1NET(8)                    System Administration tools                   NET(8)
2
3
4

NAME

6       net - Tool for administration of Samba and remote CIFS servers.
7

SYNOPSIS

9       net {<ads|rap|rpc>} [-h|--help] [-d|--debuglevel=DEBUGLEVEL]
10        [--debug-stdout] [--configfile=CONFIGFILE] [--option=name=value]
11        [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full]
12        [-R|--name-resolve=NAME-RESOLVE-ORDER]
13        [-O|--socket-options=SOCKETOPTIONS] [-m|--max-protocol=MAXPROTOCOL]
14        [-n|--netbiosname=NETBIOSNAME] [--netbios-scope=SCOPE]
15        [-W|--workgroup=WORKGROUP] [--realm=REALM]
16        [-U|--user=[DOMAIN/]USERNAME[%PASSWORD]] [-N|--no-pass]
17        [--password=STRING] [--pw-nt-hash] [-A|--authentication-file=FILE]
18        [-P|--machine-pass] [--simple-bind-dn=DN]
19        [--use-kerberos=desired|required|off] [--use-krb5-ccache=CCACHE]
20        [--use-winbind-ccache] [--client-protection=sign|encrypt|off]
21        [-V|--version] [-w|--target-workgroup workgroup]
22        [-I|--ipaddress ip-address] [-p|--port port] [--myname]
23        [-S|--server server] [--long] [-v|--verbose] [-f|--force]
24        [--request-timeout seconds] [-t|--timeout seconds] [-i|--stdin]
25

DESCRIPTION

27       This tool is part of the samba(7) suite.
28
29       The Samba net utility is meant to work just like the net utility
30       available for windows and DOS. The first argument should be used to
31       specify the protocol to use when executing a certain command. ADS is
32       used for ActiveDirectory, RAP is using for old (Win9x/NT3) clients and
33       RPC can be used for NT4 and Windows 2000. If this argument is omitted,
34       net will try to determine it automatically. Not all commands are
35       available on all protocols.
36

OPTIONS

38       -w|--target-workgroup target-workgroup
39           Sets target workgroup or domain. You have to specify either this
40           option or the IP address or the name of a server.
41
42       -I|--ipaddress ip-address
43           IP address of target server to use. You have to specify either this
44           option or a target workgroup or a target server.
45
46       -p|--port port
47           Port on the target server to connect to (usually 139 or 445).
48           Defaults to trying 445 first, then 139.
49
50       -S|--server server
51           Name of target server. You should specify either this option or a
52           target workgroup or a target IP address.
53
54       --long
55           When listing data, give more information on each item.
56
57       -v|--verbose
58           When listing data, give more verbose information on each item.
59
60       -f|--force
61           Enforcing a net command.
62
63       --request-timeout 30
64           Let client requests timeout after 30 seconds the default is 10
65           seconds.
66
67       -t|--timeout 30
68           Set timeout for client operations to 30 seconds.
69
70       -i|--stdin
71           Take input for net commands from standard input.
72
73       -T|--test
74           Only test command sequence, dry-run.
75
76       -F|--flags FLAGS
77           Pass down integer flags to a net subcommand.
78
79       -C|--comment COMMENT
80           Pass down a comment string to a net subcommand.
81
82       --myname MYNAME
83           Use MYNAME as a requester name for a net subcommand.
84
85       -c|--container CONTAINER
86           Use a specific AD container for net ads operations.
87
88       -M|--maxusers MAXUSERS
89           Fill in the maxusers field in net rpc share operations.
90
91       -r|--reboot
92           Reboot a remote machine after a command has been successfully
93           executed (e.g. in remote join operations).
94
95       --force-full-repl
96           When calling "net rpc vampire keytab" this option enforces a full
97           re-creation of the generated keytab file.
98
99       --single-obj-repl
100           When calling "net rpc vampire keytab" this option allows one to
101           replicate just a single object to the generated keytab file.
102
103       --clean-old-entries
104           When calling "net rpc vampire keytab" this option allows one to
105           cleanup old entries from the generated keytab file.
106
107       --db
108           Define dbfile for "net idmap" commands.
109
110       --lock
111           Activates locking of the dbfile for "net idmap check" command.
112
113       -a|--auto
114           Activates noninteractive mode in "net idmap check".
115
116       --repair
117           Activates repair mode in "net idmap check".
118
119       --acls
120           Includes ACLs to be copied in "net rpc share migrate".
121
122       --attrs
123           Includes file attributes to be copied in "net rpc share migrate".
124
125       --timestamps
126           Includes timestamps to be copied in "net rpc share migrate".
127
128       -X|--exclude DIRECTORY
129           Allows one to exclude directories when copying with "net rpc share
130           migrate".
131
132       --destination SERVERNAME
133           Defines the target servername of migration process (defaults to
134           localhost).
135
136       -L|--local
137           Sets the type of group mapping to local (used in "net groupmap
138           set").
139
140       -D|--domain
141           Sets the type of group mapping to domain (used in "net groupmap
142           set").
143
144       -N|--ntname NTNAME
145           Sets the ntname of a group mapping (used in "net groupmap set").
146
147       --rid RID
148           Sets the rid of a group mapping (used in "net groupmap set").
149
150       --reg-version REG_VERSION
151           Assume database version {n|1,2,3} (used in "net registry check").
152
153       -o|--output FILENAME
154           Output database file (used in "net registry check").
155
156       --wipe
157           Create a new database from scratch (used in "net registry check").
158
159       --precheck PRECHECK_DB_FILENAME
160           Defines filename for database prechecking (used in "net registry
161           import").
162
163       --no-dns-updates
164           Do not perform DNS updates as part of "net ads join".
165
166       --keep-account
167           Prevent the machine account removal as part of "net ads leave".
168
169       --json
170           Report results in JSON format for "net ads info" and "net ads
171           lookup".
172
173       --recursive
174           Traverse a directory hierarchy.
175
176       --continue
177           Continue traversing a directory hierarchy in case conversion of one
178           file fails.
179
180       --follow-symlinks
181           Follow symlinks encountered while traversing a directory.
182
183       -d|--debuglevel=DEBUGLEVEL
184           level is an integer from 0 to 10. The default value if this
185           parameter is not specified is 1 for client applications.
186
187           The higher this value, the more detail will be logged to the log
188           files about the activities of the server. At level 0, only critical
189           errors and serious warnings will be logged. Level 1 is a reasonable
190           level for day-to-day running - it generates a small amount of
191           information about operations carried out.
192
193           Levels above 1 will generate considerable amounts of log data, and
194           should only be used when investigating a problem. Levels above 3
195           are designed for use only by developers and generate HUGE amounts
196           of log data, most of which is extremely cryptic.
197
198           Note that specifying this parameter here will override the log
199           level parameter in the /etc/samba/smb.conf file.
200
201       --debug-stdout
202           This will redirect debug output to STDOUT. By default all clients
203           are logging to STDERR.
204
205       --configfile=<configuration file>
206           The file specified contains the configuration details required by
207           the client. The information in this file can be general for client
208           and server or only provide client specific like options such as
209           client smb encrypt. See /etc/samba/smb.conf for more information.
210           The default configuration file name is determined at compile time.
211
212       --option=<name>=<value>
213           Set the smb.conf(5) option "<name>" to value "<value>" from the
214           command line. This overrides compiled-in defaults and options read
215           from the configuration file. If a name or a value includes a space,
216           wrap whole --option=name=value into quotes.
217
218       -l|--log-basename=logdirectory
219           Base directory name for log/debug files. The extension ".progname"
220           will be appended (e.g. log.smbclient, log.smbd, etc...). The log
221           file is never removed by the client.
222
223       --leak-report
224           Enable talloc leak reporting on exit.
225
226       --leak-report-full
227           Enable full talloc leak reporting on exit.
228
229       -V|--version
230           Prints the program version number.
231
232       -R|--name-resolve=NAME-RESOLVE-ORDER
233           This option is used to determine what naming services and in what
234           order to resolve host names to IP addresses. The option takes a
235           space-separated string of different name resolution options. The
236           best ist to wrap the whole --name-resolve=NAME-RESOLVE-ORDER into
237           quotes.
238
239           The options are: "lmhosts", "host", "wins" and "bcast". They cause
240           names to be resolved as follows:
241
242lmhosts: Lookup an IP address in the Samba lmhosts file.
243                      If the line in lmhosts has no name type attached to the
244                      NetBIOS name (see the lmhosts(5) for details) then any
245                      name type matches for lookup.
246
247host: Do a standard host name to IP address resolution,
248                      using the system /etc/hosts, NIS, or DNS lookups. This
249                      method of name resolution is operating system dependent,
250                      for instance on IRIX or Solaris this may be controlled
251                      by the /etc/nsswitch.conf file). Note that this method
252                      is only used if the NetBIOS name type being queried is
253                      the 0x20 (server) name type, otherwise it is ignored.
254
255wins: Query a name with the IP address listed in the
256                      wins server parameter. If no WINS server has been
257                      specified this method will be ignored.
258
259bcast: Do a broadcast on each of the known local
260                      interfaces listed in the interfaces parameter. This is
261                      the least reliable of the name resolution methods as it
262                      depends on the target host being on a locally connected
263                      subnet.
264
265           If this parameter is not set then the name resolve order defined in
266           the /etc/samba/smb.conf file parameter (name resolve order) will be
267           used.
268
269           The default order is lmhosts, host, wins, bcast. Without this
270           parameter or any entry in the name resolve order parameter of the
271           /etc/samba/smb.conf file, the name resolution methods will be
272           attempted in this order.
273
274       -O|--socket-options=SOCKETOPTIONS
275           TCP socket options to set on the client socket. See the socket
276           options parameter in the /etc/samba/smb.conf manual page for the
277           list of valid options.
278
279       -m|--max-protocol=MAXPROTOCOL
280           The value of the parameter (a string) is the highest protocol level
281           that will be supported by the client.
282
283           Note that specifying this parameter here will override the client
284           max protocol parameter in the /etc/samba/smb.conf file.
285
286       -n|--netbiosname=NETBIOSNAME
287           This option allows you to override the NetBIOS name that Samba uses
288           for itself. This is identical to setting the netbios name parameter
289           in the /etc/samba/smb.conf file. However, a command line setting
290           will take precedence over settings in /etc/samba/smb.conf.
291
292       --netbios-scope=SCOPE
293           This specifies a NetBIOS scope that nmblookup will use to
294           communicate with when generating NetBIOS names. For details on the
295           use of NetBIOS scopes, see rfc1001.txt and rfc1002.txt. NetBIOS
296           scopes are very rarely used, only set this parameter if you are the
297           system administrator in charge of all the NetBIOS systems you
298           communicate with.
299
300       -W|--workgroup=WORKGROUP
301           Set the SMB domain of the username. This overrides the default
302           domain which is the domain defined in smb.conf. If the domain
303           specified is the same as the servers NetBIOS name, it causes the
304           client to log on using the servers local SAM (as opposed to the
305           Domain SAM).
306
307           Note that specifying this parameter here will override the
308           workgroup parameter in the /etc/samba/smb.conf file.
309
310       -r|--realm=REALM
311           Set the realm for the domain.
312
313           Note that specifying this parameter here will override the realm
314           parameter in the /etc/samba/smb.conf file.
315
316       -U|--user=[DOMAIN\]USERNAME[%PASSWORD]
317           Sets the SMB username or username and password.
318
319           If %PASSWORD is not specified, the user will be prompted. The
320           client will first check the USER environment variable (which is
321           also permitted to also contain the password separated by a %), then
322           the LOGNAME variable (which is not permitted to contain a password)
323           and if either exists, the value is used. If these environmental
324           variables are not found, the username found in a Kerberos
325           Credentials cache may be used.
326
327           A third option is to use a credentials file which contains the
328           plaintext of the username and password. This option is mainly
329           provided for scripts where the admin does not wish to pass the
330           credentials on the command line or via environment variables. If
331           this method is used, make certain that the permissions on the file
332           restrict access from unwanted users. See the -A for more details.
333
334           Be cautious about including passwords in scripts or passing
335           user-supplied values onto the command line. For security it is
336           better to let the Samba client tool ask for the password if needed,
337           or obtain the password once with kinit.
338
339           While Samba will attempt to scrub the password from the process
340           title (as seen in ps), this is after startup and so is subject to a
341           race.
342
343       -N|--no-pass
344           If specified, this parameter suppresses the normal password prompt
345           from the client to the user. This is useful when accessing a
346           service that does not require a password.
347
348           Unless a password is specified on the command line or this
349           parameter is specified, the client will request a password.
350
351           If a password is specified on the command line and this option is
352           also defined the password on the command line will be silently
353           ignored and no password will be used.
354
355       --password
356           Specify the password on the commandline.
357
358           Be cautious about including passwords in scripts or passing
359           user-supplied values onto the command line. For security it is
360           better to let the Samba client tool ask for the password if needed,
361           or obtain the password once with kinit.
362
363           If --password is not specified, the tool will check the PASSWD
364           environment variable, followed by PASSWD_FD which is expected to
365           contain an open file descriptor (FD) number.
366
367           Finally it will check PASSWD_FILE (containing a file path to be
368           opened). The file should only contain the password. Make certain
369           that the permissions on the file restrict access from unwanted
370           users!
371
372           While Samba will attempt to scrub the password from the process
373           title (as seen in ps), this is after startup and so is subject to a
374           race.
375
376       --pw-nt-hash
377           The supplied password is the NT hash.
378
379       -A|--authentication-file=filename
380           This option allows you to specify a file from which to read the
381           username and password used in the connection. The format of the
382           file is:
383
384                                   username = <value>
385                                   password = <value>
386                                   domain   = <value>
387
388
389           Make certain that the permissions on the file restrict access from
390           unwanted users!
391
392       -P|--machine-pass
393           Use stored machine account password.
394
395       --simple-bind-dn=DN
396           DN to use for a simple bind.
397
398       --use-kerberos=desired|required|off
399           This parameter determines whether Samba client tools will try to
400           authenticate using Kerberos. For Kerberos authentication you need
401           to use dns names instead of IP addresses when connecting to a
402           service.
403
404           Note that specifying this parameter here will override the client
405           use kerberos parameter in the /etc/samba/smb.conf file.
406
407       --use-krb5-ccache=CCACHE
408           Specifies the credential cache location for Kerberos
409           authentication.
410
411           This will set --use-kerberos=required too.
412
413       --use-winbind-ccache
414           Try to use the credential cache by winbind.
415
416       --client-protection=sign|encrypt|off
417           Sets the connection protection the client tool should use.
418
419           Note that specifying this parameter here will override the client
420           protection parameter in the /etc/samba/smb.conf file.
421
422           In case you need more fine grained control you can use:
423           --option=clientsmbencrypt=OPTION, --option=clientipcsigning=OPTION,
424           --option=clientsigning=OPTION.
425

COMMANDS

427   CHANGESECRETPW
428       This command allows the Samba machine account password to be set from
429       an external application to a machine account password that has already
430       been stored in Active Directory. DO NOT USE this command unless you
431       know exactly what you are doing. The use of this command requires that
432       the force flag (-f) be used also. There will be NO command prompt.
433       Whatever information is piped into stdin, either by typing at the
434       command line or otherwise, will be stored as the literal machine
435       password. Do NOT use this without care and attention as it will
436       overwrite a legitimate machine password without warning. YOU HAVE BEEN
437       WARNED.
438
439   TIME
440       The NET TIME command allows you to view the time on a remote server or
441       synchronise the time on the local server with the time on the remote
442       server.
443
444   TIME
445       Without any options, the NET TIME command displays the time on the
446       remote server. The remote server must be specified with the -S option.
447
448   TIME SYSTEM
449       Displays the time on the remote server in a format ready for /bin/date.
450       The remote server must be specified with the -S option.
451
452   TIME SET
453       Tries to set the date and time of the local server to that on the
454       remote server using /bin/date. The remote server must be specified with
455       the -S option.
456
457   TIME ZONE
458       Displays the timezone in hours from GMT on the remote server. The
459       remote server must be specified with the -S option.
460
461   [RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]]
462       [dnshostname=FQDN] [createupn=UPN] [createcomputer=OU]
463       [machinepass=PASS] [osName=string osVer=string] [options]
464       Join a domain. If the account already exists on the server, and [TYPE]
465       is MEMBER, the machine will attempt to join automatically. (Assuming
466       that the machine has been created in server manager) Otherwise, a
467       password will be prompted for, and a new account may be created.
468
469       [TYPE] may be PDC, BDC or MEMBER to specify the type of server joining
470       the domain.
471
472       [FQDN] (ADS only) set the dnsHostName attribute during the join. The
473       default format is netbiosname.dnsdomain.
474
475       [UPN] (ADS only) set the principalname attribute during the join. The
476       default format is host/netbiosname@REALM.
477
478       [OU] (ADS only) Precreate the computer account in a specific OU. The OU
479       string reads from top to bottom without RDNs, and is delimited by a
480       '/'. Please note that '\' is used for escape by both the shell and
481       ldap, so it may need to be doubled or quadrupled to pass through, and
482       it is not used as a delimiter.
483
484       [PASS] (ADS only) Set a specific password on the computer account being
485       created by the join.
486
487       [osName=string osVer=String] (ADS only) Set the operatingSystem and
488       operatingSystemVersion attribute during the join. Both parameters must
489       be specified for either to take effect.
490
491   [RPC] OLDJOIN [options]
492       Join a domain. Use the OLDJOIN option to join the domain using the old
493       style of domain joining - you need to create a trust account in server
494       manager first.
495
496   [RPC|ADS] USER
497   [RPC|ADS] USER
498       List all users
499
500   [RPC|ADS] USER DELETE target
501       Delete specified user
502
503   [RPC|ADS] USER INFO target
504       List the domain groups of the specified user.
505
506   [RPC|ADS] USER RENAME oldname newname
507       Rename specified user.
508
509   [RPC|ADS] USER ADD name [password] [-F user flags] [-C comment]
510       Add specified user.
511
512   [RPC|ADS] GROUP
513   [RPC|ADS] GROUP [misc options] [targets]
514       List user groups.
515
516   [RPC|ADS] GROUP DELETE name [misc. options]
517       Delete specified group.
518
519   [RPC|ADS] GROUP ADD name [-C comment]
520       Create specified group.
521
522   [ADS] LOOKUP
523       Lookup the closest Domain Controller in our domain and retrieve server
524       information about it.
525
526   [RAP|RPC] SHARE
527   [RAP|RPC] SHARE [misc. options] [targets]
528       Enumerates all exported resources (network shares) on target server.
529
530   [RAP|RPC] SHARE ADD name=serverpath [-C comment] [-M maxusers] [targets]
531       Adds a share from a server (makes the export active). Maxusers
532       specifies the number of users that can be connected to the share
533       simultaneously.
534
535   SHARE DELETE sharename
536       Delete specified share.
537
538   [RPC|RAP] FILE
539   [RPC|RAP] FILE
540       List all open files on remote server.
541
542   [RPC|RAP] FILE CLOSE fileid
543       Close file with specified fileid on remote server.
544
545   [RPC|RAP] FILE INFO fileid
546       Print information on specified fileid. Currently listed are: file-id,
547       username, locks, path, permissions.
548
549   [RAP|RPC] FILE USER user
550       List files opened by specified user. Please note that net rap file user
551       does not work against Samba servers.
552
553   SESSION
554   RAP SESSION
555       Without any other options, SESSION enumerates all active SMB/CIFS
556       sessions on the target server.
557
558   RAP SESSION DELETE|CLOSE CLIENT_NAME
559       Close the specified sessions.
560
561   RAP SESSION INFO CLIENT_NAME
562       Give a list with all the open files in specified session.
563
564   RAP SERVER DOMAIN
565       List all servers in specified domain or workgroup. Defaults to local
566       domain.
567
568   RAP DOMAIN
569       Lists all domains and workgroups visible on the current network.
570
571   RAP PRINTQ
572   RAP PRINTQ INFO QUEUE_NAME
573       Lists the specified print queue and print jobs on the server. If the
574       QUEUE_NAME is omitted, all queues are listed.
575
576   RAP PRINTQ DELETE JOBID
577       Delete job with specified id.
578
579   RAP VALIDATE user [password]
580       Validate whether the specified user can log in to the remote server. If
581       the password is not specified on the commandline, it will be prompted.
582
583           Note
584           Currently NOT implemented.
585
586   RAP GROUPMEMBER
587   RAP GROUPMEMBER LIST GROUP
588       List all members of the specified group.
589
590   RAP GROUPMEMBER DELETE GROUP USER
591       Delete member from group.
592
593   RAP GROUPMEMBER ADD GROUP USER
594       Add member to group.
595
596   RAP ADMIN command
597       Execute the specified command on the remote server. Only works with
598       OS/2 servers.
599
600           Note
601           Currently NOT implemented.
602
603   RAP SERVICE
604   RAP SERVICE START NAME [arguments...]
605       Start the specified service on the remote server. Not implemented yet.
606
607           Note
608           Currently NOT implemented.
609
610   RAP SERVICE STOP
611       Stop the specified service on the remote server.
612
613           Note
614           Currently NOT implemented.
615
616   RAP PASSWORD USER OLDPASS NEWPASS
617       Change password of USER from OLDPASS to NEWPASS.
618
619   LOOKUP
620   LOOKUP HOST HOSTNAME [TYPE]
621       Lookup the IP address of the given host with the specified type
622       (netbios suffix). The type defaults to 0x20 (workstation).
623
624   LOOKUP LDAP [DOMAIN]
625       Give IP address of LDAP server of specified DOMAIN. Defaults to local
626       domain.
627
628   LOOKUP KDC [REALM]
629       Give IP address of KDC for the specified REALM. Defaults to local
630       realm.
631
632   LOOKUP DC [DOMAIN]
633       Give IP's of Domain Controllers for specified
634        DOMAIN. Defaults to local domain.
635
636   LOOKUP MASTER DOMAIN
637       Give IP of master browser for specified DOMAIN or workgroup. Defaults
638       to local domain.
639
640   LOOKUP NAME [NAME]
641       Lookup username's sid and type for specified NAME
642
643   LOOKUP SID [SID]
644       Give sid's name and type for specified SID
645
646   LOOKUP DSGETDCNAME [NAME] [FLAGS] [SITENAME]
647       Give Domain Controller information for specified domain NAME
648
649   CACHE
650       Samba uses a general caching interface called 'gencache'. It can be
651       controlled using 'NET CACHE'.
652
653       All the timeout parameters support the suffixes:
654           s - Seconds
655           m - Minutes
656           h - Hours
657           d - Days
658           w - Weeks
659
660   CACHE ADD key data time-out
661       Add specified key+data to the cache with the given timeout.
662
663   CACHE DEL key
664       Delete key from the cache.
665
666   CACHE SET key data time-out
667       Update data of existing cache entry.
668
669   CACHE SEARCH PATTERN
670       Search for the specified pattern in the cache data.
671
672   CACHE LIST
673       List all current items in the cache.
674
675   CACHE FLUSH
676       Remove all the current items from the cache.
677
678   GETLOCALSID [DOMAIN]
679       Prints the SID of the specified domain, or if the parameter is omitted,
680       the SID of the local server.
681
682   SETLOCALSID S-1-5-21-x-y-z
683       Sets SID for the local server to the specified SID.
684
685   GETDOMAINSID
686       Prints the local machine SID and the SID of the current domain.
687
688   SETDOMAINSID
689       Sets the SID of the current domain.
690
691   GROUPMAP
692       Manage the mappings between Windows group SIDs and UNIX groups. Common
693       options include:
694
695              •   unixgroup - Name of the UNIX group
696
697              •   ntgroup - Name of the Windows NT group (must be resolvable
698                  to a SID
699
700              •   rid - Unsigned 32-bit integer
701
702              •   sid - Full SID in the form of "S-1-..."
703
704              •   type - Type of the group; either 'domain', 'local', or
705                  'builtin'
706
707              •   comment - Freeform text description of the group
708
709
710   GROUPMAP ADD
711       Add a new group mapping entry:
712
713           net groupmap add {rid=int|sid=string} unixgroup=string \
714                [type={domain|local}] [ntgroup=string] [comment=string]
715
716
717
718   GROUPMAP DELETE
719       Delete a group mapping entry. If more than one group name matches, the
720       first entry found is deleted.
721
722       net groupmap delete {ntgroup=string|sid=SID}
723
724   GROUPMAP MODIFY
725       Update an existing group entry.
726
727           net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] \
728                  [comment=string] [type={domain|local}]
729
730
731
732   GROUPMAP LIST
733       List existing group mapping entries.
734
735       net groupmap list [verbose] [ntgroup=string] [sid=SID]
736
737   MAXRID
738       Prints out the highest RID currently in use on the local server (by the
739       active 'passdb backend').
740
741   RPC INFO
742       Print information about the domain of the remote server, such as domain
743       name, domain sid and number of users and groups.
744
745   [RPC|ADS] TESTJOIN
746       Check whether participation in a domain is still valid.
747
748   [RPC|ADS] CHANGETRUSTPW
749       Force change of domain trust password.
750
751   RPC TRUSTDOM
752   RPC TRUSTDOM ADD DOMAIN
753       Add a interdomain trust account for DOMAIN. This is in fact a Samba
754       account named DOMAIN$ with the account flag 'I' (interdomain trust
755       account). This is required for incoming trusts to work. It makes Samba
756       be a trusted domain of the foreign (trusting) domain. Users of the
757       Samba domain will be made available in the foreign domain. If the
758       command is used against localhost it has the same effect as smbpasswd
759       -a -i DOMAIN. Please note that both commands expect a appropriate UNIX
760       account.
761
762   RPC TRUSTDOM DEL DOMAIN
763       Remove interdomain trust account for DOMAIN. If it is used against
764       localhost it has the same effect as smbpasswd -x DOMAIN$.
765
766   RPC TRUSTDOM ESTABLISH DOMAIN
767       Establish a trust relationship to a trusted domain. Interdomain account
768       must already be created on the remote PDC. This is required for
769       outgoing trusts to work. It makes Samba be a trusting domain of a
770       foreign (trusted) domain. Users of the foreign domain will be made
771       available in our domain. You'll need winbind and a working idmap config
772       to make them appear in your system.
773
774   RPC TRUSTDOM REVOKE DOMAIN
775       Abandon relationship to trusted domain
776
777   RPC TRUSTDOM LIST
778       List all interdomain trust relationships.
779
780   RPC TRUST
781   RPC TRUST CREATE
782       Create a trust object by calling lsaCreateTrustedDomainEx2. The can be
783       done on a single server or on two servers at once with the possibility
784       to use a random trust password.
785
786       Options:
787
788       otherserver
789           Domain controller of the second domain
790
791       otheruser
792           Admin user in the second domain
793
794       otherdomainsid
795           SID of the second domain
796
797       other_netbios_domain
798           NetBIOS (short) name of the second domain
799
800       otherdomain
801           DNS (full) name of the second domain
802
803       trustpw
804           Trust password
805
806       Examples:
807
808       Create a trust object on srv1.dom1.dom for the domain dom2
809
810               net rpc trust create \
811                   otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
812                   other_netbios_domain=dom2 \
813                   otherdomain=dom2.dom \
814                   trustpw=12345678 \
815                   -S srv1.dom1.dom
816
817       Create a trust relationship between dom1 and dom2
818
819               net rpc trust create \
820                   otherserver=srv2.dom2.test \
821                   otheruser=dom2adm \
822                   -S srv1.dom1.dom
823
824   RPC TRUST DELETE
825       Delete a trust object by calling lsaDeleteTrustedDomain. The can be
826       done on a single server or on two servers at once.
827
828       Options:
829
830       otherserver
831           Domain controller of the second domain
832
833       otheruser
834           Admin user in the second domain
835
836       otherdomainsid
837           SID of the second domain
838
839       Examples:
840
841       Delete a trust object on srv1.dom1.dom for the domain dom2
842
843               net rpc trust delete \
844                   otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
845                   -S srv1.dom1.dom
846
847       Delete a trust relationship between dom1 and dom2
848
849               net rpc trust delete \
850                   otherserver=srv2.dom2.test \
851                   otheruser=dom2adm \
852                   -S srv1.dom1.dom
853
854
855   RPC RIGHTS
856       This subcommand is used to view and manage Samba's rights assignments
857       (also referred to as privileges). There are three options currently
858       available: list, grant, and revoke. More details on Samba's privilege
859       model and its use can be found in the Samba-HOWTO-Collection.
860
861   RPC ABORTSHUTDOWN
862       Abort the shutdown of a remote server.
863
864   RPC SHUTDOWN [-t timeout] [-r] [-f] [-C message]
865       Shut down the remote server.
866
867       -r
868           Reboot after shutdown.
869
870       -f
871           Force shutting down all applications.
872
873       -t timeout
874           Timeout before system will be shut down. An interactive user of the
875           system can use this time to cancel the shutdown.
876
877       -C message
878           Display the specified message on the screen to announce the
879           shutdown.
880
881   RPC SAMDUMP
882       Print out sam database of remote server. You need to run this against
883       the PDC, from a Samba machine joined as a BDC.
884
885   RPC VAMPIRE
886       Export users, aliases and groups from remote server to local server.
887       You need to run this against the PDC, from a Samba machine joined as a
888       BDC. This vampire command cannot be used against an Active Directory,
889       only against an NT4 Domain Controller.
890
891   RPC VAMPIRE KEYTAB
892       Dump remote SAM database to local Kerberos keytab file.
893
894   RPC VAMPIRE LDIF
895       Dump remote SAM database to local LDIF file or standard output.
896
897   RPC GETSID
898       Fetch domain SID and store it in the local secrets.tdb.
899
900   ADS GPO
901   ADS GPO APPLY <USERNAME|MACHINENAME>
902       Apply GPOs for a username or machine name. Either username or machine
903       name should be provided to the command, not both.
904
905   ADS GPO GETGPO [GPO]
906       List specified GPO.
907
908   ADS GPO LINKADD [LINKDN] [GPODN]
909       Link a container to a GPO.  LINKDN Container to link to a GPO.  GPODN
910       GPO to link container to. DNs must be provided properly escaped. See
911       RFC 4514 for details.
912
913   ADS GPO LINKGET [CONTAINER]
914       Lists gPLink of a containter.
915
916   ADS GPO LIST <USERNAME|MACHINENAME>
917       Lists all GPOs for a username or machine name. Either username or
918       machine name should be provided to the command, not both.
919
920   ADS GPO LISTALL
921       Lists all GPOs on a DC.
922
923   ADS GPO REFRESH [USERNAME] [MACHINENAME]
924       Lists all GPOs assigned to an account and download them.  USERNAME User
925       to refresh GPOs for.  MACHINENAME Machine to refresh GPOs for.
926
927   ADS DNS
928   ADS DNS REGISTER [HOSTNAME [IP [IP.....]]]
929       Add host dns entry to Active Directory.
930
931   ADS DNS UNREGISTER <HOSTNAME>
932       Remove host dns entry from Active Directory.
933
934   ADS LEAVE [--keep-account]
935       Make the remote host leave the domain it is part of.
936
937   ADS STATUS
938       Print out status of machine account of the local machine in ADS. Prints
939       out quite some debug info. Aimed at developers, regular users should
940       use NET ADS TESTJOIN.
941
942   ADS PRINTER
943   ADS PRINTER INFO [PRINTER] [SERVER]
944       Lookup info for PRINTER on SERVER. The printer name defaults to "*",
945       the server name defaults to the local host.
946
947   ADS PRINTER PUBLISH PRINTER
948       Publish specified printer using ADS.
949
950   ADS PRINTER REMOVE PRINTER
951       Remove specified printer from ADS directory.
952
953   ADS SEARCH EXPRESSION ATTRIBUTES...
954       Perform a raw LDAP search on a ADS server and dump the results. The
955       expression is a standard LDAP search expression, and the attributes are
956       a list of LDAP fields to show in the results.
957
958       Example: net ads search '(objectCategory=group)' sAMAccountName
959
960   ADS DN DN (attributes)
961       Perform a raw LDAP search on a ADS server and dump the results. The DN
962       standard LDAP DN, and the attributes are a list of LDAP fields to show
963       in the result.
964
965       Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain'
966       SAMAccountName
967
968   ADS KEYTAB CREATE
969       Creates a new keytab file if one doesn't exist with default entries.
970       Default entries are kerberos principals created from the machinename of
971       the client, the UPN (if it exists) and any Windows SPN(s) associated
972       with the computer AD account for the client. If a keytab file already
973       exists then only missing kerberos principals from the default entries
974       are added. No changes are made to the computer AD account.
975
976   ADS KEYTAB ADD (principal | machine | serviceclass | windows SPN
977       Adds a new keytab entry, the entry can be either;
978
979       kerberos principal
980           A kerberos principal (identified by the presence of '@') is just
981           added to the keytab file.
982
983       machinename
984           A machinename (identified by the trailing '$') is used to create a
985           a kerberos principal 'machinename@realm' which is added to the
986           keytab file.
987
988       serviceclass
989           A serviceclass (such as 'cifs', 'html' etc.) is used to create a
990           pair of kerberos principals
991           'serviceclass/fully_qualified_dns_name@realm' &
992           'serviceclass/netbios_name@realm' which are added to the keytab
993           file.
994
995       Windows SPN
996           A Windows SPN is of the format 'serviceclass/host:port', it is used
997           to create a kerberos principal 'serviceclass/host@realm' which will
998           be written to the keytab file.
999
1000       Unlike old versions no computer AD objects are modified by this
1001       command. To preserve the bevhaviour of older clients 'net ads keytab
1002       ad_update_ads' is available.
1003
1004   ADS KEYTAB ADD_UPDATE_ADS (principal | machine | serviceclass | windows SPN
1005       Adds a new keytab entry (see section for net ads keytab add). In
1006       addition to adding entries to the keytab file corrosponding Windows
1007       SPNs are created from the entry passed to this command. These SPN(s)
1008       added to the AD computer account object associated with the client
1009       machine running this command for the following entry types;
1010
1011       serviceclass
1012           A serviceclass (such as 'cifs', 'html' etc.) is used to create a
1013           pair of Windows SPN(s) 'param/full_qualified_dns' &
1014           'param/netbios_name' which are added to the AD computer account
1015           object for this client.
1016
1017       Windows SPN
1018           A Windows SPN is of the format 'serviceclass/host:port', it is
1019           added as passed to the AD computer account object for this client.
1020
1021   ADS setspn SETSPN LIST [machine]
1022       Lists the Windows SPNs stored in the 'machine' Windows AD Computer
1023       object. If 'machine' is not specified then computer account for this
1024       client is used instead.
1025
1026   ADS setspn SETSPN ADD SPN [machine]
1027       Adds the specified Windows SPN to the 'machine' Windows AD Computer
1028       object. If 'machine' is not specified then computer account for this
1029       client is used instead.
1030
1031   ADS setspn SETSPN DELETE SPN [machine]
1032       DELETE the specified Window SPN from the 'machine' Windows AD Computer
1033       object. If 'machine' is not specified then computer account for this
1034       client is used instead.
1035
1036   ADS WORKGROUP
1037       Print out workgroup name for specified kerberos realm.
1038
1039   ADS ENCTYPES
1040       List, modify or delete the value of the "msDS-SupportedEncryptionTypes"
1041       attribute of an account in AD.
1042
1043       This attribute allows one to control which Kerberos encryption types
1044       are used for the generation of initial and service tickets. The value
1045       consists of an integer bitmask with the following values:
1046
1047       0x00000001 DES-CBC-CRC
1048
1049       0x00000002 DES-CBC-MD5
1050
1051       0x00000004 RC4-HMAC
1052
1053       0x00000008 AES128-CTS-HMAC-SHA1-96
1054
1055       0x00000010 AES256-CTS-HMAC-SHA1-96
1056
1057   ADS ENCTYPES LIST <ACCOUNTNAME>
1058       List the value of the "msDS-SupportedEncryptionTypes" attribute of a
1059       given account.
1060
1061       Example: net ads enctypes list Computername
1062
1063   ADS ENCTYPES SET <ACCOUNTNAME> [enctypes]
1064       Set the value of the "msDS-SupportedEncryptionTypes" attribute of the
1065       LDAP object of ACCOUNTNAME to a given value. If the value is omitted,
1066       the value is set to 31 which enables all the currently supported
1067       encryption types.
1068
1069       Example: net ads enctypes set Computername 24
1070
1071   ADS ENCTYPES DELETE <ACCOUNTNAME>
1072       Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP
1073       object of ACCOUNTNAME.
1074
1075       Example: net ads enctypes set Computername 24
1076
1077   SAM CREATEBUILTINGROUP <NAME>
1078       (Re)Create a BUILTIN group. Only a wellknown set of BUILTIN groups can
1079       be created with this command. This is the list of currently recognized
1080       group names: Administrators, Users, Guests, Power Users, Account
1081       Operators, Server Operators, Print Operators, Backup Operators,
1082       Replicator, RAS Servers, Pre-Windows 2000 compatible Access. This
1083       command requires a running Winbindd with idmap allocation properly
1084       configured. The group gid will be allocated out of the winbindd range.
1085
1086   SAM CREATELOCALGROUP <NAME>
1087       Create a LOCAL group (also known as Alias). This command requires a
1088       running Winbindd with idmap allocation properly configured. The group
1089       gid will be allocated out of the winbindd range.
1090
1091   SAM DELETELOCALGROUP <NAME>
1092       Delete an existing LOCAL group (also known as Alias).
1093
1094   SAM MAPUNIXGROUP <NAME>
1095       Map an existing Unix group and make it a Domain Group, the domain group
1096       will have the same name.
1097
1098   SAM UNMAPUNIXGROUP <NAME>
1099       Remove an existing group mapping entry.
1100
1101   SAM ADDMEM <GROUP> <MEMBER>
1102       Add a member to a Local group. The group can be specified only by name,
1103       the member can be specified by name or SID.
1104
1105   SAM DELMEM <GROUP> <MEMBER>
1106       Remove a member from a Local group. The group and the member must be
1107       specified by name.
1108
1109   SAM LISTMEM <GROUP>
1110       List Local group members. The group must be specified by name.
1111
1112   SAM LIST <users|groups|localgroups|builtin|workstations> [verbose]
1113       List the specified set of accounts by name. If verbose is specified,
1114       the rid and description is also provided for each account.
1115
1116   SAM RIGHTS LIST
1117       List all available privileges.
1118
1119   SAM RIGHTS GRANT <NAME> <PRIVILEGE>
1120       Grant one or more privileges to a user.
1121
1122   SAM RIGHTS REVOKE <NAME> <PRIVILEGE>
1123       Revoke one or more privileges from a user.
1124
1125   SAM SHOW <NAME>
1126       Show the full DOMAIN\\NAME the SID and the type for the corresponding
1127       account.
1128
1129   SAM SET HOMEDIR <NAME> <DIRECTORY>
1130       Set the home directory for a user account.
1131
1132   SAM SET PROFILEPATH <NAME> <PATH>
1133       Set the profile path for a user account.
1134
1135   SAM SET COMMENT <NAME> <COMMENT>
1136       Set the comment for a user or group account.
1137
1138   SAM SET FULLNAME <NAME> <FULL NAME>
1139       Set the full name for a user account.
1140
1141   SAM SET LOGONSCRIPT <NAME> <SCRIPT>
1142       Set the logon script for a user account.
1143
1144   SAM SET HOMEDRIVE <NAME> <DRIVE>
1145       Set the home drive for a user account.
1146
1147   SAM SET WORKSTATIONS <NAME> <WORKSTATIONS>
1148       Set the workstations a user account is allowed to log in from.
1149
1150   SAM SET DISABLE <NAME>
1151       Set the "disabled" flag for a user account.
1152
1153   SAM SET PWNOTREQ <NAME>
1154       Set the "password not required" flag for a user account.
1155
1156   SAM SET AUTOLOCK <NAME>
1157       Set the "autolock" flag for a user account.
1158
1159   SAM SET PWNOEXP <NAME>
1160       Set the "password do not expire" flag for a user account.
1161
1162   SAM SET PWDMUSTCHANGENOW <NAME> [yes|no]
1163       Set or unset the "password must change" flag for a user account.
1164
1165   SAM POLICY LIST
1166       List the available account policies.
1167
1168   SAM POLICY SHOW <account policy>
1169       Show the account policy value.
1170
1171   SAM POLICY SET <account policy> <value>
1172       Set a value for the account policy. Valid values can be: "forever",
1173       "never", "off", or a number.
1174
1175   SAM PROVISION
1176       Only available if ldapsam:editposix is set and winbindd is running.
1177       Properly populates the ldap tree with the basic accounts
1178       (Administrator) and groups (Domain Users, Domain Admins, Domain Guests)
1179       on the ldap tree.
1180
1181   IDMAP DUMP <local tdb file name>
1182       Dumps the mappings contained in the local tdb file specified. This
1183       command is useful to dump only the mappings produced by the idmap_tdb
1184       backend.
1185
1186   IDMAP RESTORE [input file]
1187       Restore the mappings from the specified file or stdin.
1188
1189   IDMAP SET SECRET <DOMAIN> <secret>
1190       Store a secret for the specified domain, used primarily for domains
1191       that use idmap_ldap as a backend. In this case the secret is used as
1192       the password for the user DN used to bind to the ldap server.
1193
1194   IDMAP SET RANGE <RANGE> <SID> [index] [--db=<DB>]
1195       Store a domain-range mapping for a given domain (and index) in autorid
1196       database.
1197
1198   IDMAP SET CONFIG <config> [--db=<DB>]
1199       Update CONFIG entry in autorid database.
1200
1201   IDMAP GET RANGE <SID> [index] [--db=<DB>]
1202       Get the range for a given domain and index from autorid database.
1203
1204   IDMAP GET RANGES [<SID>] [--db=<DB>]
1205       Get ranges for all domains or for one identified by given SID.
1206
1207   IDMAP GET CONFIG [--db=<DB>]
1208       Get CONFIG entry from autorid database.
1209
1210   IDMAP DELETE MAPPING [-f] [--db=<DB>] <ID>
1211       Delete a mapping sid <-> gid or sid <-> uid from the IDMAP database.
1212       The mapping is given by <ID> which may either be a sid: S-x-..., a gid:
1213       "GID number" or a uid: "UID number". Use -f to delete an invalid
1214       partial mapping <ID> -> xx
1215
1216       Use "smbcontrol all idmap ..." to notify running smbd instances. See
1217       the smbcontrol(1) manpage for details.
1218
1219   IDMAP DELETE RANGE [-f] [--db=<TDB>] <RANGE>|(<SID> [<INDEX>])
1220       Delete a domain range mapping identified by 'RANGE' or "domain SID and
1221       INDEX" from autorid database. Use -f to delete invalid mappings.
1222
1223   IDMAP DELETE RANGES [-f] [--db=<TDB>] <SID>
1224       Delete all domain range mappings for a domain identified by SID. Use -f
1225       to delete invalid mappings.
1226
1227   IDMAP CHECK [-v] [-r] [-a] [-T] [-f] [-l] [--db=<DB>]
1228       Check and repair the IDMAP database. If no option is given a read only
1229       check of the database is done. Among others an interactive or automatic
1230       repair mode may be chosen with one of the following options:
1231
1232       -r|--repair
1233           Interactive repair mode, ask a lot of questions.
1234
1235       -a|--auto
1236           Noninteractive repair mode, use default answers.
1237
1238       -v|--verbose
1239           Produce more output.
1240
1241       -f|--force
1242           Try to apply changes, even if they do not apply cleanly.
1243
1244       -T|--test
1245           Dry run, show what changes would be made but don't touch anything.
1246
1247       -l|--lock
1248           Lock the database while doing the check.
1249
1250       --db <DB>
1251           Check the specified database.
1252
1253       It reports about the finding of the following errors:
1254
1255       Missing reverse mapping:
1256           A record with mapping A->B where there is no B->A. Default action
1257           in repair mode is to "fix" this by adding the reverse mapping.
1258
1259       Invalid mapping:
1260           A record with mapping A->B where B->C. Default action is to
1261           "delete" this record.
1262
1263       Missing or invalid HWM:
1264           A high water mark is not at least equal to the largest ID in the
1265           database. Default action is to "fix" this by setting it to the
1266           largest ID found +1.
1267
1268       Invalid record:
1269           Something we failed to parse. Default action is to "edit" it in
1270           interactive and "delete" it in automatic mode.
1271
1272   USERSHARE
1273       Starting with version 3.0.23, a Samba server now supports the ability
1274       for non-root users to add user defined shares to be exported using the
1275       "net usershare" commands.
1276
1277       To set this up, first set up your /etc/samba/smb.conf by adding to the
1278       [global] section: usershare path = /usr/local/samba/lib/usershares Next
1279       create the directory /usr/local/samba/lib/usershares, change the owner
1280       to root and set the group owner to the UNIX group who should have the
1281       ability to create usershares, for example a group called "serverops".
1282       Set the permissions on /usr/local/samba/lib/usershares to 01770. (Owner
1283       and group all access, no access for others, plus the sticky bit, which
1284       means that a file in that directory can be renamed or deleted only by
1285       the owner of the file). Finally, tell smbd how many usershares you will
1286       allow by adding to the [global] section of /etc/samba/smb.conf a line
1287       such as : usershare max shares = 100. To allow 100 usershare
1288       definitions. Now, members of the UNIX group "serverops" can create user
1289       defined shares on demand using the commands below.
1290
1291       The usershare commands are:
1292           net usershare add sharename path [comment [acl] [guest_ok=[y|n]]] -
1293           to add or change a user defined share.
1294           net usershare delete sharename - to delete a user defined share.
1295           net usershare info [--long] [wildcard sharename] - to print info
1296           about a user defined share.
1297           net usershare list [--long] [wildcard sharename] - to list user
1298           defined shares.
1299
1300   USERSHARE ADD sharename path [comment] [acl] [guest_ok=[y|n]]
1301       Add or replace a new user defined share, with name "sharename".
1302
1303       "path" specifies the absolute pathname on the system to be exported.
1304       Restrictions may be put on this, see the global /etc/samba/smb.conf
1305       parameters: "usershare owner only", "usershare prefix allow list", and
1306       "usershare prefix deny list".
1307
1308       The optional "comment" parameter is the comment that will appear on the
1309       share when browsed to by a client.
1310
1311       The optional "acl" field specifies which users have read and write
1312       access to the entire share. Note that guest connections are not allowed
1313       unless the /etc/samba/smb.conf parameter "usershare allow guests" has
1314       been set. The definition of a user defined share acl is:
1315       "user:permission", where user is a valid username on the system and
1316       permission can be "F", "R", or "D". "F" stands for "full permissions",
1317       ie. read and write permissions. "D" stands for "deny" for a user, ie.
1318       prevent this user from accessing this share. "R" stands for "read
1319       only", ie. only allow read access to this share (no creation of new
1320       files or directories or writing to files).
1321
1322       The default if no "acl" is given is "Everyone:R", which means any
1323       authenticated user has read-only access.
1324
1325       The optional "guest_ok" has the same effect as the parameter of the
1326       same name in /etc/samba/smb.conf, in that it allows guest access to
1327       this user defined share. This parameter is only allowed if the global
1328       parameter "usershare allow guests" has been set to true in the
1329       /etc/samba/smb.conf.
1330
1331
1332       There is no separate command to modify an existing user defined share,
1333       just use the "net usershare add [sharename]" command using the same
1334       sharename as the one you wish to modify and specify the new options you
1335       wish. The Samba smbd daemon notices user defined share modifications at
1336       connect time so will see the change immediately, there is no need to
1337       restart smbd on adding, deleting or changing a user defined share.
1338
1339   USERSHARE DELETE sharename
1340       Deletes the user defined share by name. The Samba smbd daemon
1341       immediately notices this change, although it will not disconnect any
1342       users currently connected to the deleted share.
1343
1344   USERSHARE INFO [--long] [wildcard sharename]
1345       Get info on user defined shares owned by the current user matching the
1346       given pattern, or all users.
1347
1348       net usershare info on its own dumps out info on the user defined shares
1349       that were created by the current user, or restricts them to share names
1350       that match the given wildcard pattern ('*' matches one or more
1351       characters, '?' matches only one character). If the '--long' option is
1352       also given, it prints out info on user defined shares created by other
1353       users.
1354
1355       The information given about a share looks like: [foobar]
1356       path=/home/jeremy comment=testme usershare_acl=Everyone:F guest_ok=n
1357       And is a list of the current settings of the user defined share that
1358       can be modified by the "net usershare add" command.
1359
1360   USERSHARE LIST [--long] wildcard sharename
1361       List all the user defined shares owned by the current user matching the
1362       given pattern, or all users.
1363
1364       net usershare list on its own list out the names of the user defined
1365       shares that were created by the current user, or restricts the list to
1366       share names that match the given wildcard pattern ('*' matches one or
1367       more characters, '?' matches only one character). If the '--long'
1368       option is also given, it includes the names of user defined shares
1369       created by other users.
1370
1371   [RPC] CONF
1372       Starting with version 3.2.0, a Samba server can be configured by data
1373       stored in registry. This configuration data can be edited with the new
1374       "net conf" commands. There is also the possibility to configure a
1375       remote Samba server by enabling the RPC conf mode and specifying the
1376       address of the remote server.
1377
1378       The deployment of this configuration data can be activated in two
1379       levels from the /etc/samba/smb.conf file: Share definitions from
1380       registry are activated by setting registry shares to “yes” in the
1381       [global] section and global configuration options are activated by
1382       setting include = registry in the [global] section for a mixed
1383       configuration or by setting config backend = registry in the [global]
1384       section for a registry-only configuration. See the smb.conf(5) manpage
1385       for details.
1386
1387       The conf commands are:
1388           net [rpc] conf list - Dump the complete configuration in smb.conf
1389           like format.
1390           net [rpc] conf import - Import configuration from file in smb.conf
1391           format.
1392           net [rpc] conf listshares - List the registry shares.
1393           net [rpc] conf drop - Delete the complete configuration from
1394           registry.
1395           net [rpc] conf showshare - Show the definition of a registry share.
1396           net [rpc] conf addshare - Create a new registry share.
1397           net [rpc] conf delshare - Delete a registry share.
1398           net [rpc] conf setparm - Store a parameter.
1399           net [rpc] conf getparm - Retrieve the value of a parameter.
1400           net [rpc] conf delparm - Delete a parameter.
1401           net [rpc] conf getincludes - Show the includes of a share
1402           definition.
1403           net [rpc] conf setincludes - Set includes for a share.
1404           net [rpc] conf delincludes - Delete includes from a share
1405           definition.
1406
1407   [RPC] CONF LIST
1408       Print the configuration data stored in the registry in a smb.conf-like
1409       format to standard output.
1410
1411   [RPC] CONF IMPORT [--test|-T] filename [section]
1412       This command imports configuration from a file in smb.conf format. If a
1413       section encountered in the input file is present in registry, its
1414       contents is replaced. Sections of registry configuration that have no
1415       counterpart in the input file are not affected. If you want to delete
1416       these, you will have to use the "net conf drop" or "net conf delshare"
1417       commands. Optionally, a section may be specified to restrict the effect
1418       of the import command to that specific section. A test mode is enabled
1419       by specifying the parameter "-T" on the commandline. In test mode, no
1420       changes are made to the registry, and the resulting configuration is
1421       printed to standard output instead.
1422
1423   [RPC] CONF LISTSHARES
1424       List the names of the shares defined in registry.
1425
1426   [RPC] CONF DROP
1427       Delete the complete configuration data from registry.
1428
1429   [RPC] CONF SHOWSHARE sharename
1430       Show the definition of the share or section specified. It is valid to
1431       specify "global" as sharename to retrieve the global configuration
1432       options from registry.
1433
1434   [RPC] CONF ADDSHARE sharename path [writeable={y|N} [guest_ok={y|N}
1435       [comment]]]
1436       Create a new share definition in registry. The sharename and path have
1437       to be given. The share name may not be "global". Optionally, values for
1438       the very common options "writeable", "guest ok" and a "comment" may be
1439       specified. The same result may be obtained by a sequence of "net conf
1440       setparm" commands.
1441
1442   [RPC] CONF DELSHARE sharename
1443       Delete a share definition from registry.
1444
1445   [RPC] CONF SETPARM section parameter value
1446       Store a parameter in registry. The section may be global or a
1447       sharename. The section is created if it does not exist yet.
1448
1449   [RPC] CONF GETPARM section parameter
1450       Show a parameter stored in registry.
1451
1452   [RPC] CONF DELPARM section parameter
1453       Delete a parameter stored in registry.
1454
1455   [RPC] CONF GETINCLUDES section
1456       Get the list of includes for the provided section (global or share).
1457
1458       Note that due to the nature of the registry database and the nature of
1459       include directives, the includes need special treatment: Parameters are
1460       stored in registry by the parameter name as valuename, so there is only
1461       ever one instance of a parameter per share. Also, a specific order like
1462       in a text file is not guaranteed. For all real parameters, this is
1463       perfectly ok, but the include directive is rather a meta parameter, for
1464       which, in the smb.conf text file, the place where it is specified
1465       between the other parameters is very important. This can not be
1466       achieved by the simple registry smbconf data model, so there is one
1467       ordered list of includes per share, and this list is evaluated after
1468       all the parameters of the share.
1469
1470       Further note that currently, only files can be included from registry
1471       configuration. In the future, there will be the ability to include
1472       configuration data from other registry keys.
1473
1474   [RPC] CONF SETINCLUDES section [filename]+
1475       Set the list of includes for the provided section (global or share) to
1476       the given list of one or more filenames. The filenames may contain the
1477       usual smb.conf macros like %I.
1478
1479   [RPC] CONF DELINCLUDES section
1480       Delete the list of includes from the provided section (global or
1481       share).
1482
1483   REGISTRY
1484       Manipulate Samba's registry.
1485
1486       The registry commands are:
1487           net registry enumerate   - Enumerate registry keys and values.
1488           net registry enumerate_recursive - Enumerate registry key and its
1489           subkeys.
1490           net registry createkey   - Create a new registry key.
1491           net registry deletekey   - Delete a registry key.
1492           net registry deletekey_recursive - Delete a registry key with
1493           subkeys.
1494           net registry getvalue    - Print a registry value.
1495           net registry getvalueraw - Print a registry value (raw format).
1496           net registry setvalue    - Set a new registry value.
1497           net registry increment   - Increment a DWORD registry value under a
1498           lock.
1499           net registry deletevalue - Delete a registry value.
1500           net registry getsd       - Get security descriptor.
1501           net registry getsd_sdd1  - Get security descriptor in sddl format.
1502           net registry setsd_sdd1  - Set security descriptor from sddl format
1503           string.
1504           net registry import      - Import a registration entries (.reg)
1505           file.
1506           net registry export      - Export a registration entries (.reg)
1507           file.
1508           net registry convert     - Convert a registration entries (.reg)
1509           file.
1510           net registry check       - Check and repair a registry database.
1511
1512   REGISTRY ENUMERATE key
1513       Enumerate subkeys and values of key.
1514
1515   REGISTRY ENUMERATE_RECURSIVE key
1516       Enumerate values of key and its subkeys.
1517
1518   REGISTRY CREATEKEY key
1519       Create a new key if not yet existing.
1520
1521   REGISTRY DELETEKEY key
1522       Delete the given key and its values from the registry, if it has no
1523       subkeys.
1524
1525   REGISTRY DELETEKEY_RECURSIVE key
1526       Delete the given key and all of its subkeys and values from the
1527       registry.
1528
1529   REGISTRY GETVALUE key name
1530       Output type and actual value of the value name of the given key.
1531
1532   REGISTRY GETVALUERAW key name
1533       Output the actual value of the value name of the given key.
1534
1535   REGISTRY SETVALUE key name type value ...
1536       Set the value name of an existing key.  type may be one of sz, multi_sz
1537       or dword. In case of multi_sz value may be given multiple times.
1538
1539   REGISTRY INCREMENT key name [inc]
1540       Increment the DWORD value name of key by inc while holding a g_lock.
1541       inc defaults to 1.
1542
1543   REGISTRY DELETEVALUE key name
1544       Delete the value name of the given key.
1545
1546   REGISTRY GETSD key
1547       Get the security descriptor of the given key.
1548
1549   REGISTRY GETSD_SDDL key
1550       Get the security descriptor of the given key as a Security Descriptor
1551       Definition Language (SDDL) string.
1552
1553   REGISTRY SETSD_SDDL keysd
1554       Set the security descriptor of the given key from a Security Descriptor
1555       Definition Language (SDDL) string sd.
1556
1557   REGISTRY IMPORT file [--precheck <check-file>] [opt]
1558       Import a registration entries (.reg) file.
1559
1560       The following options are available:
1561
1562       --precheck check-file
1563           This is a mechanism to check the existence or non-existence of
1564           certain keys or values specified in a precheck file before applying
1565           the import file. The import file will only be applied if the
1566           precheck succeeds.
1567
1568           The check-file follows the normal registry file syntax with the
1569           following semantics:
1570
1571                  •   <value name>=<value> checks whether the value exists and
1572                      has the given value.
1573
1574                  •   <value name>=- checks whether the value does not exist.
1575
1576                  •   [key] checks whether the key exists.
1577
1578                  •   [-key] checks whether the key does not exist.
1579
1580
1581   REGISTRY EXPORT keyfile[opt]
1582       Export a key to a registration entries (.reg) file.
1583
1584   REGISTRY CONVERT in out [[inopt] outopt]
1585       Convert a registration entries (.reg) file in.
1586
1587   REGISTRY CHECK [-ravTl] [-o <ODB>] [--wipe] [<DB>]
1588       Check and repair the registry database. If no option is given a read
1589       only check of the database is done. Among others an interactive or
1590       automatic repair mode may be chosen with one of the following options
1591
1592       -r|--repair
1593           Interactive repair mode, ask a lot of questions.
1594
1595       -a|--auto
1596           Noninteractive repair mode, use default answers.
1597
1598       -v|--verbose
1599           Produce more output.
1600
1601       -T|--test
1602           Dry run, show what changes would be made but don't touch anything.
1603
1604       -l|--lock
1605           Lock the database while doing the check.
1606
1607       --reg-version={1,2,3}
1608           Specify the format of the registry database. If not given it
1609           defaults to the value of the binary or, if an registry.tdb is
1610           explicitly stated at the commandline, to the value found in the
1611           INFO/version record.
1612
1613       [--db] <DB>
1614           Check the specified database.
1615
1616       -o|--output <ODB>
1617           Create a new registry database <ODB> instead of modifying the
1618           input. If <ODB> is already existing --wipe may be used to overwrite
1619           it.
1620
1621       --wipe
1622           Replace the registry database instead of modifying the input or
1623           overwrite an existing output database.
1624
1625   EVENTLOG
1626       Starting with version 3.4.0 net can read, dump, import and export
1627       native win32 eventlog files (usually *.evt). evt files are used by the
1628       native Windows eventviewer tools.
1629
1630       The import and export of evt files can only succeed when eventlog list
1631       is used in /etc/samba/smb.conf file. See the smb.conf(5) manpage for
1632       details.
1633
1634       The eventlog commands are:
1635           net eventlog dump - Dump a eventlog *.evt file on the screen.
1636           net eventlog import - Import a eventlog *.evt into the samba
1637           internal tdb based representation of eventlogs.
1638           net eventlog export - Export the samba internal tdb based
1639           representation of eventlogs into an eventlog *.evt file.
1640
1641   EVENTLOG DUMP filename
1642       Prints a eventlog *.evt file to standard output.
1643
1644   EVENTLOG IMPORT filename eventlog
1645       Imports a eventlog *.evt file defined by filename into the samba
1646       internal tdb representation of eventlog defined by eventlog.  eventlog
1647       needs to part of the eventlog list defined in /etc/samba/smb.conf. See
1648       the smb.conf(5) manpage for details.
1649
1650   EVENTLOG EXPORT filename eventlog
1651       Exports the samba internal tdb representation of eventlog defined by
1652       eventlog to a eventlog *.evt file defined by filename.  eventlog needs
1653       to part of the eventlog list defined in /etc/samba/smb.conf. See the
1654       smb.conf(5) manpage for details.
1655
1656   DOM
1657       Starting with version 3.2.0 Samba has support for remote join and
1658       unjoin APIs, both client and server-side. Windows supports remote join
1659       capabilities since Windows 2000.
1660
1661       In order for Samba to be joined or unjoined remotely an account must be
1662       used that is either member of the Domain Admins group, a member of the
1663       local Administrators group or a user that is granted the
1664       SeMachineAccountPrivilege privilege.
1665
1666       The client side support for remote join is implemented in the net dom
1667       commands which are:
1668           net dom join - Join a remote computer into a domain.
1669           net dom unjoin - Unjoin a remote computer from a domain.
1670           net dom renamecomputer - Renames a remote computer joined to a
1671           domain.
1672
1673   DOM JOIN  domain=DOMAIN ou=OU account=ACCOUNT password=PASSWORD reboot
1674       Joins a computer into a domain. This command supports the following
1675       additional parameters:
1676
1677DOMAIN can be a NetBIOS domain name (also known as short
1678                  domain name) or a DNS domain name for Active Directory
1679                  Domains. As in Windows, it is also possible to control which
1680                  Domain Controller to use. This can be achieved by appending
1681                  the DC name using the \ separator character. Example:
1682                  MYDOM\MYDC. The DOMAIN parameter cannot be NULL.
1683
1684OU can be set to a RFC 1779 LDAP DN, like
1685                  ou=mymachines,cn=Users,dc=example,dc=com in order to create
1686                  the machine account in a non-default LDAP container. This
1687                  optional parameter is only supported when joining Active
1688                  Directory Domains.
1689
1690ACCOUNT defines a domain account that will be used to join
1691                  the machine to the domain. This domain account needs to have
1692                  sufficient privileges to join machines.
1693
1694PASSWORD defines the password for the domain account defined
1695                  with ACCOUNT.
1696
1697REBOOT is an optional parameter that can be set to reboot
1698                  the remote machine after successful join to the domain.
1699
1700
1701       Note that you also need to use standard net parameters to connect and
1702       authenticate to the remote machine that you want to join. These
1703       additional parameters include: -S computer and -U user.
1704
1705       Example: net dom join -S xp -U XP\\administrator%secret domain=MYDOM
1706       account=MYDOM\\administrator password=topsecret reboot.
1707
1708       This example would connect to a computer named XP as the local
1709       administrator using password secret, and join the computer into a
1710       domain called MYDOM using the MYDOM domain administrator account and
1711       password topsecret. After successful join, the computer would reboot.
1712
1713   DOM UNJOIN account=ACCOUNT password=PASSWORD reboot
1714       Unjoins a computer from a domain. This command supports the following
1715       additional parameters:
1716
1717ACCOUNT defines a domain account that will be used to unjoin
1718                  the machine from the domain. This domain account needs to
1719                  have sufficient privileges to unjoin machines.
1720
1721PASSWORD defines the password for the domain account defined
1722                  with ACCOUNT.
1723
1724REBOOT is an optional parameter that can be set to reboot
1725                  the remote machine after successful unjoin from the domain.
1726
1727
1728       Note that you also need to use standard net parameters to connect and
1729       authenticate to the remote machine that you want to unjoin. These
1730       additional parameters include: -S computer and -U user.
1731
1732       Example: net dom unjoin -S xp -U XP\\administrator%secret
1733       account=MYDOM\\administrator password=topsecret reboot.
1734
1735       This example would connect to a computer named XP as the local
1736       administrator using password secret, and unjoin the computer from the
1737       domain using the MYDOM domain administrator account and password
1738       topsecret. After successful unjoin, the computer would reboot.
1739
1740   DOM RENAMECOMPUTER newname=NEWNAME account=ACCOUNT password=PASSWORD reboot
1741       Renames a computer that is joined to a domain. This command supports
1742       the following additional parameters:
1743
1744NEWNAME defines the new name of the machine in the domain.
1745
1746ACCOUNT defines a domain account that will be used to rename
1747                  the machine in the domain. This domain account needs to have
1748                  sufficient privileges to rename machines.
1749
1750PASSWORD defines the password for the domain account defined
1751                  with ACCOUNT.
1752
1753REBOOT is an optional parameter that can be set to reboot
1754                  the remote machine after successful rename in the domain.
1755
1756
1757       Note that you also need to use standard net parameters to connect and
1758       authenticate to the remote machine that you want to rename in the
1759       domain. These additional parameters include: -S computer and -U user.
1760
1761       Example: net dom renamecomputer -S xp -U XP\\administrator%secret
1762       newname=XPNEW account=MYDOM\\administrator password=topsecret reboot.
1763
1764       This example would connect to a computer named XP as the local
1765       administrator using password secret, and rename the joined computer to
1766       XPNEW using the MYDOM domain administrator account and password
1767       topsecret. After successful rename, the computer would reboot.
1768
1769   G_LOCK
1770       Manage global locks.
1771
1772   G_LOCK DO lockname timeout command
1773       Execute a shell command under a global lock. This might be useful to
1774       define the order in which several shell commands will be executed. The
1775       locking information is stored in a file called g_lock.tdb. In setups
1776       with CTDB running, the locking information will be available on all
1777       cluster nodes.
1778
1779LOCKNAME defines the name of the global lock.
1780
1781TIMEOUT defines the timeout.
1782
1783COMMAND defines the shell command to execute.
1784
1785   G_LOCK LOCKS
1786       Print a list of all currently existing locknames.
1787
1788   G_LOCK DUMP lockname
1789       Dump the locking table of a certain global lock.
1790
1791   TDB
1792       Print information from tdb records.
1793
1794   TDB LOCKING key [DUMP]
1795       List sharename, filename and number of share modes for a record from
1796       locking.tdb. With the optional DUMP options, dump the complete record.
1797
1798KEY Key of the tdb record as hex string.
1799
1800   vfs
1801       Access shared filesystem through the VFS.
1802
1803   vfs stream2abouble [--recursive] [--verbose] [--continue] [--follow-
1804       symlinks] share path
1805       Convert file streams to AppleDouble files.
1806
1807share A Samba share.
1808
1809
1810path A relative path of something in the Samba share. "."
1811                  can be used for the root directory of the share.
1812
1813
1814       Options:
1815
1816       --recursive
1817           Traverse a directory hierarchy.
1818
1819       --verbose
1820           Verbose output.
1821
1822       --continue
1823           Continue traversing a directory hierarchy if a single conversion
1824           fails.
1825
1826       --follow-symlinks
1827           Follow symlinks encountered while traversing a directory.
1828
1829   vfs getntacl share path
1830       Display the security descriptor of a file or directory.
1831
1832share A Samba share.
1833
1834
1835path A relative path of something in the Samba share. "."
1836                  can be used for the root directory of the share.
1837
1838   OFFLINEJOIN
1839       Starting with version 4.15 Samba has support for offline join APIs.
1840       Windows supports offline join capabilities since Windows 7 and Windows
1841       2008 R2.
1842
1843       The following offline commands are implemented:
1844           net offlinejoin provision - Provisions a machine account in AD.
1845           net offlinejoin requestodj - Requests a domain offline join.
1846
1847   OFFLINEJOIN PROVISION domain=DOMAIN machine_name=MACHINE_NAME
1848       machine_account_ou=MACHINE_ACCOUNT_OU dcname=DCNAME defpwd reuse
1849       savefile=FILENAME printblob
1850       Provisions a machine account in AD. This command needs network
1851       connectivity to the domain controller to succeed. This command supports
1852       the following additional parameters:
1853
1854DOMAIN can be a NetBIOS domain name (also known as short
1855                  domain name) or a DNS domain name for Active Directory
1856                  Domains. The DOMAIN parameter cannot be NULL.
1857
1858MACHINE_NAME defines the machine account name that will be
1859                  provisioned in AD. The MACHINE_NAME parameter cannot be
1860                  NULL.
1861
1862MACHINE_ACCOUNT_OU can be set to a RFC 1779 LDAP DN, like
1863                  ou=mymachines,cn=Users,dc=example,dc=com in order to create
1864                  the machine account in a non-default LDAP container. This
1865                  optional parameter is only supported when joining Active
1866                  Directory Domains.
1867
1868DCNAME defines a specific domain controller for creating the
1869                  machine account in AD.
1870
1871DEFPWD is an optional parameter that can be set to enforce
1872                  using the default machine account password. The use of this
1873                  parameter is not recommended as the default machine account
1874                  password can be easily guessed.
1875
1876REUSE is an optional parameter that can be set to enforce
1877                  reusing an existing machine account in AD.
1878
1879SAVEFILE is an optional parameter to store the generated
1880                  provisioning data on disk.
1881
1882PRINTBLOB is an optional parameter to print the generated
1883                  provisioning data on stdout.
1884
1885
1886       Example: net offlinejoin provision -U administrator%secret domain=MYDOM
1887       machine_name=MYHOST savefile=provisioning.txt
1888
1889   OFFLINEJOIN REQUESTODJ loadfile=FILENAME
1890       Requests an offline domain join by providing file-based provisioning
1891       data. This command supports the following additional parameters:
1892
1893LOADFILE is a required parameter to load the provisioning
1894                  from a file.
1895
1896
1897       Example: net offlinejoin requestodj -U administrator%secret
1898       loadfile=provisioning.txt
1899
1900   HELP [COMMAND]
1901       Gives usage information for the specified command.
1902

VERSION

1904       This man page is complete for version 3 of the Samba suite.
1905

AUTHOR

1907       The original Samba software and related utilities were created by
1908       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
1909       Source project similar to the way the Linux kernel is developed.
1910
1911       The net manpage was written by Jelmer Vernooij.
1912
1913
1914
1915Samba 4.17.5                      01/26/2023                            NET(8)
Impressum