SAMBA-TOOL(8) System Administration tools SAMBA-TOOL(8)

NAME
samba-tool - Main Samba administration tool.

SYNOPSIS
samba-tool [-h] [-W myworkgroup] [-U user] [-d debuglevel] [--v]

DESCRIPTION
This tool is part of the samba(7) suite.

OPTIONS
-h|--help
Show this help message and exit

-r|--realm=REALM
Set the realm for the domain.

Note that specifying this parameter here will override the realm
parameter in the /etc/samba/smb.conf file.

--simple-bind-dn=DN
DN to use for a simple bind.

--password
Specify the password on the command line.

Be cautious about including passwords in scripts or passing
user-supplied values onto the command line. For security it is
better to let the Samba client tool ask for the password if needed,
or obtain the password once with kinit.

If --password is not specified, the tool will check the PASSWD
environment variable, followed by PASSWD_FD, which is expected to
contain an open file descriptor (FD) number.

Finally it will check PASSWD_FILE (containing a file path to be
opened). The file should only contain the password. Make certain
that the permissions on the file restrict access from unwanted
users!

While Samba will attempt to scrub the password from the process
title (as seen in ps), this is after startup and so is subject to a
race.

-U|--user=[DOMAIN\]USERNAME[%PASSWORD]
Sets the SMB username or username and password.

If %PASSWORD is not specified, the user will be prompted. The
client will first check the USER environment variable (which is
also permitted to contain the password separated by a %), then
the LOGNAME variable (which is not permitted to contain a password)
and if either exists, the value is used. If these environment
variables are not found, the username found in a Kerberos
credentials cache may be used.

A third option is to use a credentials file which contains the
plaintext of the username and password. This option is mainly
provided for scripts where the admin does not wish to pass the
credentials on the command line or via environment variables. If
this method is used, make certain that the permissions on the file
restrict access from unwanted users. See -A for more details.

Be cautious about including passwords in scripts or passing
user-supplied values onto the command line. For security it is
better to let the Samba client tool ask for the password if needed,
or obtain the password once with kinit.

While Samba will attempt to scrub the password from the process
title (as seen in ps), this is after startup and so is subject to a
race.

-W|--workgroup=WORKGROUP
Set the SMB domain of the username. This overrides the default
domain which is the domain defined in smb.conf. If the domain
specified is the same as the server's NetBIOS name, it causes the
client to log on using the server's local SAM (as opposed to the
Domain SAM).

Note that specifying this parameter here will override the
workgroup parameter in the /etc/samba/smb.conf file.

-N|--no-pass
If specified, this parameter suppresses the normal password prompt
from the client to the user. This is useful when accessing a
service that does not require a password.

Unless a password is specified on the command line or this
parameter is specified, the client will request a password.

If a password is specified on the command line and this option is
also defined, the password on the command line will be silently
ignored and no password will be used.

--use-kerberos=desired|required|off
This parameter determines whether Samba client tools will try to
authenticate using Kerberos. For Kerberos authentication you need
to use DNS names instead of IP addresses when connecting to a
service.

Note that specifying this parameter here will override the client
use kerberos parameter in the /etc/samba/smb.conf file.

--use-krb5-ccache=CCACHE
Specifies the credential cache location for Kerberos
authentication.

This will set --use-kerberos=required too.

-A|--authentication-file=filename
This option allows you to specify a file from which to read the
username and password used in the connection. The format of the
file is:

username = <value>
password = <value>
domain = <value>

Make certain that the permissions on the file restrict access from
unwanted users!

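The password options above (the %PASSWORD suffix of -U, the PASSWD variable, PASSWD_FD, PASSWD_FILE and the -A credentials file) differ in what ends up visible in ps, in the environment and on disk. The script below is an added example and is not part of the samba-tool manual or of the Samba project: it creates a credentials file and a password-only file with mode 0600 (the umask is set before the file exists, so there is no window with wider permissions), checks those permissions before use, and hands the password to a command on an inherited file descriptor via PASSWD_FD so that it never appears in argv or in shell history. The account name, domain, password and file names are constructed placeholders; the samba-tool invocations run only if samba-tool is installed, otherwise a stand-in child reads the same descriptor.

```shell
#!/bin/sh
# Added example (not from the samba-tool manual): supply credentials to
# samba-tool without exposing them on the command line. All names and the
# password below are constructed placeholders.
set -eu

# Write a -A/--authentication-file style file readable only by its owner.
# umask 077 is applied before the file is created, so there is no window
# in which it exists with wider permissions.
make_creds_file() {
    creds=$1 user=$2 domain=$3 password=$4
    (
        umask 077
        printf 'username = %s\npassword = %s\ndomain = %s\n' \
            "$user" "$password" "$domain" > "$creds"
    )
}

# Write a password-only file, usable via PASSWD_FILE or via PASSWD_FD.
make_password_file() {
    pwfile=$1 password=$2
    ( umask 077; printf '%s\n' "$password" > "$pwfile" )
}

# Succeed only if the path is a regular file with mode exactly 0600.
creds_perms_ok() {
    [ -n "$(find "$1" -prune -type f -perm 0600 2>/dev/null)" ]
}

# Run a command with the password on inherited fd 3 and PASSWD_FD=3 set.
# Nothing secret appears in argv (ps) or in the caller's environment; only
# a descriptor number is exported, and only to the child.
run_with_passwd_fd() {
    pwfile=$1; shift
    PASSWD_FD=3 "$@" 3< "$pwfile"
}

# Demonstration (runs offline; samba-tool is only invoked if installed).
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

make_creds_file "$workdir/creds" svc-backup EXAMPLE 'constructed-password'
make_password_file "$workdir/pw" 'constructed-password'

for f in "$workdir/creds" "$workdir/pw"; do
    creds_perms_ok "$f" || { echo "refusing to use $f: mode is not 0600" >&2; exit 1; }
done

if command -v samba-tool >/dev/null 2>&1; then
    # Preferred: the tool reads the password from the descriptor.
    run_with_passwd_fd "$workdir/pw" samba-tool user list -U 'EXAMPLE\svc-backup'
    # Alternative: the credentials file carries user, password and domain.
    samba-tool user list -A "$workdir/creds"
else
    # Stand-in child that reads fd 3 the way the tool would.
    run_with_passwd_fd "$workdir/pw" sh -c 'read -r pw <&3; echo "child read ${#pw} password bytes from fd 3"'
fi

# Do NOT do this: the password lands in argv, in shell history and in the
# window before the process title is scrubbed.
#   samba-tool user list -U 'EXAMPLE\svc-backup%constructed-password'
```

For interactive use, kinit once and pass --use-krb5-ccache (which implies --use-kerberos=required) instead of any of the file-based methods; the file-based methods are for unattended scripts, where the 0600 check above is the minimum a practitioner should apply.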
--ipaddress=IPADDRESS
IP address of the server.

--color=always|never|auto
Indicate whether samba-tool should use ANSI colour codes in its
output. If 'auto' (the default), samba-tool will use colour when
its output is directed toward a terminal, unless the NO_COLOR
environment variable is set and non-empty.

The values 'yes' and 'force' are accepted as synonyms for 'always';
'no' and 'none' for 'never'; and 'tty' and 'if-tty' for 'auto'.

Note that asking for colour doesn't mean samba-tool will
necessarily be very colourful. Many commands are very monochrome,
particularly when successful.

-d|--debuglevel=DEBUGLEVEL
DEBUGLEVEL is an integer from 0 to 10. The default value if this
parameter is not specified is 1 for client applications.

The higher this value, the more detail will be logged to the log
files about the activities of the server. At level 0, only critical
errors and serious warnings will be logged. Level 1 is a reasonable
level for day-to-day running - it generates a small amount of
information about operations carried out.

Levels above 1 will generate considerable amounts of log data, and
should only be used when investigating a problem. Levels above 3
are designed for use only by developers and generate HUGE amounts
of log data, most of which is extremely cryptic.

Note that specifying this parameter here will override the log
level parameter in the /etc/samba/smb.conf file.

--debug-stdout
This will redirect debug output to STDOUT. By default all clients
log to STDERR.

COMMANDS
computer
Manage computer accounts.

computer add computername [options]
Add a new computer to the Active Directory Domain.

The new computer name specified on the command line is the
sAMAccountName, with or without the trailing dollar sign.

--computerou=COMPUTEROU
DN of alternative location (with or without domainDN counterpart)
to default CN=Computers in which new computer object will be
created. E.g. 'OU=OUname'.

--description=DESCRIPTION
The new computer's description.

--ip-address=IP_ADDRESS_LIST
IPv4 address for the computer's A record, or IPv6 address for AAAA
record, can be provided multiple times.

--service-principal-name=SERVICE_PRINCIPAL_NAME_LIST
Computer's Service Principal Name, can be provided multiple times.

--prepare-oldjoin
Prepare enabled machine account for oldjoin mechanism.

computer create computername [options]
Add a new computer. This is a synonym for the samba-tool computer add
command and is available for compatibility reasons only. Please use
samba-tool computer add instead.

computer delete computername [options]
Delete an existing computer account.

The computer name specified on the command line is the sAMAccountName,
with or without the trailing dollar sign.

computer edit computername
Edit a computer AD object.

The computer name specified on the command line is the sAMAccountName,
with or without the trailing dollar sign.

--editor=EDITOR
Specifies the editor to use instead of the system default, or 'vi'
if no system default is set.

computer list
List all computers.

computer move computername new_parent_dn [options]
This command moves a computer account into the specified organizational
unit or container.

The computername specified on the command line is the sAMAccountName,
with or without the trailing dollar sign.

The name of the organizational unit or container can be specified as a
full DN or without the domainDN component.

computer show computername [options]
Display a computer AD object.

The computer name specified on the command line is the sAMAccountName,
with or without the trailing dollar sign.

--attributes=USER_ATTRS
Comma separated list of attributes, which will be printed.

contact
Manage contacts.

contact add [contactname] [options]
Add a new contact to the Active Directory Domain.

The name of the new contact can be specified by the first argument
'contactname' or the --given-name, --initials and --surname arguments.
If no 'contactname' is given, the contact's name will be made up of the
given arguments by combining the given-name, initials and surname. Each
argument is optional. A dot ('.') will be appended to the initials
automatically.

--ou=OU
DN of alternative location (with or without domainDN counterpart)
in which the new contact will be created. E.g. 'OU=OUname'. Default
is the domain base.

--description=DESCRIPTION
The new contact's description.

--surname=SURNAME
Contact's surname.

--given-name=GIVEN_NAME
Contact's given name.

--initials=INITIALS
Contact's initials.

--display-name=DISPLAY_NAME
Contact's display name.

--job-title=JOB_TITLE
Contact's job title.

--department=DEPARTMENT
Contact's department.

--company=COMPANY
Contact's company.

--mail-address=MAIL_ADDRESS
Contact's email address.

--internet-address=INTERNET_ADDRESS
Contact's home page.

--telephone-number=TELEPHONE_NUMBER
Contact's phone number.

--mobile-number=MOBILE_NUMBER
Contact's mobile phone number.

--physical-delivery-office=PHYSICAL_DELIVERY_OFFICE
Contact's office location.

contact create [contactname] [options]
Add a new contact. This is a synonym for the samba-tool contact add
command and is available for compatibility reasons only. Please use
samba-tool contact add instead.

contact delete contactname [options]
Delete an existing contact.

The contactname specified on the command line is the common name or the
distinguished name of the contact object. The distinguished name of the
contact can be specified with or without the domainDN component.

contact edit contactname
Modify a contact AD object.

The contactname specified on the command line is the common name or the
distinguished name of the contact object. The distinguished name of the
contact can be specified with or without the domainDN component.

--editor=EDITOR
Specifies the editor to use instead of the system default, or 'vi'
if no system default is set.

contact list [options]
List all contacts.

--full-dn
Display the contact's full DN instead of the name.

contact move contactname new_parent_dn [options]
This command moves a contact into the specified organizational unit or
container.

The contactname specified on the command line is the common name or the
distinguished name of the contact object. The distinguished name of the
contact can be specified with or without the domainDN component.

contact show contactname [options]
Display a contact AD object.

The contactname specified on the command line is the common name or the
distinguished name of the contact object. The distinguished name of the
contact can be specified with or without the domainDN component.

--attributes=CONTACT_ATTRS
Comma separated list of attributes, which will be printed.

contact rename contactname [options]
Rename a contact and related attributes.

This command sets the contact's name-related attributes. The contact's
CN will be renamed automatically. The contact's new CN will be made up
by combining the given-name, initials and surname. A dot ('.') will be
appended to the initials automatically, if required. Use the
--force-new-cn option to specify the new CN manually and --reset-cn to
reset this change.

Use an empty attribute value to remove the specified attribute.

The contact name specified on the command line is the CN.

--surname=SURNAME
New surname.

--given-name=GIVEN_NAME
New given name.

--initials=INITIALS
New initials.

--force-new-cn=NEW_CN
Specify a new CN (RDN) instead of using a combination of the given
name, initials and surname.

--reset-cn
Set the CN to the default combination of given name, initials and
surname.

--display-name=DISPLAY_NAME
New display name.

--mail-address=MAIL_ADDRESS
New email address.

dbcheck
Check the local AD database for errors.

delegation
Manage Delegations.

delegation add-service accountname principal [options]
Add a service principal to the account's msDS-AllowedToDelegateTo list
(constrained delegation to that service).

delegation del-service accountname principal [options]
Remove a service principal from the account's msDS-AllowedToDelegateTo
list.

delegation for-any-protocol accountname [(on|off)] [options]
Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION for an account.
This enables protocol transition: the account may obtain service
tickets on behalf of users who did not authenticate to it with Kerberos
(S4U2Self) and forward them to the services listed in
msDS-AllowedToDelegateTo (S4U2Proxy). Grant it only where the account
genuinely has to impersonate users.

delegation for-any-service accountname [(on|off)] [options]
Set/unset UF_TRUSTED_FOR_DELEGATION for an account. This is
unconstrained delegation: a user's forwarded TGT is held by the account's
host and can be used to reach any service as that user. Prefer
constrained delegation (add-service) wherever possible.

delegation show accountname [options]
Show the delegation setting of an account.

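The delegation commands above are usually driven from a script that first classifies each account and then tightens the risky ones. The script below is an added example, not part of the samba-tool manual or of the Samba project. It classifies an account from the text that `samba-tool delegation show` prints, and wraps the for-any-service, for-any-protocol and add-service commands into a single "replace unconstrained with constrained" step. The "Key: value" line shape and the True/False values of the sample output are an assumption of this example (constructed to resemble the command's output, not copied from it); the account names, SPNs and DN are constructed placeholders, and samba-tool itself is only invoked when it is installed and accounts are given on the command line.

```shell
#!/bin/sh
# Added example (not from the samba-tool manual): audit and tighten
# delegation settings using the samba-tool delegation commands. Account
# names, SPNs and DNs are constructed placeholders; the "Key: value" shape
# and True/False values of `delegation show` output are an assumption.
set -eu

# Classify one account from the text of `samba-tool delegation show`:
#   UNCONSTRAINED        UF_TRUSTED_FOR_DELEGATION is set; any forwarded
#                        TGT the host receives can reach any service.
#   PROTOCOL_TRANSITION  UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION is set;
#                        the account can impersonate users it never saw
#                        authenticate (S4U2Self), towards the listed SPNs.
#   CONSTRAINED          only msDS-AllowedToDelegateTo targets are set.
#   NONE                 no delegation configured.
# Unconstrained wins over the others because the other settings are moot
# once the account holds forwarded TGTs.
classify_delegation() {
    awk -F': ' '
        $1 == "UF_TRUSTED_FOR_DELEGATION" && ($2 == "True" || $2 == "1") { unc = 1 }
        $1 == "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION" && ($2 == "True" || $2 == "1") { pt = 1 }
        $1 == "msDS-AllowedToDelegateTo" { con = 1 }
        END {
            if (unc) print "UNCONSTRAINED"
            else if (pt) print "PROTOCOL_TRANSITION"
            else if (con) print "CONSTRAINED"
            else print "NONE"
        }'
}

# Replace unconstrained delegation on ACCOUNT with constrained, Kerberos-only
# delegation to the given SPNs (protocol transition is switched off too).
constrain_delegation() {
    acct=$1; shift
    samba-tool delegation for-any-service "$acct" off
    samba-tool delegation for-any-protocol "$acct" off
    for spn in "$@"; do
        samba-tool delegation add-service "$acct" "$spn"
    done
    samba-tool delegation show "$acct"
}

# Print "ACCOUNT VERDICT" for each account named on the command line.
audit_delegation() {
    for acct in "$@"; do
        printf '%s %s\n' "$acct" "$(samba-tool delegation show "$acct" | classify_delegation)"
    done
}

# Offline demonstration on constructed `delegation show` output.
sample='Account-DN: CN=web01,CN=Computers,DC=example,DC=com
UF_TRUSTED_FOR_DELEGATION: True
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION: False'
printf 'web01$ %s\n' "$(printf '%s\n' "$sample" | classify_delegation)"

if command -v samba-tool >/dev/null 2>&1 && [ $# -gt 0 ]; then
    audit_delegation "$@"
    # To remediate an UNCONSTRAINED result, e.g.:
    #   constrain_delegation 'web01$' cifs/files.example.com
fi
```

Run it as `sh audit-delegation.sh 'web01$' svc-web` against a DC with samba-tool installed; every account reported as UNCONSTRAINED is a candidate for constrain_delegation with the exact SPNs it needs, and PROTOCOL_TRANSITION should be confirmed as intentional, since it lets the account mint tickets for arbitrary users.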
dns
Manage Domain Name Service (DNS).

dns add server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
Add a DNS record.

dns delete server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
Delete a DNS record.

dns query server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT|ALL [options] data
Query a name.

dns roothints server [name] [options]
Query root hints.

dns serverinfo server [options]
Query server information.

dns update server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT olddata newdata
Update a DNS record.

dns zonecreate server zone [options]
Create a zone.

dns zonedelete server zone [options]
Delete a zone.

dns zoneinfo server zone [options]
Query zone information.

dns zonelist server [options]
List zones.

domain
Manage Domain.

domain backup
Create or restore a backup of the domain.

domain backup offline
Backup (with proper locking) local domain directories into a tar file.

domain backup online
Copy a running DC's current DB into a backup tar file.

domain backup rename
Copy a running DC's DB to a backup file, renaming the domain in the
process.

domain backup restore
Restore the domain's DB from a backup file.

domain auth policy list
List authentication policies on the domain.

-H, --URL
LDB URL for database or target server.

--json
View authentication policies as JSON instead of a list.

domain auth policy view
View an authentication policy on the domain.

-H, --URL
LDB URL for database or target server.

--name
Name of the authentication policy to view (required).

domain auth policy create
Create authentication policies on the domain.

-H, --URL
LDB URL for database or target server.

--name
Name of the authentication policy (required).

--description
Optional description for the authentication policy.

--protect
Protect authentication policy from accidental deletion.

Cannot be used together with --unprotect.

--unprotect
Unprotect authentication policy from accidental deletion.

Cannot be used together with --protect.

--audit
Only audit authentication policy.

Cannot be used together with --enforce.

--enforce
Enforce authentication policy.

Cannot be used together with --audit.

--strong-ntlm-policy
Strong NTLM Policy (Disabled, Optional, Required).

--user-tgt-lifetime
Ticket-Granting-Ticket lifetime for user accounts.

--user-allow-ntlm-auth
Allow NTLM network authentication when user is restricted to
selected devices.

--service-tgt-lifetime
Ticket-Granting-Ticket lifetime for service accounts.

--service-allow-ntlm-auth
Allow NTLM network authentication when service is restricted to
selected devices.

--computer-tgt-lifetime
Ticket-Granting-Ticket lifetime for computer accounts.

domain auth policy modify
Modify authentication policies on the domain.

-H, --URL
LDB URL for database or target server.

--name
Name of the authentication policy (required).

--description
Optional description for the authentication policy.

--protect
Protect authentication policy from accidental deletion.

Cannot be used together with --unprotect.

--unprotect
Unprotect authentication policy from accidental deletion.

Cannot be used together with --protect.

--audit
Only audit authentication policy.

Cannot be used together with --enforce.

--enforce
Enforce authentication policy.

Cannot be used together with --audit.

--strong-ntlm-policy
Strong NTLM Policy (Disabled, Optional, Required).

--user-tgt-lifetime
Ticket-Granting-Ticket lifetime for user accounts.

--user-allow-ntlm-auth
Allow NTLM network authentication when user is restricted to
selected devices.

--service-tgt-lifetime
Ticket-Granting-Ticket lifetime for service accounts.

--service-allow-ntlm-auth
Allow NTLM network authentication when service is restricted to
selected devices.

--computer-tgt-lifetime
Ticket-Granting-Ticket lifetime for computer accounts.

domain auth policy delete
Delete authentication policies on the domain.

-H, --URL
LDB URL for database or target server.

--name
Name of authentication policy to delete (required).

--force
Force authentication policy delete even if it is protected.

domain auth silo list
List authentication silos on the domain.

-H, --URL
LDB URL for database or target server.

--json
View authentication silos as JSON instead of a list.

domain auth silo view
View an authentication silo on the domain.

-H, --URL
LDB URL for database or target server.

--name
Name of the authentication silo to view (required).

domain auth silo create
Create authentication silos on the domain.

-H, --URL
LDB URL for database or target server.

--name
Name of the authentication silo (required).

--description
Optional description for the authentication silo.

--policy
Use single policy for all principals in this silo.

--user-policy
User account policy.

--service-policy
Managed Service Account policy.

--computer-policy
Computer Account policy.

--protect
Protect authentication silo from accidental deletion.

Cannot be used together with --unprotect.

--unprotect
Unprotect authentication silo from accidental deletion.

Cannot be used together with --protect.

--audit
Only audit silo policies.

Cannot be used together with --enforce.

--enforce
Enforce silo policies.

Cannot be used together with --audit.

domain auth silo modify
Modify authentication silos on the domain.

-H, --URL
LDB URL for database or target server.

--name
Name of the authentication silo (required).

--description
Optional description for the authentication silo.

--policy
Use single policy for all principals in this silo.

--user-policy
User account policy.

--service-policy
Managed Service Account policy.

--computer-policy
Computer Account policy.

--protect
Protect authentication silo from accidental deletion.

Cannot be used together with --unprotect.

--unprotect
Unprotect authentication silo from accidental deletion.

Cannot be used together with --protect.

--audit
Only audit silo policies.

Cannot be used together with --enforce.

--enforce
Enforce silo policies.

Cannot be used together with --audit.

domain auth silo delete
Delete authentication silos on the domain.

-H, --URL
LDB URL for database or target server.

--name
Name of authentication silo to delete (required).

--force
Force authentication silo delete even if it is protected.

domain auth silo member add
Add a member to an authentication silo.

-H, --URL
LDB URL for database or target server.

--name
Name of authentication silo (required).

--member
Member to add to the silo (DN or account name).

domain auth silo member list
List members in an authentication silo.

-H, --URL
LDB URL for database or target server.

--name
Name of authentication silo (required).

--json
View members as JSON instead of a list.

domain auth silo member remove
Remove a member from an authentication silo.

-H, --URL
LDB URL for database or target server.

--name
Name of authentication silo (required).

--member
Member to remove from the silo (DN or account name).

domain claim claim-type list
List claim types on the domain.

-H, --URL
LDB URL for database or target server.

--json
View claim types as JSON instead of a list.

domain claim claim-type view
View a single claim type on the domain.

-H, --URL
LDB URL for database or target server.

--name
Display name of claim type to view (required).

domain claim claim-type create
Create claim types on the domain.

-H, --URL
LDB URL for database or target server.

--attribute
Attribute of claim type to create (required).

--class
Object classes to set claim type to.

Example: --class=user --class=computer

--name
Optional display name or use attribute name.

--description
Optional description or use from attribute.

--enable
Enable claim type.

Cannot be used together with --disable.

--disable
Disable claim type.

Cannot be used together with --enable.

--protect
Protect claim type from accidental deletion.

Cannot be used together with --unprotect.

--unprotect
Unprotect claim type from accidental deletion.

Cannot be used together with --protect.

domain claim claim-type modify
Modify claim types on the domain.

-H, --URL
LDB URL for database or target server.

--name
Display name of claim type to modify (required).

--class
Object classes to set claim type to.

Example: --class=user --class=computer

--description
Set the claim type description.

--enable
Enable claim type.

Cannot be used together with --disable.

--disable
Disable claim type.

Cannot be used together with --enable.

--protect
Protect claim type from accidental deletion.

Cannot be used together with --unprotect.

--unprotect
Unprotect claim type from accidental deletion.

Cannot be used together with --protect.

domain claim claim-type delete
Delete claim types on the domain.

-H, --URL
LDB URL for database or target server.

--name
Display name of claim type to delete (required).

--force
Force claim type delete even if it is protected.

domain claim value-type list
List claim value types on the domain.

-H, --URL
LDB URL for database or target server.

--json
View claim value types as JSON instead of a list.

domain claim value-type view
View a single claim value type on the domain.

-H, --URL
LDB URL for database or target server.

--name
Display name of claim value type to view (required).

domain classicupgrade [options] classic_smb_conf
Upgrade from Samba classic (NT4-like) database to Samba AD DC database.

domain dcpromo dnsdomain [DC|RODC] [options]
Promote an existing domain member or NT4 PDC to an AD DC.

domain demote
Demote ourselves from the role of domain controller.

domain exportkeytab keytab [options]
Dumps Kerberos keys of the domain into a keytab. Unless restricted with
--principal, the resulting file holds the long-term keys of every
principal in the domain and is as sensitive as the domain database
itself; create it with restrictive permissions and delete it when no
longer needed.

domain info ip_address [options]
Print basic info about a domain and the specified DC.

domain join dnsdomain [DC|RODC|MEMBER|SUBDOMAIN] [options]
Join a domain as either member or backup domain controller.

domain level show|raise options [options]
Show/raise domain and forest function levels.

domain passwordsettings show|set options [options]
Show/set password settings.

domain passwordsettings pso
Manage fine-grained Password Settings Objects (PSOs).

domain passwordsettings pso apply pso-name user-or-group-name [options]
Applies a PSO's password policy to a user or group.

domain passwordsettings pso create pso-name precedence [options]
Creates a new Password Settings Object (PSO).

domain passwordsettings pso delete pso-name [options]
Deletes a Password Settings Object (PSO).

domain passwordsettings pso list [options]
Lists all Password Settings Objects (PSOs).

domain passwordsettings pso set pso-name [options]
Modifies a Password Settings Object (PSO).

domain passwordsettings pso show pso-name [options]
Displays a Password Settings Object (PSO).

domain passwordsettings pso show-user user-name [options]
Displays the Password Settings that apply to a user.

domain passwordsettings pso unapply pso-name user-or-group-name [options]
Updates a PSO to no longer apply to a user or group.

domain provision
Provision a new Active Directory domain, creating its database and
making this host the first domain controller.

domain trust
Domain and forest trust management.

domain trust create DOMAIN options [options]
Create a domain or forest trust.

domain trust modify DOMAIN options [options]
Modify a domain or forest trust.

domain trust delete DOMAIN options [options]
Delete a domain trust.

domain trust list options [options]
List domain trusts.

domain trust namespaces [DOMAIN] options [options]
Manage forest trust namespaces.

domain trust show DOMAIN options [options]
Show trusted domain details.

domain trust validate DOMAIN options [options]
Validate a domain trust.

941 drs
942 Manage Directory Replication Services (DRS).
943
944 drs bind
945 Show DRS capabilities of a server.
946
947 drs kcc
948 Trigger knowledge consistency center run.
949
950 drs options
951 Query or change options for NTDS Settings object of a domain
952 controller.
953
954 drs replicate destination_DC source_DC NC [options]
955 Replicate a naming context between two DCs.
956
957 drs showrepl
958 Show replication status. The [--json] option results in JSON output,
959 and with the [--summary] option produces very little output when the
960 replication status seems healthy.
961
962 dsacl
963 Administer DS ACLs
964
965 dsacl delete
966 Delete an access list entry on a directory object.
967
968 dsacl get
969 Print access list on a directory object.
970
971 dsacl set
972 Modify access list on a directory object.
973
974 forest
975 Manage Forest configuration.
976
977 forest directory_service
978 Manage directory_service behaviour for the forest.
979
980 forest directory_service dsheuristics VALUE
981 Modify dsheuristics directory_service configuration for the forest.
982
983 forest directory_service show
984 Show current directory_service configuration for the forest.
985
986 fsmo
987 Manage Flexible Single Master Operations (FSMO).
988
989 fsmo seize [options]
990 Seize the role.
991
992 fsmo show
993 Show the roles.
994
995 fsmo transfer [options]
996 Transfer the role.
997
998 gpo
999 Manage Group Policy Objects (GPO).
1000
1001 gpo create displayname [options]
1002 Create an empty GPO.
1003
1004 gpo del gpo [options]
1005 Delete GPO.
1006
1007 gpo dellink container_dn gpo [options]
1008 Delete GPO link from a container.
1009
1010 gpo fetch gpo [options]
1011 Download a GPO.
1012
1013 gpo getinheritance container_dn [options]
1014 Get inheritance flag for a container.
1015
1016 gpo getlink container_dn [options]
1017 List GPO Links for a container.
1018
1019 gpo list username [options]
1020 List GPOs for an account.
1021
1022 gpo listall
1023 List all GPOs.
1024
1025 gpo listcontainers gpo [options]
1026 List all linked containers for a GPO.
1027
1028 gpo setinheritance container_dn block|inherit [options]
1029 Set inheritance flag on a container.
1030
1031 gpo setlink container_dn gpo [options]
1032 Add or Update a GPO link to a container.
1033
1034 gpo show gpo [options]
1035 Show information for a GPO.
1036
1037 gpo manage symlink list
1038 List VGP Symbolic Link Group Policy from the sysvol
1039
1040 gpo manage symlink add
1041 Adds a VGP Symbolic Link Group Policy to the sysvol
1042
1043 gpo manage symlink remove
1044 Removes a VGP Symbolic Link Group Policy from the sysvol
1045
1046 gpo manage files list
1047 List VGP Files Group Policy from the sysvol
1048
1049 gpo manage files add
1050 Add VGP Files Group Policy to the sysvol
1051
1052 gpo manage files remove
1053 Remove VGP Files Group Policy from the sysvol
1054
1055 gpo manage openssh list
1056 List VGP OpenSSH Group Policy from the sysvol
1057
1058 gpo manage openssh set
1059 Sets a VGP OpenSSH Group Policy to the sysvol
1060
1061 gpo manage sudoers add
1062 Adds a Samba Sudoers Group Policy to the sysvol.
1063
1064 gpo manage sudoers list
1065 List Samba Sudoers Group Policy from the sysvol.
1066
1067 gpo manage sudoers remove
1068 Removes a Samba Sudoers Group Policy from the sysvol.
1069
1070 gpo manage scripts startup list
1071 List VGP Startup Script Group Policy from the sysvol
1072
1073 gpo manage scripts startup add
1074 Adds VGP Startup Script Group Policy to the sysvol
1075
1076 gpo manage scripts startup remove
1077 Removes VGP Startup Script Group Policy from the sysvol
1078
1079 gpo manage motd list
1080 List VGP MOTD Group Policy from the sysvol.
1081
1082 gpo manage motd set
1083 Sets a VGP MOTD Group Policy to the sysvol
1084
1085 gpo manage issue list
1086 List VGP Issue Group Policy from the sysvol.
1087
1088 gpo manage issue set
1089 Sets a VGP Issue Group Policy to the sysvol
1090
1091 gpo manage access add
1092 Adds a VGP Host Access Group Policy to the sysvol
1093
1094 gpo manage access list
1095 List VGP Host Access Group Policy from the sysvol
1096
1097 gpo manage access remove
1098 Remove a VGP Host Access Group Policy from the sysvol
1099
1100 group
1101 Manage groups.
1102
1103 group add groupname [options]
1104 Create a new AD group.
1105
1106 group create groupname [options]
1107 Add a new AD group. This is a synonym for the samba-tool group add
1108 command and is available for compatibility reasons only. Please use
1109 samba-tool group add instead.
1110
1111 group addmembers groupname members [options]
1112 Add members to an AD group.
1113
1114 group delete groupname [options]
1115 Delete an AD group.
1116
1117 group edit groupname
1118 Edit a group AD object.
1119
1120 --editor=EDITOR
1121 Specifies the editor to use instead of the system default, or 'vi'
1122 if no system default is set.
1123
1124 group list
1125 List all groups.
1126
1127 group listmembers groupname [options]
1128 List all members of the specified AD group.
1129
1130 By default the sAMAccountNames are listed. If no sAMAccountName is
1131 available, the CN will be used instead.
1132
1133 --full-dn
1134 List the distinguished names instead of the sAMAccountNames.
1135
1136 --hide-expired
1137 Do not list expired group members.
1138
1139 --hide-disabled
1140 Do not list disabled group members.
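
The following script is an added example and is not part of samba-tool or its documentation. It shows how the group listmembers options above are used to audit the membership of privileged groups: --full-dn makes nested groups and same-named objects in different OUs unambiguous, and --hide-disabled drops accounts that cannot log on anyway. The group names, the allowlist DNs and the SAMBA_TOOL override are assumptions for this example; on a DC the script is run as root, or with credentials passed through samba-tool's usual options.

```sh
#!/bin/sh
# Added example (not samba-tool's own code): compare the enabled members of
# privileged AD groups against an allowlist using
#   samba-tool group listmembers GROUP --full-dn --hide-disabled
# Assumptions: the group names and allowlist DNs below are illustrative;
# SAMBA_TOOL may point at a wrapper or, for offline testing, at a shell
# function that prints canned output.

SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"

# Groups to review, one sAMAccountName per line.
PRIVILEGED_GROUPS='Domain Admins
Enterprise Admins
Schema Admins'

# Constructed allowlist: "GROUP|DN" per line (DNs invented for the example).
ALLOWLIST='Domain Admins|CN=Administrator,CN=Users,DC=example,DC=com
Enterprise Admins|CN=Administrator,CN=Users,DC=example,DC=com
Schema Admins|CN=Administrator,CN=Users,DC=example,DC=com'

# list_members GROUP: print the DN of every enabled member of GROUP.
list_members() {
    "$SAMBA_TOOL" group listmembers "$1" --full-dn --hide-disabled
}

# is_allowed GROUP DN: succeed if the pair is on the allowlist.
# -F treats "|" literally, -x requires a whole-line match.
is_allowed() {
    printf '%s\n' "$ALLOWLIST" | grep -Fxq -- "$1|$2"
}

# audit_list: print "GROUP|DN" for every member that is not allowlisted.
audit_list() {
    printf '%s\n' "$PRIVILEGED_GROUPS" | while IFS= read -r group; do
        list_members "$group" | while IFS= read -r dn; do
            [ -n "$dn" ] || continue
            is_allowed "$group" "$dn" || printf '%s|%s\n' "$group" "$dn"
        done
    done
}

# audit_groups: report unexpected members; return 1 if any were found.
audit_groups() {
    unexpected=$(audit_list)
    if [ -n "$unexpected" ]; then
        printf 'Unexpected privileged group members:\n%s\n' "$unexpected"
        return 1
    fi
    echo "Privileged group membership matches the allowlist."
    return 0
}

# Contact the DC only when asked to, so the file can also be sourced.
case "${1:-}" in
    --audit) audit_groups ;;
esac
```

Run it as `sh audit-groups.sh --audit`; a non-zero exit status means a member outside the allowlist was found, which makes the script usable from cron or a monitoring job. Disabled accounts are deliberately excluded here and should be reviewed separately, because re-enabling one restores the privilege.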
1141
1142 group move groupname new_parent_dn [options]
1143 This command moves a group into the specified organizational unit or
1144 container.
1145
1146 The groupname specified on the command is the sAMAccountName.
1147
1148 The name of the organizational unit or container can be specified as a
1149 full DN or without the domainDN component.
1150
1151 group removemembers groupname members [options]
1152 Remove members from the specified AD group.
1153
1154 group show groupname [options]
1155 Show group object and its attributes.
1156
1157 group stats [options]
1158 Show statistics for overall groups and group memberships.
1159
1160 group rename groupname [options]
1161 Rename a group and related attributes.
1162
1163 This command allows setting the group's name-related attributes. The
1164 group's CN will be renamed automatically to match the new
1165 sAMAccountName. Use the --force-new-cn option to specify the new CN
1166 manually and --reset-cn to undo that override.
1167
1168 Use an empty attribute value to remove the specified attribute.
1169
1170 The groupname specified on the command is the sAMAccountName.
1171
1172 --force-new-cn=NEW_CN
1173 Specify a new CN (RDN) instead of using the sAMAccountName.
1174
1175 --reset-cn
1176 Set the CN to the sAMAccountName.
1177
1178 --mail-address=MAIL_ADDRESS
1179 New mail address
1180
1181 --samaccountname=SAMACCOUNTNAME
1182 New account name (sAMAccountName/logon name)
1183
1184 ldapcmp URL1 URL2 domain|configuration|schema|dnsdomain|dnsforest [options]
1185 Compare two LDAP databases.
1186
1187 ntacl
1188 Manage NT ACLs.
1189
1190 ntacl changedomsid original-domain-SID new-domain-SID file [options]
1191 Change the domain SID for ACLs. Can be used to change all entries in
1192 acl_xattr when the machine's SID has accidentally changed or the data
1193 set has been copied to another machine either via backup/restore or
1194 rsync.
1195
1196 --use-ntvfs
1197 Set the ACLs directly to the TDB or xattr. The POSIX permissions
1198 will NOT be changed, only the NT ACL will be stored.
1199
1200 --service=SERVICE
1201 Specify the name of the smb.conf service to use. This option is
1202 required in combination with the --use-s3fs option.
1203
1204 --use-s3fs
1205 Set the ACLs for use with the default s3fs file server via the VFS
1206 layer. This option requires a smb.conf service, specified by the
1207 --service=SERVICE option.
1208
1209 --xattr-backend=[native|tdb]
1210 Specify the xattr backend type (native fs or tdb).
1211
1212 --eadb-file=EADB_FILE
1213 Name of the tdb file where attributes are stored.
1214
1215 --recursive
1216 Set the ACLs for directories and their contents recursively.
1217
1218 --follow-symlinks
1219 Follow symlinks when --recursive is specified.
1220
1221 --verbose
1222 Verbosely list files and ACLs which are being processed.
1223
1224 ntacl get file [options]
1225 Get ACLs on a file.
1226
1227 ntacl set acl file [options]
1228 Set ACLs on a file.
1229
1230 ntacl sysvolcheck
1231 Check sysvol ACLs match defaults (including correct ACLs on GPOs).
1232
1233 ntacl sysvolreset
1234 Reset sysvol ACLs to defaults (including correct ACLs on GPOs).
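
The following script is an added example and is not part of samba-tool or its documentation. It wraps ntacl changedomsid with the checks an operator wants before every stored NT ACL under a share is rewritten: both arguments must be bare domain SIDs (S-1-5-21-a-b-c, without a trailing RID), they must differ, the target must exist, and because the ACLs should be written the way smbd reads them, --use-s3fs is paired with the --service name it requires. A second function reads the SDDL printed by ntacl get and reports whether the old domain SID is still referenced, which is a cheap post-check on a sample of files. The SIDs, share name and paths used in the test are invented; the tool is only invoked by the script when asked with --plan, and even then the command is printed rather than executed.

```sh
#!/bin/sh
# Added example (not samba-tool's own code): pre-flight checks for
#   samba-tool ntacl changedomsid ORIGINAL-DOMAIN-SID NEW-DOMAIN-SID PATH
# Assumptions: SIDs, share names and paths used here are invented; the
# script prints the command it would run instead of executing it.

# is_domain_sid SID: accept only S-1-5-21-a-b-c with three sub-authorities,
# each a decimal number that fits in 32 bits. A SID with a RID appended
# (for example ...-500) identifies a user or group, not a domain, and is
# rejected, as is a well-known SID such as S-1-5-32-544.
is_domain_sid() {
    printf '%s\n' "$1" | awk -F- '
        NF == 7 && $1 == "S" && $2 == "1" && $3 == "5" && $4 == "21" {
            for (i = 5; i <= 7; i++)
                if ($i !~ /^[0-9]+$/ || $i + 0 > 4294967295) exit 1
            exit 0
        }
        { exit 1 }'
}

# changedomsid_cmd OLD NEW PATH SERVICE: validate the arguments and print
# the samba-tool invocation that would be run. Returns 1 on any failed
# check so a caller stops before touching the share.
changedomsid_cmd() {
    old=$1 new=$2 path=$3 service=$4
    is_domain_sid "$old" || { echo "bad original domain SID: $old" >&2; return 1; }
    is_domain_sid "$new" || { echo "bad new domain SID: $new" >&2; return 1; }
    [ "$old" != "$new" ] || { echo "original and new SID are identical" >&2; return 1; }
    [ -d "$path" ] || { echo "not a directory: $path" >&2; return 1; }
    # --use-s3fs writes the ACL through the VFS stack of a real share, which
    # is what a running smbd will read; the man page requires --service with it.
    [ -n "$service" ] || { echo "--use-s3fs needs an smb.conf service name" >&2; return 1; }
    printf 'samba-tool ntacl changedomsid %s %s %s --use-s3fs --service=%s --recursive\n' \
        "$old" "$new" "$path" "$service"
}

# acl_references_sid DOMAIN-SID: read the SDDL printed by
# "samba-tool ntacl get FILE" on stdin and succeed if any SID in it still
# belongs to DOMAIN-SID. The trailing "-" avoids matching a different
# domain SID that merely shares a prefix.
acl_references_sid() {
    grep -Fq -- "$1-"
}

# Only print a plan when invoked as: sh changedomsid-plan.sh --plan OLD NEW PATH SERVICE
case "${1:-}" in
    --plan) shift; changedomsid_cmd "$@" ;;
esac
```

After the real changedomsid run, `samba-tool ntacl get FILE | acl_references_sid OLD-SID` on a handful of files under the share should fail; if it succeeds, some entries still carry the old domain SID and the run needs to be repeated or its scope widened. The same ntacl get spot check is worth doing before the run, to confirm the old SID is actually the one present in the stored ACLs.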
1235
1236 ou
1237 Manage organizational units (OUs).
1238
1239 ou add ou_dn [options]
1240 Add a new organizational unit.
1241
1242 The name of the organizational unit can be specified as a full DN or
1243 without the domainDN component.
1244
1245 --description=DESCRIPTION
1246 Specify OU's description.
1247
1248 ou create ou_dn [options]
1249 Add a new organizational unit. This is a synonym for the samba-tool ou
1250 add command and is available for compatibility reasons only. Please use
1251 samba-tool ou add instead.
1252
1253 ou delete ou_dn [options]
1254 Delete an organizational unit.
1255
1256 The name of the organizational unit can be specified as a full DN or
1257 without the domainDN component.
1258
1259 --force-subtree-delete
1260 Delete organizational unit and all children recursively.
1261
1262 ou list [options]
1263 List all organizational units.
1264
1265 --full-dn
1266 Display DNs including the base DN.
1267
1268 ou listobjects ou_dn [options]
1269 List all objects in an organizational unit.
1270
1271 The name of the organizational unit can be specified as a full DN or
1272 without the domainDN component.
1273
1274 --full-dn
1275 Display DNs including the base DN.
1276
1277 -r|--recursive
1278 List objects recursively.
1279
1280 ou move old_ou_dn new_parent_dn [options]
1281 Move an organizational unit.
1282
1283 The name of the organizational units can be specified as a full DN or
1284 without the domainDN component.
1285
1286 ou rename old_ou_dn new_ou_dn [options]
1287 Rename an organizational unit.
1288
1289 The name of the organizational units can be specified as a full DN or
1290 without the domainDN component.
1291
1292 rodc
1293 Manage Read-Only Domain Controller (RODC).
1294
1295 rodc preload SID|DN|accountname [options]
1296 Preload one account for an RODC.
1297
1298 schema
1299 Manage and query schema.
1300
1301 schema attribute modify attribute [options]
1302 Modify the behaviour of an attribute in schema.
1303
1304 schema attribute show attribute [options]
1305 Display an attribute schema definition.
1306
1307 schema attribute show_oc attribute [options]
1308 Show objectclasses that MAY or MUST contain this attribute.
1309
1310 schema objectclass show objectclass [options]
1311 Display an objectclass schema definition.
1312
1313 sites
1314 Manage sites.
1315
1316 sites list [options]
1317 List sites.
1318
1319 --json
1320 Output as JSON instead of a list
1321
1322 sites view site [options]
1323 View site details.
1324
1325 sites create site [options]
1326 Create a new site.
1327
1328 sites remove site [options]
1329 Delete an existing site.
1330
1331 sites subnet list site [options]
1332 List subnets for a site.
1333
1334 --json
1335 Output as JSON instead of a list
1336
1337 sites subnet view subnet [options]
1338 View subnet details.
1339
1340 sites subnet create subnet site-of-subnet [options]
1341 Create a new subnet.
1342
1343 sites subnet remove subnet [options]
1344 Delete an existing subnet.
1345
1346 sites subnet set-site subnet site-of-subnet [options]
1347 Assign a subnet to a site.
1348
1349 spn
1350 Manage Service Principal Names (SPN).
1351
1352 spn add name user [options]
1353 Create a new SPN.
1354
1355 spn delete name [user] [options]
1356 Delete an existing SPN.
1357
1358 spn list user [options]
1359 List SPNs of a given user.
1360
1361 testparm
1362 Check the syntax of the configuration file.
1363
1364 time
1365 Retrieve the time on a server.
1366
1367 user
1368 Manage users.
1369
1370 user add username [password]
1371 Add a new user to the Active Directory Domain.
1372
1373 user create username [password]
1374 Add a new user. This is a synonym for the samba-tool user add command
1375 and is available for compatibility reasons only. Please use samba-tool
1376 user add instead.
1377
1378 user delete username [options]
1379 Delete an existing user account.
1380
1381 user disable username
1382 Disable a user account.
1383
1384 user edit username
1385 Edit a user account AD object.
1386
1387 --editor=EDITOR
1388 Specifies the editor to use instead of the system default, or 'vi'
1389 if no system default is set.
1390
1391 user enable username
1392 Enable a user account.
1393
1394 user list
1395 List all users.
1396
1397 By default the user's sAMAccountNames are listed.
1398
1399 --full-dn
1400 List user's distinguished names instead of the sAMAccountNames.
1401
1402 -b BASE_DN|--base-dn=BASE_DN
1403 Specify base DN to use. Only users under the specified base DN will
1404 be listed.
1405
1406 --hide-expired
1407 Do not list expired user accounts.
1408
1409 --hide-disabled
1410 Do not list disabled user accounts.
1411
1412 user setprimarygroup username primarygroupname
1413 Set the primary group of a user account.
1414
1415 user getgroups username
1416 Get the direct group memberships of a user account.
1417
1418 user show username [options]
1419 Display a user AD object.
1420
1421 --attributes=USER_ATTRS
1422 Comma-separated list of attributes to print.
1423
1424 user move username new_parent_dn [options]
1425 This command moves a user account into the specified organizational
1426 unit or container.
1427
1428 The username specified on the command is the sAMAccountName.
1429
1430 The name of the organizational unit or container can be specified as a
1431 full DN or without the domainDN component.
1432
1433 user password [options]
1434 Change password for a user account (the one provided in
1435 authentication).
1436
1437 user rename username [options]
1438 Rename a user and related attributes.
1439
1440 This command allows setting the user's name-related attributes. The
1441 user's CN will be renamed automatically. The user's new CN will be made
1442 up by combining the given name, initials and surname. A dot ('.') will
1443 be appended to the initials automatically, if required. Use the
1444 --force-new-cn option to specify the new CN manually and --reset-cn to
1445 undo that override.
1446
1447 Use an empty attribute value to remove the specified attribute.
1448
1449 The username specified on the command is the sAMAccountName.
1450
1451 --surname=SURNAME
1452 New surname
1453
1454 --given-name=GIVEN_NAME
1455 New given name
1456
1457 --initials=INITIALS
1458 New initials
1459
1460 --force-new-cn=NEW_CN
1461 Specify a new CN (RDN) instead of using a combination of the given
1462 name, initials and surname.
1463
1464 --reset-cn
1465 Set the CN to the default combination of given name, initials and
1466 surname.
1467
1468 --display-name=DISPLAY_NAME
1469 New display name
1470
1471 --mail-address=MAIL_ADDRESS
1472 New email address
1473
1474 --samaccountname=SAMACCOUNTNAME
1475 New account name (sAMAccountName/logon name)
1476
1477 --upn=UPN
1478 New user principal name
1479
1480 user setexpiry username [options]
1481 Set the expiration of a user account.
1482
1483 user setpassword username [options]
1484 Sets or resets the password of a user account.
1485
1486 user unlock username [options]
1487 This command unlocks a user account in the Active Directory domain.
1488
1489 user getpassword username [options]
1490 Gets the password of a user account.
1491
1492 user syncpasswords --cache-ldb-initialize [options]
1493 Syncs the passwords of all user accounts, using an optional script.
1494
1495 Note that this command should run on a single domain controller only
1496 (typically the PDC-emulator).
1497
1498 vampire [options] domain
1499 Join and synchronise a remote AD domain to the local server. Please
1500 note that samba-tool vampire is deprecated, please use samba-tool
1501 domain join instead.
1502
1503 visualize [options] subcommand
1504 Produce graphical representations of Samba network state. To work out
1505 what is happening in a replication graph, it is sometimes helpful to
1506 use visualisations.
1507
1508 There are three subcommands, two graphical modes, and (roughly) two
1509 modes of operation with respect to the location of authority.
1510
1511 MODES OF OPERATION
1512 samba-tool visualize ntdsconn
1513 Looks at NTDS connections.
1514
1515 samba-tool visualize reps
1516 Looks at repsTo and repsFrom objects.
1517
1518 samba-tool visualize uptodateness
1519 Looks at replication lag as shown by the uptodateness vectors.
1520
1521 GRAPHICAL MODES
1522 --distance
1523 Distances between DCs are shown in a matrix in the terminal.
1524
1525 --dot
1526 Generate Graphviz dot output (for ntdsconn and reps modes). When
1527 viewed using dot or xdot, this shows the network as a graph with
1528 DCs as vertices and connections as edges. Certain types of
1529 degenerate edges are shown in different colours or line-styles.
1530
1531 --xdot
1532 Generate Graphviz dot output as with [--dot] and attempt to view it
1533 immediately using /usr/bin/xdot.
1534
1535 -r
1536 Normally, samba-tool talks to one database; with the [-r] option
1537 attempts are made to contact all the DCs known to the first
1538 database. This is necessary for samba-tool visualize uptodateness
1539 and for samba-tool visualize reps because the repsFrom/To objects
1540 are not replicated, and it can reveal replication issues in other
1541 modes.
1542
1543 help
1544 Gives usage information.
1545
1547 This man page is complete for version 4.19.3 of the Samba suite.
1548
1550 The original Samba software and related utilities were created by
1551 Andrew Tridgell. Samba is now developed by the Samba Team as an Open
1552 Source project similar to the way the Linux kernel is developed.
1553
1554
1555
1556Samba 4.19.3 11/27/2023 SAMBA-TOOL(8)