SAMBA-TOOL(8)             System Administration tools            SAMBA-TOOL(8)

NAME
       samba-tool - Main Samba administration tool.

SYNOPSIS
       samba-tool [-h] [-W myworkgroup] [-U user] [-d debuglevel] [--v]

DESCRIPTION
       This tool is part of the samba(7) suite.

OPTIONS
       -h|--help
           Show this help message and exit.

       -r|--realm=REALM
           Set the realm for the domain.

           Note that specifying this parameter here will override the realm
           parameter in the /etc/samba/smb.conf file.

       --simple-bind-dn=DN
           DN to use for a simple bind.

       --password
           Specify the password on the command line.

           Be cautious about including passwords in scripts or passing
           user-supplied values onto the command line. For security it is
           better to let the Samba client tool ask for the password if needed,
           or obtain the password once with kinit.

           If --password is not specified, the tool will check the PASSWD
           environment variable, followed by PASSWD_FD, which is expected to
           contain an open file descriptor (FD) number.

           Finally it will check PASSWD_FILE (containing a file path to be
           opened). The file should only contain the password. Make certain
           that the permissions on the file restrict access from unwanted
           users!

           While Samba will attempt to scrub the password from the process
           title (as seen in ps), this happens after startup and so is subject
           to a race.

       -U|--user=[DOMAIN\]USERNAME[%PASSWORD]
           Sets the SMB username, or username and password.

           If %PASSWORD is not specified, the user will be prompted. The
           client will first check the USER environment variable (which is
           also permitted to contain the password, separated by a %), then
           the LOGNAME variable (which is not permitted to contain a password),
           and if either exists, the value is used. If neither of these
           environment variables is found, the username found in a Kerberos
           credentials cache may be used.

           A third option is to use a credentials file which contains the
           plaintext of the username and password. This option is mainly
           provided for scripts where the admin does not wish to pass the
           credentials on the command line or via environment variables. If
           this method is used, make certain that the permissions on the file
           restrict access from unwanted users. See -A for more details.

           Be cautious about including passwords in scripts or passing
           user-supplied values onto the command line. For security it is
           better to let the Samba client tool ask for the password if needed,
           or obtain the password once with kinit.

           While Samba will attempt to scrub the password from the process
           title (as seen in ps), this happens after startup and so is subject
           to a race.

       -W|--workgroup=WORKGROUP
           Set the SMB domain of the username. This overrides the default
           domain, which is the domain defined in smb.conf. If the domain
           specified is the same as the server's NetBIOS name, it causes the
           client to log on using the server's local SAM (as opposed to the
           Domain SAM).

           Note that specifying this parameter here will override the
           workgroup parameter in the /etc/samba/smb.conf file.

       -N|--no-pass
           If specified, this parameter suppresses the normal password prompt
           from the client to the user. This is useful when accessing a
           service that does not require a password.

           Unless a password is specified on the command line or this
           parameter is specified, the client will request a password.

           If a password is specified on the command line and this option is
           also given, the password on the command line will be silently
           ignored and no password will be used.

       --use-kerberos=desired|required|off
           This parameter determines whether Samba client tools will try to
           authenticate using Kerberos. For Kerberos authentication you need
           to use DNS names instead of IP addresses when connecting to a
           service.

           Note that specifying this parameter here will override the client
           use kerberos parameter in the /etc/samba/smb.conf file.

       --use-krb5-ccache=CCACHE
           Specifies the credential cache location for Kerberos
           authentication.

           This will set --use-kerberos=required too.

       -A|--authentication-file=filename
           This option allows you to specify a file from which to read the
           username and password used in the connection. The format of the
           file is:

                                   username = <value>
                                   password = <value>
                                   domain   = <value>


           Make certain that the permissions on the file restrict access from
           unwanted users!
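           As an added example (not code from this man page or from the Samba
           project), the shell helpers below model the password lookup order
           documented under --password (PASSWD, then PASSWD_FD, then
           PASSWD_FILE) and enforce the "restrict access from unwanted users"
           requirement that applies to both PASSWD_FILE and the
           -A/--authentication-file, so a wrapper script can check these
           conditions before calling samba-tool. The function names, the
           sample credentials and the samba-tool invocation shown in the final
           comment are the example's own assumptions.

```shell
# Added example: wrapper helpers modelling samba-tool's documented password
# sources. Not part of samba-tool itself; names and sample values are ours.

# Return 0 if FILE is a regular file owned by the caller with no group or
# other permission bits (mode 0600 or stricter), 1 otherwise.
file_is_private() {
    [ -f "$1" ] && [ -O "$1" ] || return 1
    # columns 5-10 of "ls -l" are the group and other permission bits
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Write a -A/--authentication-file style credentials file with mode 0600.
# Arguments: path username password domain
write_auth_file() {
    ( umask 077
      printf 'username = %s\npassword = %s\ndomain   = %s\n' \
          "$2" "$3" "$4" > "$1" )
}

# Print the password samba-tool would use, following the documented order
# PASSWD -> PASSWD_FD -> PASSWD_FILE, or return 1 (printing nothing) when no
# source is available. A PASSWD_FILE readable by group or others is refused,
# and PASSWD_FD is only honoured when it is a plain descriptor number.
resolve_password() {
    if [ -n "${PASSWD:-}" ]; then
        printf '%s' "$PASSWD"
        return 0
    fi
    if [ -n "${PASSWD_FD:-}" ]; then
        case $PASSWD_FD in
            *[!0-9]*) echo "PASSWD_FD is not a descriptor number" >&2
                      return 1 ;;
        esac
        # read one line from the already-open descriptor named in PASSWD_FD
        eval "IFS= read -r _pw <&$PASSWD_FD" || return 1
        printf '%s' "$_pw"
        return 0
    fi
    if [ -n "${PASSWD_FILE:-}" ]; then
        file_is_private "$PASSWD_FILE" || {
            echo "refusing PASSWD_FILE $PASSWD_FILE: not private" >&2
            return 1
        }
        IFS= read -r _pw < "$PASSWD_FILE" || return 1
        printf '%s' "$_pw"
        return 0
    fi
    return 1
}

# Run COMMAND with the password handed over on file descriptor 3 via
# PASSWD_FD, so it appears neither in argv (ps) nor in the environment.
run_with_passwd_fd() {
    _pass=$1; shift
    printf '%s\n' "$_pass" | (
        exec 3<&0           # move the pipe to fd 3 ...
        exec 0</dev/null    # ... and detach it from stdin again
        PASSWD_FD=3; export PASSWD_FD
        "$@"
    )
}

# Real-world use (placeholder realm, not executed here):
#   run_with_passwd_fd "$pw" samba-tool user list -U admin -r EXAMPLE.REALM
```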

       --ipaddress=IPADDRESS
           IP address of the server.

       --color=always|never|auto
           Indicate whether samba-tool should use ANSI colour codes in its
           output. If 'auto' (the default), samba-tool will use colour when
           its output is directed toward a terminal, unless the NO_COLOR
           environment variable is set and non-empty.

           The values 'yes' and 'force' are accepted as synonyms for 'always';
           'no' and 'none' for 'never'; and 'tty' and 'if-tty' for 'auto'.

           Note that asking for colour doesn't mean samba-tool will
           necessarily be very colourful. Many commands are very monochrome,
           particularly when successful.

       -d|--debuglevel=DEBUGLEVEL
           DEBUGLEVEL is an integer from 0 to 10. The default value if this
           parameter is not specified is 1 for client applications.

           The higher this value, the more detail will be logged to the log
           files about the activities of the server. At level 0, only critical
           errors and serious warnings will be logged. Level 1 is a reasonable
           level for day-to-day running; it generates a small amount of
           information about operations carried out.

           Levels above 1 will generate considerable amounts of log data, and
           should only be used when investigating a problem. Levels above 3
           are designed for use only by developers and generate HUGE amounts
           of log data, most of which is extremely cryptic.

           Note that specifying this parameter here will override the log
           level parameter in the /etc/samba/smb.conf file.

       --debug-stdout
           This will redirect debug output to STDOUT. By default all clients
           log to STDERR.

COMMANDS
   computer
       Manage computer accounts.

   computer add computername [options]
       Add a new computer to the Active Directory Domain.

       The new computer name specified on the command is the sAMAccountName,
       with or without the trailing dollar sign.

       --computerou=COMPUTEROU
           DN of an alternative location (with or without the domainDN
           component), instead of the default CN=Computers, in which the new
           computer object will be created. E.g. 'OU=OUname'.

       --description=DESCRIPTION
           The new computer's description.

       --ip-address=IP_ADDRESS_LIST
           IPv4 address for the computer's A record, or IPv6 address for its
           AAAA record; can be provided multiple times.

       --service-principal-name=SERVICE_PRINCIPAL_NAME_LIST
           Computer's Service Principal Name; can be provided multiple times.

       --prepare-oldjoin
           Prepare an enabled machine account for the oldjoin mechanism.

   computer create computername [options]
       Add a new computer. This is a synonym for the samba-tool computer add
       command and is available for compatibility reasons only. Please use
       samba-tool computer add instead.

   computer delete computername [options]
       Delete an existing computer account.

       The computer name specified on the command is the sAMAccountName, with
       or without the trailing dollar sign.

   computer edit computername
       Edit a computer AD object.

       The computer name specified on the command is the sAMAccountName, with
       or without the trailing dollar sign.

       --editor=EDITOR
           Specifies the editor to use instead of the system default, or 'vi'
           if no system default is set.

   computer list
       List all computers.

   computer move computername new_parent_dn [options]
       This command moves a computer account into the specified organizational
       unit or container.

       The computername specified on the command is the sAMAccountName, with
       or without the trailing dollar sign.

       The name of the organizational unit or container can be specified as a
       full DN or without the domainDN component.

   computer show computername [options]
       Display a computer AD object.

       The computer name specified on the command is the sAMAccountName, with
       or without the trailing dollar sign.

       --attributes=USER_ATTRS
           Comma-separated list of attributes which will be printed.

   contact
       Manage contacts.

   contact add [contactname] [options]
       Add a new contact to the Active Directory Domain.

       The name of the new contact can be specified by the first argument
       'contactname' or by the --given-name, --initials and --surname
       arguments. If no 'contactname' is given, the contact's name will be
       made up of the given arguments by combining the given name, initials
       and surname. Each argument is optional. A dot ('.') will be appended
       to the initials automatically.

       --ou=OU
           DN of an alternative location (with or without the domainDN
           component) in which the new contact will be created. E.g.
           'OU=OUname'. Default is the domain base.

       --description=DESCRIPTION
           The new contact's description.

       --surname=SURNAME
           Contact's surname.

       --given-name=GIVEN_NAME
           Contact's given name.

       --initials=INITIALS
           Contact's initials.

       --display-name=DISPLAY_NAME
           Contact's display name.

       --job-title=JOB_TITLE
           Contact's job title.

       --department=DEPARTMENT
           Contact's department.

       --company=COMPANY
           Contact's company.

       --mail-address=MAIL_ADDRESS
           Contact's email address.

       --internet-address=INTERNET_ADDRESS
           Contact's home page.

       --telephone-number=TELEPHONE_NUMBER
           Contact's phone number.

       --mobile-number=MOBILE_NUMBER
           Contact's mobile phone number.

       --physical-delivery-office=PHYSICAL_DELIVERY_OFFICE
           Contact's office location.

   contact create [contactname] [options]
       Add a new contact. This is a synonym for the samba-tool contact add
       command and is available for compatibility reasons only. Please use
       samba-tool contact add instead.

   contact delete contactname [options]
       Delete an existing contact.

       The contactname specified on the command is the common name or the
       distinguished name of the contact object. The distinguished name of the
       contact can be specified with or without the domainDN component.

   contact edit contactname
       Modify a contact AD object.

       The contactname specified on the command is the common name or the
       distinguished name of the contact object. The distinguished name of the
       contact can be specified with or without the domainDN component.

       --editor=EDITOR
           Specifies the editor to use instead of the system default, or 'vi'
           if no system default is set.

   contact list [options]
       List all contacts.

       --full-dn
           Display the contact's full DN instead of the name.

   contact move contactname new_parent_dn [options]
       This command moves a contact into the specified organizational unit or
       container.

       The contactname specified on the command is the common name or the
       distinguished name of the contact object. The distinguished name of the
       contact can be specified with or without the domainDN component.

   contact show contactname [options]
       Display a contact AD object.

       The contactname specified on the command is the common name or the
       distinguished name of the contact object. The distinguished name of the
       contact can be specified with or without the domainDN component.

       --attributes=CONTACT_ATTRS
           Comma-separated list of attributes which will be printed.

   contact rename contactname [options]
       Rename a contact and related attributes.

       This command allows setting the contact's name-related attributes. The
       contact's CN will be renamed automatically. The contact's new CN will
       be made up by combining the given name, initials and surname. A dot
       ('.') will be appended to the initials automatically, if required. Use
       the --force-new-cn option to specify the new CN manually and --reset-cn
       to reset this change.

       Use an empty attribute value to remove the specified attribute.

       The contact name specified on the command is the CN.

       --surname=SURNAME
           New surname.

       --given-name=GIVEN_NAME
           New given name.

       --initials=INITIALS
           New initials.

       --force-new-cn=NEW_CN
           Specify a new CN (RDN) instead of using a combination of the given
           name, initials and surname.

       --reset-cn
           Set the CN to the default combination of given name, initials and
           surname.

       --display-name=DISPLAY_NAME
           New display name.

       --mail-address=MAIL_ADDRESS
           New email address.

   dbcheck
       Check the local AD database for errors.

   delegation
       Manage delegations.

   delegation add-service accountname principal [options]
       Add a service principal as msDS-AllowedToDelegateTo.

   delegation del-service accountname principal [options]
       Delete a service principal from msDS-AllowedToDelegateTo.

   delegation for-any-protocol accountname [(on|off)] [options]
       Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy) for an
       account.

   delegation for-any-service accountname [(on|off)] [options]
       Set/unset UF_TRUSTED_FOR_DELEGATION for an account.

   delegation show accountname [options]
       Show the delegation setting of an account.

   dns
       Manage Domain Name Service (DNS).

   dns add server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
       Add a DNS record.

   dns delete server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
       Delete a DNS record.

   dns query server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT|ALL [options] data
       Query a name.

   dns roothints server [name] [options]
       Query root hints.

   dns serverinfo server [options]
       Query server information.

   dns update server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT olddata newdata
       Update a DNS record.

   dns zonecreate server zone [options]
       Create a zone.

   dns zonedelete server zone [options]
       Delete a zone.

   dns zoneinfo server zone [options]
       Query zone information.

   dns zonelist server [options]
       List zones.

   domain
       Manage the domain.

   domain backup
       Create or restore a backup of the domain.

   domain backup offline
       Back up (with proper locking) local domain directories into a tar file.

   domain backup online
       Copy a running DC's current DB into a backup tar file.

   domain backup rename
       Copy a running DC's DB to a backup file, renaming the domain in the
       process.

   domain backup restore
       Restore the domain's DB from a backup file.

   domain auth policy list
       List authentication policies on the domain.

       -H, --URL
           LDB URL for database or target server.

       --json
           View authentication policies as JSON instead of a list.

   domain auth policy view
       View an authentication policy on the domain.

       -H, --URL
           LDB URL for database or target server.

       --name
           Name of the authentication policy to view (required).

   domain auth policy create
       Create authentication policies on the domain.

       -H, --URL
           LDB URL for database or target server.

       --name
           Name of the authentication policy (required).

       --description
           Optional description for the authentication policy.

       --protect
           Protect the authentication policy from accidental deletion.

           Cannot be used together with --unprotect.

       --unprotect
           Unprotect the authentication policy from accidental deletion.

           Cannot be used together with --protect.

       --audit
           Only audit the authentication policy.

           Cannot be used together with --enforce.

       --enforce
           Enforce the authentication policy.

           Cannot be used together with --audit.

       --strong-ntlm-policy
           Strong NTLM Policy (Disabled, Optional, Required).

       --user-tgt-lifetime
           Ticket-Granting-Ticket lifetime for user accounts.

       --user-allow-ntlm-auth
           Allow NTLM network authentication when the user is restricted to
           selected devices.

       --service-tgt-lifetime
           Ticket-Granting-Ticket lifetime for service accounts.

       --service-allow-ntlm-auth
           Allow NTLM network authentication when the service is restricted to
           selected devices.

       --computer-tgt-lifetime
           Ticket-Granting-Ticket lifetime for computer accounts.

   domain auth policy modify
       Modify authentication policies on the domain.

       -H, --URL
           LDB URL for database or target server.

       --name
           Name of the authentication policy (required).

       --description
           Optional description for the authentication policy.

       --protect
           Protect the authentication policy from accidental deletion.

           Cannot be used together with --unprotect.

       --unprotect
           Unprotect the authentication policy from accidental deletion.

           Cannot be used together with --protect.

       --audit
           Only audit the authentication policy.

           Cannot be used together with --enforce.

       --enforce
           Enforce the authentication policy.

           Cannot be used together with --audit.

       --strong-ntlm-policy
           Strong NTLM Policy (Disabled, Optional, Required).

       --user-tgt-lifetime
           Ticket-Granting-Ticket lifetime for user accounts.

       --user-allow-ntlm-auth
           Allow NTLM network authentication when the user is restricted to
           selected devices.

       --service-tgt-lifetime
           Ticket-Granting-Ticket lifetime for service accounts.

       --service-allow-ntlm-auth
           Allow NTLM network authentication when the service is restricted to
           selected devices.

       --computer-tgt-lifetime
           Ticket-Granting-Ticket lifetime for computer accounts.

   domain auth policy delete
       Delete authentication policies on the domain.

       -H, --URL
           LDB URL for database or target server.

       --name
           Name of the authentication policy to delete (required).

       --force
           Force authentication policy deletion even if it is protected.

   domain auth silo list
       List authentication silos on the domain.

       -H, --URL
           LDB URL for database or target server.

       --json
           View authentication silos as JSON instead of a list.

   domain auth silo view
       View an authentication silo on the domain.

       -H, --URL
           LDB URL for database or target server.

       --name
           Name of the authentication silo to view (required).

   domain auth silo create
       Create authentication silos on the domain.

       -H, --URL
           LDB URL for database or target server.

       --name
           Name of the authentication silo (required).

       --description
           Optional description for the authentication silo.

       --policy
           Use a single policy for all principals in this silo.

       --user-policy
           User account policy.

       --service-policy
           Managed Service Account policy.

       --computer-policy
           Computer account policy.

       --protect
           Protect the authentication silo from accidental deletion.

           Cannot be used together with --unprotect.

       --unprotect
           Unprotect the authentication silo from accidental deletion.

           Cannot be used together with --protect.

       --audit
           Only audit silo policies.

           Cannot be used together with --enforce.

       --enforce
           Enforce silo policies.

           Cannot be used together with --audit.

   domain auth silo modify
       Modify authentication silos on the domain.

       -H, --URL
           LDB URL for database or target server.

       --name
           Name of the authentication silo (required).

       --description
           Optional description for the authentication silo.

       --policy
           Use a single policy for all principals in this silo.

       --user-policy
           User account policy.

       --service-policy
           Managed Service Account policy.

       --computer-policy
           Computer account policy.

       --protect
           Protect the authentication silo from accidental deletion.

           Cannot be used together with --unprotect.

       --unprotect
           Unprotect the authentication silo from accidental deletion.

           Cannot be used together with --protect.

       --audit
           Only audit silo policies.

           Cannot be used together with --enforce.

       --enforce
           Enforce silo policies.

           Cannot be used together with --audit.

   domain auth silo delete
       Delete authentication silos on the domain.

       -H, --URL
           LDB URL for database or target server.

       --name
           Name of the authentication silo to delete (required).

       --force
           Force authentication silo deletion even if it is protected.

   domain auth silo member add
       Add a member to an authentication silo.

       -H, --URL
           LDB URL for database or target server.

       --name
           Name of the authentication silo (required).

       --member
           Member to add to the silo (DN or account name).

   domain auth silo member list
       List members in an authentication silo.

       -H, --URL
           LDB URL for database or target server.

       --name
           Name of the authentication silo (required).

       --json
           View members as JSON instead of a list.

   domain auth silo member remove
       Remove a member from an authentication silo.

       -H, --URL
           LDB URL for database or target server.

       --name
           Name of the authentication silo (required).

       --member
           Member to remove from the silo (DN or account name).

   domain claim claim-type list
       List claim types on the domain.

       -H, --URL
           LDB URL for database or target server.

       --json
           View claim types as JSON instead of a list.

   domain claim claim-type view
       View a single claim type on the domain.

       -H, --URL
           LDB URL for database or target server.

       --name
           Display name of the claim type to view (required).

   domain claim claim-type create
       Create claim types on the domain.

       -H, --URL
           LDB URL for database or target server.

       --attribute
           Attribute of the claim type to create (required).

       --class
           Object classes to set the claim type to.

           Example: --class=user --class=computer

       --name
           Optional display name; defaults to the attribute name.

       --description
           Optional description; defaults to the attribute's description.

       --enable
           Enable the claim type.

           Cannot be used together with --disable.

       --disable
           Disable the claim type.

           Cannot be used together with --enable.

       --protect
           Protect the claim type from accidental deletion.

           Cannot be used together with --unprotect.

       --unprotect
           Unprotect the claim type from accidental deletion.

           Cannot be used together with --protect.

   domain claim claim-type modify
       Modify claim types on the domain.

       -H, --URL
           LDB URL for database or target server.

       --name
           Display name of the claim type to modify (required).

       --class
           Object classes to set the claim type to.

           Example: --class=user --class=computer

       --description
           Set the claim type description.

       --enable
           Enable the claim type.

           Cannot be used together with --disable.

       --disable
           Disable the claim type.

           Cannot be used together with --enable.

       --protect
           Protect the claim type from accidental deletion.

           Cannot be used together with --unprotect.

       --unprotect
           Unprotect the claim type from accidental deletion.

           Cannot be used together with --protect.

   domain claim claim-type delete
       Delete claim types on the domain.

       -H, --URL
           LDB URL for database or target server.

       --name
           Display name of the claim type to delete (required).

       --force
           Force claim type deletion even if it is protected.

   domain claim value-type list
       List claim value types on the domain.

       -H, --URL
           LDB URL for database or target server.

       --json
           View claim value types as JSON instead of a list.

   domain claim value-type view
       View a single claim value type on the domain.

       -H, --URL
           LDB URL for database or target server.

       --name
           Display name of the claim value type to view (required).

   domain classicupgrade [options] classic_smb_conf
       Upgrade from a Samba classic (NT4-like) database to a Samba AD DC
       database.

   domain dcpromo dnsdomain [DC|RODC] [options]
       Promote an existing domain member or NT4 PDC to an AD DC.

   domain demote
       Demote ourselves from the role of domain controller.

   domain exportkeytab keytab [options]
       Dump the Kerberos keys of the domain into a keytab.

   domain info ip_address [options]
       Print basic info about a domain and the specified DC.

   domain join dnsdomain [DC|RODC|MEMBER|SUBDOMAIN] [options]
       Join a domain as either a member or a backup domain controller.

   domain level show|raise options [options]
       Show/raise domain and forest function levels.

   domain passwordsettings show|set options [options]
       Show/set password settings.

   domain passwordsettings pso
       Manage fine-grained Password Settings Objects (PSOs).

   domain passwordsettings pso apply pso-name user-or-group-name [options]
       Apply a PSO's password policy to a user or group.

   domain passwordsettings pso create pso-name precedence [options]
       Create a new Password Settings Object (PSO).

   domain passwordsettings pso delete pso-name [options]
       Delete a Password Settings Object (PSO).

   domain passwordsettings pso list [options]
       List all Password Settings Objects (PSOs).

   domain passwordsettings pso set pso-name [options]
       Modify a Password Settings Object (PSO).

   domain passwordsettings pso show user-name [options]
       Display a Password Settings Object (PSO).

   domain passwordsettings pso show-user pso-name [options]
       Display the Password Settings that apply to a user.

   domain passwordsettings pso unapply pso-name user-or-group-name [options]
       Update a PSO so that it no longer applies to a user or group.

   domain provision
       Promote an existing domain member or NT4 PDC to an AD DC.

   domain trust
       Domain and forest trust management.

   domain trust create DOMAIN options [options]
       Create a domain or forest trust.

   domain trust modify DOMAIN options [options]
       Modify a domain or forest trust.

   domain trust delete DOMAIN options [options]
       Delete a domain trust.

   domain trust list options [options]
       List domain trusts.

   domain trust namespaces [DOMAIN] options [options]
       Manage forest trust namespaces.

   domain trust show DOMAIN options [options]
       Show trusted domain details.

   domain trust validate DOMAIN options [options]
       Validate a domain trust.

   drs
       Manage Directory Replication Services (DRS).

   drs bind
       Show DRS capabilities of a server.

   drs kcc
       Trigger a Knowledge Consistency Checker (KCC) run.

   drs options
       Query or change options for the NTDS Settings object of a domain
       controller.

   drs replicate destination_DC source_DC NC [options]
       Replicate a naming context between two DCs.

   drs showrepl
       Show replication status. With the [--json] option the output is JSON;
       with the [--summary] option very little is printed when the
       replication status seems healthy.

   dsacl
       Administer DS ACLs.

   dsacl delete
       Delete an access list entry on a directory object.

   dsacl get
       Print the access list on a directory object.

   dsacl set
       Modify the access list on a directory object.

   forest
       Manage forest configuration.

   forest directory_service
       Manage directory_service behaviour for the forest.

   forest directory_service dsheuristics VALUE
       Modify the dsheuristics directory_service configuration for the forest.

   forest directory_service show
       Show the current directory_service configuration for the forest.

   fsmo
       Manage Flexible Single Master Operations (FSMO).

   fsmo seize [options]
       Seize the role.

   fsmo show
       Show the roles.

   fsmo transfer [options]
       Transfer the role.

   gpo
       Manage Group Policy Objects (GPO).

   gpo create displayname [options]
       Create an empty GPO.

   gpo del gpo [options]
       Delete a GPO.

   gpo dellink container_dn gpo [options]
       Delete a GPO link from a container.

   gpo fetch gpo [options]
       Download a GPO.

   gpo getinheritance container_dn [options]
       Get the inheritance flag for a container.
1015
1016   gpo getlink container_dn [options]
1017       List GPO Links for a container.
1018
1019   gpo list username [options]
1020       List GPOs for an account.
1021
1022   gpo listall
1023       List all GPOs.
1024
1025   gpo listcontainers gpo [options]
1026       List all linked containers for a GPO.
1027
1028   gpo setinheritance container_dn block|inherit [options]
1029       Set inheritance flag on a container.
1030
1031   gpo setlink container_dn gpo [options]
1032       Add or Update a GPO link to a container.
1033
1034   gpo show gpo [options]
1035       Show information for a GPO.
1036
1037   gpo manage symlink list
1038       List VGP Symbolic Link Group Policy from the sysvol
1039
1040   gpo manage symlink add
1041       Adds a VGP Symbolic Link Group Policy to the sysvol
1042
1043   gpo manage symlink remove
1044       Removes a VGP Symbolic Link Group Policy from the sysvol
1045
1046   gpo manage files list
1047       List VGP Files Group Policy from the sysvol
1048
1049   gpo manage files add
1050       Add VGP Files Group Policy to the sysvol
1051
1052   gpo manage files remove
1053       Remove VGP Files Group Policy from the sysvol
1054
1055   gpo manage openssh list
1056       List VGP OpenSSH Group Policy from the sysvol
1057
1058   gpo manage openssh set
1059       Sets a VGP OpenSSH Group Policy to the sysvol
1060
1061   gpo manage sudoers add
1062       Adds a Samba Sudoers Group Policy to the sysvol.
1063
1064   gpo manage sudoers list
1065       List Samba Sudoers Group Policy from the sysvol.
1066
1067   gpo manage sudoers remove
1068       Removes a Samba Sudoers Group Policy from the sysvol.
1069
1070   gpo manage scripts startup list
1071       List VGP Startup Script Group Policy from the sysvol
1072
1073   gpo manage scripts startup add
1074       Adds VGP Startup Script Group Policy to the sysvol
1075
1076   gpo manage scripts startup remove
1077       Removes VGP Startup Script Group Policy from the sysvol
1078
1079   gpo manage motd list
1080       List VGP MOTD Group Policy from the sysvol.
1081
1082   gpo manage motd set
1083       Sets a VGP MOTD Group Policy to the sysvol
1084
1085   gpo manage issue list
1086       List VGP Issue Group Policy from the sysvol.
1087
1088   gpo manage issue set
1089       Sets a VGP Issue Group Policy to the sysvol
1090
1091   gpo manage access add
1092       Adds a VGP Host Access Group Policy to the sysvol
1093
1094   gpo manage access list
1095       List VGP Host Access Group Policy from the sysvol
1096
1097   gpo manage access remove
1098       Remove a VGP Host Access Group Policy from the sysvol
1099
1100   group
1101       Manage groups.
1102
1103   group add groupname [options]
1104       Create a new AD group.
1105
1106   group create groupname [options]
1107       Add a new AD group. This is a synonym for the samba-tool group add
1108       command and is available for compatibility reasons only. Please use
1109       samba-tool group add instead.
1110
1111   group addmembers groupname members [options]
1112       Add members to an AD group.
1113
1114   group delete groupname [options]
1115       Delete an AD group.
1116
1117   group edit groupname
1118       Edit a group AD object.
1119
1120       --editor=EDITOR
1121           Specifies the editor to use instead of the system default, or 'vi'
1122           if no system default is set.
1123
1124   group list
1125       List all groups.
1126
1127   group listmembers groupname [options]
1128       List all members of the specified AD group.
1129
1130       By default the sAMAccountNames are listed. If no sAMAccountName is
1131       available, the CN will be used instead.
1132
1133       --full-dn
1134           List the distinguished names instead of the sAMAccountNames.
1135
1136       --hide-expired
1137           Do not list expired group members.
1138
1139       --hide-disabled
1140           Do not list disabled group members.
1141
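       The listing format described above (one sAMAccountName per line)
       makes samba-tool group listmembers a convenient data source for a
       baseline check of privileged groups. The script below is an added
       example, not part of the man page or of Samba itself: it parses such a
       listing, compares it against an approved baseline and reports drift
       in both directions. The run callable and the constructed sample
       listings (fake_run) are assumptions so that the logic can be
       exercised without a domain controller; samba_tool_listmembers shows
       how the real command would be invoked.

```python
"""Baseline check for privileged AD group membership (added example).

Parses the plain listing that `samba-tool group listmembers GROUP` prints
(one sAMAccountName per line, as the man page describes) and reports
members not on an approved baseline plus baseline members that are gone.
"""
import subprocess
from typing import Callable, Dict, Iterable, List, Set

# Groups whose membership changes usually deserve a ticket or an alert.
PRIVILEGED_GROUPS = ("Domain Admins", "Enterprise Admins", "Schema Admins")


def parse_listmembers(output: str) -> Set[str]:
    """Turn the listing into a set of names, ignoring blank lines.

    sAMAccountNames are case-insensitive in AD, so compare lower-cased.
    """
    return {line.strip().lower() for line in output.splitlines() if line.strip()}


def samba_tool_listmembers(group: str, hide_disabled: bool = True) -> str:
    """Real runner: invoke samba-tool and return its stdout (needs a DC)."""
    cmd = ["samba-tool", "group", "listmembers", group]
    if hide_disabled:
        cmd.append("--hide-disabled")  # option documented in the man page
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def audit_groups(
    baseline: Dict[str, Iterable[str]],
    run: Callable[[str], str] = samba_tool_listmembers,
) -> Dict[str, Dict[str, List[str]]]:
    """Compare each baseline group's current members with the approved set.

    Returns, per group, the names that were added (not in the baseline) and
    removed (in the baseline but no longer listed). Groups without drift
    are omitted, so an empty result means everything matches.
    """
    findings: Dict[str, Dict[str, List[str]]] = {}
    for group, approved in baseline.items():
        current = parse_listmembers(run(group))
        expected = {name.lower() for name in approved}
        added = sorted(current - expected)
        removed = sorted(expected - current)
        if added or removed:
            findings[group] = {"added": added, "removed": removed}
    return findings


# Constructed sample listings standing in for samba-tool output (assumption).
_FAKE_LISTINGS = {
    "Domain Admins": "Administrator\nsvc-backup\nalice\n",
    "Enterprise Admins": "Administrator\n",
    "Schema Admins": "",  # empty group: the tool prints nothing
}


def fake_run(group: str) -> str:
    """Stand-in for samba_tool_listmembers when no DC is reachable."""
    return _FAKE_LISTINGS[group]


if __name__ == "__main__":
    baseline = {
        "Domain Admins": ["Administrator", "alice"],
        "Enterprise Admins": ["Administrator"],
        "Schema Admins": ["Administrator"],
    }
    for group, drift in audit_groups(baseline, run=fake_run).items():
        print(f"{group}: added={drift['added']} removed={drift['removed']}")
```

       Running it against the constructed listings flags svc-backup as an
       unapproved Domain Admins member and reports that Schema Admins has
       lost its baseline member; Enterprise Admins, which matches, is not
       reported at all.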
   group move groupname new_parent_dn [options]
       This command moves a group into the specified organizational unit or
       container.

       The groupname specified on the command is the sAMAccountName.

       The name of the organizational unit or container can be specified as a
       full DN or without the domainDN component.

   group removemembers groupname members [options]
       Remove members from the specified AD group.

   group show groupname [options]
       Show group object and its attributes.

   group stats [options]
       Show statistics for overall groups and group memberships.

   group rename groupname [options]
       Rename a group and related attributes.

       This command allows setting the group's name-related attributes. The
       group's CN will be renamed automatically. The group's CN will be the
       sAMAccountName. Use the --force-new-cn option to specify the new CN
       manually and the --reset-cn to reset this change.

       Use an empty attribute value to remove the specified attribute.

       The groupname specified on the command is the sAMAccountName.

       --force-new-cn=NEW_CN
           Specify a new CN (RDN) instead of using the sAMAccountName.

       --reset-cn
           Set the CN to the sAMAccountName.

       --mail-address=MAIL_ADDRESS
           New mail address

       --samaccountname=SAMACCOUNTNAME
           New account name (sAMAccountName/logon name)

   ldapcmp URL1 URL2 domain|configuration|schema|dnsdomain|dnsforest [options]
       Compare two LDAP databases.

   ntacl
       Manage NT ACLs.

   ntacl changedomsid original-domain-SID new-domain-SID file [options]
       Change the domain SID for ACLs. Can be used to change all entries in
       acl_xattr when the machine's SID has accidentally changed or the data
       set has been copied to another machine either via backup/restore or
       rsync.

       --use-ntvfs
           Set the ACLs directly to the TDB or xattr. The POSIX permissions
           will NOT be changed, only the NT ACL will be stored.

       --service=SERVICE
           Specify the name of the smb.conf service to use. This option is
           required in combination with the --use-s3fs option.

       --use-s3fs
           Set the ACLs for use with the default s3fs file server via the VFS
           layer. This option requires a smb.conf service, specified by the
           --service=SERVICE option.

       --xattr-backend=[native|tdb]
           Specify the xattr backend type (native fs or tdb).

       --eadb-file=EADB_FILE
           Name of the tdb file where attributes are stored.

       --recursive
           Set the ACLs for directories and their contents recursively.

       --follow-symlinks
           Follow symlinks when --recursive is specified.

       --verbose
           Verbosely list files and ACLs which are being processed.

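       The essential operation behind ntacl changedomsid is a prefix rewrite:
       every SID of the old domain keeps its RID but gets the new domain
       SID, while well-known SIDs and SIDs of other domains are left alone.
       The following is an added example, not Samba's code: it applies that
       rewrite to an SDDL string (Samba itself stores binary security
       descriptors in acl_xattr, so SDDL is used here only as a readable
       stand-in), validates that both arguments are really domain SIDs, and
       reports how many entries changed. The sample descriptor is
       constructed.

```python
"""Domain-SID rewrite in the spirit of `samba-tool ntacl changedomsid`
(added example, not Samba's implementation)."""
import re
from typing import List, Tuple

# A domain SID is S-1-5-21-<three sub-authorities>; account SIDs append -RID.
_DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")
_ANY_SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def _check_domain_sid(sid: str) -> str:
    """Refuse well-known SIDs (S-1-5-32-544) or full account SIDs as domain SIDs."""
    if not _DOMAIN_SID_RE.match(sid):
        raise ValueError(f"not a domain SID: {sid!r}")
    return sid


def list_sids(text: str) -> List[str]:
    """Every SID literal that appears in the text, in order."""
    return _ANY_SID_RE.findall(text)


def rewrite_domain_sid(text: str, old_domain_sid: str, new_domain_sid: str) -> Tuple[str, int]:
    """Replace old_domain_sid (bare or with -RID) by new_domain_sid.

    The negative lookahead (?![\\d-]) is what stops S-1-5-21-1-2-3 from
    matching inside S-1-5-21-1-2-34 or inside a malformed SID with extra
    components; only exact domain SIDs and their RID suffix are rewritten.
    Returns the rewritten text and the number of SIDs that were changed.
    """
    old = _check_domain_sid(old_domain_sid)
    new = _check_domain_sid(new_domain_sid)
    pattern = re.compile(re.escape(old) + r"(-\d+)?(?![\d-])")

    def repl(match: "re.Match[str]") -> str:
        rid = match.group(1) or ""  # keep the RID, swap the domain part
        return new + rid

    return pattern.subn(repl, text)


# Constructed sample SDDL: owner/group from the old domain, one well-known
# SID (BUILTIN\Administrators) and one SID from an unrelated domain.
SAMPLE_SDDL = (
    "O:S-1-5-21-1111-2222-3333-512"
    "G:S-1-5-21-1111-2222-3333-513"
    "D:(A;;FA;;;S-1-5-32-544)"
    "(A;;FR;;;S-1-5-21-1111-2222-3333-1105)"
    "(A;;FR;;;S-1-5-21-1111-2222-33330-1105)"
)

if __name__ == "__main__":
    rewritten, changed = rewrite_domain_sid(
        SAMPLE_SDDL, "S-1-5-21-1111-2222-3333", "S-1-5-21-4444-5555-6666"
    )
    print(f"{changed} SIDs rewritten")
    for before, after in zip(list_sids(SAMPLE_SDDL), list_sids(rewritten)):
        print(f"{before:40} -> {after}")
```

       On the constructed descriptor three SIDs change (owner, group and
       one ACE); the BUILTIN SID and the SID whose third sub-authority is
       33330 are untouched, which is the behaviour an administrator wants
       when a data set has been copied between machines with different
       domain SIDs.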
   ntacl get file [options]
       Get ACLs on a file.

   ntacl set acl file [options]
       Set ACLs on a file.

   ntacl sysvolcheck
       Check sysvol ACLs match defaults (including correct ACLs on GPOs).

   ntacl sysvolreset
       Reset sysvol ACLs to defaults (including correct ACLs on GPOs).

   ou
       Manage organizational units (OUs).

   ou add ou_dn [options]
       Add a new organizational unit.

       The name of the organizational unit can be specified as a full DN or
       without the domainDN component.

       --description=DESCRIPTION
           Specify OU's description.

   ou create ou_dn [options]
       Add a new organizational unit. This is a synonym for the samba-tool ou
       add command and is available for compatibility reasons only. Please use
       samba-tool ou add instead.

   ou delete ou_dn [options]
       Delete an organizational unit.

       The name of the organizational unit can be specified as a full DN or
       without the domainDN component.

       --force-subtree-delete
           Delete organizational unit and all children recursively.

   ou list [options]
       List all organizational units.

       --full-dn
           Display DNs including the base DN.

   ou listobjects ou_dn [options]
       List all objects in an organizational unit.

       The name of the organizational unit can be specified as a full DN or
       without the domainDN component.

       --full-dn
           Display DNs including the base DN.

       -r|--recursive
           List objects recursively.

   ou move old_ou_dn new_parent_dn [options]
       Move an organizational unit.

       The name of the organizational units can be specified as a full DN or
       without the domainDN component.

   ou rename old_ou_dn new_ou_dn [options]
       Rename an organizational unit.

       The name of the organizational units can be specified as a full DN or
       without the domainDN component.

   rodc
       Manage Read-Only Domain Controller (RODC).

   rodc preload SID|DN|accountname [options]
       Preload one account for an RODC.

   schema
       Manage and query schema.

   schema attribute modify attribute [options]
       Modify the behaviour of an attribute in schema.

   schema attribute show attribute [options]
       Display an attribute schema definition.

   schema attribute show_oc attribute [options]
       Show objectclasses that MAY or MUST contain this attribute.

   schema objectclass show objectclass [options]
       Display an objectclass schema definition.

   sites
       Manage sites.

   sites list [options]
       List sites.

       --json
           Output as JSON instead of a list

   sites view site [options]
       View site details.

   sites create site [options]
       Create a new site.

   sites remove site [options]
       Delete an existing site.

   sites subnet list site [options]
       List subnets for a site.

       --json
           Output as JSON instead of a list

   sites subnet view subnet [options]
       View subnet details.

   sites subnet create subnet site-of-subnet [options]
       Create a new subnet.

   sites subnet remove subnet [options]
       Delete an existing subnet.

   sites subnet set-site subnet site-of-subnet [options]
       Assign a subnet to a site.

   spn
       Manage Service Principal Names (SPN).

   spn add name user [options]
       Create a new SPN.

   spn delete name [user] [options]
       Delete an existing SPN.

   spn list user [options]
       List SPNs of a given user.

   testparm
       Check the syntax of the configuration file.

   time
       Retrieve the time on a server.

   user
       Manage users.

   user add username [password]
       Add a new user to the Active Directory Domain.

   user create username [password]
       Add a new user. This is a synonym for the samba-tool user add command
       and is available for compatibility reasons only. Please use samba-tool
       user add instead.

   user delete username [options]
       Delete an existing user account.

   user disable username
       Disable a user account.

   user edit username
       Edit a user account AD object.

       --editor=EDITOR
           Specifies the editor to use instead of the system default, or 'vi'
           if no system default is set.

   user enable username
       Enable a user account.

   user list
       List all users.

       By default the user's sAMAccountNames are listed.

       --full-dn
           List user's distinguished names instead of the sAMAccountNames.

       -b BASE_DN|--base-dn=BASE_DN
           Specify base DN to use. Only users under the specified base DN will
           be listed.

       --hide-expired
           Do not list expired user accounts.

       --hide-disabled
           Do not list disabled user accounts.

   user setprimarygroup username primarygroupname
       Set the primary group of a user account.

   user getgroups username
       Get the direct group memberships of a user account.

   user show username [options]
       Display a user AD object.

       --attributes=USER_ATTRS
           Comma separated list of attributes, which will be printed.

   user move username new_parent_dn [options]
       This command moves a user account into the specified organizational
       unit or container.

       The username specified on the command is the sAMAccountName.

       The name of the organizational unit or container can be specified as a
       full DN or without the domainDN component.

   user password [options]
       Change password for a user account (the one provided in
       authentication).

   user rename username [options]
       Rename a user and related attributes.

       This command allows setting the user's name-related attributes. The
       user's CN will be renamed automatically. The user's new CN will be made
       up by combining the given-name, initials and surname. A dot ('.') will
       be appended to the initials automatically, if required. Use the
       --force-new-cn option to specify the new CN manually and --reset-cn to
       reset this change.

       Use an empty attribute value to remove the specified attribute.

       The username specified on the command is the sAMAccountName.

       --surname=SURNAME
           New surname

       --given-name=GIVEN_NAME
           New given name

       --initials=INITIALS
           New initials

       --force-new-cn=NEW_CN
           Specify a new CN (RDN) instead of using a combination of the given
           name, initials and surname.

       --reset-cn
           Set the CN to the default combination of given name, initials and
           surname.

       --display-name=DISPLAY_NAME
           New display name

       --mail-address=MAIL_ADDRESS
           New email address

       --samaccountname=SAMACCOUNTNAME
           New account name (sAMAccountName/logon name)

       --upn=UPN
           New user principal name

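       Both group rename and user rename derive the new CN from other
       attributes (the sAMAccountName for groups; given name, initials and
       surname, with a dot appended to the initials if required, for users)
       and then use that CN as the object's RDN. The example below is an
       added illustration, not Samba's own rename code: it builds the
       default CN the way the text describes and, because the CN becomes an
       RDN, escapes it per RFC 4514 so that a surname containing a comma or
       a leading '#' cannot be misread as extra DN components. The exact
       joining rules (which parts may be empty, whether an initials value
       that already ends in a dot gets a second one) are assumptions of this
       example.

```python
"""Default-CN construction for samba-tool user/group rename (added example)."""
from typing import Optional

# Characters that RFC 4514 requires to be backslash-escaped inside an RDN value.
_RDN_SPECIAL = set('"+,;<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use as CN=<value> in a DN (RFC 4514).

    Besides the special characters, a leading space or '#' and a trailing
    space are escaped, and NUL is written as \\00.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _RDN_SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def user_default_cn(given_name: str = "", initials: str = "", surname: str = "") -> str:
    """Combine given name, initials and surname; append '.' to initials if missing.

    Empty parts are skipped so that a user with only a surname gets a
    CN of just that surname (assumption of this example).
    """
    parts = []
    if given_name:
        parts.append(given_name)
    if initials:
        parts.append(initials if initials.endswith(".") else initials + ".")
    if surname:
        parts.append(surname)
    return " ".join(parts)


def group_default_cn(samaccountname: str) -> str:
    """For groups the man page states the CN is simply the sAMAccountName."""
    return samaccountname


def new_rdn(cn: str, force_new_cn: Optional[str] = None) -> str:
    """Build the CN= RDN, honouring an explicit --force-new-cn override."""
    return "CN=" + escape_rdn_value(force_new_cn if force_new_cn is not None else cn)


if __name__ == "__main__":
    print(new_rdn(user_default_cn("Jane", "A", "Doe")))          # CN=Jane A. Doe
    print(new_rdn(user_default_cn("Jane", "", "Doe, Jr")))       # CN=Jane Doe\, Jr
    print(new_rdn(group_default_cn("Domain Admins")))            # CN=Domain Admins
    print(new_rdn(user_default_cn("Jane", "A", "Doe"), "jdoe"))  # CN=jdoe
```

       The escaping step is the part worth keeping in any script that feeds
       user-supplied name attributes into a DN: without it, a value such as
       "Doe, ou=Admins" would change the meaning of the resulting DN.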
   user setexpiry username [options]
       Set the expiration of a user account.

   user setpassword username [options]
       Sets or resets the password of a user account.

   user unlock username [options]
       This command unlocks a user account in the Active Directory domain.

   user getpassword username [options]
       Gets the password of a user account.

   user syncpasswords --cache-ldb-initialize [options]
       Syncs the passwords of all user accounts, using an optional script.

       Note that this command should run on a single domain controller only
       (typically the PDC-emulator).

   vampire [options] domain
       Join and synchronise a remote AD domain to the local server. Please
       note that samba-tool vampire is deprecated, please use samba-tool
       domain join instead.

   visualize [options] subcommand
       Produce graphical representations of Samba network state. To work out
       what is happening in a replication graph, it is sometimes helpful to
       use visualisations.

       There are two subcommands, two graphical modes, and (roughly) two modes
       of operation with respect to the location of authority.

   MODES OF OPERATION
       samba-tool visualize ntdsconn
           Looks at NTDS connections.

       samba-tool visualize reps
           Looks at repsTo and repsFrom objects.

       samba-tool visualize uptodateness
           Looks at replication lag as shown by the uptodateness vectors.

   GRAPHICAL MODES
       --distance
           Distances between DCs are shown in a matrix in the terminal.

       --dot
           Generate Graphviz dot output (for ntdsconn and reps modes). When
           viewed using dot or xdot, this shows the network as a graph with
           DCs as vertices and connections as edges. Certain types of degenerate
           edges are shown in different colours or line-styles.

       --xdot
           Generate Graphviz dot output as with [--dot] and attempt to view it
           immediately using /usr/bin/xdot.

       -r
           Normally, samba-tool talks to one database; with the [-r] option
           attempts are made to contact all the DCs known to the first
           database. This is necessary for samba-tool visualize uptodateness
           and for samba-tool visualize reps because the repsFrom/To objects
           are not replicated, and it can reveal replication issues in other
           modes.

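       The --distance matrix is the view that makes a partitioned replication
       topology obvious: a DC that no path leads to is a DC whose copy of
       the directory (and whose view of account lockouts, disabled accounts
       and password changes) can silently fall behind. The code below is an
       added example, not samba-tool's implementation: it treats NTDS
       connections as directed edges (changes flow from fromServer to the
       DC that owns the connection), computes hop distances between every
       pair of DCs with a breadth-first search, renders the same kind of
       matrix, and lists the unreachable pairs. The four-DC topology is
       constructed; how samba-tool itself weights distances is not something
       this example claims to reproduce.

```python
"""Hop-distance matrix over NTDS connections (added example, not Samba code)."""
from collections import deque
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

Matrix = Dict[str, Dict[str, Optional[int]]]


def distance_matrix(dcs: Sequence[str], connections: Iterable[Tuple[str, str]]) -> Matrix:
    """matrix[src][dst] = minimum number of replication hops from src to dst.

    connections are (from_dc, to_dc) pairs: to_dc pulls changes from
    from_dc, so a change originating on from_dc reaches to_dc in one hop.
    None marks a destination no path reaches.
    """
    adjacency: Dict[str, set] = {dc: set() for dc in dcs}
    for src, dst in connections:
        adjacency[src].add(dst)
    matrix: Matrix = {}
    for start in dcs:
        dist = {start: 0}
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            for nxt in adjacency[cur]:
                if nxt not in dist:
                    dist[nxt] = dist[cur] + 1
                    queue.append(nxt)
        matrix[start] = {dc: dist.get(dc) for dc in dcs}
    return matrix


def unreachable_pairs(matrix: Matrix) -> List[Tuple[str, str]]:
    """(src, dst) pairs where src's changes can never reach dst."""
    return sorted(
        (src, dst)
        for src, row in matrix.items()
        for dst, hops in row.items()
        if hops is None
    )


def render(matrix: Matrix) -> str:
    """Text matrix in the spirit of --distance; '-' means unreachable."""
    names = list(matrix)
    width = max(len(n) for n in names)
    lines = [" " * width + "  " + " ".join(n.rjust(width) for n in names)]
    for src in names:
        cells = ["-" if matrix[src][d] is None else str(matrix[src][d]) for d in names]
        lines.append(src.rjust(width) + "  " + " ".join(c.rjust(width) for c in cells))
    return "\n".join(lines)


# Constructed topology: dc1<->dc2<->dc3 form a ring segment; dc1 pulls from
# dc4, but nothing pulls from dc4's peers into dc4, so dc4 never receives
# changes made elsewhere.
SAMPLE_DCS = ["dc1", "dc2", "dc3", "dc4"]
SAMPLE_CONNECTIONS = [
    ("dc1", "dc2"), ("dc2", "dc1"),
    ("dc2", "dc3"), ("dc3", "dc2"),
    ("dc4", "dc1"),
]

if __name__ == "__main__":
    m = distance_matrix(SAMPLE_DCS, SAMPLE_CONNECTIONS)
    print(render(m))
    for src, dst in unreachable_pairs(m):
        print(f"WARNING: changes on {src} never reach {dst}")
```

       In the constructed topology the matrix shows dc4 reaching every DC
       (dc3 in three hops) while the dc4 column is all '-': that is the
       signature of a DC with no inbound connection, which samba-tool
       visualize ntdsconn is meant to make visible before it turns into a
       stale replica.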
   help
       Gives usage information.


VERSION
       This man page is complete for version 4.19.3 of the Samba suite.

AUTHOR
       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.



Samba 4.19.3                      11/27/2023                     SAMBA-TOOL(8)