1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
6 <refentrytitle>net</refentrytitle>
7 <manvolnum>8</manvolnum>
8 <refmiscinfo class="source">Samba</refmiscinfo>
9 <refmiscinfo class="manual">System Administration tools</refmiscinfo>
10 <refmiscinfo class="version">&doc.version;</refmiscinfo>
15 <refname>net</refname>
16 <refpurpose>Tool for administration of Samba and remote
23 <command>net</command>
24 <arg choice="req"><ads|rap|rpc></arg>
25 <arg choice="opt">-h|--help</arg>
26 <arg choice="opt">-w|--workgroup workgroup</arg>
27 <arg choice="opt">-W|--myworkgroup myworkgroup</arg>
28 <arg choice="opt">-U|--user user</arg>
29 <arg choice="opt">-A|--authentication-file authfile</arg>
30 <arg choice="opt">-I|--ipaddress ip-address</arg>
31 <arg choice="opt">-p|--port port</arg>
32 <arg choice="opt">-n myname</arg>
33 <arg choice="opt">-s conffile</arg>
34 <arg choice="opt">-S|--server server</arg>
35 <arg choice="opt">-l|--long</arg>
36 <arg choice="opt">-v|--verbose</arg>
37 <arg choice="opt">-f|--force</arg>
38 <arg choice="opt">-P|--machine-pass</arg>
39 <arg choice="opt">-d debuglevel</arg>
40 <arg choice="opt">-V</arg>
41 <arg choice="opt">--request-timeout seconds</arg>
42 <arg choice="opt">-t|--timeout seconds</arg>
43 <arg choice="opt">-i|--stdin</arg>
44 <arg choice="opt">--tallocreport</arg>
49 <title>DESCRIPTION</title>
51 <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
52 <manvolnum>7</manvolnum></citerefentry> suite.</para>
54 <para>The Samba net utility is meant to work just like the net utility
55 available for windows and DOS. The first argument should be used
56 to specify the protocol to use when executing a certain command.
57 ADS is used for ActiveDirectory, RAP is using for old (Win9x/NT3)
58 clients and RPC can be used for NT4 and Windows 2000. If this
59 argument is omitted, net will try to determine it automatically.
60 Not all commands are available on all protocols.
66 <title>OPTIONS</title>
73 <term>-w|--workgroup target-workgroup</term>
75 Sets target workgroup or domain. You have to specify
76 either this option or the IP address or the name of a server.
81 <term>-W|--myworkgroup workgroup</term>
83 Sets client workgroup or domain
88 <term>-U|--user user</term>
95 <term>-I|--ipaddress ip-address</term>
97 IP address of target server to use. You have to
98 specify either this option or a target workgroup or
104 <term>-p|--port port</term>
106 Port on the target server to connect to (usually 139 or 445).
107 Defaults to trying 445 first, then 139.
111 &stdarg.netbios.name;
114 <term>-S|--server server</term>
116 Name of target server. You should specify either
117 this option or a target workgroup or a target IP address.
122 <term>-l|--long</term>
124 When listing data, give more information on each item.
129 <term>-v|--verbose</term>
131 When listing data, give more verbose information on each item.
136 <term>-f|--force</term>
138 Enforcing a net command.
143 <term>-P|--machine-pass</term>
145 Make queries to the external server using the machine account of the local server.
150 <term>--request-timeout 30</term>
152 Let client requests timeout after 30 seconds the default is 10
158 <term>-t|--timeout 30</term>
160 Set timeout for client operations to 30 seconds.
165 <term>--use-ccache</term>
167 Try to use the credentials cached by winbind.
172 <term>-i|--stdin</term>
174 Take input for net commands from standard input.
179 <term>--tallocreport</term>
181 Generate a talloc report while processing a net
187 <term>-T|--test</term>
188 <listitem><para>Only test command sequence, dry-run.
193 <term>-F|--flags FLAGS</term>
194 <listitem><para>Pass down integer flags to a net subcommand.
199 <term>-C|--comment COMMENT</term>
200 <listitem><para>Pass down a comment string to a net subcommand.
205 <term>-n|--myname MYNAME</term>
206 <listitem><para>Use MYNAME as a requester name for a net subcommand.
211 <term>-c|--container CONTAINER</term>
212 <listitem><para>Use a specific AD container for net ads operations.
217 <term>-M|--maxusers MAXUSERS</term>
218 <listitem><para>Fill in the maxusers field in net rpc share operations.
223 <term>-r|--reboot</term>
224 <listitem><para>Reboot a remote machine after a command has been successfully executed (e.g. in remote join operations).
228 <!-- Options for net rpc vampire -->
231 <term>--force-full-repl</term>
233 When calling "net rpc vampire keytab" this option
234 enforces a full re-creation of the generated keytab file.
239 <term>--single-obj-repl</term>
241 When calling "net rpc vampire keytab" this option
242 allows one to replicate just a single object to the generated keytab file.
247 <term>--clean-old-entries</term>
249 When calling "net rpc vampire keytab" this option
250 allows one to cleanup old entries from the generated keytab file.
254 <!-- Options for net idmap -->
258 <listitem><para>Define dbfile for "net idmap" commands.
264 <listitem><para>Activates locking of the dbfile for "net idmap check" command.
269 <term>-a|--auto</term>
270 <listitem><para>Activates noninteractive mode in "net idmap check".
275 <term>--repair</term>
276 <listitem><para>Activates repair mode in "net idmap check".
280 <!-- Options for net rpc share migrate -->
284 <listitem><para>Includes ACLs to be copied in "net rpc share migrate".
290 <listitem><para>Includes file attributes to be copied in "net rpc share migrate".
295 <term>--timestamps</term>
296 <listitem><para>Includes timestamps to be copied in "net rpc share migrate".
301 <term>-X|--exclude DIRECTORY</term>
302 <listitem><para>Allows one to exclude directories when copying with "net rpc share migrate".
307 <term>--destination SERVERNAME</term>
308 <listitem><para>Defines the target servername of migration process (defaults to localhost).
312 <!-- Options for net groupmap set -->
315 <term>-L|--local</term>
316 <listitem><para>Sets the type of group mapping to local
317 (used in "net groupmap set").
322 <term>-D|--domain</term>
323 <listitem><para>Sets the type of group mapping to domain
324 (used in "net groupmap set").
329 <term>-N|--ntname NTNAME</term>
330 <listitem><para>Sets the ntname of a group mapping
331 (used in "net groupmap set").
336 <term>-R|--rid RID</term>
337 <listitem><para>Sets the rid of a group mapping
338 (used in "net groupmap set").
342 <!-- Options for net registry check -->
345 <term>--reg-version REG_VERSION</term>
346 <listitem><para>Assume database version {n|1,2,3}
347 (used in "net registry check").
352 <term>-o|--output FILENAME</term>
353 <listitem><para>Output database file
354 (used in "net registry check").
360 <listitem><para>Create a new database from scratch
361 (used in "net registry check").
365 <!-- Options for net registry import -->
368 <term>--precheck PRECHECK_DB_FILENAME</term>
369 <listitem><para>Defines filename for database prechecking
370 (used in "net registry import").
375 <term>--no-dns-updates</term>
376 <listitem><para>Do not perform DNS updates as part of
382 <term>--keep-account</term>
383 <listitem><para>Prevent the machine account removal as
384 part of "net ads leave".
390 <listitem><para>Report results in JSON format for
391 "net ads info" and "net ads lookup".
395 <!-- Options for net vfs stream2abouble -->
398 <term>--recursive</term>
399 <listitem><para>Traverse a directory
400 hierarchy.</para></listitem>
404 <term>--continue</term>
405 <listitem><para>Continue traversing a directory hierarchy in
406 case conversion of one file fails.</para></listitem>
410 <term>--follow-symlinks</term>
411 <listitem><para>Follow symlinks encountered while traversing a
412 directory.</para></listitem>
416 &popt.common.samba.client;
422 <title>COMMANDS</title>
425 <title>CHANGESECRETPW</title>
427 <para>This command allows the Samba machine account password to be set from an external application
428 to a machine account password that has already been stored in Active Directory. DO NOT USE this command
429 unless you know exactly what you are doing. The use of this command requires that the force flag (-f)
430 be used also. There will be NO command prompt. Whatever information is piped into stdin, either by
431 typing at the command line or otherwise, will be stored as the literal machine password. Do NOT use
432 this without care and attention as it will overwrite a legitimate machine password without warning.
433 YOU HAVE BEEN WARNED.
441 <para>The <command>NET TIME</command> command allows you to view the time on a remote server
442 or synchronise the time on the local server with the time on the remote server.</para>
447 <para>Without any options, the <command>NET TIME</command> command
448 displays the time on the remote server. The remote server must be
449 specified with the -S option.
455 <title>TIME SYSTEM</title>
457 <para>Displays the time on the remote server in a format ready for <command>/bin/date</command>.
458 The remote server must be specified with the -S option.
464 <title>TIME SET</title>
465 <para>Tries to set the date and time of the local server to that on
466 the remote server using <command>/bin/date</command>.
467 The remote server must be specified with the -S option.
473 <title>TIME ZONE</title>
475 <para>Displays the timezone in hours from GMT on the remote server.
476 The remote server must be specified with the -S option.
483 <title>[RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]]
484 [dnshostname=FQDN] [createupn=UPN] [createcomputer=OU] [machinepass=PASS]
485 [osName=string osVer=string] [options]</title>
488 Join a domain. If the account already exists on the server, and
489 [TYPE] is MEMBER, the machine will attempt to join automatically.
490 (Assuming that the machine has been created in server manager)
491 Otherwise, a password will be prompted for, and a new account may
495 [TYPE] may be PDC, BDC or MEMBER to specify the type of server
500 [FQDN] (ADS only) set the dnsHostName attribute during the join.
501 The default format is netbiosname.dnsdomain.
505 [UPN] (ADS only) set the principalname attribute during the join. The default
506 format is host/netbiosname@REALM.
510 [OU] (ADS only) Precreate the computer account in a specific OU. The
511 OU string reads from top to bottom without RDNs, and is delimited by
512 a '/'. Please note that '\' is used for escape by both the shell
513 and ldap, so it may need to be doubled or quadrupled to pass through,
514 and it is not used as a delimiter.
517 [PASS] (ADS only) Set a specific password on the computer account
518 being created by the join.
521 [osName=string osVer=String] (ADS only) Set the operatingSystem and
522 operatingSystemVersion attribute during the join. Both parameters
523 must be specified for either to take effect.
528 <title>[RPC] OLDJOIN [options]</title>
530 <para>Join a domain. Use the OLDJOIN option to join the domain
531 using the old style of domain joining - you need to create a trust
532 account in server manager first.</para>
536 <title>[RPC|ADS] USER</title>
539 <title>[RPC|ADS] USER</title>
541 <para>List all users</para>
546 <title>[RPC|ADS] USER DELETE <replaceable>target</replaceable></title>
548 <para>Delete specified user</para>
553 <title>[RPC|ADS] USER INFO <replaceable>target</replaceable></title>
555 <para>List the domain groups of the specified user.</para>
560 <title>[RPC|ADS] USER RENAME <replaceable>oldname</replaceable> <replaceable>newname</replaceable></title>
562 <para>Rename specified user.</para>
567 <title>[RPC|ADS] USER ADD <replaceable>name</replaceable> [password] [-F user flags] [-C comment]</title>
569 <para>Add specified user.</para>
574 <title>[RPC|ADS] GROUP</title>
577 <title>[RPC|ADS] GROUP [misc options] [targets]</title>
578 <para>List user groups.</para>
582 <title>[RPC|ADS] GROUP DELETE <replaceable>name</replaceable> [misc. options]</title>
584 <para>Delete specified group.</para>
589 <title>[RPC|ADS] GROUP ADD <replaceable>name</replaceable> [-C comment]</title>
591 <para>Create specified group.</para>
595 <title>[ADS] LOOKUP</title>
597 <para>Lookup the closest Domain Controller in our domain and retrieve server information about it.</para>
603 <title>[RAP|RPC] SHARE</title>
606 <title>[RAP|RPC] SHARE [misc. options] [targets]</title>
608 <para>Enumerates all exported resources (network shares) on target server.</para>
613 <title>[RAP|RPC] SHARE ADD <replaceable>name=serverpath</replaceable> [-C comment] [-M maxusers] [targets]</title>
615 <para>Adds a share from a server (makes the export active). Maxusers
616 specifies the number of users that can be connected to the
617 share simultaneously.</para>
622 <title>SHARE DELETE <replaceable>sharename</replaceable></title>
624 <para>Delete specified share.</para>
629 <title>[RPC|RAP] FILE</title>
632 <title>[RPC|RAP] FILE</title>
634 <para>List all open files on remote server.</para>
639 <title>[RPC|RAP] FILE CLOSE <replaceable>fileid</replaceable></title>
641 <para>Close file with specified <replaceable>fileid</replaceable> on
642 remote server.</para>
647 <title>[RPC|RAP] FILE INFO <replaceable>fileid</replaceable></title>
650 Print information on specified <replaceable>fileid</replaceable>.
651 Currently listed are: file-id, username, locks, path, permissions.
657 <title>[RAP|RPC] FILE USER <replaceable>user</replaceable></title>
660 List files opened by specified <replaceable>user</replaceable>.
661 Please note that <command>net rap file user</command> does not work
662 against Samba servers.
670 <title>SESSION</title>
673 <title>RAP SESSION</title>
675 <para>Without any other options, SESSION enumerates all active SMB/CIFS
676 sessions on the target server.</para>
681 <title>RAP SESSION DELETE|CLOSE <replaceable>CLIENT_NAME</replaceable></title>
683 <para>Close the specified sessions.</para>
688 <title>RAP SESSION INFO <replaceable>CLIENT_NAME</replaceable></title>
690 <para>Give a list with all the open files in specified session.</para>
697 <title>RAP SERVER <replaceable>DOMAIN</replaceable></title>
699 <para>List all servers in specified domain or workgroup. Defaults
700 to local domain.</para>
705 <title>RAP DOMAIN</title>
707 <para>Lists all domains and workgroups visible on the
708 current network.</para>
713 <title>RAP PRINTQ</title>
716 <title>RAP PRINTQ INFO <replaceable>QUEUE_NAME</replaceable></title>
718 <para>Lists the specified print queue and print jobs on the server.
719 If the <replaceable>QUEUE_NAME</replaceable> is omitted, all
720 queues are listed.</para>
725 <title>RAP PRINTQ DELETE <replaceable>JOBID</replaceable></title>
727 <para>Delete job with specified id.</para>
734 <title>RAP VALIDATE <replaceable>user</replaceable> [<replaceable>password</replaceable>]</title>
737 Validate whether the specified user can log in to the
738 remote server. If the password is not specified on the commandline, it
747 <title>RAP GROUPMEMBER</title>
750 <title>RAP GROUPMEMBER LIST <replaceable>GROUP</replaceable></title>
752 <para>List all members of the specified group.</para>
757 <title>RAP GROUPMEMBER DELETE <replaceable>GROUP</replaceable> <replaceable>USER</replaceable></title>
759 <para>Delete member from group.</para>
764 <title>RAP GROUPMEMBER ADD <replaceable>GROUP</replaceable> <replaceable>USER</replaceable></title>
766 <para>Add member to group.</para>
773 <title>RAP ADMIN <replaceable>command</replaceable></title>
775 <para>Execute the specified <replaceable>command</replaceable> on
776 the remote server. Only works with OS/2 servers.
784 <title>RAP SERVICE</title>
787 <title>RAP SERVICE START <replaceable>NAME</replaceable> [arguments...]</title>
789 <para>Start the specified service on the remote server. Not implemented yet.</para>
796 <title>RAP SERVICE STOP</title>
798 <para>Stop the specified service on the remote server.</para>
807 <title>RAP PASSWORD <replaceable>USER</replaceable> <replaceable>OLDPASS</replaceable> <replaceable>NEWPASS</replaceable></title>
810 Change password of <replaceable>USER</replaceable> from <replaceable>OLDPASS</replaceable> to <replaceable>NEWPASS</replaceable>.
816 <title>LOOKUP</title>
819 <title>LOOKUP HOST <replaceable>HOSTNAME</replaceable> [<replaceable>TYPE</replaceable>]</title>
822 Lookup the IP address of the given host with the specified type (netbios suffix).
823 The type defaults to 0x20 (workstation).
829 <title>LOOKUP LDAP [<replaceable>DOMAIN</replaceable>]</title>
831 <para>Give IP address of LDAP server of specified <replaceable>DOMAIN</replaceable>. Defaults to local domain.</para>
836 <title>LOOKUP KDC [<replaceable>REALM</replaceable>]</title>
838 <para>Give IP address of KDC for the specified <replaceable>REALM</replaceable>.
839 Defaults to local realm.</para>
844 <title>LOOKUP DC [<replaceable>DOMAIN</replaceable>]</title>
846 <para>Give IP's of Domain Controllers for specified <replaceable>
847 DOMAIN</replaceable>. Defaults to local domain.</para>
852 <title>LOOKUP MASTER <replaceable>DOMAIN</replaceable></title>
854 <para>Give IP of master browser for specified <replaceable>DOMAIN</replaceable>
855 or workgroup. Defaults to local domain.</para>
860 <title>LOOKUP NAME [<replaceable>NAME</replaceable>]</title>
862 <para>Lookup username's sid and type for specified <replaceable>NAME</replaceable>
868 <title>LOOKUP SID [<replaceable>SID</replaceable>]</title>
870 <para>Give sid's name and type for specified <replaceable>SID</replaceable>
876 <title>LOOKUP DSGETDCNAME [<replaceable>NAME</replaceable>] [<replaceable>FLAGS</replaceable>] [<replaceable>SITENAME</replaceable>]</title>
878 <para>Give Domain Controller information for specified domain <replaceable>NAME</replaceable>
888 <para>Samba uses a general caching interface called 'gencache'. It
889 can be controlled using 'NET CACHE'.</para>
891 <para>All the timeout parameters support the suffixes:
894 <member>s - Seconds</member>
895 <member>m - Minutes</member>
896 <member>h - Hours</member>
897 <member>d - Days</member>
898 <member>w - Weeks</member>
904 <title>CACHE ADD <replaceable>key</replaceable> <replaceable>data</replaceable> <replaceable>time-out</replaceable></title>
906 <para>Add specified key+data to the cache with the given timeout.</para>
911 <title>CACHE DEL <replaceable>key</replaceable></title>
913 <para>Delete key from the cache.</para>
918 <title>CACHE SET <replaceable>key</replaceable> <replaceable>data</replaceable> <replaceable>time-out</replaceable></title>
920 <para>Update data of existing cache entry.</para>
925 <title>CACHE SEARCH <replaceable>PATTERN</replaceable></title>
927 <para>Search for the specified pattern in the cache data.</para>
932 <title>CACHE LIST</title>
935 List all current items in the cache.
941 <title>CACHE FLUSH</title>
943 <para>Remove all the current items from the cache.</para>
950 <title>GETLOCALSID [DOMAIN]</title>
952 <para>Prints the SID of the specified domain, or if the parameter is
953 omitted, the SID of the local server.</para>
958 <title>SETLOCALSID S-1-5-21-x-y-z</title>
960 <para>Sets SID for the local server to the specified SID.</para>
965 <title>GETDOMAINSID</title>
967 <para>Prints the local machine SID and the SID of the current
973 <title>SETDOMAINSID</title>
975 <para>Sets the SID of the current domain.</para>
980 <title>GROUPMAP</title>
982 <para>Manage the mappings between Windows group SIDs and UNIX groups.
983 Common options include:</para>
986 <listitem><para>unixgroup - Name of the UNIX group</para></listitem>
987 <listitem><para>ntgroup - Name of the Windows NT group (must be
988 resolvable to a SID</para></listitem>
989 <listitem><para>rid - Unsigned 32-bit integer</para></listitem>
990 <listitem><para>sid - Full SID in the form of "S-1-..."</para></listitem>
991 <listitem><para>type - Type of the group; either 'domain', 'local',
992 or 'builtin'</para></listitem>
993 <listitem><para>comment - Freeform text description of the group</para></listitem>
997 <title>GROUPMAP ADD</title>
1000 Add a new group mapping entry:
1002 net groupmap add {rid=int|sid=string} unixgroup=string \
1003 [type={domain|local}] [ntgroup=string] [comment=string]
1010 <title>GROUPMAP DELETE</title>
1012 <para>Delete a group mapping entry. If more than one group name matches, the first entry found is deleted.</para>
1014 <para>net groupmap delete {ntgroup=string|sid=SID}</para>
1019 <title>GROUPMAP MODIFY</title>
1021 <para>Update an existing group entry.</para>
1025 net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] \
1026 [comment=string] [type={domain|local}]
1032 <title>GROUPMAP LIST</title>
1034 <para>List existing group mapping entries.</para>
1036 <para>net groupmap list [verbose] [ntgroup=string] [sid=SID]</para>
1044 <title>MAXRID</title>
1046 <para>Prints out the highest RID currently in use on the local
1047 server (by the active 'passdb backend').
1053 <title>RPC INFO</title>
1055 <para>Print information about the domain of the remote server,
1056 such as domain name, domain sid and number of users and groups.
1062 <title>[RPC|ADS] TESTJOIN</title>
1064 <para>Check whether participation in a domain is still valid.</para>
1069 <title>[RPC|ADS] CHANGETRUSTPW</title>
1071 <para>Force change of domain trust password.</para>
1076 <title>RPC TRUSTDOM</title>
1079 <title>RPC TRUSTDOM ADD <replaceable>DOMAIN</replaceable></title>
1081 <para>Add a interdomain trust account for <replaceable>DOMAIN</replaceable>.
1082 This is in fact a Samba account named <replaceable>DOMAIN$</replaceable>
1083 with the account flag <constant>'I'</constant> (interdomain trust account).
1084 This is required for incoming trusts to work. It makes Samba be a
1085 trusted domain of the foreign (trusting) domain.
1086 Users of the Samba domain will be made available in the foreign domain.
1087 If the command is used against localhost it has the same effect as
1088 <command>smbpasswd -a -i DOMAIN</command>. Please note that both commands
1089 expect a appropriate UNIX account.
1095 <title>RPC TRUSTDOM DEL <replaceable>DOMAIN</replaceable></title>
1097 <para>Remove interdomain trust account for
1098 <replaceable>DOMAIN</replaceable>. If it is used against localhost
1099 it has the same effect as <command>smbpasswd -x DOMAIN$</command>.
1105 <title>RPC TRUSTDOM ESTABLISH <replaceable>DOMAIN</replaceable></title>
1108 Establish a trust relationship to a trusted domain.
1109 Interdomain account must already be created on the remote PDC.
1110 This is required for outgoing trusts to work. It makes Samba be a
1111 trusting domain of a foreign (trusted) domain.
1112 Users of the foreign domain will be made available in our domain.
1113 You'll need winbind and a working idmap config to make them
1114 appear in your system.
1120 <title>RPC TRUSTDOM REVOKE <replaceable>DOMAIN</replaceable></title>
1121 <para>Abandon relationship to trusted domain</para>
1126 <title>RPC TRUSTDOM LIST</title>
1128 <para>List all interdomain trust relationships.</para>
1134 <title>RPC TRUST</title>
1137 <title>RPC TRUST CREATE</title>
1139 <para>Create a trust object by calling lsaCreateTrustedDomainEx2.
1140 The can be done on a single server or on two servers at once with the
1141 possibility to use a random trust password.</para>
1143 <variablelist><title>Options:</title>
1145 <term>otherserver</term>
1146 <listitem><para>Domain controller of the second domain</para></listitem>
1150 <term>otheruser</term>
1151 <listitem><para>Admin user in the second domain</para></listitem>
1155 <term>otherdomainsid</term>
1156 <listitem><para>SID of the second domain</para></listitem>
1160 <term>other_netbios_domain</term>
1161 <listitem><para>NetBIOS (short) name of the second domain</para></listitem>
1165 <term>otherdomain</term>
1166 <listitem><para>DNS (full) name of the second domain</para></listitem>
1170 <term>trustpw</term>
1171 <listitem><para>Trust password</para></listitem>
1175 <variablelist><title>Examples:</title>
1177 <term>Create a trust object on srv1.dom1.dom for the domain dom2</term>
1178 <listitem><literallayout>
1179 net rpc trust create \
1180 otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
1181 other_netbios_domain=dom2 \
1182 otherdomain=dom2.dom \
1185 </literallayout></listitem>
1188 <term>Create a trust relationship between dom1 and dom2</term>
1189 <listitem><literallayout>
1190 net rpc trust create \
1191 otherserver=srv2.dom2.test \
1194 </literallayout></listitem>
1200 <title>RPC TRUST DELETE</title>
1202 <para>Delete a trust object by calling lsaDeleteTrustedDomain.
1203 The can be done on a single server or on two servers at once.</para>
1205 <variablelist><title>Options:</title>
1207 <term>otherserver</term>
1208 <listitem><para>Domain controller of the second domain</para></listitem>
1212 <term>otheruser</term>
1213 <listitem><para>Admin user in the second domain</para></listitem>
1217 <term>otherdomainsid</term>
1218 <listitem><para>SID of the second domain</para></listitem>
1222 <variablelist><title>Examples:</title>
1224 <term>Delete a trust object on srv1.dom1.dom for the domain dom2</term>
1225 <listitem><literallayout>
1226 net rpc trust delete \
1227 otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
1229 </literallayout></listitem>
1232 <term>Delete a trust relationship between dom1 and dom2</term>
1233 <listitem><literallayout>
1234 net rpc trust delete \
1235 otherserver=srv2.dom2.test \
1238 </literallayout></listitem>
1247 <title>RPC RIGHTS</title>
1249 <para>This subcommand is used to view and manage Samba's rights assignments (also
1250 referred to as privileges). There are three options currently available:
1251 <parameter>list</parameter>, <parameter>grant</parameter>, and
1252 <parameter>revoke</parameter>. More details on Samba's privilege model and its use
1253 can be found in the Samba-HOWTO-Collection.</para>
1261 <title>RPC ABORTSHUTDOWN</title>
1263 <para>Abort the shutdown of a remote server.</para>
1268 <title>RPC SHUTDOWN [-t timeout] [-r] [-f] [-C message]</title>
1270 <para>Shut down the remote server.</para>
1276 Reboot after shutdown.
1283 Force shutting down all applications.
1288 <term>-t timeout</term>
1290 Timeout before system will be shut down. An interactive
1291 user of the system can use this time to cancel the shutdown.
1296 <term>-C message</term>
1297 <listitem><para>Display the specified message on the screen to
1298 announce the shutdown.</para></listitem>
1305 <title>RPC SAMDUMP</title>
1307 <para>Print out sam database of remote server. You need
1308 to run this against the PDC, from a Samba machine joined as a BDC. </para>
1312 <title>RPC VAMPIRE</title>
1314 <para>Export users, aliases and groups from remote server to
1315 local server. You need to run this against the PDC, from a Samba machine joined as a BDC.
1316 This vampire command cannot be used against an Active Directory, only
1317 against an NT4 Domain Controller.
1322 <title>RPC VAMPIRE KEYTAB</title>
1324 <para>Dump remote SAM database to local Kerberos keytab file.
1329 <title>RPC VAMPIRE LDIF</title>
1331 <para>Dump remote SAM database to local LDIF file or standard output.
1336 <title>RPC GETSID</title>
1338 <para>Fetch domain SID and store it in the local <filename>secrets.tdb</filename>. </para>
1344 <title>ADS GPO</title>
1346 <title>ADS GPO APPLY <USERNAME|MACHINENAME> </title>
1347 <para>Apply GPOs for a username or machine name. Either username or machine name should be provided to the command, not both. </para>
1351 <title>ADS GPO GETGPO [<replaceable>GPO</replaceable>]</title>
1352 <para>List specified GPO.</para>
1356 <title>ADS GPO LINKADD [<replaceable>LINKDN</replaceable>] [<replaceable>GPODN</replaceable>]</title>
1357 <para>Link a container to a GPO. <replaceable>LINKDN</replaceable> Container to link to a GPO. <replaceable>GPODN</replaceable> GPO to link container to. DNs must be provided properly escaped. See RFC 4514 for details.</para>
1361 <title>ADS GPO LINKGET [<replaceable>CONTAINER</replaceable>]</title>
1362 <para>Lists gPLink of a containter.</para>
1366 <title>ADS GPO LIST <USERNAME|MACHINENAME> </title>
1367 <para>Lists all GPOs for a username or machine name. Either username or machine name should be provided to the command, not both. </para>
1371 <title>ADS GPO LISTALL</title>
1372 <para>Lists all GPOs on a DC.</para>
1376 <title>ADS GPO REFRESH [<replaceable>USERNAME</replaceable>] [<replaceable>MACHINENAME</replaceable>]</title>
1377 <para>Lists all GPOs assigned to an account and download them. <replaceable>USERNAME</replaceable> User to refresh GPOs for. <replaceable>MACHINENAME</replaceable> Machine to refresh GPOs for.</para>
1384 <title>ADS DNS</title>
1387 <title>ADS DNS REGISTER [HOSTNAME [IP [IP.....]]]</title>
1388 <para>Add host dns entry to Active Directory.</para>
1392 <title>ADS DNS UNREGISTER <HOSTNAME></title>
1393 <para>Remove host dns entry from Active Directory.</para>
1397 <title>ADS DNS GETHOSTBYNAME <NAMESERVER|HOSTNAME></title>
1398 <para>Look up the hostname from Active Directory. You can either provide nameserver ie IPv4|IPv6 address or the hostname. Only one should be provided at a time.</para>
1404 <title>ADS LEAVE [--keep-account]</title>
1406 <para>Make the remote host leave the domain it is part of. </para>
1411 <title>ADS STATUS</title>
1413 <para>Print out status of machine account of the local machine in ADS.
1414 Prints out quite some debug info. Aimed at developers, regular
1415 users should use <command>NET ADS TESTJOIN</command>.</para>
1420 <title>ADS PRINTER</title>
1423 <title>ADS PRINTER INFO [<replaceable>PRINTER</replaceable>] [<replaceable>SERVER</replaceable>]</title>
1426 Lookup info for <replaceable>PRINTER</replaceable> on <replaceable>SERVER</replaceable>. The printer name defaults to "*", the
1427 server name defaults to the local host.</para>
1432 <title>ADS PRINTER PUBLISH <replaceable>PRINTER</replaceable></title>
1434 <para>Publish specified printer using ADS.</para>
1439 <title>ADS PRINTER REMOVE <replaceable>PRINTER</replaceable></title>
1441 <para>Remove specified printer from ADS directory.</para>
1448 <title>ADS SEARCH <replaceable>EXPRESSION</replaceable> <replaceable>ATTRIBUTES...</replaceable></title>
1450 <para>Perform a raw LDAP search on a ADS server and dump the results. The
1451 expression is a standard LDAP search expression, and the
1452 attributes are a list of LDAP fields to show in the results.</para>
1454 <para>Example: <userinput>net ads search '(objectCategory=group)' sAMAccountName</userinput>
1460 <title>ADS DN <replaceable>DN</replaceable> <replaceable>(attributes)</replaceable></title>
1463 Perform a raw LDAP search on a ADS server and dump the results. The
1464 DN standard LDAP DN, and the attributes are a list of LDAP fields
1465 to show in the result.
1468 <para>Example: <userinput>net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' SAMAccountName</userinput></para>
1473 <title>ADS KEYTAB <replaceable>CREATE</replaceable></title>
1476 Creates a new keytab file if one doesn't exist with default entries. Default
1477 entries are kerberos principals created from the machinename of the
1478 client, the UPN (if it exists) and any Windows SPN(s) associated with the
1479 computer AD account for the client. If a keytab file already exists then only
1480 missing kerberos principals from the default entries are added. No changes
1481 are made to the computer AD account.
1486 <title>ADS KEYTAB <replaceable>ADD</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title>
1489 Adds a new keytab entry, the entry can be either;
1491 <varlistentry><term>kerberos principal</term>
1493 A kerberos principal (identified by the presence of '@') is just
1494 added to the keytab file.
1497 <varlistentry><term>machinename</term>
1499 A machinename (identified by the trailing '$') is used to create a
1500 a kerberos principal 'machinename@realm' which is added to the
1504 <varlistentry><term>serviceclass</term>
1506 A serviceclass (such as 'cifs', 'html' etc.) is used to create a pair
1507 of kerberos principals 'serviceclass/fully_qualified_dns_name@realm' &
1508 'serviceclass/netbios_name@realm' which are added to the keytab file.
1511 <varlistentry><term>Windows SPN</term>
1513 A Windows SPN is of the format 'serviceclass/host:port', it is used to
1514 create a kerberos principal 'serviceclass/host@realm' which will
1515 be written to the keytab file.
1521 Unlike old versions no computer AD objects are modified by this command. To
1522 preserve the bevhaviour of older clients 'net ads keytab ad_update_ads' is
1528 <title>ADS KEYTAB <replaceable>ADD_UPDATE_ADS</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title>
1531 Adds a new keytab entry (see section for net ads keytab add). In addition to
1532 adding entries to the keytab file corrosponding Windows SPNs are created
1533 from the entry passed to this command. These SPN(s) added to the AD computer
1534 account object associated with the client machine running this command for
1535 the following entry types;
1537 <varlistentry><term>serviceclass</term>
1539 A serviceclass (such as 'cifs', 'html' etc.) is used to create a
1540 pair of Windows SPN(s) 'param/full_qualified_dns' &
1541 'param/netbios_name' which are added to the AD computer account object
1545 <varlistentry><term>Windows SPN</term>
1547 A Windows SPN is of the format 'serviceclass/host:port', it is
1548 added as passed to the AD computer account object for this client.
1556 <title>ADS setspn <replaceable>SETSPN LIST [machine]</replaceable></title>
1559 Lists the Windows SPNs stored in the 'machine' Windows AD Computer object.
1560 If 'machine' is not specified then computer account for this client is used
1566 <title>ADS setspn <replaceable>SETSPN ADD SPN [machine]</replaceable></title>
1569 Adds the specified Windows SPN to the 'machine' Windows AD Computer object.
1570 If 'machine' is not specified then computer account for this client is used
1577 <title>ADS setspn <replaceable>SETSPN DELETE SPN [machine]</replaceable></title>
1580 DELETE the specified Window SPN from the 'machine' Windows AD Computer
1581 object. If 'machine' is not specified then computer account for this
1589 <title>ADS WORKGROUP</title>
1591 <para>Print out workgroup name for specified kerberos realm.</para>
1596 <title>ADS ENCTYPES</title>
1599 List, modify or delete the value of the "msDS-SupportedEncryptionTypes" attribute of an account in AD.
1603 This attribute allows one to control which Kerberos encryption types are used for the generation of initial and service tickets. The value consists of an integer bitmask with the following values:
1606 <para>0x00000001 DES-CBC-CRC</para>
1607 <para>0x00000002 DES-CBC-MD5</para>
1608 <para>0x00000004 RC4-HMAC</para>
1609 <para>0x00000008 AES128-CTS-HMAC-SHA1-96</para>
1610 <para>0x00000010 AES256-CTS-HMAC-SHA1-96</para>
1615 <title>ADS ENCTYPES LIST <replaceable><ACCOUNTNAME></replaceable></title>
1618 List the value of the "msDS-SupportedEncryptionTypes" attribute of a given account.
1621 <para>Example: <userinput>net ads enctypes list Computername</userinput></para>
1626 <title>ADS ENCTYPES SET <replaceable><ACCOUNTNAME></replaceable> <replaceable>[enctypes]</replaceable></title>
1629 Set the value of the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME to a given value. If the value is omitted, the value is set to 31 which enables all the currently supported encryption types.
1632 <para>Example: <userinput>net ads enctypes set Computername 24</userinput></para>
1637 <title>ADS ENCTYPES DELETE <replaceable><ACCOUNTNAME></replaceable></title>
1640 Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME.
1643 <para>Example: <userinput>net ads enctypes set Computername 24</userinput></para>
1649 <title>SAM CREATEBUILTINGROUP <NAME></title>
1652 (Re)Create a BUILTIN group.
1653 Only a wellknown set of BUILTIN groups can be created with this command.
1654 This is the list of currently recognized group names: Administrators,
1655 Users, Guests, Power Users, Account Operators, Server Operators, Print
1656 Operators, Backup Operators, Replicator, RAS Servers, Pre-Windows 2000
1659 This command requires a running Winbindd with idmap allocation properly
1660 configured. The group gid will be allocated out of the winbindd range.
1666 <title>SAM CREATELOCALGROUP <NAME></title>
1669 Create a LOCAL group (also known as Alias).
1671 This command requires a running Winbindd with idmap allocation properly
1672 configured. The group gid will be allocated out of the winbindd range.
1678 <title>SAM DELETELOCALGROUP <NAME></title>
1681 Delete an existing LOCAL group (also known as Alias).
1688 <title>SAM MAPUNIXGROUP <NAME></title>
1691 Map an existing Unix group and make it a Domain Group, the domain group
1692 will have the same name.
1698 <title>SAM UNMAPUNIXGROUP <NAME></title>
1701 Remove an existing group mapping entry.
1707 <title>SAM ADDMEM <GROUP> <MEMBER></title>
1710 Add a member to a Local group. The group can be specified only by name,
1711 the member can be specified by name or SID.
1717 <title>SAM DELMEM <GROUP> <MEMBER></title>
1720 Remove a member from a Local group. The group and the member must be
1727 <title>SAM LISTMEM <GROUP></title>
1730 List Local group members. The group must be specified by name.
1736 <title>SAM LIST <users|groups|localgroups|builtin|workstations> [verbose]</title>
1739 List the specified set of accounts by name. If verbose is specified,
1740 the rid and description is also provided for each account.
1746 <title>SAM RIGHTS LIST</title>
1749 List all available privileges.
1755 <title>SAM RIGHTS GRANT <NAME> <PRIVILEGE></title>
1758 Grant one or more privileges to a user.
1764 <title>SAM RIGHTS REVOKE <NAME> <PRIVILEGE></title>
1767 Revoke one or more privileges from a user.
1773 <title>SAM SHOW <NAME></title>
1776 Show the full DOMAIN\\NAME the SID and the type for the corresponding
1783 <title>SAM SET HOMEDIR <NAME> <DIRECTORY></title>
1786 Set the home directory for a user account.
1792 <title>SAM SET PROFILEPATH <NAME> <PATH></title>
1795 Set the profile path for a user account.
1801 <title>SAM SET COMMENT <NAME> <COMMENT></title>
1804 Set the comment for a user or group account.
1810 <title>SAM SET FULLNAME <NAME> <FULL NAME></title>
1813 Set the full name for a user account.
1819 <title>SAM SET LOGONSCRIPT <NAME> <SCRIPT></title>
1822 Set the logon script for a user account.
1828 <title>SAM SET HOMEDRIVE <NAME> <DRIVE></title>
1831 Set the home drive for a user account.
1837 <title>SAM SET WORKSTATIONS <NAME> <WORKSTATIONS></title>
1840 Set the workstations a user account is allowed to log in from.
1846 <title>SAM SET DISABLE <NAME></title>
1849 Set the "disabled" flag for a user account.
1855 <title>SAM SET PWNOTREQ <NAME></title>
1858 Set the "password not required" flag for a user account.
1864 <title>SAM SET AUTOLOCK <NAME></title>
1867 Set the "autolock" flag for a user account.
1873 <title>SAM SET PWNOEXP <NAME></title>
1876 Set the "password do not expire" flag for a user account.
1882 <title>SAM SET PWDMUSTCHANGENOW <NAME> [yes|no]</title>
1885 Set or unset the "password must change" flag for a user account.
1891 <title>SAM POLICY LIST</title>
1894 List the available account policies.
1900 <title>SAM POLICY SHOW <account policy></title>
1903 Show the account policy value.
1909 <title>SAM POLICY SET <account policy> <value></title>
1912 Set a value for the account policy.
1913 Valid values can be: "forever", "never", "off", or a number.
1919 <title>SAM PROVISION</title>
1922 Only available if ldapsam:editposix is set and winbindd is running.
1923 Properly populates the ldap tree with the basic accounts (Administrator)
1924 and groups (Domain Users, Domain Admins, Domain Guests) on the ldap tree.
1930 <title>IDMAP DUMP <local tdb file name></title>
1933 Dumps the mappings contained in the local tdb file specified.
1934 This command is useful to dump only the mappings produced by the idmap_tdb backend.
1940 <title>IDMAP RESTORE [input file]</title>
1943 Restore the mappings from the specified file or stdin.
1949 <title>IDMAP SET SECRET <DOMAIN> <secret></title>
1952 Store a secret for the specified domain, used primarily for domains
1953 that use idmap_ldap as a backend. In this case the secret is used
1954 as the password for the user DN used to bind to the ldap server.
1960 <title>IDMAP SET RANGE <RANGE> <SID> [index] [--db=<DB>]</title>
1963 Store a domain-range mapping for a given domain (and index) in autorid database.
1969 <title>IDMAP SET CONFIG <config> [--db=<DB>]</title>
1972 Update CONFIG entry in autorid database.
1978 <title>IDMAP GET RANGE <SID> [index] [--db=<DB>]</title>
1981 Get the range for a given domain and index from autorid database.
1987 <title>IDMAP GET RANGES [<SID>] [--db=<DB>]</title>
1990 Get ranges for all domains or for one identified by given SID.
1996 <title>IDMAP GET CONFIG [--db=<DB>]</title>
1999 Get CONFIG entry from autorid database.
2006 <title>IDMAP DELETE MAPPING [-f] [--db=<DB>] <ID></title>
2009 Delete a mapping sid <-> gid or sid <-> uid from the IDMAP database.
2010 The mapping is given by <ID> which may either be a sid: S-x-..., a gid: "GID number" or a uid: "UID number".
2011 Use -f to delete an invalid partial mapping <ID> -> xx
2014 Use "smbcontrol all idmap ..." to notify running smbd instances.
2015 See the <citerefentry><refentrytitle>smbcontrol</refentrytitle>
2016 <manvolnum>1</manvolnum></citerefentry> manpage for details.
2021 <title>IDMAP DELETE RANGE [-f] [--db=<TDB>] <RANGE>|(<SID> [<INDEX>])</title>
2024 Delete a domain range mapping identified by 'RANGE' or "domain SID and INDEX" from autorid database.
2025 Use -f to delete invalid mappings.
2031 <title>IDMAP DELETE RANGES [-f] [--db=<TDB>] <SID></title>
2034 Delete all domain range mappings for a domain identified by SID.
2035 Use -f to delete invalid mappings.
2042 <title>IDMAP CHECK [-v] [-r] [-a] [-T] [-f] [-l] [--db=<DB>]</title>
2045 Check and repair the IDMAP database. If no option is given a read only check
2046 of the database is done. Among others an interactive or automatic repair mode
2047 may be chosen with one of the following options:
2050 <varlistentry><term>-r|--repair</term>
2052 Interactive repair mode, ask a lot of questions.
2056 <varlistentry><term>-a|--auto</term>
2058 Noninteractive repair mode, use default answers.
2062 <varlistentry><term>-v|--verbose</term>
2064 Produce more output.
2068 <varlistentry><term>-f|--force</term>
2070 Try to apply changes, even if they do not apply cleanly.
2074 <varlistentry><term>-T|--test</term>
2076 Dry run, show what changes would be made but don't touch anything.
2080 <varlistentry><term>-l|--lock</term>
2082 Lock the database while doing the check.
2086 <varlistentry><term>--db <DB></term>
2088 Check the specified database.
2091 <varlistentry><term></term>
2097 It reports about the finding of the following errors:
2100 <varlistentry><term>Missing reverse mapping:</term>
2102 A record with mapping A->B where there is no B->A. Default action
2103 in repair mode is to "fix" this by adding the reverse mapping.
2107 <varlistentry><term>Invalid mapping:</term>
2109 A record with mapping A->B where B->C. Default action
2110 is to "delete" this record.
2114 <varlistentry><term>Missing or invalid HWM:</term>
2116 A high water mark is not at least equal to the largest ID in the
2117 database. Default action is to "fix" this by setting it to the
2118 largest ID found +1.
2122 <varlistentry><term>Invalid record:</term>
2124 Something we failed to parse. Default action is to "edit" it
2125 in interactive and "delete" it in automatic mode.
2134 <title>USERSHARE</title>
2136 <para>Starting with version 3.0.23, a Samba server now supports the ability for
2137 non-root users to add user defined shares to be exported using the "net usershare"
2142 To set this up, first set up your smb.conf by adding to the [global] section:
2144 usershare path = /usr/local/samba/lib/usershares
2146 Next create the directory /usr/local/samba/lib/usershares, change the owner to root and
2147 set the group owner to the UNIX group who should have the ability to create usershares,
2148 for example a group called "serverops".
2150 Set the permissions on /usr/local/samba/lib/usershares to 01770.
2152 (Owner and group all access, no access for others, plus the sticky bit,
2153 which means that a file in that directory can be renamed or deleted only
2154 by the owner of the file).
2156 Finally, tell smbd how many usershares you will allow by adding to the [global]
2157 section of smb.conf a line such as :
2159 usershare max shares = 100.
2161 To allow 100 usershare definitions. Now, members of the UNIX group "serverops"
2162 can create user defined shares on demand using the commands below.
2165 <para>The usershare commands are:
2168 <member>net usershare add sharename path [comment [acl] [guest_ok=[y|n]]] - to add or change a user defined share.</member>
2169 <member>net usershare delete sharename - to delete a user defined share.</member>
2170 <member>net usershare info [-l|--long] [wildcard sharename] - to print info about a user defined share.</member>
2171 <member>net usershare list [-l|--long] [wildcard sharename] - to list user defined shares.</member>
2177 <title>USERSHARE ADD <replaceable>sharename</replaceable> <replaceable>path</replaceable> <replaceable>[comment]</replaceable> <replaceable>[acl]</replaceable> <replaceable>[guest_ok=[y|n]]</replaceable></title>
2180 Add or replace a new user defined share, with name "sharename".
2184 "path" specifies the absolute pathname on the system to be exported.
2185 Restrictions may be put on this, see the global smb.conf parameters:
2186 "usershare owner only", "usershare prefix allow list", and
2187 "usershare prefix deny list".
2191 The optional "comment" parameter is the comment that will appear
2192 on the share when browsed to by a client.
2195 <para>The optional "acl" field
2196 specifies which users have read and write access to the entire share.
2197 Note that guest connections are not allowed unless the smb.conf parameter
2198 "usershare allow guests" has been set. The definition of a user
2199 defined share acl is: "user:permission", where user is a valid
2200 username on the system and permission can be "F", "R", or "D".
2201 "F" stands for "full permissions", ie. read and write permissions.
2202 "D" stands for "deny" for a user, ie. prevent this user from accessing
2204 "R" stands for "read only", ie. only allow read access to this
2205 share (no creation of new files or directories or writing to files).
2209 The default if no "acl" is given is "Everyone:R", which means any
2210 authenticated user has read-only access.
2214 The optional "guest_ok" has the same effect as the parameter of the
2215 same name in smb.conf, in that it allows guest access to this user
2216 defined share. This parameter is only allowed if the global parameter
2217 "usershare allow guests" has been set to true in the smb.conf.
2220 There is no separate command to modify an existing user defined share,
2221 just use the "net usershare add [sharename]" command using the same
2222 sharename as the one you wish to modify and specify the new options
2223 you wish. The Samba smbd daemon notices user defined share modifications
2224 at connect time so will see the change immediately, there is no need
2225 to restart smbd on adding, deleting or changing a user defined share.
2229 <title>USERSHARE DELETE <replaceable>sharename</replaceable></title>
2232 Deletes the user defined share by name. The Samba smbd daemon
2233 immediately notices this change, although it will not disconnect
2234 any users currently connected to the deleted share.
2240 <title>USERSHARE INFO <replaceable>[-l|--long]</replaceable> <replaceable>[wildcard sharename]</replaceable></title>
2243 Get info on user defined shares owned by the current user matching the given pattern, or all users.
2247 net usershare info on its own dumps out info on the user defined shares that were
2248 created by the current user, or restricts them to share names that match the given
2249 wildcard pattern ('*' matches one or more characters, '?' matches only one character).
2250 If the '-l' or '--long' option is also given, it prints out info on user defined
2251 shares created by other users.
2255 The information given about a share looks like:
2260 usershare_acl=Everyone:F
2263 And is a list of the current settings of the user defined share that can be
2264 modified by the "net usershare add" command.
2270 <title>USERSHARE LIST <replaceable>[-l|--long]</replaceable> <replaceable>wildcard sharename</replaceable></title>
2273 List all the user defined shares owned by the current user matching the given pattern, or all users.
2277 net usershare list on its own list out the names of the user defined shares that were
2278 created by the current user, or restricts the list to share names that match the given
2279 wildcard pattern ('*' matches one or more characters, '?' matches only one character).
2280 If the '-l' or '--long' option is also given, it includes the names of user defined
2281 shares created by other users.
2289 <title>[RPC] CONF</title>
2291 <para>Starting with version 3.2.0, a Samba server can be configured by data
2292 stored in registry. This configuration data can be edited with the new "net
2293 conf" commands. There is also the possibility to configure a remote Samba server
2294 by enabling the RPC conf mode and specifying the address of the remote server.
2298 The deployment of this configuration data can be activated in two levels from the
2299 <emphasis>smb.conf</emphasis> file: Share definitions from registry are
2300 activated by setting <parameter>registry shares</parameter> to
2301 <quote>yes</quote> in the [global] section and global configuration options are
2302 activated by setting <smbconfoption name="include">registry</smbconfoption> in
2303 the [global] section for a mixed configuration or by setting
2304 <smbconfoption name="config backend">registry</smbconfoption> in the [global]
2305 section for a registry-only configuration.
2306 See the <citerefentry><refentrytitle>smb.conf</refentrytitle>
2307 <manvolnum>5</manvolnum></citerefentry> manpage for details.
2310 <para>The conf commands are:
2312 <member>net [rpc] conf list - Dump the complete configuration in smb.conf like
2314 <member>net [rpc] conf import - Import configuration from file in smb.conf
2316 <member>net [rpc] conf listshares - List the registry shares.</member>
2317 <member>net [rpc] conf drop - Delete the complete configuration from
2319 <member>net [rpc] conf showshare - Show the definition of a registry share.</member>
2320 <member>net [rpc] conf addshare - Create a new registry share.</member>
2321 <member>net [rpc] conf delshare - Delete a registry share.</member>
2322 <member>net [rpc] conf setparm - Store a parameter.</member>
2323 <member>net [rpc] conf getparm - Retrieve the value of a parameter.</member>
2324 <member>net [rpc] conf delparm - Delete a parameter.</member>
2325 <member>net [rpc] conf getincludes - Show the includes of a share definition.</member>
2326 <member>net [rpc] conf setincludes - Set includes for a share.</member>
2327 <member>net [rpc] conf delincludes - Delete includes from a share definition.</member>
2332 <title>[RPC] CONF LIST</title>
2335 Print the configuration data stored in the registry in a smb.conf-like format to
2341 <title>[RPC] CONF IMPORT <replaceable>[--test|-T]</replaceable> <replaceable>filename</replaceable> <replaceable>[section]</replaceable></title>
2344 This command imports configuration from a file in smb.conf format.
2345 If a section encountered in the input file is present in registry,
2346 its contents is replaced. Sections of registry configuration that have
2347 no counterpart in the input file are not affected. If you want to delete these,
2348 you will have to use the "net conf drop" or "net conf delshare" commands.
2349 Optionally, a section may be specified to restrict the effect of the
2350 import command to that specific section. A test mode is enabled by specifying
2351 the parameter "-T" on the commandline. In test mode, no changes are made to the
2352 registry, and the resulting configuration is printed to standard output instead.
2357 <title>[RPC] CONF LISTSHARES</title>
2360 List the names of the shares defined in registry.
2365 <title>[RPC] CONF DROP</title>
2368 Delete the complete configuration data from registry.
2373 <title>[RPC] CONF SHOWSHARE <replaceable>sharename</replaceable></title>
2376 Show the definition of the share or section specified. It is valid to specify
2377 "global" as sharename to retrieve the global configuration options from
2383 <title>[RPC] CONF ADDSHARE <replaceable>sharename</replaceable> <replaceable>path</replaceable> [<replaceable>writeable={y|N}</replaceable> [<replaceable>guest_ok={y|N}</replaceable> [<replaceable>comment</replaceable>]]] </title>
2385 <para>Create a new share definition in registry.
2386 The sharename and path have to be given. The share name may
2387 <emphasis>not</emphasis> be "global". Optionally, values for the very
2388 common options "writeable", "guest ok" and a "comment" may be specified.
2389 The same result may be obtained by a sequence of "net conf setparm"
2395 <title>[RPC] CONF DELSHARE <replaceable>sharename</replaceable></title>
2398 Delete a share definition from registry.
2403 <title>[RPC] CONF SETPARM <replaceable>section</replaceable> <replaceable>parameter</replaceable> <replaceable>value</replaceable></title>
2406 Store a parameter in registry. The section may be global or a sharename.
2407 The section is created if it does not exist yet.
2412 <title>[RPC] CONF GETPARM <replaceable>section</replaceable> <replaceable>parameter</replaceable></title>
2415 Show a parameter stored in registry.
2420 <title>[RPC] CONF DELPARM <replaceable>section</replaceable> <replaceable>parameter</replaceable></title>
2423 Delete a parameter stored in registry.
2428 <title>[RPC] CONF GETINCLUDES <replaceable>section</replaceable></title>
2431 Get the list of includes for the provided section (global or share).
2435 Note that due to the nature of the registry database and the nature of include directives,
2436 the includes need special treatment: Parameters are stored in registry by the parameter
2437 name as valuename, so there is only ever one instance of a parameter per share.
2438 Also, a specific order like in a text file is not guaranteed. For all real
2439 parameters, this is perfectly ok, but the include directive is rather a meta
2440 parameter, for which, in the smb.conf text file, the place where it is specified
2441 between the other parameters is very important. This can not be achieved by the
2442 simple registry smbconf data model, so there is one ordered list of includes
2443 per share, and this list is evaluated after all the parameters of the share.
2447 Further note that currently, only files can be included from registry
2448 configuration. In the future, there will be the ability to include configuration
2449 data from other registry keys.
2454 <title>[RPC] CONF SETINCLUDES <replaceable>section</replaceable> [<replaceable>filename</replaceable>]+</title>
2457 Set the list of includes for the provided section (global or share) to the given
2458 list of one or more filenames. The filenames may contain the usual smb.conf
2464 <title>[RPC] CONF DELINCLUDES <replaceable>section</replaceable></title>
2467 Delete the list of includes from the provided section (global or share).
2474 <title>REGISTRY</title>
2476 Manipulate Samba's registry.
2479 <para>The registry commands are:
2481 <member>net registry enumerate - Enumerate registry keys and values.</member>
2482 <member>net registry enumerate_recursive - Enumerate registry key and its subkeys.</member>
2483 <member>net registry createkey - Create a new registry key.</member>
2484 <member>net registry deletekey - Delete a registry key.</member>
2485 <member>net registry deletekey_recursive - Delete a registry key with subkeys.</member>
2486 <member>net registry getvalue - Print a registry value.</member>
2487 <member>net registry getvalueraw - Print a registry value (raw format).</member>
2488 <member>net registry setvalue - Set a new registry value.</member>
2489 <member>net registry increment - Increment a DWORD registry value under a lock.
2491 <member>net registry deletevalue - Delete a registry value.</member>
2492 <member>net registry getsd - Get security descriptor.</member>
2493 <member>net registry getsd_sdd1 - Get security descriptor in sddl format.
2495 <member>net registry setsd_sdd1 - Set security descriptor from sddl format
2497 <member>net registry import - Import a registration entries (.reg) file.
2499 <member>net registry export - Export a registration entries (.reg) file.
2501 <member>net registry convert - Convert a registration entries (.reg) file.
2503 <member>net registry check - Check and repair a registry database.
2509 <title>REGISTRY ENUMERATE <replaceable>key</replaceable> </title>
2510 <para>Enumerate subkeys and values of <emphasis>key</emphasis>.
2515 <title>REGISTRY ENUMERATE_RECURSIVE <replaceable>key</replaceable> </title>
2516 <para>Enumerate values of <emphasis>key</emphasis> and its subkeys.
2521 <title>REGISTRY CREATEKEY <replaceable>key</replaceable> </title>
2522 <para>Create a new <emphasis>key</emphasis> if not yet existing.
2527 <title>REGISTRY DELETEKEY <replaceable>key</replaceable> </title>
2528 <para>Delete the given <emphasis>key</emphasis> and its
2529 values from the registry, if it has no subkeys.
2534 <title>REGISTRY DELETEKEY_RECURSIVE <replaceable>key</replaceable> </title>
2535 <para>Delete the given <emphasis>key</emphasis> and all of its
2536 subkeys and values from the registry.
2541 <title>REGISTRY GETVALUE <replaceable>key</replaceable> <!--
2542 --><replaceable>name</replaceable></title>
2544 <para>Output type and actual value of the value <emphasis>name</emphasis>
2545 of the given <emphasis>key</emphasis>.
2550 <title>REGISTRY GETVALUERAW <replaceable>key</replaceable> <!--
2551 --><replaceable>name</replaceable></title>
2552 <para>Output the actual value of the value <emphasis>name</emphasis>
2553 of the given <emphasis>key</emphasis>.
2558 <title>REGISTRY SETVALUE <replaceable>key</replaceable> <!--
2559 --><replaceable>name</replaceable> <replaceable>type</replaceable> <!--
2560 --><replaceable>value</replaceable> ...<!--
2563 <para>Set the value <emphasis>name</emphasis>
2564 of an existing <emphasis>key</emphasis>.
2565 <emphasis>type</emphasis> may be one of
2566 <emphasis>sz</emphasis>, <emphasis>multi_sz</emphasis> or
2567 <emphasis>dword</emphasis>.
2568 In case of <emphasis>multi_sz</emphasis> <replaceable>value</replaceable> may
2569 be given multiple times.
2574 <title>REGISTRY INCREMENT <replaceable>key</replaceable> <!--
2575 --><replaceable>name</replaceable> <replaceable>[inc]</replaceable><!--
2578 <para>Increment the DWORD value <emphasis>name</emphasis>
2579 of <emphasis>key</emphasis> by <replaceable>inc</replaceable>
2580 while holding a g_lock.
2581 <emphasis>inc</emphasis> defaults to 1.
2586 <title>REGISTRY DELETEVALUE <replaceable>key</replaceable> <!--
2587 --><replaceable>name</replaceable></title>
2589 <para>Delete the value <emphasis>name</emphasis>
2590 of the given <emphasis>key</emphasis>.
2595 <title>REGISTRY GETSD <replaceable>key</replaceable></title>
2597 <para>Get the security descriptor of the given <emphasis>key</emphasis>.
2602 <title>REGISTRY GETSD_SDDL <replaceable>key</replaceable></title>
2604 <para>Get the security descriptor of the given <emphasis>key</emphasis> as a
2605 Security Descriptor Definition Language (SDDL) string.
2610 <title>REGISTRY SETSD_SDDL <replaceable>key</replaceable><!--
2611 --><replaceable>sd</replaceable></title>
2613 <para>Set the security descriptor of the given <emphasis>key</emphasis> from a
2614 Security Descriptor Definition Language (SDDL) string <emphasis>sd</emphasis>.
2619 <title>REGISTRY IMPORT <replaceable>file</replaceable><!--
2620 --><replaceable> [--precheck <check-file>] [opt]</replaceable></title>
2621 <para>Import a registration entries (.reg) <emphasis>file</emphasis>.</para>
2622 <para>The following options are available:</para>
2624 <varlistentry><term>--precheck <replaceable>check-file</replaceable></term>
2626 This is a mechanism to check the existence or non-existence of
2627 certain keys or values specified in a precheck file before applying
2629 The import file will only be applied if the precheck succeeds.
2632 The check-file follows the normal registry file syntax with the
2633 following semantics:
2636 <listitem><para><value name>=<value> checks whether the
2637 value exists and has the given value.</para></listitem>
2638 <listitem><para><value name>=- checks whether the value does
2639 not exist.</para></listitem>
2640 <listitem><para>[key] checks whether the key exists.</para>
2642 <listitem><para>[-key] checks whether the key does not exist.</para>
2651 <title>REGISTRY EXPORT <replaceable>key</replaceable><!--
2652 --><replaceable>file</replaceable><!--
2653 --><replaceable>[opt]</replaceable></title>
2655 <para>Export a <emphasis>key</emphasis> to a registration entries (.reg)
2656 <emphasis>file</emphasis>.
2661 <title>REGISTRY CONVERT <replaceable>in</replaceable> <!--
2662 --><replaceable>out</replaceable> <!--
2663 --><replaceable>[[inopt] outopt]</replaceable></title>
2665 <para>Convert a registration entries (.reg) file <emphasis>in</emphasis>.
2670 <title>REGISTRY CHECK [-ravTl] [-o <ODB>] [--wipe] [<DB>]</title>
2671 <para>Check and repair the registry database. If no option is given a read only check of the database is done. Among others an interactive or automatic repair mode may be chosen with one of the following options
2674 <varlistentry><term>-r|--repair</term>
2676 Interactive repair mode, ask a lot of questions.
2680 <varlistentry><term>-a|--auto</term>
2682 Noninteractive repair mode, use default answers.
2686 <varlistentry><term>-v|--verbose</term>
2688 Produce more output.
2692 <varlistentry><term>-T|--test</term>
2694 Dry run, show what changes would be made but don't touch anything.
2698 <varlistentry><term>-l|--lock</term>
2700 Lock the database while doing the check.
2704 <varlistentry><term>--reg-version={1,2,3}</term>
2706 Specify the format of the registry database. If not given it defaults to
2707 the value of the binary or, if an registry.tdb is explicitly stated at
2708 the commandline, to the value found in the INFO/version record.
2712 <varlistentry><term>[--db] <DB></term>
2714 Check the specified database.
2718 <varlistentry><term>-o|--output <ODB></term>
2720 Create a new registry database <ODB> instead of modifying the
2721 input. If <ODB> is already existing --wipe may be used to
2726 <varlistentry><term>--wipe</term>
2728 Replace the registry database instead of modifying the input or
2729 overwrite an existing output database.
2733 <varlistentry><term></term>
2744 <title>EVENTLOG</title>
2746 <para>Starting with version 3.4.0 net can read, dump, import and export native
2747 win32 eventlog files (usually *.evt). evt files are used by the native Windows eventviewer tools.
2751 The import and export of evt files can only succeed when <parameter>eventlog list</parameter> is used in
2752 <emphasis>smb.conf</emphasis> file.
2753 See the <citerefentry><refentrytitle>smb.conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry> manpage for details.
2756 <para>The eventlog commands are:
2758 <member>net eventlog dump - Dump a eventlog *.evt file on the screen.</member>
2759 <member>net eventlog import - Import a eventlog *.evt into the samba internal
2760 tdb based representation of eventlogs.</member>
2761 <member>net eventlog export - Export the samba internal tdb based representation
2762 of eventlogs into an eventlog *.evt file.</member>
2767 <title>EVENTLOG DUMP <replaceable>filename</replaceable></title>
2770 Prints a eventlog *.evt file to standard output.
2775 <title>EVENTLOG IMPORT <replaceable>filename</replaceable> <replaceable>eventlog</replaceable></title>
2778 Imports a eventlog *.evt file defined by <replaceable>filename</replaceable> into the
2779 samba internal tdb representation of eventlog defined by <replaceable>eventlog</replaceable>.
2780 <replaceable>eventlog</replaceable> needs to part of the <parameter>eventlog list</parameter>
2781 defined in smb.conf.
2782 See the <citerefentry><refentrytitle>smb.conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry> manpage for details.
2788 <title>EVENTLOG EXPORT <replaceable>filename</replaceable> <replaceable>eventlog</replaceable></title>
2791 Exports the samba internal tdb representation of eventlog defined by <replaceable>eventlog</replaceable>
2792 to a eventlog *.evt file defined by <replaceable>filename</replaceable>.
2793 <replaceable>eventlog</replaceable> needs to part of the <parameter>eventlog list</parameter>
2794 defined in smb.conf.
2795 See the <citerefentry><refentrytitle>smb.conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry> manpage for details.
2805 <para>Starting with version 3.2.0 Samba has support for remote join and unjoin APIs, both client and server-side. Windows supports remote join capabilities since Windows 2000.
2807 <para>In order for Samba to be joined or unjoined remotely an account must be used that is either member of the Domain Admins group, a member of the local Administrators group or a user that is granted the SeMachineAccountPrivilege privilege.
2810 <para>The client side support for remote join is implemented in the net dom commands which are:
2812 <member>net dom join - Join a remote computer into a domain.</member>
2813 <member>net dom unjoin - Unjoin a remote computer from a domain.</member>
2814 <member>net dom renamecomputer - Renames a remote computer joined to a domain.</member>
2819 <title>DOM JOIN <replaceable>domain=DOMAIN</replaceable> <replaceable>ou=OU</replaceable> <replaceable>account=ACCOUNT</replaceable> <replaceable>password=PASSWORD</replaceable> <replaceable>reboot</replaceable></title>
2822 Joins a computer into a domain. This command supports the following additional parameters:
2827 <listitem><para><replaceable>DOMAIN</replaceable> can be a NetBIOS domain name (also known as short domain name) or a DNS domain name for Active Directory Domains. As in Windows, it is also possible to control which Domain Controller to use. This can be achieved by appending the DC name using the \ separator character. Example: MYDOM\MYDC. The <replaceable>DOMAIN</replaceable> parameter cannot be NULL.</para></listitem>
2829 <listitem><para><replaceable>OU</replaceable> can be set to a RFC 1779 LDAP DN, like <emphasis>ou=mymachines,cn=Users,dc=example,dc=com</emphasis> in order to create the machine account in a non-default LDAP container. This optional parameter is only supported when joining Active Directory Domains.</para></listitem>
2831 <listitem><para><replaceable>ACCOUNT</replaceable> defines a domain account that will be used to join the machine to the domain. This domain account needs to have sufficient privileges to join machines.</para></listitem>
2833 <listitem><para><replaceable>PASSWORD</replaceable> defines the password for the domain account defined with <replaceable>ACCOUNT</replaceable>.</para></listitem>
2835 <listitem><para><replaceable>REBOOT</replaceable> is an optional parameter that can be set to reboot the remote machine after successful join to the domain.</para></listitem>
2840 Note that you also need to use standard net parameters to connect and authenticate to the remote machine that you want to join. These additional parameters include: -S computer and -U user.
2844 net dom join -S xp -U XP\\administrator%secret domain=MYDOM account=MYDOM\\administrator password=topsecret reboot.
2847 This example would connect to a computer named XP as the local administrator using password secret, and join the computer into a domain called MYDOM using the MYDOM domain administrator account and password topsecret. After successful join, the computer would reboot.
2853 <title>DOM UNJOIN <replaceable>account=ACCOUNT</replaceable> <replaceable>password=PASSWORD</replaceable> <replaceable>reboot</replaceable></title>
2856 Unjoins a computer from a domain. This command supports the following additional parameters:
2861 <listitem><para><replaceable>ACCOUNT</replaceable> defines a domain account that will be used to unjoin the machine from the domain. This domain account needs to have sufficient privileges to unjoin machines.</para></listitem>
2863 <listitem><para><replaceable>PASSWORD</replaceable> defines the password for the domain account defined with <replaceable>ACCOUNT</replaceable>.</para></listitem>
2865 <listitem><para><replaceable>REBOOT</replaceable> is an optional parameter that can be set to reboot the remote machine after successful unjoin from the domain.</para></listitem>
2870 Note that you also need to use standard net parameters to connect and authenticate to the remote machine that you want to unjoin. These additional parameters include: -S computer and -U user.
2874 net dom unjoin -S xp -U XP\\administrator%secret account=MYDOM\\administrator password=topsecret reboot.
2877 This example would connect to a computer named XP as the local administrator using password secret, and unjoin the computer from the domain using the MYDOM domain administrator account and password topsecret. After successful unjoin, the computer would reboot.
2883 <title>DOM RENAMECOMPUTER <replaceable>newname=NEWNAME</replaceable> <replaceable>account=ACCOUNT</replaceable> <replaceable>password=PASSWORD</replaceable> <replaceable>reboot</replaceable></title>
2886 Renames a computer that is joined to a domain. This command supports the following additional parameters:
2891 <listitem><para><replaceable>NEWNAME</replaceable> defines the new name of the machine in the domain.</para></listitem>
2893 <listitem><para><replaceable>ACCOUNT</replaceable> defines a domain account that will be used to rename the machine in the domain. This domain account needs to have sufficient privileges to rename machines.</para></listitem>
2895 <listitem><para><replaceable>PASSWORD</replaceable> defines the password for the domain account defined with <replaceable>ACCOUNT</replaceable>.</para></listitem>
2897 <listitem><para><replaceable>REBOOT</replaceable> is an optional parameter that can be set to reboot the remote machine after successful rename in the domain.</para></listitem>
2902 Note that you also need to use standard net parameters to connect and authenticate to the remote machine that you want to rename in the domain. These additional parameters include: -S computer and -U user.
2906 net dom renamecomputer -S xp -U XP\\administrator%secret newname=XPNEW account=MYDOM\\administrator password=topsecret reboot.
2909 This example would connect to a computer named XP as the local administrator using password secret, and rename the joined computer to XPNEW using the MYDOM domain administrator account and password topsecret. After successful rename, the computer would reboot.
2917 <title>G_LOCK</title>
2919 <para>Manage global locks.</para>
2922 <title>G_LOCK DO <replaceable>lockname</replaceable> <replaceable>timeout</replaceable> <replaceable>command</replaceable></title>
2925 Execute a shell command under a global lock. This might be useful to define the
2926 order in which several shell commands will be executed. The locking information
2927 is stored in a file called <filename>g_lock.tdb</filename>. In setups with CTDB
2928 running, the locking information will be available on all cluster nodes.
2932 <listitem><para><replaceable>LOCKNAME</replaceable> defines the name of the global lock.</para></listitem>
2933 <listitem><para><replaceable>TIMEOUT</replaceable> defines the timeout.</para></listitem>
2934 <listitem><para><replaceable>COMMAND</replaceable> defines the shell command to execute.</para></listitem>
2939 <title>G_LOCK LOCKS</title>
2942 Print a list of all currently existing locknames.
2947 <title>G_LOCK DUMP <replaceable>lockname</replaceable></title>
2950 Dump the locking table of a certain global lock.
2959 <para>Print information from tdb records.</para>
2962 <title>TDB LOCKING <replaceable>key</replaceable> [DUMP]</title>
2964 <para>List sharename, filename and number of share modes
2965 for a record from locking.tdb. With the optional DUMP options,
2966 dump the complete record.</para>
2970 <para><replaceable>KEY</replaceable>
2971 Key of the tdb record as hex string.</para>
2980 <para>Access shared filesystem through the VFS.</para>
2983 <title>vfs stream2abouble [--recursive] [--verbose] [--continue] [--follow-symlinks] <replaceable>share</replaceable> <replaceable>path</replaceable></title>
2985 <para>Convert file streams to AppleDouble files.</para>
2988 <para><replaceable>share</replaceable>
2989 A Samba share.</para>
2994 <para><replaceable>path</replaceable> A relative path of something in
2995 the Samba share. "." can be used for the root directory of the
3000 <para>Options:</para>
3003 <term>--recursive</term>
3004 <listitem><para>Traverse a directory hierarchy.</para></listitem>
3007 <term>--verbose</term>
3008 <listitem><para>Verbose output.</para></listitem>
3011 <term>--continue</term>
3012 <listitem><para>Continue traversing a directory hierarchy if a single
3013 conversion fails.</para></listitem>
3016 <term>--follow-symlinks</term>
3017 <listitem><para>Follow symlinks encountered while traversing a
3018 directory.</para></listitem>
3024 <title>vfs getntacl <replaceable>share</replaceable> <replaceable>path</replaceable></title>
3026 <para>Display the security descriptor of a file or directory.</para>
3029 <para><replaceable>share</replaceable>
3030 A Samba share.</para>
3035 <para><replaceable>path</replaceable> A relative path of something in
3036 the Samba share. "." can be used for the root directory of the
3045 <title>HELP [COMMAND]</title>
3047 <para>Gives usage information for the specified command.</para>
3054 <title>VERSION</title>
3056 <para>This man page is complete for version 3 of the Samba
3061 <title>AUTHOR</title>
3063 <para>The original Samba software and related utilities
3064 were created by Andrew Tridgell. Samba is now developed
3065 by the Samba Team as an Open Source project similar
3066 to the way the Linux kernel is developed.</para>
3068 <para>The net manpage was written by Jelmer Vernooij.</para>
git.samba.org / amitay / samba.git / blob