smbta-util

smbta-util <command> [<options>]

Common commands include:
  smbta-util check-consistency [<options>]
  smbta-util repl-sync [<options>]
  smbta-util domain-status [<options>]
  smbta-util dc-health [<options>]

check-consistency
    Performs an integrity and consistency check of the Samba AD database. This helps identify issues like orphaned records or replication discrepancies.

repl-sync
    Forces immediate replication synchronization with other domain controllers. Useful for ensuring data consistency across multiple DCs.

domain-status
    Displays the current status and health information of the Samba Active Directory domain.

dc-health
    Performs a series of health checks on the local Samba AD Domain Controller, assessing services, replication, and overall operational status.

--realm=<realm>
    Specifies the Kerberos realm to which the AD DC belongs. Often inferred or set by default.

--target=<target_dc>
    Specifies the target Domain Controller for operations like replication synchronization or health checks.

--username=<username>
    Specifies the administrative username to use for authentication against the AD DC.

--password=<password>
    Specifies the password for the given username. For security, it's often better to omit this and let the command prompt for it.

--verbose
    Increases the verbosity of the command output, providing more detailed information during execution.

--help
    Displays a help message for the smbta-util command or its specific subcommands.

The smbta-util command is a utility within the Samba suite designed for advanced administration and troubleshooting of a Samba Active Directory Domain Controller (AD DC). It provides functionalities to interact with the internal Samba AD database, perform consistency checks, manage replication, and monitor the health of the domain controller. It is particularly useful for diagnosing and resolving issues related to AD database integrity, SYSVOL replication, and Kerberos secret synchronization within a Samba AD environment. This command is typically used by system administrators managing a Samba-based Active Directory infrastructure.

This command requires administrative privileges (root or a user with sufficient permissions within the Samba AD domain). It should only be used by experienced administrators, as incorrect usage, particularly with replication commands, can lead to data inconsistencies or service disruption within the Active Directory domain. It is specific to Samba AD DC environments and is not applicable to standalone Samba servers or other directory services.

Many operations with smbta-util, especially those modifying the AD database or forcing replication, require authentication as an administrative user within the Samba AD domain. This can be done via Kerberos tickets (using kinit) or by explicitly providing --username and --password arguments.

Typical use cases include diagnosing replication failures between Samba AD DCs, verifying database integrity after a crash or power outage, forcing replication sync for specific directory partitions, and generally monitoring the health of the AD environment to preempt issues.

smbta-util was introduced as part of the Samba 4.x series, specifically with the full implementation of Active Directory Domain Controller capabilities. It provides an essential set of tools for managing the internal state of the Samba AD database, which became necessary with Samba's role as a complete AD DC, handling complex replication and consistency requirements that went beyond traditional file and print services.

samba(7), samba-tool(8), ldbtool(8), kinit(1)