SAMBA-TOOL(8)             System Administration tools            SAMBA-TOOL(8)

NAME

       samba-tool - Main Samba administration tool.

SYNOPSIS

       samba-tool [-h] [-W myworkgroup] [-U user] [-d debuglevel] [--v]

DESCRIPTION

       This tool is part of the samba(7) suite.

OPTIONS

       -h|--help
           Show this help message and exit

       -r|--realm=REALM
           Set the realm for the domain.

           Note that specifying this parameter here will override the realm
           parameter in the /etc/samba/smb.conf file.

       --simple-bind-dn=DN
           DN to use for a simple bind.

       --password
           Specify the password on the commandline.

           Be cautious about including passwords in scripts or passing
           user-supplied values onto the command line. For security it is
           better to let the Samba client tool ask for the password if needed,
           or obtain the password once with kinit.

           If --password is not specified, the tool will check the PASSWD
           environment variable, followed by PASSWD_FD which is expected to
           contain an open file descriptor (FD) number.

           Finally it will check PASSWD_FILE (containing a file path to be
           opened). The file should only contain the password. Make certain
           that the permissions on the file restrict access from unwanted
           users!

           While Samba will attempt to scrub the password from the process
           title (as seen in ps), this is after startup and so is subject to a
           race.

       -U|--user=[DOMAIN\]USERNAME[%PASSWORD]
           Sets the SMB username or username and password.

           If %PASSWORD is not specified, the user will be prompted. The
           client will first check the USER environment variable (which is
           also permitted to contain the password separated by a %), then
           the LOGNAME variable (which is not permitted to contain a password)
           and if either exists, the value is used. If these environment
           variables are not found, the username found in a Kerberos
           Credentials cache may be used.

           A third option is to use a credentials file which contains the
           plaintext of the username and password. This option is mainly
           provided for scripts where the admin does not wish to pass the
           credentials on the command line or via environment variables. If
           this method is used, make certain that the permissions on the file
           restrict access from unwanted users. See the -A option for more
           details.

           Be cautious about including passwords in scripts or passing
           user-supplied values onto the command line. For security it is
           better to let the Samba client tool ask for the password if needed,
           or obtain the password once with kinit.

           While Samba will attempt to scrub the password from the process
           title (as seen in ps), this is after startup and so is subject to a
           race.

       -W|--workgroup=WORKGROUP
           Set the SMB domain of the username. This overrides the default
           domain which is the domain defined in smb.conf. If the domain
           specified is the same as the server's NetBIOS name, it causes the
           client to log on using the server's local SAM (as opposed to the
           Domain SAM).

           Note that specifying this parameter here will override the
           workgroup parameter in the /etc/samba/smb.conf file.

       -N|--no-pass
           If specified, this parameter suppresses the normal password prompt
           from the client to the user. This is useful when accessing a
           service that does not require a password.

           Unless a password is specified on the command line or this
           parameter is specified, the client will request a password.

           If a password is specified on the command line and this option is
           also defined, the password on the command line will be silently
           ignored and no password will be used.

       --use-kerberos=desired|required|off
           This parameter determines whether Samba client tools will try to
           authenticate using Kerberos. For Kerberos authentication you need
           to use DNS names instead of IP addresses when connecting to a
           service.

           Note that specifying this parameter here will override the client
           use kerberos parameter in the /etc/samba/smb.conf file.

       --use-krb5-ccache=CCACHE
           Specifies the credential cache location for Kerberos
           authentication.

           This will set --use-kerberos=required too.

       --ipaddress=IPADDRESS
           IP address of the server

       -d|--debuglevel=DEBUGLEVEL
           level is an integer from 0 to 10. The default value if this
           parameter is not specified is 1 for client applications.

           The higher this value, the more detail will be logged to the log
           files about the activities of the server. At level 0, only critical
           errors and serious warnings will be logged. Level 1 is a reasonable
           level for day-to-day running - it generates a small amount of
           information about operations carried out.

           Levels above 1 will generate considerable amounts of log data, and
           should only be used when investigating a problem. Levels above 3
           are designed for use only by developers and generate HUGE amounts
           of log data, most of which is extremely cryptic.

           Note that specifying this parameter here will override the log
           level parameter in the /etc/samba/smb.conf file.

       --debug-stdout
           This will redirect debug output to STDOUT. By default all clients
           are logging to STDERR.
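
       One way to follow the advice under --password and -U about keeping
       passwords off the command line, as an added example that is not part
       of the Samba documentation: shell helpers that refuse a password file
       unless it is private to the caller and then hand it to the tool
       through PASSWD_FD. The function names and file paths are assumptions
       made for this example.

```shell
#!/bin/sh
# Added example, not Samba project code. All helper names are hypothetical.

# Succeeds only if $1 is a regular file (not a symlink) that is owned by the
# caller and has no group or other permission bits set.
passwd_file_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    [ ! -L "$f" ] || return 1
    meta=$(ls -ldn -- "$f") || return 1     # e.g. "-rw------- 1 1000 1000 ..."
    mode=${meta%% *}
    owner=$(printf '%s\n' "$meta" | awk '{print $3}')
    [ "$owner" = "$(id -u)" ] || return 1
    case $mode in
        -???------*) return 0 ;;            # group and other bits all clear
        *)           return 1 ;;
    esac
}

# Creates password file $1 from stdin with mode 0600. The password never
# appears in argv, and an existing file is not overwritten (noclobber).
write_private_passwd_file() {
    ( umask 077 && set -C && cat > "$1" )
}

# Runs the given command with the password file open read-only on
# descriptor 3 and PASSWD_FD=3 in its environment, so the password is in
# neither the process title nor the environment block.
run_with_passwd_fd() {
    pwfile=$1
    shift
    if ! passwd_file_is_private "$pwfile"; then
        echo "refusing to use $pwfile: not a private regular file" >&2
        return 1
    fi
    PASSWD_FD=3 "$@" 3< "$pwfile"
}

# Typical use (constructed path; requires samba-tool to be installed):
#   run_with_passwd_fd /root/.samba-admin.pw samba-tool user list -U Administrator
```

       The same check applies before exporting PASSWD_FILE: call
       passwd_file_is_private on the path first and stop if it fails.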

COMMANDS

   computer
       Manage computer accounts.

   computer add computername [options]
       Add a new computer to the Active Directory Domain.

       The new computer name specified on the command is the sAMAccountName,
       with or without the trailing dollar sign.

       --computerou=COMPUTEROU
           DN of alternative location (with or without domainDN counterpart)
           to default CN=Computers in which new computer object will be
           created. E.g. 'OU=OUname'.

       --description=DESCRIPTION
           The new computer's description.

       --ip-address=IP_ADDRESS_LIST
           IPv4 address for the computer's A record, or IPv6 address for AAAA
           record, can be provided multiple times.

       --service-principal-name=SERVICE_PRINCIPAL_NAME_LIST
           Computer's Service Principal Name, can be provided multiple times.

       --prepare-oldjoin
           Prepare enabled machine account for oldjoin mechanism.

   computer create computername [options]
       Add a new computer. This is a synonym for the samba-tool computer add
       command and is available for compatibility reasons only. Please use
       samba-tool computer add instead.

   computer delete computername [options]
       Delete an existing computer account.

       The computer name specified on the command is the sAMAccountName, with
       or without the trailing dollar sign.

   computer edit computername
       Edit a computer AD object.

       The computer name specified on the command is the sAMAccountName, with
       or without the trailing dollar sign.

       --editor=EDITOR
           Specifies the editor to use instead of the system default, or 'vi'
           if no system default is set.

   computer list
       List all computers.

   computer move computername new_parent_dn [options]
       This command moves a computer account into the specified organizational
       unit or container.

       The computername specified on the command is the sAMAccountName, with
       or without the trailing dollar sign.

       The name of the organizational unit or container can be specified as a
       full DN or without the domainDN component.

   computer show computername [options]
       Display a computer AD object.

       The computer name specified on the command is the sAMAccountName, with
       or without the trailing dollar sign.

       --attributes=USER_ATTRS
           Comma separated list of attributes, which will be printed.

   contact
       Manage contacts.

   contact add [contactname] [options]
       Add a new contact to the Active Directory Domain.

       The name of the new contact can be specified by the first argument
       'contactname' or the --given-name, --initial and --surname arguments.
       If no 'contactname' is given, contact's name will be made up of the
       given arguments by combining the given-name, initials and surname. Each
       argument is optional. A dot ('.') will be appended to the initials
       automatically.

       --ou=OU
           DN of alternative location (with or without domainDN counterpart)
           in which the new contact will be created. E.g. 'OU=OUname'. Default
           is the domain base.

       --description=DESCRIPTION
           The new contact's description.

       --surname=SURNAME
           Contact's surname.

       --given-name=GIVEN_NAME
           Contact's given name.

       --initials=INITIALS
           Contact's initials.

       --display-name=DISPLAY_NAME
           Contact's display name.

       --job-title=JOB_TITLE
           Contact's job title.

       --department=DEPARTMENT
           Contact's department.

       --company=COMPANY
           Contact's company.

       --mail-address=MAIL_ADDRESS
           Contact's email address.

       --internet-address=INTERNET_ADDRESS
           Contact's home page.

       --telephone-number=TELEPHONE_NUMBER
           Contact's phone number.

       --mobile-number=MOBILE_NUMBER
           Contact's mobile phone number.

       --physical-delivery-office=PHYSICAL_DELIVERY_OFFICE
           Contact's office location.

   contact create [contactname] [options]
       Add a new contact. This is a synonym for the samba-tool contact add
       command and is available for compatibility reasons only. Please use
       samba-tool contact add instead.

   contact delete contactname [options]
       Delete an existing contact.

       The contactname specified on the command is the common name or the
       distinguished name of the contact object. The distinguished name of the
       contact can be specified with or without the domainDN component.

   contact edit contactname
       Modify a contact AD object.

       The contactname specified on the command is the common name or the
       distinguished name of the contact object. The distinguished name of the
       contact can be specified with or without the domainDN component.

       --editor=EDITOR
           Specifies the editor to use instead of the system default, or 'vi'
           if no system default is set.

   contact list [options]
       List all contacts.

       --full-dn
           Display contact's full DN instead of the name.

   contact move contactname new_parent_dn [options]
       This command moves a contact into the specified organizational unit or
       container.

       The contactname specified on the command is the common name or the
       distinguished name of the contact object. The distinguished name of the
       contact can be specified with or without the domainDN component.

   contact show contactname [options]
       Display a contact AD object.

       The contactname specified on the command is the common name or the
       distinguished name of the contact object. The distinguished name of the
       contact can be specified with or without the domainDN component.

       --attributes=CONTACT_ATTRS
           Comma separated list of attributes, which will be printed.

   contact rename contactname [options]
       Rename a contact and related attributes.

       This command sets the contact's name-related attributes. The
       contact's CN will be renamed automatically. The contact's new CN will
       be made up by combining the given-name, initials and surname. A dot
       ('.') will be appended to the initials automatically, if required. Use
       the --force-new-cn option to specify the new CN manually and --reset-cn
       to reset this change.

       Use an empty attribute value to remove the specified attribute.

       The contact name specified on the command is the CN.

       --surname=SURNAME
           New surname.

       --given-name=GIVEN_NAME
           New given name.

       --initials=INITIALS
           New initials.

       --force-new-cn=NEW_CN
           Specify a new CN (RDN) instead of using a combination of the given
           name, initials and surname.

       --reset-cn
           Set the CN to the default combination of given name, initials and
           surname.

       --display-name=DISPLAY_NAME
           New display name.

       --mail-address=MAIL_ADDRESS
           New email address.

   dbcheck
       Check the local AD database for errors.

   delegation
       Manage Delegations.

   delegation add-service accountname principal [options]
       Add a service principal as msDS-AllowedToDelegateTo.

   delegation del-service accountname principal [options]
       Delete a service principal as msDS-AllowedToDelegateTo.

   delegation for-any-protocol accountname [(on|off)] [options]
       Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy) for an
       account.

   delegation for-any-service accountname [(on|off)] [options]
       Set/unset UF_TRUSTED_FOR_DELEGATION for an account.

   delegation show accountname [options]
       Show the delegation setting of an account.

   dns
       Manage Domain Name Service (DNS).

   dns add server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
       Add a DNS record.

   dns delete server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
       Delete a DNS record.

   dns query server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT|ALL [options] data
       Query a name.

   dns roothints server [name] [options]
       Query root hints.

   dns serverinfo server [options]
       Query server information.

   dns update server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT olddata newdata
       Update a DNS record.

   dns zonecreate server zone [options]
       Create a zone.

   dns zonedelete server zone [options]
       Delete a zone.

   dns zoneinfo server zone [options]
       Query zone information.

   dns zonelist server [options]
       List zones.

   domain
       Manage Domain.

   domain backup
       Create or restore a backup of the domain.

   domain backup offline
       Backup (with proper locking) local domain directories into a tar file.

   domain backup online
       Copy a running DC's current DB into a backup tar file.

   domain backup rename
       Copy a running DC's DB to backup file, renaming the domain in the
       process.

   domain backup restore
       Restore the domain's DB from a backup-file.

   domain classicupgrade [options] classic_smb_conf
       Upgrade from Samba classic (NT4-like) database to Samba AD DC database.

   domain dcpromo dnsdomain [DC|RODC] [options]
       Promote an existing domain member or NT4 PDC to an AD DC.

   domain demote
       Demote ourselves from the role of domain controller.

   domain exportkeytab keytab [options]
       Dumps Kerberos keys of the domain into a keytab.

   domain info ip_address [options]
       Print basic info about a domain and the specified DC.

   domain join dnsdomain [DC|RODC|MEMBER|SUBDOMAIN] [options]
       Join a domain as either member or backup domain controller.

   domain level show|raise options [options]
       Show/raise domain and forest function levels.

   domain passwordsettings show|set options [options]
       Show/set password settings.

   domain passwordsettings pso
       Manage fine-grained Password Settings Objects (PSOs).

   domain passwordsettings pso apply pso-name user-or-group-name [options]
       Applies a PSO's password policy to a user or group.

   domain passwordsettings pso create pso-name precedence [options]
       Creates a new Password Settings Object (PSO).

   domain passwordsettings pso delete pso-name [options]
       Deletes a Password Settings Object (PSO).

   domain passwordsettings pso list [options]
       Lists all Password Settings Objects (PSOs).

   domain passwordsettings pso set pso-name [options]
       Modifies a Password Settings Object (PSO).

   domain passwordsettings pso show user-name [options]
       Displays a Password Settings Object (PSO).

   domain passwordsettings pso show-user pso-name [options]
       Displays the Password Settings that apply to a user.

   domain passwordsettings pso unapply pso-name user-or-group-name [options]
       Updates a PSO to no longer apply to a user or group.

   domain provision
       Promote an existing domain member or NT4 PDC to an AD DC.

   domain trust
       Domain and forest trust management.

   domain trust create DOMAIN options [options]
       Create a domain or forest trust.

   domain trust modify DOMAIN options [options]
       Modify a domain or forest trust.

   domain trust delete DOMAIN options [options]
       Delete a domain trust.

   domain trust list options [options]
       List domain trusts.

   domain trust namespaces [DOMAIN] options [options]
       Manage forest trust namespaces.

   domain trust show DOMAIN options [options]
       Show trusted domain details.

   domain trust validate DOMAIN options [options]
       Validate a domain trust.

   drs
       Manage Directory Replication Services (DRS).

   drs bind
       Show DRS capabilities of a server.

   drs kcc
       Trigger knowledge consistency center run.

   drs options
       Query or change options for NTDS Settings object of a domain
       controller.

   drs replicate destination_DC source_DC NC [options]
       Replicate a naming context between two DCs.

   drs showrepl
       Show replication status. The [--json] option results in JSON output,
       and with the [--summary] option produces very little output when the
       replication status seems healthy.

   dsacl
       Administer DS ACLs

   dsacl set
       Modify access list on a directory object.

   forest
       Manage Forest configuration.

   forest directory_service
       Manage directory_service behaviour for the forest.

   forest directory_service dsheuristics VALUE
       Modify dsheuristics directory_service configuration for the forest.

   forest directory_service show
       Show current directory_service configuration for the forest.

   fsmo
       Manage Flexible Single Master Operations (FSMO).

   fsmo seize [options]
       Seize the role.

   fsmo show
       Show the roles.

   fsmo transfer [options]
       Transfer the role.

   gpo
       Manage Group Policy Objects (GPO).

   gpo create displayname [options]
       Create an empty GPO.

   gpo del gpo [options]
       Delete GPO.

   gpo dellink container_dn gpo [options]
       Delete GPO link from a container.

   gpo fetch gpo [options]
       Download a GPO.

   gpo getinheritance container_dn [options]
       Get inheritance flag for a container.

   gpo getlink container_dn [options]
       List GPO Links for a container.

   gpo list username [options]
       List GPOs for an account.

   gpo listall
       List all GPOs.

   gpo listcontainers gpo [options]
       List all linked containers for a GPO.

   gpo setinheritance container_dn block|inherit [options]
       Set inheritance flag on a container.

   gpo setlink container_dn gpo [options]
       Add or Update a GPO link to a container.

   gpo show gpo [options]
       Show information for a GPO.

   gpo manage symlink list
       List VGP Symbolic Link Group Policy from the sysvol

   gpo manage symlink add
       Adds a VGP Symbolic Link Group Policy to the sysvol

   gpo manage symlink remove
       Removes a VGP Symbolic Link Group Policy from the sysvol

   gpo manage files list
       List VGP Files Group Policy from the sysvol

   gpo manage files add
       Add VGP Files Group Policy to the sysvol

   gpo manage files remove
       Remove VGP Files Group Policy from the sysvol

   gpo manage openssh list
       List VGP OpenSSH Group Policy from the sysvol

   gpo manage openssh set
       Sets a VGP OpenSSH Group Policy to the sysvol

   gpo manage sudoers add
       Adds a Samba Sudoers Group Policy to the sysvol.

   gpo manage sudoers list
       List Samba Sudoers Group Policy from the sysvol.

   gpo manage sudoers remove
       Removes a Samba Sudoers Group Policy from the sysvol.

   gpo manage scripts startup list
       List VGP Startup Script Group Policy from the sysvol

   gpo manage scripts startup add
       Adds VGP Startup Script Group Policy to the sysvol

   gpo manage scripts startup remove
       Removes VGP Startup Script Group Policy from the sysvol

   gpo manage motd list
       List VGP MOTD Group Policy from the sysvol.

   gpo manage motd set
       Sets a VGP MOTD Group Policy to the sysvol

   gpo manage issue list
       List VGP Issue Group Policy from the sysvol.

   gpo manage issue set
       Sets a VGP Issue Group Policy to the sysvol

   gpo manage access add
       Adds a VGP Host Access Group Policy to the sysvol

   gpo manage access list
       List VGP Host Access Group Policy from the sysvol

   gpo manage access remove
       Remove a VGP Host Access Group Policy from the sysvol

   group
       Manage groups.

   group add groupname [options]
       Create a new AD group.

   group create groupname [options]
       Add a new AD group. This is a synonym for the samba-tool group add
       command and is available for compatibility reasons only. Please use
       samba-tool group add instead.

   group addmembers groupname members [options]
       Add members to an AD group.

   group delete groupname [options]
       Delete an AD group.

   group edit groupname
       Edit a group AD object.

       --editor=EDITOR
           Specifies the editor to use instead of the system default, or 'vi'
           if no system default is set.

   group list
       List all groups.

   group listmembers groupname [options]
       List all members of the specified AD group.

       By default the sAMAccountNames are listed. If no sAMAccountName is
       available, the CN will be used instead.

       --full-dn
           List the distinguished names instead of the sAMAccountNames.

       --hide-expired
           Do not list expired group members.

       --hide-disabled
           Do not list disabled group members.

   group move groupname new_parent_dn [options]
       This command moves a group into the specified organizational unit or
       container.

       The groupname specified on the command is the sAMAccountName.

       The name of the organizational unit or container can be specified as a
       full DN or without the domainDN component.

   group removemembers groupname members [options]
       Remove members from the specified AD group.

   group show groupname [options]
       Show group object and its attributes.

   group stats [options]
       Show statistics for overall groups and group memberships.

   group rename groupname [options]
       Rename a group and related attributes.

       This command sets the group's name-related attributes. The
       group's CN will be renamed automatically. The group's CN will be the
       sAMAccountName. Use the --force-new-cn option to specify the new CN
       manually and the --reset-cn to reset this change.

       Use an empty attribute value to remove the specified attribute.

       The groupname specified on the command is the sAMAccountName.

       --force-new-cn=NEW_CN
           Specify a new CN (RDN) instead of using the sAMAccountName.

       --reset-cn
           Set the CN to the sAMAccountName.

       --mail-address=MAIL_ADDRESS
           New mail address

       --samaccountname=SAMACCOUNTNAME
           New account name (sAMAccountName/logon name)

   ldapcmp URL1 URL2 domain|configuration|schema|dnsdomain|dnsforest [options]
       Compare two LDAP databases.

   ntacl
       Manage NT ACLs.

   ntacl changedomsid original-domain-SID new-domain-SID file [options]
       Change the domain SID for ACLs. Can be used to change all entries in
       acl_xattr when the machine's SID has accidentally changed or the data
       set has been copied to another machine either via backup/restore or
       rsync.

       --use-ntvfs
           Set the ACLs directly to the TDB or xattr. The POSIX permissions
           will NOT be changed, only the NT ACL will be stored.

       --service=SERVICE
           Specify the name of the smb.conf service to use. This option is
           required in combination with the --use-s3fs option.

       --use-s3fs
           Set the ACLs for use with the default s3fs file server via the VFS
           layer. This option requires a smb.conf service, specified by the
           --service=SERVICE option.

       --xattr-backend=[native|tdb]
           Specify the xattr backend type (native fs or tdb).

       --eadb-file=EADB_FILE
           Name of the tdb file where attributes are stored.

       --recursive
           Set the ACLs for directories and their contents recursively.

       --follow-symlinks
           Follow symlinks when --recursive is specified.

       --verbose
           Verbosely list files and ACLs which are being processed.

   ntacl get file [options]
       Get ACLs on a file.

   ntacl set acl file [options]
       Set ACLs on a file.

   ntacl sysvolcheck
       Check sysvol ACLs match defaults (including correct ACLs on GPOs).

   ntacl sysvolreset
       Reset sysvol ACLs to defaults (including correct ACLs on GPOs).

   ou
       Manage organizational units (OUs).

   ou add ou_dn [options]
       Add a new organizational unit.

       The name of the organizational unit can be specified as a full DN or
       without the domainDN component.

       --description=DESCRIPTION
           Specify OU's description.

   ou create ou_dn [options]
       Add a new organizational unit. This is a synonym for the samba-tool ou
       add command and is available for compatibility reasons only. Please use
       samba-tool ou add instead.

   ou delete ou_dn [options]
       Delete an organizational unit.

       The name of the organizational unit can be specified as a full DN or
       without the domainDN component.

       --force-subtree-delete
           Delete organizational unit and all children recursively.

   ou list [options]
       List all organizational units.

       --full-dn
           Display DNs including the base DN.

   ou listobjects ou_dn [options]
       List all objects in an organizational unit.

       The name of the organizational unit can be specified as a full DN or
       without the domainDN component.

       --full-dn
           Display DNs including the base DN.

       -r|--recursive
           List objects recursively.

   ou move old_ou_dn new_parent_dn [options]
       Move an organizational unit.

       The name of the organizational units can be specified as a full DN or
       without the domainDN component.

   ou rename old_ou_dn new_ou_dn [options]
       Rename an organizational unit.

       The name of the organizational units can be specified as a full DN or
       without the domainDN component.

   rodc
       Manage Read-Only Domain Controller (RODC).

   rodc preload SID|DN|accountname [options]
       Preload one account for an RODC.

   schema
       Manage and query schema.

   schema attribute modify attribute [options]
       Modify the behaviour of an attribute in schema.

   schema attribute show attribute [options]
       Display an attribute schema definition.

   schema attribute show_oc attribute [options]
       Show objectclasses that MAY or MUST contain this attribute.

   schema objectclass show objectclass [options]
       Display an objectclass schema definition.

   sites
       Manage sites.

   sites create site [options]
       Create a new site.

   sites remove site [options]
       Delete an existing site.

   spn
       Manage Service Principal Names (SPN).

   spn add name user [options]
       Create a new SPN.

   spn delete name [user] [options]
       Delete an existing SPN.

   spn list user [options]
       List SPNs of a given user.

   testparm
       Check the syntax of the configuration file.

   time
       Retrieve the time on a server.

   user
896       Manage users.
897
898   user add username [password]
899       Add a new user to the Active Directory Domain.
900
901   user create username [password]
902       Add a new user. This is a synonym for the samba-tool user add command
903       and is available for compatibility reasons only. Please use samba-tool
904       user add instead.
905
906   user delete username [options]
907       Delete an existing user account.
908
909   user disable username
910       Disable a user account.
911
912   user edit username
913       Edit a user account AD object.
914
915       --editor=EDITOR
916           Specifies the editor to use instead of the system default, or 'vi'
917           if no system default is set.
918
919   user enable username
920       Enable a user account.
921
922   user list
923       List all users.
924
       By default the users' sAMAccountNames are listed.

       --full-dn
           List users' distinguished names instead of the sAMAccountNames.

       -b BASE_DN|--base-dn=BASE_DN
           Specify base DN to use. Only users under the specified base DN will
           be listed.

       --hide-expired
           Do not list expired user accounts.

       --hide-disabled
           Do not list disabled user accounts.

   user setprimarygroup username primarygroupname
       Set the primary group of a user account.

   user getgroups username
       Get the direct group memberships of a user account.
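
       An access-review sketch built on the user list and user getgroups
       commands described above, added here as an example and not part of the
       Samba documentation: it reports enabled, unexpired accounts that are
       direct members of privileged groups. The privileged-group list, the
       demo_tool stand-in with its constructed accounts, and the assumption
       that getgroups prints one group name per line are illustrative.

```shell
#!/bin/sh
# Access review using `samba-tool user list` and `samba-tool user getgroups`.
# Assumption: getgroups prints one group name per line. It reports direct
# memberships only, so nested group membership is not covered here.
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"

# Groups treated as privileged (assumed list; adjust to the domain).
PRIV_GROUPS="Domain Admins
Enterprise Admins
Schema Admins
Administrators"

# Print "user<TAB>group" for every enabled, unexpired account that is a
# direct member of one of the privileged groups.
audit_privileged() {
    "$SAMBA_TOOL" user list --hide-expired --hide-disabled |
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        # </dev/null keeps the tool from consuming the outer loop's input.
        "$SAMBA_TOOL" user getgroups "$user" </dev/null |
        while IFS= read -r group; do
            if printf '%s\n' "$PRIV_GROUPS" | grep -Fxq -- "$group"; then
                printf '%s\t%s\n' "$user" "$group"
            fi
        done
    done
}

# Constructed stand-in for samba-tool so the script runs without a domain.
demo_tool() {
    case "$1 $2" in
        "user list") printf '%s\n' alice bob svc-backup ;;
        "user getgroups")
            case "$3" in
                alice) printf '%s\n' "Domain Users" "Domain Admins" ;;
                bob) printf '%s\n' "Domain Users" ;;
                svc-backup) printf '%s\n' "Domain Users" "Administrators" ;;
            esac ;;
    esac
}

# Demo run on the constructed data; on a domain controller, call
# audit_privileged without the SAMBA_TOOL override.
SAMBA_TOOL=demo_tool audit_privileged
```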

   user show username [options]
       Display a user AD object.

       --attributes=USER_ATTRS
           Comma separated list of attributes, which will be printed.

   user move username new_parent_dn [options]
       This command moves a user account into the specified organizational
       unit or container.

       The username specified on the command is the sAMAccountName.

       The name of the organizational unit or container can be specified as a
       full DN or without the domainDN component.

   user password [options]
       Change password for a user account (the one provided in
       authentication).

   user rename username [options]
       Rename a user and related attributes.

       This command sets the user's name-related attributes. The user's CN
       will be renamed automatically. The user's new CN will be made up by
       combining the given name, initials and surname. A dot ('.') will be
       appended to the initials automatically, if required. Use the
       --force-new-cn option to specify the new CN manually and --reset-cn to
       reset this change.

       Use an empty attribute value to remove the specified attribute.

       The username specified on the command is the sAMAccountName.

       --surname=SURNAME
           New surname

       --given-name=GIVEN_NAME
           New given name

       --initials=INITIALS
           New initials

       --force-new-cn=NEW_CN
           Specify a new CN (RDN) instead of using a combination of the given
           name, initials and surname.

       --reset-cn
           Set the CN to the default combination of given name, initials and
           surname.

       --display-name=DISPLAY_NAME
           New display name

       --mail-address=MAIL_ADDRESS
           New email address

       --samaccountname=SAMACCOUNTNAME
           New account name (sAMAccountName/logon name)

       --upn=UPN
           New user principal name

   user setexpiry username [options]
       Set the expiration of a user account.

   user setpassword username [options]
       Sets or resets the password of a user account.

   user unlock username [options]
       This command unlocks a user account in the Active Directory domain.

   user getpassword username [options]
       Gets the password of a user account.

   user syncpasswords --cache-ldb-initialize [options]
       Syncs the passwords of all user accounts, using an optional script.

       Note that this command should run on a single domain controller only
       (typically the PDC-emulator).

   vampire [options] domain
       Join and synchronise a remote AD domain to the local server. Please
       note that samba-tool vampire is deprecated; please use samba-tool
       domain join instead.

   visualize [options] subcommand
       Produce graphical representations of Samba network state. To work out
       what is happening in a replication graph, it is sometimes helpful to
       use visualisations.

       There are two subcommands, two graphical modes, and (roughly) two modes
       of operation with respect to the location of authority.

   MODES OF OPERATION
       samba-tool visualize ntdsconn
           Looks at NTDS connections.

       samba-tool visualize reps
           Looks at repsTo and repsFrom objects.

       samba-tool visualize uptodateness
           Looks at replication lag as shown by the uptodateness vectors.

   GRAPHICAL MODES
       --distance
           Distances between DCs are shown in a matrix in the terminal.

       --dot
           Generate Graphviz dot output (for ntdsconn and reps modes). When
           viewed using dot or xdot, this shows the network as a graph with
           DCs as vertices and connections as edges. Certain types of
           degenerate edges are shown in different colours or line-styles.

       --xdot
           Generate Graphviz dot output as with [--dot] and attempt to view it
           immediately using /usr/bin/xdot.

       -r
           Normally, samba-tool talks to one database; with the [-r] option
           attempts are made to contact all the DCs known to the first
           database. This is necessary for samba-tool visualize uptodateness
           and for samba-tool visualize reps because the repsFrom/To objects
           are not replicated, and it can reveal replication issues in other
           modes.

   help
       Gives usage information.


VERSION

       This man page is complete for version 4.17.5 of the Samba suite.


AUTHOR

       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.



Samba 4.17.5                      01/26/2023                     SAMBA-TOOL(8)