<manvolnum>8</manvolnum>
<refmiscinfo class="source">Samba</refmiscinfo>
<refmiscinfo class="manual">System Administration tools</refmiscinfo>
- <refmiscinfo class="version">4.0</refmiscinfo>
+ <refmiscinfo class="version">&doc.version;</refmiscinfo>
</refmeta>
<cmdsynopsis>
<command>net</command>
<arg choice="req"><ads|rap|rpc></arg>
- <arg choice="opt">-h</arg>
- <arg choice="opt">-w workgroup</arg>
- <arg choice="opt">-W myworkgroup</arg>
- <arg choice="opt">-U user</arg>
- <arg choice="opt">-I ip-address</arg>
- <arg choice="opt">-p port</arg>
+ <arg choice="opt">-h|--help</arg>
+ <arg choice="opt">-w|--workgroup workgroup</arg>
+ <arg choice="opt">-W|--myworkgroup myworkgroup</arg>
+ <arg choice="opt">-U|--user user</arg>
+ <arg choice="opt">-I|--ipaddress ip-address</arg>
+ <arg choice="opt">-p|--port port</arg>
<arg choice="opt">-n myname</arg>
<arg choice="opt">-s conffile</arg>
- <arg choice="opt">-S server</arg>
- <arg choice="opt">-l</arg>
- <arg choice="opt">-P</arg>
+ <arg choice="opt">-S|--server server</arg>
+ <arg choice="opt">-l|--long</arg>
+ <arg choice="opt">-v|--verbose</arg>
+ <arg choice="opt">-f|--force</arg>
+ <arg choice="opt">-P|--machine-pass</arg>
<arg choice="opt">-d debuglevel</arg>
<arg choice="opt">-V</arg>
<arg choice="opt">--request-timeout seconds</arg>
+ <arg choice="opt">-t|--timeout seconds</arg>
+ <arg choice="opt">-i|--stdin</arg>
+ <arg choice="opt">--tallocreport</arg>
</cmdsynopsis>
</refsynopsisdiv>
&stdarg.kerberos;
<varlistentry>
- <term>-w target-workgroup</term>
+ <term>-w|--workgroup target-workgroup</term>
<listitem><para>
Sets target workgroup or domain. You have to specify
either this option or the IP address or the name of a server.
</varlistentry>
<varlistentry>
- <term>-W workgroup</term>
+ <term>-W|--myworkgroup workgroup</term>
<listitem><para>
Sets client workgroup or domain
</para></listitem>
</varlistentry>
<varlistentry>
- <term>-U user</term>
+ <term>-U|--user user</term>
<listitem><para>
User name to use
</para></listitem>
</varlistentry>
<varlistentry>
- <term>-I ip-address</term>
+ <term>-I|--ipaddress ip-address</term>
<listitem><para>
IP address of target server to use. You have to
specify either this option or a target workgroup or
</varlistentry>
<varlistentry>
- <term>-p port</term>
+ <term>-p|--port port</term>
<listitem><para>
Port on the target server to connect to (usually 139 or 445).
Defaults to trying 445 first, then 139.
</varlistentry>
&stdarg.netbios.name;
- &stdarg.configfile;
<varlistentry>
- <term>-S server</term>
+ <term>-S|--server server</term>
<listitem><para>
Name of target server. You should specify either
this option or a target workgroup or a target IP address.
</varlistentry>
<varlistentry>
- <term>-l</term>
+ <term>-l|--long</term>
<listitem><para>
When listing data, give more information on each item.
</para></listitem>
</varlistentry>
<varlistentry>
- <term>-P</term>
+ <term>-v|--verbose</term>
+ <listitem><para>
+ When listing data, give more verbose information on each item.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-f|--force</term>
+ <listitem><para>
+ Enforcing a net command.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-P|--machine-pass</term>
<listitem><para>
Make queries to the external server using the machine account of the local server.
</para></listitem>
</para></listitem>
</varlistentry>
- &stdarg.server.debug;
+ <varlistentry>
+ <term>-t|--timeout 30</term>
+ <listitem><para>
+ Set timeout for client operations to 30 seconds.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--use-ccache</term>
+ <listitem><para>
+ Try to use the credentials cached by winbind.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-i|--stdin</term>
+ <listitem><para>
+ Take input for net commands from standard input.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--tallocreport</term>
+ <listitem><para>
+ Generate a talloc report while processing a net
+ command.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-T|--test</term>
+ <listitem><para>Only test command sequence, dry-run.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-F|--flags FLAGS</term>
+ <listitem><para>Pass down integer flags to a net subcommand.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-C|--comment COMMENT</term>
+ <listitem><para>Pass down a comment string to a net subcommand.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-n|--myname MYNAME</term>
+ <listitem><para>Use MYNAME as a requester name for a net subcommand.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-c|--container CONTAINER</term>
+ <listitem><para>Use a specific AD container for net ads operations.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-M|--maxusers MAXUSERS</term>
+ <listitem><para>Fill in the maxusers field in net rpc share operations.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-r|--reboot</term>
+ <listitem><para>Reboot a remote machine after a command has been successfully executed (e.g. in remote join operations).
+ </para></listitem>
+ </varlistentry>
+
+ <!-- Options for net rpc vampire -->
+
+ <varlistentry>
+ <term>--force-full-repl</term>
+ <listitem><para>
+ When calling "net rpc vampire keytab" this option
+ enforces a full re-creation of the generated keytab file.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--single-obj-repl</term>
+ <listitem><para>
+ When calling "net rpc vampire keytab" this option
+ allows one to replicate just a single object to the generated keytab file.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--clean-old-entries</term>
+ <listitem><para>
+ When calling "net rpc vampire keytab" this option
+ allows one to cleanup old entries from the generated keytab file.
+ </para></listitem>
+ </varlistentry>
+
+ <!-- Options for net idmap -->
+
+ <varlistentry>
+ <term>--db</term>
+ <listitem><para>Define dbfile for "net idmap" commands.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--lock</term>
+ <listitem><para>Activates locking of the dbfile for "net idmap check" command.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-a|--auto</term>
+ <listitem><para>Activates noninteractive mode in "net idmap check".
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--repair</term>
+ <listitem><para>Activates repair mode in "net idmap check".
+ </para></listitem>
+ </varlistentry>
+
+ <!-- Options for net rpc share migrate -->
+
+ <varlistentry>
+ <term>--acls</term>
+ <listitem><para>Includes ACLs to be copied in "net rpc share migrate".
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--attrs</term>
+ <listitem><para>Includes file attributes to be copied in "net rpc share migrate".
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--timestamps</term>
+ <listitem><para>Includes timestamps to be copied in "net rpc share migrate".
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-X|--exclude DIRECTORY</term>
+ <listitem><para>Allows one to exclude directories when copying with "net rpc share migrate".
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--destination SERVERNAME</term>
+ <listitem><para>Defines the target servername of migration process (defaults to localhost).
+ </para></listitem>
+ </varlistentry>
+
+ <!-- Options for net groupmap set -->
+
+ <varlistentry>
+ <term>-L|--local</term>
+ <listitem><para>Sets the type of group mapping to local
+ (used in "net groupmap set").
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-D|--domain</term>
+ <listitem><para>Sets the type of group mapping to domain
+ (used in "net groupmap set").
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-N|--ntname NTNAME</term>
+ <listitem><para>Sets the ntname of a group mapping
+ (used in "net groupmap set").
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-R|--rid RID</term>
+ <listitem><para>Sets the rid of a group mapping
+ (used in "net groupmap set").
+ </para></listitem>
+ </varlistentry>
+
+ <!-- Options for net registry check -->
+
+ <varlistentry>
+ <term>--reg-version REG_VERSION</term>
+ <listitem><para>Assume database version {n|1,2,3}
+ (used in "net registry check").
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-o|--output FILENAME</term>
+ <listitem><para>Output database file
+ (used in "net registry check").
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--wipe</term>
+ <listitem><para>Create a new database from scratch
+ (used in "net registry check").
+ </para></listitem>
+ </varlistentry>
+
+ <!-- Options for net registry import -->
+
+ <varlistentry>
+ <term>--precheck PRECHECK_DB_FILENAME</term>
+ <listitem><para>Defines filename for database prechecking
+ (used in "net registry import").
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>--no-dns-updates</term>
+ <listitem><para>Do not perform DNS updates as part of
+ "net ads join".
+ </para></listitem>
+ </varlistentry>
+
+ &stdarg.encrypt;
+ &popt.common.samba.client;
+
</variablelist>
</refsect1>
<title>TIME</title>
<para>Without any options, the <command>NET TIME</command> command
-displays the time on the remote server.
+displays the time on the remote server. The remote server must be
+specified with the -S option.
</para>
</refsect3>
<refsect3>
<title>TIME SYSTEM</title>
-<para>Displays the time on the remote server in a format ready for <command>/bin/date</command>.</para>
+<para>Displays the time on the remote server in a format ready for <command>/bin/date</command>.
+The remote server must be specified with the -S option.
+</para>
</refsect3>
<refsect3>
<title>TIME SET</title>
<para>Tries to set the date and time of the local server to that on
-the remote server using <command>/bin/date</command>. </para>
+the remote server using <command>/bin/date</command>.
+The remote server must be specified with the -S option.
+</para>
</refsect3>
<refsect3>
<title>TIME ZONE</title>
-<para>Displays the timezone in hours from GMT on the remote computer.</para>
+<para>Displays the timezone in hours from GMT on the remote server.
+The remote server must be specified with the -S option.
+</para>
</refsect3>
</refsect2>
<refsect2>
-<title>[RPC|ADS] JOIN [TYPE] [-U username[%password]] [createupn=UPN]
-[createcomputer=OU] [machinepass=PASS] [options]</title>
+<title>[RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]]
+[createupn=UPN] [createcomputer=OU] [machinepass=PASS]
+[osName=string osVer=string] [options]</title>
<para>
Join a domain. If the account already exists on the server, and
[PASS] (ADS only) Set a specific password on the computer account
being created by the join.
</para>
+<para>
+[osName=string osVer=String] (ADS only) Set the operatingSystem and
+operatingSystemVersion attribute during the join. Both parameters
+must be specified for either to take effect.
+</para>
</refsect2>
<refsect2>
<refsect3>
<title>RPC TRUST DELETE</title>
-<para>Delete a trust trust object by calling lsaDeleteTrustedDomain.
+<para>Delete a trust object by calling lsaDeleteTrustedDomain.
The can be done on a single server or on two servers at once.</para>
<variablelist><title>Options:</title>
<para>Export users, aliases and groups from remote server to
local server. You need to run this against the PDC, from a Samba machine joined as a BDC.
+This vampire command cannot be used against an Active Directory, only
+against an NT4 Domain Controller.
</para>
</refsect2>
<refsect2>
<title>RPC GETSID</title>
-<para>Fetch domain SID and store it in the local <filename>secrets.tdb</filename> (or <filename>secrets.ntdb</filename>). </para>
+<para>Fetch domain SID and store it in the local <filename>secrets.tdb</filename>. </para>
</refsect2>
</refsect2>
+<refsect2>
+<title>ADS KEYTAB <replaceable>CREATE</replaceable></title>
+
+<para>
+Creates a new keytab file if one doesn't exist with default entries. Default
+entries are kerberos principals created from the machinename of the
+client, the UPN (if it exists) and any Windows SPN(s) associated with the
+computer AD account for the client. If a keytab file already exists then only
+missing kerberos principals from the default entries are added. No changes
+are made to the computer AD account.
+</para>
+</refsect2>
+
+<refsect2>
+<title>ADS KEYTAB <replaceable>ADD</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title>
+
+<para>
+Adds a new keytab entry, the entry can be either;
+ <variablelist>
+ <varlistentry><term>kerberos principal</term>
+ <listitem><para>
+ A kerberos principal (identified by the presence of '@') is just
+ added to the keytab file.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry><term>machinename</term>
+ <listitem><para>
+ A machinename (identified by the trailing '$') is used to create a
+ a kerberos principal 'machinename@realm' which is added to the
+ keytab file.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry><term>serviceclass</term>
+ <listitem><para>
+ A serviceclass (such as 'cifs', 'html' etc.) is used to create a pair
+ of kerberos principals 'serviceclass/fully_qualified_dns_name@realm' &
+ 'serviceclass/netbios_name@realm' which are added to the keytab file.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry><term>Windows SPN</term>
+ <listitem><para>
+ A Windows SPN is of the format 'serviceclass/host:port', it is used to
+ create a kerberos principal 'serviceclass/host@realm' which will
+ be written to the keytab file.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</para>
+<para>
+Unlike old versions no computer AD objects are modified by this command. To
+preserve the bevhaviour of older clients 'net ads keytab ad_update_ads' is
+available.
+</para>
+</refsect2>
+
+<refsect2>
+<title>ADS KEYTAB <replaceable>ADD_UPDATE_ADS</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title>
+
+<para>
+Adds a new keytab entry (see section for net ads keytab add). In addition to
+adding entries to the keytab file corrosponding Windows SPNs are created
+from the entry passed to this command. These SPN(s) added to the AD computer
+account object associated with the client machine running this command for
+the following entry types;
+ <variablelist>
+ <varlistentry><term>serviceclass</term>
+ <listitem><para>
+ A serviceclass (such as 'cifs', 'html' etc.) is used to create a
+ pair of Windows SPN(s) 'param/full_qualified_dns' &
+ 'param/netbios_name' which are added to the AD computer account object
+ for this client.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry><term>Windows SPN</term>
+ <listitem><para>
+ A Windows SPN is of the format 'serviceclass/host:port', it is
+ added as passed to the AD computer account object for this client.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</para>
+</refsect2>
+
<refsect2>
<title>ADS WORKGROUP</title>
</refsect2>
+<refsect2>
+ <title>ADS ENCTYPES</title>
+
+<para>
+ List, modify or delete the value of the "msDS-SupportedEncryptionTypes" attribute of an account in AD.
+</para>
+
+<para>
+ This attribute allows one to control which Kerberos encryption types are used for the generation of initial and service tickets. The value consists of an integer bitmask with the following values:
+</para>
+
+<para>0x00000001 DES-CBC-CRC</para>
+<para>0x00000002 DES-CBC-MD5</para>
+<para>0x00000004 RC4-HMAC</para>
+<para>0x00000008 AES128-CTS-HMAC-SHA1-96</para>
+<para>0x00000010 AES256-CTS-HMAC-SHA1-96</para>
+
+</refsect2>
+
+<refsect2>
+ <title>ADS ENCTYPES LIST <replaceable><ACCOUNTNAME></replaceable></title>
+
+<para>
+ List the value of the "msDS-SupportedEncryptionTypes" attribute of a given account.
+</para>
+
+<para>Example: <userinput>net ads enctypes list Computername</userinput></para>
+
+</refsect2>
+
+<refsect2>
+ <title>ADS ENCTYPES SET <replaceable><ACCOUNTNAME></replaceable> <replaceable>[enctypes]</replaceable></title>
+
+<para>
+ Set the value of the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME to a given value. If the value is omitted, the value is set to 31 which enables all the currently supported encryption types.
+</para>
+
+<para>Example: <userinput>net ads enctypes set Computername 24</userinput></para>
+
+</refsect2>
+
+<refsect2>
+ <title>ADS ENCTYPES DELETE <replaceable><ACCOUNTNAME></replaceable></title>
+
+<para>
+ Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME.
+</para>
+
+<para>Example: <userinput>net ads enctypes set Computername 24</userinput></para>
+
+</refsect2>
+
+
<refsect2>
<title>SAM CREATEBUILTINGROUP <NAME></title>
</refsect2>
<refsect2>
-<title>IDMAP SECRET <DOMAIN> <secret></title>
+<title>IDMAP SET SECRET <DOMAIN> <secret></title>
<para>
Store a secret for the specified domain, used primarily for domains
</refsect2>
<refsect2>
+<title>IDMAP SET RANGE <RANGE> <SID> [index] [--db=<DB>]</title>
-<title>IDMAP DELETE [-f] [--db=<DB>] <ID></title>
+<para>
+Store a domain-range mapping for a given domain (and index) in autorid database.
+</para>
+
+</refsect2>
+
+<refsect2>
+<title>IDMAP SET CONFIG <config> [--db=<DB>]</title>
+
+<para>
+Update CONFIG entry in autorid database.
+</para>
+
+</refsect2>
+
+<refsect2>
+<title>IDMAP GET RANGE <SID> [index] [--db=<DB>]</title>
+
+<para>
+Get the range for a given domain and index from autorid database.
+</para>
+
+</refsect2>
+
+<refsect2>
+<title>IDMAP GET RANGES [<SID>] [--db=<DB>]</title>
+
+<para>
+Get ranges for all domains or for one identified by given SID.
+</para>
+
+</refsect2>
+
+<refsect2>
+<title>IDMAP GET CONFIG [--db=<DB>]</title>
+
+<para>
+Get CONFIG entry from autorid database.
+</para>
+
+</refsect2>
+
+<refsect2>
+
+<title>IDMAP DELETE MAPPING [-f] [--db=<DB>] <ID></title>
<para>
Delete a mapping sid <-> gid or sid <-> uid from the IDMAP database.
</para>
</refsect2>
+<refsect2>
+<title>IDMAP DELETE RANGE [-f] [--db=<TDB>] <RANGE>|(<SID> [<INDEX>])</title>
+
+<para>
+Delete a domain range mapping identified by 'RANGE' or "domain SID and INDEX" from autorid database.
+Use -f to delete invalid mappings.
+</para>
+
+</refsect2>
+
+<refsect2>
+<title>IDMAP DELETE RANGES [-f] [--db=<TDB>] <SID></title>
+
+<para>
+Delete all domain range mappings for a domain identified by SID.
+Use -f to delete invalid mappings.
+</para>
+
+</refsect2>
+
<refsect2>
<title>IDMAP CHECK [-v] [-r] [-a] [-T] [-f] [-l] [--db=<DB>]</title>
<para>Starting with version 3.2.0, a Samba server can be configured by data
stored in registry. This configuration data can be edited with the new "net
-conf" commands. There is also the possiblity to configure a remote Samba server
-by enabling the RPC conf mode and specifying the the address of the remote server.
+conf" commands. There is also the possibility to configure a remote Samba server
+by enabling the RPC conf mode and specifying the address of the remote server.
</para>
<para>
</member>
<member>net registry convert - Convert a registration entries (.reg) file.
</member>
-<member>net registry check - Check and reapair a registry database.
+<member>net registry check - Check and repair a registry database.
</member>
</simplelist>
</para>
</refsect2>
+<refsect2>
+ <title>TDB</title>
+
+ <para>Print information from tdb records.</para>
+
+ <refsect3>
+ <title>TDB LOCKING <replaceable>key</replaceable> [DUMP]</title>
+
+ <para>List sharename, filename and number of share modes
+ for a record from locking.tdb. With the optional DUMP options,
+ dump the complete record.</para>
+
+ <itemizedlist>
+ <listitem>
+ <para><replaceable>KEY</replaceable>
+ Key of the tdb record as hex string.</para>
+ </listitem>
+ </itemizedlist>
+
+ </refsect3>
+</refsect2>
+
<refsect2>
<title>HELP [COMMAND]</title>
git.samba.org / samba.git / blobdiff