samba-tool

samba-tool [-h] [-W myworkgroup] [-U user] [-d debuglevel] [--v]

This tool is part of the samba(7) suite.

-h|--help

Show this help message and exit

--realm=REALM

Set the realm name

--simple-bind-dn=DN

DN to use for a simple bind

--password=PASSWORD

Password

-U USERNAME|--username=USERNAME

Username

-W WORKGROUP|--workgroup=WORKGROUP

Workgroup

-N|--no-pass

Dont ask for a password

-k KERBEROS|--kerberos=KERBEROS

Use Kerberos

--ipaddress=IPADDRESS

IP address of the server

-d|--debuglevel=level

level is an integer from 0 to 10. The default value if this parameter is not specified is 1.

The higher this value, the more detail will be logged to the log files about the activities of the server. At level 0, only critical errors and serious warnings will be logged. Level 1 is a reasonable level for day-to-day running - it generates a small amount of information about operations carried out.

Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.

Note that specifying this parameter here will override the log level parameter in the smb.conf file.

-V|--version

Prints the program version number.

-s|--configfile=<configuration file>

The file specified contains the configuration details required by the server. The information in this file includes server-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide. See smb.conf for more information. The default configuration file name is determined at compile time.

-l|--log-basename=logdirectory

Base directory name for log/debug files. The extension ".progname" will be appended (e.g. log.smbclient, log.smbd, etc...). The log file is never removed by the client.

--option=<name>=<value>

Set the smb.conf(5) option "<name>" to value "<value>" from the command line. This overrides compiled-in defaults and options read from the configuration file.

computer

Manage computer accounts.

computer add computername [options]

Add a new computer to the Active Directory Domain.

The new computer name specified on the command is the sAMAccountName, with or without the trailing dollar sign.

--computerou=COMPUTEROU

DN of alternative location (with or without domainDN counterpart) to default CN=Computers in which new computer object will be created. E.g. OU=OUname.

--description=DESCRIPTION

The new computerss description.

--ip-address=IP_ADDRESS_LIST

IPv4 address for the computers A record, or IPv6 address for AAAA record, can be provided multiple times.

--service-principal-name=SERVICE_PRINCIPAL_NAME_LIST

Computers Service Principal Name, can be provided multiple times.

--prepare-oldjoin

Prepare enabled machine account for oldjoin mechanism.

computer create computername [options]

Add a new computer. This is a synonym for the samba-tool computer add command and is available for compatibility reasons only. Please use samba-tool computer add instead.

computer delete computername [options]

Delete an existing computer account.

The computer name specified on the command is the sAMAccountName, with or without the trailing dollar sign.

computer edit computername

Edit a computer AD object.

The computer name specified on the command is the sAMAccountName, with or without the trailing dollar sign.

--editor=EDITOR

Specifies the editor to use instead of the system default, or vi if no system default is set.

computer list

List all computers.

computer move computername new_parent_dn [options]

This command moves a computer account into the specified organizational unit or container.

The computername specified on the command is the sAMAccountName, with or without the trailing dollar sign.

The name of the organizational unit or container can be specified as a full DN or without the domainDN component.

computer show computername [options]

Display a computer AD object.

The computer name specified on the command is the sAMAccountName, with or without the trailing dollar sign.

--attributes=USER_ATTRS

Comma separated list of attributes, which will be printed.

contact

Manage contacts.

contact add [contactname] [options]

Add a new contact to the Active Directory Domain.

The name of the new contact can be specified by the first argument contactname or the --given-name, --initial and --surname arguments. If no contactname is given, contacts name will be made up of the given arguments by combining the given-name, initials and surname. Each argument is optional. A dot (.) will be appended to the initials automatically.

--ou=OU

DN of alternative location (with or without domainDN counterpart) in which the new contact will be created. E.g. OU=OUname. Default is the domain base.

--description=DESCRIPTION

The new contactss description.

--surname=SURNAME

Contacts surname.

--given-name=GIVEN_NAME

Contacts given name.

--initials=INITIALS

Contacts initials.

--display-name=DISPLAY_NAME

Contacts display name.

--job-title=JOB_TITLE

Contacts job title.

--department=DEPARTMENT

Contacts department.

--company=COMPANY

Contacts company.

--mail-address=MAIL_ADDRESS

Contacts email address.

--internet-address=INTERNET_ADDRESS

Contacts home page.

--telephone-number=TELEPHONE_NUMBER

Contacts phone number.

--mobile-number=MOBILE_NUMBER

Contacts mobile phone number.

--physical-delivery-office=PHYSICAL_DELIVERY_OFFICE

Contacts office location.

contact create [contactname] [options]

Add a new contact. This is a synonym for the samba-tool contact add command and is available for compatibility reasons only. Please use samba-tool contact add instead.

contact delete contactname [options]

Delete an existing contact.

The contactname specified on the command is the common name or the distinguished name of the contact object. The distinguished name of the contact can be specified with or without the domainDN component.

contact edit contactname

Modify a contact AD object.

The contactname specified on the command is the common name or the distinguished name of the contact object. The distinguished name of the contact can be specified with or without the domainDN component.

--editor=EDITOR

Specifies the editor to use instead of the system default, or vi if no system default is set.

contact list [options]

List all contacts.

--full-dn

Display contacts full DN instead of the name.

contact move contactname new_parent_dn [options]

This command moves a contact into the specified organizational unit or container.

The contactname specified on the command is the common name or the distinguished name of the contact object. The distinguished name of the contact can be specified with or without the domainDN component.

contact show contactname [options]

Display a contact AD object.

The contactname specified on the command is the common name or the distinguished name of the contact object. The distinguished name of the contact can be specified with or without the domainDN component.

--attributes=CONTACT_ATTRS

Comma separated list of attributes, which will be printed.

contact rename contactname [options]

Rename a contact and related attributes.

This command allows to set the contacts name related attributes. The contacts CN will be renamed automatically. The contacts new CN will be made up by combining the given-name, initials and surname. A dot (.) will be appended to the initials automatically, if required. Use the --force-new-cn option to specify the new CN manually and --reset-cn to reset this change.

Use an empty attribute value to remove the specified attribute.

The contact name specified on the command is the CN.

--surname=SURNAME

New surname.

--given-name=GIVEN_NAME

New given name.

--initials=INITIALS

New initials.

--force-new-cn=NEW_CN

Specify a new CN (RDN) instead of using a combination of the given name, initials and surname.

--reset-cn

Set the CN to the default combination of given name, initials and surname.

--display-name=DISPLAY_NAME

New display name.

--mail-address=MAIL_ADDRESS

New email address.

dbcheck

Check the local AD database for errors.

delegation

Manage Delegations.

delegation add-service accountname principal [options]

Add a service principal as msDS-AllowedToDelegateTo.

delegation del-service accountname principal [options]

Delete a service principal as msDS-AllowedToDelegateTo.

delegation for-any-protocol accountname [(on|off)] [options]

Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy) for an account.

delegation for-any-service accountname [(on|off)] [options]

Set/unset UF_TRUSTED_FOR_DELEGATION for an account.

delegation show accountname [options]

Show the delegation setting of an account.

dns

Manage Domain Name Service (DNS).

dns add server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data

Add a DNS record.

dns delete server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data

Delete a DNS record.

dns query server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT|ALL [options] data

Query a name.

dns roothints server [name] [options]

Query root hints.

dns serverinfo server [options]

Query server information.

dns update server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT olddata newdata

Update a DNS record.

dns zonecreate server zone [options]

Create a zone.

dns zonedelete server zone [options]

Delete a zone.

dns zoneinfo server zone [options]

Query zone information.

dns zonelist server [options]

List zones.

domain

Manage Domain.

domain backup

Create or restore a backup of the domain.

domain backup offline

Backup (with proper locking) local domain directories into a tar file.

domain backup online

Copy a running DCs current DB into a backup tar file.

domain backup rename

Copy a running DCs DB to backup file, renaming the domain in the process.

domain backup restore

Restore the domains DB from a backup-file.

domain classicupgrade [options] classic_smb_conf

Upgrade from Samba classic (NT4-like) database to Samba AD DC database.

domain dcpromo dnsdomain [DC|RODC] [options]

Promote an existing domain member or NT4 PDC to an AD DC.

domain demote

Demote ourselves from the role of domain controller.

domain exportkeytab keytab [options]

Dumps Kerberos keys of the domain into a keytab.

domain info ip_address [options]

Print basic info about a domain and the specified DC.

domain join dnsdomain [DC|RODC|MEMBER|SUBDOMAIN] [options]

Join a domain as either member or backup domain controller.

domain level show|raise options [options]

Show/raise domain and forest function levels.

domain passwordsettings show|set options [options]

Show/set password settings.

domain passwordsettings pso

Manage fine-grained Password Settings Objects (PSOs).

domain passwordsettings pso apply pso-name user-or-group-name [options]

Applies a PSOs password policy to a user or group.

domain passwordsettings pso create pso-name precedence [options]

Creates a new Password Settings Object (PSO).

domain passwordsettings pso delete pso-name [options]

Deletes a Password Settings Object (PSO).

domain passwordsettings pso list [options]

Lists all Password Settings Objects (PSOs).

domain passwordsettings pso set pso-name [options]

Modifies a Password Settings Object (PSO).

domain passwordsettings pso show user-name [options]

Displays a Password Settings Object (PSO).

domain passwordsettings pso show-user pso-name [options]

Displays the Password Settings that apply to a user.

domain passwordsettings pso unapply pso-name user-or-group-name [options]

Updates a PSO to no longer apply to a user or group.

domain provision

Promote an existing domain member or NT4 PDC to an AD DC.

domain trust

Domain and forest trust management.

domain trust create DOMAIN options [options]

Create a domain or forest trust.

domain trust delete DOMAIN options [options]

Delete a domain trust.

domain trust list options [options]

List domain trusts.

domain trust namespaces [DOMAIN] options [options]

Manage forest trust namespaces.

domain trust show DOMAIN options [options]

Show trusted domain details.

domain trust validate DOMAIN options [options]

Validate a domain trust.

drs

Manage Directory Replication Services (DRS).

drs bind

Show DRS capabilities of a server.

drs kcc

Trigger knowledge consistency center run.

drs options

Query or change options for NTDS Settings object of a domain controller.

drs replicate destination_DC source_DC NC [options]

Replicate a naming context between two DCs.

drs showrepl

Show replication status. The [--json] option results in JSON output, and with the [--summary] option produces very little output when the replication status seems healthy.

dsacl

Administer DS ACLs

dsacl set

Modify access list on a directory object.

forest

Manage Forest configuration.

forest directory_service

Manage directory_service behaviour for the forest.

forest directory_service dsheuristics VALUE

Modify dsheuristics directory_service configuration for the forest.

forest directory_service show

Show current directory_service configuration for the forest.

fsmo

Manage Flexible Single Master Operations (FSMO).

fsmo seize [options]

Seize the role.

fsmo show

Show the roles.

fsmo transfer [options]

Transfer the role.

gpo

Manage Group Policy Objects (GPO).

gpo create displayname [options]

Create an empty GPO.

gpo del gpo [options]

Delete GPO.

gpo dellink container_dn gpo [options]

Delete GPO link from a container.

gpo fetch gpo [options]

Download a GPO.

gpo getinheritance container_dn [options]

Get inheritance flag for a container.

gpo getlink container_dn [options]

List GPO Links for a container.

gpo list username [options]

List GPOs for an account.

gpo listall

List all GPOs.

gpo listcontainers gpo [options]

List all linked containers for a GPO.

gpo setinheritance container_dn block|inherit [options]

Set inheritance flag on a container.

gpo setlink container_dn gpo [options]

Add or Update a GPO link to a container.

gpo show gpo [options]

Show information for a GPO.

group

Manage groups.

group add groupname [options]

Create a new AD group.

group create groupname [options]

Add a new AD group. This is a synonym for the samba-tool group add command and is available for compatibility reasons only. Please use samba-tool group add instead.

group addmembers groupname members [options]

Add members to an AD group.

group delete groupname [options]

Delete an AD group.

group edit groupname

Edit a group AD object.

--editor=EDITOR

Specifies the editor to use instead of the system default, or vi if no system default is set.

group list

List all groups.

group listmembers groupname [options]

List all members of the specified AD group.

By default the sAMAccountNames are listed. If no sAMAccountName is available, the CN will be used instead.

--full-dn

List the distinguished names instead of the sAMAccountNames.

--hide-expired

Do not list expired group members.

--hide-disabled

Do not list disabled group members.

group move groupname new_parent_dn [options]

This command moves a group into the specified organizational unit or container.

The groupname specified on the command is the sAMAccountName.

The name of the organizational unit or container can be specified as a full DN or without the domainDN component.

group removemembers groupname members [options]

Remove members from the specified AD group.

group show groupname [options]

Show group object and its attributes.

group stats [options]

Show statistics for overall groups and group memberships.

group rename groupname [options]

Rename a group and related attributes.

This command allows to set the groups name related attributes. The groups CN will be renamed automatically. The groups CN will be the sAMAccountName. Use the --force-new-cn option to specify the new CN manually and the --reset-cn to reset this change.

Use an empty attribute value to remove the specified attribute.

The groupname specified on the command is the sAMAccountName.

--force-new-cn=NEW_CN

Specify a new CN (RDN) instead of using the sAMAccountName.

--reset-cn

Set the CN to the sAMAccountName.

--mail-address=MAIL_ADDRESS

New mail address

--samaccountname=SAMACCOUNTNAME

New account name (sAMAccountName/logon name)

ldapcmp URL1 URL2 domain|configuration|schema|dnsdomain|dnsforest [options]

Compare two LDAP databases.

ntacl

Manage NT ACLs.

ntacl changedomsid original-domain-SID new-domain-SID file [options]

Change the domain SID for ACLs. Can be used to change all entries in acl_xattr when the machines SID has accidentally changed or the data set has been copied to another machine either via backup/restore or rsync.

--use-ntvfs

Set the ACLs directly to the TDB or xattr. The POSIX permissions will NOT be changed, only the NT ACL will be stored.

--service=SERVICE

Specify the name of the smb.conf service to use. This option is required in combination with the --use-s3fs option.

--use-s3fs

Set the ACLs for use with the default s3fs file server via the VFS layer. This option requires a smb.conf service, specified by the --service=SERVICE option.

--xattr-backend=[native|tdb]

Specify the xattr backend type (native fs or tdb).

--eadb-file=EADB_FILE

Name of the tdb file where attributes are stored.

--recursive

Set the ACLs for directories and their contents recursively.

--follow-symlinks

Follow symlinks when --recursive is specified.

--verbose

Verbosely list files and ACLs which are being processed.

ntacl get file [options]

Get ACLs on a file.

ntacl set acl file [options]

Set ACLs on a file.

ntacl sysvolcheck

Check sysvol ACLs match defaults (including correct ACLs on GPOs).

ntacl sysvolreset

Reset sysvol ACLs to defaults (including correct ACLs on GPOs).

ou

Manage organizational units (OUs).

ou add ou_dn [options]

Add a new organizational unit.

The name of the organizational unit can be specified as a full DN or without the domainDN component.

--description=DESCRIPTION

Specify OUs description.

ou create ou_dn [options]

Add a new organizational unit. This is a synonym for the samba-tool ou add command and is available for compatibility reasons only. Please use samba-tool ou add instead.

ou delete ou_dn [options]

Delete an organizational unit.

The name of the organizational unit can be specified as a full DN or without the domainDN component.

--force-subtree-delete

Delete organizational unit and all children reclusively.

ou list [options]

List all organizational units.

--full-dn

Display DNs including the base DN.

ou listobjects ou_dn [options]

List all objects in an organizational unit.

The name of the organizational unit can be specified as a full DN or without the domainDN component.

--full-dn

Display DNs including the base DN.

-r|--recursive

List objects recursively.

ou move old_ou_dn new_parent_dn [options]

Move an organizational unit.

The name of the organizational units can be specified as a full DN or without the domainDN component.

ou rename old_ou_dn new_ou_dn [options]

Rename an organizational unit.

The name of the organizational units can be specified as a full DN or without the domainDN component.

rodc

Manage Read-Only Domain Controller (RODC).

rodc preload SID|DN|accountname [options]

Preload one account for an RODC.

schema

Manage and query schema.

schema attribute modify attribute [options]

Modify the behaviour of an attribute in schema.

schema attribute show attribute [options]

Display an attribute schema definition.

schema attribute show_oc attribute [options]

Show objectclasses that MAY or MUST contain this attribute.

schema objectclass show objectclass [options]

Display an objectclass schema definition.

sites

Manage sites.

sites create site [options]

Create a new site.

sites remove site [options]

Delete an existing site.

spn

Manage Service Principal Names (SPN).

spn add name user [options]

Create a new SPN.

spn delete name [user] [options]

Delete an existing SPN.

spn list user [options]

List SPNs of a given user.

testparm

Check the syntax of the configuration file.

time

Retrieve the time on a server.

user

Manage users.

user add username [password]

Add a new user to the Active Directory Domain.

user create username [password]

Add a new user. This is a synonym for the samba-tool user add command and is available for compatibility reasons only. Please use samba-tool user add instead.

user delete username [options]

Delete an existing user account.

user disable username

Disable a user account.

user edit username

Edit a user account AD object.

--editor=EDITOR

Specifies the editor to use instead of the system default, or vi if no system default is set.

user enable username

Enable a user account.

user list

List all users.

By default the users sAMAccountNames are listed.

--full-dn

List users distinguished names instead of the sAMAccountNames.

-b BASE_DN|--base-dn=BASE_DN

Specify base DN to use. Only users under the specified base DN will be listed.

--hide-expired

Do not list expired user accounts.

--hide-disabled

Do not list disabled user accounts.

user setprimarygroup username primarygroupname

Set the primary group a user account.

user getgroups username

Get the direct group memberships of a user account.

user show username [options]

Display a user AD object.

--attributes=USER_ATTRS

Comma separated list of attributes, which will be printed.

user move username new_parent_dn [options]

This command moves a user account into the specified organizational unit or container.

The username specified on the command is the sAMAccountName.

The name of the organizational unit or container can be specified as a full DN or without the domainDN component.

user password [options]

Change password for a user account (the one provided in authentication).

user rename username [options]

Rename a user and related attributes.

This command allows to set the users name related attributes. The users CN will be renamed automatically. The users new CN will be made up by combining the given-name, initials and surname. A dot (.) will be appended to the initials automatically, if required. Use the --force-new-cn option to specify the new CN manually and --reset-cn to reset this change.

Use an empty attribute value to remove the specified attribute.

The username specified on the command is the sAMAccountName.

--surname=SURNAME

New surname

--given-name=GIVEN_NAME

New given name

--initials=INITIALS

New initials

--force-new-cn=NEW_CN

Specify a new CN (RDN) instead of using a combination of the given name, initials and surname.

--reset-cn

Set the CN to the default combination of given name, initials and surname.

--display-name=DISPLAY_NAME

New display name

--mail-address=MAIL_ADDRESS

New email address

--samaccountname=SAMACCOUNTNAME

New account name (sAMAccountName/logon name)

--upn=UPN

New user principal name

user setexpiry username [options]

Set the expiration of a user account.

user setpassword username [options]

Sets or resets the password of a user account.

user unlock username [options]

This command unlocks a user account in the Active Directory domain.

user getpassword username [options]

Gets the password of a user account.

user syncpasswords --cache-ldb-initialize [options]

Syncs the passwords of all user accounts, using an optional script.

Note that this command should run on a single domain controller only (typically the PDC-emulator).

vampire [options] domain

Join and synchronise a remote AD domain to the local server. Please note that samba-tool vampire is deprecated, please use samba-tool domain join instead.

visualize [options] subcommand

Produce graphical representations of Samba network state. To work out what is happening in a replication graph, it is sometimes helpful to use visualisations.

There are two subcommands, two graphical modes, and (roughly) two modes of operation with respect to the location of authority.

MODES OF OPERATION

samba-tool visualize ntdsconn

Looks at NTDS connections.

samba-tool visualize reps

Looks at repsTo and repsFrom objects.

samba-tool visualize uptodateness

Looks at replication lag as shown by the uptodateness vectors.

GRAPHICAL MODES

--distance

Distances between DCs are shown in a matrix in the terminal.

--dot

Generate Graphviz dot output (for ntdsconn and reps modes). When viewed using dot or xdot, this shows the network as a graph with DCs as vertices and connections edges. Certain types of degenerate edges are shown in different colours or line-styles.

--xdot

Generate Graphviz dot output as with [--dot] and attempt to view it immediately using /usr/bin/xdot.

-r

Normally, samba-tool talks to one database; with the [-r] option attempts are made to contact all the DCs known to the first database. This is necessary for samba-tool visualize uptodateness and for samba-tool visualize reps because the repsFrom/To objects are not replicated, and it can reveal replication issues in other modes.

help

Gives usage information.

This man page is complete for version 4.14.0 of the Samba suite.

The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.