1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3 <refentry id="samba-tool.8">
6 <refentrytitle>samba-tool</refentrytitle>
7 <manvolnum>8</manvolnum>
8 <refmiscinfo class="source">Samba</refmiscinfo>
9 <refmiscinfo class="manual">System Administration tools</refmiscinfo>
10 <refmiscinfo class="version">&doc.version;</refmiscinfo>
15 <refname>samba-tool</refname>
16 <refpurpose>Main Samba administration tool.
22 <command>samba-tool</command>
23 <arg choice="opt">-h</arg>
24 <arg choice="opt">-W myworkgroup</arg>
25 <arg choice="opt">-U user</arg>
26 <arg choice="opt">-d debuglevel</arg>
27 <arg choice="opt">--v</arg>
32 <title>DESCRIPTION</title>
33 <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
34 <manvolnum>7</manvolnum></citerefentry> suite.</para>
38 <title>OPTIONS</title>
43 <term>-h|--help</term>
45 Show this help message and exit
50 <term>--realm=REALM</term>
57 <term>--simple-bind-dn=DN</term>
59 DN to use for a simple bind
64 <term>--password=PASSWORD</term>
71 <term>-U USERNAME|--username=USERNAME</term>
78 <term>-W WORKGROUP|--workgroup=WORKGROUP</term>
85 <term>-N|--no-pass</term>
87 Don't ask for a password
92 <term>-k KERBEROS|--kerberos=KERBEROS</term>
99 <term>--ipaddress=IPADDRESS</term>
101 IP address of the server
105 &popt.common.samba.client;
111 <title>COMMANDS</title>
114 <title>computer create <replaceable>computername</replaceable> [options]</title>
115 <para>Create a new computer in the Active Directory Domain.</para>
116 <para>The new computer name specified on the command is the
117 sAMAccountName, with or without the trailing dollar sign.</para>
121 <term>--computerou=COMPUTEROU</term>
123 DN of alternative location (with or without domainDN counterpart) to
124 default CN=Computers in which new computer object will be created.
130 <term>--description=DESCRIPTION</term>
132 The new computers's description.
137 <term>--ip-address=IP_ADDRESS_LIST</term>
139 IPv4 address for the computer's A record, or IPv6 address for AAAA record,
140 can be provided multiple times.
145 <term>--service-principal-name=SERVICE_PRINCIPAL_NAME_LIST</term>
147 Computer's Service Principal Name, can be provided multiple times.
152 <term>--prepare-oldjoin</term>
154 Prepare enabled machine account for oldjoin mechanism.
161 <title>computer delete <replaceable>computername</replaceable> [options]</title>
162 <para>Delete an existing computer account.</para>
163 <para>The computer name specified on the command is the
164 sAMAccountName, with or without the trailing dollar sign.</para>
168 <title>computer list</title>
169 <para>List all computers.</para>
173 <title>computer move <replaceable>computername</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
174 <para>This command moves a computer account into the specified
175 organizational unit or container.</para>
176 <para>The computername specified on the command is the
177 sAMAccountName, with or without the trailing dollar sign.</para>
178 <para>The name of the organizational unit or container can be
179 specified as a full DN or without the domainDN component.</para>
183 <title>computer show <replaceable>computername</replaceable> [options]</title>
184 <para>Display a computer AD object.</para>
185 <para>The computer name specified on the command is the
186 sAMAccountName, with or without the trailing dollar sign.</para>
190 <term>--attributes=USER_ATTRS</term>
192 Comma separated list of attributes, which will be printed.
199 <title>dbcheck</title>
200 <para>Check the local AD database for errors.</para>
204 <title>delegation</title>
205 <para>Manage Delegations.</para>
209 <title>delegation add-service <replaceable>accountname</replaceable> <replaceable>principal</replaceable> [options]</title>
210 <para>Add a service principal as msDS-AllowedToDelegateTo.</para>
214 <title>delegation del-service <replaceable>accountname</replaceable> <replaceable>principal</replaceable> [options]</title>
215 <para>Delete a service principal as msDS-AllowedToDelegateTo.</para>
219 <title>delegation for-any-protocol <replaceable>accountname</replaceable> [(on|off)] [options]</title>
220 <para>Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy)
221 for an account.</para>
225 <title>delegation for-any-service <replaceable>accountname</replaceable> [(on|off)] [options]</title>
226 <para>Set/unset UF_TRUSTED_FOR_DELEGATION for an account.</para>
230 <title>delegation show <replaceable>accountname</replaceable> [options] </title>
231 <para>Show the delegation setting of an account.</para>
236 <para>Manage Domain Name Service (DNS).</para>
240 <title>dns add <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>data</replaceable></title>
241 <para>Add a DNS record.</para>
245 <title>dns delete <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>data</replaceable></title>
246 <para>Delete a DNS record.</para>
250 <title>dns query <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT|ALL</replaceable> [options] <replaceable>data</replaceable></title>
251 <para>Query a name.</para>
255 <title>dns roothints <replaceable>server</replaceable> [<replaceable>name</replaceable>] [options]</title>
256 <para>Query root hints.</para>
260 <title>dns serverinfo <replaceable>server</replaceable> [options]</title>
261 <para>Query server information.</para>
265 <title>dns update <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>olddata</replaceable> <replaceable>newdata</replaceable></title>
266 <para>Update a DNS record.</para>
270 <title>dns zonecreate <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
271 <para>Create a zone.</para>
275 <title>dns zonedelete <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
276 <para>Delete a zone.</para>
280 <title>dns zoneinfo <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
281 <para>Query zone information.</para>
285 <title>dns zonelist <replaceable>server</replaceable> [options]</title>
286 <para>List zones.</para>
290 <title>domain</title>
291 <para>Manage Domain.</para>
295 <title>domain classicupgrade [options] <replaceable>classic_smb_conf</replaceable></title>
296 <para>Upgrade from Samba classic (NT4-like) database to Samba AD DC
301 <title>domain dcpromo <replaceable>dnsdomain</replaceable> [DC|RODC] [options]</title>
302 <para>Promote an existing domain member or NT4 PDC to an AD DC.</para>
306 <title>domain demote</title>
307 <para>Demote ourselves from the role of domain controller.</para>
311 <title>domain exportkeytab <replaceable>keytab</replaceable> [options]</title>
312 <para>Dumps Kerberos keys of the domain into a keytab.</para>
316 <title>domain info <replaceable>ip_address</replaceable> [options]</title>
317 <para>Print basic info about a domain and the specified DC.
322 <title>domain join <replaceable>dnsdomain</replaceable> [DC|RODC|MEMBER|SUBDOMAIN] [options]</title>
323 <para>Join a domain as either member or backup domain controller.</para>
327 <title>domain level <replaceable>show|raise</replaceable> <replaceable>options</replaceable> [options]</title>
328 <para>Show/raise domain and forest function levels.</para>
332 <title>domain passwordsettings <replaceable>show|set</replaceable> <replaceable>options</replaceable> [options]</title>
333 <para>Show/set password settings.</para>
337 <title>domain passwordsettings pso</title>
338 <para>Manage fine-grained Password Settings Objects (PSOs).</para>
342 <title>domain passwordsettings pso apply <replaceable>pso-name</replaceable> <replaceable>user-or-group-name</replaceable> [options]</title>
343 <para>Applies a PSO's password policy to a user or group.</para>
347 <title>domain passwordsettings pso create <replaceable>pso-name</replaceable> <replaceable>precedence</replaceable> [options]</title>
348 <para>Creates a new Password Settings Object (PSO).</para>
352 <title>domain passwordsettings pso delete <replaceable>pso-name</replaceable> [options]</title>
353 <para>Deletes a Password Settings Object (PSO).</para>
357 <title>domain passwordsettings pso list [options]</title>
358 <para>Lists all Password Settings Objects (PSOs).</para>
362 <title>domain passwordsettings pso set <replaceable>pso-name</replaceable> [options]</title>
363 <para>Modifies a Password Settings Object (PSO).</para>
367 <title>domain passwordsettings pso show <replaceable>user-name</replaceable> [options]</title>
368 <para>Displays a Password Settings Object (PSO).</para>
372 <title>domain passwordsettings pso show-user <replaceable>pso-name</replaceable> [options]</title>
373 <para>Displays the Password Settings that apply to a user.</para>
377 <title>domain passwordsettings pso unapply <replaceable>pso-name</replaceable> <replaceable>user-or-group-name</replaceable> [options]</title>
378 <para>Updates a PSO to no longer apply to a user or group.</para>
382 <title>domain provision</title>
383 <para>Promote an existing domain member or NT4 PDC to an AD DC.</para>
387 <title>domain trust</title>
388 <para>Domain and forest trust management.</para>
392 <title>domain trust create <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
393 <para>Create a domain or forest trust.</para>
397 <title>domain trust delete <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
398 <para>Delete a domain trust.</para>
402 <title>domain trust list <replaceable>options</replaceable> [options]</title>
403 <para>List domain trusts.</para>
407 <title>domain trust namespaces [<replaceable>DOMAIN</replaceable>] <replaceable>options</replaceable> [options]</title>
408 <para>Manage forest trust namespaces.</para>
412 <title>domain trust show <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
413 <para>Show trusted domain details.</para>
417 <title>domain trust validate <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
418 <para>Validate a domain trust.</para>
423 <para>Manage Directory Replication Services (DRS).</para>
427 <title>drs bind</title>
428 <para>Show DRS capabilities of a server.</para>
432 <title>drs kcc</title>
433 <para>Trigger knowledge consistency center run.</para>
437 <title>drs options</title>
438 <para>Query or change <replaceable>options</replaceable> for NTDS Settings
439 object of a domain controller.</para>
443 <title>drs replicate <replaceable>destination_DC</replaceable> <replaceable>source_DC</replaceable> <replaceable>NC</replaceable> [options]</title>
444 <para>Replicate a naming context between two DCs.</para>
448 <title>drs showrepl</title>
449 <para>Show replication status.</para>
454 <para>Administer DS ACLs</para>
458 <title>dsacl set</title>
459 <para>Modify access list on a directory object.</para>
463 <title>forest</title>
464 <para>Manage Forest configuration.</para>
468 <title>forest directory_service</title>
469 <para>Manage directory_service behaviour for the forest.</para>
473 <title>forest directory_service dsheuristics <replaceable>VALUE</replaceable></title>
474 <para>Modify dsheuristics directory_service configuration for the forest.</para>
478 <title>forest directory_service show</title>
479 <para>Show current directory_service configuration for the forest.</para>
484 <para>Manage Flexible Single Master Operations (FSMO).</para>
488 <title>fsmo seize [options]</title>
489 <para>Seize the role.</para>
493 <title>fsmo show</title>
494 <para>Show the roles.</para>
498 <title>fsmo transfer [options]</title>
499 <para>Transfer the role.</para>
504 <para>Manage Group Policy Objects (GPO).</para>
508 <title>gpo create <replaceable>displayname</replaceable> [options]</title>
509 <para>Create an empty GPO.</para>
513 <title>gpo del <replaceable>gpo</replaceable> [options]</title>
514 <para>Delete GPO.</para>
518 <title>gpo dellink <replaceable>container_dn</replaceable> <replaceable>gpo</replaceable> [options]</title>
519 <para>Delete GPO link from a container.</para>
523 <title>gpo fetch <replaceable>gpo</replaceable> [options]</title>
524 <para>Download a GPO.</para>
528 <title>gpo getinheritance <replaceable>container_dn</replaceable> [options]</title>
529 <para>Get inheritance flag for a container.</para>
533 <title>gpo getlink <replaceable>container_dn</replaceable> [options]</title>
534 <para>List GPO Links for a container.</para>
538 <title>gpo list <replaceable>username</replaceable> [options]</title>
539 <para>List GPOs for an account.</para>
543 <title>gpo listall</title>
544 <para>List all GPOs.</para>
548 <title>gpo listcontainers <replaceable>gpo</replaceable> [options]</title>
549 <para>List all linked containers for a GPO.</para>
553 <title>gpo setinheritance <replaceable>container_dn</replaceable> <replaceable>block|inherit</replaceable> [options]</title>
554 <para>Set inheritance flag on a container.</para>
558 <title>gpo setlink <replaceable>container_dn</replaceable> <replaceable>gpo</replaceable> [options]</title>
559 <para>Add or Update a GPO link to a container.</para>
563 <title>gpo show <replaceable>gpo</replaceable> [options]</title>
564 <para>Show information for a GPO.</para>
569 <para>Manage groups.</para>
573 <title>group add <replaceable>groupname</replaceable> [options]</title>
574 <para>Create a new AD group.</para>
578 <title>group addmembers <replaceable>groupname</replaceable> <replaceable>members</replaceable> [options]</title>
579 <para>Add members to an AD group.</para>
583 <title>group delete <replaceable>groupname</replaceable> [options]</title>
584 <para>Delete an AD group.</para>
588 <title>group list</title>
589 <para>List all groups.</para>
593 <title>group listmembers <replaceable>groupname</replaceable> [options]</title>
594 <para>List all members of the specified AD group.</para>
598 <title>group move <replaceable>groupname</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
599 <para>This command moves a group into the specified organizational unit
601 <para>The groupname specified on the command is the sAMAccountName.
603 <para>The name of the organizational unit or container can be
604 specified as a full DN or without the domainDN component.</para>
609 <title>group removemembers <replaceable>groupname</replaceable> <replaceable>members</replaceable> [options]</title>
610 <para>Remove members from the specified AD group.</para>
614 <title>group show <replaceable>groupname</replaceable> [options]</title>
615 <para>Show group object and it's attributes.</para>
619 <title>ldapcmp <replaceable>URL1</replaceable> <replaceable>URL2</replaceable> <replaceable>domain|configuration|schema|dnsdomain|dnsforest</replaceable> [options] </title>
620 <para>Compare two LDAP databases.</para>
625 <para>Manage NT ACLs.</para>
629 <title>ntacl get <replaceable>file</replaceable> [options]</title>
630 <para>Get ACLs on a file.</para>
634 <title>ntacl set <replaceable>acl</replaceable> <replaceable>file</replaceable> [options]</title>
635 <para>Set ACLs on a file.</para>
639 <title>ntacl sysvolcheck</title>
640 <para>Check sysvol ACLs match defaults (including correct ACLs on GPOs).</para>
644 <title>ntacl sysvolreset</title>
645 <para>Reset sysvol ACLs to defaults (including correct ACLs on GPOs).</para>
649 <title>ou create <replaceable>ou_dn</replaceable> [options]</title>
650 <para>Create an organizational unit.</para>
651 <para>The name of the organizational unit can be specified as a full DN
652 or without the domainDN component.</para>
656 <term>--description=DESCRIPTION</term>
658 Specify OU's description.
665 <title>ou delete <replaceable>ou_dn</replaceable> [options]</title>
666 <para>Delete an organizational unit.</para>
667 <para>The name of the organizational unit can be specified as a full DN
668 or without the domainDN component.</para>
672 <term>--force-subtree-delete</term>
674 Delete organizational unit and all children reclusively.
681 <title>ou list [options]</title>
682 <para>List all organizational units.</para>
685 <term>--full-dn</term>
687 Display DNs including the base DN.
694 <title>ou listobjects <replaceable>ou_dn</replaceable> [options]</title>
695 <para>List all objects in an organizational unit.</para>
696 <para>The name of the organizational unit can be specified as a full DN
697 or without the domainDN component.</para>
701 <term>--full-dn</term>
703 Display DNs including the base DN.
708 <term>-r|--recursive</term>
710 List objects recursively.
717 <title>ou move <replaceable>old_ou_dn</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
718 <para>Move an organizational unit.</para>
719 <para>The name of the organizational units can be specified as a full DN
720 or without the domainDN component.</para>
724 <title>ou rename <replaceable>old_ou_dn</replaceable> <replaceable>new_ou_dn</replaceable> [options]</title>
725 <para>Rename an organizational unit.</para>
726 <para>The name of the organizational units can be specified as a full DN
727 or without the domainDN component.</para>
732 <para>Manage Read-Only Domain Controller (RODC).</para>
736 <title>rodc preload <replaceable>SID</replaceable>|<replaceable>DN</replaceable>|<replaceable>accountname</replaceable> [options]</title>
737 <para>Preload one account for an RODC.</para>
742 <para>Manage sites.</para>
746 <title>sites create <replaceable>site</replaceable> [options]</title>
747 <para>Create a new site.</para>
751 <title>sites remove <replaceable>site</replaceable> [options]</title>
752 <para>Delete an existing site.</para>
757 <para>Manage Service Principal Names (SPN).</para>
761 <title>spn add <replaceable>name</replaceable> <replaceable>user</replaceable> [options]</title>
762 <para>Create a new SPN.</para>
766 <title>spn delete <replaceable>name</replaceable> [<replaceable>user</replaceable>] [options]</title>
767 <para>Delete an existing SPN.</para>
771 <title>spn list <replaceable>user</replaceable> [options]</title>
772 <para>List SPNs of a given user.</para>
776 <title>testparm</title>
777 <para>Check the syntax of the configuration file.</para>
782 <para>Retrieve the time on a server.</para>
787 <para>Manage users.</para>
791 <title>user add <replaceable>username</replaceable> [<replaceable>password</replaceable>]</title>
792 <para>Create a new user. Please note that this subcommand is deprecated
793 and available for compatibility reasons only. Please use
794 <command>samba-tool user create</command> instead.</para>
798 <title>user create <replaceable>username</replaceable> [<replaceable>password</replaceable>]</title>
799 <para>Create a new user in the Active Directory Domain.</para>
803 <title>user delete <replaceable>username</replaceable> [options]</title>
804 <para>Delete an existing user account.</para>
808 <title>user disable <replaceable>username</replaceable></title>
809 <para>Disable an user account.</para>
813 <title>user enable <replaceable>username</replaceable></title>
814 <para>Enable an user account.</para>
818 <title>user list</title>
819 <para>List all users.</para>
823 <title>user show <replaceable>username</replaceable> [options]</title>
824 <para>Display a user AD object.</para>
828 <term>--attributes=USER_ATTRS</term>
830 Comma separated list of attributes, which will be printed.
837 <title>user move <replaceable>username</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
838 <para>This command moves a user account into the specified
839 organizational unit or container.</para>
840 <para>The username specified on the command is the
841 sAMAccountName.</para>
842 <para>The name of the organizational unit or container can be
843 specified as a full DN or without the domainDN component.</para>
847 <title>user password [options]</title>
848 <para>Change password for an user account (the one provided in
849 authentication).</para>
853 <title>user setexpiry <replaceable>username</replaceable> [options]</title>
854 <para>Set the expiration of an user account.</para>
858 <title>user setpassword <replaceable>username</replaceable> [options]</title>
859 <para>Sets or resets the password of an user account.</para>
863 <title>user getpassword <replaceable>username</replaceable> [options]</title>
864 <para>Gets the password of an user account.</para>
868 <title>user syncpasswords <replaceable>--cache-ldb-initialize</replaceable> [options]</title>
869 <para>Syncs the passwords of all user accounts, using an optional script.</para>
870 <para>Note that this command should run on a single domain controller only
871 (typically the PDC-emulator).</para>
875 <title>vampire [options] <replaceable>domain</replaceable></title>
876 <para>Join and synchronise a remote AD domain to the local server.
877 Please note that <command>samba-tool vampire</command> is deprecated,
878 please use <command>samba-tool domain join</command> instead.</para>
882 <title>visualize [options] <replaceable>subcommand</replaceable></title>
883 <para>Produce graphical representations of Samba network state.
884 To work out what is happening in a replication graph, it is sometimes
885 helpful to use visualisations.</para>
888 There are two subcommands, two graphical modes, and (roughly) two modes
889 of operation with respect to the location of authority.</para>
891 <refsect3><title>MODES OF OPERATION</title>
893 <term>samba-tool visualize ntdsconn</term>
894 <listitem><para>Looks at NTDS connections.
899 <term>samba-tool visualize reps</term>
900 <listitem><para>Looks at repsTo and repsFrom objects.
905 <refsect3><title>GRAPHICAL MODES</title>
907 <term>--distance</term>
908 <listitem><para>Distances between DCs are shown in a matrix in
915 <listitem><para>Generate Graphviz dot output. When viewed using
916 dot or xdot, this shows the network as a graph with DCs as
917 vertices and connections edges. Certain types of degenerate
918 edges are shown in different colours or line-styles.
925 <listitem><para>Normally, <command>samba-tool</command> talks
926 to one database; with the <arg choice="opt">-r</arg> option
927 attempts are made to contact all the DCs known to the first
928 database. This is necessary to get sensible results from
929 <command>samba-tool visualize reps</command> because the
930 repsFrom/To objects are not replicated, and it can reveal
931 replication issues in other modes.
938 <para>Gives usage information.</para>
944 <title>VERSION</title>
946 <para>This man page is complete for version &doc.version; of the Samba
951 <title>AUTHOR</title>
953 <para>The original Samba software and related utilities
954 were created by Andrew Tridgell. Samba is now developed
955 by the Samba Team as an Open Source project similar
956 to the way the Linux kernel is developed.</para>
git.samba.org / samba.git / blob