SAMBA-TOOL(8)            System Administration tools            SAMBA-TOOL(8)



NAME
       samba-tool - Main Samba administration tool.

SYNOPSIS
       samba-tool [-h] [-W myworkgroup] [-U user] [-d debuglevel] [--v]

DESCRIPTION
       This tool is part of the samba(7) suite.

OPTIONS
       -h|--help
           Show this help message and exit.

       -r|--realm=REALM
           Set the realm for the domain.

           Note that specifying this parameter here will override the realm
           parameter in the /etc/samba/smb.conf file.

       --simple-bind-dn=DN
           DN to use for a simple bind.

       --password
           Specify the password on the command line.

           Be cautious about including passwords in scripts or passing
           user-supplied values onto the command line: an argument is visible
           to every local user in the process list and may also be recorded
           in shell history. For security it is better to let the Samba client
           tool ask for the password if needed, or obtain the password once
           with kinit.

           If --password is not specified, the tool will check the PASSWD
           environment variable, followed by PASSWD_FD which is expected to
           contain an open file descriptor (FD) number.

           Finally it will check PASSWD_FILE (containing a file path to be
           opened). The file should only contain the password. Make certain
           that the permissions on the file restrict access from unwanted
           users!

           While Samba will attempt to scrub the password from the process
           title (as seen in ps), this is after startup and so is subject to a
           race.

       -U|--user=[DOMAIN\]USERNAME[%PASSWORD]
           Sets the SMB username or username and password.

           If %PASSWORD is not specified, the user will be prompted. The
           client will first check the USER environment variable (which is
           also permitted to contain the password separated by a %), then
           the LOGNAME variable (which is not permitted to contain a password)
           and if either exists, the value is used. If these environment
           variables are not found, the username found in a Kerberos
           credentials cache may be used.

           A third option is to use a credentials file which contains the
           plaintext of the username and password. This option is mainly
           provided for scripts where the admin does not wish to pass the
           credentials on the command line or via environment variables. If
           this method is used, make certain that the permissions on the file
           restrict access from unwanted users. See -A for more details.

           Be cautious about including passwords in scripts or passing
           user-supplied values onto the command line. For security it is
           better to let the Samba client tool ask for the password if needed,
           or obtain the password once with kinit.

           While Samba will attempt to scrub the password from the process
           title (as seen in ps), this is after startup and so is subject to a
           race.

       -W|--workgroup=WORKGROUP
           Set the SMB domain of the username. This overrides the default
           domain which is the domain defined in smb.conf. If the domain
           specified is the same as the server's NetBIOS name, it causes the
           client to log on using the server's local SAM (as opposed to the
           Domain SAM).

           Note that specifying this parameter here will override the
           workgroup parameter in the /etc/samba/smb.conf file.

       -N|--no-pass
           If specified, this parameter suppresses the normal password prompt
           from the client to the user. This is useful when accessing a
           service that does not require a password.

           Unless a password is specified on the command line or this
           parameter is specified, the client will request a password.

           If a password is specified on the command line and this option is
           also defined, the password on the command line will be silently
           ignored and no password will be used.

       --use-kerberos=desired|required|off
           This parameter determines whether Samba client tools will try to
           authenticate using Kerberos. For Kerberos authentication you need
           to use DNS names instead of IP addresses when connecting to a
           service.

           Note that specifying this parameter here will override the client
           use kerberos parameter in the /etc/samba/smb.conf file.

       --use-krb5-ccache=CCACHE
           Specifies the credential cache location for Kerberos
           authentication.

           This will set --use-kerberos=required too.

       -A|--authentication-file=filename
           This option allows you to specify a file from which to read the
           username and password used in the connection. The format of the
           file is:

               username = <value>
               password = <value>
               domain = <value>

           Make certain that the permissions on the file restrict access from
           unwanted users!
124
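       The safer delivery paths described under --password (PASSWD_FD,
       PASSWD_FILE) and under -A (a credentials file) are easy to get wrong
       in scripts. The following shell script is an added example written
       for this page; it is not part of Samba or of this man page. It wraps
       any command (samba-tool in practice, a stand-in while testing) so the
       password reaches it over an inherited file descriptor rather than
       argv, refuses credential files that other users can read, and writes
       an -A style credentials file that is mode 0600 from the moment it is
       created. The function names, the choice of fd 3 and the use of GNU
       stat (Linux) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the samba-tool man page or the Samba project):
# hand a password to a Samba client tool via PASSWD_FD or an -A file instead
# of --password or -U user%pass, so it never appears in argv (readable by
# every local user through ps) or in shell history.
# Assumes GNU stat (Linux). Function names and fd 3 are this example's own.

# check_secret_file FILE
# Succeeds only if FILE is a regular file, owned by the caller, with no
# group or other permission bits (e.g. 0600 or 0400).
check_secret_file() {
    f=$1
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    mode=$(stat -c %a "$f") || return 1
    owner=$(stat -c %u "$f") || return 1
    [ "$owner" = "$(id -u)" ] || { echo "not owned by caller: $f" >&2; return 1; }
    case $mode in
        [0-7]00) return 0 ;;
        *) echo "mode $mode too permissive, want 0600: $f" >&2; return 1 ;;
    esac
}

# write_auth_file FILE USERNAME DOMAIN
# Reads the password from stdin and writes the file format expected by
# -A|--authentication-file. umask 077 makes the file 0600 at creation, so
# there is no window in which another user could read it.
write_auth_file() {
    f=$1; user=$2; domain=$3
    IFS= read -r pw || return 1
    (umask 077 && printf 'username = %s\npassword = %s\ndomain = %s\n' \
        "$user" "$pw" "$domain" > "$f")
    rc=$?
    unset pw
    return $rc
}

# run_with_passwd_fd SECRET_FILE CMD [ARG...]
# Opens SECRET_FILE (which must contain only the password) on fd 3 and runs
# CMD with PASSWD_FD=3 in its environment. CMD reads the password from the
# inherited descriptor; its argv and environment carry only the fd number.
run_with_passwd_fd() {
    f=$1; shift
    check_secret_file "$f" || return 1
    exec 3<"$f" || return 1
    PASSWD_FD=3 "$@"
    rc=$?
    exec 3<&-
    return $rc
}

# Typical use against a real domain (not run here):
#   printf '%s\n' "$pw" | (umask 077 && cat > ~/.samba-pw)
#   run_with_passwd_fd ~/.samba-pw samba-tool user list -U admin
```

       The wrapper deliberately opens the descriptor in the parent shell and
       closes it again afterwards, so the secret is readable by the one child
       process and by nothing that runs later in the same script. The file
       itself is still the weak point: check_secret_file rejects anything
       group- or world-readable before a single byte is passed on.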
       --ipaddress=IPADDRESS
           IP address of the server.

       --color=always|never|auto
           Indicate whether samba-tool should use ANSI colour codes in its
           output. If 'auto' (the default), samba-tool will use colour when
           its output is directed toward a terminal, unless the NO_COLOR
           environment variable is set and non-empty.

           The values 'yes' and 'force' are accepted as synonyms for 'always';
           'no' and 'none' for 'never'; and 'tty' and 'if-tty' for 'auto'.

           Note that asking for colour doesn't mean samba-tool will
           necessarily be very colourful. Many commands are very monochrome,
           particularly when successful.

       -d|--debuglevel=DEBUGLEVEL
           level is an integer from 0 to 10. The default value if this
           parameter is not specified is 1 for client applications.

           The higher this value, the more detail will be logged to the log
           files about the activities of the tool. At level 0, only critical
           errors and serious warnings will be logged. Level 1 is a reasonable
           level for day-to-day running - it generates a small amount of
           information about operations carried out.

           Levels above 1 will generate considerable amounts of log data, and
           should only be used when investigating a problem. Levels above 3
           are designed for use only by developers and generate HUGE amounts
           of log data, most of which is extremely cryptic.

           Note that specifying this parameter here will override the log
           level parameter in the /etc/samba/smb.conf file.

       --debug-stdout
           This will redirect debug output to STDOUT. By default all clients
           are logging to STDERR.

COMMANDS
       computer
           Manage computer accounts.

       computer add computername [options]
           Add a new computer to the Active Directory Domain.

           The new computer name specified on the command is the
           sAMAccountName, with or without the trailing dollar sign.

           --computerou=COMPUTEROU
               DN of alternative location (with or without domainDN
               counterpart) to default CN=Computers in which the new computer
               object will be created. E.g. 'OU=OUname'.

           --description=DESCRIPTION
               The new computer's description.

           --ip-address=IP_ADDRESS_LIST
               IPv4 address for the computer's A record, or IPv6 address for
               AAAA record, can be provided multiple times.

           --service-principal-name=SERVICE_PRINCIPAL_NAME_LIST
               Computer's Service Principal Name, can be provided multiple
               times.

           --prepare-oldjoin
               Prepare enabled machine account for oldjoin mechanism.

       computer create computername [options]
           Add a new computer. This is a synonym for the samba-tool computer
           add command and is available for compatibility reasons only.
           Please use samba-tool computer add instead.

       computer delete computername [options]
           Delete an existing computer account.

           The computer name specified on the command is the sAMAccountName,
           with or without the trailing dollar sign.

       computer edit computername
           Edit a computer AD object.

           The computer name specified on the command is the sAMAccountName,
           with or without the trailing dollar sign.

           --editor=EDITOR
               Specifies the editor to use instead of the system default, or
               'vi' if no system default is set.

       computer list
           List all computers.

       computer move computername new_parent_dn [options]
           This command moves a computer account into the specified
           organizational unit or container.

           The computername specified on the command is the sAMAccountName,
           with or without the trailing dollar sign.

           The name of the organizational unit or container can be specified
           as a full DN or without the domainDN component.

       computer show computername [options]
           Display a computer AD object.

           The computer name specified on the command is the sAMAccountName,
           with or without the trailing dollar sign.

           --attributes=USER_ATTRS
               Comma separated list of attributes, which will be printed.

       contact
           Manage contacts.

       contact add [contactname] [options]
           Add a new contact to the Active Directory Domain.

           The name of the new contact can be specified by the first argument
           'contactname' or the --given-name, --initials and --surname
           arguments. If no 'contactname' is given, the contact's name will be
           made up of the given arguments by combining the given name,
           initials and surname. Each argument is optional. A dot ('.') will
           be appended to the initials automatically.

           --ou=OU
               DN of alternative location (with or without domainDN
               counterpart) in which the new contact will be created. E.g.
               'OU=OUname'. Default is the domain base.

           --description=DESCRIPTION
               The new contact's description.

           --surname=SURNAME
               Contact's surname.

           --given-name=GIVEN_NAME
               Contact's given name.

           --initials=INITIALS
               Contact's initials.

           --display-name=DISPLAY_NAME
               Contact's display name.

           --job-title=JOB_TITLE
               Contact's job title.

           --department=DEPARTMENT
               Contact's department.

           --company=COMPANY
               Contact's company.

           --mail-address=MAIL_ADDRESS
               Contact's email address.

           --internet-address=INTERNET_ADDRESS
               Contact's home page.

           --telephone-number=TELEPHONE_NUMBER
               Contact's phone number.

           --mobile-number=MOBILE_NUMBER
               Contact's mobile phone number.

           --physical-delivery-office=PHYSICAL_DELIVERY_OFFICE
               Contact's office location.

       contact create [contactname] [options]
           Add a new contact. This is a synonym for the samba-tool contact
           add command and is available for compatibility reasons only.
           Please use samba-tool contact add instead.

       contact delete contactname [options]
           Delete an existing contact.

           The contactname specified on the command is the common name or the
           distinguished name of the contact object. The distinguished name
           of the contact can be specified with or without the domainDN
           component.

       contact edit contactname
           Modify a contact AD object.

           The contactname specified on the command is the common name or the
           distinguished name of the contact object. The distinguished name
           of the contact can be specified with or without the domainDN
           component.

           --editor=EDITOR
               Specifies the editor to use instead of the system default, or
               'vi' if no system default is set.

       contact list [options]
           List all contacts.

           --full-dn
               Display the contact's full DN instead of the name.

       contact move contactname new_parent_dn [options]
           This command moves a contact into the specified organizational
           unit or container.

           The contactname specified on the command is the common name or the
           distinguished name of the contact object. The distinguished name
           of the contact can be specified with or without the domainDN
           component.

       contact show contactname [options]
           Display a contact AD object.

           The contactname specified on the command is the common name or the
           distinguished name of the contact object. The distinguished name
           of the contact can be specified with or without the domainDN
           component.

           --attributes=CONTACT_ATTRS
               Comma separated list of attributes, which will be printed.

       contact rename contactname [options]
           Rename a contact and related attributes.

           This command allows you to set the contact's name-related
           attributes. The contact's CN will be renamed automatically. The
           contact's new CN will be made up by combining the given name,
           initials and surname. A dot ('.') will be appended to the initials
           automatically, if required. Use the --force-new-cn option to
           specify the new CN manually and --reset-cn to reset this change.

           Use an empty attribute value to remove the specified attribute.

           The contact name specified on the command is the CN.

           --surname=SURNAME
               New surname.

           --given-name=GIVEN_NAME
               New given name.

           --initials=INITIALS
               New initials.

           --force-new-cn=NEW_CN
               Specify a new CN (RDN) instead of using a combination of the
               given name, initials and surname.

           --reset-cn
               Set the CN to the default combination of given name, initials
               and surname.

           --display-name=DISPLAY_NAME
               New display name.

           --mail-address=MAIL_ADDRESS
               New email address.

       dbcheck
           Check the local AD database for errors.

       delegation
           Manage Delegations.

       delegation add-service accountname principal [options]
           Add a service principal to the account's msDS-AllowedToDelegateTo
           attribute (constrained delegation: the account may impersonate
           users only to the listed services).

       delegation del-service accountname principal [options]
           Delete a service principal from the account's
           msDS-AllowedToDelegateTo attribute.

       delegation for-any-protocol accountname [(on|off)] [options]
           Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy)
           for an account. With this flag set the account can obtain service
           tickets on behalf of users who did not authenticate to it with
           Kerberos (protocol transition), so enable it only where required.

       delegation for-any-service accountname [(on|off)] [options]
           Set/unset UF_TRUSTED_FOR_DELEGATION for an account. This is
           unconstrained delegation: the account receives forwarded TGTs of
           users who authenticate to it and can impersonate them to any
           service. Prefer add-service (constrained delegation) where
           possible.

       delegation show accountname [options]
           Show the delegation setting of an account.

       dns
           Manage Domain Name Service (DNS).

       dns add server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
           Add a DNS record.

       dns delete server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
           Delete a DNS record.

       dns query server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT|ALL [options] data
           Query a name.

       dns roothints server [name] [options]
           Query root hints.

       dns serverinfo server [options]
           Query server information.

       dns update server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT olddata newdata
           Update a DNS record.

       dns zonecreate server zone [options]
           Create a zone.

       dns zonedelete server zone [options]
           Delete a zone.

       dns zoneinfo server zone [options]
           Query zone information.

       dns zonelist server [options]
           List zones.

       domain
           Manage Domain.

       domain backup
           Create or restore a backup of the domain.

       domain backup offline
           Backup (with proper locking) local domain directories into a tar
           file.

       domain backup online
           Copy a running DC's current DB into a backup tar file.

       domain backup rename
           Copy a running DC's DB to backup file, renaming the domain in the
           process.

       domain backup restore
           Restore the domain's DB from a backup-file.

       domain classicupgrade [options] classic_smb_conf
           Upgrade from Samba classic (NT4-like) database to Samba AD DC
           database.

       domain dcpromo dnsdomain [DC|RODC] [options]
           Promote an existing domain member or NT4 PDC to an AD DC.

       domain demote
           Demote ourselves from the role of domain controller.

       domain exportkeytab keytab [options]
           Dumps Kerberos keys of the domain into a keytab. The keytab holds
           long-term keys; restrict its permissions as you would the domain
           database itself.

       domain info ip_address [options]
           Print basic info about a domain and the specified DC.

       domain join dnsdomain [DC|RODC|MEMBER|SUBDOMAIN] [options]
           Join a domain as a member server, as an additional domain
           controller (DC or RODC), or as a new subdomain.

       domain level show|raise options [options]
           Show/raise domain and forest function levels.

       domain passwordsettings show|set options [options]
           Show/set password settings.

       domain passwordsettings pso
           Manage fine-grained Password Settings Objects (PSOs).

       domain passwordsettings pso apply pso-name user-or-group-name [options]
           Applies a PSO's password policy to a user or group.

       domain passwordsettings pso create pso-name precedence [options]
           Creates a new Password Settings Object (PSO).

       domain passwordsettings pso delete pso-name [options]
           Deletes a Password Settings Object (PSO).

       domain passwordsettings pso list [options]
           Lists all Password Settings Objects (PSOs).

       domain passwordsettings pso set pso-name [options]
           Modifies a Password Settings Object (PSO).

       domain passwordsettings pso show pso-name [options]
           Displays a Password Settings Object (PSO).

       domain passwordsettings pso show-user user-name [options]
           Displays the Password Settings that apply to a user.

       domain passwordsettings pso unapply pso-name user-or-group-name [options]
           Updates a PSO to no longer apply to a user or group.

       domain provision
           Provision a new Active Directory domain, making this host its
           first domain controller.

       domain trust
           Domain and forest trust management.

       domain trust create DOMAIN options [options]
           Create a domain or forest trust.

       domain trust modify DOMAIN options [options]
           Modify a domain or forest trust.

       domain trust delete DOMAIN options [options]
           Delete a domain trust.

       domain trust list options [options]
           List domain trusts.

       domain trust namespaces [DOMAIN] options [options]
           Manage forest trust namespaces.

       domain trust show DOMAIN options [options]
           Show trusted domain details.

       domain trust validate DOMAIN options [options]
           Validate a domain trust.

       drs
           Manage Directory Replication Services (DRS).

       drs bind
           Show DRS capabilities of a server.

       drs kcc
           Trigger a Knowledge Consistency Checker (KCC) run.

       drs options
           Query or change options for the NTDS Settings object of a domain
           controller.

       drs replicate destination_DC source_DC NC [options]
           Replicate a naming context between two DCs.

       drs showrepl
           Show replication status. The [--json] option results in JSON
           output, and with the [--summary] option produces very little
           output when the replication status seems healthy.

       dsacl
           Administer DS ACLs.

       dsacl delete
           Delete an access list entry on a directory object.

       dsacl get
           Print access list on a directory object.

       dsacl set
           Modify access list on a directory object.

       forest
           Manage Forest configuration.

       forest directory_service
           Manage directory_service behaviour for the forest.

       forest directory_service dsheuristics VALUE
           Modify dsheuristics directory_service configuration for the
           forest.

       forest directory_service show
           Show current directory_service configuration for the forest.

       fsmo
           Manage Flexible Single Master Operations (FSMO).

       fsmo seize [options]
           Seize the role.

       fsmo show
           Show the roles.

       fsmo transfer [options]
           Transfer the role.

       gpo
           Manage Group Policy Objects (GPO).

       gpo create displayname [options]
           Create an empty GPO.

       gpo del gpo [options]
           Delete GPO.

       gpo dellink container_dn gpo [options]
           Delete GPO link from a container.

       gpo fetch gpo [options]
           Download a GPO.

       gpo getinheritance container_dn [options]
           Get inheritance flag for a container.

       gpo getlink container_dn [options]
           List GPO Links for a container.

       gpo list username [options]
           List GPOs for an account.

       gpo listall
           List all GPOs.

       gpo listcontainers gpo [options]
           List all linked containers for a GPO.

       gpo setinheritance container_dn block|inherit [options]
           Set inheritance flag on a container.

       gpo setlink container_dn gpo [options]
           Add or Update a GPO link to a container.

       gpo show gpo [options]
           Show information for a GPO.

       gpo manage symlink list
           List VGP Symbolic Link Group Policy from the sysvol.

       gpo manage symlink add
           Adds a VGP Symbolic Link Group Policy to the sysvol.

       gpo manage symlink remove
           Removes a VGP Symbolic Link Group Policy from the sysvol.

       gpo manage files list
           List VGP Files Group Policy from the sysvol.

       gpo manage files add
           Add VGP Files Group Policy to the sysvol.

       gpo manage files remove
           Remove VGP Files Group Policy from the sysvol.

       gpo manage openssh list
           List VGP OpenSSH Group Policy from the sysvol.

       gpo manage openssh set
           Sets a VGP OpenSSH Group Policy to the sysvol.

       gpo manage sudoers add
           Adds a Samba Sudoers Group Policy to the sysvol.

       gpo manage sudoers list
           List Samba Sudoers Group Policy from the sysvol.

       gpo manage sudoers remove
           Removes a Samba Sudoers Group Policy from the sysvol.

       gpo manage scripts startup list
           List VGP Startup Script Group Policy from the sysvol.

       gpo manage scripts startup add
           Adds VGP Startup Script Group Policy to the sysvol.

       gpo manage scripts startup remove
           Removes VGP Startup Script Group Policy from the sysvol.

       gpo manage motd list
           List VGP MOTD Group Policy from the sysvol.

       gpo manage motd set
           Sets a VGP MOTD Group Policy to the sysvol.

       gpo manage issue list
           List VGP Issue Group Policy from the sysvol.

       gpo manage issue set
           Sets a VGP Issue Group Policy to the sysvol.

       gpo manage access add
           Adds a VGP Host Access Group Policy to the sysvol.

       gpo manage access list
           List VGP Host Access Group Policy from the sysvol.

       gpo manage access remove
           Remove a VGP Host Access Group Policy from the sysvol.

       group
           Manage groups.

       group add groupname [options]
           Create a new AD group.

       group create groupname [options]
           Add a new AD group. This is a synonym for the samba-tool group add
           command and is available for compatibility reasons only. Please
           use samba-tool group add instead.

       group addmembers groupname members [options]
           Add members to an AD group.

       group delete groupname [options]
           Delete an AD group.

       group edit groupname
           Edit a group AD object.

           --editor=EDITOR
               Specifies the editor to use instead of the system default, or
               'vi' if no system default is set.

       group list
           List all groups.

       group listmembers groupname [options]
           List all members of the specified AD group.

           By default the sAMAccountNames are listed. If no sAMAccountName is
           available, the CN will be used instead.

           --full-dn
               List the distinguished names instead of the sAMAccountNames.

           --hide-expired
               Do not list expired group members.

           --hide-disabled
               Do not list disabled group members.

       group move groupname new_parent_dn [options]
           This command moves a group into the specified organizational unit
           or container.

           The groupname specified on the command is the sAMAccountName.

           The name of the organizational unit or container can be specified
           as a full DN or without the domainDN component.

       group removemembers groupname members [options]
           Remove members from the specified AD group.

       group show groupname [options]
           Show group object and its attributes.

       group stats [options]
           Show statistics for overall groups and group memberships.

       group rename groupname [options]
           Rename a group and related attributes.

           This command allows you to set the group's name-related
           attributes. The group's CN will be renamed automatically. The
           group's CN will be the sAMAccountName. Use the --force-new-cn
           option to specify the new CN manually and --reset-cn to reset this
           change.

           Use an empty attribute value to remove the specified attribute.

           The groupname specified on the command is the sAMAccountName.

           --force-new-cn=NEW_CN
               Specify a new CN (RDN) instead of using the sAMAccountName.

           --reset-cn
               Set the CN to the sAMAccountName.

           --mail-address=MAIL_ADDRESS
               New mail address.

           --samaccountname=SAMACCOUNTNAME
               New account name (sAMAccountName/logon name).

       ldapcmp URL1 URL2 domain|configuration|schema|dnsdomain|dnsforest [options]
           Compare two LDAP databases.

       ntacl
           Manage NT ACLs.

       ntacl changedomsid original-domain-SID new-domain-SID file [options]
           Change the domain SID for ACLs. Can be used to change all entries
           in acl_xattr when the machine's SID has accidentally changed or
           the data set has been copied to another machine either via
           backup/restore or rsync.

           --use-ntvfs
               Set the ACLs directly to the TDB or xattr. The POSIX
               permissions will NOT be changed, only the NT ACL will be
               stored.

           --service=SERVICE
               Specify the name of the smb.conf service to use. This option
               is required in combination with the --use-s3fs option.

           --use-s3fs
               Set the ACLs for use with the default s3fs file server via the
               VFS layer. This option requires a smb.conf service, specified
               by the --service=SERVICE option.

           --xattr-backend=[native|tdb]
               Specify the xattr backend type (native fs or tdb).

           --eadb-file=EADB_FILE
               Name of the tdb file where attributes are stored.

           --recursive
               Set the ACLs for directories and their contents recursively.

           --follow-symlinks
               Follow symlinks when --recursive is specified.

           --verbose
               Verbosely list files and ACLs which are being processed.

       ntacl get file [options]
           Get ACLs on a file.

       ntacl set acl file [options]
           Set ACLs on a file.

       ntacl sysvolcheck
           Check sysvol ACLs match defaults (including correct ACLs on GPOs).

       ntacl sysvolreset
           Reset sysvol ACLs to defaults (including correct ACLs on GPOs).

       ou
           Manage organizational units (OUs).

       ou add ou_dn [options]
           Add a new organizational unit.

           The name of the organizational unit can be specified as a full DN
           or without the domainDN component.

           --description=DESCRIPTION
               Specify the OU's description.

       ou create ou_dn [options]
           Add a new organizational unit. This is a synonym for the
           samba-tool ou add command and is available for compatibility
           reasons only. Please use samba-tool ou add instead.

       ou delete ou_dn [options]
           Delete an organizational unit.

           The name of the organizational unit can be specified as a full DN
           or without the domainDN component.

           --force-subtree-delete
               Delete the organizational unit and all its children
               recursively.

       ou list [options]
           List all organizational units.

           --full-dn
               Display DNs including the base DN.

       ou listobjects ou_dn [options]
           List all objects in an organizational unit.

           The name of the organizational unit can be specified as a full DN
           or without the domainDN component.

           --full-dn
               Display DNs including the base DN.

           -r|--recursive
               List objects recursively.

       ou move old_ou_dn new_parent_dn [options]
           Move an organizational unit.

           The names of the organizational units can be specified as full DNs
           or without the domainDN component.

       ou rename old_ou_dn new_ou_dn [options]
           Rename an organizational unit.

           The names of the organizational units can be specified as full DNs
           or without the domainDN component.

       rodc
           Manage Read-Only Domain Controller (RODC).

       rodc preload SID|DN|accountname [options]
           Preload one account for an RODC.

       schema
           Manage and query schema.

       schema attribute modify attribute [options]
           Modify the behaviour of an attribute in schema.

       schema attribute show attribute [options]
           Display an attribute schema definition.

       schema attribute show_oc attribute [options]
           Show objectclasses that MAY or MUST contain this attribute.

       schema objectclass show objectclass [options]
           Display an objectclass schema definition.

       sites
           Manage sites.

       sites create site [options]
           Create a new site.

       sites remove site [options]
           Delete an existing site.

       spn
           Manage Service Principal Names (SPN).

       spn add name user [options]
           Create a new SPN.

       spn delete name [user] [options]
           Delete an existing SPN.

       spn list user [options]
           List SPNs of a given user.

       testparm
           Check the syntax of the configuration file.

       time
           Retrieve the time on a server.

       user
           Manage users.

       user add username [password]
           Add a new user to the Active Directory Domain.

       user create username [password]
           Add a new user. This is a synonym for the samba-tool user add
           command and is available for compatibility reasons only. Please
           use samba-tool user add instead.

       user delete username [options]
           Delete an existing user account.

       user disable username
           Disable a user account.

       user edit username
           Edit a user account AD object.

           --editor=EDITOR
               Specifies the editor to use instead of the system default, or
               'vi' if no system default is set.

       user enable username
           Enable a user account.

       user list
           List all users.

           By default the users' sAMAccountNames are listed.

           --full-dn
               List the users' distinguished names instead of the
               sAMAccountNames.

           -b BASE_DN|--base-dn=BASE_DN
               Specify base DN to use. Only users under the specified base DN
               will be listed.

           --hide-expired
               Do not list expired user accounts.

           --hide-disabled
               Do not list disabled user accounts.

       user setprimarygroup username primarygroupname
           Set the primary group of a user account.

       user getgroups username
           Get the direct group memberships of a user account.

       user show username [options]
           Display a user AD object.

           --attributes=USER_ATTRS
               Comma separated list of attributes, which will be printed.

       user move username new_parent_dn [options]
           This command moves a user account into the specified
           organizational unit or container.

           The username specified on the command is the sAMAccountName.

           The name of the organizational unit or container can be specified
           as a full DN or without the domainDN component.

       user password [options]
           Change password for a user account (the one provided in
           authentication).

       user rename username [options]
           Rename a user and related attributes.

           This command allows you to set the user's name-related attributes.
           The user's CN will be renamed automatically. The user's new CN
           will be made up by combining the given name, initials and surname.
           A dot ('.') will be appended to the initials automatically, if
           required. Use the --force-new-cn option to specify the new CN
           manually and --reset-cn to reset this change.

           Use an empty attribute value to remove the specified attribute.

           The username specified on the command is the sAMAccountName.

           --surname=SURNAME
               New surname.

           --given-name=GIVEN_NAME
               New given name.

           --initials=INITIALS
               New initials.

           --force-new-cn=NEW_CN
               Specify a new CN (RDN) instead of using a combination of the
               given name, initials and surname.

           --reset-cn
               Set the CN to the default combination of given name, initials
               and surname.

           --display-name=DISPLAY_NAME
               New display name.

           --mail-address=MAIL_ADDRESS
               New email address.

           --samaccountname=SAMACCOUNTNAME
               New account name (sAMAccountName/logon name).

           --upn=UPN
               New user principal name.

       user setexpiry username [options]
           Set the expiration of a user account.

       user setpassword username [options]
           Sets or resets the password of a user account.

       user unlock username [options]
           This command unlocks a user account in the Active Directory
           domain.

       user getpassword username [options]
           Gets the stored password fields of a user account from the local
           database (for example unicodePwd and supplementalCredentials, or
           virtual attributes derived from them). The output is secret
           material; do not write it to shared locations or logs.

       user syncpasswords --cache-ldb-initialize [options]
           Syncs the passwords of all user accounts, using an optional
           script.

           Note that this command should run on a single domain controller
           only (typically the PDC-emulator).

       vampire [options] domain
           Join and synchronise a remote AD domain to the local server.
           Please note that samba-tool vampire is deprecated, please use
           samba-tool domain join instead.

       visualize [options] subcommand
           Produce graphical representations of Samba network state. To work
           out what is happening in a replication graph, it is sometimes
           helpful to use visualisations.

           There are two subcommands, two graphical modes, and (roughly) two
           modes of operation with respect to the location of authority.

           MODES OF OPERATION
               samba-tool visualize ntdsconn
                   Looks at NTDS connections.

               samba-tool visualize reps
                   Looks at repsTo and repsFrom objects.

               samba-tool visualize uptodateness
                   Looks at replication lag as shown by the uptodateness
                   vectors.

           GRAPHICAL MODES
               --distance
                   Distances between DCs are shown in a matrix in the
                   terminal.

               --dot
                   Generate Graphviz dot output (for ntdsconn and reps modes).
                   When viewed using dot or xdot, this shows the network as a
                   graph with DCs as vertices and connections as edges.
                   Certain types of degenerate edges are shown in different
                   colours or line-styles.

               --xdot
                   Generate Graphviz dot output as with [--dot] and attempt to
                   view it immediately using /usr/bin/xdot.

               -r
                   Normally, samba-tool talks to one database; with the [-r]
                   option attempts are made to contact all the DCs known to
                   the first database. This is necessary for samba-tool
                   visualize uptodateness and for samba-tool visualize reps
                   because the repsFrom/To objects are not replicated, and it
                   can reveal replication issues in other modes.

       help
           Gives usage information.

VERSION
       This man page is complete for version 4.18.9 of the Samba suite.

AUTHOR
       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.



Samba 4.18.9                      11/30/2023                    SAMBA-TOOL(8)