1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3 <refentry id="samba-tool.8">
6 <refentrytitle>samba-tool</refentrytitle>
7 <manvolnum>8</manvolnum>
8 <refmiscinfo class="source">Samba</refmiscinfo>
9 <refmiscinfo class="manual">System Administration tools</refmiscinfo>
10 <refmiscinfo class="version">&doc.version;</refmiscinfo>
15 <refname>samba-tool</refname>
16 <refpurpose>Main Samba administration tool.
22 <command>samba-tool</command>
23 <arg choice="opt">-h</arg>
24 <arg choice="opt">-W myworkgroup</arg>
25 <arg choice="opt">-U user</arg>
26 <arg choice="opt">-d debuglevel</arg>
27 <arg choice="opt">--v</arg>
32 <title>DESCRIPTION</title>
33 <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
34 <manvolnum>7</manvolnum></citerefentry> suite.</para>
38 <title>OPTIONS</title>
43 <term>-h|--help</term>
45 Show this help message and exit
50 <term>--realm=REALM</term>
57 <term>--simple-bind-dn=DN</term>
59 DN to use for a simple bind
64 <term>--password=PASSWORD</term>
71 <term>-U USERNAME|--username=USERNAME</term>
78 <term>-W WORKGROUP|--workgroup=WORKGROUP</term>
85 <term>-N|--no-pass</term>
87 Don't ask for a password
92 <term>-k KERBEROS|--kerberos=KERBEROS</term>
99 <term>--ipaddress=IPADDRESS</term>
101 IP address of the server
105 &popt.common.samba.client;
111 <title>COMMANDS</title>
114 <title>computer</title>
115 <para>Manage computer accounts.</para>
119 <title>computer add <replaceable>computername</replaceable> [options]</title>
120 <para>Add a new computer to the Active Directory Domain.</para>
121 <para>The new computer name specified on the command is the
122 sAMAccountName, with or without the trailing dollar sign.</para>
126 <term>--computerou=COMPUTEROU</term>
128 DN of alternative location (with or without domainDN counterpart) to
129 default CN=Computers in which new computer object will be created.
135 <term>--description=DESCRIPTION</term>
137 The new computers's description.
142 <term>--ip-address=IP_ADDRESS_LIST</term>
144 IPv4 address for the computer's A record, or IPv6 address for AAAA record,
145 can be provided multiple times.
150 <term>--service-principal-name=SERVICE_PRINCIPAL_NAME_LIST</term>
152 Computer's Service Principal Name, can be provided multiple times.
157 <term>--prepare-oldjoin</term>
159 Prepare enabled machine account for oldjoin mechanism.
166 <title>computer create <replaceable>computername</replaceable> [options]</title>
167 <para>Add a new computer. This is a synonym for the
168 <command>samba-tool computer add</command> command and is available
169 for compatibility reasons only. Please use
170 <command>samba-tool computer add</command> instead.</para>
174 <title>computer delete <replaceable>computername</replaceable> [options]</title>
175 <para>Delete an existing computer account.</para>
176 <para>The computer name specified on the command is the
177 sAMAccountName, with or without the trailing dollar sign.</para>
181 <title>computer edit <replaceable>computername</replaceable></title>
182 <para>Edit a computer AD object.</para>
183 <para>The computer name specified on the command is the
184 sAMAccountName, with or without the trailing dollar sign.</para>
188 <term>--editor=EDITOR</term>
190 Specifies the editor to use instead of the system default, or 'vi' if no
191 system default is set.
198 <title>computer list</title>
199 <para>List all computers.</para>
203 <title>computer move <replaceable>computername</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
204 <para>This command moves a computer account into the specified
205 organizational unit or container.</para>
206 <para>The computername specified on the command is the
207 sAMAccountName, with or without the trailing dollar sign.</para>
208 <para>The name of the organizational unit or container can be
209 specified as a full DN or without the domainDN component.</para>
213 <title>computer show <replaceable>computername</replaceable> [options]</title>
214 <para>Display a computer AD object.</para>
215 <para>The computer name specified on the command is the
216 sAMAccountName, with or without the trailing dollar sign.</para>
220 <term>--attributes=USER_ATTRS</term>
222 Comma separated list of attributes, which will be printed.
229 <title>contact</title>
230 <para>Manage contacts.</para>
234 <title>contact add [<replaceable>contactname</replaceable>] [options]</title>
235 <para>Add a new contact to the Active Directory Domain.</para>
236 <para>The name of the new contact can be specified by the first
237 argument 'contactname' or the --given-name, --initial and --surname
238 arguments. If no 'contactname' is given, contact's name will be made
239 up of the given arguments by combining the given-name, initials and
240 surname. Each argument is optional. A dot ('.') will be appended to
241 the initials automatically.</para>
247 DN of alternative location (with or without domainDN counterpart) in
248 which the new contact will be created.
250 Default is the domain base.
255 <term>--description=DESCRIPTION</term>
257 The new contacts's description.
262 <term>--surname=SURNAME</term>
269 <term>--given-name=GIVEN_NAME</term>
271 Contact's given name.
276 <term>--initials=INITIALS</term>
283 <term>--display-name=DISPLAY_NAME</term>
285 Contact's display name.
290 <term>--job-title=JOB_TITLE</term>
297 <term>--department=DEPARTMENT</term>
299 Contact's department.
304 <term>--company=COMPANY</term>
311 <term>--mail-address=MAIL_ADDRESS</term>
313 Contact's email address.
318 <term>--internet-address=INTERNET_ADDRESS</term>
325 <term>--telephone-number=TELEPHONE_NUMBER</term>
327 Contact's phone number.
332 <term>--mobile-number=MOBILE_NUMBER</term>
334 Contact's mobile phone number.
339 <term>--physical-delivery-office=PHYSICAL_DELIVERY_OFFICE</term>
341 Contact's office location.
349 <title>contact create [<replaceable>contactname</replaceable>] [options]</title>
350 <para>Add a new contact. This is a synonym for the
351 <command>samba-tool contact add</command> command and is available
352 for compatibility reasons only. Please use
353 <command>samba-tool contact add</command> instead.</para>
357 <title>contact delete <replaceable>contactname</replaceable> [options]</title>
358 <para>Delete an existing contact.</para>
359 <para>The contactname specified on the command is the common name or the
360 distinguished name of the contact object. The distinguished name of the
361 contact can be specified with or without the domainDN component.</para>
365 <title>contact edit <replaceable>contactname</replaceable></title>
366 <para>Modify a contact AD object.</para>
367 <para>The contactname specified on the command is the common name or the
368 distinguished name of the contact object. The distinguished name of the
369 contact can be specified with or without the domainDN component.</para>
373 <term>--editor=EDITOR</term>
375 Specifies the editor to use instead of the system default, or 'vi' if no
376 system default is set.
383 <title>contact list [options]</title>
384 <para>List all contacts.</para>
388 <term>--full-dn</term>
390 Display contact's full DN instead of the name.
397 <title>contact move <replaceable>contactname</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
398 <para>This command moves a contact into the specified organizational
399 unit or container.</para>
400 <para>The contactname specified on the command is the common name or the
401 distinguished name of the contact object. The distinguished name of the
402 contact can be specified with or without the domainDN component.</para>
406 <title>contact show <replaceable>contactname</replaceable> [options]</title>
407 <para>Display a contact AD object.</para>
408 <para>The contactname specified on the command is the common name or the
409 distinguished name of the contact object. The distinguished name of the
410 contact can be specified with or without the domainDN component.</para>
414 <term>--attributes=CONTACT_ATTRS</term>
416 Comma separated list of attributes, which will be printed.
423 <title>contact rename <replaceable>contactname</replaceable> [options]</title>
424 <para>Rename a contact and related attributes.</para>
425 <para>This command allows to set the contact's name related attributes. The contact's
426 CN will be renamed automatically.
427 The contact's new CN will be made up by combining the given-name, initials
428 and surname. A dot ('.') will be appended to the initials automatically,
430 Use the --force-new-cn option to specify the new CN manually and --reset-cn
431 to reset this change.</para>
432 <para>Use an empty attribute value to remove the specified attribute.</para>
433 <para>The contact name specified on the command is the CN.</para>
437 <term>--surname=SURNAME</term>
444 <term>--given-name=GIVEN_NAME</term>
451 <term>--initials=INITIALS</term>
458 <term>--force-new-cn=NEW_CN</term>
460 Specify a new CN (RDN) instead of using a combination
461 of the given name, initials and surname.
466 <term>--reset-cn</term>
468 Set the CN to the default combination of given name,
469 initials and surname.
474 <term>--display-name=DISPLAY_NAME</term>
481 <term>--mail-address=MAIL_ADDRESS</term>
490 <title>dbcheck</title>
491 <para>Check the local AD database for errors.</para>
495 <title>delegation</title>
496 <para>Manage Delegations.</para>
500 <title>delegation add-service <replaceable>accountname</replaceable> <replaceable>principal</replaceable> [options]</title>
501 <para>Add a service principal as msDS-AllowedToDelegateTo.</para>
505 <title>delegation del-service <replaceable>accountname</replaceable> <replaceable>principal</replaceable> [options]</title>
506 <para>Delete a service principal as msDS-AllowedToDelegateTo.</para>
510 <title>delegation for-any-protocol <replaceable>accountname</replaceable> [(on|off)] [options]</title>
511 <para>Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy)
512 for an account.</para>
516 <title>delegation for-any-service <replaceable>accountname</replaceable> [(on|off)] [options]</title>
517 <para>Set/unset UF_TRUSTED_FOR_DELEGATION for an account.</para>
521 <title>delegation show <replaceable>accountname</replaceable> [options] </title>
522 <para>Show the delegation setting of an account.</para>
527 <para>Manage Domain Name Service (DNS).</para>
531 <title>dns add <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>data</replaceable></title>
532 <para>Add a DNS record.</para>
536 <title>dns delete <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>data</replaceable></title>
537 <para>Delete a DNS record.</para>
541 <title>dns query <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT|ALL</replaceable> [options] <replaceable>data</replaceable></title>
542 <para>Query a name.</para>
546 <title>dns roothints <replaceable>server</replaceable> [<replaceable>name</replaceable>] [options]</title>
547 <para>Query root hints.</para>
551 <title>dns serverinfo <replaceable>server</replaceable> [options]</title>
552 <para>Query server information.</para>
556 <title>dns update <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>olddata</replaceable> <replaceable>newdata</replaceable></title>
557 <para>Update a DNS record.</para>
561 <title>dns zonecreate <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
562 <para>Create a zone.</para>
566 <title>dns zonedelete <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
567 <para>Delete a zone.</para>
571 <title>dns zoneinfo <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
572 <para>Query zone information.</para>
576 <title>dns zonelist <replaceable>server</replaceable> [options]</title>
577 <para>List zones.</para>
581 <title>domain</title>
582 <para>Manage Domain.</para>
586 <title>domain backup</title>
587 <para>Create or restore a backup of the domain.</para>
591 <title>domain backup offline</title>
592 <para>Backup (with proper locking) local domain directories into a tar file.</para>
596 <title>domain backup online</title>
597 <para>Copy a running DC's current DB into a backup tar file.</para>
601 <title>domain backup rename</title>
602 <para>Copy a running DC's DB to backup file, renaming the domain in the process.</para>
606 <title>domain backup restore</title>
607 <para>Restore the domain's DB from a backup-file.</para>
611 <title>domain classicupgrade [options] <replaceable>classic_smb_conf</replaceable></title>
612 <para>Upgrade from Samba classic (NT4-like) database to Samba AD DC
617 <title>domain dcpromo <replaceable>dnsdomain</replaceable> [DC|RODC] [options]</title>
618 <para>Promote an existing domain member or NT4 PDC to an AD DC.</para>
622 <title>domain demote</title>
623 <para>Demote ourselves from the role of domain controller.</para>
627 <title>domain exportkeytab <replaceable>keytab</replaceable> [options]</title>
628 <para>Dumps Kerberos keys of the domain into a keytab.</para>
632 <title>domain info <replaceable>ip_address</replaceable> [options]</title>
633 <para>Print basic info about a domain and the specified DC.
638 <title>domain join <replaceable>dnsdomain</replaceable> [DC|RODC|MEMBER|SUBDOMAIN] [options]</title>
639 <para>Join a domain as either member or backup domain controller.</para>
643 <title>domain level <replaceable>show|raise</replaceable> <replaceable>options</replaceable> [options]</title>
644 <para>Show/raise domain and forest function levels.</para>
648 <title>domain passwordsettings <replaceable>show|set</replaceable> <replaceable>options</replaceable> [options]</title>
649 <para>Show/set password settings.</para>
653 <title>domain passwordsettings pso</title>
654 <para>Manage fine-grained Password Settings Objects (PSOs).</para>
658 <title>domain passwordsettings pso apply <replaceable>pso-name</replaceable> <replaceable>user-or-group-name</replaceable> [options]</title>
659 <para>Applies a PSO's password policy to a user or group.</para>
663 <title>domain passwordsettings pso create <replaceable>pso-name</replaceable> <replaceable>precedence</replaceable> [options]</title>
664 <para>Creates a new Password Settings Object (PSO).</para>
668 <title>domain passwordsettings pso delete <replaceable>pso-name</replaceable> [options]</title>
669 <para>Deletes a Password Settings Object (PSO).</para>
673 <title>domain passwordsettings pso list [options]</title>
674 <para>Lists all Password Settings Objects (PSOs).</para>
678 <title>domain passwordsettings pso set <replaceable>pso-name</replaceable> [options]</title>
679 <para>Modifies a Password Settings Object (PSO).</para>
683 <title>domain passwordsettings pso show <replaceable>user-name</replaceable> [options]</title>
684 <para>Displays a Password Settings Object (PSO).</para>
688 <title>domain passwordsettings pso show-user <replaceable>pso-name</replaceable> [options]</title>
689 <para>Displays the Password Settings that apply to a user.</para>
693 <title>domain passwordsettings pso unapply <replaceable>pso-name</replaceable> <replaceable>user-or-group-name</replaceable> [options]</title>
694 <para>Updates a PSO to no longer apply to a user or group.</para>
698 <title>domain provision</title>
699 <para>Promote an existing domain member or NT4 PDC to an AD DC.</para>
703 <title>domain trust</title>
704 <para>Domain and forest trust management.</para>
708 <title>domain trust create <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
709 <para>Create a domain or forest trust.</para>
713 <title>domain trust delete <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
714 <para>Delete a domain trust.</para>
718 <title>domain trust list <replaceable>options</replaceable> [options]</title>
719 <para>List domain trusts.</para>
723 <title>domain trust namespaces [<replaceable>DOMAIN</replaceable>] <replaceable>options</replaceable> [options]</title>
724 <para>Manage forest trust namespaces.</para>
728 <title>domain trust show <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
729 <para>Show trusted domain details.</para>
733 <title>domain trust validate <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
734 <para>Validate a domain trust.</para>
739 <para>Manage Directory Replication Services (DRS).</para>
743 <title>drs bind</title>
744 <para>Show DRS capabilities of a server.</para>
748 <title>drs kcc</title>
749 <para>Trigger knowledge consistency center run.</para>
753 <title>drs options</title>
754 <para>Query or change <replaceable>options</replaceable> for NTDS Settings
755 object of a domain controller.</para>
759 <title>drs replicate <replaceable>destination_DC</replaceable> <replaceable>source_DC</replaceable> <replaceable>NC</replaceable> [options]</title>
760 <para>Replicate a naming context between two DCs.</para>
764 <title>drs showrepl</title>
765 <para>Show replication status. The <arg
766 choice="opt">--json</arg> option results in JSON output, and
767 with the <arg choice="opt">--summary</arg> option produces
768 very little output when the replication status seems healthy.
774 <para>Administer DS ACLs</para>
778 <title>dsacl set</title>
779 <para>Modify access list on a directory object.</para>
783 <title>forest</title>
784 <para>Manage Forest configuration.</para>
788 <title>forest directory_service</title>
789 <para>Manage directory_service behaviour for the forest.</para>
793 <title>forest directory_service dsheuristics <replaceable>VALUE</replaceable></title>
794 <para>Modify dsheuristics directory_service configuration for the forest.</para>
798 <title>forest directory_service show</title>
799 <para>Show current directory_service configuration for the forest.</para>
804 <para>Manage Flexible Single Master Operations (FSMO).</para>
808 <title>fsmo seize [options]</title>
809 <para>Seize the role.</para>
813 <title>fsmo show</title>
814 <para>Show the roles.</para>
818 <title>fsmo transfer [options]</title>
819 <para>Transfer the role.</para>
824 <para>Manage Group Policy Objects (GPO).</para>
828 <title>gpo create <replaceable>displayname</replaceable> [options]</title>
829 <para>Create an empty GPO.</para>
833 <title>gpo del <replaceable>gpo</replaceable> [options]</title>
834 <para>Delete GPO.</para>
838 <title>gpo dellink <replaceable>container_dn</replaceable> <replaceable>gpo</replaceable> [options]</title>
839 <para>Delete GPO link from a container.</para>
843 <title>gpo fetch <replaceable>gpo</replaceable> [options]</title>
844 <para>Download a GPO.</para>
848 <title>gpo getinheritance <replaceable>container_dn</replaceable> [options]</title>
849 <para>Get inheritance flag for a container.</para>
853 <title>gpo getlink <replaceable>container_dn</replaceable> [options]</title>
854 <para>List GPO Links for a container.</para>
858 <title>gpo list <replaceable>username</replaceable> [options]</title>
859 <para>List GPOs for an account.</para>
863 <title>gpo listall</title>
864 <para>List all GPOs.</para>
868 <title>gpo listcontainers <replaceable>gpo</replaceable> [options]</title>
869 <para>List all linked containers for a GPO.</para>
873 <title>gpo setinheritance <replaceable>container_dn</replaceable> <replaceable>block|inherit</replaceable> [options]</title>
874 <para>Set inheritance flag on a container.</para>
878 <title>gpo setlink <replaceable>container_dn</replaceable> <replaceable>gpo</replaceable> [options]</title>
879 <para>Add or Update a GPO link to a container.</para>
883 <title>gpo show <replaceable>gpo</replaceable> [options]</title>
884 <para>Show information for a GPO.</para>
889 <para>Manage groups.</para>
893 <title>group add <replaceable>groupname</replaceable> [options]</title>
894 <para>Create a new AD group.</para>
898 <title>group create <replaceable>groupname</replaceable> [options]</title>
899 <para>Add a new AD group. This is a synonym for the
900 <command>samba-tool group add</command> command and is available
901 for compatibility reasons only. Please use
902 <command>samba-tool group add</command> instead.</para>
906 <title>group addmembers <replaceable>groupname</replaceable> <replaceable>members</replaceable> [options]</title>
907 <para>Add members to an AD group.</para>
911 <title>group delete <replaceable>groupname</replaceable> [options]</title>
912 <para>Delete an AD group.</para>
916 <title>group edit <replaceable>groupname</replaceable></title>
917 <para>Edit a group AD object.</para>
921 <term>--editor=EDITOR</term>
923 Specifies the editor to use instead of the system default, or 'vi' if no
924 system default is set.
931 <title>group list</title>
932 <para>List all groups.</para>
936 <title>group listmembers <replaceable>groupname</replaceable> [options]</title>
937 <para>List all members of the specified AD group.</para>
941 <title>group move <replaceable>groupname</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
942 <para>This command moves a group into the specified organizational unit
944 <para>The groupname specified on the command is the sAMAccountName.
946 <para>The name of the organizational unit or container can be
947 specified as a full DN or without the domainDN component.</para>
952 <title>group removemembers <replaceable>groupname</replaceable> <replaceable>members</replaceable> [options]</title>
953 <para>Remove members from the specified AD group.</para>
957 <title>group show <replaceable>groupname</replaceable> [options]</title>
958 <para>Show group object and it's attributes.</para>
962 <title>group stats [options]</title>
963 <para>Show statistics for overall groups and group memberships.</para>
967 <title>group rename <replaceable>groupname</replaceable> [options]</title>
968 <para>Rename a group and related attributes.</para>
969 <para>This command allows to set the group's name related attributes. The
970 group's CN will be renamed automatically.
971 The group's CN will be the sAMAccountName.
972 Use the --force-new-cn option to specify the new CN manually and the
973 --reset-cn to reset this change.</para>
974 <para>Use an empty attribute value to remove the specified attribute.</para>
975 <para>The groupname specified on the command is the sAMAccountName.</para>
979 <term>--force-new-cn=NEW_CN</term>
981 Specify a new CN (RDN) instead of using the sAMAccountName.
986 <term>--reset-cn</term>
988 Set the CN to the sAMAccountName.
993 <term>--mail-address=MAIL_ADDRESS</term>
1000 <term>--samaccountname=SAMACCOUNTNAME</term>
1002 New account name (sAMAccountName/logon name)
1009 <title>ldapcmp <replaceable>URL1</replaceable> <replaceable>URL2</replaceable> <replaceable>domain|configuration|schema|dnsdomain|dnsforest</replaceable> [options] </title>
1010 <para>Compare two LDAP databases.</para>
1014 <title>ntacl</title>
1015 <para>Manage NT ACLs.</para>
1019 <title>ntacl changedomsid <replaceable>original-domain-SID</replaceable> <replaceable>new-domain-SID</replaceable> <replaceable>file</replaceable> [options]</title>
1020 <para>Change the domain SID for ACLs.
1021 Can be used to change all entries in acl_xattr when the machine's SID
1022 has accidentally changed or the data set has been copied
1023 to another machine either via backup/restore or rsync.</para>
1027 <term>--use-ntvfs</term>
1029 Set the ACLs directly to the TDB or xattr. The POSIX permissions will
1030 NOT be changed, only the NT ACL will be stored.
1035 <term>--service=SERVICE</term>
1037 Specify the name of the smb.conf service to use. This option is
1038 required in combination with the --use-s3fs option.
1043 <term>--use-s3fs</term>
1045 Set the ACLs for use with the default s3fs file server via the VFS
1046 layer. This option requires a smb.conf service, specified by the
1047 --service=SERVICE option.
1052 <term>--xattr-backend=[native|tdb]</term>
1054 Specify the xattr backend type (native fs or tdb).
1059 <term>--eadb-file=EADB_FILE</term>
1061 Name of the tdb file where attributes are stored.
1066 <term>--recursive</term>
1068 Set the ACLs for directories and their contents recursively.
1073 <term>--follow-symlinks</term>
1075 Follow symlinks when --recursive is specified.
1080 <term>--verbose</term>
1082 Verbosely list files and ACLs which are being processed.
1090 <title>ntacl get <replaceable>file</replaceable> [options]</title>
1091 <para>Get ACLs on a file.</para>
1095 <title>ntacl set <replaceable>acl</replaceable> <replaceable>file</replaceable> [options]</title>
1096 <para>Set ACLs on a file.</para>
1100 <title>ntacl sysvolcheck</title>
1101 <para>Check sysvol ACLs match defaults (including correct ACLs on GPOs).</para>
1105 <title>ntacl sysvolreset</title>
1106 <para>Reset sysvol ACLs to defaults (including correct ACLs on GPOs).</para>
1111 <para>Manage organizational units (OUs).</para>
1115 <title>ou add <replaceable>ou_dn</replaceable> [options]</title>
1116 <para>Add a new organizational unit.</para>
1117 <para>The name of the organizational unit can be specified as a full DN
1118 or without the domainDN component.</para>
1122 <term>--description=DESCRIPTION</term>
1124 Specify OU's description.
1131 <title>ou create <replaceable>ou_dn</replaceable> [options]</title>
1132 <para>Add a new organizational unit. This is a synonym for the
1133 <command>samba-tool ou add</command> command and is available
1134 for compatibility reasons only. Please use
1135 <command>samba-tool ou add</command> instead.</para>
1139 <title>ou delete <replaceable>ou_dn</replaceable> [options]</title>
1140 <para>Delete an organizational unit.</para>
1141 <para>The name of the organizational unit can be specified as a full DN
1142 or without the domainDN component.</para>
1146 <term>--force-subtree-delete</term>
1148 Delete organizational unit and all children reclusively.
1155 <title>ou list [options]</title>
1156 <para>List all organizational units.</para>
1159 <term>--full-dn</term>
1161 Display DNs including the base DN.
1168 <title>ou listobjects <replaceable>ou_dn</replaceable> [options]</title>
1169 <para>List all objects in an organizational unit.</para>
1170 <para>The name of the organizational unit can be specified as a full DN
1171 or without the domainDN component.</para>
1175 <term>--full-dn</term>
1177 Display DNs including the base DN.
1182 <term>-r|--recursive</term>
1184 List objects recursively.
1191 <title>ou move <replaceable>old_ou_dn</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
1192 <para>Move an organizational unit.</para>
1193 <para>The name of the organizational units can be specified as a full DN
1194 or without the domainDN component.</para>
1198 <title>ou rename <replaceable>old_ou_dn</replaceable> <replaceable>new_ou_dn</replaceable> [options]</title>
1199 <para>Rename an organizational unit.</para>
1200 <para>The name of the organizational units can be specified as a full DN
1201 or without the domainDN component.</para>
1206 <para>Manage Read-Only Domain Controller (RODC).</para>
1210 <title>rodc preload <replaceable>SID</replaceable>|<replaceable>DN</replaceable>|<replaceable>accountname</replaceable> [options]</title>
1211 <para>Preload one account for an RODC.</para>
1215 <title>schema</title>
1216 <para>Manage and query schema.</para>
1220 <title>schema attribute modify <replaceable>attribute</replaceable> [options]</title>
1221 <para>Modify the behaviour of an attribute in schema.</para>
1225 <title>schema attribute show <replaceable>attribute</replaceable> [options]</title>
1226 <para>Display an attribute schema definition.</para>
1230 <title>schema attribute show_oc <replaceable>attribute</replaceable> [options]</title>
1231 <para>Show objectclasses that MAY or MUST contain this attribute.</para>
1235 <title>schema objectclass show <replaceable>objectclass</replaceable> [options]</title>
1236 <para>Display an objectclass schema definition.</para>
1240 <title>sites</title>
1241 <para>Manage sites.</para>
1245 <title>sites create <replaceable>site</replaceable> [options]</title>
1246 <para>Create a new site.</para>
1250 <title>sites remove <replaceable>site</replaceable> [options]</title>
1251 <para>Delete an existing site.</para>
1256 <para>Manage Service Principal Names (SPN).</para>
1260 <title>spn add <replaceable>name</replaceable> <replaceable>user</replaceable> [options]</title>
1261 <para>Create a new SPN.</para>
1265 <title>spn delete <replaceable>name</replaceable> [<replaceable>user</replaceable>] [options]</title>
1266 <para>Delete an existing SPN.</para>
1270 <title>spn list <replaceable>user</replaceable> [options]</title>
1271 <para>List SPNs of a given user.</para>
1275 <title>testparm</title>
1276 <para>Check the syntax of the configuration file.</para>
1281 <para>Retrieve the time on a server.</para>
1286 <para>Manage users.</para>
1290 <title>user add <replaceable>username</replaceable> [<replaceable>password</replaceable>]</title>
1291 <para>Add a new user to the Active Directory Domain.</para>
1295 <title>user create <replaceable>username</replaceable> [<replaceable>password</replaceable>]</title>
1296 <para>Add a new user. This is a synonym for the
1297 <command>samba-tool user add</command> command and is available
1298 for compatibility reasons only. Please use
1299 <command>samba-tool user add</command> instead.</para>
1303 <title>user delete <replaceable>username</replaceable> [options]</title>
1304 <para>Delete an existing user account.</para>
1308 <title>user disable <replaceable>username</replaceable></title>
1309 <para>Disable a user account.</para>
1313 <title>user edit <replaceable>username</replaceable></title>
1314 <para>Edit a user account AD object.</para>
1318 <term>--editor=EDITOR</term>
1320 Specifies the editor to use instead of the system default, or 'vi' if no
1321 system default is set.
1328 <title>user enable <replaceable>username</replaceable></title>
1329 <para>Enable a user account.</para>
1333 <title>user list</title>
1334 <para>List all users.</para>
1338 <title>user setprimarygroup <replaceable>username</replaceable> <replaceable>primarygroupname</replaceable></title>
1339 <para>Set the primary group a user account.</para>
1343 <title>user getgroups <replaceable>username</replaceable></title>
1344 <para>Get the direct group memberships of a user account.</para>
1348 <title>user show <replaceable>username</replaceable> [options]</title>
1349 <para>Display a user AD object.</para>
1353 <term>--attributes=USER_ATTRS</term>
1355 Comma separated list of attributes, which will be printed.
1362 <title>user move <replaceable>username</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
1363 <para>This command moves a user account into the specified
1364 organizational unit or container.</para>
1365 <para>The username specified on the command is the
1366 sAMAccountName.</para>
1367 <para>The name of the organizational unit or container can be
1368 specified as a full DN or without the domainDN component.</para>
1372 <title>user password [options]</title>
1373 <para>Change password for a user account (the one provided in
1374 authentication).</para>
1378 <title>user rename <replaceable>username</replaceable> [options]</title>
1379 <para>Rename a user and related attributes.</para>
1380 <para>This command allows to set the user's name related attributes. The user's
1381 CN will be renamed automatically.
1382 The user's new CN will be made up by combining the given-name, initials
1383 and surname. A dot ('.') will be appended to the initials automatically,
1385 Use the --force-new-cn option to specify the new CN manually and --reset-cn
1386 to reset this change.</para>
1387 <para>Use an empty attribute value to remove the specified attribute.</para>
1388 <para>The username specified on the command is the sAMAccountName.</para>
1392 <term>--surname=SURNAME</term>
1399 <term>--given-name=GIVEN_NAME</term>
1406 <term>--initials=INITIALS</term>
1413 <term>--force-new-cn=NEW_CN</term>
1415 Specify a new CN (RDN) instead of using a combination
1416 of the given name, initials and surname.
1421 <term>--reset-cn</term>
1423 Set the CN to the default combination of given name,
1424 initials and surname.
1429 <term>--display-name=DISPLAY_NAME</term>
1436 <term>--mail-address=MAIL_ADDRESS</term>
1443 <term>--samaccountname=SAMACCOUNTNAME</term>
1445 New account name (sAMAccountName/logon name)
1450 <term>--upn=UPN</term>
1452 New user principal name
1459 <title>user setexpiry <replaceable>username</replaceable> [options]</title>
1460 <para>Set the expiration of a user account.</para>
1464 <title>user setpassword <replaceable>username</replaceable> [options]</title>
1465 <para>Sets or resets the password of a user account.</para>
1469 <title>user unlock <replaceable>username</replaceable> [options]</title>
1470 <para>This command unlocks a user account in the Active Directory
1475 <title>user getpassword <replaceable>username</replaceable> [options]</title>
1476 <para>Gets the password of a user account.</para>
1480 <title>user syncpasswords <replaceable>--cache-ldb-initialize</replaceable> [options]</title>
1481 <para>Syncs the passwords of all user accounts, using an optional script.</para>
1482 <para>Note that this command should run on a single domain controller only
1483 (typically the PDC-emulator).</para>
1487 <title>vampire [options] <replaceable>domain</replaceable></title>
1488 <para>Join and synchronise a remote AD domain to the local server.
1489 Please note that <command>samba-tool vampire</command> is deprecated,
1490 please use <command>samba-tool domain join</command> instead.</para>
1494 <title>visualize [options] <replaceable>subcommand</replaceable></title>
1495 <para>Produce graphical representations of Samba network state.
1496 To work out what is happening in a replication graph, it is sometimes
1497 helpful to use visualisations.</para>
1500 There are two subcommands, two graphical modes, and (roughly) two modes
1501 of operation with respect to the location of authority.</para>
1503 <refsect3><title>MODES OF OPERATION</title>
1505 <term>samba-tool visualize ntdsconn</term>
1506 <listitem><para>Looks at NTDS connections.
1511 <term>samba-tool visualize reps</term>
1512 <listitem><para>Looks at repsTo and repsFrom objects.
1517 <term>samba-tool visualize uptodateness</term>
1518 <listitem><para>Looks at replication lag as shown by the
1519 uptodateness vectors.
1524 <refsect3><title>GRAPHICAL MODES</title>
1526 <term>--distance</term>
1527 <listitem><para>Distances between DCs are shown in a matrix in
1534 <listitem><para>Generate Graphviz dot output (for
1535 ntdsconn and reps modes). When viewed using dot or
1536 xdot, this shows the network as a graph with DCs as
1537 vertices and connections edges. Certain types of
1538 degenerate edges are shown in different colours or
1539 line-styles. </para></listitem>
1543 <listitem><para>Generate Graphviz dot output as with
1544 <arg choice="opt">--dot</arg> and attempt to view it
1545 immediately using <command>/usr/bin/xdot</command>.
1552 <listitem><para>Normally,
1553 <command>samba-tool</command> talks to one database;
1554 with the <arg choice="opt">-r</arg> option attempts
1555 are made to contact all the DCs known to the first
1556 database. This is necessary for <command>samba-tool
1557 visualize uptodateness</command> and for
1558 <command>samba-tool visualize reps</command> because
1559 the repsFrom/To objects are not replicated, and it can
1560 reveal replication issues in other modes.
1567 <para>Gives usage information.</para>
1573 <title>VERSION</title>
1575 <para>This man page is complete for version &doc.version; of the Samba
1580 <title>AUTHOR</title>
1582 <para>The original Samba software and related utilities
1583 were created by Andrew Tridgell. Samba is now developed
1584 by the Samba Team as an Open Source project similar
1585 to the way the Linux kernel is developed.</para>
git.samba.org / bbaumbach / samba-autobuild / .git / blob