can be activated in two
1377       levels from the smb.conf file: Share definitions from registry are
1378       activated by setting registry shares to “yes” in the [global] section
1379       and global configuration options are activated by setting include =
1380       registry in the [global] section for a mixed configuration or by
1381       setting config backend = registry in the [global] section for a
1382       registry-only configuration. See the smb.conf(5) manpage for details.
1383
1384       The conf commands are:
1385           net [rpc] conf list - Dump the complete configuration in smb.conf
1386           like format.
1387           net [rpc] conf import - Import configuration from file in smb.conf
1388           format.
1389           net [rpc] conf listshares - List the registry shares.
1390           net [rpc] conf drop - Delete the complete configuration from
1391           registry.
1392           net [rpc] conf showshare - Show the definition of a registry share.
1393           net [rpc] conf addshare - Create a new registry share.
1394           net [rpc] conf delshare - Delete a registry share.
1395           net [rpc] conf setparm - Store a parameter.
1396           net [rpc] conf getparm - Retrieve the value of a parameter.
1397           net [rpc] conf delparm - Delete a parameter.
1398           net [rpc] conf getincludes - Show the includes of a share
1399           definition.
1400           net [rpc] conf setincludes - Set includes for a share.
1401           net [rpc] conf delincludes - Delete includes from a share
1402           definition.
1403
1404   [RPC] CONF LIST
1405       Print the configuration data stored in the registry in a smb.conf-like
1406       format to standard output.
1407
1408   [RPC] CONF IMPORT [--test|-T] filename [section]
1409       This command imports configuration from a file in smb.conf format. If a
1410       section encountered in the input file is present in registry, its
1411       contents are replaced. Sections of registry configuration that have no
1412       counterpart in the input file are not affected. If you want to delete
1413       these, you will have to use the "net conf drop" or "net conf delshare"
1414       commands. Optionally, a section may be specified to restrict the effect
1415       of the import command to that specific section. A test mode is enabled
1416       by specifying the parameter "-T" on the commandline. In test mode, no
1417       changes are made to the registry, and the resulting configuration is
1418       printed to standard output instead.
1419
1420   [RPC] CONF LISTSHARES
1421       List the names of the shares defined in registry.
1422
1423   [RPC] CONF DROP
1424       Delete the complete configuration data from registry.
1425
1426   [RPC] CONF SHOWSHARE sharename
1427       Show the definition of the share or section specified. It is valid to
1428       specify "global" as sharename to retrieve the global configuration
1429       options from registry.
1430
1431   [RPC] CONF ADDSHARE sharename path [writeable={y|N} [guest_ok={y|N}
1432       [comment]]]
1433       Create a new share definition in registry. The sharename and path have
1434       to be given. The share name may not be "global". Optionally, values for
1435       the very common options "writeable", "guest ok" and a "comment" may be
1436       specified. The same result may be obtained by a sequence of "net conf
1437       setparm" commands.
1438
1439   [RPC] CONF DELSHARE sharename
1440       Delete a share definition from registry.
1441
1442   [RPC] CONF SETPARM section parameter value
1443       Store a parameter in registry. The section may be global or a
1444       sharename. The section is created if it does not exist yet.
1445
1446   [RPC] CONF GETPARM section parameter
1447       Show a parameter stored in registry.
1448
1449   [RPC] CONF DELPARM section parameter
1450       Delete a parameter stored in registry.
1451
1452   [RPC] CONF GETINCLUDES section
1453       Get the list of includes for the provided section (global or share).
1454
1455       Note that due to the nature of the registry database and the nature of
1456       include directives, the includes need special treatment: Parameters are
1457       stored in registry by the parameter name as valuename, so there is only
1458       ever one instance of a parameter per share. Also, a specific order like
1459       in a text file is not guaranteed. For all real parameters, this is
1460       perfectly ok, but the include directive is rather a meta parameter, for
1461       which, in the smb.conf text file, the place where it is specified
1462       between the other parameters is very important. This can not be
1463       achieved by the simple registry smbconf data model, so there is one
1464       ordered list of includes per share, and this list is evaluated after
1465       all the parameters of the share.
1466
1467       Further note that currently, only files can be included from registry
1468       configuration. In the future, there will be the ability to include
1469       configuration data from other registry keys.
1470
1471   [RPC] CONF SETINCLUDES section [filename]+
1472       Set the list of includes for the provided section (global or share) to
1473       the given list of one or more filenames. The filenames may contain the
1474       usual smb.conf macros like %I.
1475
1476   [RPC] CONF DELINCLUDES section
1477       Delete the list of includes from the provided section (global or
1478       share).
1479
1480   REGISTRY
1481       Manipulate Samba's registry.
1482
1483       The registry commands are:
1484           net registry enumerate   - Enumerate registry keys and values.
1485           net registry enumerate_recursive - Enumerate registry key and its
1486           subkeys.
1487           net registry createkey   - Create a new registry key.
1488           net registry deletekey   - Delete a registry key.
1489           net registry deletekey_recursive - Delete a registry key with
1490           subkeys.
1491           net registry getvalue    - Print a registry value.
1492           net registry getvalueraw - Print a registry value (raw format).
1493           net registry setvalue    - Set a new registry value.
1494           net registry increment   - Increment a DWORD registry value under a
1495           lock.
1496           net registry deletevalue - Delete a registry value.
1497           net registry getsd       - Get security descriptor.
1498           net registry getsd_sddl  - Get security descriptor in sddl format.
1499           net registry setsd_sddl  - Set security descriptor from sddl format
1500           string.
1501           net registry import      - Import a registration entries (.reg)
1502           file.
1503           net registry export      - Export a registration entries (.reg)
1504           file.
1505           net registry convert     - Convert a registration entries (.reg)
1506           file.
1507           net registry check       - Check and repair a registry database.
1508
1509   REGISTRY ENUMERATE key
1510       Enumerate subkeys and values of key.
1511
1512   REGISTRY ENUMERATE_RECURSIVE key
1513       Enumerate values of key and its subkeys.
1514
1515   REGISTRY CREATEKEY key
1516       Create a new key if not yet existing.
1517
1518   REGISTRY DELETEKEY key
1519       Delete the given key and its values from the registry, if it has no
1520       subkeys.
1521
1522   REGISTRY DELETEKEY_RECURSIVE key
1523       Delete the given key and all of its subkeys and values from the
1524       registry.
1525
1526   REGISTRY GETVALUE key name
1527       Output type and actual value of the value name of the given key.
1528
1529   REGISTRY GETVALUERAW key name
1530       Output the actual value of the value name of the given key.
1531
1532   REGISTRY SETVALUE key name type value ...
1533       Set the value name of an existing key.  type may be one of sz, multi_sz
1534       or dword. In case of multi_sz value may be given multiple times.
1535
1536   REGISTRY INCREMENT key name [inc]
1537       Increment the DWORD value name of key by inc while holding a g_lock.
1538       inc defaults to 1.
1539
1540   REGISTRY DELETEVALUE key name
1541       Delete the value name of the given key.
1542
1543   REGISTRY GETSD key
1544       Get the security descriptor of the given key.
1545
1546   REGISTRY GETSD_SDDL key
1547       Get the security descriptor of the given key as a Security Descriptor
1548       Definition Language (SDDL) string.
1549
1550   REGISTRY SETSD_SDDL key sd
1551       Set the security descriptor of the given key from a Security Descriptor
1552       Definition Language (SDDL) string sd.
1553
1554   REGISTRY IMPORT file [--precheck <check-file>] [opt]
1555       Import a registration entries (.reg) file.
1556
1557       The following options are available:
1558
1559       --precheck check-file
1560           This is a mechanism to check the existence or non-existence of
1561           certain keys or values specified in a precheck file before applying
1562           the import file. The import file will only be applied if the
1563           precheck succeeds.
1564
1565           The check-file follows the normal registry file syntax with the
1566           following semantics:
1567
1568                  •   <value name>=<value> checks whether the value exists and
1569                      has the given value.
1570
1571                  •   <value name>=- checks whether the value does not exist.
1572
1573                  •   [key] checks whether the key exists.
1574
1575                  •   [-key] checks whether the key does not exist.
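
The four check-file semantics listed above, modelled as an added example (not Samba code). It assumes a simplified registry-file subset with quoted value names and string values only, compares names exactly, and uses a constructed dictionary in place of the registry; the key paths and values are made up for illustration.

```python
import re

# Constructed stand-in for the registry: key path -> {value name: string value}.
REGISTRY = {
    r"HKLM\Software\Samba\smbconf\global": {"workgroup": "MYDOM", "security": "user"},
}

# Constructed check-file covering all four kinds of check.
PRECHECK = r'''
[HKLM\Software\Samba\smbconf\global]
"workgroup"="MYDOM"
"include"=-
[-HKLM\Software\Samba\smbconf\scratch]
'''

KEY_RE = re.compile(r"\[(-?)(.+)\]")
VALUE_RE = re.compile(r'"([^"]+)"=(-|"(.*)")')


def run_precheck(text, registry):
    """Return the list of failed checks; an empty list means the import may be applied."""
    failures = []
    current = None  # key that following value lines refer to
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key = KEY_RE.fullmatch(line)
        if key:
            must_be_absent, path = key.group(1) == "-", key.group(2)
            current = None if must_be_absent else path
            if (path in registry) == must_be_absent:
                state = "exists" if must_be_absent else "is missing"
                failures.append(f"line {lineno}: key {path} {state}")
            continue
        value = VALUE_RE.fullmatch(line)
        if not value or current is None:
            failures.append(f"line {lineno}: cannot evaluate {line!r}")
            continue
        name, expected = value.group(1), value.group(3)
        actual = registry.get(current, {}).get(name)
        if value.group(2) == "-":
            if actual is not None:
                failures.append(f"line {lineno}: value {name} exists")
        elif actual != expected:
            failures.append(f"line {lineno}: value {name} is {actual!r}, want {expected!r}")
    return failures
```

Every check must pass before the import file is applied, so a single unexpected key or value leaves the registry untouched.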
1576
1577
1578   REGISTRY EXPORT key file [opt]
1579       Export a key to a registration entries (.reg) file.
1580
1581   REGISTRY CONVERT in out [[inopt] outopt]
1582       Convert a registration entries (.reg) file in.
1583
1584   REGISTRY CHECK [-ravTl] [-o <ODB>] [--wipe] [<DB>]
1585       Check and repair the registry database. If no option is given a read
1586       only check of the database is done. Among others an interactive or
1587       automatic repair mode may be chosen with one of the following options:
1588
1589       -r|--repair
1590           Interactive repair mode, ask a lot of questions.
1591
1592       -a|--auto
1593           Noninteractive repair mode, use default answers.
1594
1595       -v|--verbose
1596           Produce more output.
1597
1598       -T|--test
1599           Dry run, show what changes would be made but don't touch anything.
1600
1601       -l|--lock
1602           Lock the database while doing the check.
1603
1604       --reg-version={1,2,3}
1605           Specify the format of the registry database. If not given it
1606           defaults to the value of the binary or, if a registry.tdb is
1607           explicitly stated at the commandline, to the value found in the
1608           INFO/version record.
1609
1610       [--db] <DB>
1611           Check the specified database.
1612
1613       -o|--output <ODB>
1614           Create a new registry database <ODB> instead of modifying the
1615           input. If <ODB> is already existing --wipe may be used to overwrite
1616           it.
1617
1618       --wipe
1619           Replace the registry database instead of modifying the input or
1620           overwrite an existing output database.
1621
1622   EVENTLOG
1623       Starting with version 3.4.0 net can read, dump, import and export
1624       native win32 eventlog files (usually *.evt). evt files are used by the
1625       native Windows eventviewer tools.
1626
1627       The import and export of evt files can only succeed when eventlog list
1628       is used in smb.conf file. See the smb.conf(5) manpage for details.
1629
1630       The eventlog commands are:
1631           net eventlog dump - Dump an eventlog *.evt file on the screen.
1632           net eventlog import - Import an eventlog *.evt into the samba
1633           internal tdb based representation of eventlogs.
1634           net eventlog export - Export the samba internal tdb based
1635           representation of eventlogs into an eventlog *.evt file.
1636
1637   EVENTLOG DUMP filename
1638       Prints an eventlog *.evt file to standard output.
1639
1640   EVENTLOG IMPORT filename eventlog
1641       Imports an eventlog *.evt file defined by filename into the samba
1642       internal tdb representation of eventlog defined by eventlog.  eventlog
1643       needs to be part of the eventlog list defined in smb.conf. See the
1644       smb.conf(5) manpage for details.
1645
1646   EVENTLOG EXPORT filename eventlog
1647       Exports the samba internal tdb representation of eventlog defined by
1648       eventlog to an eventlog *.evt file defined by filename.  eventlog needs
1649       to be part of the eventlog list defined in smb.conf. See the smb.conf(5)
1650       manpage for details.
1651
1652   DOM
1653       Starting with version 3.2.0 Samba has support for remote join and
1654       unjoin APIs, both client and server-side. Windows supports remote join
1655       capabilities since Windows 2000.
1656
1657       In order for Samba to be joined or unjoined remotely an account must be
1658       used that is either a member of the Domain Admins group, a member of the
1659       local Administrators group or a user that is granted the
1660       SeMachineAccountPrivilege privilege.
1661
1662       The client side support for remote join is implemented in the net dom
1663       commands which are:
1664           net dom join - Join a remote computer into a domain.
1665           net dom unjoin - Unjoin a remote computer from a domain.
1666           net dom renamecomputer - Renames a remote computer joined to a
1667           domain.
1668
1669   DOM JOIN  domain=DOMAIN ou=OU account=ACCOUNT password=PASSWORD reboot
1670       Joins a computer into a domain. This command supports the following
1671       additional parameters:
1672
1673           DOMAIN can be a NetBIOS domain name (also known as short
1674                  domain name) or a DNS domain name for Active Directory
1675                  Domains. As in Windows, it is also possible to control which
1676                  Domain Controller to use. This can be achieved by appending
1677                  the DC name using the \ separator character. Example:
1678                  MYDOM\MYDC. The DOMAIN parameter cannot be NULL.
1679
1680           OU can be set to an RFC 1779 LDAP DN, like
1681                  ou=mymachines,cn=Users,dc=example,dc=com in order to create
1682                  the machine account in a non-default LDAP container. This
1683                  optional parameter is only supported when joining Active
1684                  Directory Domains.
1685
1686           ACCOUNT defines a domain account that will be used to join
1687                  the machine to the domain. This domain account needs to have
1688                  sufficient privileges to join machines.
1689
1690           PASSWORD defines the password for the domain account defined
1691                  with ACCOUNT.
1692
1693           REBOOT is an optional parameter that can be set to reboot
1694                  the remote machine after successful join to the domain.
1695
1696
1697       Note that you also need to use standard net parameters to connect and
1698       authenticate to the remote machine that you want to join. These
1699       additional parameters include: -S computer and -U user.
1700
1701       Example: net dom join -S xp -U XP\\administrator%secret domain=MYDOM
1702       account=MYDOM\\administrator password=topsecret reboot.
1703
1704       This example would connect to a computer named XP as the local
1705       administrator using password secret, and join the computer into a
1706       domain called MYDOM using the MYDOM domain administrator account and
1707       password topsecret. After successful join, the computer would reboot.
1708
1709   DOM UNJOIN account=ACCOUNT password=PASSWORD reboot
1710       Unjoins a computer from a domain. This command supports the following
1711       additional parameters:
1712
1713           ACCOUNT defines a domain account that will be used to unjoin
1714                  the machine from the domain. This domain account needs to
1715                  have sufficient privileges to unjoin machines.
1716
1717           PASSWORD defines the password for the domain account defined
1718                  with ACCOUNT.
1719
1720           REBOOT is an optional parameter that can be set to reboot
1721                  the remote machine after successful unjoin from the domain.
1722
1723
1724       Note that you also need to use standard net parameters to connect and
1725       authenticate to the remote machine that you want to unjoin. These
1726       additional parameters include: -S computer and -U user.
1727
1728       Example: net dom unjoin -S xp -U XP\\administrator%secret
1729       account=MYDOM\\administrator password=topsecret reboot.
1730
1731       This example would connect to a computer named XP as the local
1732       administrator using password secret, and unjoin the computer from the
1733       domain using the MYDOM domain administrator account and password
1734       topsecret. After successful unjoin, the computer would reboot.
1735
1736   DOM RENAMECOMPUTER newname=NEWNAME account=ACCOUNT password=PASSWORD reboot
1737       Renames a computer that is joined to a domain. This command supports
1738       the following additional parameters:
1739
1740           NEWNAME defines the new name of the machine in the domain.
1741
1742           ACCOUNT defines a domain account that will be used to rename
1743                  the machine in the domain. This domain account needs to have
1744                  sufficient privileges to rename machines.
1745
1746           PASSWORD defines the password for the domain account defined
1747                  with ACCOUNT.
1748
1749           REBOOT is an optional parameter that can be set to reboot
1750                  the remote machine after successful rename in the domain.
1751
1752
1753       Note that you also need to use standard net parameters to connect and
1754       authenticate to the remote machine that you want to rename in the
1755       domain. These additional parameters include: -S computer and -U user.
1756
1757       Example: net dom renamecomputer -S xp -U XP\\administrator%secret
1758       newname=XPNEW account=MYDOM\\administrator password=topsecret reboot.
1759
1760       This example would connect to a computer named XP as the local
1761       administrator using password secret, and rename the joined computer to
1762       XPNEW using the MYDOM domain administrator account and password
1763       topsecret. After successful rename, the computer would reboot.
1764
1765   G_LOCK
1766       Manage global locks.
1767
1768   G_LOCK DO lockname timeout command
1769       Execute a shell command under a global lock. This might be useful to
1770       define the order in which several shell commands will be executed. The
1771       locking information is stored in a file called g_lock.tdb. In setups
1772       with CTDB running, the locking information will be available on all
1773       cluster nodes.
1774
1775           LOCKNAME defines the name of the global lock.
1776
1777           TIMEOUT defines the timeout.
1778
1779           COMMAND defines the shell command to execute.
1780
1781   G_LOCK LOCKS
1782       Print a list of all currently existing locknames.
1783
1784   G_LOCK DUMP lockname
1785       Dump the locking table of a certain global lock.
1786
1787   TDB
1788       Print information from tdb records.
1789
1790   TDB LOCKING key [DUMP]
1791       List sharename, filename and number of share modes for a record from
1792       locking.tdb. With the optional DUMP options, dump the complete record.
1793
1794           KEY Key of the tdb record as hex string.
1795
1796   vfs
1797       Access shared filesystem through the VFS.
1798
1799   vfs stream2adouble [--recursive] [--verbose] [--continue]
1800       [--follow-symlinks] share path
1801       Convert file streams to AppleDouble files.
1802
1803           share A Samba share.
1804
1805
1806           path A relative path of something in the Samba share. "."
1807                  can be used for the root directory of the share.
1808
1809
1810       Options:
1811
1812       --recursive
1813           Traverse a directory hierarchy.
1814
1815       --verbose
1816           Verbose output.
1817
1818       --continue
1819           Continue traversing a directory hierarchy if a single conversion
1820           fails.
1821
1822       --follow-symlinks
1823           Follow symlinks encountered while traversing a directory.
1824
1825   vfs getntacl share path
1826       Display the security descriptor of a file or directory.
1827
1828           share A Samba share.
1829
1830
1831           path A relative path of something in the Samba share. "."
1832                  can be used for the root directory of the share.
1833
1834   OFFLINEJOIN
1835       Starting with version 4.15 Samba has support for offline join APIs.
1836       Windows supports offline join capabilities since Windows 7 and Windows
1837       2008 R2.
1838
1839       The following offline commands are implemented:
1840           net offlinejoin provision - Provisions a machine account in AD.
1841           net offlinejoin requestodj - Requests a domain offline join.
1842
1843   OFFLINEJOIN PROVISION domain=DOMAIN machine_name=MACHINE_NAME
1844       machine_account_ou=MACHINE_ACCOUNT_OU dcname=DCNAME defpwd reuse
1845       savefile=FILENAME printblob
1846       Provisions a machine account in AD. This command needs network
1847       connectivity to the domain controller to succeed. This command supports
1848       the following additional parameters:
1849
1850           DOMAIN can be a NetBIOS domain name (also known as short
1851                  domain name) or a DNS domain name for Active Directory
1852                  Domains. The DOMAIN parameter cannot be NULL.
1853
1854           MACHINE_NAME defines the machine account name that will be
1855                  provisioned in AD. The MACHINE_NAME parameter cannot be
1856                  NULL.
1857
1858           MACHINE_ACCOUNT_OU can be set to an RFC 1779 LDAP DN, like
1859                  ou=mymachines,cn=Users,dc=example,dc=com in order to create
1860                  the machine account in a non-default LDAP container. This
1861                  optional parameter is only supported when joining Active
1862                  Directory Domains.
1863
1864           DCNAME defines a specific domain controller for creating the
1865                  machine account in AD.
1866
1867           DEFPWD is an optional parameter that can be set to enforce
1868                  using the default machine account password. The use of this
1869                  parameter is not recommended as the default machine account
1870                  password can be easily guessed.
1871
1872           REUSE is an optional parameter that can be set to enforce
1873                  reusing an existing machine account in AD.
1874
1875           SAVEFILE is an optional parameter to store the generated
1876                  provisioning data on disk.
1877
1878           PRINTBLOB is an optional parameter to print the generated
1879                  provisioning data on stdout.
1880
1881
1882       Example: net offlinejoin provision -U administrator%secret domain=MYDOM
1883       machine_name=MYHOST savefile=provisioning.txt
1884
1885   OFFLINEJOIN REQUESTODJ loadfile=FILENAME
1886       Requests an offline domain join by providing file-based provisioning
1887       data. This command supports the following additional parameters:
1888
1889           LOADFILE is a required parameter to load the provisioning
1890                  from a file.
1891
1892
1893       Example: net offlinejoin requestodj -U administrator%secret
1894       loadfile=provisioning.txt
1895
1896   HELP [COMMAND]
1897       Gives usage information for the specified command.
1898

VERSION

1900       This man page is complete for version 3 of the Samba suite.
1901

AUTHOR

1903       The original Samba software and related utilities were created by
1904       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
1905       Source project similar to the way the Linux kernel is developed.
1906
1907       The net manpage was written by Jelmer Vernooij.
1908
1909
1910
1911Samba 4.16.2                      06/13/2022                            NET(8)