SAMBA-TOOL(8)             System Administration tools            SAMBA-TOOL(8)

NAME

       samba-tool - Main Samba administration tool.

SYNOPSIS

       samba-tool [-h] [-W myworkgroup] [-U user] [-d debuglevel] [--v]

DESCRIPTION

       This tool is part of the samba(7) suite.

OPTIONS

       -h|--help
           Show this help message and exit

       -r|--realm=REALM
           Set the realm for the domain.

           Note that specifying this parameter here will override the realm
           parameter in the smb.conf file.

       --simple-bind-dn=DN
           DN to use for a simple bind.

       --password
           Specify the password on the command line.

           Be cautious about including passwords in scripts or passing
           user-supplied values onto the command line. For security it is
           better to let the Samba client tool ask for the password if needed,
           or obtain the password once with kinit.

           If --password is not specified, the tool will check the PASSWD
           environment variable, followed by PASSWD_FD which is expected to
           contain an open file descriptor (FD) number.

           Finally it will check PASSWD_FILE (containing a file path to be
           opened). The file should only contain the password. Make certain
           that the permissions on the file restrict access from unwanted
           users!

           While Samba will attempt to scrub the password from the process
           title (as seen in ps), this is after startup and so is subject to a
           race.

       -U|--user=[DOMAIN\]USERNAME[%PASSWORD]
           Sets the SMB username or username and password.

           If %PASSWORD is not specified, the user will be prompted. The
           client will first check the USER environment variable (which is
           also permitted to contain the password separated by a %), then
           the LOGNAME variable (which is not permitted to contain a password)
           and if either exists, the value is used. If these environment
           variables are not found, the username found in a Kerberos
           Credentials cache may be used.

           A third option is to use a credentials file which contains the
           plaintext of the username and password. This option is mainly
           provided for scripts where the admin does not wish to pass the
           credentials on the command line or via environment variables. If
           this method is used, make certain that the permissions on the file
           restrict access from unwanted users. See the -A option for more
           details.

           Be cautious about including passwords in scripts or passing
           user-supplied values onto the command line. For security it is
           better to let the Samba client tool ask for the password if needed,
           or obtain the password once with kinit.

           While Samba will attempt to scrub the password from the process
           title (as seen in ps), this is after startup and so is subject to a
           race.

       -W|--workgroup=WORKGROUP
           Set the SMB domain of the username. This overrides the default
           domain which is the domain defined in smb.conf. If the domain
           specified is the same as the server's NetBIOS name, it causes the
           client to log on using the server's local SAM (as opposed to the
           Domain SAM).

           Note that specifying this parameter here will override the
           workgroup parameter in the smb.conf file.

       -N|--no-pass
           If specified, this parameter suppresses the normal password prompt
           from the client to the user. This is useful when accessing a
           service that does not require a password.

           Unless a password is specified on the command line or this
           parameter is specified, the client will request a password.

           If a password is specified on the command line and this option is
           also defined, the password on the command line will be silently
           ignored and no password will be used.

       --use-kerberos=desired|required|off
           This parameter determines whether Samba client tools will try to
           authenticate using Kerberos. For Kerberos authentication you need
           to use DNS names instead of IP addresses when connecting to a
           service.

           Note that specifying this parameter here will override the client
           use kerberos parameter in the smb.conf file.

       --use-krb5-ccache=CCACHE
           Specifies the credential cache location for Kerberos
           authentication.

           This will set --use-kerberos=required too.

       --ipaddress=IPADDRESS
           IP address of the server

       -d|--debuglevel=DEBUGLEVEL
           DEBUGLEVEL is an integer from 0 to 10. The default value if this
           parameter is not specified is 1 for client applications.

           The higher this value, the more detail will be logged to the log
           files about the activities of the server. At level 0, only critical
           errors and serious warnings will be logged. Level 1 is a reasonable
           level for day-to-day running - it generates a small amount of
           information about operations carried out.

           Levels above 1 will generate considerable amounts of log data, and
           should only be used when investigating a problem. Levels above 3
           are designed for use only by developers and generate HUGE amounts
           of log data, most of which is extremely cryptic.

           Note that specifying this parameter here will override the log
           level parameter in the smb.conf file.

       --debug-stdout
           This will redirect debug output to STDOUT. By default all clients
           are logging to STDERR.

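       Added example (not part of the Samba manual page or Samba project
       code): shell helpers that apply the advice given for --password and -U
       above. They refuse a password file that is not private, hand the
       password to a command through PASSWD_FD instead of argv, and flag
       argument lists that carry an inline password. The function names and
       the path and account in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not Samba project code. Helper names are hypothetical.

# Succeed only if $1 is a regular file (not a symlink) owned by the caller
# with no group or other permission bits set, which is what the PASSWD_FILE
# text asks for ("restrict access from unwanted users").
passwd_file_is_private() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    # "ls -ldn" prints e.g. "-rw------- 1 1000 1000 ..." with a numeric owner.
    line=$(ls -ldn -- "$f") || return 1
    read -r mode _links uid _rest <<EOF
$line
EOF
    case $mode in
        -???------*) ;;      # group and other columns must be empty
        *) return 1 ;;
    esac
    [ "$uid" = "$(id -u)" ]
}

# Run "$@" with the password readable on file descriptor 3 and PASSWD_FD=3.
# The secret is never placed in argv, so there is nothing in the process
# title that would have to be scrubbed after startup.
run_with_passwd_fd() {
    secret_file=$1
    shift
    if ! passwd_file_is_private "$secret_file"; then
        echo "refusing $secret_file: not a private regular file" >&2
        return 1
    fi
    PASSWD_FD=3 "$@" 3<"$secret_file"
}

# Return 0 if an argument list carries a password inline: --password in
# either spelling, or a %PASSWORD suffix on -U / --user. Useful as a check
# over command lines found in scripts or cron jobs.
argv_exposes_password() {
    prev=
    for a in "$@"; do
        case $a in
            --password|--password=*) return 0 ;;
            --user=*%*|-U*%*) return 0 ;;
        esac
        case $prev in
            -U|--user)
                case $a in
                    *%*) return 0 ;;
                esac
                ;;
        esac
        prev=$a
    done
    return 1
}

# Usage (constructed path and account name):
#   run_with_passwd_fd /root/.samba-admin.pw samba-tool user list -U Administrator
```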

COMMANDS

   computer
       Manage computer accounts.

   computer add computername [options]
       Add a new computer to the Active Directory Domain.

       The new computer name specified on the command is the sAMAccountName,
       with or without the trailing dollar sign.

       --computerou=COMPUTEROU
           DN of alternative location (with or without domainDN counterpart)
           to default CN=Computers in which new computer object will be
           created. E.g. 'OU=OUname'.

       --description=DESCRIPTION
           The new computer's description.

       --ip-address=IP_ADDRESS_LIST
           IPv4 address for the computer's A record, or IPv6 address for AAAA
           record, can be provided multiple times.

       --service-principal-name=SERVICE_PRINCIPAL_NAME_LIST
           Computer's Service Principal Name, can be provided multiple times.

       --prepare-oldjoin
           Prepare enabled machine account for oldjoin mechanism.

   computer create computername [options]
       Add a new computer. This is a synonym for the samba-tool computer add
       command and is available for compatibility reasons only. Please use
       samba-tool computer add instead.

   computer delete computername [options]
       Delete an existing computer account.

       The computer name specified on the command is the sAMAccountName, with
       or without the trailing dollar sign.

   computer edit computername
       Edit a computer AD object.

       The computer name specified on the command is the sAMAccountName, with
       or without the trailing dollar sign.

       --editor=EDITOR
           Specifies the editor to use instead of the system default, or 'vi'
           if no system default is set.

   computer list
       List all computers.

   computer move computername new_parent_dn [options]
       This command moves a computer account into the specified organizational
       unit or container.

       The computername specified on the command is the sAMAccountName, with
       or without the trailing dollar sign.

       The name of the organizational unit or container can be specified as a
       full DN or without the domainDN component.

   computer show computername [options]
       Display a computer AD object.

       The computer name specified on the command is the sAMAccountName, with
       or without the trailing dollar sign.

       --attributes=USER_ATTRS
           Comma separated list of attributes, which will be printed.

   contact
       Manage contacts.

   contact add [contactname] [options]
       Add a new contact to the Active Directory Domain.

       The name of the new contact can be specified by the first argument
       'contactname' or the --given-name, --initial and --surname arguments.
       If no 'contactname' is given, contact's name will be made up of the
       given arguments by combining the given-name, initials and surname. Each
       argument is optional. A dot ('.') will be appended to the initials
       automatically.

       --ou=OU
           DN of alternative location (with or without domainDN counterpart)
           in which the new contact will be created. E.g. 'OU=OUname'. Default
           is the domain base.

       --description=DESCRIPTION
           The new contact's description.

       --surname=SURNAME
           Contact's surname.

       --given-name=GIVEN_NAME
           Contact's given name.

       --initials=INITIALS
           Contact's initials.

       --display-name=DISPLAY_NAME
           Contact's display name.

       --job-title=JOB_TITLE
           Contact's job title.

       --department=DEPARTMENT
           Contact's department.

       --company=COMPANY
           Contact's company.

       --mail-address=MAIL_ADDRESS
           Contact's email address.

       --internet-address=INTERNET_ADDRESS
           Contact's home page.

       --telephone-number=TELEPHONE_NUMBER
           Contact's phone number.

       --mobile-number=MOBILE_NUMBER
           Contact's mobile phone number.

       --physical-delivery-office=PHYSICAL_DELIVERY_OFFICE
           Contact's office location.

   contact create [contactname] [options]
       Add a new contact. This is a synonym for the samba-tool contact add
       command and is available for compatibility reasons only. Please use
       samba-tool contact add instead.

   contact delete contactname [options]
       Delete an existing contact.

       The contactname specified on the command is the common name or the
       distinguished name of the contact object. The distinguished name of the
       contact can be specified with or without the domainDN component.

   contact edit contactname
       Modify a contact AD object.

       The contactname specified on the command is the common name or the
       distinguished name of the contact object. The distinguished name of the
       contact can be specified with or without the domainDN component.

       --editor=EDITOR
           Specifies the editor to use instead of the system default, or 'vi'
           if no system default is set.

   contact list [options]
       List all contacts.

       --full-dn
           Display contact's full DN instead of the name.

   contact move contactname new_parent_dn [options]
       This command moves a contact into the specified organizational unit or
       container.

       The contactname specified on the command is the common name or the
       distinguished name of the contact object. The distinguished name of the
       contact can be specified with or without the domainDN component.

   contact show contactname [options]
       Display a contact AD object.

       The contactname specified on the command is the common name or the
       distinguished name of the contact object. The distinguished name of the
       contact can be specified with or without the domainDN component.

       --attributes=CONTACT_ATTRS
           Comma separated list of attributes, which will be printed.

   contact rename contactname [options]
       Rename a contact and related attributes.

       This command sets the contact's name-related attributes. The
       contact's CN will be renamed automatically. The contact's new CN will
       be made up by combining the given-name, initials and surname. A dot
       ('.') will be appended to the initials automatically, if required. Use
       the --force-new-cn option to specify the new CN manually and --reset-cn
       to reset this change.

       Use an empty attribute value to remove the specified attribute.

       The contact name specified on the command is the CN.

       --surname=SURNAME
           New surname.

       --given-name=GIVEN_NAME
           New given name.

       --initials=INITIALS
           New initials.

       --force-new-cn=NEW_CN
           Specify a new CN (RDN) instead of using a combination of the given
           name, initials and surname.

       --reset-cn
           Set the CN to the default combination of given name, initials and
           surname.

       --display-name=DISPLAY_NAME
           New display name.

       --mail-address=MAIL_ADDRESS
           New email address.

   dbcheck
       Check the local AD database for errors.

   delegation
       Manage Delegations.

   delegation add-service accountname principal [options]
       Add a service principal as msDS-AllowedToDelegateTo.

   delegation del-service accountname principal [options]
       Delete a service principal as msDS-AllowedToDelegateTo.

   delegation for-any-protocol accountname [(on|off)] [options]
       Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy) for an
       account.

   delegation for-any-service accountname [(on|off)] [options]
       Set/unset UF_TRUSTED_FOR_DELEGATION for an account.

   delegation show accountname [options]
       Show the delegation setting of an account.

   dns
       Manage Domain Name Service (DNS).

   dns add server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
       Add a DNS record.

   dns delete server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
       Delete a DNS record.

   dns query server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT|ALL [options] data
       Query a name.

   dns roothints server [name] [options]
       Query root hints.

   dns serverinfo server [options]
       Query server information.

   dns update server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT olddata newdata
       Update a DNS record.

   dns zonecreate server zone [options]
       Create a zone.

   dns zonedelete server zone [options]
       Delete a zone.

   dns zoneinfo server zone [options]
       Query zone information.

   dns zonelist server [options]
       List zones.

   domain
       Manage Domain.

   domain backup
       Create or restore a backup of the domain.

   domain backup offline
       Backup (with proper locking) local domain directories into a tar file.

   domain backup online
       Copy a running DC's current DB into a backup tar file.

   domain backup rename
       Copy a running DC's DB to backup file, renaming the domain in the
       process.

   domain backup restore
       Restore the domain's DB from a backup-file.

   domain classicupgrade [options] classic_smb_conf
       Upgrade from Samba classic (NT4-like) database to Samba AD DC database.

   domain dcpromo dnsdomain [DC|RODC] [options]
       Promote an existing domain member or NT4 PDC to an AD DC.

   domain demote
       Demote ourselves from the role of domain controller.

   domain exportkeytab keytab [options]
       Dumps Kerberos keys of the domain into a keytab.

   domain info ip_address [options]
       Print basic info about a domain and the specified DC.

   domain join dnsdomain [DC|RODC|MEMBER|SUBDOMAIN] [options]
       Join a domain as either member or backup domain controller.

   domain level show|raise options [options]
       Show/raise domain and forest function levels.

   domain passwordsettings show|set options [options]
       Show/set password settings.

   domain passwordsettings pso
       Manage fine-grained Password Settings Objects (PSOs).

   domain passwordsettings pso apply pso-name user-or-group-name [options]
       Applies a PSO's password policy to a user or group.

   domain passwordsettings pso create pso-name precedence [options]
       Creates a new Password Settings Object (PSO).

   domain passwordsettings pso delete pso-name [options]
       Deletes a Password Settings Object (PSO).

   domain passwordsettings pso list [options]
       Lists all Password Settings Objects (PSOs).

   domain passwordsettings pso set pso-name [options]
       Modifies a Password Settings Object (PSO).

   domain passwordsettings pso show user-name [options]
       Displays a Password Settings Object (PSO).

   domain passwordsettings pso show-user pso-name [options]
       Displays the Password Settings that apply to a user.

   domain passwordsettings pso unapply pso-name user-or-group-name [options]
       Updates a PSO to no longer apply to a user or group.

   domain provision
       Promote an existing domain member or NT4 PDC to an AD DC.

   domain trust
       Domain and forest trust management.

   domain trust create DOMAIN options [options]
       Create a domain or forest trust.

   domain trust delete DOMAIN options [options]
       Delete a domain trust.

   domain trust list options [options]
       List domain trusts.

   domain trust namespaces [DOMAIN] options [options]
       Manage forest trust namespaces.

   domain trust show DOMAIN options [options]
       Show trusted domain details.

   domain trust validate DOMAIN options [options]
       Validate a domain trust.

   drs
       Manage Directory Replication Services (DRS).

   drs bind
       Show DRS capabilities of a server.

   drs kcc
       Trigger knowledge consistency center run.

   drs options
       Query or change options for NTDS Settings object of a domain
       controller.

   drs replicate destination_DC source_DC NC [options]
       Replicate a naming context between two DCs.

   drs showrepl
       Show replication status. The [--json] option results in JSON output,
       and with the [--summary] option produces very little output when the
       replication status seems healthy.

   dsacl
       Administer DS ACLs

   dsacl set
       Modify access list on a directory object.

   forest
       Manage Forest configuration.

   forest directory_service
       Manage directory_service behaviour for the forest.

   forest directory_service dsheuristics VALUE
       Modify dsheuristics directory_service configuration for the forest.

   forest directory_service show
       Show current directory_service configuration for the forest.

   fsmo
       Manage Flexible Single Master Operations (FSMO).

   fsmo seize [options]
       Seize the role.

   fsmo show
       Show the roles.

   fsmo transfer [options]
       Transfer the role.

   gpo
       Manage Group Policy Objects (GPO).

   gpo create displayname [options]
       Create an empty GPO.

   gpo del gpo [options]
       Delete GPO.

   gpo dellink container_dn gpo [options]
       Delete GPO link from a container.

   gpo fetch gpo [options]
       Download a GPO.

   gpo getinheritance container_dn [options]
       Get inheritance flag for a container.

   gpo getlink container_dn [options]
       List GPO Links for a container.

   gpo list username [options]
       List GPOs for an account.

   gpo listall
       List all GPOs.

   gpo listcontainers gpo [options]
       List all linked containers for a GPO.

   gpo setinheritance container_dn block|inherit [options]
       Set inheritance flag on a container.

   gpo setlink container_dn gpo [options]
       Add or Update a GPO link to a container.

   gpo show gpo [options]
       Show information for a GPO.

   gpo manage symlink list
       List VGP Symbolic Link Group Policy from the sysvol

   gpo manage symlink add
       Adds a VGP Symbolic Link Group Policy to the sysvol

   gpo manage symlink remove
       Removes a VGP Symbolic Link Group Policy from the sysvol

   gpo manage files list
       List VGP Files Group Policy from the sysvol

   gpo manage files add
       Add VGP Files Group Policy to the sysvol

   gpo manage files remove
       Remove VGP Files Group Policy from the sysvol

   gpo manage openssh list
       List VGP OpenSSH Group Policy from the sysvol

   gpo manage openssh set
       Sets a VGP OpenSSH Group Policy to the sysvol

   gpo manage sudoers add
       Adds a Samba Sudoers Group Policy to the sysvol.

   gpo manage sudoers list
       List Samba Sudoers Group Policy from the sysvol.

   gpo manage sudoers remove
       Removes a Samba Sudoers Group Policy from the sysvol.

   gpo manage scripts startup list
       List VGP Startup Script Group Policy from the sysvol

   gpo manage scripts startup add
       Adds VGP Startup Script Group Policy to the sysvol

   gpo manage scripts startup remove
       Removes VGP Startup Script Group Policy from the sysvol

   gpo manage motd list
       List VGP MOTD Group Policy from the sysvol.

   gpo manage motd set
       Sets a VGP MOTD Group Policy to the sysvol

   gpo manage issue list
       List VGP Issue Group Policy from the sysvol.

   gpo manage issue set
       Sets a VGP Issue Group Policy to the sysvol

   gpo manage access add
       Adds a VGP Host Access Group Policy to the sysvol

   gpo manage access list
       List VGP Host Access Group Policy from the sysvol

   gpo manage access remove
       Remove a VGP Host Access Group Policy from the sysvol

   group
       Manage groups.

   group add groupname [options]
       Create a new AD group.

   group create groupname [options]
       Add a new AD group. This is a synonym for the samba-tool group add
       command and is available for compatibility reasons only. Please use
       samba-tool group add instead.

   group addmembers groupname members [options]
       Add members to an AD group.

   group delete groupname [options]
       Delete an AD group.

   group edit groupname
       Edit a group AD object.

       --editor=EDITOR
           Specifies the editor to use instead of the system default, or 'vi'
           if no system default is set.

   group list
       List all groups.

   group listmembers groupname [options]
       List all members of the specified AD group.

       By default the sAMAccountNames are listed. If no sAMAccountName is
       available, the CN will be used instead.

       --full-dn
           List the distinguished names instead of the sAMAccountNames.

       --hide-expired
           Do not list expired group members.

       --hide-disabled
           Do not list disabled group members.

   group move groupname new_parent_dn [options]
       This command moves a group into the specified organizational unit or
       container.

       The groupname specified on the command is the sAMAccountName.

       The name of the organizational unit or container can be specified as a
       full DN or without the domainDN component.

   group removemembers groupname members [options]
       Remove members from the specified AD group.

   group show groupname [options]
       Show a group object and its attributes.

   group stats [options]
       Show statistics for overall groups and group memberships.

   group rename groupname [options]
       Rename a group and related attributes.

       This command sets the group's name-related attributes. The
       group's CN will be renamed automatically. The group's CN will be the
       sAMAccountName. Use the --force-new-cn option to specify the new CN
       manually and the --reset-cn to reset this change.

       Use an empty attribute value to remove the specified attribute.

       The groupname specified on the command is the sAMAccountName.

       --force-new-cn=NEW_CN
           Specify a new CN (RDN) instead of using the sAMAccountName.

       --reset-cn
           Set the CN to the sAMAccountName.

       --mail-address=MAIL_ADDRESS
           New mail address

       --samaccountname=SAMACCOUNTNAME
           New account name (sAMAccountName/logon name)

   ldapcmp URL1 URL2 domain|configuration|schema|dnsdomain|dnsforest [options]
       Compare two LDAP databases.

   ntacl
       Manage NT ACLs.

   ntacl changedomsid original-domain-SID new-domain-SID file [options]
       Change the domain SID for ACLs. Can be used to change all entries in
       acl_xattr when the machine's SID has accidentally changed or the data
       set has been copied to another machine either via backup/restore or
       rsync.

       --use-ntvfs
           Set the ACLs directly to the TDB or xattr. The POSIX permissions
           will NOT be changed, only the NT ACL will be stored.

       --service=SERVICE
           Specify the name of the smb.conf service to use. This option is
           required in combination with the --use-s3fs option.

       --use-s3fs
           Set the ACLs for use with the default s3fs file server via the VFS
           layer. This option requires a smb.conf service, specified by the
           --service=SERVICE option.

       --xattr-backend=[native|tdb]
           Specify the xattr backend type (native fs or tdb).

       --eadb-file=EADB_FILE
           Name of the tdb file where attributes are stored.

       --recursive
           Set the ACLs for directories and their contents recursively.

       --follow-symlinks
           Follow symlinks when --recursive is specified.

       --verbose
           Verbosely list files and ACLs which are being processed.

   ntacl get file [options]
       Get ACLs on a file.

   ntacl set acl file [options]
       Set ACLs on a file.

   ntacl sysvolcheck
       Check sysvol ACLs match defaults (including correct ACLs on GPOs).

   ntacl sysvolreset
       Reset sysvol ACLs to defaults (including correct ACLs on GPOs).

   ou
       Manage organizational units (OUs).

   ou add ou_dn [options]
       Add a new organizational unit.

       The name of the organizational unit can be specified as a full DN or
       without the domainDN component.

       --description=DESCRIPTION
           Specify OU's description.

   ou create ou_dn [options]
       Add a new organizational unit. This is a synonym for the samba-tool ou
       add command and is available for compatibility reasons only. Please use
       samba-tool ou add instead.

   ou delete ou_dn [options]
       Delete an organizational unit.

       The name of the organizational unit can be specified as a full DN or
       without the domainDN component.

       --force-subtree-delete
           Delete organizational unit and all children recursively.

   ou list [options]
       List all organizational units.

       --full-dn
           Display DNs including the base DN.

   ou listobjects ou_dn [options]
       List all objects in an organizational unit.

       The name of the organizational unit can be specified as a full DN or
       without the domainDN component.

       --full-dn
           Display DNs including the base DN.

       -r|--recursive
           List objects recursively.

   ou move old_ou_dn new_parent_dn [options]
       Move an organizational unit.

       The name of the organizational units can be specified as a full DN or
       without the domainDN component.

   ou rename old_ou_dn new_ou_dn [options]
       Rename an organizational unit.

       The name of the organizational units can be specified as a full DN or
       without the domainDN component.

   rodc
       Manage Read-Only Domain Controller (RODC).

   rodc preload SID|DN|accountname [options]
       Preload one account for an RODC.

   schema
       Manage and query schema.

   schema attribute modify attribute [options]
       Modify the behaviour of an attribute in schema.

   schema attribute show attribute [options]
       Display an attribute schema definition.

   schema attribute show_oc attribute [options]
       Show objectclasses that MAY or MUST contain this attribute.

   schema objectclass show objectclass [options]
       Display an objectclass schema definition.

   sites
       Manage sites.

   sites create site [options]
       Create a new site.

   sites remove site [options]
       Delete an existing site.

   spn
       Manage Service Principal Names (SPN).

   spn add name user [options]
       Create a new SPN.

   spn delete name [user] [options]
       Delete an existing SPN.

   spn list user [options]
       List SPNs of a given user.

   testparm
       Check the syntax of the configuration file.

   time
       Retrieve the time on a server.

   user
893       Manage users.
894
895   user add username [password]
896       Add a new user to the Active Directory Domain.
897
898   user create username [password]
899       Add a new user. This is a synonym for the samba-tool user add command
900       and is available for compatibility reasons only. Please use samba-tool
901       user add instead.
902
903   user delete username [options]
904       Delete an existing user account.
905
906   user disable username
907       Disable a user account.
908
909   user edit username
910       Edit a user account AD object.
911
912       --editor=EDITOR
913           Specifies the editor to use instead of the system default, or 'vi'
914           if no system default is set.
915
916   user enable username
917       Enable a user account.
918
919   user list
920       List all users.
921
922       By default the user's sAMAccountNames are listed.
923
924       --full-dn
925           List user's distinguished names instead of the sAMAccountNames.
926
927       -b BASE_DN|--base-dn=BASE_DN
928           Specify base DN to use. Only users under the specified base DN will
929           be listed.
930
931       --hide-expired
932           Do not list expired user accounts.
933
934       --hide-disabled
935           Do not list disabled user accounts.
936
   user setprimarygroup username primarygroupname
       Set the primary group of a user account.

   user getgroups username
       Get the direct group memberships of a user account.

   user show username [options]
       Display a user AD object.

       --attributes=USER_ATTRS
           Comma separated list of attributes, which will be printed.

   user move username new_parent_dn [options]
       This command moves a user account into the specified organizational
       unit or container.

       The username specified on the command is the sAMAccountName.

       The name of the organizational unit or container can be specified as a
       full DN or without the domainDN component.

   user password [options]
       Change password for a user account (the one provided in
       authentication).

   user rename username [options]
       Rename a user and related attributes.

       This command allows setting the user's name-related attributes. The
       user's CN will be renamed automatically. The user's new CN will be made
       up by combining the given-name, initials and surname. A dot ('.') will
       be appended to the initials automatically, if required. Use the
       --force-new-cn option to specify the new CN manually and --reset-cn to
       reset this change.

       Use an empty attribute value to remove the specified attribute.

       The username specified on the command is the sAMAccountName.

       --surname=SURNAME
           New surname

       --given-name=GIVEN_NAME
           New given name

       --initials=INITIALS
           New initials

       --force-new-cn=NEW_CN
           Specify a new CN (RDN) instead of using a combination of the given
           name, initials and surname.

       --reset-cn
           Set the CN to the default combination of given name, initials and
           surname.

       --display-name=DISPLAY_NAME
           New display name

       --mail-address=MAIL_ADDRESS
           New email address

       --samaccountname=SAMACCOUNTNAME
           New account name (sAMAccountName/logon name)

       --upn=UPN
           New user principal name

   user setexpiry username [options]
       Set the expiration of a user account.

   user setpassword username [options]
       Sets or resets the password of a user account.

   user unlock username [options]
       This command unlocks a user account in the Active Directory domain.

   user getpassword username [options]
       Gets the password of a user account.

   user syncpasswords --cache-ldb-initialize [options]
       Syncs the passwords of all user accounts, using an optional script.

       Note that this command should run on a single domain controller only
       (typically the PDC-emulator).

   vampire [options] domain
       Join and synchronise a remote AD domain to the local server. Note
       that samba-tool vampire is deprecated; use samba-tool domain join
       instead.

   visualize [options] subcommand
       Produce graphical representations of Samba network state. To work out
       what is happening in a replication graph, it is sometimes helpful to
       use visualisations.

       There are two subcommands, two graphical modes, and (roughly) two modes
       of operation with respect to the location of authority.

   MODES OF OPERATION
       samba-tool visualize ntdsconn
           Looks at NTDS connections.

       samba-tool visualize reps
           Looks at repsTo and repsFrom objects.

       samba-tool visualize uptodateness
           Looks at replication lag as shown by the uptodateness vectors.

   GRAPHICAL MODES
       --distance
           Distances between DCs are shown in a matrix in the terminal.

       --dot
           Generate Graphviz dot output (for ntdsconn and reps modes). When
           viewed using dot or xdot, this shows the network as a graph with
           DCs as vertices and connections as edges. Certain types of
           degenerate edges are shown in different colours or line-styles.

       --xdot
           Generate Graphviz dot output as with [--dot] and attempt to view it
           immediately using /usr/bin/xdot.

       -r
           Normally, samba-tool talks to one database; with the [-r] option
           attempts are made to contact all the DCs known to the first
           database. This is necessary for samba-tool visualize uptodateness
           and for samba-tool visualize reps because the repsFrom/To objects
           are not replicated, and it can reveal replication issues in other
           modes.

   help
       Gives usage information.


VERSION

       This man page is complete for version 4.16.2 of the Samba suite.


AUTHOR

       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.



Samba 4.16.2                      06/13/2022                     SAMBA-TOOL(8)