From 8daa83a594a2e98f39d764422bfbdbc62c9efd44 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 19:20:00 +0200 Subject: Adding upstream version 2:4.20.0+dfsg. Signed-off-by: Daniel Baumann --- docs-xml/manpages/samba-tool.8.xml | 2906 ++++++++++++++++++++++++++++++++++++ 1 file changed, 2906 insertions(+) create mode 100644 docs-xml/manpages/samba-tool.8.xml (limited to 'docs-xml/manpages/samba-tool.8.xml') diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml new file mode 100644 index 0000000..3471b0e --- /dev/null +++ b/docs-xml/manpages/samba-tool.8.xml 
@@ -0,0 +1,2906 @@ + + + + + + samba-tool + 8 + Samba + System Administration tools + &doc.version; + + + + + samba-tool + Main Samba administration tool. + + + + + + samba-tool + -h + -W myworkgroup + -U user + -d debuglevel + --v + + + + + DESCRIPTION + This tool is part of the samba + 7 suite. + + + + OPTIONS + + + + + -h|--help + + Show this help message and exit + + + + &cmdline.common.connection.realm; + + &cmdline.common.credentials.simplebinddn; + + &cmdline.common.credentials.password; + + &cmdline.common.credentials.user; + + &cmdline.common.connection.workgroup; + + &cmdline.common.credentials.nopass; + + &cmdline.common.credentials.usekerberos; + + &cmdline.common.credentials.usekrb5ccache; + + &cmdline.common.credentials.authenticationfile; + + + --ipaddress=IPADDRESS + + IP address of the server + + + + + --color=always|never|auto + + + Indicate whether samba-tool should use ANSI colour codes + in its output. If 'auto' (the default), samba-tool will + use colour when its output is directed toward a terminal, + unless the NO_COLOR environment variable is set and + non-empty. + + + The values 'yes' and 'force' are accepted as synonyms for + 'always'; 'no' and 'none' for 'never'; and 'tty' and + 'if-tty' for 'auto'. + + + Note that asking for colour doesn't mean samba-tool will + necessarily be very colourful. Many commands are very + monochrome, particularly when successful. + + + + + &cmdline.common.debug.client; + + + + + +COMMANDS + + + computer + Manage computer accounts. + + + + computer add <replaceable>computername</replaceable> [options] + Add a new computer to the Active Directory Domain. + The new computer name specified on the command is the + sAMAccountName, with or without the trailing dollar sign. + + + + --computerou=COMPUTEROU + + DN of alternative location (with or without domainDN counterpart) to + default CN=Computers in which new computer object will be created. + E.g. 'OU=OUname'. 
+ + + + + --description=DESCRIPTION + + The new computer's description. + + + + + --ip-address=IP_ADDRESS_LIST + + IPv4 address for the computer's A record, or IPv6 address for AAAA record, + can be provided multiple times. + + + + + --service-principal-name=SERVICE_PRINCIPAL_NAME_LIST + + Computer's Service Principal Name, can be provided multiple times. + + + + + --prepare-oldjoin + + Prepare enabled machine account for oldjoin mechanism. + + + + + + + computer create <replaceable>computername</replaceable> [options] + Add a new computer. This is a synonym for the + samba-tool computer add command and is available + for compatibility reasons only. Please use + samba-tool computer add instead. + + + + computer delete <replaceable>computername</replaceable> [options] + Delete an existing computer account. + The computer name specified on the command is the + sAMAccountName, with or without the trailing dollar sign. + + + + computer edit <replaceable>computername</replaceable> + Edit a computer AD object. + The computer name specified on the command is the + sAMAccountName, with or without the trailing dollar sign. + + + + --editor=EDITOR + + Specifies the editor to use instead of the system default, or 'vi' if no + system default is set. + + + + + + + computer list + List all computers. + + + + computer move <replaceable>computername</replaceable> <replaceable>new_parent_dn</replaceable> [options] + This command moves a computer account into the specified + organizational unit or container. + The computername specified on the command is the + sAMAccountName, with or without the trailing dollar sign. + The name of the organizational unit or container can be + specified as a full DN or without the domainDN component. + + + + computer show <replaceable>computername</replaceable> [options] + Display a computer AD object. + The computer name specified on the command is the + sAMAccountName, with or without the trailing dollar sign. 
+ + + + --attributes=USER_ATTRS + + Comma separated list of attributes, which will be printed. + + + + + + + contact + Manage contacts. + + + + contact add [<replaceable>contactname</replaceable>] [options] + Add a new contact to the Active Directory Domain. + The name of the new contact can be specified by the first + argument 'contactname' or the --given-name, --initial and --surname + arguments. If no 'contactname' is given, contact's name will be made + up of the given arguments by combining the given-name, initials and + surname. Each argument is optional. A dot ('.') will be appended to + the initials automatically. + + + + --ou=OU + + DN of alternative location (with or without domainDN counterpart) in + which the new contact will be created. + E.g. 'OU=OUname'. + Default is the domain base. + + + + + --description=DESCRIPTION + + The new contact's description. + + + + + --surname=SURNAME + + Contact's surname. + + + + + --given-name=GIVEN_NAME + + Contact's given name. + + + + + --initials=INITIALS + + Contact's initials. + + + + + --display-name=DISPLAY_NAME + + Contact's display name. + + + + + --job-title=JOB_TITLE + + Contact's job title. + + + + + --department=DEPARTMENT + + Contact's department. + + + + + --company=COMPANY + + Contact's company. + + + + + --mail-address=MAIL_ADDRESS + + Contact's email address. + + + + + --internet-address=INTERNET_ADDRESS + + Contact's home page. + + + + + --telephone-number=TELEPHONE_NUMBER + + Contact's phone number. + + + + + --mobile-number=MOBILE_NUMBER + + Contact's mobile phone number. + + + + + --physical-delivery-office=PHYSICAL_DELIVERY_OFFICE + + Contact's office location. + + + + + + + + contact create [<replaceable>contactname</replaceable>] [options] + Add a new contact. This is a synonym for the + samba-tool contact add command and is available + for compatibility reasons only. Please use + samba-tool contact add instead. 
+ + + + contact delete <replaceable>contactname</replaceable> [options] + Delete an existing contact. + The contactname specified on the command is the common name or the + distinguished name of the contact object. The distinguished name of the + contact can be specified with or without the domainDN component. + + + + contact edit <replaceable>contactname</replaceable> + Modify a contact AD object. + The contactname specified on the command is the common name or the + distinguished name of the contact object. The distinguished name of the + contact can be specified with or without the domainDN component. + + + + --editor=EDITOR + + Specifies the editor to use instead of the system default, or 'vi' if no + system default is set. + + + + + + + contact list [options] + List all contacts. + + + + --full-dn + + Display contact's full DN instead of the name. + + + + + + + contact move <replaceable>contactname</replaceable> <replaceable>new_parent_dn</replaceable> [options] + This command moves a contact into the specified organizational + unit or container. + The contactname specified on the command is the common name or the + distinguished name of the contact object. The distinguished name of the + contact can be specified with or without the domainDN component. + + + + contact show <replaceable>contactname</replaceable> [options] + Display a contact AD object. + The contactname specified on the command is the common name or the + distinguished name of the contact object. The distinguished name of the + contact can be specified with or without the domainDN component. + + + + --attributes=CONTACT_ATTRS + + Comma separated list of attributes, which will be printed. + + + + + + + contact rename <replaceable>contactname</replaceable> [options] + Rename a contact and related attributes. + This command allows to set the contact's name related attributes. The contact's + CN will be renamed automatically. 
+ The contact's new CN will be made up by combining the given-name, initials + and surname. A dot ('.') will be appended to the initials automatically, + if required. + Use the --force-new-cn option to specify the new CN manually and --reset-cn + to reset this change. + Use an empty attribute value to remove the specified attribute. + The contact name specified on the command is the CN. + + + + --surname=SURNAME + + New surname. + + + + + --given-name=GIVEN_NAME + + New given name. + + + + + --initials=INITIALS + + New initials. + + + + + --force-new-cn=NEW_CN + + Specify a new CN (RDN) instead of using a combination + of the given name, initials and surname. + + + + + --reset-cn + + Set the CN to the default combination of given name, + initials and surname. + + + + + --display-name=DISPLAY_NAME + + New display name. + + + + + --mail-address=MAIL_ADDRESS + + New email address. + + + + + + + dbcheck + Check the local AD database for errors. + + + + delegation + Manage Delegations. + + + + delegation add-service <replaceable>accountname</replaceable> <replaceable>principal</replaceable> [options] + Add a service principal as msDS-AllowedToDelegateTo. + + + + delegation del-service <replaceable>accountname</replaceable> <replaceable>principal</replaceable> [options] + Delete a service principal as msDS-AllowedToDelegateTo. + + + + delegation for-any-protocol <replaceable>accountname</replaceable> [(on|off)] [options] + Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy) + for an account. + + + + delegation for-any-service <replaceable>accountname</replaceable> [(on|off)] [options] + Set/unset UF_TRUSTED_FOR_DELEGATION for an account. + + + + delegation show <replaceable>accountname</replaceable> [options] + Show the delegation setting of an account. + + + + dns + Manage Domain Name Service (DNS). 
+ + + + dns add <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>data</replaceable> + Add a DNS record. + + + + dns delete <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>data</replaceable> + Delete a DNS record. + + + + dns query <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT|ALL</replaceable> [options] <replaceable>data</replaceable> + Query a name. + + + + dns roothints <replaceable>server</replaceable> [<replaceable>name</replaceable>] [options] + Query root hints. + + + + dns serverinfo <replaceable>server</replaceable> [options] + Query server information. + + + + dns update <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>olddata</replaceable> <replaceable>newdata</replaceable> + Update a DNS record. + + + + dns zonecreate <replaceable>server</replaceable> <replaceable>zone</replaceable> [options] + Create a zone. + + + + dns zonedelete <replaceable>server</replaceable> <replaceable>zone</replaceable> [options] + Delete a zone. + + + + dns zoneinfo <replaceable>server</replaceable> <replaceable>zone</replaceable> [options] + Query zone information. + + + + dns zonelist <replaceable>server</replaceable> [options] + List zones. + + + + domain + Manage Domain. + + + + domain backup + Create or restore a backup of the domain. + + + + domain backup offline + Backup (with proper locking) local domain directories into a tar file. + + + + domain backup online + Copy a running DC's current DB into a backup tar file. + + + + domain backup rename + Copy a running DC's DB to backup file, renaming the domain in the process. 
+ + + + domain backup restore + Restore the domain's DB from a backup-file. + + + + domain auth policy list + List authentication policies on the domain. + + + -H, --URL + + LDB URL for database or target server. + + + + --json + + View authentication policies as JSON instead of a list. + + + + + + + domain auth policy view + View an authentication policy on the domain. + + + -H, --URL + + LDB URL for database or target server. + + + + --name + + Name of the authentication policy to view (required). + + + + + + + domain auth policy create + Create authentication policies on the domain. + + + -H, --URL + + LDB URL for database or target server. + + + + --name + + Name of the authentication policy (required). + + + + --description + + Optional description for the authentication policy. + + + + --protect + + + Protect authentication policy from accidental deletion. + + + Cannot be used together with --unprotect. + + + + + --unprotect + + + Unprotect authentication policy from accidental deletion. + + + Cannot be used together with --protect. + + + + + --audit + + + Only audit authentication policy. + + + Cannot be used together with --enforce. + + + + + --enforce + + + Enforce authentication policy. + + + Cannot be used together with --audit. + + + + + --strong-ntlm-policy + + + Strong NTLM Policy (Disabled, Optional, Required). + + + + + --user-tgt-lifetime-mins + + + Ticket-Granting-Ticket lifetime for user accounts. + + + + + --user-allow-ntlm-auth + + + Allow NTLM and + Interactive NETLOGON SamLogon + authentication despite the + fact that + allowed-to-authenticate-from + is in use, which would + otherwise restrict the user to selected devices. + + + + + --user-allowed-to-authenticate-from + + + Conditions a device must meet + for users covered by this + policy to be allowed to + authenticate. While this is a + restriction on the device, + any conditional ACE rules are + expressed as if the device was + a user. 
+ + + Must be a valid SDDL string + without reference to Device + keywords. + + + Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)})) + + + + + --user-allowed-to-authenticate-from-silo + + + User is allowed to + authenticate, if the device they + authenticate from is assigned + and granted membership of a + given silo. + + + This attribute avoids the need to write SDDL by hand and + cannot be used with --user-allowed-to-authenticate-from + + + + + --user-allowed-to-authenticate-to=SDDL + + + This policy, applying to a + user account that is offering + a service, eg a web server + with a user account, restricts + which accounts may access it. + + + Must be a valid SDDL string. + The SDDL can reference both + bare (user) and Device conditions. + + + SDDL Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)})) + + + + + --user-allowed-to-authenticate-to-by-group=GROUP + + + The user account, offering a + network service, covered by + this policy, will only be allowed + access from other accounts + that are members of the given + GROUP. + + + This attribute avoids the need to write SDDL by hand and + cannot be used with --user-allowed-to-authenticate-to + + + + + --user-allowed-to-authenticate-to-by-silo=SILO + + + The user account, offering a + network service, covered by + this policy, will only be + allowed access from other accounts + that are assigned to, + granted membership of (and + meet any authentication + conditions of) the given SILO. + + + This attribute avoids the need to write SDDL by hand and + cannot be used with --user-allowed-to-authenticate-to + + + + + --service-tgt-lifetime-mins + + + Ticket-Granting-Ticket lifetime for service accounts. + + + + + --service-allow-ntlm-auth + + + Allow NTLM network authentication when service + is restricted to selected devices. + + + + + --service-allowed-to-authenticate-from + + + Conditions a device must meet + for service accounts covered + by this policy to be allowed + to authenticate. 
While this + is a restriction on the + device, any conditional ACE + rules are expressed as if the + device was a user. + + + Must be a valid SDDL string + without reference to Device + keywords. + + + SDDL Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)})) + + + + + --service-allowed-to-authenticate-from-device-silo=SILO + + + The service account (eg a Managed + Service Account, Group Managed + Service Account) is allowed to + authenticate, if the device it + authenticates from is assigned + and granted membership of a + given SILO. + + + This attribute avoids the need to write SDDL by hand and + cannot be used with --service-allowed-to-authenticate-from + + + + + --service-allowed-to-authenticate-from-device-group=GROUP + + + The service account (eg a Managed + Service Account, Group Managed + Service Account) is allowed to + authenticate, if the device it + authenticates from is a member + of the given group. + + + This attribute avoids the need to write SDDL by hand and + cannot be used with --service-allowed-to-authenticate-from + + + + + --service-allowed-to-authenticate-to=SDDL + + + This policy, applying to a + service account (eg a Managed + Service Account, Group Managed + Service Account), restricts + which accounts may access it. + + + Must be a valid SDDL string. + The SDDL can reference both + bare (user) and Device conditions. + + + SDDL Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)})) + + + + + --service-allowed-to-authenticate-to-by-group=GROUP + + + The service account (eg a Managed + Service Account, Group Managed + Service Account), will only be + allowed access by other accounts + that are members of the given + GROUP. 
+ + + This attribute avoids the need to write SDDL by hand and + cannot be used with --service-allowed-to-authenticate-to + + + + + --service-allowed-to-authenticate-to-by-silo=SILO + + + The service account (eg a + Managed Service Account, Group + Managed Service Account), will + only be allowed access by other + accounts that are assigned + to, granted membership of (and + meet any authentication + conditions of) the given SILO. + + + This attribute avoids the need to write SDDL by hand and + cannot be used with --service-allowed-to-authenticate-to + + + + + --computer-tgt-lifetime-mins + + + Ticket-Granting-Ticket lifetime for computer accounts. + + + + + --computer-allowed-to-authenticate-to=SDDL + + + This policy, applying to a + computer account (eg a server + or workstation), restricts + which accounts may access it. + + + Must be a valid SDDL string. + The SDDL can reference both + bare (user) and Device conditions. + + + SDDL Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)})) + + + + + --computer-allowed-to-authenticate-to-by-group=GROUP + + + The computer account (eg a server + or workstation), will only be + allowed access by other accounts + that are members of the given + GROUP. + + + This attribute avoids the need to write SDDL by hand and + cannot be used with --computer-allowed-to-authenticate-to + + + + + --computer-allowed-to-authenticate-to-by-silo=SILO + + + The computer account (eg a + server or workstation), will + only be allowed access by + other accounts that are + assigned to, granted + membership of (and meet any + authentication conditions of) + the given SILO. + + + This attribute avoids the need to write SDDL by hand and + cannot be used with --computer-allowed-to-authenticate-to + + + + + + + + + domain auth policy modify + Modify authentication policies on the domain. The same + options apply as for domain auth policy create. + + + + domain auth policy delete + Delete authentication policies on the domain. 
+ + + -H, --URL + + LDB URL for database or target server. + + + + --name + + Name of authentication policy to delete (required). + + + + --force + + Force authentication policy delete even if it is protected. + + + + + + + domain auth silo list + List authentication silos on the domain. + + + -H, --URL + + LDB URL for database or target server. + + + + --json + + View authentication silos as JSON instead of a list. + + + + + + + domain auth silo view + View an authentication silo on the domain. + + + -H, --URL + + LDB URL for database or target server. + + + + --name + + Name of the authentication silo to view (required). + + + + + + + domain auth silo create + Create authentication silos on the domain. + + + -H, --URL + + LDB URL for database or target server. + + + + --name + + Name of the authentication silo (required). + + + + --description + + Optional description for the authentication silo. + + + + --user-authentication-policy + + User account authentication policy. + + + + --service-authentication-policy + + Managed service account authentication policy. + + + + --computer-authentication-policy + + Computer authentication policy. + + + + --protect + + + Protect authentication silo from accidental deletion. + + + Cannot be used together with --unprotect. + + + + + --unprotect + + + Unprotect authentication silo from accidental deletion. + + + Cannot be used together with --protect. + + + + + --audit + + + Only audit silo policies. + + + Cannot be used together with --enforce. + + + + + --enforce + + + Enforce silo policies. + + + Cannot be used together with --audit. + + + + + + + + domain auth silo modify + Modify authentication silos on the domain. + + + -H, --URL + + LDB URL for database or target server. + + + + --name + + Name of the authentication silo (required). + + + + --description + + Optional description for the authentication silo. + + + + --user-authentication-policy + + User account authentication policy. 
+ + + + --service-authentication-policy + + Managed service account authentication policy. + + + + --computer-authentication-policy + + Computer authentication policy. + + + + --protect + + + Protect authentication silo from accidental deletion. + + + Cannot be used together with --unprotect. + + + + + --unprotect + + + Unprotect authentication silo from accidental deletion. + + + Cannot be used together with --protect. + + + + + --audit + + + Only audit silo policies. + + + Cannot be used together with --enforce. + + + + + --enforce + + + Enforce silo policies. + + + Cannot be used together with --audit. + + + + + + + + domain auth silo delete + Delete authentication silos on the domain. + + + -H, --URL + + LDB URL for database or target server. + + + + --name + + Name of authentication silo to delete (required). + + + + --force + + Force authentication silo delete even if it is protected. + + + + + + + domain auth silo member grant + Grant a member access to an authentication silo. + + + -H, --URL + + LDB URL for database or target server. + + + + --name + + Name of authentication silo (required). + + + + --member + + Member to grant access to the silo (DN or account name). + + + + + + + domain auth silo member list + List members in an authentication silo. + + + -H, --URL + + LDB URL for database or target server. + + + + --name + + Name of authentication silo (required). + + + + --json + + View members as JSON instead of a list. + + + + + + + domain auth silo member revoke + Revoke a member from an authentication silo. + + + -H, --URL + + LDB URL for database or target server. + + + + --name + + Name of authentication silo (required). + + + + --member + + Member to revoke from the silo (DN or account name). + + + + + + + domain claim claim-type list + List claim types on the domain. + + + -H, --URL + + LDB URL for database or target server. + + + + --json + + View claim types as JSON instead of a list. 
+ + + + + + + domain claim claim-type view + View a single claim type on the domain. + + + -H, --URL + + LDB URL for database or target server. + + + + --name + + Display name of claim type to view (required). + + + + + + + domain claim claim-type create + Create claim types on the domain. + + + -H, --URL + + LDB URL for database or target server. + + + + --attribute + + Attribute of claim type to create (required). + + + + --class + + + Object classes to set claim type to. + + + Example: --class=user --class=computer + + + + + --name + + Optional display name or use attribute name. + + + + --description + + Optional description or use from attribute. + + + + --enable + + + Enable claim type. + + + Cannot be used together with --disable. + + + + + --disable + + + Disable claim type. + + + Cannot be used together with --enable. + + + + + --protect + + + Protect claim type from accidental deletion. + + + Cannot be used together with --unprotect. + + + + + --unprotect + + + Unprotect claim type from accidental deletion. + + + Cannot be used together with --protect. + + + + + + + + domain claim claim-type modify + Modify claim types on the domain. + + + -H, --URL + + LDB URL for database or target server. + + + + --name + + Display name of claim type to modify (required). + + + + --class + + + Object classes to set claim type to. + + + Example: --class=user --class=computer + + + + + --description + + Set the claim type description. + + + + --enable + + + Enable claim type. + + + Cannot be used together with --disable. + + + + + --disable + + + Disable claim type. + + + Cannot be used together with --enable. + + + + + --protect + + + Protect claim type from accidental deletion. + + + Cannot be used together with --unprotect. + + + + + --unprotect + + + Unprotect claim type from accidental deletion. + + + Cannot be used together with --protect. + + + + + + + + domain claim claim-type delete + Delete claim types on the domain. 
+ + + -H, --URL + + LDB URL for database or target server. + + + + --name + + Display name of claim type to delete (required). + + + + --force + + Force claim type delete even if it is protected. + + + + + + + domain claim value-type list + List claim value types on the domain. + + + -H, --URL + + LDB URL for database or target server. + + + + --json + + View claim value types as JSON instead of a list. + + + + + + + domain claim value-type view + View a single claim value type on the domain. + + + -H, --URL + + LDB URL for database or target server. + + + + --name + + Display name of claim value type to view (required). + + + + + + + domain classicupgrade [options] <replaceable>classic_smb_conf</replaceable> + Upgrade from Samba classic (NT4-like) database to Samba AD DC + database. + + + + domain dcpromo <replaceable>dnsdomain</replaceable> [DC|RODC] [options] + Promote an existing domain member or NT4 PDC to an AD DC. + + + + domain demote + Demote ourselves from the role of domain controller. + + + + domain exportkeytab <replaceable>keytab</replaceable> [options] + Dumps Kerberos keys of the domain into a keytab. + + + + domain info <replaceable>ip_address</replaceable> [options] + Print basic info about a domain and the specified DC. + + + + + domain join <replaceable>dnsdomain</replaceable> [DC|RODC|MEMBER|SUBDOMAIN] [options] + Join a domain as either member or backup domain controller. + + + + domain level <replaceable>show|raise</replaceable> <replaceable>options</replaceable> [options] + Show/raise domain and forest function levels. + + + + domain passwordsettings <replaceable>show|set</replaceable> <replaceable>options</replaceable> [options] + Show/set password settings. + + + + domain passwordsettings pso + Manage fine-grained Password Settings Objects (PSOs). + + + + domain passwordsettings pso apply <replaceable>pso-name</replaceable> <replaceable>user-or-group-name</replaceable> [options] + Applies a PSO's password policy to a user or group. 
+ + + + domain passwordsettings pso create <replaceable>pso-name</replaceable> <replaceable>precedence</replaceable> [options] + Creates a new Password Settings Object (PSO). + + + + domain passwordsettings pso delete <replaceable>pso-name</replaceable> [options] + Deletes a Password Settings Object (PSO). + + + + domain passwordsettings pso list [options] + Lists all Password Settings Objects (PSOs). + + + + domain passwordsettings pso set <replaceable>pso-name</replaceable> [options] + Modifies a Password Settings Object (PSO). + + + + domain passwordsettings pso show <replaceable>user-name</replaceable> [options] + Displays a Password Settings Object (PSO). + + + + domain passwordsettings pso show-user <replaceable>pso-name</replaceable> [options] + Displays the Password Settings that apply to a user. + + + + domain passwordsettings pso unapply <replaceable>pso-name</replaceable> <replaceable>user-or-group-name</replaceable> [options] + Updates a PSO to no longer apply to a user or group. + + + + domain provision + Promote an existing domain member or NT4 PDC to an AD DC. + + + + domain trust + Domain and forest trust management. + + + + domain trust create <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options] + Create a domain or forest trust. + + + + domain trust modify <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options] + Modify a domain or forest trust. + + + + domain trust delete <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options] + Delete a domain trust. + + + + domain trust list <replaceable>options</replaceable> [options] + List domain trusts. + + + + domain trust namespaces [<replaceable>DOMAIN</replaceable>] <replaceable>options</replaceable> [options] + Manage forest trust namespaces. + + + + domain trust show <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options] + Show trusted domain details. 
+ + + + domain trust validate <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options] + Validate a domain trust. + + + + drs + Manage Directory Replication Services (DRS). + + + + drs bind + Show DRS capabilities of a server. + + + + drs kcc + Trigger knowledge consistency center run. + + + + drs options + Query or change options for NTDS Settings + object of a domain controller. + + + + drs replicate <replaceable>destination_DC</replaceable> <replaceable>source_DC</replaceable> <replaceable>NC</replaceable> [options] + Replicate a naming context between two DCs. + + + + drs showrepl + Show replication status. The --json option results in JSON output, and + with the --summary option produces + very little output when the replication status seems healthy. + + + + + dsacl + Administer DS ACLs + + + + dsacl delete + Delete an access list entry on a directory object. + + + + dsacl get + Print access list on a directory object. + + + + dsacl set + Modify access list on a directory object. + + + + forest + Manage Forest configuration. + + + + forest directory_service + Manage directory_service behaviour for the forest. + + + + forest directory_service dsheuristics <replaceable>VALUE</replaceable> + Modify dsheuristics directory_service configuration for the forest. + + + + forest directory_service show + Show current directory_service configuration for the forest. + + + + fsmo + Manage Flexible Single Master Operations (FSMO). + + + + fsmo seize [options] + Seize the role. + + + + fsmo show + Show the roles. + + + + fsmo transfer [options] + Transfer the role. + + + + gpo + Manage Group Policy Objects (GPO). + + + + gpo create <replaceable>displayname</replaceable> [options] + Create an empty GPO. + + + + gpo del <replaceable>gpo</replaceable> [options] + Delete GPO. + + + + gpo dellink <replaceable>container_dn</replaceable> <replaceable>gpo</replaceable> [options] + Delete GPO link from a container. 
+ + + + gpo fetch <replaceable>gpo</replaceable> [options] + Download a GPO. + + + + gpo getinheritance <replaceable>container_dn</replaceable> [options] + Get inheritance flag for a container. + + + + gpo getlink <replaceable>container_dn</replaceable> [options] + List GPO Links for a container. + + + + gpo list <replaceable>username</replaceable> [options] + List GPOs for an account. + + + + gpo listall + List all GPOs. + + + + gpo listcontainers <replaceable>gpo</replaceable> [options] + List all linked containers for a GPO. + + + + gpo setinheritance <replaceable>container_dn</replaceable> <replaceable>block|inherit</replaceable> [options] + Set inheritance flag on a container. + + + + gpo setlink <replaceable>container_dn</replaceable> <replaceable>gpo</replaceable> [options] + Add or Update a GPO link to a container. + + + + gpo show <replaceable>gpo</replaceable> [options] + Show information for a GPO. + + + + gpo manage symlink list + List VGP Symbolic Link Group Policy from the sysvol + + + + gpo manage symlink add + Adds a VGP Symbolic Link Group Policy to the sysvol + + + + gpo manage symlink remove + Removes a VGP Symbolic Link Group Policy from the sysvol + + + + gpo manage files list + List VGP Files Group Policy from the sysvol + + + + gpo manage files add + Add VGP Files Group Policy to the sysvol + + + + gpo manage files remove + Remove VGP Files Group Policy from the sysvol + + + + gpo manage openssh list + List VGP OpenSSH Group Policy from the sysvol + + + + gpo manage openssh set + Sets a VGP OpenSSH Group Policy to the sysvol + + + + gpo manage sudoers add + Adds a Samba Sudoers Group Policy to the sysvol. + + + + gpo manage sudoers list + List Samba Sudoers Group Policy from the sysvol. + + + + gpo manage sudoers remove + Removes a Samba Sudoers Group Policy from the sysvol. 
+ + + + gpo manage scripts startup list + List VGP Startup Script Group Policy from the sysvol + + + + gpo manage scripts startup add + Adds VGP Startup Script Group Policy to the sysvol + + + + gpo manage scripts startup remove + Removes VGP Startup Script Group Policy from the sysvol + + + + gpo manage motd list + List VGP MOTD Group Policy from the sysvol. + + + + gpo manage motd set + Sets a VGP MOTD Group Policy to the sysvol + + + + gpo manage issue list + List VGP Issue Group Policy from the sysvol. + + + + gpo manage issue set + Sets a VGP Issue Group Policy to the sysvol + + + + gpo manage access add + Adds a VGP Host Access Group Policy to the sysvol + + + + gpo manage access list + List VGP Host Access Group Policy from the sysvol + + + + gpo manage access remove + Remove a VGP Host Access Group Policy from the sysvol + + + + group + Manage groups. + + + + group add <replaceable>groupname</replaceable> [options] + Create a new AD group. + + + + group create <replaceable>groupname</replaceable> [options] + Add a new AD group. This is a synonym for the + samba-tool group add command and is available + for compatibility reasons only. Please use + samba-tool group add instead. + + + + group addmembers <replaceable>groupname</replaceable> <replaceable>members</replaceable> [options] + Add members to an AD group. + + + + group delete <replaceable>groupname</replaceable> [options] + Delete an AD group. + + + + group edit <replaceable>groupname</replaceable> + Edit a group AD object. + + + + --editor=EDITOR + + Specifies the editor to use instead of the system default, or 'vi' if no + system default is set. + + + + + + + group list + List all groups. + + + + group listmembers <replaceable>groupname</replaceable> [options] + List all members of the specified AD group. + By default the sAMAccountNames are listed. If no sAMAccountName + is available, the CN will be used instead. + + + --full-dn + + List the distinguished names instead of the sAMAccountNames. 
+ + + + --hide-expired + + Do not list expired group members. + + + + --hide-disabled + + Do not list disabled group members. + + + + + + + group move <replaceable>groupname</replaceable> <replaceable>new_parent_dn</replaceable> [options] + This command moves a group into the specified organizational unit + or container. + The groupname specified on the command is the sAMAccountName. + + The name of the organizational unit or container can be + specified as a full DN or without the domainDN component. + + + + + group removemembers <replaceable>groupname</replaceable> <replaceable>members</replaceable> [options] + Remove members from the specified AD group. + + + + group show <replaceable>groupname</replaceable> [options] + Show group object and it's attributes. + + + + group stats [options] + Show statistics for overall groups and group memberships. + + + + group rename <replaceable>groupname</replaceable> [options] + Rename a group and related attributes. + This command allows to set the group's name related attributes. The + group's CN will be renamed automatically. + The group's CN will be the sAMAccountName. + Use the --force-new-cn option to specify the new CN manually and the + --reset-cn to reset this change. + Use an empty attribute value to remove the specified attribute. + The groupname specified on the command is the sAMAccountName. + + + + --force-new-cn=NEW_CN + + Specify a new CN (RDN) instead of using the sAMAccountName. + + + + + --reset-cn + + Set the CN to the sAMAccountName. + + + + + --mail-address=MAIL_ADDRESS + + New mail address + + + + + --samaccountname=SAMACCOUNTNAME + + New account name (sAMAccountName/logon name) + + + + + + + ldapcmp <replaceable>URL1</replaceable> <replaceable>URL2</replaceable> <replaceable>domain|configuration|schema|dnsdomain|dnsforest</replaceable> [options] + Compare two LDAP databases. + + + + ntacl + Manage NT ACLs. 
+ + + + ntacl changedomsid <replaceable>original-domain-SID</replaceable> <replaceable>new-domain-SID</replaceable> <replaceable>file</replaceable> [options] + Change the domain SID for ACLs. + Can be used to change all entries in acl_xattr when the machine's SID + has accidentally changed or the data set has been copied + to another machine either via backup/restore or rsync. + + + + --use-ntvfs + + Set the ACLs directly to the TDB or xattr. The POSIX permissions will + NOT be changed, only the NT ACL will be stored. + + + + + --service=SERVICE + + Specify the name of the smb.conf service to use. This option is + required in combination with the --use-s3fs option. + + + + + --use-s3fs + + Set the ACLs for use with the default s3fs file server via the VFS + layer. This option requires a smb.conf service, specified by the + --service=SERVICE option. + + + + + --xattr-backend=[native|tdb] + + Specify the xattr backend type (native fs or tdb). + + + + + --eadb-file=EADB_FILE + + Name of the tdb file where attributes are stored. + + + + + --recursive + + Set the ACLs for directories and their contents recursively. + + + + + --follow-symlinks + + Follow symlinks when --recursive is specified. + + + + + --verbose + + Verbosely list files and ACLs which are being processed. + + + + + + + + ntacl get <replaceable>file</replaceable> [options] + Get ACLs on a file. + + + + ntacl set <replaceable>acl</replaceable> <replaceable>file</replaceable> [options] + Set ACLs on a file. + + + + ntacl sysvolcheck + Check sysvol ACLs match defaults (including correct ACLs on GPOs). + + + + ntacl sysvolreset + Reset sysvol ACLs to defaults (including correct ACLs on GPOs). + + + + ou + Manage organizational units (OUs). + + + + ou add <replaceable>ou_dn</replaceable> [options] + Add a new organizational unit. + The name of the organizational unit can be specified as a full DN + or without the domainDN component. + + + + --description=DESCRIPTION + + Specify OU's description. 
+ + + + + + + ou create <replaceable>ou_dn</replaceable> [options] + Add a new organizational unit. This is a synonym for the + samba-tool ou add command and is available + for compatibility reasons only. Please use + samba-tool ou add instead. + + + + ou delete <replaceable>ou_dn</replaceable> [options] + Delete an organizational unit. + The name of the organizational unit can be specified as a full DN + or without the domainDN component. + + + + --force-subtree-delete + + Delete organizational unit and all children recursively. + + + + + + + ou list [options] + List all organizational units. + + + --full-dn + + Display DNs including the base DN. + + + + + + + ou listobjects <replaceable>ou_dn</replaceable> [options] + List all objects in an organizational unit. + The name of the organizational unit can be specified as a full DN + or without the domainDN component. + + + + --full-dn + + Display DNs including the base DN. + + + + + -r|--recursive + + List objects recursively. + + + + + + + ou move <replaceable>old_ou_dn</replaceable> <replaceable>new_parent_dn</replaceable> [options] + Move an organizational unit. + The name of the organizational units can be specified as a full DN + or without the domainDN component. + + + + ou rename <replaceable>old_ou_dn</replaceable> <replaceable>new_ou_dn</replaceable> [options] + Rename an organizational unit. + The name of the organizational units can be specified as a full DN + or without the domainDN component. + + + + rodc + Manage Read-Only Domain Controller (RODC). + + + + rodc preload <replaceable>SID</replaceable>|<replaceable>DN</replaceable>|<replaceable>accountname</replaceable> [options] + Preload one account for an RODC. + + + + schema + Manage and query schema. + + + + schema attribute modify <replaceable>attribute</replaceable> [options] + Modify the behaviour of an attribute in schema. + + + + schema attribute show <replaceable>attribute</replaceable> [options] + Display an attribute schema definition. 
+ + + + schema attribute show_oc <replaceable>attribute</replaceable> [options] + Show objectclasses that MAY or MUST contain this attribute. + + + + schema objectclass show <replaceable>objectclass</replaceable> [options] + Display an objectclass schema definition. + + + + shell + Opens an interactive Samba Python shell. + + + + shell [options] + Opens an interactive Python shell for Samba ldb connection. + + + -H, --URL + + LDB URL for database or target server. + + + + + + + sites + Manage sites. + + + + sites list [options] + List sites. + + + --json + + Output as JSON instead of a list + + + + + + + sites view <replaceable>site</replaceable> [options] + View site details. + + + + sites create <replaceable>site</replaceable> [options] + Create a new site. + + + + sites remove <replaceable>site</replaceable> [options] + Delete an existing site. + + + + sites subnet list <replaceable>site</replaceable> [options] + List subnets for a site. + + + --json + + Output as JSON instead of a list + + + + + + + sites subnet view <replaceable>subnet</replaceable> [options] + View subnet details. + + + + sites subnet create <replaceable>subnet</replaceable> <replaceable>site-of-subnet</replaceable> [options] + Create a new subnet. + + + + sites subnet remove <replaceable>subnet</replaceable> [options] + Delete an existing subnet. + + + + sites subnet set-site <replaceable>subnet</replaceable> <replaceable>site-of-subnet</replaceable> [options] + Assign a subnet to a site. + + + + spn + Manage Service Principal Names (SPN). + + + + spn add <replaceable>name</replaceable> <replaceable>user</replaceable> [options] + Create a new SPN. + + + + spn delete <replaceable>name</replaceable> [<replaceable>user</replaceable>] [options] + Delete an existing SPN. + + + + spn list <replaceable>user</replaceable> [options] + List SPNs of a given user. + + + + testparm + Check the syntax of the configuration file. + + + + time + Retrieve the time on a server. + + + + user + Manage users. 
+ + + + user add <replaceable>username</replaceable> [<replaceable>password</replaceable>] + Add a new user to the Active Directory Domain. + + + + user create <replaceable>username</replaceable> [<replaceable>password</replaceable>] + Add a new user. This is a synonym for the + samba-tool user add command and is available + for compatibility reasons only. Please use + samba-tool user add instead. + + + + user delete <replaceable>username</replaceable> [options] + Delete an existing user account. + + + + user disable <replaceable>username</replaceable> + Disable a user account. + + + + user edit <replaceable>username</replaceable> + Edit a user account AD object. + + + + --editor=EDITOR + + Specifies the editor to use instead of the system default, or 'vi' if no + system default is set. + + + + + + + user enable <replaceable>username</replaceable> + Enable a user account. + + + + user list + List all users. + By default the user's sAMAccountNames are listed. + + + --full-dn + + List user's distinguished names instead of the sAMAccountNames. + + + + -b BASE_DN|--base-dn=BASE_DN + + Specify base DN to use. Only users under the specified base DN will be + listed. + + + + --hide-expired + + Do not list expired user accounts. + + + + --hide-disabled + + Do not list disabled user accounts. + + + + + + + user setprimarygroup <replaceable>username</replaceable> <replaceable>primarygroupname</replaceable> + Set the primary group a user account. + + + + user getgroups <replaceable>username</replaceable> + Get the direct group memberships of a user account. + + + + user show <replaceable>username</replaceable> [options] + Display a user AD object. + + + + --attributes=USER_ATTRS + + Comma separated list of attributes, which will be printed. + + + + + + + user move <replaceable>username</replaceable> <replaceable>new_parent_dn</replaceable> [options] + This command moves a user account into the specified + organizational unit or container. 
+ The username specified on the command is the + sAMAccountName. + The name of the organizational unit or container can be + specified as a full DN or without the domainDN component. + + + + user password [options] + Change password for a user account (the one provided in + authentication). + + + + user rename <replaceable>username</replaceable> [options] + Rename a user and related attributes. + This command allows to set the user's name related attributes. The user's + CN will be renamed automatically. + The user's new CN will be made up by combining the given-name, initials + and surname. A dot ('.') will be appended to the initials automatically, + if required. + Use the --force-new-cn option to specify the new CN manually and --reset-cn + to reset this change. + Use an empty attribute value to remove the specified attribute. + The username specified on the command is the sAMAccountName. + + + + --surname=SURNAME + + New surname + + + + + --given-name=GIVEN_NAME + + New given name + + + + + --initials=INITIALS + + New initials + + + + + --force-new-cn=NEW_CN + + Specify a new CN (RDN) instead of using a combination + of the given name, initials and surname. + + + + + --reset-cn + + Set the CN to the default combination of given name, + initials and surname. + + + + + --display-name=DISPLAY_NAME + + New display name + + + + + --mail-address=MAIL_ADDRESS + + New email address + + + + + --samaccountname=SAMACCOUNTNAME + + New account name (sAMAccountName/logon name) + + + + + --upn=UPN + + New user principal name + + + + + + + user setexpiry <replaceable>username</replaceable> [options] + Set the expiration of a user account. + + + + user setpassword <replaceable>username</replaceable> [options] + Sets or resets the password of a user account. + + + + user unlock <replaceable>username</replaceable> [options] + This command unlocks a user account in the Active Directory + domain. 
+ + + + user getpassword <replaceable>username</replaceable> [options] + Gets the password of a user account. + + + + user get-kerberos-ticket <replaceable>username</replaceable> [options] + Gets a Kerberos Ticket Granting Ticket as the account. + + + + user syncpasswords <replaceable>--cache-ldb-initialize</replaceable> [options] + Syncs the passwords of all user accounts, using an optional script. + Note that this command should run on a single domain controller only + (typically the PDC-emulator). + + + + user auth policy assign <replaceable>username</replaceable> [options] + Set assigned authentication policy for user. + + + --policy + + Name of authentication policy to assign or leave empty to remove. + + + + + + + user auth policy remove <replaceable>username</replaceable> + Remove assigned authentication policy from user. + + + + user auth policy view <replaceable>username</replaceable> + View the assigned authentication policy for user. + + + + user auth silo assign <replaceable>username</replaceable> [options] + Set assigned authentication silo for user. + + + --silo + + Name of authentication silo to assign or leave empty to remove. + + + + + + + user auth silo remove <replaceable>username</replaceable> + Remove assigned authentication silo from user. + + + + user auth silo view <replaceable>username</replaceable> + View the assigned authentication silo for user. + + + + vampire [options] <replaceable>domain</replaceable> + Join and synchronise a remote AD domain to the local server. + Please note that samba-tool vampire is deprecated, + please use samba-tool domain join instead. + + + + visualize [options] <replaceable>subcommand</replaceable> + Produce graphical representations of Samba network state. + To work out what is happening in a replication graph, it is sometimes + helpful to use visualisations. + + + There are two subcommands, two graphical modes, and (roughly) two modes + of operation with respect to the location of authority. 
+ + MODES OF OPERATION + + samba-tool visualize ntdsconn + Looks at NTDS connections. + + + + + samba-tool visualize reps + Looks at repsTo and repsFrom objects. + + + + + samba-tool visualize uptodateness + Looks at replication lag as shown by the + uptodateness vectors. + + + + + GRAPHICAL MODES + + --distance + Distances between DCs are shown in a matrix in + the terminal. + + + + + --dot + Generate Graphviz dot output (for + ntdsconn and reps modes). When viewed using dot or + xdot, this shows the network as a graph with DCs as + vertices and connections edges. Certain types of + degenerate edges are shown in different colours or + line-styles. + + + --xdot + Generate Graphviz dot output as with + --dot and attempt to view it + immediately using /usr/bin/xdot. + + + + + + -r + Normally, + samba-tool talks to one database; + with the -r option attempts + are made to contact all the DCs known to the first + database. This is necessary for samba-tool + visualize uptodateness and for + samba-tool visualize reps because + the repsFrom/To objects are not replicated, and it can + reveal replication issues in other modes. + + + + + +help +Gives usage information. + + + + + + VERSION + + This man page is complete for version &doc.version; of the Samba + suite. + + + + AUTHOR + + The original Samba software and related utilities + were created by Andrew Tridgell. Samba is now developed + by the Samba Team as an Open Source project similar + to the way the Linux kernel is developed. + + + -- cgit v1.2.3
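Review bot: the `visualize` text in this hunk contradicts its own lists: the intro says "There are two subcommands, two graphical modes", but the MODES OF OPERATION list that follows has three entries (ntdsconn, reps, uptodateness) and GRAPHICAL MODES has three (--distance, --dot, --xdot); the counts should be corrected or the sentence dropped. In the `user` section, `user getpassword` and `user get-kerberos-ticket` say what they return but not what the caller must be allowed to do; since both hand out account credentials, each entry should state the privileges required (and, for getpassword, which attributes are read), so an administrator reading the page understands the exposure. Smaller fixes in the same hunk: the `domain trust validate` synopsis lists both `<replaceable>options</replaceable>` and `[options]`; `drs kcc` should read "Knowledge Consistency Checker" rather than "knowledge consistency center"; `group show` has "it's attributes" for "its attributes"; `user setprimarygroup` is missing "of" in "Set the primary group of a user account"; `group rename` and `user rename` use "allows to set", which should be "allows setting"; and the `--follow-symlinks` entry under `ntacl changedomsid` would benefit from a sentence on whether symlink targets outside the starting directory are rewritten when `--recursive` is given.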