samba-tool
Manage Active Directory via Samba
SYNOPSIS
samba-tool
PARAMETERS
--help
Displays help information for samba-tool or its specific commands/subcommands.
--version
Shows the version information of the samba-tool utility.
-k | --kerberos=METHOD
Specifies the Kerberos authentication method to use for the operation.
--realm=REALM
Defines the Kerberos realm to authenticate against.
-H | --url=URL
Specifies the LDAP URL for connecting to the domain controller, e.g., ldap://dc1.example.com.
-U | --user=USERNAME
Provides the username for authentication. Often used with --password.
-W | --workgroup=WORKGROUP
Specifies the workgroup or domain for the user account during authentication.
-P | --password=PASSWORD
Supplies the password for the specified username. Use with caution: a password passed on the command line can end up in shell history and be visible in process listings.
-N | --no-pass
Prevents samba-tool from prompting for a password, useful when using Kerberos or other authentication methods.
-S | --server=SERVER
Specifies the target domain controller by its hostname or FQDN.
-I | --ipaddress=IPADDRESS
Specifies the IP address of the target domain controller.
--bind=BINDDN
Specifies the Distinguished Name (DN) to bind as for LDAP operations.
--aeskey=KEY
Provides an AES key for authentication, typically for automated scripts.
--pwreqs=YES|NO
Controls whether password complexity requirements are enforced for user account operations.
-d | --debuglevel=DEBUGLEVEL
Sets the debug logging level (0-10) for verbose output to assist in troubleshooting.
DESCRIPTION
samba-tool is the primary command-line utility for administering a Samba Active Directory Domain Controller (AD DC). It provides a unified interface for managing various aspects of the domain, including users, groups, computers, DNS records, GPOs, and replication. Before its introduction, administration of Samba AD DC often required a mix of various tools, some specific to Samba and others generic LDAP or DNS utilities. samba-tool consolidates these functions, making management more consistent and straightforward. It interacts directly with the Samba AD DC's LDAP directory and other backend services, simplifying complex operations like adding domain members, managing trusts, or promoting/demoting domain controllers. Its comprehensive nature makes it an indispensable tool for anyone managing a Samba-based Active Directory environment.
CAVEATS
Most samba-tool operations require root privileges or equivalent administrative permissions on the Samba AD DC. It is primarily designed for managing Samba Active Directory Domain Controllers; its functionality is limited or irrelevant on standalone or member servers. Operations directly modify the AD database, so caution is advised, especially in production environments. Authentication typically relies on Kerberos; explicit --user and --password are alternatives for scripting or remote access.
AUTHENTICATION AND CONNECTIVITY
samba-tool relies heavily on Kerberos for authentication. When executed directly on the DC, it often operates without explicit credentials due to Kerberos ticket availability. For remote execution or scripting, either a proper Kerberos setup (e.g., using kinit for a privileged user) or the explicit --user/--password options are necessary. It connects to the DC's LDAP service, usually on port 389 or 636 (LDAPS).
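An added example (not part of the original page or the Samba project): a small Python audit that flags samba-tool command lines carrying a password in their arguments, as cautioned under --password, and returns a redacted copy of each line. The option names follow this page's parameter list, USER%PASSWORD is the Samba convention for -U, and the sample lines are constructed.

```python
import shlex

# Option names follow this page's parameter list (assumption of the example).
SECRET_OPTS = {"--password", "-P", "--aeskey"}
USER_OPTS = {"--user", "-U"}          # value may be USER%PASSWORD
WATCHED = SECRET_OPTS | USER_OPTS

def option_value(tokens, i):
    """Return (option, value, tokens_used) if tokens[i] is a watched option."""
    tok = tokens[i]
    opt, sep, val = tok.partition("=")
    if tok.startswith("--") and sep and opt in WATCHED:
        return opt, val, 1                        # --password=VALUE
    if tok in WATCHED and i + 1 < len(tokens):
        return tok, tokens[i + 1], 2              # --password VALUE, -U VALUE
    if tok[:2] in WATCHED and len(tok) > 2:
        return tok[:2], tok[2:], 1                # -UVALUE
    return None, None, 1

def audit_line(line):
    """Return (findings, redacted_line) for one shell command line."""
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError:                            # unbalanced quotes
        tokens = line.split()
    if not any(t.split("/")[-1] == "samba-tool" for t in tokens):
        return [], line                           # not a samba-tool call
    findings, out, i = [], [], 0
    while i < len(tokens):
        opt, val, used = option_value(tokens, i)
        if opt in SECRET_OPTS:
            findings.append(f"{opt} carries a secret on the command line")
            out += [opt, "REDACTED"]
        elif opt in USER_OPTS and "%" in val:
            findings.append(f"{opt} embeds a password after '%'")
            out += [opt, val.split("%", 1)[0] + "%REDACTED"]
        else:
            out += tokens[i:i + used]             # keep everything else as-is
        i += used
    return findings, (shlex.join(out) if findings else line)

# Constructed sample lines, e.g. from a shell history or a cron script.
SAMPLE = [
    "samba-tool user list -H ldap://dc1.example.com -U admin --password='Passw0rd!'",
    "samba-tool group list -H ldap://dc1.example.com -U 'admin%Passw0rd!'",
    "kinit admin && samba-tool user list -H ldap://dc1.example.com -N",
]
if __name__ == "__main__":
    print(*map(audit_line, SAMPLE), sep="\n")
```

The third sample line, which obtains a ticket with kinit and passes -N, is returned unchanged with no findings.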
LOGGING AND DEBUGGING
For troubleshooting issues, increasing the debug level using -d or --debuglevel can provide verbose output directly to the console or logs. Detailed information about samba-tool operations, including errors and warnings, is typically logged in Samba's main log files, found under /var/log/samba/, often named log.samba or log.ldb.
HISTORY
samba-tool was introduced as a cornerstone utility with the Samba 4.0 release. This major milestone allowed Samba to function as a full-fledged Active Directory Domain Controller. Prior to Samba 4, administrative tasks were often disparate, relying on a mix of tools like smbpasswd, net, ldbtools, and manual LDAP operations. The development of samba-tool aimed to consolidate these administrative tasks into a single, consistent, and user-friendly command-line interface, providing a unified management experience akin to Microsoft's AD management utilities. Its introduction significantly simplified the deployment and ongoing management of Samba AD DCs, making it a critical component of the Samba project.