1NET(8) System Administration tools NET(8)
2
3
4
5 NAME
6 net - Tool for administration of Samba and remote CIFS servers.
7
8 SYNOPSIS
9 net {<ads|rap|rpc>} [-h|--help] [-d|--debuglevel=DEBUGLEVEL]
10 [--debug-stdout] [--configfile=CONFIGFILE] [--option=name=value]
11 [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full]
12 [-R|--name-resolve=NAME-RESOLVE-ORDER]
13 [-O|--socket-options=SOCKETOPTIONS] [-m|--max-protocol=MAXPROTOCOL]
14 [-n|--netbiosname=NETBIOSNAME] [--netbios-scope=SCOPE]
15 [-W|--workgroup=WORKGROUP] [--realm=REALM]
16 [-U|--user=[DOMAIN/]USERNAME[%PASSWORD]] [-N|--no-pass]
17 [--password=STRING] [--pw-nt-hash] [-A|--authentication-file=FILE]
18 [-P|--machine-pass] [--simple-bind-dn=DN]
19 [--use-kerberos=desired|required|off] [--use-krb5-ccache=CCACHE]
20 [--use-winbind-ccache] [--client-protection=sign|encrypt|off]
21 [-V|--version] [-w|--target-workgroup workgroup]
22 [-I|--ipaddress ip-address] [-p|--port port] [--myname]
23 [-S|--server server] [--long] [-v|--verbose] [-f|--force]
24 [--request-timeout seconds] [-t|--timeout seconds]
25 [--dns-ttl TTL-IN-SECONDS] [-i|--stdin]
26
27 DESCRIPTION
28 This tool is part of the samba(7) suite.
29
30 The Samba net utility is meant to work just like the net utility
31 available for Windows and DOS. The first argument should be used to
32 specify the protocol to use when executing a certain command. ADS is
33 used for Active Directory, RAP is used for old (Win9x/NT3) clients and
34 RPC can be used for NT4 and Windows 2000. If this argument is omitted,
35 net will try to determine it automatically. Not all commands are
36 available on all protocols.
37
38 OPTIONS
39 -w|--target-workgroup target-workgroup
40 Sets target workgroup or domain. You have to specify either this
41 option or the IP address or the name of a server.
42
43 -I|--ipaddress ip-address
44 IP address of target server to use. You have to specify either this
45 option or a target workgroup or a target server.
46
47 -p|--port port
48 Port on the target server to connect to (usually 139 or 445).
49 Defaults to trying 445 first, then 139.
50
51 -S|--server server
52 Name of target server. You should specify either this option or a
53 target workgroup or a target IP address.
54
55 --long
56 When listing data, give more information on each item.
57
58 -v|--verbose
59 When listing data, give more verbose information on each item.
60
61 -f|--force
62 Force execution of a net command.
63
64 --request-timeout 30
65 Let client requests time out after 30 seconds; the default is 10
66 seconds.
67
68 -t|--timeout 30
69 Set timeout for client operations to 30 seconds.
70
71 -i|--stdin
72 Take input for net commands from standard input.
73
74 -T|--test
75 Only test command sequence, dry-run.
76
77 -F|--flags FLAGS
78 Pass down integer flags to a net subcommand.
79
80 -C|--comment COMMENT
81 Pass down a comment string to a net subcommand.
82
83 --myname MYNAME
84 Use MYNAME as a requester name for a net subcommand.
85
86 -c|--container CONTAINER
87 Use a specific AD container for net ads operations.
88
89 -M|--maxusers MAXUSERS
90 Fill in the maxusers field in net rpc share operations.
91
92 -r|--reboot
93 Reboot a remote machine after a command has been successfully
94 executed (e.g. in remote join operations).
95
96 --force-full-repl
97 When calling "net rpc vampire keytab" this option enforces a full
98 re-creation of the generated keytab file.
99
100 --single-obj-repl
101 When calling "net rpc vampire keytab" this option allows one to
102 replicate just a single object to the generated keytab file.
103
104 --clean-old-entries
105 When calling "net rpc vampire keytab" this option allows one to
106 cleanup old entries from the generated keytab file.
107
108 --db
109 Define dbfile for "net idmap" commands.
110
111 --lock
112 Activates locking of the dbfile for "net idmap check" command.
113
114 -a|--auto
115 Activates noninteractive mode in "net idmap check".
116
117 --repair
118 Activates repair mode in "net idmap check".
119
120 --acls
121 Includes ACLs to be copied in "net rpc share migrate".
122
123 --attrs
124 Includes file attributes to be copied in "net rpc share migrate".
125
126 --timestamps
127 Includes timestamps to be copied in "net rpc share migrate".
128
129 -X|--exclude DIRECTORY
130 Allows one to exclude directories when copying with "net rpc share
131 migrate".
132
133 --destination SERVERNAME
134 Defines the target servername of migration process (defaults to
135 localhost).
136
137 -L|--local
138 Sets the type of group mapping to local (used in "net groupmap
139 set").
140
141 -D|--domain
142 Sets the type of group mapping to domain (used in "net groupmap
143 set").
144
145 -N|--ntname NTNAME
146 Sets the ntname of a group mapping (used in "net groupmap set").
147
148 --rid RID
149 Sets the rid of a group mapping (used in "net groupmap set").
150
151 --reg-version REG_VERSION
152 Assume database version {n|1,2,3} (used in "net registry check").
153
154 -o|--output FILENAME
155 Output database file (used in "net registry check").
156
157 --wipe
158 Create a new database from scratch (used in "net registry check").
159
160 --precheck PRECHECK_DB_FILENAME
161 Defines filename for database prechecking (used in "net registry
162 import").
163
164 --no-dns-updates
165 Do not perform DNS updates as part of "net ads join".
166
167 --keep-account
168 Prevent the machine account removal as part of "net ads leave".
169
170 --json
171 Report results in JSON format for "net ads info" and "net ads
172 lookup".
173
174 --recursive
175 Traverse a directory hierarchy.
176
177 --continue
178 Continue traversing a directory hierarchy in case conversion of one
179 file fails.
180
181 --follow-symlinks
182 Follow symlinks encountered while traversing a directory.
183
184 --dns-ttl TTL-IN-SECONDS
185 Specify the Time to Live (TTL) of DNS records. DNS records will be
186 created or updated with the given TTL. The TTL is specified in
187 seconds. Can be used with "net ads dns register" and "net ads
188 join". The default is 3600 seconds.
189
190 -d|--debuglevel=DEBUGLEVEL
191 level is an integer from 0 to 10. The default value if this
192 parameter is not specified is 1 for client applications.
193
194 The higher this value, the more detail will be logged to the log
195 files about the activities of the server. At level 0, only critical
196 errors and serious warnings will be logged. Level 1 is a reasonable
197 level for day-to-day running - it generates a small amount of
198 information about operations carried out.
199
200 Levels above 1 will generate considerable amounts of log data, and
201 should only be used when investigating a problem. Levels above 3
202 are designed for use only by developers and generate HUGE amounts
203 of log data, most of which is extremely cryptic.
204
205 Note that specifying this parameter here will override the log
206 level parameter in the /etc/samba/smb.conf file.
207
208 --debug-stdout
209 This will redirect debug output to STDOUT. By default all clients
210 are logging to STDERR.
211
212 --configfile=<configuration file>
213 The file specified contains the configuration details required by
214 the client. The information in this file can be general for client
215 and server, or provide only client-specific options such as
216 client smb encrypt. See /etc/samba/smb.conf for more information.
217 The default configuration file name is determined at compile time.
218
219 --option=<name>=<value>
220 Set the smb.conf(5) option "<name>" to value "<value>" from the
221 command line. This overrides compiled-in defaults and options read
222 from the configuration file. If a name or a value includes a space,
223 wrap whole --option=name=value into quotes.
224
225 -l|--log-basename=logdirectory
226 Base directory name for log/debug files. The extension ".progname"
227 will be appended (e.g. log.smbclient, log.smbd, etc...). The log
228 file is never removed by the client.
229
230 --leak-report
231 Enable talloc leak reporting on exit.
232
233 --leak-report-full
234 Enable full talloc leak reporting on exit.
235
236 -V|--version
237 Prints the program version number.
238
239 -R|--name-resolve=NAME-RESOLVE-ORDER
240 This option determines which naming services are used, and in what
241 order, to resolve host names to IP addresses. The option takes a
242 space-separated string of different name resolution options. It is
243 best to wrap the whole --name-resolve=NAME-RESOLVE-ORDER into
244 quotes.
245
246 The options are: "lmhosts", "host", "wins" and "bcast". They cause
247 names to be resolved as follows:
248
249 • lmhosts: Lookup an IP address in the Samba lmhosts file.
250 If the line in lmhosts has no name type attached to the
251 NetBIOS name (see the lmhosts(5) for details) then any
252 name type matches for lookup.
253
254 • host: Do a standard host name to IP address resolution,
255 using the system /etc/hosts, NIS, or DNS lookups. This
256 method of name resolution is operating system dependent;
257 for instance on IRIX or Solaris this may be controlled
258 by the /etc/nsswitch.conf file. Note that this method
259 is only used if the NetBIOS name type being queried is
260 the 0x20 (server) name type, otherwise it is ignored.
261
262 • wins: Query a name with the IP address listed in the
263 wins server parameter. If no WINS server has been
264 specified this method will be ignored.
265
266 • bcast: Do a broadcast on each of the known local
267 interfaces listed in the interfaces parameter. This is
268 the least reliable of the name resolution methods as it
269 depends on the target host being on a locally connected
270 subnet.
271
272 If this parameter is not set then the name resolve order defined in
273 the /etc/samba/smb.conf file parameter (name resolve order) will be
274 used.
275
276 The default order is lmhosts, host, wins, bcast. Without this
277 parameter or any entry in the name resolve order parameter of the
278 /etc/samba/smb.conf file, the name resolution methods will be
279 attempted in this order.
280
281 -O|--socket-options=SOCKETOPTIONS
282 TCP socket options to set on the client socket. See the socket
283 options parameter in the /etc/samba/smb.conf manual page for the
284 list of valid options.
285
286 -m|--max-protocol=MAXPROTOCOL
287 The value of the parameter (a string) is the highest protocol level
288 that will be supported by the client.
289
290 Note that specifying this parameter here will override the client
291 max protocol parameter in the /etc/samba/smb.conf file.
292
293 -n|--netbiosname=NETBIOSNAME
294 This option allows you to override the NetBIOS name that Samba uses
295 for itself. This is identical to setting the netbios name parameter
296 in the /etc/samba/smb.conf file. However, a command line setting
297 will take precedence over settings in /etc/samba/smb.conf.
298
299 --netbios-scope=SCOPE
300 This specifies a NetBIOS scope that nmblookup will use to
301 communicate with when generating NetBIOS names. For details on the
302 use of NetBIOS scopes, see rfc1001.txt and rfc1002.txt. NetBIOS
303 scopes are very rarely used, only set this parameter if you are the
304 system administrator in charge of all the NetBIOS systems you
305 communicate with.
306
307 -W|--workgroup=WORKGROUP
308 Set the SMB domain of the username. This overrides the default
309 domain which is the domain defined in smb.conf. If the domain
310 specified is the same as the server's NetBIOS name, it causes the
311 client to log on using the server's local SAM (as opposed to the
312 Domain SAM).
313
314 Note that specifying this parameter here will override the
315 workgroup parameter in the /etc/samba/smb.conf file.
316
317 -r|--realm=REALM
318 Set the realm for the domain.
319
320 Note that specifying this parameter here will override the realm
321 parameter in the /etc/samba/smb.conf file.
322
323 -U|--user=[DOMAIN\]USERNAME[%PASSWORD]
324 Sets the SMB username or username and password.
325
326 If %PASSWORD is not specified, the user will be prompted. The
327 client will first check the USER environment variable (which is
328 also permitted to contain the password separated by a %), then
329 the LOGNAME variable (which is not permitted to contain a password)
330 and if either exists, the value is used. If these environment
331 variables are not found, the username found in a Kerberos
332 Credentials cache may be used.
333
334 A third option is to use a credentials file which contains the
335 plaintext of the username and password. This option is mainly
336 provided for scripts where the admin does not wish to pass the
337 credentials on the command line or via environment variables. If
338 this method is used, make certain that the permissions on the file
339 restrict access from unwanted users. See -A for more details.
340
341 Be cautious about including passwords in scripts or passing
342 user-supplied values onto the command line. For security it is
343 better to let the Samba client tool ask for the password if needed,
344 or obtain the password once with kinit.
345
346 While Samba will attempt to scrub the password from the process
347 title (as seen in ps), this is after startup and so is subject to a
348 race.
349
350 -N|--no-pass
351 If specified, this parameter suppresses the normal password prompt
352 from the client to the user. This is useful when accessing a
353 service that does not require a password.
354
355 Unless a password is specified on the command line or this
356 parameter is specified, the client will request a password.
357
358 If a password is specified on the command line and this option is
359 also defined the password on the command line will be silently
360 ignored and no password will be used.
361
362 --password
363 Specify the password on the command line.
364
365 Be cautious about including passwords in scripts or passing
366 user-supplied values onto the command line. For security it is
367 better to let the Samba client tool ask for the password if needed,
368 or obtain the password once with kinit.
369
370 If --password is not specified, the tool will check the PASSWD
371 environment variable, followed by PASSWD_FD which is expected to
372 contain an open file descriptor (FD) number.
373
374 Finally it will check PASSWD_FILE (containing a file path to be
375 opened). The file should only contain the password. Make certain
376 that the permissions on the file restrict access from unwanted
377 users!
378
379 While Samba will attempt to scrub the password from the process
380 title (as seen in ps), this is after startup and so is subject to a
381 race.
382
383 --pw-nt-hash
384 The supplied password is the NT hash.
385
386 -A|--authentication-file=filename
387 This option allows you to specify a file from which to read the
388 username and password used in the connection. The format of the
389 file is:
390
391 username = <value>
392 password = <value>
393 domain = <value>
394
395
396 Make certain that the permissions on the file restrict access from
397 unwanted users!
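
The -U, --password and -A descriptions above offer several ways to hand net a password; the ones that keep it off the command line are a private credentials file (-A) or an inherited descriptor (PASSWD_FD). The script below is an added example, not part of the Samba man page or the net tool: it writes a credentials file in the -A format with owner-only permissions, refuses to invoke net if those permissions have been loosened, and shows the PASSWD_FD alternative. The helper names and the NET override variable (set NET=echo to dry-run without Samba installed) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the net(8) man page: supply net credentials
# without putting the password on the command line (visible in ps) and
# without leaving a readable secret on disk.

# Write a credentials file in the -A/--authentication-file format.
# umask 077 inside a subshell makes the file 0600 from the moment it is
# created, before the secret is written, without changing the caller's umask.
write_auth_file() {
    af_file=$1; af_user=$2; af_pass=$3; af_domain=$4
    (
        umask 077
        printf 'username = %s\npassword = %s\ndomain = %s\n' \
            "$af_user" "$af_pass" "$af_domain" > "$af_file"
    )
}

# Write a password-only file, the form PASSWD_FILE and PASSWD_FD expect.
write_password_file() {
    pf_file=$1; pf_pass=$2
    (
        umask 077
        printf '%s\n' "$pf_pass" > "$pf_file"
    )
}

# Return 0 if the file exists and has no group or other permission bits set.
# ls(1) output is used instead of stat(1) because stat's flags differ between
# GNU and BSD userlands; columns 5-10 of the mode string are the group/other bits.
file_is_private() {
    [ -f "$1" ] || return 1
    fp_bits=$(ls -ld "$1" | cut -c5-10)
    [ "$fp_bits" = "------" ]
}

# Run net with -A only if the credentials file is private. The NET variable
# (an assumption of this example) allows a dry run, e.g. NET=echo.
net_with_auth_file() {
    na_file=$1; shift
    if ! file_is_private "$na_file"; then
        echo "refusing to use $na_file: readable by group or other" >&2
        return 2
    fi
    "${NET:-net}" "$@" -A "$na_file"
}

# Run net with the password handed over on an inherited descriptor. The shell
# opens the password file on fd 3 and net reads the password from PASSWD_FD=3,
# so the secret appears neither in argv nor in the environment.
net_with_passwd_fd() {
    nf_file=$1; shift
    if ! file_is_private "$nf_file"; then
        echo "refusing to use $nf_file: readable by group or other" >&2
        return 2
    fi
    PASSWD_FD=3 "${NET:-net}" "$@" 3< "$nf_file"
}

# Example session (hostnames and account are constructed placeholders):
#   write_auth_file ~/.netcreds svc_ldap 'example-password' EXAMPLE
#   net_with_auth_file ~/.netcreds ads info -S dc1.example.test
```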
398
399 -P|--machine-pass
400 Use stored machine account password.
401
402 --simple-bind-dn=DN
403 DN to use for a simple bind.
404
405 --use-kerberos=desired|required|off
406 This parameter determines whether Samba client tools will try to
407 authenticate using Kerberos. For Kerberos authentication you need
408 to use DNS names instead of IP addresses when connecting to a
409 service.
410
411 Note that specifying this parameter here will override the client
412 use kerberos parameter in the /etc/samba/smb.conf file.
413
414 --use-krb5-ccache=CCACHE
415 Specifies the credential cache location for Kerberos
416 authentication.
417
418 This will set --use-kerberos=required too.
419
420 --use-winbind-ccache
421 Try to use the credential cache provided by winbind.
422
423 --client-protection=sign|encrypt|off
424 Sets the connection protection the client tool should use.
425
426 Note that specifying this parameter here will override the client
427 protection parameter in the /etc/samba/smb.conf file.
428
429 In case you need more fine grained control you can use:
430 --option=clientsmbencrypt=OPTION, --option=clientipcsigning=OPTION,
431 --option=clientsigning=OPTION.
432
433 COMMANDS
434 CHANGESECRETPW
435 This command allows the Samba machine account password to be set from
436 an external application to a machine account password that has already
437 been stored in Active Directory. DO NOT USE this command unless you
438 know exactly what you are doing. The use of this command requires that
439 the force flag (-f) be used also. There will be NO command prompt.
440 Whatever information is piped into stdin, either by typing at the
441 command line or otherwise, will be stored as the literal machine
442 password. Do NOT use this without care and attention as it will
443 overwrite a legitimate machine password without warning. YOU HAVE BEEN
444 WARNED.
445
446 TIME
447 The NET TIME command allows you to view the time on a remote server or
448 synchronise the time on the local server with the time on the remote
449 server.
450
451 TIME
452 Without any options, the NET TIME command displays the time on the
453 remote server. The remote server must be specified with the -S option.
454
455 TIME SYSTEM
456 Displays the time on the remote server in a format ready for /bin/date.
457 The remote server must be specified with the -S option.
458
459 TIME SET
460 Tries to set the date and time of the local server to that on the
461 remote server using /bin/date. The remote server must be specified with
462 the -S option.
463
464 TIME ZONE
465 Displays the timezone in hours from GMT on the remote server. The
466 remote server must be specified with the -S option.
467
468 [RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]]
469 [dnshostname=FQDN] [createupn=UPN] [createcomputer=OU]
470 [machinepass=PASS] [osName=string osVer=string] [options]
471 Join a domain. If the account already exists on the server, and [TYPE]
472 is MEMBER, the machine will attempt to join automatically. (Assuming
473 that the machine has been created in server manager) Otherwise, a
474 password will be prompted for, and a new account may be created.
475
476 [TYPE] may be PDC, BDC or MEMBER to specify the type of server joining
477 the domain.
478
479 [FQDN] (ADS only) set the dnsHostName attribute during the join. The
480 default format is netbiosname.dnsdomain.
481
482 [UPN] (ADS only) set the principalname attribute during the join. The
483 default format is host/netbiosname@REALM.
484
485 [OU] (ADS only) Precreate the computer account in a specific OU. The OU
486 string reads from top to bottom without RDNs, and is delimited by a
487 '/'. Please note that '\' is used for escape by both the shell and
488 ldap, so it may need to be doubled or quadrupled to pass through, and
489 it is not used as a delimiter.
490
491 [PASS] (ADS only) Set a specific password on the computer account being
492 created by the join.
493
494 [osName=string osVer=String] (ADS only) Set the operatingSystem and
495 operatingSystemVersion attribute during the join. Both parameters must
496 be specified for either to take effect.
497
498 [RPC] OLDJOIN [options]
499 Join a domain. Use the OLDJOIN option to join the domain using the old
500 style of domain joining - you need to create a trust account in server
501 manager first.
502
503 [RPC|ADS] USER
504 [RPC|ADS] USER
505 List all users
506
507 [RPC|ADS] USER DELETE target
508 Delete specified user
509
510 [RPC|ADS] USER INFO target
511 List the domain groups of the specified user.
512
513 [RPC|ADS] USER RENAME oldname newname
514 Rename specified user.
515
516 [RPC|ADS] USER ADD name [password] [-F user flags] [-C comment]
517 Add specified user.
518
519 [RPC|ADS] GROUP
520 [RPC|ADS] GROUP [misc options] [targets]
521 List user groups.
522
523 [RPC|ADS] GROUP DELETE name [misc. options]
524 Delete specified group.
525
526 [RPC|ADS] GROUP ADD name [-C comment]
527 Create specified group.
528
529 [ADS] LOOKUP
530 Lookup the closest Domain Controller in our domain and retrieve server
531 information about it.
532
533 [RAP|RPC] SHARE
534 [RAP|RPC] SHARE [misc. options] [targets]
535 Enumerates all exported resources (network shares) on target server.
536
537 [RAP|RPC] SHARE ADD name=serverpath [-C comment] [-M maxusers] [targets]
538 Adds a share from a server (makes the export active). Maxusers
539 specifies the number of users that can be connected to the share
540 simultaneously.
541
542 SHARE DELETE sharename
543 Delete specified share.
544
545 [RPC|RAP] FILE
546 [RPC|RAP] FILE
547 List all open files on remote server.
548
549 [RPC|RAP] FILE CLOSE fileid
550 Close file with specified fileid on remote server.
551
552 [RPC|RAP] FILE INFO fileid
553 Print information on specified fileid. Currently listed are: file-id,
554 username, locks, path, permissions.
555
556 [RAP|RPC] FILE USER user
557 List files opened by specified user. Please note that net rap file user
558 does not work against Samba servers.
559
560 SESSION
561 RAP SESSION
562 Without any other options, SESSION enumerates all active SMB/CIFS
563 sessions on the target server.
564
565 RAP SESSION DELETE|CLOSE CLIENT_NAME
566 Close the specified sessions.
567
568 RAP SESSION INFO CLIENT_NAME
569 Give a list with all the open files in specified session.
570
571 RAP SERVER DOMAIN
572 List all servers in specified domain or workgroup. Defaults to local
573 domain.
574
575 RAP DOMAIN
576 Lists all domains and workgroups visible on the current network.
577
578 RAP PRINTQ
579 RAP PRINTQ INFO QUEUE_NAME
580 Lists the specified print queue and print jobs on the server. If the
581 QUEUE_NAME is omitted, all queues are listed.
582
583 RAP PRINTQ DELETE JOBID
584 Delete job with specified id.
585
586 RAP VALIDATE user [password]
587 Validate whether the specified user can log in to the remote server. If
588 the password is not specified on the commandline, it will be prompted.
589
590 Note
591 Currently NOT implemented.
592
593 RAP GROUPMEMBER
594 RAP GROUPMEMBER LIST GROUP
595 List all members of the specified group.
596
597 RAP GROUPMEMBER DELETE GROUP USER
598 Delete member from group.
599
600 RAP GROUPMEMBER ADD GROUP USER
601 Add member to group.
602
603 RAP ADMIN command
604 Execute the specified command on the remote server. Only works with
605 OS/2 servers.
606
607 Note
608 Currently NOT implemented.
609
610 RAP SERVICE
611 RAP SERVICE START NAME [arguments...]
612 Start the specified service on the remote server. Not implemented yet.
613
614 Note
615 Currently NOT implemented.
616
617 RAP SERVICE STOP
618 Stop the specified service on the remote server.
619
620 Note
621 Currently NOT implemented.
622
623 RAP PASSWORD USER OLDPASS NEWPASS
624 Change password of USER from OLDPASS to NEWPASS.
625
626 LOOKUP
627 LOOKUP HOST HOSTNAME [TYPE]
628 Lookup the IP address of the given host with the specified type
629 (netbios suffix). The type defaults to 0x20 (workstation).
630
631 LOOKUP LDAP [DOMAIN]
632 Give IP address of LDAP server of specified DOMAIN. Defaults to local
633 domain.
634
635 LOOKUP KDC [REALM]
636 Give IP address of KDC for the specified REALM. Defaults to local
637 realm.
638
639 LOOKUP DC [DOMAIN]
640 Give the IP addresses of the Domain Controllers for the specified
641 DOMAIN. Defaults to local domain.
642
643 LOOKUP MASTER DOMAIN
644 Give IP of master browser for specified DOMAIN or workgroup. Defaults
645 to local domain.
646
647 LOOKUP NAME [NAME]
648 Lookup username's sid and type for specified NAME
649
650 LOOKUP SID [SID]
651 Give sid's name and type for specified SID
652
653 LOOKUP DSGETDCNAME [NAME] [FLAGS] [SITENAME]
654 Give Domain Controller information for specified domain NAME
655
656 CACHE
657 Samba uses a general caching interface called 'gencache'. It can be
658 controlled using 'NET CACHE'.
659
660 All the timeout parameters support the suffixes:
661 s - Seconds
662 m - Minutes
663 h - Hours
664 d - Days
665 w - Weeks
666
667 CACHE ADD key data time-out
668 Add specified key+data to the cache with the given timeout.
669
670 CACHE DEL key
671 Delete key from the cache.
672
673 CACHE SET key data time-out
674 Update data of existing cache entry.
675
676 CACHE SEARCH PATTERN
677 Search for the specified pattern in the cache data.
678
679 CACHE LIST
680 List all current items in the cache.
681
682 CACHE FLUSH
683 Remove all the current items from the cache.
684
685 GETLOCALSID [DOMAIN]
686 Prints the SID of the specified domain, or if the parameter is omitted,
687 the SID of the local server.
688
689 SETLOCALSID S-1-5-21-x-y-z
690 Sets SID for the local server to the specified SID.
691
692 GETDOMAINSID
693 Prints the local machine SID and the SID of the current domain.
694
695 SETDOMAINSID
696 Sets the SID of the current domain.
697
698 GROUPMAP
699 Manage the mappings between Windows group SIDs and UNIX groups. Common
700 options include:
701
702 • unixgroup - Name of the UNIX group
703
704 • ntgroup - Name of the Windows NT group (must be resolvable
705 to a SID)
706
707 • rid - Unsigned 32-bit integer
708
709 • sid - Full SID in the form of "S-1-..."
710
711 • type - Type of the group; either 'domain', 'local', or
712 'builtin'
713
714 • comment - Freeform text description of the group
715
716
717 GROUPMAP ADD
718 Add a new group mapping entry:
719
720 net groupmap add {rid=int|sid=string} unixgroup=string \
721 [type={domain|local}] [ntgroup=string] [comment=string]
722
723
724
725 GROUPMAP DELETE
726 Delete a group mapping entry. If more than one group name matches, the
727 first entry found is deleted.
728
729 net groupmap delete {ntgroup=string|sid=SID}
730
731 GROUPMAP MODIFY
732 Update an existing group entry.
733
734 net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] \
735 [comment=string] [type={domain|local}]
736
737
738
739 GROUPMAP LIST
740 List existing group mapping entries.
741
742 net groupmap list [verbose] [ntgroup=string] [sid=SID]
743
744 MAXRID
745 Prints out the highest RID currently in use on the local server (by the
746 active 'passdb backend').
747
748 RPC INFO
749 Print information about the domain of the remote server, such as domain
750 name, domain sid and number of users and groups.
751
752 [RPC|ADS] TESTJOIN
753 Check whether participation in a domain is still valid.
754
755 [RPC|ADS] CHANGETRUSTPW
756 Force change of domain trust password.
757
758 RPC TRUSTDOM
759 RPC TRUSTDOM ADD DOMAIN
760 Add an interdomain trust account for DOMAIN. This is in fact a Samba
761 account named DOMAIN$ with the account flag 'I' (interdomain trust
762 account). This is required for incoming trusts to work. It makes Samba
763 be a trusted domain of the foreign (trusting) domain. Users of the
764 Samba domain will be made available in the foreign domain. If the
765 command is used against localhost it has the same effect as smbpasswd
766 -a -i DOMAIN. Please note that both commands expect an appropriate UNIX
767 account.
768
769 RPC TRUSTDOM DEL DOMAIN
770 Remove interdomain trust account for DOMAIN. If it is used against
771 localhost it has the same effect as smbpasswd -x DOMAIN$.
772
773 RPC TRUSTDOM ESTABLISH DOMAIN
774 Establish a trust relationship to a trusted domain. Interdomain account
775 must already be created on the remote PDC. This is required for
776 outgoing trusts to work. It makes Samba be a trusting domain of a
777 foreign (trusted) domain. Users of the foreign domain will be made
778 available in our domain. You'll need winbind and a working idmap config
779 to make them appear in your system.
780
781 RPC TRUSTDOM REVOKE DOMAIN
782 Abandon relationship to trusted domain
783
784 RPC TRUSTDOM LIST
785 List all interdomain trust relationships.
786
787 RPC TRUST
788 RPC TRUST CREATE
789 Create a trust object by calling lsaCreateTrustedDomainEx2. This can be
790 done on a single server or on two servers at once, with the possibility
791 to use a random trust password.
792
793 Options:
794
795 otherserver
796 Domain controller of the second domain
797
798 otheruser
799 Admin user in the second domain
800
801 otherdomainsid
802 SID of the second domain
803
804 other_netbios_domain
805 NetBIOS (short) name of the second domain
806
807 otherdomain
808 DNS (full) name of the second domain
809
810 trustpw
811 Trust password
812
813 Examples:
814
815 Create a trust object on srv1.dom1.dom for the domain dom2
816
817 net rpc trust create \
818 otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
819 other_netbios_domain=dom2 \
820 otherdomain=dom2.dom \
821 trustpw=12345678 \
822 -S srv1.dom1.dom
823
824 Create a trust relationship between dom1 and dom2
825
826 net rpc trust create \
827 otherserver=srv2.dom2.test \
828 otheruser=dom2adm \
829 -S srv1.dom1.dom
830
831 RPC TRUST DELETE
832 Delete a trust object by calling lsaDeleteTrustedDomain. This can be
833 done on a single server or on two servers at once.
834
835 Options:
836
837 otherserver
838 Domain controller of the second domain
839
840 otheruser
841 Admin user in the second domain
842
843 otherdomainsid
844 SID of the second domain
845
846 Examples:
847
848 Delete a trust object on srv1.dom1.dom for the domain dom2
849
850 net rpc trust delete \
851 otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
852 -S srv1.dom1.dom
853
854 Delete a trust relationship between dom1 and dom2
855
856 net rpc trust delete \
857 otherserver=srv2.dom2.test \
858 otheruser=dom2adm \
859 -S srv1.dom1.dom
860
861
862 RPC RIGHTS
863 This subcommand is used to view and manage Samba's rights assignments
864 (also referred to as privileges). There are three options currently
865 available: list, grant, and revoke. More details on Samba's privilege
866 model and its use can be found in the Samba-HOWTO-Collection.
867
868 RPC ABORTSHUTDOWN
869 Abort the shutdown of a remote server.
870
871 RPC SHUTDOWN [-t timeout] [-r] [-f] [-C message]
872 Shut down the remote server.
873
874 -r
875 Reboot after shutdown.
876
877 -f
878 Force shutting down all applications.
879
880 -t timeout
881 Timeout before system will be shut down. An interactive user of the
882 system can use this time to cancel the shutdown.
883
884 -C message
885 Display the specified message on the screen to announce the
886 shutdown.
887
888 RPC SAMDUMP
889 Print out sam database of remote server. You need to run this against
890 the PDC, from a Samba machine joined as a BDC.
891
892 RPC VAMPIRE
893 Export users, aliases and groups from remote server to local server.
894 You need to run this against the PDC, from a Samba machine joined as a
895 BDC. This vampire command cannot be used against an Active Directory,
896 only against an NT4 Domain Controller.
897
898 RPC VAMPIRE KEYTAB
899 Dump remote SAM database to local Kerberos keytab file.
900
901 RPC VAMPIRE LDIF
902 Dump remote SAM database to local LDIF file or standard output.
903
904 RPC GETSID
905 Fetch domain SID and store it in the local secrets.tdb.
906
907 ADS GPO
908 ADS GPO APPLY <USERNAME|MACHINENAME>
909 Apply GPOs for a username or machine name. Either username or machine
910 name should be provided to the command, not both.
911
912 ADS GPO GETGPO [GPO]
913 List specified GPO.
914
915 ADS GPO LINKADD [LINKDN] [GPODN]
916 Link a container to a GPO. LINKDN is the container to link to a GPO;
917 GPODN is the GPO to link the container to. DNs must be provided
918 properly escaped. See RFC 4514 for details.
919
920 ADS GPO LINKGET [CONTAINER]
921 Lists gPLink of a container.
922
923 ADS GPO LIST <USERNAME|MACHINENAME>
924 Lists all GPOs for a username or machine name. Either username or
925 machine name should be provided to the command, not both.
926
927 ADS GPO LISTALL
928 Lists all GPOs on a DC.
929
930 ADS GPO REFRESH [USERNAME] [MACHINENAME]
931 Lists all GPOs assigned to an account and downloads them. USERNAME is
932 the user to refresh GPOs for; MACHINENAME is the machine to refresh
933 GPOs for.
933
934 ADS DNS
935 ADS DNS REGISTER [HOSTNAME [IP [IP.....]]]
936 Add host dns entry to Active Directory.
937
938 ADS DNS UNREGISTER <HOSTNAME>
939 Remove host dns entry from Active Directory.
940
941 ADS LEAVE [--keep-account]
942 Make the remote host leave the domain it is part of.
943
944 ADS STATUS
Print out the status of the machine account of the local machine in ADS.
Prints out a lot of debug info. It is aimed at developers; regular users
should use NET ADS TESTJOIN.
948
949 ADS PRINTER
950 ADS PRINTER INFO [PRINTER] [SERVER]
Look up info for PRINTER on SERVER. The printer name defaults to "*",
the server name defaults to the local host.
953
954 ADS PRINTER PUBLISH PRINTER
955 Publish specified printer using ADS.
956
957 ADS PRINTER REMOVE PRINTER
958 Remove specified printer from ADS directory.
959
960 ADS SEARCH EXPRESSION ATTRIBUTES...
Perform a raw LDAP search on an ADS server and dump the results. The
expression is a standard LDAP search expression, and the attributes are
a list of LDAP fields to show in the results.
964
965 Example: net ads search '(objectCategory=group)' sAMAccountName
966
967 ADS DN DN (attributes)
Perform a raw LDAP search on an ADS server and dump the results. The DN
is a standard LDAP DN, and the attributes are a list of LDAP fields to
show in the result.
971
972 Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain'
973 SAMAccountName
974
975 ADS KEYTAB CREATE
Creates a new keytab file with default entries if one doesn't exist.
977 Default entries are kerberos principals created from the machinename of
978 the client, the UPN (if it exists) and any Windows SPN(s) associated
979 with the computer AD account for the client. If a keytab file already
980 exists then only missing kerberos principals from the default entries
981 are added. No changes are made to the computer AD account.
982
ADS KEYTAB ADD (principal | machine | serviceclass | windows SPN)
Adds a new keytab entry; the entry can be one of:

kerberos principal
A kerberos principal (identified by the presence of '@') is just
added to the keytab file.

machinename
A machinename (identified by the trailing '$') is used to create a
kerberos principal 'machinename@realm' which is added to the
keytab file.

serviceclass
A serviceclass (such as 'cifs', 'html' etc.) is used to create a
pair of kerberos principals
'serviceclass/fully_qualified_dns_name@realm' &
'serviceclass/netbios_name@realm' which are added to the keytab
file.

Windows SPN
A Windows SPN is of the format 'serviceclass/host:port'; it is used
to create a kerberos principal 'serviceclass/host@realm' which will
be written to the keytab file.

Unlike old versions, no computer AD objects are modified by this
command. To preserve the behaviour of older clients, 'net ads keytab
add_update_ads' is available.
1010
ADS KEYTAB ADD_UPDATE_ADS (principal | machine | serviceclass | windows SPN)
Adds a new keytab entry (see the section for net ads keytab add). In
addition to adding entries to the keytab file, corresponding Windows
SPNs are created from the entry passed to this command. These SPN(s)
are added to the AD computer account object associated with the client
machine running this command for the following entry types:

serviceclass
A serviceclass (such as 'cifs', 'html' etc.) is used to create a
pair of Windows SPN(s) 'serviceclass/fully_qualified_dns_name' &
'serviceclass/netbios_name' which are added to the AD computer
account object for this client.

Windows SPN
A Windows SPN is of the format 'serviceclass/host:port'; it is
added as passed to the AD computer account object for this client.
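
As an added example (not Samba's own code), the following Python expands each of the four entry kinds accepted by 'net ads keytab add' into the Kerberos principals written to the keytab, and shows which of them 'add_update_ads' additionally records as SPNs on the computer account. The realm, DNS name and NetBIOS name are constructed sample values.

```python
"""Expand the entry kinds accepted by 'net ads keytab add' and
'net ads keytab add_update_ads' into the principals and SPNs they produce.

Added example, not Samba code: the rules are the ones the man page states;
REALM, DNS_NAME and NETBIOS_NAME are constructed sample values.
"""

REALM = "EXAMPLE.COM"                 # assumed Kerberos realm of the client
DNS_NAME = "fileserver.example.com"   # assumed fully qualified DNS name
NETBIOS_NAME = "FILESERVER"           # assumed NetBIOS name


def classify(entry):
    """Entry kind, distinguished the way the man page does.

    A full principal is recognised by '@' before anything else, so
    'cifs/host@REALM' is a principal even though it also contains '/'.
    """
    if "@" in entry:
        return "principal"
    if entry.endswith("$"):
        return "machine"
    if "/" in entry:
        return "spn"
    return "serviceclass"


def keytab_principals(entry, realm=REALM, dns_name=DNS_NAME,
                      netbios_name=NETBIOS_NAME):
    """Principals that 'net ads keytab add ENTRY' writes to the keytab."""
    kind = classify(entry)
    if kind == "principal":
        return [entry]                      # added as given
    if kind == "machine":
        return ["%s@%s" % (entry, realm)]   # e.g. 'FILESERVER$@EXAMPLE.COM'
    if kind == "serviceclass":
        return ["%s/%s@%s" % (entry, dns_name, realm),
                "%s/%s@%s" % (entry, netbios_name, realm)]
    # Windows SPN 'serviceclass/host:port': the port is dropped because the
    # resulting Kerberos principal 'serviceclass/host@realm' has no port.
    service, host = entry.split("/", 1)
    host = host.split(":", 1)[0]
    return ["%s/%s@%s" % (service, host, realm)]


def windows_spns(entry, dns_name=DNS_NAME, netbios_name=NETBIOS_NAME):
    """SPNs that 'add_update_ads' additionally adds to the computer object.

    Only serviceclass and Windows SPN entries touch the AD account; a bare
    principal or machine name produces keytab entries only.
    """
    kind = classify(entry)
    if kind == "serviceclass":
        return ["%s/%s" % (entry, dns_name), "%s/%s" % (entry, netbios_name)]
    if kind == "spn":
        return [entry]                      # stored exactly as passed, port kept
    return []


if __name__ == "__main__":
    for entry in ("FILESERVER$", "cifs", "http/web.example.com:8080",
                  "nfs/fileserver.example.com@EXAMPLE.COM"):
        print(entry, "->", keytab_principals(entry), windows_spns(entry))
```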
1027
ADS SETSPN LIST [machine]
Lists the Windows SPNs stored in the 'machine' Windows AD Computer
object. If 'machine' is not specified then the computer account for this
client is used instead.
1032
ADS SETSPN ADD SPN [machine]
Adds the specified Windows SPN to the 'machine' Windows AD Computer
object. If 'machine' is not specified then the computer account for this
client is used instead.
1037
ADS SETSPN DELETE SPN [machine]
Deletes the specified Windows SPN from the 'machine' Windows AD Computer
object. If 'machine' is not specified then the computer account for this
client is used instead.
1042
1043 ADS WORKGROUP
1044 Print out workgroup name for specified kerberos realm.
1045
1046 ADS ENCTYPES
1047 List, modify or delete the value of the "msDS-SupportedEncryptionTypes"
1048 attribute of an account in AD.
1049
1050 This attribute allows one to control which Kerberos encryption types
1051 are used for the generation of initial and service tickets. The value
1052 consists of an integer bitmask with the following values:
1053
1054 0x00000001 DES-CBC-CRC
1055
1056 0x00000002 DES-CBC-MD5
1057
1058 0x00000004 RC4-HMAC
1059
1060 0x00000008 AES128-CTS-HMAC-SHA1-96
1061
1062 0x00000010 AES256-CTS-HMAC-SHA1-96
1063
1064 ADS ENCTYPES LIST <ACCOUNTNAME>
1065 List the value of the "msDS-SupportedEncryptionTypes" attribute of a
1066 given account.
1067
1068 Example: net ads enctypes list Computername
1069
1070 ADS ENCTYPES SET <ACCOUNTNAME> [enctypes]
1071 Set the value of the "msDS-SupportedEncryptionTypes" attribute of the
1072 LDAP object of ACCOUNTNAME to a given value. If the value is omitted,
1073 the value is set to 31 which enables all the currently supported
1074 encryption types.
1075
1076 Example: net ads enctypes set Computername 24
1077
1078 ADS ENCTYPES DELETE <ACCOUNTNAME>
1079 Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP
1080 object of ACCOUNTNAME.
1081
Example: net ads enctypes delete Computername
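
As an added example (not Samba code), the following Python encodes and decodes the "msDS-SupportedEncryptionTypes" bitmask using the bit values listed above, so the number shown by 'net ads enctypes list' or passed to 'net ads enctypes set' can be read or built; treating DES and RC4 as weak is the editor's own annotation.

```python
"""Encode, decode and audit the msDS-SupportedEncryptionTypes bitmask that
'net ads enctypes list' prints and 'net ads enctypes set' stores.

Added example, not Samba code. The bit values are the ones the man page
lists; classing DES and RC4 as 'weak' is the editor's defender-side
annotation, not something net reports.
"""

ENCTYPES = [
    (0x00000001, "DES-CBC-CRC"),
    (0x00000002, "DES-CBC-MD5"),
    (0x00000004, "RC4-HMAC"),
    (0x00000008, "AES128-CTS-HMAC-SHA1-96"),
    (0x00000010, "AES256-CTS-HMAC-SHA1-96"),
]
KNOWN_MASK = sum(bit for bit, _ in ENCTYPES)    # 0x1f == 31
ALL_SUPPORTED = 31                # what 'set' stores when the value is omitted
WEAK_MASK = 0x01 | 0x02 | 0x04    # DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC (assumption)


def decode(value):
    """Names of the enctypes enabled in a bitmask, in bit order.

    Bits the man page does not define are reported as one 'unknown:0x..'
    entry rather than silently dropped.
    """
    names = [name for bit, name in ENCTYPES if value & bit]
    unknown = value & ~KNOWN_MASK
    if unknown:
        names.append("unknown:0x%08x" % unknown)
    return names


def encode(names):
    """Bitmask for a list of enctype names, i.e. the number given to 'set'."""
    lookup = {name: bit for bit, name in ENCTYPES}
    value = 0
    for name in names:
        if name not in lookup:
            raise ValueError("unknown enctype %r" % name)
        value |= lookup[name]
    return value


def audit(value):
    """Split an account's enabled enctypes into (weak, strong) lists so an
    administrator can see whether DES or RC4 tickets are still allowed."""
    weak = [n for b, n in ENCTYPES if value & b and b & WEAK_MASK]
    strong = [n for b, n in ENCTYPES if value & b and not b & WEAK_MASK]
    return weak, strong


def aes_only():
    """The value to pass to 'net ads enctypes set' for an AES-only account."""
    return encode(["AES128-CTS-HMAC-SHA1-96", "AES256-CTS-HMAC-SHA1-96"])


if __name__ == "__main__":
    for value in (ALL_SUPPORTED, aes_only(), 0x30):
        print(value, decode(value), "weak:", audit(value)[0])
```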
1083
1084 SAM CREATEBUILTINGROUP <NAME>
(Re)Create a BUILTIN group. Only a well-known set of BUILTIN groups can
1086 be created with this command. This is the list of currently recognized
1087 group names: Administrators, Users, Guests, Power Users, Account
1088 Operators, Server Operators, Print Operators, Backup Operators,
1089 Replicator, RAS Servers, Pre-Windows 2000 compatible Access. This
1090 command requires a running Winbindd with idmap allocation properly
1091 configured. The group gid will be allocated out of the winbindd range.
1092
1093 SAM CREATELOCALGROUP <NAME>
1094 Create a LOCAL group (also known as Alias). This command requires a
1095 running Winbindd with idmap allocation properly configured. The group
1096 gid will be allocated out of the winbindd range.
1097
1098 SAM DELETELOCALGROUP <NAME>
1099 Delete an existing LOCAL group (also known as Alias).
1100
1101 SAM MAPUNIXGROUP <NAME>
Map an existing Unix group and make it a Domain Group; the domain group
will have the same name.
1104
1105 SAM UNMAPUNIXGROUP <NAME>
1106 Remove an existing group mapping entry.
1107
1108 SAM ADDMEM <GROUP> <MEMBER>
1109 Add a member to a Local group. The group can be specified only by name,
1110 the member can be specified by name or SID.
1111
1112 SAM DELMEM <GROUP> <MEMBER>
1113 Remove a member from a Local group. The group and the member must be
1114 specified by name.
1115
1116 SAM LISTMEM <GROUP>
1117 List Local group members. The group must be specified by name.
1118
1119 SAM LIST <users|groups|localgroups|builtin|workstations> [verbose]
List the specified set of accounts by name. If verbose is specified,
the rid and description are also provided for each account.
1122
1123 SAM RIGHTS LIST
1124 List all available privileges.
1125
1126 SAM RIGHTS GRANT <NAME> <PRIVILEGE>
1127 Grant one or more privileges to a user.
1128
1129 SAM RIGHTS REVOKE <NAME> <PRIVILEGE>
1130 Revoke one or more privileges from a user.
1131
1132 SAM SHOW <NAME>
Show the full DOMAIN\\NAME, the SID and the type for the corresponding
account.
1135
1136 SAM SET HOMEDIR <NAME> <DIRECTORY>
1137 Set the home directory for a user account.
1138
1139 SAM SET PROFILEPATH <NAME> <PATH>
1140 Set the profile path for a user account.
1141
1142 SAM SET COMMENT <NAME> <COMMENT>
1143 Set the comment for a user or group account.
1144
1145 SAM SET FULLNAME <NAME> <FULL NAME>
1146 Set the full name for a user account.
1147
1148 SAM SET LOGONSCRIPT <NAME> <SCRIPT>
1149 Set the logon script for a user account.
1150
1151 SAM SET HOMEDRIVE <NAME> <DRIVE>
1152 Set the home drive for a user account.
1153
1154 SAM SET WORKSTATIONS <NAME> <WORKSTATIONS>
1155 Set the workstations a user account is allowed to log in from.
1156
1157 SAM SET DISABLE <NAME>
1158 Set the "disabled" flag for a user account.
1159
1160 SAM SET PWNOTREQ <NAME>
1161 Set the "password not required" flag for a user account.
1162
1163 SAM SET AUTOLOCK <NAME>
1164 Set the "autolock" flag for a user account.
1165
1166 SAM SET PWNOEXP <NAME>
1167 Set the "password do not expire" flag for a user account.
1168
1169 SAM SET PWDMUSTCHANGENOW <NAME> [yes|no]
1170 Set or unset the "password must change" flag for a user account.
1171
1172 SAM POLICY LIST
1173 List the available account policies.
1174
1175 SAM POLICY SHOW <account policy>
1176 Show the account policy value.
1177
1178 SAM POLICY SET <account policy> <value>
1179 Set a value for the account policy. Valid values can be: "forever",
1180 "never", "off", or a number.
1181
1182 SAM PROVISION
Only available if ldapsam:editposix is set and winbindd is running.
Populates the ldap tree with the basic accounts (Administrator) and
groups (Domain Users, Domain Admins, Domain Guests).
1187
1188 IDMAP DUMP <local tdb file name>
1189 Dumps the mappings contained in the local tdb file specified. This
1190 command is useful to dump only the mappings produced by the idmap_tdb
1191 backend.
1192
1193 IDMAP RESTORE [input file]
1194 Restore the mappings from the specified file or stdin.
1195
1196 IDMAP SET SECRET <DOMAIN> <secret>
1197 Store a secret for the specified domain, used primarily for domains
1198 that use idmap_ldap as a backend. In this case the secret is used as
1199 the password for the user DN used to bind to the ldap server.
1200
1201 IDMAP SET RANGE <RANGE> <SID> [index] [--db=<DB>]
1202 Store a domain-range mapping for a given domain (and index) in autorid
1203 database.
1204
1205 IDMAP SET CONFIG <config> [--db=<DB>]
1206 Update CONFIG entry in autorid database.
1207
1208 IDMAP GET RANGE <SID> [index] [--db=<DB>]
1209 Get the range for a given domain and index from autorid database.
1210
1211 IDMAP GET RANGES [<SID>] [--db=<DB>]
1212 Get ranges for all domains or for one identified by given SID.
1213
1214 IDMAP GET CONFIG [--db=<DB>]
1215 Get CONFIG entry from autorid database.
1216
1217 IDMAP DELETE MAPPING [-f] [--db=<DB>] <ID>
1218 Delete a mapping sid <-> gid or sid <-> uid from the IDMAP database.
The mapping is given by <ID> which may either be a sid: S-x-..., a gid:
"GID number" or a uid: "UID number". Use -f to delete an invalid
partial mapping <ID> -> xx.
1222
1223 Use "smbcontrol all idmap ..." to notify running smbd instances. See
1224 the smbcontrol(1) manpage for details.
1225
1226 IDMAP DELETE RANGE [-f] [--db=<TDB>] <RANGE>|(<SID> [<INDEX>])
1227 Delete a domain range mapping identified by 'RANGE' or "domain SID and
1228 INDEX" from autorid database. Use -f to delete invalid mappings.
1229
1230 IDMAP DELETE RANGES [-f] [--db=<TDB>] <SID>
1231 Delete all domain range mappings for a domain identified by SID. Use -f
1232 to delete invalid mappings.
1233
1234 IDMAP CHECK [-v] [-r] [-a] [-T] [-f] [-l] [--db=<DB>]
1235 Check and repair the IDMAP database. If no option is given a read only
1236 check of the database is done. Among others an interactive or automatic
1237 repair mode may be chosen with one of the following options:
1238
1239 -r|--repair
1240 Interactive repair mode, ask a lot of questions.
1241
1242 -a|--auto
1243 Noninteractive repair mode, use default answers.
1244
1245 -v|--verbose
1246 Produce more output.
1247
1248 -f|--force
1249 Try to apply changes, even if they do not apply cleanly.
1250
1251 -T|--test
1252 Dry run, show what changes would be made but don't touch anything.
1253
1254 -l|--lock
1255 Lock the database while doing the check.
1256
1257 --db <DB>
1258 Check the specified database.
1259
It reports the following kinds of error:
1261
1262 Missing reverse mapping:
1263 A record with mapping A->B where there is no B->A. Default action
1264 in repair mode is to "fix" this by adding the reverse mapping.
1265
1266 Invalid mapping:
1267 A record with mapping A->B where B->C. Default action is to
1268 "delete" this record.
1269
1270 Missing or invalid HWM:
1271 A high water mark is not at least equal to the largest ID in the
1272 database. Default action is to "fix" this by setting it to the
1273 largest ID found +1.
1274
1275 Invalid record:
1276 Something we failed to parse. Default action is to "edit" it in
1277 interactive and "delete" it in automatic mode.
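
As an added example (not Samba's idmap check code), the following Python runs the four checks above, read-only, over a constructed in-memory model of the mapping records, reporting each finding together with the default repair action the text describes.

```python
"""Read-only model of what 'net idmap check' looks for: missing reverse
mappings, invalid mappings, a bad high water mark and unparsable records.

Added example, not Samba's idmap check code. The database is a constructed
in-memory dict modelled on the idmap_tdb key/value shape (SID <-> 'UID n' or
'GID n', plus integer 'USER HWM' / 'GROUP HWM' records); the real tdb
encoding is not reproduced.
"""
import re

SID_RE = re.compile(r"^S-\d+(?:-\d+)+$")
ID_RE = re.compile(r"^(UID|GID) (\d+)$")
HWM_KEYS = {"USER HWM": "UID", "GROUP HWM": "GID"}


def check(db):
    """Return a list of (error, record key, default action) tuples."""
    findings = []
    largest = {"UID": None, "GID": None}
    for key, value in sorted(db.items()):
        if key in HWM_KEYS:
            continue                      # high water marks are checked last
        if SID_RE.match(str(key)) and ID_RE.match(str(value)):
            id_side = value
        elif ID_RE.match(str(key)) and SID_RE.match(str(value)):
            id_side = key
        else:
            # Invalid record: something we failed to parse.
            findings.append(("invalid record", key, "edit/delete"))
            continue
        kind, num = ID_RE.match(id_side).groups()
        num = int(num)
        if largest[kind] is None or num > largest[kind]:
            largest[kind] = num
        reverse = db.get(value)
        if reverse is None:
            # A->B with no B->A record.
            findings.append(("missing reverse mapping", key,
                             "fix: add %s -> %s" % (value, key)))
        elif reverse != key:
            # A->B but B->C: this record contradicts B's own mapping.
            findings.append(("invalid mapping", key, "delete"))
    for hwm_key, kind in HWM_KEYS.items():
        if largest[kind] is None:
            continue                      # no IDs of this kind to compare with
        hwm = db.get(hwm_key)
        if hwm is None or (isinstance(hwm, int) and hwm < largest[kind]):
            # HWM must be at least the largest ID; repair sets largest + 1.
            findings.append(("missing or invalid HWM", hwm_key,
                             "fix: set to %d" % (largest[kind] + 1)))
        elif not isinstance(hwm, int):
            findings.append(("invalid record", hwm_key, "edit/delete"))
    return findings


# Constructed sample database exercising every error class.
SAMPLE_DB = {
    "S-1-5-21-1111-2222-3333-1001": "UID 10001",
    "UID 10001": "S-1-5-21-1111-2222-3333-1001",   # consistent pair
    "S-1-5-21-1111-2222-3333-1002": "UID 10002",   # no reverse record
    "S-1-5-21-1111-2222-3333-513": "GID 10000",
    "GID 10000": "S-1-5-21-1111-2222-3333-514",    # A->B but B->C
    "S-1-5-21-1111-2222-3333-514": "GID 10000",
    "garbage": "UID x",                            # unparsable record
    "USER HWM": 10001,                             # below largest UID 10002
    "GROUP HWM": 10001,
}

if __name__ == "__main__":
    for error, key, action in check(SAMPLE_DB):
        print("%-25s %-32s %s" % (error, key, action))
```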
1278
1279 USERSHARE
1280 Starting with version 3.0.23, a Samba server now supports the ability
1281 for non-root users to add user defined shares to be exported using the
1282 "net usershare" commands.
1283
To set this up, first set up your /etc/samba/smb.conf by adding to the
[global] section: usershare path = /usr/local/samba/lib/usershares. Next
create the directory /usr/local/samba/lib/usershares, change the owner
to root and set the group owner to the UNIX group who should have the
ability to create usershares, for example a group called "serverops".
Set the permissions on /usr/local/samba/lib/usershares to 01770 (owner
and group all access, no access for others, plus the sticky bit, which
means that a file in that directory can be renamed or deleted only by
the owner of the file). Finally, tell smbd how many usershares you will
allow by adding to the [global] section of /etc/samba/smb.conf a line
such as: usershare max shares = 100, to allow 100 usershare
definitions. Now, members of the UNIX group "serverops" can create user
defined shares on demand using the commands below.
1297
1298 The usershare commands are:
1299 net usershare add sharename path [comment [acl] [guest_ok=[y|n]]] -
1300 to add or change a user defined share.
1301 net usershare delete sharename - to delete a user defined share.
1302 net usershare info [--long] [wildcard sharename] - to print info
1303 about a user defined share.
1304 net usershare list [--long] [wildcard sharename] - to list user
1305 defined shares.
1306
1307 USERSHARE ADD sharename path [comment] [acl] [guest_ok=[y|n]]
Add or replace a user defined share with name "sharename".
1309
1310 "path" specifies the absolute pathname on the system to be exported.
1311 Restrictions may be put on this, see the global /etc/samba/smb.conf
1312 parameters: "usershare owner only", "usershare prefix allow list", and
1313 "usershare prefix deny list".
1314
1315 The optional "comment" parameter is the comment that will appear on the
1316 share when browsed to by a client.
1317
1318 The optional "acl" field specifies which users have read and write
1319 access to the entire share. Note that guest connections are not allowed
1320 unless the /etc/samba/smb.conf parameter "usershare allow guests" has
1321 been set. The definition of a user defined share acl is:
1322 "user:permission", where user is a valid username on the system and
1323 permission can be "F", "R", or "D". "F" stands for "full permissions",
i.e. read and write permissions. "D" stands for "deny" for a user, i.e.
prevent this user from accessing this share. "R" stands for "read
only", i.e. only allow read access to this share (no creation of new
1327 files or directories or writing to files).
1328
1329 The default if no "acl" is given is "Everyone:R", which means any
1330 authenticated user has read-only access.
1331
1332 The optional "guest_ok" has the same effect as the parameter of the
1333 same name in /etc/samba/smb.conf, in that it allows guest access to
1334 this user defined share. This parameter is only allowed if the global
1335 parameter "usershare allow guests" has been set to true in the
1336 /etc/samba/smb.conf.
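
As an added example (not Samba's usershare code), the following Python validates the "acl" and "guest_ok" arguments as defined above and renders the settings block in the form 'net usershare info' prints; it assumes that several user:permission entries are comma separated and that a boolean stands in for the global "usershare allow guests" parameter.

```python
"""Validate the 'acl' and 'guest_ok' arguments of 'net usershare add' and
render the share the way 'net usershare info' lists it.

Added example, not Samba's usershare code. Assumptions: multiple
user:permission entries are separated by commas (the page shows a single
entry only); 'allow_guests' stands in for the global smb.conf parameter
"usershare allow guests"; the known user list is a constructed sample.
"""

PERMISSIONS = {"F": "full (read and write)", "R": "read only", "D": "deny"}
DEFAULT_ACL = "Everyone:R"          # any authenticated user, read-only


def parse_acl(acl, known_users):
    """Return {user: permission}. Raises ValueError for anything that is not
    'user:permission' with a valid user and one of F, R or D."""
    parsed = {}
    for entry in (acl or DEFAULT_ACL).split(","):
        entry = entry.strip()
        if not entry:
            continue                     # tolerate a trailing comma
        if ":" not in entry:
            raise ValueError("acl entry %r is not user:permission" % entry)
        user, perm = entry.rsplit(":", 1)
        perm = perm.upper()
        if perm not in PERMISSIONS:
            raise ValueError("permission %r for %r must be F, R or D"
                             % (perm, user))
        if user != "Everyone" and user not in known_users:
            raise ValueError("%r is not a valid username on this system" % user)
        parsed[user] = perm
    return parsed


def parse_guest_ok(guest_ok, allow_guests):
    """Map guest_ok=y|n to a bool; guest access is refused unless the global
    "usershare allow guests" parameter is set."""
    flag = (guest_ok or "n").lower()
    if flag not in ("y", "n"):
        raise ValueError("guest_ok must be y or n, not %r" % guest_ok)
    if flag == "y" and not allow_guests:
        raise ValueError("guest_ok=y requires 'usershare allow guests = yes'")
    return flag == "y"


def info_lines(sharename, path, comment, acl_map, guest):
    """The settings block 'net usershare info' prints for one share."""
    acl_text = ",".join("%s:%s" % item for item in acl_map.items())
    return ["[%s]" % sharename,
            "path=%s" % path,
            "comment=%s" % comment,
            "usershare_acl=%s" % acl_text,
            "guest_ok=%s" % ("y" if guest else "n")]


def define_share(sharename, path, comment="", acl=None, guest_ok=None,
                 known_users=(), allow_guests=False):
    """Validate one 'net usershare add' invocation and return its info lines."""
    acl_map = parse_acl(acl, set(known_users))
    guest = parse_guest_ok(guest_ok, allow_guests)
    return info_lines(sharename, path, comment, acl_map, guest)


if __name__ == "__main__":
    # Constructed sample: user 'jeremy' exists, guests are not allowed.
    for line in define_share("foobar", "/home/jeremy", "testme",
                             "jeremy:F,Everyone:R", "n", ("jeremy",)):
        print(line)
```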
1337
1338
1339 There is no separate command to modify an existing user defined share,
1340 just use the "net usershare add [sharename]" command using the same
1341 sharename as the one you wish to modify and specify the new options you
1342 wish. The Samba smbd daemon notices user defined share modifications at
1343 connect time so will see the change immediately, there is no need to
1344 restart smbd on adding, deleting or changing a user defined share.
1345
1346 USERSHARE DELETE sharename
1347 Deletes the user defined share by name. The Samba smbd daemon
1348 immediately notices this change, although it will not disconnect any
1349 users currently connected to the deleted share.
1350
1351 USERSHARE INFO [--long] [wildcard sharename]
1352 Get info on user defined shares owned by the current user matching the
1353 given pattern, or all users.
1354
1355 net usershare info on its own dumps out info on the user defined shares
1356 that were created by the current user, or restricts them to share names
1357 that match the given wildcard pattern ('*' matches one or more
1358 characters, '?' matches only one character). If the '--long' option is
1359 also given, it prints out info on user defined shares created by other
1360 users.
1361
The information given about a share looks like:
[foobar]
path=/home/jeremy
comment=testme
usershare_acl=Everyone:F
guest_ok=n
and is a list of the current settings of the user defined share that
can be modified by the "net usershare add" command.
1366
USERSHARE LIST [--long] [wildcard sharename]
1368 List all the user defined shares owned by the current user matching the
1369 given pattern, or all users.
1370
net usershare list on its own lists out the names of the user defined
1372 shares that were created by the current user, or restricts the list to
1373 share names that match the given wildcard pattern ('*' matches one or
1374 more characters, '?' matches only one character). If the '--long'
1375 option is also given, it includes the names of user defined shares
1376 created by other users.
1377
1378 [RPC] CONF
1379 Starting with version 3.2.0, a Samba server can be configured by data
1380 stored in registry. This configuration data can be edited with the new
1381 "net conf" commands. There is also the possibility to configure a
1382 remote Samba server by enabling the RPC conf mode and specifying the
1383 address of the remote server.
1384
1385 The deployment of this configuration data can be activated in two
1386 levels from the /etc/samba/smb.conf file: Share definitions from
1387 registry are activated by setting registry shares to “yes” in the
1388 [global] section and global configuration options are activated by
1389 setting include = registry in the [global] section for a mixed
1390 configuration or by setting config backend = registry in the [global]
1391 section for a registry-only configuration. See the smb.conf(5) manpage
1392 for details.
1393
1394 The conf commands are:
1395 net [rpc] conf list - Dump the complete configuration in smb.conf
1396 like format.
1397 net [rpc] conf import - Import configuration from file in smb.conf
1398 format.
1399 net [rpc] conf listshares - List the registry shares.
1400 net [rpc] conf drop - Delete the complete configuration from
1401 registry.
1402 net [rpc] conf showshare - Show the definition of a registry share.
1403 net [rpc] conf addshare - Create a new registry share.
1404 net [rpc] conf delshare - Delete a registry share.
1405 net [rpc] conf setparm - Store a parameter.
1406 net [rpc] conf getparm - Retrieve the value of a parameter.
1407 net [rpc] conf delparm - Delete a parameter.
1408 net [rpc] conf getincludes - Show the includes of a share
1409 definition.
1410 net [rpc] conf setincludes - Set includes for a share.
1411 net [rpc] conf delincludes - Delete includes from a share
1412 definition.
1413
1414 [RPC] CONF LIST
1415 Print the configuration data stored in the registry in a smb.conf-like
1416 format to standard output.
1417
1418 [RPC] CONF IMPORT [--test|-T] filename [section]
1419 This command imports configuration from a file in smb.conf format. If a
section encountered in the input file is present in registry, its
contents are replaced. Sections of registry configuration that have no
1422 counterpart in the input file are not affected. If you want to delete
1423 these, you will have to use the "net conf drop" or "net conf delshare"
1424 commands. Optionally, a section may be specified to restrict the effect
1425 of the import command to that specific section. A test mode is enabled
1426 by specifying the parameter "-T" on the commandline. In test mode, no
1427 changes are made to the registry, and the resulting configuration is
1428 printed to standard output instead.
1429
1430 [RPC] CONF LISTSHARES
1431 List the names of the shares defined in registry.
1432
1433 [RPC] CONF DROP
1434 Delete the complete configuration data from registry.
1435
1436 [RPC] CONF SHOWSHARE sharename
1437 Show the definition of the share or section specified. It is valid to
1438 specify "global" as sharename to retrieve the global configuration
1439 options from registry.
1440
1441 [RPC] CONF ADDSHARE sharename path [writeable={y|N} [guest_ok={y|N}
1442 [comment]]]
1443 Create a new share definition in registry. The sharename and path have
1444 to be given. The share name may not be "global". Optionally, values for
1445 the very common options "writeable", "guest ok" and a "comment" may be
1446 specified. The same result may be obtained by a sequence of "net conf
1447 setparm" commands.
1448
1449 [RPC] CONF DELSHARE sharename
1450 Delete a share definition from registry.
1451
1452 [RPC] CONF SETPARM section parameter value
1453 Store a parameter in registry. The section may be global or a
1454 sharename. The section is created if it does not exist yet.
1455
1456 [RPC] CONF GETPARM section parameter
1457 Show a parameter stored in registry.
1458
1459 [RPC] CONF DELPARM section parameter
1460 Delete a parameter stored in registry.
1461
1462 [RPC] CONF GETINCLUDES section
1463 Get the list of includes for the provided section (global or share).
1464
1465 Note that due to the nature of the registry database and the nature of
1466 include directives, the includes need special treatment: Parameters are
1467 stored in registry by the parameter name as valuename, so there is only
1468 ever one instance of a parameter per share. Also, a specific order like
1469 in a text file is not guaranteed. For all real parameters, this is
1470 perfectly ok, but the include directive is rather a meta parameter, for
1471 which, in the smb.conf text file, the place where it is specified
between the other parameters is very important. This cannot be
1473 achieved by the simple registry smbconf data model, so there is one
1474 ordered list of includes per share, and this list is evaluated after
1475 all the parameters of the share.
1476
1477 Further note that currently, only files can be included from registry
1478 configuration. In the future, there will be the ability to include
1479 configuration data from other registry keys.
1480
1481 [RPC] CONF SETINCLUDES section [filename]+
1482 Set the list of includes for the provided section (global or share) to
1483 the given list of one or more filenames. The filenames may contain the
1484 usual smb.conf macros like %I.
1485
1486 [RPC] CONF DELINCLUDES section
1487 Delete the list of includes from the provided section (global or
1488 share).
1489
1490 REGISTRY
1491 Manipulate Samba's registry.
1492
1493 The registry commands are:
1494 net registry enumerate - Enumerate registry keys and values.
1495 net registry enumerate_recursive - Enumerate registry key and its
1496 subkeys.
1497 net registry createkey - Create a new registry key.
1498 net registry deletekey - Delete a registry key.
1499 net registry deletekey_recursive - Delete a registry key with
1500 subkeys.
1501 net registry getvalue - Print a registry value.
1502 net registry getvalueraw - Print a registry value (raw format).
1503 net registry setvalue - Set a new registry value.
1504 net registry increment - Increment a DWORD registry value under a
1505 lock.
1506 net registry deletevalue - Delete a registry value.
1507 net registry getsd - Get security descriptor.
net registry getsd_sddl - Get security descriptor in sddl format.
net registry setsd_sddl - Set security descriptor from sddl format
string.
1511 net registry import - Import a registration entries (.reg)
1512 file.
1513 net registry export - Export a registration entries (.reg)
1514 file.
1515 net registry convert - Convert a registration entries (.reg)
1516 file.
1517 net registry check - Check and repair a registry database.
1518
1519 REGISTRY ENUMERATE key
1520 Enumerate subkeys and values of key.
1521
1522 REGISTRY ENUMERATE_RECURSIVE key
1523 Enumerate values of key and its subkeys.
1524
1525 REGISTRY CREATEKEY key
1526 Create a new key if not yet existing.
1527
1528 REGISTRY DELETEKEY key
1529 Delete the given key and its values from the registry, if it has no
1530 subkeys.
1531
1532 REGISTRY DELETEKEY_RECURSIVE key
1533 Delete the given key and all of its subkeys and values from the
1534 registry.
1535
1536 REGISTRY GETVALUE key name
1537 Output type and actual value of the value name of the given key.
1538
1539 REGISTRY GETVALUERAW key name
1540 Output the actual value of the value name of the given key.
1541
1542 REGISTRY SETVALUE key name type value ...
1543 Set the value name of an existing key. type may be one of sz, multi_sz
1544 or dword. In case of multi_sz value may be given multiple times.
1545
1546 REGISTRY INCREMENT key name [inc]
1547 Increment the DWORD value name of key by inc while holding a g_lock.
1548 inc defaults to 1.
1549
1550 REGISTRY DELETEVALUE key name
1551 Delete the value name of the given key.
1552
1553 REGISTRY GETSD key
1554 Get the security descriptor of the given key.
1555
1556 REGISTRY GETSD_SDDL key
1557 Get the security descriptor of the given key as a Security Descriptor
1558 Definition Language (SDDL) string.
1559
REGISTRY SETSD_SDDL key sd
1561 Set the security descriptor of the given key from a Security Descriptor
1562 Definition Language (SDDL) string sd.
1563
1564 REGISTRY IMPORT file [--precheck <check-file>] [opt]
1565 Import a registration entries (.reg) file.
1566
1567 The following options are available:
1568
1569 --precheck check-file
1570 This is a mechanism to check the existence or non-existence of
1571 certain keys or values specified in a precheck file before applying
1572 the import file. The import file will only be applied if the
1573 precheck succeeds.
1574
1575 The check-file follows the normal registry file syntax with the
1576 following semantics:
1577
1578 • <value name>=<value> checks whether the value exists and
1579 has the given value.
1580
1581 • <value name>=- checks whether the value does not exist.
1582
1583 • [key] checks whether the key exists.
1584
1585 • [-key] checks whether the key does not exist.
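
As an added example (not Samba's implementation), the following Python evaluates a check-file with the four semantics above against a constructed in-memory registry, returning the failures that would stop the import; registry values are kept in their literal .reg right-hand form so the comparison needs no type decoding.

```python
"""Evaluate a 'net registry import --precheck' check-file against a registry,
implementing the four check semantics the man page lists.

Added example, not Samba's implementation. The registry is a constructed
in-memory dict {key path: {value name: value}}; values are kept in the
literal .reg right-hand form (e.g. "Samba" or dword:00000001) so that a
check is a plain string comparison and no .reg type decoding is needed.
"""


def parse_check_file(text):
    """Turn check-file text into ('key', path, must_exist) and
    ('value', path, name, expected) tuples; expected None means 'must not
    exist'. Comment lines (';') and the .reg header line are skipped."""
    checks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.startswith("-"):
                checks.append(("key", path[1:], False))   # [-key]
                current = None                  # no value lines under a [-key]
            else:
                checks.append(("key", path, True))        # [key]
                current = path
            continue
        if current is None:
            raise ValueError("value check outside a [key] section: %r" % raw)
        if "=" not in line:
            raise ValueError("cannot parse check line: %r" % raw)
        name, expected = line.split("=", 1)
        name = name.strip().strip('"')
        expected = expected.strip()
        # <value name>=- means the value must not exist.
        checks.append(("value", current, name,
                       None if expected == "-" else expected))
    return checks


def precheck(registry, text):
    """Return a list of failure messages; an empty list means every check
    passed and the import file may be applied."""
    failures = []
    for chk in parse_check_file(text):
        if chk[0] == "key":
            _, path, must_exist = chk
            if (path in registry) != must_exist:
                failures.append("key %s %s" % (
                    path, "is missing" if must_exist else "exists"))
        else:
            _, path, name, expected = chk
            actual = registry.get(path, {}).get(name)
            if expected is None:
                if actual is not None:                 # must not exist, but does
                    failures.append("value %s\\%s exists" % (path, name))
            elif actual != expected:                   # missing or different
                failures.append("value %s\\%s is %r, expected %r"
                                % (path, name, actual, expected))
    return failures


# Constructed sample registry and check-files (not real configuration).
SAMPLE_REGISTRY = {
    r"HKLM\Software\Samba\smbconf\global": {"server string": '"Samba"',
                                           "workgroup": '"EXAMPLE"'},
    r"HKLM\Software\Samba\smbconf\data": {"path": '"/srv/data"'},
}

PASSING_CHECK = r"""
[HKLM\Software\Samba\smbconf\global]
"server string"="Samba"
"map to guest"=-
[-HKLM\Software\Samba\smbconf\oldshare]
"""

FAILING_CHECK = r"""
[HKLM\Software\Samba\smbconf\data]
"path"="/srv/old"
"read only"=-
[HKLM\Software\Samba\smbconf\missing]
"""

if __name__ == "__main__":
    print("passing:", precheck(SAMPLE_REGISTRY, PASSING_CHECK))
    print("failing:", precheck(SAMPLE_REGISTRY, FAILING_CHECK))
```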
1586
1587
REGISTRY EXPORT key file [opt]
1589 Export a key to a registration entries (.reg) file.
1590
REGISTRY CONVERT in out [[inopt] outopt]
Convert the registration entries (.reg) file in and write the result to out.
1593
1594 REGISTRY CHECK [-ravTl] [-o <ODB>] [--wipe] [<DB>]
1595 Check and repair the registry database. If no option is given a read
1596 only check of the database is done. Among others an interactive or
automatic repair mode may be chosen with one of the following options:
1598
1599 -r|--repair
1600 Interactive repair mode, ask a lot of questions.
1601
1602 -a|--auto
1603 Noninteractive repair mode, use default answers.
1604
1605 -v|--verbose
1606 Produce more output.
1607
1608 -T|--test
1609 Dry run, show what changes would be made but don't touch anything.
1610
1611 -l|--lock
1612 Lock the database while doing the check.
1613
1614 --reg-version={1,2,3}
Specify the format of the registry database. If not given, it
defaults to the version compiled into the binary or, if a registry.tdb
is explicitly stated on the commandline, to the value found in its
INFO/version record.
1619
1620 [--db] <DB>
1621 Check the specified database.
1622
1623 -o|--output <ODB>
Create a new registry database <ODB> instead of modifying the
input. If <ODB> already exists, --wipe may be used to overwrite
it.
1627
1628 --wipe
1629 Replace the registry database instead of modifying the input or
1630 overwrite an existing output database.
1631
1632 EVENTLOG
1633 Starting with version 3.4.0 net can read, dump, import and export
1634 native win32 eventlog files (usually *.evt). evt files are used by the
1635 native Windows eventviewer tools.
1636
1637 The import and export of evt files can only succeed when eventlog list
1638 is used in /etc/samba/smb.conf file. See the smb.conf(5) manpage for
1639 details.
1640
1641 The eventlog commands are:
net eventlog dump - Dump an eventlog *.evt file on the screen.
net eventlog import - Import an eventlog *.evt into the samba
1644 internal tdb based representation of eventlogs.
1645 net eventlog export - Export the samba internal tdb based
1646 representation of eventlogs into an eventlog *.evt file.
1647
1648 EVENTLOG DUMP filename
Prints an eventlog *.evt file to standard output.
1650
1651 EVENTLOG IMPORT filename eventlog
Imports an eventlog *.evt file defined by filename into the samba
internal tdb representation of the eventlog defined by eventlog. eventlog
needs to be part of the eventlog list defined in /etc/samba/smb.conf. See
the smb.conf(5) manpage for details.
1656
1657 EVENTLOG EXPORT filename eventlog
Exports the samba internal tdb representation of the eventlog defined by
eventlog to an eventlog *.evt file defined by filename. eventlog needs
to be part of the eventlog list defined in /etc/samba/smb.conf. See the
smb.conf(5) manpage for details.
1662
1663 DOM
1664 Starting with version 3.2.0 Samba has support for remote join and
1665 unjoin APIs, both client and server-side. Windows supports remote join
1666 capabilities since Windows 2000.
1667
1668 In order for Samba to be joined or unjoined remotely an account must be
1669 used that is either member of the Domain Admins group, a member of the
1670 local Administrators group or a user that is granted the
1671 SeMachineAccountPrivilege privilege.
1672
1673 The client side support for remote join is implemented in the net dom
1674 commands which are:
1675 net dom join - Join a remote computer into a domain.
1676 net dom unjoin - Unjoin a remote computer from a domain.
1677 net dom renamecomputer - Renames a remote computer joined to a
1678 domain.
1679
1680 DOM JOIN domain=DOMAIN ou=OU account=ACCOUNT password=PASSWORD reboot
1681 Joins a computer into a domain. This command supports the following
1682 additional parameters:
1683
1684 • DOMAIN can be a NetBIOS domain name (also known as short
1685 domain name) or a DNS domain name for Active Directory
1686 Domains. As in Windows, it is also possible to control which
1687 Domain Controller to use. This can be achieved by appending
1688 the DC name using the \ separator character. Example:
1689 MYDOM\MYDC. The DOMAIN parameter cannot be NULL.
1690
• OU can be set to an RFC 1779 LDAP DN, like
1692 ou=mymachines,cn=Users,dc=example,dc=com in order to create
1693 the machine account in a non-default LDAP container. This
1694 optional parameter is only supported when joining Active
1695 Directory Domains.
1696
1697 • ACCOUNT defines a domain account that will be used to join
1698 the machine to the domain. This domain account needs to have
1699 sufficient privileges to join machines.
1700
1701 • PASSWORD defines the password for the domain account defined
1702 with ACCOUNT.
1703
1704 • REBOOT is an optional parameter that can be set to reboot
1705 the remote machine after successful join to the domain.
1706
1707
1708 Note that you also need to use standard net parameters to connect and
1709 authenticate to the remote machine that you want to join. These
1710 additional parameters include: -S computer and -U user.
1711
1712 Example: net dom join -S xp -U XP\\administrator%secret domain=MYDOM
1713 account=MYDOM\\administrator password=topsecret reboot.
1714
1715 This example would connect to a computer named XP as the local
1716 administrator using password secret, and join the computer into a
1717 domain called MYDOM using the MYDOM domain administrator account and
1718 password topsecret. After successful join, the computer would reboot.
1719
   DOM UNJOIN account=ACCOUNT password=PASSWORD reboot
       Unjoins a computer from a domain. This command supports the following
       additional parameters:

           •   ACCOUNT defines the domain account that will be used to
               unjoin the machine from the domain. This account needs
               sufficient privileges to remove machine accounts.

           •   PASSWORD defines the password for the domain account given
               as ACCOUNT.

           •   REBOOT is an optional parameter that causes the remote
               machine to be rebooted after a successful unjoin.

       Note that you also need the standard net parameters to connect and
       authenticate to the remote machine that you want to unjoin, typically
       -S computer and -U user (or -A file).

       Example: net dom unjoin -S xp -U XP\\administrator%secret
       account=MYDOM\\administrator password=topsecret reboot

       This example would connect to a computer named XP as the local
       administrator using password secret, and unjoin the computer from the
       domain using the MYDOM domain administrator account and password
       topsecret. After a successful unjoin, the computer would reboot.

   DOM RENAMECOMPUTER newname=NEWNAME account=ACCOUNT password=PASSWORD reboot
       Renames a computer that is joined to a domain. This command supports
       the following additional parameters:

           •   NEWNAME defines the new name of the machine in the domain.

           •   ACCOUNT defines the domain account that will be used to
               rename the machine in the domain. This account needs
               sufficient privileges to rename machine accounts.

           •   PASSWORD defines the password for the domain account given
               as ACCOUNT.

           •   REBOOT is an optional parameter that causes the remote
               machine to be rebooted after a successful rename.

       Note that you also need the standard net parameters to connect and
       authenticate to the remote machine that you want to rename in the
       domain, typically -S computer and -U user (or -A file).

       Example: net dom renamecomputer -S xp -U XP\\administrator%secret
       newname=XPNEW account=MYDOM\\administrator password=topsecret reboot

       This example would connect to a computer named XP as the local
       administrator using password secret, and rename the joined computer
       to XPNEW using the MYDOM domain administrator account and password
       topsecret. After a successful rename, the computer would reboot.
1775
   G_LOCK
       Manage global locks.

   G_LOCK DO lockname timeout command
       Execute a shell command under a global lock. This is useful to
       serialize shell commands that must not run concurrently, for example
       maintenance steps started from several cluster nodes. The locking
       information is stored in a file called g_lock.tdb. In setups with
       CTDB running, the locking information is available on all cluster
       nodes, so commands run under the same LOCKNAME are serialized across
       the whole cluster.

           •   LOCKNAME defines the name of the global lock.

           •   TIMEOUT defines how long to wait for the lock before giving
               up.

           •   COMMAND defines the shell command to execute. It is a single
               argument that is handed to a shell, so quote it as one word
               and do not assemble it from untrusted input.
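
       Running a command under a global lock, as an added shell example
       (not from the Samba man page or the Samba code base). Because net
       g_lock do takes COMMAND as one string that is executed by a shell,
       the helper builds that string from an ordinary argument list with
       every word single-quoted, so file names containing spaces, quotes or
       shell metacharacters cannot alter the command that runs. The lock
       name share-maint and the rsync paths are placeholders; TIMEOUT is
       passed through unchanged; NET may be overridden.

```sh
#!/bin/sh
# Added example (not Samba code): serialize a shell command under a
# "net g_lock" global lock, quoting each argument safely.
NET=${NET:-net}

# shell_quote_args WORD... -> prints the words as one shell-safe string,
# each single-quoted, with embedded single quotes escaped as '\''.
shell_quote_args() {
    sq_out=
    for sq_arg; do
        sq_q=$(printf '%s' "$sq_arg" | sed "s/'/'\\\\''/g")
        sq_out="${sq_out:+$sq_out }'$sq_q'"
    done
    printf '%s' "$sq_out"
}

# run_locked LOCKNAME TIMEOUT COMMAND [ARG...]
#   Acquires LOCKNAME via "net g_lock do", waiting up to TIMEOUT (passed
#   through as given), and runs COMMAND ARG... under that lock.
run_locked() {
    rl_name=$1 rl_timeout=$2; shift 2
    rl_cmd=$(shell_quote_args "$@")
    "$NET" g_lock do "$rl_name" "$rl_timeout" "$rl_cmd"
}

# Usage (placeholders; runs only when RUN_LOCKED_RUN=1 so sourcing is safe):
if [ "${RUN_LOCKED_RUN:-0}" = 1 ]; then
    run_locked share-maint 10 rsync -a /srv/share/ /backup/share/
fi
```

       The quoted string round-trips through sh -c unchanged, which is what
       matters when the same maintenance command is launched from more than
       one node with paths that come from directory listings rather than
       from a script author.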
1791
   G_LOCK LOCKS
       Print a list of all currently existing locknames.

   G_LOCK DUMP lockname
       Dump the locking table of a certain global lock.

   TDB
       Print information from tdb records.

   TDB LOCKING key [DUMP]
       List sharename, filename and number of share modes for a record from
       locking.tdb. With the optional DUMP option, dump the complete record.

           •   KEY Key of the tdb record as a hex string.

   vfs
       Access the shared filesystem through the VFS. These commands run
       locally on the Samba server and operate on a share's files through
       the VFS modules configured for that share.

   vfs stream2adouble [--recursive] [--verbose] [--continue] [--follow-symlinks] share path
       Convert file streams to AppleDouble files.

           •   share A Samba share.

           •   path A relative path of something in the Samba share. "."
               can be used for the root directory of the share.

       Options:

       --recursive
           Traverse a directory hierarchy.

       --verbose
           Verbose output.

       --continue
           Continue traversing a directory hierarchy if a single conversion
           fails.

       --follow-symlinks
           Follow symlinks encountered while traversing a directory.

   vfs getntacl share path
       Display the security descriptor of a file or directory.

           •   share A Samba share.

           •   path A relative path of something in the Samba share. "."
               can be used for the root directory of the share.

   OFFLINEJOIN
       Starting with version 4.15 Samba has support for offline join APIs.
       Windows supports offline join capabilities since Windows 7 and
       Windows Server 2008 R2.

       The following offline commands are implemented:

       net offlinejoin provision - Provisions a machine account in AD.
       net offlinejoin requestodj - Requests a domain offline join.

   OFFLINEJOIN PROVISION domain=DOMAIN machine_name=MACHINE_NAME machine_account_ou=MACHINE_ACCOUNT_OU dcname=DCNAME defpwd reuse savefile=FILENAME printblob
       Provisions a machine account in AD. This command needs network
       connectivity to the domain controller to succeed. This command
       supports the following additional parameters:

           •   DOMAIN can be a NetBIOS domain name (also known as the short
               domain name) or a DNS domain name for Active Directory
               domains. The DOMAIN parameter is required.

           •   MACHINE_NAME defines the machine account name that will be
               provisioned in AD. The MACHINE_NAME parameter is required.

           •   MACHINE_ACCOUNT_OU can be set to an LDAP distinguished name
               (RFC 1779, now RFC 4514, syntax), such as
               ou=mymachines,dc=example,dc=com, in order to create the
               machine account in a non-default container. This optional
               parameter is only supported when joining Active Directory
               domains.

           •   DCNAME defines a specific domain controller for creating the
               machine account in AD.

           •   DEFPWD is an optional parameter that forces the use of the
               default machine account password. The use of this parameter
               is not recommended: the default machine account password is
               derived from the machine name and can be easily guessed.

           •   REUSE is an optional parameter that allows an existing
               machine account of the same name in AD to be reused instead
               of failing the provisioning.

           •   SAVEFILE is an optional parameter to store the generated
               provisioning data in a file.

           •   PRINTBLOB is an optional parameter to print the generated
               provisioning data on stdout.

       The provisioning data, whether saved to a file or printed, contains
       the machine account password. Treat it as a credential: keep the
       file readable only by its owner, transfer it to the target machine
       over a trusted channel, and delete it once the offline join has
       completed.

       Example: net offlinejoin provision -U administrator%secret domain=MYDOM
       machine_name=MYHOST savefile=provisioning.txt
1895
   OFFLINEJOIN REQUESTODJ loadfile=FILENAME
       Requests an offline domain join by providing file-based provisioning
       data. This command runs on the machine that is being joined and does
       not itself need connectivity to a domain controller. It supports the
       following additional parameters:

           •   LOADFILE is a required parameter to load the provisioning
               data from a file.

       Example: net offlinejoin requestodj -U administrator%secret
       loadfile=provisioning.txt
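
       The two-step offline join, as an added shell example (not part of the
       Samba man page or the Samba code base). The provisioning step
       authenticates with an existing Kerberos ticket (--use-kerberos=required
       after kinit) instead of putting the administrator password on the
       command line, refuses to overwrite an existing output file, and runs
       net under umask 077 so the saved blob is created readable only by
       its owner. The request step, run on the machine being joined, checks
       that the copied blob still has that mode and deletes it after use,
       because it carries the machine account password. MYDOM, MYHOST, the
       OU and the file names are placeholders; NET may be overridden.

```sh
#!/bin/sh
# Added example (not Samba code): offline domain join in two steps.
# Step 1 runs where a DC is reachable, step 2 on the machine being joined.
# Assumptions: MYDOM/MYHOST are placeholders; the provisioning user already
# holds a Kerberos ticket (kinit), so no password is given on the command
# line; NET may be overridden.
NET=${NET:-net}

# odj_provision DOMAIN MACHINE_NAME OUTFILE [OU] [DCNAME]
#   Creates the machine account in AD and writes the provisioning blob to
#   OUTFILE. The blob contains the machine account password, so net runs
#   under umask 077 (in a subshell, so the caller's umask is untouched) and
#   an existing OUTFILE is never overwritten.
odj_provision() {
    op_domain=$1 op_host=$2 op_out=$3 op_ou=${4:-} op_dc=${5:-}
    if [ -e "$op_out" ]; then
        echo "refusing to overwrite existing $op_out" >&2
        return 1
    fi
    (
        umask 077
        set -- offlinejoin provision --use-kerberos=required \
            "domain=$op_domain" "machine_name=$op_host" "savefile=$op_out"
        [ -n "$op_ou" ] && set -- "$@" "machine_account_ou=$op_ou"
        [ -n "$op_dc" ] && set -- "$@" "dcname=$op_dc"
        exec "$NET" "$@"
    )
}

# odj_request BLOBFILE
#   On the target machine: consumes the blob and removes it afterwards so
#   the machine password does not linger on disk.
odj_request() {
    or_blob=$1
    case $(ls -l "$or_blob" | cut -c1-10) in
        -rw-------) ;;
        *) echo "$or_blob must be readable only by its owner" >&2; return 1 ;;
    esac
    "$NET" offlinejoin requestodj "loadfile=$or_blob" || return $?
    rm -f "$or_blob"
}

# Usage (placeholders; runs only when ODJ_RUN=1 so sourcing is safe):
if [ "${ODJ_RUN:-0}" = 1 ]; then
    odj_provision MYDOM MYHOST ./provisioning.txt 'ou=mymachines,dc=example,dc=com'
    # copy provisioning.txt to MYHOST over a trusted channel, then run there:
    # odj_request ./provisioning.txt
fi
```

       Using the ticket cache also means the provisioning account's password
       is never written to disk by this script; only the blob, which is
       bound to the single machine account it provisions, leaves the
       administrator's host.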
1906
   HELP [COMMAND]
       Gives usage information for the specified command.

VERSION
       This man page is complete for version 3 of the Samba suite.

AUTHOR
       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

       The net manpage was written by Jelmer Vernooij.

Samba 4.19.3                      11/27/2023                          NET(8)