1NET(8) System Administration tools NET(8)
2
6 net - Tool for administration of Samba and remote CIFS servers.
7
9 net {<ads|rap|rpc>} [-h|--help] [-d|--debuglevel=DEBUGLEVEL]
10 [--debug-stdout] [--configfile=CONFIGFILE] [--option=name=value]
11 [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full]
12 [-R|--name-resolve=NAME-RESOLVE-ORDER]
13 [-O|--socket-options=SOCKETOPTIONS] [-m|--max-protocol=MAXPROTOCOL]
14 [-n|--netbiosname=NETBIOSNAME] [--netbios-scope=SCOPE]
15 [-W|--workgroup=WORKGROUP] [--realm=REALM]
16 [-U|--user=[DOMAIN/]USERNAME[%PASSWORD]] [-N|--no-pass]
17 [--password=STRING] [--pw-nt-hash] [-A|--authentication-file=FILE]
18 [-P|--machine-pass] [--simple-bind-dn=DN]
19 [--use-kerberos=desired|required|off] [--use-krb5-ccache=CCACHE]
20 [--use-winbind-ccache] [--client-protection=sign|encrypt|off]
21 [-V|--version] [-w|--target-workgroup workgroup]
22 [-I|--ipaddress ip-address] [-p|--port port] [--myname]
23 [-S|--server server] [--long] [-v|--verbose] [-f|--force]
24 [--request-timeout seconds] [-t|--timeout seconds] [-i|--stdin]
25
27 This tool is part of the samba(7) suite.
28 The Samba net utility is meant to work just like the net utility
30 available for windows and DOS. The first argument should be used to
31 specify the protocol to use when executing a certain command. ADS is
32 used for ActiveDirectory, RAP is using for old (Win9x/NT3) clients and
33 RPC can be used for NT4 and Windows 2000. If this argument is omitted,
34 net will try to determine it automatically. Not all commands are
35 available on all protocols.
36
38 -w|--target-workgroup target-workgroup
39 Sets target workgroup or domain. You have to specify either this
40 option or the IP address or the name of a server.
41 -I|--ipaddress ip-address
43 IP address of target server to use. You have to specify either this
44 option or a target workgroup or a target server.
45 -p|--port port
47 Port on the target server to connect to (usually 139 or 445).
48 Defaults to trying 445 first, then 139.
49 -S|--server server
51 Name of target server. You should specify either this option or a
52 target workgroup or a target IP address.
53 --long
55 When listing data, give more information on each item.
56 -v|--verbose
58 When listing data, give more verbose information on each item.
59 -f|--force
61 Enforcing a net command.
62 --request-timeout 30
64 Let client requests timeout after 30 seconds the default is 10
65 seconds.
66 -t|--timeout 30
68 Set timeout for client operations to 30 seconds.
69 -i|--stdin
71 Take input for net commands from standard input.
72 -T|--test
74 Only test command sequence, dry-run.
75 -F|--flags FLAGS
77 Pass down integer flags to a net subcommand.
78 -C|--comment COMMENT
80 Pass down a comment string to a net subcommand.
81 --myname MYNAME
83 Use MYNAME as a requester name for a net subcommand.
84 -c|--container CONTAINER
86 Use a specific AD container for net ads operations.
87 -M|--maxusers MAXUSERS
89 Fill in the maxusers field in net rpc share operations.
90 -r|--reboot
92 Reboot a remote machine after a command has been successfully
93 executed (e.g. in remote join operations).
94 --force-full-repl
96 When calling "net rpc vampire keytab" this option enforces a full
97 re-creation of the generated keytab file.
98 --single-obj-repl
100 When calling "net rpc vampire keytab" this option allows one to
101 replicate just a single object to the generated keytab file.
102 --clean-old-entries
104 When calling "net rpc vampire keytab" this option allows one to
105 cleanup old entries from the generated keytab file.
106 --db
108 Define dbfile for "net idmap" commands.
109 --lock
111 Activates locking of the dbfile for "net idmap check" command.
112 -a|--auto
114 Activates noninteractive mode in "net idmap check".
115 --repair
117 Activates repair mode in "net idmap check".
118 --acls
120 Includes ACLs to be copied in "net rpc share migrate".
121 --attrs
123 Includes file attributes to be copied in "net rpc share migrate".
124 --timestamps
126 Includes timestamps to be copied in "net rpc share migrate".
127 -X|--exclude DIRECTORY
129 Allows one to exclude directories when copying with "net rpc share
130 migrate".
131 --destination SERVERNAME
133 Defines the target servername of migration process (defaults to
134 localhost).
135 -L|--local
137 Sets the type of group mapping to local (used in "net groupmap
138 set").
139 -D|--domain
141 Sets the type of group mapping to domain (used in "net groupmap
142 set").
143 -N|--ntname NTNAME
145 Sets the ntname of a group mapping (used in "net groupmap set").
146 --rid RID
148 Sets the rid of a group mapping (used in "net groupmap set").
149 --reg-version REG_VERSION
151 Assume database version {n|1,2,3} (used in "net registry check").
152 -o|--output FILENAME
154 Output database file (used in "net registry check").
155 --wipe
157 Create a new database from scratch (used in "net registry check").
158 --precheck PRECHECK_DB_FILENAME
160 Defines filename for database prechecking (used in "net registry
161 import").
162 --no-dns-updates
164 Do not perform DNS updates as part of "net ads join".
165 --keep-account
167 Prevent the machine account removal as part of "net ads leave".
168 --json
170 Report results in JSON format for "net ads info" and "net ads
171 lookup".
172 --recursive
174 Traverse a directory hierarchy.
175 --continue
177 Continue traversing a directory hierarchy in case conversion of one
178 file fails.
179 --follow-symlinks
181 Follow symlinks encountered while traversing a directory.
182 -d|--debuglevel=DEBUGLEVEL
184 level is an integer from 0 to 10. The default value if this
185 parameter is not specified is 1 for client applications.
186 The higher this value, the more detail will be logged to the log
188 files about the activities of the server. At level 0, only critical
189 errors and serious warnings will be logged. Level 1 is a reasonable
190 level for day-to-day running - it generates a small amount of
191 information about operations carried out.
192 Levels above 1 will generate considerable amounts of log data, and
194 should only be used when investigating a problem. Levels above 3
195 are designed for use only by developers and generate HUGE amounts
196 of log data, most of which is extremely cryptic.
197 Note that specifying this parameter here will override the log
199 level parameter in the /etc/samba/smb.conf file.
200 --debug-stdout
202 This will redirect debug output to STDOUT. By default all clients
203 are logging to STDERR.
204 --configfile=<configuration file>
206 The file specified contains the configuration details required by
207 the client. The information in this file can be general for client
208 and server or only provide client specific like options such as
209 client smb encrypt. See /etc/samba/smb.conf for more information.
210 The default configuration file name is determined at compile time.
211 --option=<name>=<value>
213 Set the smb.conf(5) option "<name>" to value "<value>" from the
214 command line. This overrides compiled-in defaults and options read
215 from the configuration file. If a name or a value includes a space,
216 wrap whole --option=name=value into quotes.
217 -l|--log-basename=logdirectory
219 Base directory name for log/debug files. The extension ".progname"
220 will be appended (e.g. log.smbclient, log.smbd, etc...). The log
221 file is never removed by the client.
222 --leak-report
224 Enable talloc leak reporting on exit.
225 --leak-report-full
227 Enable full talloc leak reporting on exit.
228 -V|--version
230 Prints the program version number.
231 -R|--name-resolve=NAME-RESOLVE-ORDER
233 This option is used to determine what naming services and in what
234 order to resolve host names to IP addresses. The option takes a
235 space-separated string of different name resolution options. The
236 best ist to wrap the whole --name-resolve=NAME-RESOLVE-ORDER into
237 quotes.
238 The options are: "lmhosts", "host", "wins" and "bcast". They cause
240 names to be resolved as follows:
241 • lmhosts: Lookup an IP address in the Samba lmhosts file.
243 If the line in lmhosts has no name type attached to the
244 NetBIOS name (see the lmhosts(5) for details) then any
245 name type matches for lookup.
246 • host: Do a standard host name to IP address resolution,
248 using the system /etc/hosts, NIS, or DNS lookups. This
249 method of name resolution is operating system dependent,
250 for instance on IRIX or Solaris this may be controlled
251 by the /etc/nsswitch.conf file). Note that this method
252 is only used if the NetBIOS name type being queried is
253 the 0x20 (server) name type, otherwise it is ignored.
254 • wins: Query a name with the IP address listed in the
256 wins server parameter. If no WINS server has been
257 specified this method will be ignored.
258 • bcast: Do a broadcast on each of the known local
260 interfaces listed in the interfaces parameter. This is
261 the least reliable of the name resolution methods as it
262 depends on the target host being on a locally connected
263 subnet.
264 If this parameter is not set then the name resolve order defined in
266 the /etc/samba/smb.conf file parameter (name resolve order) will be
267 used.
268 The default order is lmhosts, host, wins, bcast. Without this
270 parameter or any entry in the name resolve order parameter of the
271 /etc/samba/smb.conf file, the name resolution methods will be
272 attempted in this order.
273 -O|--socket-options=SOCKETOPTIONS
275 TCP socket options to set on the client socket. See the socket
276 options parameter in the /etc/samba/smb.conf manual page for the
277 list of valid options.
278 -m|--max-protocol=MAXPROTOCOL
280 The value of the parameter (a string) is the highest protocol level
281 that will be supported by the client.
282 Note that specifying this parameter here will override the client
284 max protocol parameter in the /etc/samba/smb.conf file.
285 -n|--netbiosname=NETBIOSNAME
287 This option allows you to override the NetBIOS name that Samba uses
288 for itself. This is identical to setting the netbios name parameter
289 in the /etc/samba/smb.conf file. However, a command line setting
290 will take precedence over settings in /etc/samba/smb.conf.
291 --netbios-scope=SCOPE
293 This specifies a NetBIOS scope that nmblookup will use to
294 communicate with when generating NetBIOS names. For details on the
295 use of NetBIOS scopes, see rfc1001.txt and rfc1002.txt. NetBIOS
296 scopes are very rarely used, only set this parameter if you are the
297 system administrator in charge of all the NetBIOS systems you
298 communicate with.
299 -W|--workgroup=WORKGROUP
301 Set the SMB domain of the username. This overrides the default
302 domain which is the domain defined in smb.conf. If the domain
303 specified is the same as the servers NetBIOS name, it causes the
304 client to log on using the servers local SAM (as opposed to the
305 Domain SAM).
306 Note that specifying this parameter here will override the
308 workgroup parameter in the /etc/samba/smb.conf file.
309 -r|--realm=REALM
311 Set the realm for the domain.
312 Note that specifying this parameter here will override the realm
314 parameter in the /etc/samba/smb.conf file.
315 -U|--user=[DOMAIN\]USERNAME[%PASSWORD]
317 Sets the SMB username or username and password.
318 If %PASSWORD is not specified, the user will be prompted. The
320 client will first check the USER environment variable (which is
321 also permitted to also contain the password separated by a %), then
322 the LOGNAME variable (which is not permitted to contain a password)
323 and if either exists, the value is used. If these environmental
324 variables are not found, the username found in a Kerberos
325 Credentials cache may be used.
326 A third option is to use a credentials file which contains the
328 plaintext of the username and password. This option is mainly
329 provided for scripts where the admin does not wish to pass the
330 credentials on the command line or via environment variables. If
331 this method is used, make certain that the permissions on the file
332 restrict access from unwanted users. See the -A for more details.
333 Be cautious about including passwords in scripts or passing
335 user-supplied values onto the command line. For security it is
336 better to let the Samba client tool ask for the password if needed,
337 or obtain the password once with kinit.
338 While Samba will attempt to scrub the password from the process
340 title (as seen in ps), this is after startup and so is subject to a
341 race.
342 -N|--no-pass
344 If specified, this parameter suppresses the normal password prompt
345 from the client to the user. This is useful when accessing a
346 service that does not require a password.
347 Unless a password is specified on the command line or this
349 parameter is specified, the client will request a password.
350 If a password is specified on the command line and this option is
352 also defined the password on the command line will be silently
353 ignored and no password will be used.
354 --password
356 Specify the password on the commandline.
357 Be cautious about including passwords in scripts or passing
359 user-supplied values onto the command line. For security it is
360 better to let the Samba client tool ask for the password if needed,
361 or obtain the password once with kinit.
362 If --password is not specified, the tool will check the PASSWD
364 environment variable, followed by PASSWD_FD which is expected to
365 contain an open file descriptor (FD) number.
366 Finally it will check PASSWD_FILE (containing a file path to be
368 opened). The file should only contain the password. Make certain
369 that the permissions on the file restrict access from unwanted
370 users!
371 While Samba will attempt to scrub the password from the process
373 title (as seen in ps), this is after startup and so is subject to a
374 race.
375 --pw-nt-hash
377 The supplied password is the NT hash.
378 -A|--authentication-file=filename
380 This option allows you to specify a file from which to read the
381 username and password used in the connection. The format of the
382 file is:
383 username = <value>
385 password = <value>
386 domain = <value>
387 Make certain that the permissions on the file restrict access from
390 unwanted users!
391 -P|--machine-pass
393 Use stored machine account password.
394 --simple-bind-dn=DN
396 DN to use for a simple bind.
397 --use-kerberos=desired|required|off
399 This parameter determines whether Samba client tools will try to
400 authenticate using Kerberos. For Kerberos authentication you need
401 to use dns names instead of IP addresses when connecting to a
402 service.
403 Note that specifying this parameter here will override the client
405 use kerberos parameter in the /etc/samba/smb.conf file.
406 --use-krb5-ccache=CCACHE
408 Specifies the credential cache location for Kerberos
409 authentication.
410 This will set --use-kerberos=required too.
412 --use-winbind-ccache
414 Try to use the credential cache by winbind.
415 --client-protection=sign|encrypt|off
417 Sets the connection protection the client tool should use.
418 Note that specifying this parameter here will override the client
420 protection parameter in the /etc/samba/smb.conf file.
421 In case you need more fine grained control you can use:
423 --option=clientsmbencrypt=OPTION, --option=clientipcsigning=OPTION,
424 --option=clientsigning=OPTION.
425
427 CHANGESECRETPW
428 This command allows the Samba machine account password to be set from
429 an external application to a machine account password that has already
430 been stored in Active Directory. DO NOT USE this command unless you
431 know exactly what you are doing. The use of this command requires that
432 the force flag (-f) be used also. There will be NO command prompt.
433 Whatever information is piped into stdin, either by typing at the
434 command line or otherwise, will be stored as the literal machine
435 password. Do NOT use this without care and attention as it will
436 overwrite a legitimate machine password without warning. YOU HAVE BEEN
437 WARNED.
438 TIME
440 The NET TIME command allows you to view the time on a remote server or
441 synchronise the time on the local server with the time on the remote
442 server.
443 TIME
445 Without any options, the NET TIME command displays the time on the
446 remote server. The remote server must be specified with the -S option.
447 TIME SYSTEM
449 Displays the time on the remote server in a format ready for /bin/date.
450 The remote server must be specified with the -S option.
451 TIME SET
453 Tries to set the date and time of the local server to that on the
454 remote server using /bin/date. The remote server must be specified with
455 the -S option.
456 TIME ZONE
458 Displays the timezone in hours from GMT on the remote server. The
459 remote server must be specified with the -S option.
460 [RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]]
462 [dnshostname=FQDN] [createupn=UPN] [createcomputer=OU]
463 [machinepass=PASS] [osName=string osVer=string] [options]
464 Join a domain. If the account already exists on the server, and [TYPE]
465 is MEMBER, the machine will attempt to join automatically. (Assuming
466 that the machine has been created in server manager) Otherwise, a
467 password will be prompted for, and a new account may be created.
468 [TYPE] may be PDC, BDC or MEMBER to specify the type of server joining
470 the domain.
471 [FQDN] (ADS only) set the dnsHostName attribute during the join. The
473 default format is netbiosname.dnsdomain.
474 [UPN] (ADS only) set the principalname attribute during the join. The
476 default format is host/netbiosname@REALM.
477 [OU] (ADS only) Precreate the computer account in a specific OU. The OU
479 string reads from top to bottom without RDNs, and is delimited by a
480 '/'. Please note that '\' is used for escape by both the shell and
481 ldap, so it may need to be doubled or quadrupled to pass through, and
482 it is not used as a delimiter.
483 [PASS] (ADS only) Set a specific password on the computer account being
485 created by the join.
486 [osName=string osVer=String] (ADS only) Set the operatingSystem and
488 operatingSystemVersion attribute during the join. Both parameters must
489 be specified for either to take effect.
490 [RPC] OLDJOIN [options]
492 Join a domain. Use the OLDJOIN option to join the domain using the old
493 style of domain joining - you need to create a trust account in server
494 manager first.
495 [RPC|ADS] USER
497 [RPC|ADS] USER
498 List all users
499 [RPC|ADS] USER DELETE target
501 Delete specified user
502 [RPC|ADS] USER INFO target
504 List the domain groups of the specified user.
505 [RPC|ADS] USER RENAME oldname newname
507 Rename specified user.
508 [RPC|ADS] USER ADD name [password] [-F user flags] [-C comment]
510 Add specified user.
511 [RPC|ADS] GROUP
513 [RPC|ADS] GROUP [misc options] [targets]
514 List user groups.
515 [RPC|ADS] GROUP DELETE name [misc. options]
517 Delete specified group.
518 [RPC|ADS] GROUP ADD name [-C comment]
520 Create specified group.
521 [ADS] LOOKUP
523 Lookup the closest Domain Controller in our domain and retrieve server
524 information about it.
525 [RAP|RPC] SHARE
527 [RAP|RPC] SHARE [misc. options] [targets]
528 Enumerates all exported resources (network shares) on target server.
529 [RAP|RPC] SHARE ADD name=serverpath [-C comment] [-M maxusers] [targets]
531 Adds a share from a server (makes the export active). Maxusers
532 specifies the number of users that can be connected to the share
533 simultaneously.
534 SHARE DELETE sharename
536 Delete specified share.
537 [RPC|RAP] FILE
539 [RPC|RAP] FILE
540 List all open files on remote server.
541 [RPC|RAP] FILE CLOSE fileid
543 Close file with specified fileid on remote server.
544 [RPC|RAP] FILE INFO fileid
546 Print information on specified fileid. Currently listed are: file-id,
547 username, locks, path, permissions.
548 [RAP|RPC] FILE USER user
550 List files opened by specified user. Please note that net rap file user
551 does not work against Samba servers.
552 SESSION
554 RAP SESSION
555 Without any other options, SESSION enumerates all active SMB/CIFS
556 sessions on the target server.
557 RAP SESSION DELETE|CLOSE CLIENT_NAME
559 Close the specified sessions.
560 RAP SESSION INFO CLIENT_NAME
562 Give a list with all the open files in specified session.
563 RAP SERVER DOMAIN
565 List all servers in specified domain or workgroup. Defaults to local
566 domain.
567 RAP DOMAIN
569 Lists all domains and workgroups visible on the current network.
570 RAP PRINTQ
572 RAP PRINTQ INFO QUEUE_NAME
573 Lists the specified print queue and print jobs on the server. If the
574 QUEUE_NAME is omitted, all queues are listed.
575 RAP PRINTQ DELETE JOBID
577 Delete job with specified id.
578 RAP VALIDATE user [password]
580 Validate whether the specified user can log in to the remote server. If
581 the password is not specified on the commandline, it will be prompted.
582 Note
584 Currently NOT implemented.
585 RAP GROUPMEMBER
587 RAP GROUPMEMBER LIST GROUP
588 List all members of the specified group.
589 RAP GROUPMEMBER DELETE GROUP USER
591 Delete member from group.
592 RAP GROUPMEMBER ADD GROUP USER
594 Add member to group.
595 RAP ADMIN command
597 Execute the specified command on the remote server. Only works with
598 OS/2 servers.
599 Note
601 Currently NOT implemented.
602 RAP SERVICE
604 RAP SERVICE START NAME [arguments...]
605 Start the specified service on the remote server. Not implemented yet.
606 Note
608 Currently NOT implemented.
609 RAP SERVICE STOP
611 Stop the specified service on the remote server.
612 Note
614 Currently NOT implemented.
615 RAP PASSWORD USER OLDPASS NEWPASS
617 Change password of USER from OLDPASS to NEWPASS.
618 LOOKUP
620 LOOKUP HOST HOSTNAME [TYPE]
621 Lookup the IP address of the given host with the specified type
622 (netbios suffix). The type defaults to 0x20 (workstation).
623 LOOKUP LDAP [DOMAIN]
625 Give IP address of LDAP server of specified DOMAIN. Defaults to local
626 domain.
627 LOOKUP KDC [REALM]
629 Give IP address of KDC for the specified REALM. Defaults to local
630 realm.
631 LOOKUP DC [DOMAIN]
633 Give IP's of Domain Controllers for specified
634 DOMAIN. Defaults to local domain.
635 LOOKUP MASTER DOMAIN
637 Give IP of master browser for specified DOMAIN or workgroup. Defaults
638 to local domain.
639 LOOKUP NAME [NAME]
641 Lookup username's sid and type for specified NAME
642 LOOKUP SID [SID]
644 Give sid's name and type for specified SID
645 LOOKUP DSGETDCNAME [NAME] [FLAGS] [SITENAME]
647 Give Domain Controller information for specified domain NAME
648 CACHE
650 Samba uses a general caching interface called 'gencache'. It can be
651 controlled using 'NET CACHE'.
652 All the timeout parameters support the suffixes:
654 s - Seconds
655 m - Minutes
656 h - Hours
657 d - Days
658 w - Weeks
659 CACHE ADD key data time-out
661 Add specified key+data to the cache with the given timeout.
662 CACHE DEL key
664 Delete key from the cache.
665 CACHE SET key data time-out
667 Update data of existing cache entry.
668 CACHE SEARCH PATTERN
670 Search for the specified pattern in the cache data.
671 CACHE LIST
673 List all current items in the cache.
674 CACHE FLUSH
676 Remove all the current items from the cache.
677 GETLOCALSID [DOMAIN]
679 Prints the SID of the specified domain, or if the parameter is omitted,
680 the SID of the local server.
681 SETLOCALSID S-1-5-21-x-y-z
683 Sets SID for the local server to the specified SID.
684 GETDOMAINSID
686 Prints the local machine SID and the SID of the current domain.
687 SETDOMAINSID
689 Sets the SID of the current domain.
690 GROUPMAP
692 Manage the mappings between Windows group SIDs and UNIX groups. Common
693 options include:
694 • unixgroup - Name of the UNIX group
696 • ntgroup - Name of the Windows NT group (must be resolvable
698 to a SID
699 • rid - Unsigned 32-bit integer
701 • sid - Full SID in the form of "S-1-..."
703 • type - Type of the group; either 'domain', 'local', or
705 'builtin'
706 • comment - Freeform text description of the group
708 GROUPMAP ADD
711 Add a new group mapping entry:
712 net groupmap add {rid=int|sid=string} unixgroup=string \
714 [type={domain|local}] [ntgroup=string] [comment=string]
715 GROUPMAP DELETE
719 Delete a group mapping entry. If more than one group name matches, the
720 first entry found is deleted.
721 net groupmap delete {ntgroup=string|sid=SID}
723 GROUPMAP MODIFY
725 Update an existing group entry.
726 net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] \
728 [comment=string] [type={domain|local}]
729 GROUPMAP LIST
733 List existing group mapping entries.
734 net groupmap list [verbose] [ntgroup=string] [sid=SID]
736 MAXRID
738 Prints out the highest RID currently in use on the local server (by the
739 active 'passdb backend').
740 RPC INFO
742 Print information about the domain of the remote server, such as domain
743 name, domain sid and number of users and groups.
744 [RPC|ADS] TESTJOIN
746 Check whether participation in a domain is still valid.
747 [RPC|ADS] CHANGETRUSTPW
749 Force change of domain trust password.
750 RPC TRUSTDOM
752 RPC TRUSTDOM ADD DOMAIN
753 Add a interdomain trust account for DOMAIN. This is in fact a Samba
754 account named DOMAIN$ with the account flag 'I' (interdomain trust
755 account). This is required for incoming trusts to work. It makes Samba
756 be a trusted domain of the foreign (trusting) domain. Users of the
757 Samba domain will be made available in the foreign domain. If the
758 command is used against localhost it has the same effect as smbpasswd
759 -a -i DOMAIN. Please note that both commands expect a appropriate UNIX
760 account.
761 RPC TRUSTDOM DEL DOMAIN
763 Remove interdomain trust account for DOMAIN. If it is used against
764 localhost it has the same effect as smbpasswd -x DOMAIN$.
765 RPC TRUSTDOM ESTABLISH DOMAIN
767 Establish a trust relationship to a trusted domain. Interdomain account
768 must already be created on the remote PDC. This is required for
769 outgoing trusts to work. It makes Samba be a trusting domain of a
770 foreign (trusted) domain. Users of the foreign domain will be made
771 available in our domain. You'll need winbind and a working idmap config
772 to make them appear in your system.
773 RPC TRUSTDOM REVOKE DOMAIN
775 Abandon relationship to trusted domain
776 RPC TRUSTDOM LIST
778 List all interdomain trust relationships.
779 RPC TRUST
781 RPC TRUST CREATE
782 Create a trust object by calling lsaCreateTrustedDomainEx2. The can be
783 done on a single server or on two servers at once with the possibility
784 to use a random trust password.
785 Options:
787 otherserver
789 Domain controller of the second domain
790 otheruser
792 Admin user in the second domain
793 otherdomainsid
795 SID of the second domain
796 other_netbios_domain
798 NetBIOS (short) name of the second domain
799 otherdomain
801 DNS (full) name of the second domain
802 trustpw
804 Trust password
805 Examples:
807 Create a trust object on srv1.dom1.dom for the domain dom2
809 net rpc trust create \
811 otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
812 other_netbios_domain=dom2 \
813 otherdomain=dom2.dom \
814 trustpw=12345678 \
815 -S srv1.dom1.dom
816 Create a trust relationship between dom1 and dom2
818 net rpc trust create \
820 otherserver=srv2.dom2.test \
821 otheruser=dom2adm \
822 -S srv1.dom1.dom
823 RPC TRUST DELETE
825 Delete a trust object by calling lsaDeleteTrustedDomain. The can be
826 done on a single server or on two servers at once.
827 Options:
829 otherserver
831 Domain controller of the second domain
832 otheruser
834 Admin user in the second domain
835 otherdomainsid
837 SID of the second domain
838 Examples:
840 Delete a trust object on srv1.dom1.dom for the domain dom2
842 net rpc trust delete \
844 otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
845 -S srv1.dom1.dom
846 Delete a trust relationship between dom1 and dom2
848 net rpc trust delete \
850 otherserver=srv2.dom2.test \
851 otheruser=dom2adm \
852 -S srv1.dom1.dom
853 RPC RIGHTS
856 This subcommand is used to view and manage Samba's rights assignments
857 (also referred to as privileges). There are three options currently
858 available: list, grant, and revoke. More details on Samba's privilege
859 model and its use can be found in the Samba-HOWTO-Collection.
860 RPC ABORTSHUTDOWN
862 Abort the shutdown of a remote server.
863 RPC SHUTDOWN [-t timeout] [-r] [-f] [-C message]
865 Shut down the remote server.
866 -r
868 Reboot after shutdown.
869 -f
871 Force shutting down all applications.
872 -t timeout
874 Timeout before system will be shut down. An interactive user of the
875 system can use this time to cancel the shutdown.
876 -C message
878 Display the specified message on the screen to announce the
879 shutdown.
880 RPC SAMDUMP
882 Print out sam database of remote server. You need to run this against
883 the PDC, from a Samba machine joined as a BDC.
884 RPC VAMPIRE
886 Export users, aliases and groups from remote server to local server.
887 You need to run this against the PDC, from a Samba machine joined as a
888 BDC. This vampire command cannot be used against an Active Directory,
889 only against an NT4 Domain Controller.
890 RPC VAMPIRE KEYTAB
892 Dump remote SAM database to local Kerberos keytab file.
893 RPC VAMPIRE LDIF
895 Dump remote SAM database to local LDIF file or standard output.
896 RPC GETSID
898 Fetch domain SID and store it in the local secrets.tdb.
899 ADS GPO
901 ADS GPO APPLY <USERNAME|MACHINENAME>
902 Apply GPOs for a username or machine name. Either username or machine
903 name should be provided to the command, not both.
904 ADS GPO GETGPO [GPO]
906 List specified GPO.
907 ADS GPO LINKADD [LINKDN] [GPODN]
909 Link a container to a GPO. LINKDN Container to link to a GPO. GPODN
910 GPO to link container to. DNs must be provided properly escaped. See
911 RFC 4514 for details.
912 ADS GPO LINKGET [CONTAINER]
914 Lists gPLink of a containter.
915 ADS GPO LIST <USERNAME|MACHINENAME>
917 Lists all GPOs for a username or machine name. Either username or
918 machine name should be provided to the command, not both.
919 ADS GPO LISTALL
921 Lists all GPOs on a DC.
922 ADS GPO REFRESH [USERNAME] [MACHINENAME]
924 Lists all GPOs assigned to an account and download them. USERNAME User
925 to refresh GPOs for. MACHINENAME Machine to refresh GPOs for.
926 ADS DNS
928 ADS DNS REGISTER [HOSTNAME [IP [IP.....]]]
929 Add host dns entry to Active Directory.
930 ADS DNS UNREGISTER <HOSTNAME>
932 Remove host dns entry from Active Directory.
933 ADS LEAVE [--keep-account]
935 Make the remote host leave the domain it is part of.
936 ADS STATUS
938 Print out status of machine account of the local machine in ADS. Prints
939 out quite some debug info. Aimed at developers, regular users should
940 use NET ADS TESTJOIN.
941 ADS PRINTER
943 ADS PRINTER INFO [PRINTER] [SERVER]
944 Lookup info for PRINTER on SERVER. The printer name defaults to "*",
945 the server name defaults to the local host.
946 ADS PRINTER PUBLISH PRINTER
948 Publish specified printer using ADS.
949 ADS PRINTER REMOVE PRINTER
951 Remove specified printer from ADS directory.
952 ADS SEARCH EXPRESSION ATTRIBUTES...
954 Perform a raw LDAP search on a ADS server and dump the results. The
955 expression is a standard LDAP search expression, and the attributes are
956 a list of LDAP fields to show in the results.
957 Example: net ads search '(objectCategory=group)' sAMAccountName
959 ADS DN DN (attributes)
961 Perform a raw LDAP search on a ADS server and dump the results. The DN
962 standard LDAP DN, and the attributes are a list of LDAP fields to show
963 in the result.
964 Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain'
966 SAMAccountName
967 ADS KEYTAB CREATE
969 Creates a new keytab file if one doesn't exist with default entries.
970 Default entries are kerberos principals created from the machinename of
971 the client, the UPN (if it exists) and any Windows SPN(s) associated
972 with the computer AD account for the client. If a keytab file already
973 exists then only missing kerberos principals from the default entries
974 are added. No changes are made to the computer AD account.
975 ADS KEYTAB ADD (principal | machine | serviceclass | windows SPN
977 Adds a new keytab entry, the entry can be either;
978 kerberos principal
980 A kerberos principal (identified by the presence of '@') is just
981 added to the keytab file.
982 machinename
984 A machinename (identified by the trailing '$') is used to create a
985 a kerberos principal 'machinename@realm' which is added to the
986 keytab file.
987 serviceclass
989 A serviceclass (such as 'cifs', 'html' etc.) is used to create a
990 pair of kerberos principals
991 'serviceclass/fully_qualified_dns_name@realm' &
992 'serviceclass/netbios_name@realm' which are added to the keytab
993 file.
994 Windows SPN
996 A Windows SPN is of the format 'serviceclass/host:port', it is used
997 to create a kerberos principal 'serviceclass/host@realm' which will
998 be written to the keytab file.
999 Unlike old versions no computer AD objects are modified by this
1001 command. To preserve the bevhaviour of older clients 'net ads keytab
1002 ad_update_ads' is available.
1003 ADS KEYTAB ADD_UPDATE_ADS (principal | machine | serviceclass | windows SPN
1005 Adds a new keytab entry (see section for net ads keytab add). In
1006 addition to adding entries to the keytab file corrosponding Windows
1007 SPNs are created from the entry passed to this command. These SPN(s)
1008 added to the AD computer account object associated with the client
1009 machine running this command for the following entry types;
1010 serviceclass
1012 A serviceclass (such as 'cifs', 'html' etc.) is used to create a
1013 pair of Windows SPN(s) 'param/full_qualified_dns' &
1014 'param/netbios_name' which are added to the AD computer account
1015 object for this client.
1016 Windows SPN
1018 A Windows SPN is of the format 'serviceclass/host:port', it is
1019 added as passed to the AD computer account object for this client.
1020 ADS setspn SETSPN LIST [machine]
1022 Lists the Windows SPNs stored in the 'machine' Windows AD Computer
1023 object. If 'machine' is not specified then computer account for this
1024 client is used instead.
1025 ADS setspn SETSPN ADD SPN [machine]
1027 Adds the specified Windows SPN to the 'machine' Windows AD Computer
1028 object. If 'machine' is not specified then computer account for this
1029 client is used instead.
1030 ADS setspn SETSPN DELETE SPN [machine]
1032 DELETE the specified Window SPN from the 'machine' Windows AD Computer
1033 object. If 'machine' is not specified then computer account for this
1034 client is used instead.
1035 ADS WORKGROUP
1037 Print out workgroup name for specified kerberos realm.
1038 ADS ENCTYPES
1040 List, modify or delete the value of the "msDS-SupportedEncryptionTypes"
1041 attribute of an account in AD.
1042 This attribute allows one to control which Kerberos encryption types
1044 are used for the generation of initial and service tickets. The value
1045 consists of an integer bitmask with the following values:
1046 0x00000001 DES-CBC-CRC
1048 0x00000002 DES-CBC-MD5
1050 0x00000004 RC4-HMAC
1052 0x00000008 AES128-CTS-HMAC-SHA1-96
1054 0x00000010 AES256-CTS-HMAC-SHA1-96
1056 ADS ENCTYPES LIST <ACCOUNTNAME>
1058 List the value of the "msDS-SupportedEncryptionTypes" attribute of a
1059 given account.
1060 Example: net ads enctypes list Computername
1062 ADS ENCTYPES SET <ACCOUNTNAME> [enctypes]
1064 Set the value of the "msDS-SupportedEncryptionTypes" attribute of the
1065 LDAP object of ACCOUNTNAME to a given value. If the value is omitted,
1066 the value is set to 31 which enables all the currently supported
1067 encryption types.
1068 Example: net ads enctypes set Computername 24
1070 ADS ENCTYPES DELETE <ACCOUNTNAME>
1072 Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP
1073 object of ACCOUNTNAME.
1074 Example: net ads enctypes set Computername 24
1076 SAM CREATEBUILTINGROUP <NAME>
1078 (Re)Create a BUILTIN group. Only a wellknown set of BUILTIN groups can
1079 be created with this command. This is the list of currently recognized
1080 group names: Administrators, Users, Guests, Power Users, Account
1081 Operators, Server Operators, Print Operators, Backup Operators,
1082 Replicator, RAS Servers, Pre-Windows 2000 compatible Access. This
1083 command requires a running Winbindd with idmap allocation properly
1084 configured. The group gid will be allocated out of the winbindd range.
1085 SAM CREATELOCALGROUP <NAME>
1087 Create a LOCAL group (also known as Alias). This command requires a
1088 running Winbindd with idmap allocation properly configured. The group
1089 gid will be allocated out of the winbindd range.
1090 SAM DELETELOCALGROUP <NAME>
1092 Delete an existing LOCAL group (also known as Alias).
1093 SAM MAPUNIXGROUP <NAME>
1095 Map an existing Unix group and make it a Domain Group, the domain group
1096 will have the same name.
1097 SAM UNMAPUNIXGROUP <NAME>
1099 Remove an existing group mapping entry.
1100 SAM ADDMEM <GROUP> <MEMBER>
1102 Add a member to a Local group. The group can be specified only by name,
1103 the member can be specified by name or SID.
1104 SAM DELMEM <GROUP> <MEMBER>
1106 Remove a member from a Local group. The group and the member must be
1107 specified by name.
1108 SAM LISTMEM <GROUP>
1110 List Local group members. The group must be specified by name.
1111 SAM LIST <users|groups|localgroups|builtin|workstations> [verbose]
1113 List the specified set of accounts by name. If verbose is specified,
1114 the rid and description is also provided for each account.
1115 SAM RIGHTS LIST
1117 List all available privileges.
1118 SAM RIGHTS GRANT <NAME> <PRIVILEGE>
1120 Grant one or more privileges to a user.
1121 SAM RIGHTS REVOKE <NAME> <PRIVILEGE>
1123 Revoke one or more privileges from a user.
1124 SAM SHOW <NAME>
1126 Show the full DOMAIN\\NAME the SID and the type for the corresponding
1127 account.
1128 SAM SET HOMEDIR <NAME> <DIRECTORY>
1130 Set the home directory for a user account.
1131 SAM SET PROFILEPATH <NAME> <PATH>
1133 Set the profile path for a user account.
1134 SAM SET COMMENT <NAME> <COMMENT>
1136 Set the comment for a user or group account.
1137 SAM SET FULLNAME <NAME> <FULL NAME>
1139 Set the full name for a user account.
1140 SAM SET LOGONSCRIPT <NAME> <SCRIPT>
1142 Set the logon script for a user account.
1143 SAM SET HOMEDRIVE <NAME> <DRIVE>
1145 Set the home drive for a user account.
1146 SAM SET WORKSTATIONS <NAME> <WORKSTATIONS>
1148 Set the workstations a user account is allowed to log in from.
1149 SAM SET DISABLE <NAME>
1151 Set the "disabled" flag for a user account.
1152 SAM SET PWNOTREQ <NAME>
1154 Set the "password not required" flag for a user account.
1155 SAM SET AUTOLOCK <NAME>
1157 Set the "autolock" flag for a user account.
1158 SAM SET PWNOEXP <NAME>
1160 Set the "password do not expire" flag for a user account.
1161 SAM SET PWDMUSTCHANGENOW <NAME> [yes|no]
1163 Set or unset the "password must change" flag for a user account.
1164 SAM POLICY LIST
1166 List the available account policies.
1167 SAM POLICY SHOW <account policy>
1169 Show the account policy value.
1170 SAM POLICY SET <account policy> <value>
1172 Set a value for the account policy. Valid values can be: "forever",
1173 "never", "off", or a number.
1174 SAM PROVISION
1176 Only available if ldapsam:editposix is set and winbindd is running.
1177 Properly populates the ldap tree with the basic accounts
1178 (Administrator) and groups (Domain Users, Domain Admins, Domain Guests)
1179 on the ldap tree.
1180 IDMAP DUMP <local tdb file name>
1182 Dumps the mappings contained in the local tdb file specified. This
1183 command is useful to dump only the mappings produced by the idmap_tdb
1184 backend.
1185 IDMAP RESTORE [input file]
1187 Restore the mappings from the specified file or stdin.
1188 IDMAP SET SECRET <DOMAIN> <secret>
1190 Store a secret for the specified domain, used primarily for domains
1191 that use idmap_ldap as a backend. In this case the secret is used as
1192 the password for the user DN used to bind to the ldap server.
1193 IDMAP SET RANGE <RANGE> <SID> [index] [--db=<DB>]
1195 Store a domain-range mapping for a given domain (and index) in autorid
1196 database.
1197 IDMAP SET CONFIG <config> [--db=<DB>]
1199 Update CONFIG entry in autorid database.
1200 IDMAP GET RANGE <SID> [index] [--db=<DB>]
1202 Get the range for a given domain and index from autorid database.
1203 IDMAP GET RANGES [<SID>] [--db=<DB>]
1205 Get ranges for all domains or for one identified by given SID.
1206 IDMAP GET CONFIG [--db=<DB>]
1208 Get CONFIG entry from autorid database.
1209 IDMAP DELETE MAPPING [-f] [--db=<DB>] <ID>
1211 Delete a mapping sid <-> gid or sid <-> uid from the IDMAP database.
1212 The mapping is given by <ID> which may either be a sid: S-x-..., a gid:
1213 "GID number" or a uid: "UID number". Use -f to delete an invalid
1214 partial mapping <ID> -> xx
1215 Use "smbcontrol all idmap ..." to notify running smbd instances. See
1217 the smbcontrol(1) manpage for details.
1218 IDMAP DELETE RANGE [-f] [--db=<TDB>] <RANGE>|(<SID> [<INDEX>])
1220 Delete a domain range mapping identified by 'RANGE' or "domain SID and
1221 INDEX" from autorid database. Use -f to delete invalid mappings.
1222 IDMAP DELETE RANGES [-f] [--db=<TDB>] <SID>
1224 Delete all domain range mappings for a domain identified by SID. Use -f
1225 to delete invalid mappings.
1226 IDMAP CHECK [-v] [-r] [-a] [-T] [-f] [-l] [--db=<DB>]
1228 Check and repair the IDMAP database. If no option is given a read only
1229 check of the database is done. Among others an interactive or automatic
1230 repair mode may be chosen with one of the following options:
1231 -r|--repair
1233 Interactive repair mode, ask a lot of questions.
1234 -a|--auto
1236 Noninteractive repair mode, use default answers.
1237 -v|--verbose
1239 Produce more output.
1240 -f|--force
1242 Try to apply changes, even if they do not apply cleanly.
1243 -T|--test
1245 Dry run, show what changes would be made but don't touch anything.
1246 -l|--lock
1248 Lock the database while doing the check.
1249 --db <DB>
1251 Check the specified database.
1252 It reports about the finding of the following errors:
1254 Missing reverse mapping:
1256 A record with mapping A->B where there is no B->A. Default action
1257 in repair mode is to "fix" this by adding the reverse mapping.
1258 Invalid mapping:
1260 A record with mapping A->B where B->C. Default action is to
1261 "delete" this record.
1262 Missing or invalid HWM:
1264 A high water mark is not at least equal to the largest ID in the
1265 database. Default action is to "fix" this by setting it to the
1266 largest ID found +1.
1267 Invalid record:
1269 Something we failed to parse. Default action is to "edit" it in
1270 interactive and "delete" it in automatic mode.
1271 USERSHARE
1273 Starting with version 3.0.23, a Samba server now supports the ability
1274 for non-root users to add user defined shares to be exported using the
1275 "net usershare" commands.
1276 To set this up, first set up your /etc/samba/smb.conf by adding to the
1278 [global] section: usershare path = /usr/local/samba/lib/usershares Next
1279 create the directory /usr/local/samba/lib/usershares, change the owner
1280 to root and set the group owner to the UNIX group who should have the
1281 ability to create usershares, for example a group called "serverops".
1282 Set the permissions on /usr/local/samba/lib/usershares to 01770. (Owner
1283 and group all access, no access for others, plus the sticky bit, which
1284 means that a file in that directory can be renamed or deleted only by
1285 the owner of the file). Finally, tell smbd how many usershares you will
1286 allow by adding to the [global] section of /etc/samba/smb.conf a line
1287 such as : usershare max shares = 100. To allow 100 usershare
1288 definitions. Now, members of the UNIX group "serverops" can create user
1289 defined shares on demand using the commands below.
1290 The usershare commands are:
1292 net usershare add sharename path [comment [acl] [guest_ok=[y|n]]] -
1293 to add or change a user defined share.
1294 net usershare delete sharename - to delete a user defined share.
1295 net usershare info [--long] [wildcard sharename] - to print info
1296 about a user defined share.
1297 net usershare list [--long] [wildcard sharename] - to list user
1298 defined shares.
1299 USERSHARE ADD sharename path [comment] [acl] [guest_ok=[y|n]]
1301 Add or replace a new user defined share, with name "sharename".
1302 "path" specifies the absolute pathname on the system to be exported.
1304 Restrictions may be put on this, see the global /etc/samba/smb.conf
1305 parameters: "usershare owner only", "usershare prefix allow list", and
1306 "usershare prefix deny list".
1307 The optional "comment" parameter is the comment that will appear on the
1309 share when browsed to by a client.
1310 The optional "acl" field specifies which users have read and write
1312 access to the entire share. Note that guest connections are not allowed
1313 unless the /etc/samba/smb.conf parameter "usershare allow guests" has
1314 been set. The definition of a user defined share acl is:
1315 "user:permission", where user is a valid username on the system and
1316 permission can be "F", "R", or "D". "F" stands for "full permissions",
1317 ie. read and write permissions. "D" stands for "deny" for a user, ie.
1318 prevent this user from accessing this share. "R" stands for "read
1319 only", ie. only allow read access to this share (no creation of new
1320 files or directories or writing to files).
1321 The default if no "acl" is given is "Everyone:R", which means any
1323 authenticated user has read-only access.
1324 The optional "guest_ok" has the same effect as the parameter of the
1326 same name in /etc/samba/smb.conf, in that it allows guest access to
1327 this user defined share. This parameter is only allowed if the global
1328 parameter "usershare allow guests" has been set to true in the
1329 /etc/samba/smb.conf.
1330 There is no separate command to modify an existing user defined share,
1333 just use the "net usershare add [sharename]" command using the same
1334 sharename as the one you wish to modify and specify the new options you
1335 wish. The Samba smbd daemon notices user defined share modifications at
1336 connect time so will see the change immediately, there is no need to
1337 restart smbd on adding, deleting or changing a user defined share.
1338 USERSHARE DELETE sharename
1340 Deletes the user defined share by name. The Samba smbd daemon
1341 immediately notices this change, although it will not disconnect any
1342 users currently connected to the deleted share.
1343 USERSHARE INFO [--long] [wildcard sharename]
1345 Get info on user defined shares owned by the current user matching the
1346 given pattern, or all users.
1347 net usershare info on its own dumps out info on the user defined shares
1349 that were created by the current user, or restricts them to share names
1350 that match the given wildcard pattern ('*' matches one or more
1351 characters, '?' matches only one character). If the '--long' option is
1352 also given, it prints out info on user defined shares created by other
1353 users.
1354 The information given about a share looks like: [foobar]
1356 path=/home/jeremy comment=testme usershare_acl=Everyone:F guest_ok=n
1357 And is a list of the current settings of the user defined share that
1358 can be modified by the "net usershare add" command.
1359 USERSHARE LIST [--long] wildcard sharename
1361 List all the user defined shares owned by the current user matching the
1362 given pattern, or all users.
1363 net usershare list on its own list out the names of the user defined
1365 shares that were created by the current user, or restricts the list to
1366 share names that match the given wildcard pattern ('*' matches one or
1367 more characters, '?' matches only one character). If the '--long'
1368 option is also given, it includes the names of user defined shares
1369 created by other users.
1370 [RPC] CONF
1372 Starting with version 3.2.0, a Samba server can be configured by data
1373 stored in registry. This configuration data can be edited with the new
1374 "net conf" commands. There is also the possibility to configure a
1375 remote Samba server by enabling the RPC conf mode and specifying the
1376 address of the remote server.
1377 The deployment of this configuration data can be activated in two
1379 levels from the /etc/samba/smb.conf file: Share definitions from
1380 registry are activated by setting registry shares to “yes” in the
1381 [global] section and global configuration options are activated by
1382 setting include = registry in the [global] section for a mixed
1383 configuration or by setting config backend = registry in the [global]
1384 section for a registry-only configuration. See the smb.conf(5) manpage
1385 for details.
1386 The conf commands are:
1388 net [rpc] conf list - Dump the complete configuration in smb.conf
1389 like format.
1390 net [rpc] conf import - Import configuration from file in smb.conf
1391 format.
1392 net [rpc] conf listshares - List the registry shares.
1393 net [rpc] conf drop - Delete the complete configuration from
1394 registry.
1395 net [rpc] conf showshare - Show the definition of a registry share.
1396 net [rpc] conf addshare - Create a new registry share.
1397 net [rpc] conf delshare - Delete a registry share.
1398 net [rpc] conf setparm - Store a parameter.
1399 net [rpc] conf getparm - Retrieve the value of a parameter.
1400 net [rpc] conf delparm - Delete a parameter.
1401 net [rpc] conf getincludes - Show the includes of a share
1402 definition.
1403 net [rpc] conf setincludes - Set includes for a share.
1404 net [rpc] conf delincludes - Delete includes from a share
1405 definition.
1406 [RPC] CONF LIST
1408 Print the configuration data stored in the registry in a smb.conf-like
1409 format to standard output.
1410 [RPC] CONF IMPORT [--test|-T] filename [section]
1412 This command imports configuration from a file in smb.conf format. If a
1413 section encountered in the input file is present in registry, its
1414 contents is replaced. Sections of registry configuration that have no
1415 counterpart in the input file are not affected. If you want to delete
1416 these, you will have to use the "net conf drop" or "net conf delshare"
1417 commands. Optionally, a section may be specified to restrict the effect
1418 of the import command to that specific section. A test mode is enabled
1419 by specifying the parameter "-T" on the commandline. In test mode, no
1420 changes are made to the registry, and the resulting configuration is
1421 printed to standard output instead.
1422 [RPC] CONF LISTSHARES
1424 List the names of the shares defined in registry.
1425 [RPC] CONF DROP
1427 Delete the complete configuration data from registry.
1428 [RPC] CONF SHOWSHARE sharename
1430 Show the definition of the share or section specified. It is valid to
1431 specify "global" as sharename to retrieve the global configuration
1432 options from registry.
1433 [RPC] CONF ADDSHARE sharename path [writeable={y|N} [guest_ok={y|N}
1435 [comment]]]
1436 Create a new share definition in registry. The sharename and path have
1437 to be given. The share name may not be "global". Optionally, values for
1438 the very common options "writeable", "guest ok" and a "comment" may be
1439 specified. The same result may be obtained by a sequence of "net conf
1440 setparm" commands.
1441 [RPC] CONF DELSHARE sharename
1443 Delete a share definition from registry.
1444 [RPC] CONF SETPARM section parameter value
1446 Store a parameter in registry. The section may be global or a
1447 sharename. The section is created if it does not exist yet.
1448 [RPC] CONF GETPARM section parameter
1450 Show a parameter stored in registry.
1451 [RPC] CONF DELPARM section parameter
1453 Delete a parameter stored in registry.
1454 [RPC] CONF GETINCLUDES section
1456 Get the list of includes for the provided section (global or share).
1457 Note that due to the nature of the registry database and the nature of
1459 include directives, the includes need special treatment: Parameters are
1460 stored in registry by the parameter name as valuename, so there is only
1461 ever one instance of a parameter per share. Also, a specific order like
1462 in a text file is not guaranteed. For all real parameters, this is
1463 perfectly ok, but the include directive is rather a meta parameter, for
1464 which, in the smb.conf text file, the place where it is specified
1465 between the other parameters is very important. This can not be
1466 achieved by the simple registry smbconf data model, so there is one
1467 ordered list of includes per share, and this list is evaluated after
1468 all the parameters of the share.
1469 Further note that currently, only files can be included from registry
1471 configuration. In the future, there will be the ability to include
1472 configuration data from other registry keys.
1473 [RPC] CONF SETINCLUDES section [filename]+
1475 Set the list of includes for the provided section (global or share) to
1476 the given list of one or more filenames. The filenames may contain the
1477 usual smb.conf macros like %I.
1478 [RPC] CONF DELINCLUDES section
1480 Delete the list of includes from the provided section (global or
1481 share).
1482 REGISTRY
1484 Manipulate Samba's registry.
1485 The registry commands are:
1487 net registry enumerate - Enumerate registry keys and values.
1488 net registry enumerate_recursive - Enumerate registry key and its
1489 subkeys.
1490 net registry createkey - Create a new registry key.
1491 net registry deletekey - Delete a registry key.
1492 net registry deletekey_recursive - Delete a registry key with
1493 subkeys.
1494 net registry getvalue - Print a registry value.
1495 net registry getvalueraw - Print a registry value (raw format).
1496 net registry setvalue - Set a new registry value.
1497 net registry increment - Increment a DWORD registry value under a
1498 lock.
1499 net registry deletevalue - Delete a registry value.
1500 net registry getsd - Get security descriptor.
1501 net registry getsd_sdd1 - Get security descriptor in sddl format.
1502 net registry setsd_sdd1 - Set security descriptor from sddl format
1503 string.
1504 net registry import - Import a registration entries (.reg)
1505 file.
1506 net registry export - Export a registration entries (.reg)
1507 file.
1508 net registry convert - Convert a registration entries (.reg)
1509 file.
1510 net registry check - Check and repair a registry database.
1511 REGISTRY ENUMERATE key
1513 Enumerate subkeys and values of key.
1514 REGISTRY ENUMERATE_RECURSIVE key
1516 Enumerate values of key and its subkeys.
1517 REGISTRY CREATEKEY key
1519 Create a new key if not yet existing.
1520 REGISTRY DELETEKEY key
1522 Delete the given key and its values from the registry, if it has no
1523 subkeys.
1524 REGISTRY DELETEKEY_RECURSIVE key
1526 Delete the given key and all of its subkeys and values from the
1527 registry.
1528 REGISTRY GETVALUE key name
1530 Output type and actual value of the value name of the given key.
1531 REGISTRY GETVALUERAW key name
1533 Output the actual value of the value name of the given key.
1534 REGISTRY SETVALUE key name type value ...
1536 Set the value name of an existing key. type may be one of sz, multi_sz
1537 or dword. In case of multi_sz value may be given multiple times.
1538 REGISTRY INCREMENT key name [inc]
1540 Increment the DWORD value name of key by inc while holding a g_lock.
1541 inc defaults to 1.
1542 REGISTRY DELETEVALUE key name
1544 Delete the value name of the given key.
1545 REGISTRY GETSD key
1547 Get the security descriptor of the given key.
1548 REGISTRY GETSD_SDDL key
1550 Get the security descriptor of the given key as a Security Descriptor
1551 Definition Language (SDDL) string.
1552 REGISTRY SETSD_SDDL keysd
1554 Set the security descriptor of the given key from a Security Descriptor
1555 Definition Language (SDDL) string sd.
1556 REGISTRY IMPORT file [--precheck <check-file>] [opt]
1558 Import a registration entries (.reg) file.
1559 The following options are available:
1561 --precheck check-file
1563 This is a mechanism to check the existence or non-existence of
1564 certain keys or values specified in a precheck file before applying
1565 the import file. The import file will only be applied if the
1566 precheck succeeds.
1567 The check-file follows the normal registry file syntax with the
1569 following semantics:
1570 • <value name>=<value> checks whether the value exists and
1572 has the given value.
1573 • <value name>=- checks whether the value does not exist.
1575 • [key] checks whether the key exists.
1577 • [-key] checks whether the key does not exist.
1579 REGISTRY EXPORT keyfile[opt]
1582 Export a key to a registration entries (.reg) file.
1583 REGISTRY CONVERT in out [[inopt] outopt]
1585 Convert a registration entries (.reg) file in.
1586 REGISTRY CHECK [-ravTl] [-o <ODB>] [--wipe] [<DB>]
1588 Check and repair the registry database. If no option is given a read
1589 only check of the database is done. Among others an interactive or
1590 automatic repair mode may be chosen with one of the following options
1591 -r|--repair
1593 Interactive repair mode, ask a lot of questions.
1594 -a|--auto
1596 Noninteractive repair mode, use default answers.
1597 -v|--verbose
1599 Produce more output.
1600 -T|--test
1602 Dry run, show what changes would be made but don't touch anything.
1603 -l|--lock
1605 Lock the database while doing the check.
1606 --reg-version={1,2,3}
1608 Specify the format of the registry database. If not given it
1609 defaults to the value of the binary or, if an registry.tdb is
1610 explicitly stated at the commandline, to the value found in the
1611 INFO/version record.
1612 [--db] <DB>
1614 Check the specified database.
1615 -o|--output <ODB>
1617 Create a new registry database <ODB> instead of modifying the
1618 input. If <ODB> is already existing --wipe may be used to overwrite
1619 it.
1620 --wipe
1622 Replace the registry database instead of modifying the input or
1623 overwrite an existing output database.
1624 EVENTLOG
1626 Starting with version 3.4.0 net can read, dump, import and export
1627 native win32 eventlog files (usually *.evt). evt files are used by the
1628 native Windows eventviewer tools.
1629 The import and export of evt files can only succeed when eventlog list
1631 is used in /etc/samba/smb.conf file. See the smb.conf(5) manpage for
1632 details.
1633 The eventlog commands are:
1635 net eventlog dump - Dump a eventlog *.evt file on the screen.
1636 net eventlog import - Import a eventlog *.evt into the samba
1637 internal tdb based representation of eventlogs.
1638 net eventlog export - Export the samba internal tdb based
1639 representation of eventlogs into an eventlog *.evt file.
1640 EVENTLOG DUMP filename
1642 Prints a eventlog *.evt file to standard output.
1643 EVENTLOG IMPORT filename eventlog
1645 Imports a eventlog *.evt file defined by filename into the samba
1646 internal tdb representation of eventlog defined by eventlog. eventlog
1647 needs to part of the eventlog list defined in /etc/samba/smb.conf. See
1648 the smb.conf(5) manpage for details.
1649 EVENTLOG EXPORT filename eventlog
1651 Exports the samba internal tdb representation of eventlog defined by
1652 eventlog to a eventlog *.evt file defined by filename. eventlog needs
1653 to part of the eventlog list defined in /etc/samba/smb.conf. See the
1654 smb.conf(5) manpage for details.
1655 DOM
1657 Starting with version 3.2.0 Samba has support for remote join and
1658 unjoin APIs, both client and server-side. Windows supports remote join
1659 capabilities since Windows 2000.
1660 In order for Samba to be joined or unjoined remotely an account must be
1662 used that is either member of the Domain Admins group, a member of the
1663 local Administrators group or a user that is granted the
1664 SeMachineAccountPrivilege privilege.
1665 The client side support for remote join is implemented in the net dom
1667 commands which are:
1668 net dom join - Join a remote computer into a domain.
1669 net dom unjoin - Unjoin a remote computer from a domain.
1670 net dom renamecomputer - Renames a remote computer joined to a
1671 domain.
1672 DOM JOIN domain=DOMAIN ou=OU account=ACCOUNT password=PASSWORD reboot
1674 Joins a computer into a domain. This command supports the following
1675 additional parameters:
1676 • DOMAIN can be a NetBIOS domain name (also known as short
1678 domain name) or a DNS domain name for Active Directory
1679 Domains. As in Windows, it is also possible to control which
1680 Domain Controller to use. This can be achieved by appending
1681 the DC name using the \ separator character. Example:
1682 MYDOM\MYDC. The DOMAIN parameter cannot be NULL.
1683 • OU can be set to a RFC 1779 LDAP DN, like
1685 ou=mymachines,cn=Users,dc=example,dc=com in order to create
1686 the machine account in a non-default LDAP container. This
1687 optional parameter is only supported when joining Active
1688 Directory Domains.
1689 • ACCOUNT defines a domain account that will be used to join
1691 the machine to the domain. This domain account needs to have
1692 sufficient privileges to join machines.
1693 • PASSWORD defines the password for the domain account defined
1695 with ACCOUNT.
1696 • REBOOT is an optional parameter that can be set to reboot
1698 the remote machine after successful join to the domain.
1699 Note that you also need to use standard net parameters to connect and
1702 authenticate to the remote machine that you want to join. These
1703 additional parameters include: -S computer and -U user.
1704 Example: net dom join -S xp -U XP\\administrator%secret domain=MYDOM
1706 account=MYDOM\\administrator password=topsecret reboot.
1707 This example would connect to a computer named XP as the local
1709 administrator using password secret, and join the computer into a
1710 domain called MYDOM using the MYDOM domain administrator account and
1711 password topsecret. After successful join, the computer would reboot.
1712 DOM UNJOIN account=ACCOUNT password=PASSWORD reboot
1714 Unjoins a computer from a domain. This command supports the following
1715 additional parameters:
1716 • ACCOUNT defines a domain account that will be used to unjoin
1718 the machine from the domain. This domain account needs to
1719 have sufficient privileges to unjoin machines.
1720 • PASSWORD defines the password for the domain account defined
1722 with ACCOUNT.
1723 • REBOOT is an optional parameter that can be set to reboot
1725 the remote machine after successful unjoin from the domain.
1726 Note that you also need to use standard net parameters to connect and
1729 authenticate to the remote machine that you want to unjoin. These
1730 additional parameters include: -S computer and -U user.
1731 Example: net dom unjoin -S xp -U XP\\administrator%secret
1733 account=MYDOM\\administrator password=topsecret reboot.
1734 This example would connect to a computer named XP as the local
1736 administrator using password secret, and unjoin the computer from the
1737 domain using the MYDOM domain administrator account and password
1738 topsecret. After successful unjoin, the computer would reboot.
1739 DOM RENAMECOMPUTER newname=NEWNAME account=ACCOUNT password=PASSWORD reboot
1741 Renames a computer that is joined to a domain. This command supports
1742 the following additional parameters:
1743 • NEWNAME defines the new name of the machine in the domain.
1745 • ACCOUNT defines a domain account that will be used to rename
1747 the machine in the domain. This domain account needs to have
1748 sufficient privileges to rename machines.
1749 • PASSWORD defines the password for the domain account defined
1751 with ACCOUNT.
1752 • REBOOT is an optional parameter that can be set to reboot
1754 the remote machine after successful rename in the domain.
1755 Note that you also need to use standard net parameters to connect and
1758 authenticate to the remote machine that you want to rename in the
1759 domain. These additional parameters include: -S computer and -U user.
1760 Example: net dom renamecomputer -S xp -U XP\\administrator%secret
1762 newname=XPNEW account=MYDOM\\administrator password=topsecret reboot.
1763 This example would connect to a computer named XP as the local
1765 administrator using password secret, and rename the joined computer to
1766 XPNEW using the MYDOM domain administrator account and password
1767 topsecret. After successful rename, the computer would reboot.
1768 G_LOCK
1770 Manage global locks.
1771 G_LOCK DO lockname timeout command
1773 Execute a shell command under a global lock. This might be useful to
1774 define the order in which several shell commands will be executed. The
1775 locking information is stored in a file called g_lock.tdb. In setups
1776 with CTDB running, the locking information will be available on all
1777 cluster nodes.
1778 • LOCKNAME defines the name of the global lock.
1780 • TIMEOUT defines the timeout.
1782 • COMMAND defines the shell command to execute.
1784 G_LOCK LOCKS
1786 Print a list of all currently existing locknames.
1787 G_LOCK DUMP lockname
1789 Dump the locking table of a certain global lock.
1790 TDB
1792 Print information from tdb records.
1793 TDB LOCKING key [DUMP]
1795 List sharename, filename and number of share modes for a record from
1796 locking.tdb. With the optional DUMP options, dump the complete record.
1797 • KEY Key of the tdb record as hex string.
1799 vfs
1801 Access shared filesystem through the VFS.
1802 vfs stream2abouble [--recursive] [--verbose] [--continue] [--follow-
1804 symlinks] share path
1805 Convert file streams to AppleDouble files.
1806 • share A Samba share.
1808 • path A relative path of something in the Samba share. "."
1811 can be used for the root directory of the share.
1812 Options:
1815 --recursive
1817 Traverse a directory hierarchy.
1818 --verbose
1820 Verbose output.
1821 --continue
1823 Continue traversing a directory hierarchy if a single conversion
1824 fails.
1825 --follow-symlinks
1827 Follow symlinks encountered while traversing a directory.
1828 vfs getntacl share path
1830 Display the security descriptor of a file or directory.
1831 • share A Samba share.
1833 • path A relative path of something in the Samba share. "."
1836 can be used for the root directory of the share.
1837 OFFLINEJOIN
1839 Starting with version 4.15 Samba has support for offline join APIs.
1840 Windows supports offline join capabilities since Windows 7 and Windows
1841 2008 R2.
1842 The following offline commands are implemented:
1844 net offlinejoin provision - Provisions a machine account in AD.
1845 net offlinejoin requestodj - Requests a domain offline join.
1846 OFFLINEJOIN PROVISION domain=DOMAIN machine_name=MACHINE_NAME
1848 machine_account_ou=MACHINE_ACCOUNT_OU dcname=DCNAME defpwd reuse
1849 savefile=FILENAME printblob
1850 Provisions a machine account in AD. This command needs network
1851 connectivity to the domain controller to succeed. This command supports
1852 the following additional parameters:
1853 • DOMAIN can be a NetBIOS domain name (also known as short
1855 domain name) or a DNS domain name for Active Directory
1856 Domains. The DOMAIN parameter cannot be NULL.
1857 • MACHINE_NAME defines the machine account name that will be
1859 provisioned in AD. The MACHINE_NAME parameter cannot be
1860 NULL.
1861 • MACHINE_ACCOUNT_OU can be set to a RFC 1779 LDAP DN, like
1863 ou=mymachines,cn=Users,dc=example,dc=com in order to create
1864 the machine account in a non-default LDAP container. This
1865 optional parameter is only supported when joining Active
1866 Directory Domains.
1867 • DCNAME defines a specific domain controller for creating the
1869 machine account in AD.
1870 • DEFPWD is an optional parameter that can be set to enforce
1872 using the default machine account password. The use of this
1873 parameter is not recommended as the default machine account
1874 password can be easily guessed.
1875 • REUSE is an optional parameter that can be set to enforce
1877 reusing an existing machine account in AD.
1878 • SAVEFILE is an optional parameter to store the generated
1880 provisioning data on disk.
1881 • PRINTBLOB is an optional parameter to print the generated
1883 provisioning data on stdout.
1884 Example: net offlinejoin provision -U administrator%secret domain=MYDOM
1887 machine_name=MYHOST savefile=provisioning.txt
1888 OFFLINEJOIN REQUESTODJ loadfile=FILENAME
1890 Requests an offline domain join by providing file-based provisioning
1891 data. This command supports the following additional parameters:
1892 • LOADFILE is a required parameter to load the provisioning
1894 from a file.
1895 Example: net offlinejoin requestodj -U administrator%secret
1898 loadfile=provisioning.txt
1899 HELP [COMMAND]
1901 Gives usage information for the specified command.
1902
1904 This man page is complete for version 3 of the Samba suite.
1905
1907 The original Samba software and related utilities were created by
1908 Andrew Tridgell. Samba is now developed by the Samba Team as an Open
1909 Source project similar to the way the Linux kernel is developed.
1910 The net manpage was written by Jelmer Vernooij.
1912Samba 4.17.5 01/26/2023 NET(8)