1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3 <refentry id="samba-tool.8">
6 <refentrytitle>samba-tool</refentrytitle>
7 <manvolnum>8</manvolnum>
8 <refmiscinfo class="source">Samba</refmiscinfo>
9 <refmiscinfo class="manual">System Administration tools</refmiscinfo>
10 <refmiscinfo class="version">&doc.version;</refmiscinfo>
15 <refname>samba-tool</refname>
16 <refpurpose>Main Samba administration tool.
22 <command>samba-tool</command>
23 <arg choice="opt">-h</arg>
24 <arg choice="opt">-W myworkgroup</arg>
25 <arg choice="opt">-U user</arg>
26 <arg choice="opt">-d debuglevel</arg>
27 <arg choice="opt">--v</arg>
32 <title>DESCRIPTION</title>
33 <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
34 <manvolnum>7</manvolnum></citerefentry> suite.</para>
38 <title>OPTIONS</title>
43 <term>-h|--help</term>
45 Show this help message and exit
50 <term>--realm=REALM</term>
57 <term>--simple-bind-dn=DN</term>
59 DN to use for a simple bind
64 <term>--password=PASSWORD</term>
71 <term>-U USERNAME|--username=USERNAME</term>
78 <term>-W WORKGROUP|--workgroup=WORKGROUP</term>
85 <term>-N|--no-pass</term>
87 Don't ask for a password
92 <term>-k KERBEROS|--kerberos=KERBEROS</term>
99 <term>--ipaddress=IPADDRESS</term>
101 IP address of the server
105 &popt.common.samba.client;
111 <title>COMMANDS</title>
114 <title>computer create <replaceable>computername</replaceable> [options]</title>
115 <para>Create a new computer in the Active Directory Domain.</para>
116 <para>The new computer name specified on the command is the
117 sAMAccountName, with or without the trailing dollar sign.</para>
121 <term>--computerou=COMPUTEROU</term>
123 DN of alternative location (with or without domainDN counterpart) to
124 default CN=Computers in which new computer object will be created.
130 <term>--description=DESCRIPTION</term>
132 The new computers's description.
137 <term>--ip-address=IP_ADDRESS_LIST</term>
139 IPv4 address for the computer's A record, or IPv6 address for AAAA record,
140 can be provided multiple times.
145 <term>--service-principal-name=SERVICE_PRINCIPAL_NAME_LIST</term>
147 Computer's Service Principal Name, can be provided multiple times.
152 <term>--prepare-oldjoin</term>
154 Prepare enabled machine account for oldjoin mechanism.
161 <title>computer delete <replaceable>computername</replaceable> [options]</title>
162 <para>Delete an existing computer account.</para>
163 <para>The computer name specified on the command is the
164 sAMAccountName, with or without the trailing dollar sign.</para>
168 <title>computer list</title>
169 <para>List all computers.</para>
173 <title>computer move <replaceable>computername</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
174 <para>This command moves a computer account into the specified
175 organizational unit or container.</para>
176 <para>The computername specified on the command is the
177 sAMAccountName, with or without the trailing dollar sign.</para>
178 <para>The name of the organizational unit or container can be
179 specified as a full DN or without the domainDN component.</para>
183 <title>computer show <replaceable>computername</replaceable> [options]</title>
184 <para>Display a computer AD object.</para>
185 <para>The computer name specified on the command is the
186 sAMAccountName, with or without the trailing dollar sign.</para>
190 <term>--attributes=USER_ATTRS</term>
192 Comma separated list of attributes, which will be printed.
199 <title>dbcheck</title>
200 <para>Check the local AD database for errors.</para>
204 <title>delegation</title>
205 <para>Manage Delegations.</para>
209 <title>delegation add-service <replaceable>accountname</replaceable> <replaceable>principal</replaceable> [options]</title>
210 <para>Add a service principal as msDS-AllowedToDelegateTo.</para>
214 <title>delegation del-service <replaceable>accountname</replaceable> <replaceable>principal</replaceable> [options]</title>
215 <para>Delete a service principal as msDS-AllowedToDelegateTo.</para>
219 <title>delegation for-any-protocol <replaceable>accountname</replaceable> [(on|off)] [options]</title>
220 <para>Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy)
221 for an account.</para>
225 <title>delegation for-any-service <replaceable>accountname</replaceable> [(on|off)] [options]</title>
226 <para>Set/unset UF_TRUSTED_FOR_DELEGATION for an account.</para>
230 <title>delegation show <replaceable>accountname</replaceable> [options] </title>
231 <para>Show the delegation setting of an account.</para>
236 <para>Manage Domain Name Service (DNS).</para>
240 <title>dns add <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>data</replaceable></title>
241 <para>Add a DNS record.</para>
245 <title>dns delete <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>data</replaceable></title>
246 <para>Delete a DNS record.</para>
250 <title>dns query <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT|ALL</replaceable> [options] <replaceable>data</replaceable></title>
251 <para>Query a name.</para>
255 <title>dns roothints <replaceable>server</replaceable> [<replaceable>name</replaceable>] [options]</title>
256 <para>Query root hints.</para>
260 <title>dns serverinfo <replaceable>server</replaceable> [options]</title>
261 <para>Query server information.</para>
265 <title>dns update <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>olddata</replaceable> <replaceable>newdata</replaceable></title>
266 <para>Update a DNS record.</para>
270 <title>dns zonecreate <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
271 <para>Create a zone.</para>
275 <title>dns zonedelete <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
276 <para>Delete a zone.</para>
280 <title>dns zoneinfo <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
281 <para>Query zone information.</para>
285 <title>dns zonelist <replaceable>server</replaceable> [options]</title>
286 <para>List zones.</para>
290 <title>domain</title>
291 <para>Manage Domain.</para>
295 <title>domain backup</title>
296 <para>Create or restore a backup of the domain.</para>
300 <title>domain backup online</title>
301 <para>Copy a running DC's current DB into a backup tar file.</para>
305 <title>domain backup rename</title>
306 <para>Copy a running DC's DB to backup file, renaming the domain in the process.</para>
310 <title>domain backup restore</title>
311 <para>Restore the domain's DB from a backup-file.</para>
315 <title>domain classicupgrade [options] <replaceable>classic_smb_conf</replaceable></title>
316 <para>Upgrade from Samba classic (NT4-like) database to Samba AD DC
321 <title>domain dcpromo <replaceable>dnsdomain</replaceable> [DC|RODC] [options]</title>
322 <para>Promote an existing domain member or NT4 PDC to an AD DC.</para>
326 <title>domain demote</title>
327 <para>Demote ourselves from the role of domain controller.</para>
331 <title>domain exportkeytab <replaceable>keytab</replaceable> [options]</title>
332 <para>Dumps Kerberos keys of the domain into a keytab.</para>
336 <title>domain info <replaceable>ip_address</replaceable> [options]</title>
337 <para>Print basic info about a domain and the specified DC.
342 <title>domain join <replaceable>dnsdomain</replaceable> [DC|RODC|MEMBER|SUBDOMAIN] [options]</title>
343 <para>Join a domain as either member or backup domain controller.</para>
347 <title>domain level <replaceable>show|raise</replaceable> <replaceable>options</replaceable> [options]</title>
348 <para>Show/raise domain and forest function levels.</para>
352 <title>domain passwordsettings <replaceable>show|set</replaceable> <replaceable>options</replaceable> [options]</title>
353 <para>Show/set password settings.</para>
357 <title>domain passwordsettings pso</title>
358 <para>Manage fine-grained Password Settings Objects (PSOs).</para>
362 <title>domain passwordsettings pso apply <replaceable>pso-name</replaceable> <replaceable>user-or-group-name</replaceable> [options]</title>
363 <para>Applies a PSO's password policy to a user or group.</para>
367 <title>domain passwordsettings pso create <replaceable>pso-name</replaceable> <replaceable>precedence</replaceable> [options]</title>
368 <para>Creates a new Password Settings Object (PSO).</para>
372 <title>domain passwordsettings pso delete <replaceable>pso-name</replaceable> [options]</title>
373 <para>Deletes a Password Settings Object (PSO).</para>
377 <title>domain passwordsettings pso list [options]</title>
378 <para>Lists all Password Settings Objects (PSOs).</para>
382 <title>domain passwordsettings pso set <replaceable>pso-name</replaceable> [options]</title>
383 <para>Modifies a Password Settings Object (PSO).</para>
387 <title>domain passwordsettings pso show <replaceable>user-name</replaceable> [options]</title>
388 <para>Displays a Password Settings Object (PSO).</para>
392 <title>domain passwordsettings pso show-user <replaceable>pso-name</replaceable> [options]</title>
393 <para>Displays the Password Settings that apply to a user.</para>
397 <title>domain passwordsettings pso unapply <replaceable>pso-name</replaceable> <replaceable>user-or-group-name</replaceable> [options]</title>
398 <para>Updates a PSO to no longer apply to a user or group.</para>
402 <title>domain provision</title>
403 <para>Promote an existing domain member or NT4 PDC to an AD DC.</para>
407 <title>domain trust</title>
408 <para>Domain and forest trust management.</para>
412 <title>domain trust create <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
413 <para>Create a domain or forest trust.</para>
417 <title>domain trust delete <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
418 <para>Delete a domain trust.</para>
422 <title>domain trust list <replaceable>options</replaceable> [options]</title>
423 <para>List domain trusts.</para>
427 <title>domain trust namespaces [<replaceable>DOMAIN</replaceable>] <replaceable>options</replaceable> [options]</title>
428 <para>Manage forest trust namespaces.</para>
432 <title>domain trust show <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
433 <para>Show trusted domain details.</para>
437 <title>domain trust validate <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
438 <para>Validate a domain trust.</para>
443 <para>Manage Directory Replication Services (DRS).</para>
447 <title>drs bind</title>
448 <para>Show DRS capabilities of a server.</para>
452 <title>drs kcc</title>
453 <para>Trigger knowledge consistency center run.</para>
457 <title>drs options</title>
458 <para>Query or change <replaceable>options</replaceable> for NTDS Settings
459 object of a domain controller.</para>
463 <title>drs replicate <replaceable>destination_DC</replaceable> <replaceable>source_DC</replaceable> <replaceable>NC</replaceable> [options]</title>
464 <para>Replicate a naming context between two DCs.</para>
468 <title>drs showrepl</title>
469 <para>Show replication status. The <arg
470 choice="opt">--json</arg> option results in JSON output, and
471 with the <arg choice="opt">--summary</arg> option produces
472 very little output when the replication status seems healthy.
478 <para>Administer DS ACLs</para>
482 <title>dsacl set</title>
483 <para>Modify access list on a directory object.</para>
487 <title>forest</title>
488 <para>Manage Forest configuration.</para>
492 <title>forest directory_service</title>
493 <para>Manage directory_service behaviour for the forest.</para>
497 <title>forest directory_service dsheuristics <replaceable>VALUE</replaceable></title>
498 <para>Modify dsheuristics directory_service configuration for the forest.</para>
502 <title>forest directory_service show</title>
503 <para>Show current directory_service configuration for the forest.</para>
508 <para>Manage Flexible Single Master Operations (FSMO).</para>
512 <title>fsmo seize [options]</title>
513 <para>Seize the role.</para>
517 <title>fsmo show</title>
518 <para>Show the roles.</para>
522 <title>fsmo transfer [options]</title>
523 <para>Transfer the role.</para>
528 <para>Manage Group Policy Objects (GPO).</para>
532 <title>gpo create <replaceable>displayname</replaceable> [options]</title>
533 <para>Create an empty GPO.</para>
537 <title>gpo del <replaceable>gpo</replaceable> [options]</title>
538 <para>Delete GPO.</para>
542 <title>gpo dellink <replaceable>container_dn</replaceable> <replaceable>gpo</replaceable> [options]</title>
543 <para>Delete GPO link from a container.</para>
547 <title>gpo fetch <replaceable>gpo</replaceable> [options]</title>
548 <para>Download a GPO.</para>
552 <title>gpo getinheritance <replaceable>container_dn</replaceable> [options]</title>
553 <para>Get inheritance flag for a container.</para>
557 <title>gpo getlink <replaceable>container_dn</replaceable> [options]</title>
558 <para>List GPO Links for a container.</para>
562 <title>gpo list <replaceable>username</replaceable> [options]</title>
563 <para>List GPOs for an account.</para>
567 <title>gpo listall</title>
568 <para>List all GPOs.</para>
572 <title>gpo listcontainers <replaceable>gpo</replaceable> [options]</title>
573 <para>List all linked containers for a GPO.</para>
577 <title>gpo setinheritance <replaceable>container_dn</replaceable> <replaceable>block|inherit</replaceable> [options]</title>
578 <para>Set inheritance flag on a container.</para>
582 <title>gpo setlink <replaceable>container_dn</replaceable> <replaceable>gpo</replaceable> [options]</title>
583 <para>Add or Update a GPO link to a container.</para>
587 <title>gpo show <replaceable>gpo</replaceable> [options]</title>
588 <para>Show information for a GPO.</para>
593 <para>Manage groups.</para>
597 <title>group add <replaceable>groupname</replaceable> [options]</title>
598 <para>Create a new AD group.</para>
602 <title>group addmembers <replaceable>groupname</replaceable> <replaceable>members</replaceable> [options]</title>
603 <para>Add members to an AD group.</para>
607 <title>group delete <replaceable>groupname</replaceable> [options]</title>
608 <para>Delete an AD group.</para>
612 <title>group list</title>
613 <para>List all groups.</para>
617 <title>group listmembers <replaceable>groupname</replaceable> [options]</title>
618 <para>List all members of the specified AD group.</para>
622 <title>group move <replaceable>groupname</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
623 <para>This command moves a group into the specified organizational unit
625 <para>The groupname specified on the command is the sAMAccountName.
627 <para>The name of the organizational unit or container can be
628 specified as a full DN or without the domainDN component.</para>
633 <title>group removemembers <replaceable>groupname</replaceable> <replaceable>members</replaceable> [options]</title>
634 <para>Remove members from the specified AD group.</para>
638 <title>group show <replaceable>groupname</replaceable> [options]</title>
639 <para>Show group object and it's attributes.</para>
643 <title>ldapcmp <replaceable>URL1</replaceable> <replaceable>URL2</replaceable> <replaceable>domain|configuration|schema|dnsdomain|dnsforest</replaceable> [options] </title>
644 <para>Compare two LDAP databases.</para>
649 <para>Manage NT ACLs.</para>
653 <title>ntacl get <replaceable>file</replaceable> [options]</title>
654 <para>Get ACLs on a file.</para>
658 <title>ntacl set <replaceable>acl</replaceable> <replaceable>file</replaceable> [options]</title>
659 <para>Set ACLs on a file.</para>
663 <title>ntacl sysvolcheck</title>
664 <para>Check sysvol ACLs match defaults (including correct ACLs on GPOs).</para>
668 <title>ntacl sysvolreset</title>
669 <para>Reset sysvol ACLs to defaults (including correct ACLs on GPOs).</para>
673 <title>ou create <replaceable>ou_dn</replaceable> [options]</title>
674 <para>Create an organizational unit.</para>
675 <para>The name of the organizational unit can be specified as a full DN
676 or without the domainDN component.</para>
680 <term>--description=DESCRIPTION</term>
682 Specify OU's description.
689 <title>ou delete <replaceable>ou_dn</replaceable> [options]</title>
690 <para>Delete an organizational unit.</para>
691 <para>The name of the organizational unit can be specified as a full DN
692 or without the domainDN component.</para>
696 <term>--force-subtree-delete</term>
698 Delete organizational unit and all children reclusively.
705 <title>ou list [options]</title>
706 <para>List all organizational units.</para>
709 <term>--full-dn</term>
711 Display DNs including the base DN.
718 <title>ou listobjects <replaceable>ou_dn</replaceable> [options]</title>
719 <para>List all objects in an organizational unit.</para>
720 <para>The name of the organizational unit can be specified as a full DN
721 or without the domainDN component.</para>
725 <term>--full-dn</term>
727 Display DNs including the base DN.
732 <term>-r|--recursive</term>
734 List objects recursively.
741 <title>ou move <replaceable>old_ou_dn</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
742 <para>Move an organizational unit.</para>
743 <para>The name of the organizational units can be specified as a full DN
744 or without the domainDN component.</para>
748 <title>ou rename <replaceable>old_ou_dn</replaceable> <replaceable>new_ou_dn</replaceable> [options]</title>
749 <para>Rename an organizational unit.</para>
750 <para>The name of the organizational units can be specified as a full DN
751 or without the domainDN component.</para>
756 <para>Manage Read-Only Domain Controller (RODC).</para>
760 <title>rodc preload <replaceable>SID</replaceable>|<replaceable>DN</replaceable>|<replaceable>accountname</replaceable> [options]</title>
761 <para>Preload one account for an RODC.</para>
765 <title>schema</title>
766 <para>Manage and query schema.</para>
770 <title>schema attribute modify <replaceable>attribute</replaceable> [options]</title>
771 <para>Modify the behaviour of an attribute in schema.</para>
775 <title>schema attribute show <replaceable>attribute</replaceable> [options]</title>
776 <para>Display an attribute schema definition.</para>
780 <title>schema attribute show_oc <replaceable>attribute</replaceable> [options]</title>
781 <para>Show objectclasses that MAY or MUST contain this attribute.</para>
785 <title>schema objectclass show <replaceable>objectclass</replaceable> [options]</title>
786 <para>Display an objectclass schema definition.</para>
791 <para>Manage sites.</para>
795 <title>sites create <replaceable>site</replaceable> [options]</title>
796 <para>Create a new site.</para>
800 <title>sites remove <replaceable>site</replaceable> [options]</title>
801 <para>Delete an existing site.</para>
806 <para>Manage Service Principal Names (SPN).</para>
810 <title>spn add <replaceable>name</replaceable> <replaceable>user</replaceable> [options]</title>
811 <para>Create a new SPN.</para>
815 <title>spn delete <replaceable>name</replaceable> [<replaceable>user</replaceable>] [options]</title>
816 <para>Delete an existing SPN.</para>
820 <title>spn list <replaceable>user</replaceable> [options]</title>
821 <para>List SPNs of a given user.</para>
825 <title>testparm</title>
826 <para>Check the syntax of the configuration file.</para>
831 <para>Retrieve the time on a server.</para>
836 <para>Manage users.</para>
840 <title>user add <replaceable>username</replaceable> [<replaceable>password</replaceable>]</title>
841 <para>Create a new user. Please note that this subcommand is deprecated
842 and available for compatibility reasons only. Please use
843 <command>samba-tool user create</command> instead.</para>
847 <title>user create <replaceable>username</replaceable> [<replaceable>password</replaceable>]</title>
848 <para>Create a new user in the Active Directory Domain.</para>
852 <title>user delete <replaceable>username</replaceable> [options]</title>
853 <para>Delete an existing user account.</para>
857 <title>user disable <replaceable>username</replaceable></title>
858 <para>Disable an user account.</para>
862 <title>user enable <replaceable>username</replaceable></title>
863 <para>Enable an user account.</para>
867 <title>user list</title>
868 <para>List all users.</para>
872 <title>user show <replaceable>username</replaceable> [options]</title>
873 <para>Display a user AD object.</para>
877 <term>--attributes=USER_ATTRS</term>
879 Comma separated list of attributes, which will be printed.
886 <title>user move <replaceable>username</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
887 <para>This command moves a user account into the specified
888 organizational unit or container.</para>
889 <para>The username specified on the command is the
890 sAMAccountName.</para>
891 <para>The name of the organizational unit or container can be
892 specified as a full DN or without the domainDN component.</para>
896 <title>user password [options]</title>
897 <para>Change password for an user account (the one provided in
898 authentication).</para>
902 <title>user setexpiry <replaceable>username</replaceable> [options]</title>
903 <para>Set the expiration of an user account.</para>
907 <title>user setpassword <replaceable>username</replaceable> [options]</title>
908 <para>Sets or resets the password of an user account.</para>
912 <title>user getpassword <replaceable>username</replaceable> [options]</title>
913 <para>Gets the password of an user account.</para>
917 <title>user syncpasswords <replaceable>--cache-ldb-initialize</replaceable> [options]</title>
918 <para>Syncs the passwords of all user accounts, using an optional script.</para>
919 <para>Note that this command should run on a single domain controller only
920 (typically the PDC-emulator).</para>
924 <title>vampire [options] <replaceable>domain</replaceable></title>
925 <para>Join and synchronise a remote AD domain to the local server.
926 Please note that <command>samba-tool vampire</command> is deprecated,
927 please use <command>samba-tool domain join</command> instead.</para>
931 <title>visualize [options] <replaceable>subcommand</replaceable></title>
932 <para>Produce graphical representations of Samba network state.
933 To work out what is happening in a replication graph, it is sometimes
934 helpful to use visualisations.</para>
937 There are two subcommands, two graphical modes, and (roughly) two modes
938 of operation with respect to the location of authority.</para>
940 <refsect3><title>MODES OF OPERATION</title>
942 <term>samba-tool visualize ntdsconn</term>
943 <listitem><para>Looks at NTDS connections.
948 <term>samba-tool visualize reps</term>
949 <listitem><para>Looks at repsTo and repsFrom objects.
954 <term>samba-tool visualize uptodateness</term>
955 <listitem><para>Looks at replication lag as shown by the
956 uptodateness vectors.
961 <refsect3><title>GRAPHICAL MODES</title>
963 <term>--distance</term>
964 <listitem><para>Distances between DCs are shown in a matrix in
971 <listitem><para>Generate Graphviz dot output (for
972 ntdsconn and reps modes). When viewed using dot or
973 xdot, this shows the network as a graph with DCs as
974 vertices and connections edges. Certain types of
975 degenerate edges are shown in different colours or
976 line-styles. </para></listitem>
980 <listitem><para>Generate Graphviz dot output as with
981 <arg choice="opt">--dot</arg> and attempt to view it
982 immediately using <command>/usr/bin/xdot</command>.
989 <listitem><para>Normally,
990 <command>samba-tool</command> talks to one database;
991 with the <arg choice="opt">-r</arg> option attempts
992 are made to contact all the DCs known to the first
993 database. This is necessary for <command>samba-tool
994 visualize uptodateness</command> and for
995 <command>samba-tool visualize reps</command> because
996 the repsFrom/To objects are not replicated, and it can
997 reveal replication issues in other modes.
1004 <para>Gives usage information.</para>
1010 <title>VERSION</title>
1012 <para>This man page is complete for version &doc.version; of the Samba
1017 <title>AUTHOR</title>
1019 <para>The original Samba software and related utilities
1020 were created by Andrew Tridgell. Samba is now developed
1021 by the Samba Team as an Open Source project similar
1022 to the way the Linux kernel is developed.</para>
git.samba.org / samba.git / blob