authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 17:20:00 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 17:20:00 +0000
commit8daa83a594a2e98f39d764422bfbdbc62c9efd44 (patch)
tree4099e8021376c7d8c05bdf8503093d80e9c7bad0 /docs-xml/manpages/samba-tool.8.xml
parentInitial commit. (diff)
Adding upstream version 2:4.20.0+dfsg.upstream/2%4.20.0+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'docs-xml/manpages/samba-tool.8.xml')
-rw-r--r--docs-xml/manpages/samba-tool.8.xml2906
1 files changed, 2906 insertions, 0 deletions
diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
new file mode 100644
index 0000000..3471b0e
--- /dev/null
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -0,0 +1,2906 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="samba-tool.8">
+
+<refmeta>
+ <refentrytitle>samba-tool</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="source">Samba</refmiscinfo>
+ <refmiscinfo class="manual">System Administration tools</refmiscinfo>
+ <refmiscinfo class="version">&doc.version;</refmiscinfo>
+</refmeta>
+
+
+<refnamediv>
+ <refname>samba-tool</refname>
+ <refpurpose>Main Samba administration tool.
+ </refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+ <cmdsynopsis>
+ <command>samba-tool</command>
+ <arg choice="opt">-h</arg>
+ <arg choice="opt">-W myworkgroup</arg>
+ <arg choice="opt">-U user</arg>
+ <arg choice="opt">-d debuglevel</arg>
+ <arg choice="opt">--v</arg>
+ </cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+ <title>DESCRIPTION</title>
+ <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
+ <manvolnum>7</manvolnum></citerefentry> suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+
+ <varlistentry>
+ <term>-h|--help</term>
+ <listitem><para>
+ Show this help message and exit
+ </para></listitem>
+ </varlistentry>
+
+ &cmdline.common.connection.realm;
+
+ &cmdline.common.credentials.simplebinddn;
+
+ &cmdline.common.credentials.password;
+
+ &cmdline.common.credentials.user;
+
+ &cmdline.common.connection.workgroup;
+
+ &cmdline.common.credentials.nopass;
+
+ &cmdline.common.credentials.usekerberos;
+
+ &cmdline.common.credentials.usekrb5ccache;
+
+ &cmdline.common.credentials.authenticationfile;
+
+ <varlistentry>
+ <term>--ipaddress=IPADDRESS</term>
+ <listitem><para>
+ IP address of the server
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--color=always|never|auto</term>
+ <listitem>
+ <para>
+ Indicate whether samba-tool should use ANSI colour codes
+ in its output. If 'auto' (the default), samba-tool will
+ use colour when its output is directed toward a terminal,
+ unless the NO_COLOR environment variable is set and
+ non-empty.
+ </para>
+ <para>
+ The values 'yes' and 'force' are accepted as synonyms for
+ 'always'; 'no' and 'none' for 'never'; and 'tty' and
+ 'if-tty' for 'auto'.
+ </para>
+ <para>
+ Note that asking for colour doesn't mean samba-tool will
+ necessarily be very colourful. Many commands are very
+ monochrome, particularly when successful.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ &cmdline.common.debug.client;
+
+ </variablelist>
+</refsect1>
+
+<refsect1>
+<title>COMMANDS</title>
+
+<refsect2>
+ <title>computer</title>
+ <para>Manage computer accounts.</para>
+</refsect2>
+
+<refsect3>
+ <title>computer add <replaceable>computername</replaceable> [options]</title>
+ <para>Add a new computer to the Active Directory Domain.</para>
+ <para>The new computer name specified on the command is the
+ sAMAccountName, with or without the trailing dollar sign.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>--computerou=COMPUTEROU</term>
+ <listitem><para>
+ DN of alternative location (with or without domainDN counterpart) to
+ default CN=Computers in which new computer object will be created.
+ E.g. 'OU=OUname'.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--description=DESCRIPTION</term>
+ <listitem><para>
+ The new computer's description.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--ip-address=IP_ADDRESS_LIST</term>
+ <listitem><para>
+ IPv4 address for the computer's A record, or IPv6 address for AAAA record,
+ can be provided multiple times.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--service-principal-name=SERVICE_PRINCIPAL_NAME_LIST</term>
+ <listitem><para>
+ Computer's Service Principal Name, can be provided multiple times.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--prepare-oldjoin</term>
+ <listitem><para>
+ Prepare enabled machine account for oldjoin mechanism.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>computer create <replaceable>computername</replaceable> [options]</title>
+ <para>Add a new computer. This is a synonym for the
+ <command>samba-tool computer add</command> command and is available
+ for compatibility reasons only. Please use
+ <command>samba-tool computer add</command> instead.</para>
+</refsect3>
+
+<refsect3>
+ <title>computer delete <replaceable>computername</replaceable> [options]</title>
+ <para>Delete an existing computer account.</para>
+ <para>The computer name specified on the command is the
+ sAMAccountName, with or without the trailing dollar sign.</para>
+</refsect3>
+
+<refsect3>
+ <title>computer edit <replaceable>computername</replaceable></title>
+ <para>Edit a computer AD object.</para>
+ <para>The computer name specified on the command is the
+ sAMAccountName, with or without the trailing dollar sign.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>--editor=EDITOR</term>
+ <listitem><para>
+ Specifies the editor to use instead of the system default, or 'vi' if no
+ system default is set.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>computer list</title>
+ <para>List all computers.</para>
+</refsect3>
+
+<refsect3>
+ <title>computer move <replaceable>computername</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
+ <para>This command moves a computer account into the specified
+ organizational unit or container.</para>
+ <para>The computername specified on the command is the
+ sAMAccountName, with or without the trailing dollar sign.</para>
+ <para>The name of the organizational unit or container can be
+ specified as a full DN or without the domainDN component.</para>
+</refsect3>
+
+<refsect3>
+ <title>computer show <replaceable>computername</replaceable> [options]</title>
+ <para>Display a computer AD object.</para>
+ <para>The computer name specified on the command is the
+ sAMAccountName, with or without the trailing dollar sign.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>--attributes=USER_ATTRS</term>
+ <listitem><para>
+ Comma separated list of attributes, which will be printed.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect2>
+ <title>contact</title>
+ <para>Manage contacts.</para>
+</refsect2>
+
+<refsect3>
+ <title>contact add [<replaceable>contactname</replaceable>] [options]</title>
+ <para>Add a new contact to the Active Directory Domain.</para>
+ <para>The name of the new contact can be specified by the first
+ argument 'contactname' or the --given-name, --initial and --surname
+ arguments. If no 'contactname' is given, contact's name will be made
+ up of the given arguments by combining the given-name, initials and
+ surname. Each argument is optional. A dot ('.') will be appended to
+ the initials automatically.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>--ou=OU</term>
+ <listitem><para>
+ DN of alternative location (with or without domainDN counterpart) in
+ which the new contact will be created.
+ E.g. 'OU=OUname'.
+ Default is the domain base.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--description=DESCRIPTION</term>
+ <listitem><para>
+ The new contact's description.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--surname=SURNAME</term>
+ <listitem><para>
+ Contact's surname.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--given-name=GIVEN_NAME</term>
+ <listitem><para>
+ Contact's given name.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--initials=INITIALS</term>
+ <listitem><para>
+ Contact's initials.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--display-name=DISPLAY_NAME</term>
+ <listitem><para>
+ Contact's display name.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--job-title=JOB_TITLE</term>
+ <listitem><para>
+ Contact's job title.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--department=DEPARTMENT</term>
+ <listitem><para>
+ Contact's department.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--company=COMPANY</term>
+ <listitem><para>
+ Contact's company.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--mail-address=MAIL_ADDRESS</term>
+ <listitem><para>
+ Contact's email address.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--internet-address=INTERNET_ADDRESS</term>
+ <listitem><para>
+ Contact's home page.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--telephone-number=TELEPHONE_NUMBER</term>
+ <listitem><para>
+ Contact's phone number.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--mobile-number=MOBILE_NUMBER</term>
+ <listitem><para>
+ Contact's mobile phone number.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--physical-delivery-office=PHYSICAL_DELIVERY_OFFICE</term>
+ <listitem><para>
+ Contact's office location.
+ </para></listitem>
+ </varlistentry>
+
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>contact create [<replaceable>contactname</replaceable>] [options]</title>
+ <para>Add a new contact. This is a synonym for the
+ <command>samba-tool contact add</command> command and is available
+ for compatibility reasons only. Please use
+ <command>samba-tool contact add</command> instead.</para>
+</refsect3>
+
+<refsect3>
+ <title>contact delete <replaceable>contactname</replaceable> [options]</title>
+ <para>Delete an existing contact.</para>
+ <para>The contactname specified on the command is the common name or the
+ distinguished name of the contact object. The distinguished name of the
+ contact can be specified with or without the domainDN component.</para>
+</refsect3>
+
+<refsect3>
+ <title>contact edit <replaceable>contactname</replaceable></title>
+ <para>Modify a contact AD object.</para>
+ <para>The contactname specified on the command is the common name or the
+ distinguished name of the contact object. The distinguished name of the
+ contact can be specified with or without the domainDN component.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>--editor=EDITOR</term>
+ <listitem><para>
+ Specifies the editor to use instead of the system default, or 'vi' if no
+ system default is set.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>contact list [options]</title>
+ <para>List all contacts.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>--full-dn</term>
+ <listitem><para>
+ Display contact's full DN instead of the name.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>contact move <replaceable>contactname</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
+ <para>This command moves a contact into the specified organizational
+ unit or container.</para>
+ <para>The contactname specified on the command is the common name or the
+ distinguished name of the contact object. The distinguished name of the
+ contact can be specified with or without the domainDN component.</para>
+</refsect3>
+
+<refsect3>
+ <title>contact show <replaceable>contactname</replaceable> [options]</title>
+ <para>Display a contact AD object.</para>
+ <para>The contactname specified on the command is the common name or the
+ distinguished name of the contact object. The distinguished name of the
+ contact can be specified with or without the domainDN component.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>--attributes=CONTACT_ATTRS</term>
+ <listitem><para>
+ Comma separated list of attributes, which will be printed.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>contact rename <replaceable>contactname</replaceable> [options]</title>
+ <para>Rename a contact and related attributes.</para>
+ <para>This command allows to set the contact's name related attributes. The contact's
+ CN will be renamed automatically.
+ The contact's new CN will be made up by combining the given-name, initials
+ and surname. A dot ('.') will be appended to the initials automatically,
+ if required.
+ Use the --force-new-cn option to specify the new CN manually and --reset-cn
+ to reset this change.</para>
+ <para>Use an empty attribute value to remove the specified attribute.</para>
+ <para>The contact name specified on the command is the CN.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>--surname=SURNAME</term>
+ <listitem><para>
+ New surname.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--given-name=GIVEN_NAME</term>
+ <listitem><para>
+ New given name.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--initials=INITIALS</term>
+ <listitem><para>
+ New initials.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--force-new-cn=NEW_CN</term>
+ <listitem><para>
+ Specify a new CN (RDN) instead of using a combination
+ of the given name, initials and surname.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--reset-cn</term>
+ <listitem><para>
+ Set the CN to the default combination of given name,
+ initials and surname.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--display-name=DISPLAY_NAME</term>
+ <listitem><para>
+ New display name.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--mail-address=MAIL_ADDRESS</term>
+ <listitem><para>
+ New email address.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect2>
+ <title>dbcheck</title>
+ <para>Check the local AD database for errors.</para>
+</refsect2>
+
+<refsect2>
+ <title>delegation</title>
+ <para>Manage Delegations.</para>
+</refsect2>
+
+<refsect3>
+ <title>delegation add-service <replaceable>accountname</replaceable> <replaceable>principal</replaceable> [options]</title>
+ <para>Add a service principal as msDS-AllowedToDelegateTo.</para>
+</refsect3>
+
+<refsect3>
+ <title>delegation del-service <replaceable>accountname</replaceable> <replaceable>principal</replaceable> [options]</title>
+ <para>Delete a service principal as msDS-AllowedToDelegateTo.</para>
+</refsect3>
+
+<refsect3>
+ <title>delegation for-any-protocol <replaceable>accountname</replaceable> [(on|off)] [options]</title>
+ <para>Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy)
+ for an account.</para>
+</refsect3>
+
+<refsect3>
+ <title>delegation for-any-service <replaceable>accountname</replaceable> [(on|off)] [options]</title>
+ <para>Set/unset UF_TRUSTED_FOR_DELEGATION for an account.</para>
+</refsect3>
+
+<refsect3>
+ <title>delegation show <replaceable>accountname</replaceable> [options] </title>
+ <para>Show the delegation setting of an account.</para>
+</refsect3>
+
+<refsect2>
+ <title>dns</title>
+ <para>Manage Domain Name Service (DNS).</para>
+</refsect2>
+
+<refsect3>
+ <title>dns add <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>data</replaceable></title>
+ <para>Add a DNS record.</para>
+</refsect3>
+
+<refsect3>
+ <title>dns delete <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>data</replaceable></title>
+ <para>Delete a DNS record.</para>
+</refsect3>
+
+<refsect3>
+ <title>dns query <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT|ALL</replaceable> [options] <replaceable>data</replaceable></title>
+ <para>Query a name.</para>
+</refsect3>
+
+<refsect3>
+ <title>dns roothints <replaceable>server</replaceable> [<replaceable>name</replaceable>] [options]</title>
+ <para>Query root hints.</para>
+</refsect3>
+
+<refsect3>
+ <title>dns serverinfo <replaceable>server</replaceable> [options]</title>
+ <para>Query server information.</para>
+</refsect3>
+
+<refsect3>
+ <title>dns update <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>olddata</replaceable> <replaceable>newdata</replaceable></title>
+ <para>Update a DNS record.</para>
+</refsect3>
+
+<refsect3>
+ <title>dns zonecreate <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
+ <para>Create a zone.</para>
+</refsect3>
+
+<refsect3>
+ <title>dns zonedelete <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
+ <para>Delete a zone.</para>
+</refsect3>
+
+<refsect3>
+ <title>dns zoneinfo <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
+ <para>Query zone information.</para>
+</refsect3>
+
+<refsect3>
+ <title>dns zonelist <replaceable>server</replaceable> [options]</title>
+ <para>List zones.</para>
+</refsect3>
+
+<refsect2>
+ <title>domain</title>
+ <para>Manage Domain.</para>
+</refsect2>
+
+<refsect3>
+ <title>domain backup</title>
+ <para>Create or restore a backup of the domain.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain backup offline</title>
+ <para>Backup (with proper locking) local domain directories into a tar file.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain backup online</title>
+ <para>Copy a running DC's current DB into a backup tar file.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain backup rename</title>
+ <para>Copy a running DC's DB to backup file, renaming the domain in the process.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain backup restore</title>
+ <para>Restore the domain's DB from a backup-file.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain auth policy list</title>
+ <para>List authentication policies on the domain.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--json</term>
+ <listitem><para>
+ View authentication policies as JSON instead of a list.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain auth policy view</title>
+ <para>View an authentication policy on the domain.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--name</term>
+ <listitem><para>
+ Name of the authentication policy to view (required).
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain auth policy create</title>
+ <para>Create authentication policies on the domain.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--name</term>
+ <listitem><para>
+ Name of the authentication policy (required).
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--description</term>
+ <listitem><para>
+ Optional description for the authentication policy.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--protect</term>
+ <listitem>
+ <para>
+ Protect authentication policy from accidental deletion.
+ </para>
+ <para>
+ Cannot be used together with --unprotect.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--unprotect</term>
+ <listitem>
+ <para>
+ Unprotect authentication policy from accidental deletion.
+ </para>
+ <para>
+ Cannot be used together with --protect.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--audit</term>
+ <listitem>
+ <para>
+ Only audit authentication policy.
+ </para>
+ <para>
+ Cannot be used together with --enforce.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--enforce</term>
+ <listitem>
+ <para>
+ Enforce authentication policy.
+ </para>
+ <para>
+ Cannot be used together with --audit.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--strong-ntlm-policy</term>
+ <listitem>
+ <para>
+ Strong NTLM Policy (Disabled, Optional, Required).
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--user-tgt-lifetime-mins</term>
+ <listitem>
+ <para>
+ Ticket-Granting-Ticket lifetime for user accounts.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--user-allow-ntlm-auth</term>
+ <listitem>
+ <para>
+ Allow <constant>NTLM</constant> and <constant>
+ Interactive NETLOGON SamLogon</constant>
+ authentication despite the
+ fact that
+ <constant>allowed-to-authenticate-from</constant>
+ is in use, which would
+ otherwise restrict the user to selected devices.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--user-allowed-to-authenticate-from</term>
+ <listitem>
+ <para>
+ Conditions a device must meet
+ for users covered by this
+ policy to be allowed to
+ authenticate. While this is a
+ restriction on the device,
+ any conditional ACE rules are
+ expressed as if the device was
+ a user.
+ </para>
+ <para>
+ Must be a valid SDDL string
+ without reference to Device
+ keywords.
+ </para>
+ <para>
+ Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)}))
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--user-allowed-to-authenticate-from-silo</term>
+ <listitem>
+ <para>
+ User is allowed to
+ authenticate, if the device they
+ authenticate from is assigned
+ and granted membership of a
+ given silo.
+ </para>
+ <para>
+ This attribute avoids the need to write SDDL by hand and
+ cannot be used with --user-allowed-to-authenticate-from
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--user-allowed-to-authenticate-to=SDDL</term>
+ <listitem>
+ <para>
+ This policy, applying to a
+ user account that is offering
+ a service, eg a web server
+ with a user account, restricts
+ which accounts may access it.
+ </para>
+ <para>
+ Must be a valid SDDL string.
+ The SDDL can reference both
+ bare (user) and Device conditions.
+ </para>
+ <para>
+ SDDL Example: <constant>O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))</constant>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--user-allowed-to-authenticate-to-by-group=GROUP</term>
+ <listitem>
+ <para>
+ The user account, offering a
+ network service, covered by
+ this policy, will only be allowed
+ access from other accounts
+ that are members of the given
+ <constant>GROUP</constant>.
+ </para>
+ <para>
+ This attribute avoids the need to write SDDL by hand and
+ cannot be used with --user-allowed-to-authenticate-to
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--user-allowed-to-authenticate-to-by-silo=SILO</term>
+ <listitem>
+ <para>
+ The user account, offering a
+ network service, covered by
+ this policy, will only be
+ allowed access from other accounts
+ that are assigned to,
+ granted membership of (and
+ meet any authentication
+ conditions of) the given SILO.
+ </para>
+ <para>
+ This attribute avoids the need to write SDDL by hand and
+ cannot be used with --user-allowed-to-authenticate-to
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--service-tgt-lifetime-mins</term>
+ <listitem>
+ <para>
+ Ticket-Granting-Ticket lifetime for service accounts.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--service-allow-ntlm-auth</term>
+ <listitem>
+ <para>
+ Allow NTLM network authentication when service
+ is restricted to selected devices.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--service-allowed-to-authenticate-from</term>
+ <listitem>
+ <para>
+ Conditions a device must meet
+ for service accounts covered
+ by this policy to be allowed
+ to authenticate. While this
+ is a restriction on the
+ device, any conditional ACE
+ rules are expressed as if the
+ device was a user.
+ </para>
+ <para>
+ Must be a valid SDDL string
+ without reference to Device
+ keywords.
+ </para>
+ <para>
+ SDDL Example: <constant>O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)}))</constant>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--service-allowed-to-authenticate-from-device-silo=SILO</term>
+ <listitem>
+ <para>
+ The service account (eg a Managed
+ Service Account, Group Managed
+ Service Account) is allowed to
+ authenticate, if the device it
+ authenticates from is assigned
+ and granted membership of a
+ given <constant>SILO</constant>.
+ </para>
+ <para>
+ This attribute avoids the need to write SDDL by hand and
+ cannot be used with --service-allowed-to-authenticate-from
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--service-allowed-to-authenticate-from-device-group=GROUP</term>
+ <listitem>
+ <para>
+ The service account (eg a Managed
+ Service Account, Group Managed
+ Service Account) is allowed to
+ authenticate, if the device it
+ authenticates from is a member
+ of the given <constant>group</constant>.
+ </para>
+ <para>
+ This attribute avoids the need to write SDDL by hand and
+ cannot be used with --service-allowed-to-authenticate-from
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--service-allowed-to-authenticate-to=SDDL</term>
+ <listitem>
+ <para>
+ This policy, applying to a
+ service account (eg a Managed
+ Service Account, Group Managed
+ Service Account), restricts
+ which accounts may access it.
+ </para>
+ <para>
+ Must be a valid SDDL string.
+ The SDDL can reference both
+ bare (user) and Device conditions.
+ </para>
+ <para>
+ SDDL Example: <constant>O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))</constant>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--service-allowed-to-authenticate-to-by-group=GROUP</term>
+ <listitem>
+ <para>
+ The service account (eg a Managed
+ Service Account, Group Managed
+ Service Account), will only be
+ allowed access by other accounts
+ that are members of the given
+ <constant>GROUP</constant>.
+ </para>
+ <para>
+ This attribute avoids the need to write SDDL by hand and
+ cannot be used with --service-allowed-to-authenticate-to
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--service-allowed-to-authenticate-to-by-silo=SILO</term>
+ <listitem>
+ <para>
+ The service account (eg a
+ Managed Service Account, Group
+ Managed Service Account), will
+ only be allowed access by other
+ accounts that are assigned
+ to, granted membership of (and
+ meet any authentication
+ conditions of) the given SILO.
+ </para>
+ <para>
+ This attribute avoids the need to write SDDL by hand and
+ cannot be used with --service-allowed-to-authenticate-to
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--computer-tgt-lifetime-mins</term>
+ <listitem>
+ <para>
+ Ticket-Granting-Ticket lifetime for computer accounts.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--computer-allowed-to-authenticate-to=SDDL</term>
+ <listitem>
+ <para>
+ This policy, applying to a
+ computer account (eg a server
+ or workstation), restricts
+ which accounts may access it.
+ </para>
+ <para>
+ Must be a valid SDDL string.
+ The SDDL can reference both
+ bare (user) and Device conditions.
+ </para>
+ <para>
+ SDDL Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--computer-allowed-to-authenticate-to-by-group=GROUP</term>
+ <listitem>
+ <para>
+ The computer account (eg a server
+ or workstation), will only be
+ allowed access by other accounts
+ that are members of the given
+ <constant>GROUP</constant>.
+ </para>
+ <para>
+ This attribute avoids the need to write SDDL by hand and
+ cannot be used with --computer-allowed-to-authenticate-to
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--computer-allowed-to-authenticate-to-by-silo=SILO</term>
+ <listitem>
+ <para>
+ The computer account (eg a
+ server or workstation), will
+ only be allowed access by
+ other accounts that are
+ assigned to, granted
+ membership of (and meet any
+ authentication conditions of)
+ the given SILO.
+ </para>
+ <para>
+ This attribute avoids the need to write SDDL by hand and
+ cannot be used with --computer-allowed-to-authenticate-to
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain auth policy modify</title>
+ <para>Modify authentication policies on the domain. The same
+ options apply as for <constant>domain auth policy create</constant>.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain auth policy delete</title>
+ <para>Delete authentication policies on the domain.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--name</term>
+ <listitem><para>
+ Name of authentication policy to delete (required).
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--force</term>
+ <listitem><para>
+ Force authentication policy delete even if it is protected.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain auth silo list</title>
+ <para>List authentication silos on the domain.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--json</term>
+ <listitem><para>
+ View authentication silos as JSON instead of a list.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain auth silo view</title>
+ <para>View an authentication silo on the domain.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--name</term>
+ <listitem><para>
+ Name of the authentication silo to view (required).
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain auth silo create</title>
+ <para>Create authentication silos on the domain.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--name</term>
+ <listitem><para>
+ Name of the authentication silo (required).
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--description</term>
+ <listitem><para>
+ Optional description for the authentication silo.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--user-authentication-policy</term>
+ <listitem><para>
+ User account authentication policy.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--service-authentication-policy</term>
+ <listitem><para>
+ Managed service account authentication policy.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--computer-authentication-policy</term>
+ <listitem><para>
+ Computer authentication policy.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--protect</term>
+ <listitem>
+ <para>
+ Protect authentication silo from accidental deletion.
+ </para>
+ <para>
+ Cannot be used together with --unprotect.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--unprotect</term>
+ <listitem>
+ <para>
+ Unprotect authentication silo from accidental deletion.
+ </para>
+ <para>
+ Cannot be used together with --protect.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--audit</term>
+ <listitem>
+ <para>
+ Only audit silo policies.
+ </para>
+ <para>
+ Cannot be used together with --enforce.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--enforce</term>
+ <listitem>
+ <para>
+ Enforce silo policies.
+ </para>
+ <para>
+ Cannot be used together with --audit.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain auth silo modify</title>
+ <para>Modify authentication silos on the domain.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--name</term>
+ <listitem><para>
+ Name of the authentication silo (required).
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--description</term>
+ <listitem><para>
+ Optional description for the authentication silo.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--user-authentication-policy</term>
+ <listitem><para>
+ User account authentication policy.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--service-authentication-policy</term>
+ <listitem><para>
+ Managed service account authentication policy.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--computer-authentication-policy</term>
+ <listitem><para>
+ Computer authentication policy.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--protect</term>
+ <listitem>
+ <para>
+ Protect authentication silo from accidental deletion.
+ </para>
+ <para>
+ Cannot be used together with --unprotect.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--unprotect</term>
+ <listitem>
+ <para>
+ Unprotect authentication silo from accidental deletion.
+ </para>
+ <para>
+ Cannot be used together with --protect.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--audit</term>
+ <listitem>
+ <para>
+ Only audit silo policies.
+ </para>
+ <para>
+ Cannot be used together with --enforce.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--enforce</term>
+ <listitem>
+ <para>
+ Enforce silo policies.
+ </para>
+ <para>
+ Cannot be used together with --audit.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain auth silo delete</title>
+ <para>Delete authentication silos on the domain.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--name</term>
+ <listitem><para>
+ Name of authentication silo to delete (required).
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--force</term>
+ <listitem><para>
+ Force authentication silo delete even if it is protected.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain auth silo member grant</title>
+ <para>Grant a member access to an authentication silo.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--name</term>
+ <listitem><para>
+ Name of authentication silo (required).
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--member</term>
+ <listitem><para>
+ Member to grant access to the silo (DN or account name).
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain auth silo member list</title>
+ <para>List members in an authentication silo.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--name</term>
+ <listitem><para>
+ Name of authentication silo (required).
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--json</term>
+ <listitem><para>
+ View members as JSON instead of a list.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain auth silo member revoke</title>
+ <para>Revoke a member from an authentication silo.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--name</term>
+ <listitem><para>
+ Name of authentication silo (required).
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--member</term>
+ <listitem><para>
+ Member to revoke from the silo (DN or account name).
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain claim claim-type list</title>
+ <para>List claim types on the domain.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--json</term>
+ <listitem><para>
+ View claim types as JSON instead of a list.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain claim claim-type view</title>
+ <para>View a single claim type on the domain.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--name</term>
+ <listitem><para>
+ Display name of claim type to view (required).
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain claim claim-type create</title>
+ <para>Create claim types on the domain.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--attribute</term>
+ <listitem><para>
+ Attribute of claim type to create (required).
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--class</term>
+ <listitem>
+ <para>
+ Object classes to set claim type to.
+ </para>
+ <para>
+ Example: --class=user --class=computer
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--name</term>
+ <listitem><para>
+ Optional display name or use attribute name.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--description</term>
+ <listitem><para>
+ Optional description or use from attribute.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--enable</term>
+ <listitem>
+ <para>
+ Enable claim type.
+ </para>
+ <para>
+ Cannot be used together with --disable.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--disable</term>
+ <listitem>
+ <para>
+ Disable claim type.
+ </para>
+ <para>
+ Cannot be used together with --enable.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--protect</term>
+ <listitem>
+ <para>
+ Protect claim type from accidental deletion.
+ </para>
+ <para>
+ Cannot be used together with --unprotect.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--unprotect</term>
+ <listitem>
+ <para>
+ Unprotect claim type from accidental deletion.
+ </para>
+ <para>
+ Cannot be used together with --protect.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain claim claim-type modify</title>
+ <para>Modify claim types on the domain.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--name</term>
+ <listitem><para>
+ Display name of claim type to modify (required).
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--class</term>
+ <listitem>
+ <para>
+ Object classes to set claim type to.
+ </para>
+ <para>
+ Example: --class=user --class=computer
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--description</term>
+ <listitem><para>
+ Set the claim type description.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--enable</term>
+ <listitem>
+ <para>
+ Enable claim type.
+ </para>
+ <para>
+ Cannot be used together with --disable.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--disable</term>
+ <listitem>
+ <para>
+ Disable claim type.
+ </para>
+ <para>
+ Cannot be used together with --enable.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--protect</term>
+ <listitem>
+ <para>
+ Protect claim type from accidental deletion.
+ </para>
+ <para>
+ Cannot be used together with --unprotect.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--unprotect</term>
+ <listitem>
+ <para>
+ Unprotect claim type from accidental deletion.
+ </para>
+ <para>
+ Cannot be used together with --protect.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain claim claim-type delete</title>
+ <para>Delete claim types on the domain.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--name</term>
+ <listitem><para>
+ Display name of claim type to delete (required).
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--force</term>
+ <listitem><para>
+ Force claim type delete even if it is protected.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain claim value-type list</title>
+ <para>List claim value types on the domain.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--json</term>
+ <listitem><para>
+ View claim value types as JSON instead of a list.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain claim value-type view</title>
+ <para>View a single claim value type on the domain.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--name</term>
+ <listitem><para>
+ Display name of claim value type to view (required).
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>domain classicupgrade [options] <replaceable>classic_smb_conf</replaceable></title>
+ <para>Upgrade from Samba classic (NT4-like) database to Samba AD DC
+ database.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain dcpromo <replaceable>dnsdomain</replaceable> [DC|RODC] [options]</title>
+ <para>Promote an existing domain member or NT4 PDC to an AD DC.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain demote</title>
+ <para>Demote ourselves from the role of domain controller.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain exportkeytab <replaceable>keytab</replaceable> [options]</title>
+ <para>Dumps Kerberos keys of the domain into a keytab.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain info <replaceable>ip_address</replaceable> [options]</title>
+ <para>Print basic info about a domain and the specified DC.
+</para>
+</refsect3>
+
+<refsect3>
+ <title>domain join <replaceable>dnsdomain</replaceable> [DC|RODC|MEMBER|SUBDOMAIN] [options]</title>
+ <para>Join a domain as either member or backup domain controller.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain level <replaceable>show|raise</replaceable> <replaceable>options</replaceable> [options]</title>
+ <para>Show/raise domain and forest function levels.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain passwordsettings <replaceable>show|set</replaceable> <replaceable>options</replaceable> [options]</title>
+ <para>Show/set password settings.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain passwordsettings pso</title>
+ <para>Manage fine-grained Password Settings Objects (PSOs).</para>
+</refsect3>
+
+<refsect3>
+ <title>domain passwordsettings pso apply <replaceable>pso-name</replaceable> <replaceable>user-or-group-name</replaceable> [options]</title>
+ <para>Applies a PSO's password policy to a user or group.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain passwordsettings pso create <replaceable>pso-name</replaceable> <replaceable>precedence</replaceable> [options]</title>
+ <para>Creates a new Password Settings Object (PSO).</para>
+</refsect3>
+
+<refsect3>
+ <title>domain passwordsettings pso delete <replaceable>pso-name</replaceable> [options]</title>
+ <para>Deletes a Password Settings Object (PSO).</para>
+</refsect3>
+
+<refsect3>
+ <title>domain passwordsettings pso list [options]</title>
+ <para>Lists all Password Settings Objects (PSOs).</para>
+</refsect3>
+
+<refsect3>
+ <title>domain passwordsettings pso set <replaceable>pso-name</replaceable> [options]</title>
+ <para>Modifies a Password Settings Object (PSO).</para>
+</refsect3>
+
+<refsect3>
+ <title>domain passwordsettings pso show <replaceable>user-name</replaceable> [options]</title>
+ <para>Displays a Password Settings Object (PSO).</para>
+</refsect3>
+
+<refsect3>
+ <title>domain passwordsettings pso show-user <replaceable>pso-name</replaceable> [options]</title>
+ <para>Displays the Password Settings that apply to a user.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain passwordsettings pso unapply <replaceable>pso-name</replaceable> <replaceable>user-or-group-name</replaceable> [options]</title>
+ <para>Updates a PSO to no longer apply to a user or group.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain provision</title>
+ <para>Promote an existing domain member or NT4 PDC to an AD DC.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain trust</title>
+ <para>Domain and forest trust management.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain trust create <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
+ <para>Create a domain or forest trust.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain trust modify <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
+ <para>Modify a domain or forest trust.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain trust delete <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
+ <para>Delete a domain trust.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain trust list <replaceable>options</replaceable> [options]</title>
+ <para>List domain trusts.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain trust namespaces [<replaceable>DOMAIN</replaceable>] <replaceable>options</replaceable> [options]</title>
+ <para>Manage forest trust namespaces.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain trust show <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
+ <para>Show trusted domain details.</para>
+</refsect3>
+
+<refsect3>
+ <title>domain trust validate <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
+ <para>Validate a domain trust.</para>
+</refsect3>
+
+<refsect2>
+ <title>drs</title>
+ <para>Manage Directory Replication Services (DRS).</para>
+</refsect2>
+
+<refsect3>
+ <title>drs bind</title>
+ <para>Show DRS capabilities of a server.</para>
+</refsect3>
+
+<refsect3>
+ <title>drs kcc</title>
+ <para>Trigger knowledge consistency center run.</para>
+</refsect3>
+
+<refsect3>
+ <title>drs options</title>
+ <para>Query or change <replaceable>options</replaceable> for NTDS Settings
+ object of a domain controller.</para>
+</refsect3>
+
+<refsect3>
+ <title>drs replicate <replaceable>destination_DC</replaceable> <replaceable>source_DC</replaceable> <replaceable>NC</replaceable> [options]</title>
+ <para>Replicate a naming context between two DCs.</para>
+</refsect3>
+
+<refsect3>
+ <title>drs showrepl</title>
+ <para>Show replication status. The <arg
+ choice="opt">--json</arg> option results in JSON output, and
+ with the <arg choice="opt">--summary</arg> option produces
+ very little output when the replication status seems healthy.
+ </para>
+</refsect3>
+
+<refsect2>
+ <title>dsacl</title>
+ <para>Administer DS ACLs</para>
+</refsect2>
+
+<refsect3>
+ <title>dsacl delete</title>
+ <para>Delete an access list entry on a directory object.</para>
+</refsect3>
+
+<refsect3>
+ <title>dsacl get</title>
+ <para>Print access list on a directory object.</para>
+</refsect3>
+
+<refsect3>
+ <title>dsacl set</title>
+ <para>Modify access list on a directory object.</para>
+</refsect3>
+
+<refsect2>
+ <title>forest</title>
+ <para>Manage Forest configuration.</para>
+</refsect2>
+
+<refsect3>
+ <title>forest directory_service</title>
+ <para>Manage directory_service behaviour for the forest.</para>
+</refsect3>
+
+<refsect3>
+ <title>forest directory_service dsheuristics <replaceable>VALUE</replaceable></title>
+ <para>Modify dsheuristics directory_service configuration for the forest.</para>
+</refsect3>
+
+<refsect3>
+ <title>forest directory_service show</title>
+ <para>Show current directory_service configuration for the forest.</para>
+</refsect3>
+
+<refsect2>
+ <title>fsmo</title>
+ <para>Manage Flexible Single Master Operations (FSMO).</para>
+</refsect2>
+
+<refsect3>
+ <title>fsmo seize [options]</title>
+ <para>Seize the role.</para>
+</refsect3>
+
+<refsect3>
+ <title>fsmo show</title>
+ <para>Show the roles.</para>
+</refsect3>
+
+<refsect3>
+ <title>fsmo transfer [options]</title>
+ <para>Transfer the role.</para>
+</refsect3>
+
+<refsect2>
+ <title>gpo</title>
+ <para>Manage Group Policy Objects (GPO).</para>
+</refsect2>
+
+<refsect3>
+ <title>gpo create <replaceable>displayname</replaceable> [options]</title>
+ <para>Create an empty GPO.</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo del <replaceable>gpo</replaceable> [options]</title>
+ <para>Delete GPO.</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo dellink <replaceable>container_dn</replaceable> <replaceable>gpo</replaceable> [options]</title>
+ <para>Delete GPO link from a container.</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo fetch <replaceable>gpo</replaceable> [options]</title>
+ <para>Download a GPO.</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo getinheritance <replaceable>container_dn</replaceable> [options]</title>
+ <para>Get inheritance flag for a container.</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo getlink <replaceable>container_dn</replaceable> [options]</title>
+ <para>List GPO Links for a container.</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo list <replaceable>username</replaceable> [options]</title>
+ <para>List GPOs for an account.</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo listall</title>
+ <para>List all GPOs.</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo listcontainers <replaceable>gpo</replaceable> [options]</title>
+ <para>List all linked containers for a GPO.</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo setinheritance <replaceable>container_dn</replaceable> <replaceable>block|inherit</replaceable> [options]</title>
+ <para>Set inheritance flag on a container.</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo setlink <replaceable>container_dn</replaceable> <replaceable>gpo</replaceable> [options]</title>
+ <para>Add or Update a GPO link to a container.</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo show <replaceable>gpo</replaceable> [options]</title>
+ <para>Show information for a GPO.</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo manage symlink list</title>
+ <para>List VGP Symbolic Link Group Policy from the sysvol</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo manage symlink add</title>
+ <para>Adds a VGP Symbolic Link Group Policy to the sysvol</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo manage symlink remove</title>
+ <para>Removes a VGP Symbolic Link Group Policy from the sysvol</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo manage files list</title>
+ <para>List VGP Files Group Policy from the sysvol</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo manage files add</title>
+ <para>Add VGP Files Group Policy to the sysvol</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo manage files remove</title>
+ <para>Remove VGP Files Group Policy from the sysvol</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo manage openssh list</title>
+ <para>List VGP OpenSSH Group Policy from the sysvol</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo manage openssh set</title>
+ <para>Sets a VGP OpenSSH Group Policy to the sysvol</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo manage sudoers add</title>
+ <para>Adds a Samba Sudoers Group Policy to the sysvol.</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo manage sudoers list</title>
+ <para>List Samba Sudoers Group Policy from the sysvol.</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo manage sudoers remove</title>
+ <para>Removes a Samba Sudoers Group Policy from the sysvol.</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo manage scripts startup list</title>
+ <para>List VGP Startup Script Group Policy from the sysvol</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo manage scripts startup add</title>
+ <para>Adds VGP Startup Script Group Policy to the sysvol</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo manage scripts startup remove</title>
+ <para>Removes VGP Startup Script Group Policy from the sysvol</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo manage motd list</title>
+ <para>List VGP MOTD Group Policy from the sysvol.</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo manage motd set</title>
+ <para>Sets a VGP MOTD Group Policy to the sysvol</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo manage issue list</title>
+ <para>List VGP Issue Group Policy from the sysvol.</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo manage issue set</title>
+ <para>Sets a VGP Issue Group Policy to the sysvol</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo manage access add</title>
+ <para>Adds a VGP Host Access Group Policy to the sysvol</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo manage access list</title>
+ <para>List VGP Host Access Group Policy from the sysvol</para>
+</refsect3>
+
+<refsect3>
+ <title>gpo manage access remove</title>
+ <para>Remove a VGP Host Access Group Policy from the sysvol</para>
+</refsect3>
+
+<refsect2>
+ <title>group</title>
+ <para>Manage groups.</para>
+</refsect2>
+
+<refsect3>
+ <title>group add <replaceable>groupname</replaceable> [options]</title>
+ <para>Create a new AD group.</para>
+</refsect3>
+
+<refsect3>
+ <title>group create <replaceable>groupname</replaceable> [options]</title>
+ <para>Add a new AD group. This is a synonym for the
+ <command>samba-tool group add</command> command and is available
+ for compatibility reasons only. Please use
+ <command>samba-tool group add</command> instead.</para>
+</refsect3>
+
+<refsect3>
+ <title>group addmembers <replaceable>groupname</replaceable> <replaceable>members</replaceable> [options]</title>
+ <para>Add members to an AD group.</para>
+</refsect3>
+
+<refsect3>
+ <title>group delete <replaceable>groupname</replaceable> [options]</title>
+ <para>Delete an AD group.</para>
+</refsect3>
+
+<refsect3>
+ <title>group edit <replaceable>groupname</replaceable></title>
+ <para>Edit a group AD object.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>--editor=EDITOR</term>
+ <listitem><para>
+ Specifies the editor to use instead of the system default, or 'vi' if no
+ system default is set.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>group list</title>
+ <para>List all groups.</para>
+</refsect3>
+
+<refsect3>
+ <title>group listmembers <replaceable>groupname</replaceable> [options]</title>
+ <para>List all members of the specified AD group.</para>
+ <para>By default the sAMAccountNames are listed. If no sAMAccountName
+ is available, the CN will be used instead.</para>
+ <variablelist>
+ <varlistentry>
+ <term>--full-dn</term>
+ <listitem><para>
+ List the distinguished names instead of the sAMAccountNames.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--hide-expired</term>
+ <listitem><para>
+ Do not list expired group members.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--hide-disabled</term>
+ <listitem><para>
+ Do not list disabled group members.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>group move <replaceable>groupname</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
+ <para>This command moves a group into the specified organizational unit
+ or container.</para>
+ <para>The groupname specified on the command is the sAMAccountName.
+ </para>
+ <para>The name of the organizational unit or container can be
+ specified as a full DN or without the domainDN component.</para>
+ <para></para>
+</refsect3>
+
+<refsect3>
+ <title>group removemembers <replaceable>groupname</replaceable> <replaceable>members</replaceable> [options]</title>
+ <para>Remove members from the specified AD group.</para>
+</refsect3>
+
+<refsect3>
+ <title>group show <replaceable>groupname</replaceable> [options]</title>
+ <para>Show group object and it's attributes.</para>
+</refsect3>
+
+<refsect3>
+ <title>group stats [options]</title>
+ <para>Show statistics for overall groups and group memberships.</para>
+</refsect3>
+
+<refsect3>
+ <title>group rename <replaceable>groupname</replaceable> [options]</title>
+ <para>Rename a group and related attributes.</para>
+ <para>This command allows to set the group's name related attributes. The
+ group's CN will be renamed automatically.
+ The group's CN will be the sAMAccountName.
+ Use the --force-new-cn option to specify the new CN manually and the
+ --reset-cn to reset this change.</para>
+ <para>Use an empty attribute value to remove the specified attribute.</para>
+ <para>The groupname specified on the command is the sAMAccountName.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>--force-new-cn=NEW_CN</term>
+ <listitem><para>
+ Specify a new CN (RDN) instead of using the sAMAccountName.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--reset-cn</term>
+ <listitem><para>
+ Set the CN to the sAMAccountName.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--mail-address=MAIL_ADDRESS</term>
+ <listitem><para>
+ New mail address
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--samaccountname=SAMACCOUNTNAME</term>
+ <listitem><para>
+ New account name (sAMAccountName/logon name)
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect2>
+ <title>ldapcmp <replaceable>URL1</replaceable> <replaceable>URL2</replaceable> <replaceable>domain|configuration|schema|dnsdomain|dnsforest</replaceable> [options] </title>
+ <para>Compare two LDAP databases.</para>
+</refsect2>
+
+<refsect2>
+ <title>ntacl</title>
+ <para>Manage NT ACLs.</para>
+</refsect2>
+
+<refsect3>
+ <title>ntacl changedomsid <replaceable>original-domain-SID</replaceable> <replaceable>new-domain-SID</replaceable> <replaceable>file</replaceable> [options]</title>
+ <para>Change the domain SID for ACLs.
+ Can be used to change all entries in acl_xattr when the machine's SID
+ has accidentally changed or the data set has been copied
+ to another machine either via backup/restore or rsync.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>--use-ntvfs</term>
+ <listitem><para>
+ Set the ACLs directly to the TDB or xattr. The POSIX permissions will
+ NOT be changed, only the NT ACL will be stored.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--service=SERVICE</term>
+ <listitem><para>
+ Specify the name of the smb.conf service to use. This option is
+ required in combination with the --use-s3fs option.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--use-s3fs</term>
+ <listitem><para>
+ Set the ACLs for use with the default s3fs file server via the VFS
+ layer. This option requires a smb.conf service, specified by the
+ --service=SERVICE option.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--xattr-backend=[native|tdb]</term>
+ <listitem><para>
+ Specify the xattr backend type (native fs or tdb).
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--eadb-file=EADB_FILE</term>
+ <listitem><para>
+ Name of the tdb file where attributes are stored.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--recursive</term>
+ <listitem><para>
+ Set the ACLs for directories and their contents recursively.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--follow-symlinks</term>
+ <listitem><para>
+ Follow symlinks when --recursive is specified.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--verbose</term>
+ <listitem><para>
+ Verbosely list files and ACLs which are being processed.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+
+<refsect3>
+ <title>ntacl get <replaceable>file</replaceable> [options]</title>
+ <para>Get ACLs on a file.</para>
+</refsect3>
+
+<refsect3>
+ <title>ntacl set <replaceable>acl</replaceable> <replaceable>file</replaceable> [options]</title>
+ <para>Set ACLs on a file.</para>
+</refsect3>
+
+<refsect3>
+ <title>ntacl sysvolcheck</title>
+ <para>Check sysvol ACLs match defaults (including correct ACLs on GPOs).</para>
+</refsect3>
+
+<refsect3>
+ <title>ntacl sysvolreset</title>
+ <para>Reset sysvol ACLs to defaults (including correct ACLs on GPOs).</para>
+</refsect3>
+
+<refsect2>
+ <title>ou</title>
+ <para>Manage organizational units (OUs).</para>
+</refsect2>
+
+<refsect3>
+ <title>ou add <replaceable>ou_dn</replaceable> [options]</title>
+ <para>Add a new organizational unit.</para>
+ <para>The name of the organizational unit can be specified as a full DN
+ or without the domainDN component.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>--description=DESCRIPTION</term>
+ <listitem><para>
+ Specify OU's description.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>ou create <replaceable>ou_dn</replaceable> [options]</title>
+ <para>Add a new organizational unit. This is a synonym for the
+ <command>samba-tool ou add</command> command and is available
+ for compatibility reasons only. Please use
+ <command>samba-tool ou add</command> instead.</para>
+</refsect3>
+
+<refsect3>
+ <title>ou delete <replaceable>ou_dn</replaceable> [options]</title>
+ <para>Delete an organizational unit.</para>
+ <para>The name of the organizational unit can be specified as a full DN
+ or without the domainDN component.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>--force-subtree-delete</term>
+ <listitem><para>
+ Delete organizational unit and all children recursively.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>ou list [options]</title>
+ <para>List all organizational units.</para>
+ <variablelist>
+ <varlistentry>
+ <term>--full-dn</term>
+ <listitem><para>
+ Display DNs including the base DN.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>ou listobjects <replaceable>ou_dn</replaceable> [options]</title>
+ <para>List all objects in an organizational unit.</para>
+ <para>The name of the organizational unit can be specified as a full DN
+ or without the domainDN component.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>--full-dn</term>
+ <listitem><para>
+ Display DNs including the base DN.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-r|--recursive</term>
+ <listitem><para>
+ List objects recursively.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>ou move <replaceable>old_ou_dn</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
+ <para>Move an organizational unit.</para>
+ <para>The name of the organizational units can be specified as a full DN
+ or without the domainDN component.</para>
+</refsect3>
+
+<refsect3>
+ <title>ou rename <replaceable>old_ou_dn</replaceable> <replaceable>new_ou_dn</replaceable> [options]</title>
+ <para>Rename an organizational unit.</para>
+ <para>The name of the organizational units can be specified as a full DN
+ or without the domainDN component.</para>
+</refsect3>
+
+<refsect2>
+ <title>rodc</title>
+ <para>Manage Read-Only Domain Controller (RODC).</para>
+</refsect2>
+
+<refsect3>
+ <title>rodc preload <replaceable>SID</replaceable>|<replaceable>DN</replaceable>|<replaceable>accountname</replaceable> [options]</title>
+ <para>Preload one account for an RODC.</para>
+</refsect3>
+
+<refsect2>
+ <title>schema</title>
+ <para>Manage and query schema.</para>
+</refsect2>
+
+<refsect3>
+ <title>schema attribute modify <replaceable>attribute</replaceable> [options]</title>
+ <para>Modify the behaviour of an attribute in schema.</para>
+</refsect3>
+
+<refsect3>
+ <title>schema attribute show <replaceable>attribute</replaceable> [options]</title>
+ <para>Display an attribute schema definition.</para>
+</refsect3>
+
+<refsect3>
+ <title>schema attribute show_oc <replaceable>attribute</replaceable> [options]</title>
+ <para>Show objectclasses that MAY or MUST contain this attribute.</para>
+</refsect3>
+
+<refsect3>
+ <title>schema objectclass show <replaceable>objectclass</replaceable> [options]</title>
+ <para>Display an objectclass schema definition.</para>
+</refsect3>
+
+<refsect2>
+ <title>shell</title>
+ <para>Opens an interactive Samba Python shell.</para>
+</refsect2>
+
+<refsect3>
+ <title>shell [options]</title>
+ <para>Opens an interactive Python shell for Samba ldb connection.</para>
+ <variablelist>
+ <varlistentry>
+ <term>-H, --URL</term>
+ <listitem><para>
+ LDB URL for database or target server.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect2>
+ <title>sites</title>
+ <para>Manage sites.</para>
+</refsect2>
+
+<refsect3>
+ <title>sites list [options]</title>
+ <para>List sites.</para>
+ <variablelist>
+ <varlistentry>
+ <term>--json</term>
+ <listitem><para>
+ Output as JSON instead of a list
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>sites view <replaceable>site</replaceable> [options]</title>
+ <para>View site details.</para>
+</refsect3>
+
+<refsect3>
+ <title>sites create <replaceable>site</replaceable> [options]</title>
+ <para>Create a new site.</para>
+</refsect3>
+
+<refsect3>
+ <title>sites remove <replaceable>site</replaceable> [options]</title>
+ <para>Delete an existing site.</para>
+</refsect3>
+
+<refsect3>
+ <title>sites subnet list <replaceable>site</replaceable> [options]</title>
+ <para>List subnets for a site.</para>
+ <variablelist>
+ <varlistentry>
+ <term>--json</term>
+ <listitem><para>
+ Output as JSON instead of a list
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>sites subnet view <replaceable>subnet</replaceable> [options]</title>
+ <para>View subnet details.</para>
+</refsect3>
+
+<refsect3>
+ <title>sites subnet create <replaceable>subnet</replaceable> <replaceable>site-of-subnet</replaceable> [options]</title>
+ <para>Create a new subnet.</para>
+</refsect3>
+
+<refsect3>
+ <title>sites subnet remove <replaceable>subnet</replaceable> [options]</title>
+ <para>Delete an existing subnet.</para>
+</refsect3>
+
+<refsect3>
+ <title>sites subnet set-site <replaceable>subnet</replaceable> <replaceable>site-of-subnet</replaceable> [options]</title>
+ <para>Assign a subnet to a site.</para>
+</refsect3>
+
+<refsect2>
+ <title>spn</title>
+ <para>Manage Service Principal Names (SPN).</para>
+</refsect2>
+
+<refsect3>
+ <title>spn add <replaceable>name</replaceable> <replaceable>user</replaceable> [options]</title>
+ <para>Create a new SPN.</para>
+</refsect3>
+
+<refsect3>
+ <title>spn delete <replaceable>name</replaceable> [<replaceable>user</replaceable>] [options]</title>
+ <para>Delete an existing SPN.</para>
+</refsect3>
+
+<refsect3>
+ <title>spn list <replaceable>user</replaceable> [options]</title>
+ <para>List SPNs of a given user.</para>
+</refsect3>
+
+<refsect2>
+ <title>testparm</title>
+ <para>Check the syntax of the configuration file.</para>
+</refsect2>
+
+<refsect2>
+ <title>time</title>
+ <para>Retrieve the time on a server.</para>
+</refsect2>
+
+<refsect2>
+ <title>user</title>
+ <para>Manage users.</para>
+</refsect2>
+
+<refsect3>
+ <title>user add <replaceable>username</replaceable> [<replaceable>password</replaceable>]</title>
+ <para>Add a new user to the Active Directory Domain.</para>
+</refsect3>
+
+<refsect3>
+ <title>user create <replaceable>username</replaceable> [<replaceable>password</replaceable>]</title>
+ <para>Add a new user. This is a synonym for the
+ <command>samba-tool user add</command> command and is available
+ for compatibility reasons only. Please use
+ <command>samba-tool user add</command> instead.</para>
+</refsect3>
+
+<refsect3>
+ <title>user delete <replaceable>username</replaceable> [options]</title>
+ <para>Delete an existing user account.</para>
+</refsect3>
+
+<refsect3>
+ <title>user disable <replaceable>username</replaceable></title>
+ <para>Disable a user account.</para>
+</refsect3>
+
+<refsect3>
+ <title>user edit <replaceable>username</replaceable></title>
+ <para>Edit a user account AD object.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>--editor=EDITOR</term>
+ <listitem><para>
+ Specifies the editor to use instead of the system default, or 'vi' if no
+ system default is set.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>user enable <replaceable>username</replaceable></title>
+ <para>Enable a user account.</para>
+</refsect3>
+
+<refsect3>
+ <title>user list</title>
+ <para>List all users.</para>
+ <para>By default the user's sAMAccountNames are listed.</para>
+ <variablelist>
+ <varlistentry>
+ <term>--full-dn</term>
+ <listitem><para>
+ List user's distinguished names instead of the sAMAccountNames.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>-b BASE_DN|--base-dn=BASE_DN</term>
+ <listitem><para>
+ Specify base DN to use. Only users under the specified base DN will be
+ listed.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--hide-expired</term>
+ <listitem><para>
+ Do not list expired user accounts.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--hide-disabled</term>
+ <listitem><para>
+ Do not list disabled user accounts.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>user setprimarygroup <replaceable>username</replaceable> <replaceable>primarygroupname</replaceable></title>
+ <para>Set the primary group a user account.</para>
+</refsect3>
+
+<refsect3>
+ <title>user getgroups <replaceable>username</replaceable></title>
+ <para>Get the direct group memberships of a user account.</para>
+</refsect3>
+
+<refsect3>
+ <title>user show <replaceable>username</replaceable> [options]</title>
+ <para>Display a user AD object.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>--attributes=USER_ATTRS</term>
+ <listitem><para>
+ Comma separated list of attributes, which will be printed.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>user move <replaceable>username</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
+ <para>This command moves a user account into the specified
+ organizational unit or container.</para>
+ <para>The username specified on the command is the
+ sAMAccountName.</para>
+ <para>The name of the organizational unit or container can be
+ specified as a full DN or without the domainDN component.</para>
+</refsect3>
+
+<refsect3>
+ <title>user password [options]</title>
+ <para>Change password for a user account (the one provided in
+ authentication).</para>
+</refsect3>
+
+<refsect3>
+ <title>user rename <replaceable>username</replaceable> [options]</title>
+ <para>Rename a user and related attributes.</para>
+ <para>This command allows to set the user's name related attributes. The user's
+ CN will be renamed automatically.
+ The user's new CN will be made up by combining the given-name, initials
+ and surname. A dot ('.') will be appended to the initials automatically,
+ if required.
+ Use the --force-new-cn option to specify the new CN manually and --reset-cn
+ to reset this change.</para>
+ <para>Use an empty attribute value to remove the specified attribute.</para>
+ <para>The username specified on the command is the sAMAccountName.</para>
+
+ <variablelist>
+ <varlistentry>
+ <term>--surname=SURNAME</term>
+ <listitem><para>
+ New surname
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--given-name=GIVEN_NAME</term>
+ <listitem><para>
+ New given name
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--initials=INITIALS</term>
+ <listitem><para>
+ New initials
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--force-new-cn=NEW_CN</term>
+ <listitem><para>
+ Specify a new CN (RDN) instead of using a combination
+ of the given name, initials and surname.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--reset-cn</term>
+ <listitem><para>
+ Set the CN to the default combination of given name,
+ initials and surname.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--display-name=DISPLAY_NAME</term>
+ <listitem><para>
+ New display name
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--mail-address=MAIL_ADDRESS</term>
+ <listitem><para>
+ New email address
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--samaccountname=SAMACCOUNTNAME</term>
+ <listitem><para>
+ New account name (sAMAccountName/logon name)
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--upn=UPN</term>
+ <listitem><para>
+ New user principal name
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>user setexpiry <replaceable>username</replaceable> [options]</title>
+ <para>Set the expiration of a user account.</para>
+</refsect3>
+
+<refsect3>
+ <title>user setpassword <replaceable>username</replaceable> [options]</title>
+ <para>Sets or resets the password of a user account.</para>
+</refsect3>
+
+<refsect3>
+ <title>user unlock <replaceable>username</replaceable> [options]</title>
+ <para>This command unlocks a user account in the Active Directory
+ domain.</para>
+</refsect3>
+
+<refsect3>
+ <title>user getpassword <replaceable>username</replaceable> [options]</title>
+ <para>Gets the password of a user account.</para>
+</refsect3>
+
+<refsect3>
+ <title>user get-kerberos-ticket <replaceable>username</replaceable> [options]</title>
+ <para>Gets a Kerberos Ticket Granting Ticket as the account.</para>
+</refsect3>
+
+<refsect3>
+ <title>user syncpasswords <replaceable>--cache-ldb-initialize</replaceable> [options]</title>
+ <para>Syncs the passwords of all user accounts, using an optional script.</para>
+ <para>Note that this command should run on a single domain controller only
+ (typically the PDC-emulator).</para>
+</refsect3>
+
+<refsect3>
+ <title>user auth policy assign <replaceable>username</replaceable> [options]</title>
+ <para>Set assigned authentication policy for user.</para>
+ <variablelist>
+ <varlistentry>
+ <term>--policy</term>
+ <listitem><para>
+ Name of authentication policy to assign or leave empty to remove.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>user auth policy remove <replaceable>username</replaceable></title>
+ <para>Remove assigned authentication policy from user.</para>
+</refsect3>
+
+<refsect3>
+ <title>user auth policy view <replaceable>username</replaceable></title>
+ <para>View the assigned authentication policy for user.</para>
+</refsect3>
+
+<refsect3>
+ <title>user auth silo assign <replaceable>username</replaceable> [options]</title>
+ <para>Set assigned authentication silo for user.</para>
+ <variablelist>
+ <varlistentry>
+ <term>--silo</term>
+ <listitem><para>
+ Name of authentication silo to assign or leave empty to remove.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</refsect3>
+
+<refsect3>
+ <title>user auth silo remove <replaceable>username</replaceable></title>
+ <para>Remove assigned authentication silo from user.</para>
+</refsect3>
+
+<refsect3>
+ <title>user auth silo view <replaceable>username</replaceable></title>
+ <para>View the assigned authentication silo for user.</para>
+</refsect3>
+
+<refsect2>
+ <title>vampire [options] <replaceable>domain</replaceable></title>
+ <para>Join and synchronise a remote AD domain to the local server.
+ Please note that <command>samba-tool vampire</command> is deprecated,
+ please use <command>samba-tool domain join</command> instead.</para>
+</refsect2>
+
+<refsect2>
+ <title>visualize [options] <replaceable>subcommand</replaceable></title>
+ <para>Produce graphical representations of Samba network state.
+ To work out what is happening in a replication graph, it is sometimes
+ helpful to use visualisations.</para>
+
+ <para>
+ There are two subcommands, two graphical modes, and (roughly) two modes
+ of operation with respect to the location of authority.</para>
+
+ <refsect3><title>MODES OF OPERATION</title>
+ <varlistentry>
+ <term>samba-tool visualize ntdsconn</term>
+ <listitem><para>Looks at NTDS connections.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>samba-tool visualize reps</term>
+ <listitem><para>Looks at repsTo and repsFrom objects.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>samba-tool visualize uptodateness</term>
+ <listitem><para>Looks at replication lag as shown by the
+ uptodateness vectors.
+ </para></listitem>
+ </varlistentry>
+ </refsect3>
+
+ <refsect3><title>GRAPHICAL MODES</title>
+ <varlistentry>
+ <term>--distance</term>
+ <listitem><para>Distances between DCs are shown in a matrix in
+ the terminal.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--dot</term>
+ <listitem><para>Generate Graphviz dot output (for
+ ntdsconn and reps modes). When viewed using dot or
+ xdot, this shows the network as a graph with DCs as
+ vertices and connections edges. Certain types of
+ degenerate edges are shown in different colours or
+ line-styles. </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>--xdot</term>
+ <listitem><para>Generate Graphviz dot output as with
+ <arg choice="opt">--dot</arg> and attempt to view it
+ immediately using <command>/usr/bin/xdot</command>.
+ </para></listitem>
+ </varlistentry>
+ </refsect3>
+
+ <varlistentry>
+ <term>-r</term>
+ <listitem><para>Normally,
+ <command>samba-tool</command> talks to one database;
+ with the <arg choice="opt">-r</arg> option attempts
+ are made to contact all the DCs known to the first
+ database. This is necessary for <command>samba-tool
+ visualize uptodateness</command> and for
+ <command>samba-tool visualize reps</command> because
+ the repsFrom/To objects are not replicated, and it can
+ reveal replication issues in other modes.
+ </para></listitem>
+ </varlistentry>
+</refsect2>
+
+<refsect2>
+<title>help</title>
+<para>Gives usage information.</para>
+</refsect2>
+
+</refsect1>
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>This man page is complete for version &doc.version; of the Samba
+ suite.</para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>The original Samba software and related utilities
+ were created by Andrew Tridgell. Samba is now developed
+ by the Samba Team as an Open Source project similar
+ to the way the Linux kernel is developed.</para>
+</refsect1>
+
+</refentry>