docs: Update doc to use absolute path for 'dedicated keytab file'
1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3 <refentry id="samba-tool.8">
4
5 <refmeta>
6         <refentrytitle>samba-tool</refentrytitle>
7         <manvolnum>8</manvolnum>
8         <refmiscinfo class="source">Samba</refmiscinfo>
9         <refmiscinfo class="manual">System Administration tools</refmiscinfo>
10         <refmiscinfo class="version">4.6</refmiscinfo>
11 </refmeta>
12
13
14 <refnamediv>
15         <refname>samba-tool</refname>
16         <refpurpose>Main Samba administration tool.
17         </refpurpose>
18 </refnamediv>
19
20 <refsynopsisdiv>
21         <cmdsynopsis>
22                 <command>samba-tool</command>
23                 <arg choice="opt">-h</arg>
24                 <arg choice="opt">-W myworkgroup</arg>
25                 <arg choice="opt">-U user</arg>
26                 <arg choice="opt">-d debuglevel</arg>
27                 <arg choice="opt">--v</arg>
28         </cmdsynopsis>
29 </refsynopsisdiv>
30
31 <refsect1>
32         <title>DESCRIPTION</title>
33         <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
34         <manvolnum>7</manvolnum></citerefentry> suite.</para>
35 </refsect1>
36
37 <refsect1>
38         <title>OPTIONS</title>
39
40         <variablelist>
41
42         <varlistentry>
43         <term>-h|--help</term>
44         <listitem><para>
45         Show this help message and exit
46         </para></listitem>
47         </varlistentry>
48
49         <varlistentry>
50         <term>--realm=REALM</term>
51         <listitem><para>
52         Set the realm name
53         </para></listitem>
54         </varlistentry>
55
56         <varlistentry>
57         <term>--simple-bind-dn=DN</term>
58         <listitem><para>
59         DN to use for a simple bind
60         </para></listitem>
61         </varlistentry>
62
63         <varlistentry>
64         <term>--password=PASSWORD</term>
65         <listitem><para>
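66         Password. A password given on the command line can be visible to other local users in the process list and may be kept in shell history; omit this option to be prompted instead.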
67         </para></listitem>
68         </varlistentry>
69
70         <varlistentry>
71         <term>-U USERNAME|--username=USERNAME</term>
72         <listitem><para>
73         Username
74         </para></listitem>
75         </varlistentry>
76
77         <varlistentry>
78         <term>-W WORKGROUP|--workgroup=WORKGROUP</term>
79         <listitem><para>
80         Workgroup
81         </para></listitem>
82         </varlistentry>
83
84         <varlistentry>
85         <term>-N|--no-pass</term>
86         <listitem><para>
87         Don't ask for a password
88         </para></listitem>
89         </varlistentry>
90
91         <varlistentry>
92         <term>-k KERBEROS|--kerberos=KERBEROS</term>
93         <listitem><para>
94         Use Kerberos
95         </para></listitem>
96         </varlistentry>
97
98         <varlistentry>
99         <term>--ipaddress=IPADDRESS</term>
100         <listitem><para>
101         IP address of the server
102         </para></listitem>
103         </varlistentry>
104
105         &popt.common.samba.client;
106
107         </variablelist>
108 </refsect1>
109
110 <refsect1>
111 <title>COMMANDS</title>
112
113 <refsect2>
114         <title>dbcheck</title>
115         <para>Check the local AD database for errors.</para>
116 </refsect2>
117
118 <refsect2>
119         <title>delegation</title>
120         <para>Manage Delegations.</para>
121 </refsect2>
122
123 <refsect3>
124         <title>delegation add-service <replaceable>accountname</replaceable> <replaceable>principal</replaceable> [options]</title>
125         <para>Add a service principal as msDS-AllowedToDelegateTo.</para>
126 </refsect3>
127
128 <refsect3>
129         <title>delegation del-service <replaceable>accountname</replaceable> <replaceable>principal</replaceable> [options]</title>
130         <para>Delete a service principal from msDS-AllowedToDelegateTo.</para>
131 </refsect3>
132
133 <refsect3>
134         <title>delegation for-any-protocol <replaceable>accountname</replaceable> [(on|off)] [options]</title>
135         <para>Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy)
136         for an account.</para>
137 </refsect3>
138
139 <refsect3>
140         <title>delegation for-any-service <replaceable>accountname</replaceable> [(on|off)] [options]</title>
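141         <para>Set/unset UF_TRUSTED_FOR_DELEGATION for an account. This flag enables unconstrained Kerberos delegation, so it should be set only on accounts that are trusted to act on behalf of any user.</para>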
142 </refsect3>
143
144 <refsect3>
145         <title>delegation show <replaceable>accountname</replaceable> [options] </title>
146         <para>Show the delegation setting of an account.</para>
147 </refsect3>
148
149 <refsect2>
150         <title>dns</title>
151         <para>Manage Domain Name Service (DNS).</para>
152 </refsect2>
153
154 <refsect3>
155         <title>dns add <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>data</replaceable></title>
156         <para>Add a DNS record.</para>
157 </refsect3>
158
159 <refsect3>
160         <title>dns delete <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>data</replaceable></title>
161         <para>Delete a DNS record.</para>
162 </refsect3>
163
164 <refsect3>
165         <title>dns query <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT|ALL</replaceable> [options] <replaceable>data</replaceable></title>
166         <para>Query a name.</para>
167 </refsect3>
168
169 <refsect3>
170         <title>dns roothints <replaceable>server</replaceable> [<replaceable>name</replaceable>] [options]</title>
171         <para>Query root hints.</para>
172 </refsect3>
173
174 <refsect3>
175         <title>dns serverinfo <replaceable>server</replaceable> [options]</title>
176         <para>Query server information.</para>
177 </refsect3>
178
179 <refsect3>
180         <title>dns update <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>olddata</replaceable> <replaceable>newdata</replaceable></title>
181         <para>Update a DNS record.</para>
182 </refsect3>
183
184 <refsect3>
185         <title>dns zonecreate <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
186         <para>Create a zone.</para>
187 </refsect3>
188
189 <refsect3>
190         <title>dns zonedelete <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
191         <para>Delete a zone.</para>
192 </refsect3>
193
194 <refsect3>
195         <title>dns zoneinfo <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
196         <para>Query zone information.</para>
197 </refsect3>
198
199 <refsect3>
200         <title>dns zonelist <replaceable>server</replaceable> [options]</title>
201         <para>List zones.</para>
202 </refsect3>
203
204 <refsect2>
205         <title>domain</title>
206         <para>Manage Domain.</para>
207 </refsect2>
208
209 <refsect3>
210         <title>domain classicupgrade [options] <replaceable>classic_smb_conf</replaceable></title>
211         <para>Upgrade from Samba classic (NT4-like) database to Samba AD DC
212         database.</para>
213 </refsect3>
214
215 <refsect3>
216         <title>domain dcpromo <replaceable>dnsdomain</replaceable> [DC|RODC] [options]</title>
217         <para>Promote an existing domain member or NT4 PDC to an AD DC.</para>
218 </refsect3>
219
220 <refsect3>
221         <title>domain demote</title>
222         <para>Demote ourselves from the role of domain controller.</para>
223 </refsect3>
224
225 <refsect3>
226         <title>domain exportkeytab <replaceable>keytab</replaceable> [options]</title>
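227         <para>Dumps Kerberos keys of the domain into a keytab. The keytab contains secret keys and should be stored with permissions that restrict access to the administrator.</para>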
228 </refsect3>
229
230 <refsect3>
231         <title>domain info <replaceable>ip_address</replaceable> [options]</title>
232         <para>Print basic info about a domain and the specified DC.
233 </para>
234 </refsect3>
235
236 <refsect3>
237         <title>domain join <replaceable>dnsdomain</replaceable> [DC|RODC|MEMBER|SUBDOMAIN] [options]</title>
238         <para>Join a domain as either member or backup domain controller.</para>
239 </refsect3>
240
241 <refsect3>
242         <title>domain level <replaceable>show|raise</replaceable> <replaceable>options</replaceable> [options]</title>
243         <para>Show/raise domain and forest function levels.</para>
244 </refsect3>
245
246 <refsect3>
247         <title>domain passwordsettings <replaceable>show|set</replaceable> <replaceable>options</replaceable> [options]</title>
248         <para>Show/set password settings.</para>
249 </refsect3>
250
251 <refsect3>
252         <title>domain provision</title>
253         <para>Promote an existing domain member or NT4 PDC to an AD DC.</para>
254 </refsect3>
255
256 <refsect3>
257         <title>domain trust</title>
258         <para>Domain and forest trust management.</para>
259 </refsect3>
260
261 <refsect3>
262         <title>domain trust create <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
263         <para>Create a domain or forest trust.</para>
264 </refsect3>
265
266 <refsect3>
267         <title>domain trust delete <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
268         <para>Delete a domain trust.</para>
269 </refsect3>
270
271 <refsect3>
272         <title>domain trust list <replaceable>options</replaceable> [options]</title>
273         <para>List domain trusts.</para>
274 </refsect3>
275
276 <refsect3>
277         <title>domain trust namespaces [<replaceable>DOMAIN</replaceable>] <replaceable>options</replaceable> [options]</title>
278         <para>Manage forest trust namespaces.</para>
279 </refsect3>
280
281 <refsect3>
282         <title>domain trust show <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
283         <para>Show trusted domain details.</para>
284 </refsect3>
285
286 <refsect3>
287         <title>domain trust validate <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
288         <para>Validate a domain trust.</para>
289 </refsect3>
290
291 <refsect2>
292         <title>drs</title>
293         <para>Manage Directory Replication Services (DRS).</para>
294 </refsect2>
295
296 <refsect3>
297         <title>drs bind</title>
298         <para>Show DRS capabilities of a server.</para>
299 </refsect3>
300
301 <refsect3>
302         <title>drs kcc</title>
303         <para>Trigger knowledge consistency center run.</para>
304 </refsect3>
305
306 <refsect3>
307         <title>drs options</title>
308         <para>Query or change <replaceable>options</replaceable> for NTDS Settings
309         object of a domain controller.</para>
310 </refsect3>
311
312 <refsect3>
313         <title>drs replicate <replaceable>destination_DC</replaceable> <replaceable>source_DC</replaceable> <replaceable>NC</replaceable> [options]</title>
314         <para>Replicate a naming context between two DCs.</para>
315 </refsect3>
316
317 <refsect3>
318         <title>drs showrepl</title>
319         <para>Show replication status.</para>
320 </refsect3>
321
322 <refsect2>
323         <title>dsacl</title>
324         <para>Administer DS ACLs.</para>
325 </refsect2>
326
327 <refsect3>
328         <title>dsacl set</title>
329         <para>Modify access list on a directory object.</para>
330 </refsect3>
331
332 <refsect2>
333         <title>fsmo</title>
334         <para>Manage Flexible Single Master Operations (FSMO).</para>
335 </refsect2>
336
337 <refsect3>
338         <title>fsmo seize [options]</title>
339         <para>Seize the role.</para>
340 </refsect3>
341
342 <refsect3>
343         <title>fsmo show</title>
344         <para>Show the roles.</para>
345 </refsect3>
346
347 <refsect3>
348         <title>fsmo transfer [options]</title>
349         <para>Transfer the role.</para>
350 </refsect3>
351
352 <refsect2>
353         <title>gpo</title>
354         <para>Manage Group Policy Objects (GPO).</para>
355 </refsect2>
356
357 <refsect3>
358         <title>gpo create <replaceable>displayname</replaceable> [options]</title>
359         <para>Create an empty GPO.</para>
360 </refsect3>
361
362 <refsect3>
363         <title>gpo del <replaceable>gpo</replaceable> [options]</title>
364         <para>Delete GPO.</para>
365 </refsect3>
366
367 <refsect3>
368         <title>gpo dellink <replaceable>container_dn</replaceable> <replaceable>gpo</replaceable> [options]</title>
369         <para>Delete GPO link from a container.</para>
370 </refsect3>
371
372 <refsect3>
373         <title>gpo fetch <replaceable>gpo</replaceable> [options]</title>
374         <para>Download a GPO.</para>
375 </refsect3>
376
377 <refsect3>
378         <title>gpo getinheritance <replaceable>container_dn</replaceable> [options]</title>
379         <para>Get inheritance flag for a container.</para>
380 </refsect3>
381
382 <refsect3>
383         <title>gpo getlink <replaceable>container_dn</replaceable> [options]</title>
384         <para>List GPO Links for a container.</para>
385 </refsect3>
386
387 <refsect3>
388         <title>gpo list <replaceable>username</replaceable> [options]</title>
389         <para>List GPOs for an account.</para>
390 </refsect3>
391
392 <refsect3>
393         <title>gpo listall</title>
394         <para>List all GPOs.</para>
395 </refsect3>
396
397 <refsect3>
398         <title>gpo listcontainers <replaceable>gpo</replaceable> [options]</title>
399         <para>List all linked containers for a GPO.</para>
400 </refsect3>
401
402 <refsect3>
403         <title>gpo setinheritance <replaceable>container_dn</replaceable> <replaceable>block|inherit</replaceable> [options]</title>
404         <para>Set inheritance flag on a container.</para>
405 </refsect3>
406
407 <refsect3>
408         <title>gpo setlink <replaceable>container_dn</replaceable> <replaceable>gpo</replaceable> [options]</title>
409         <para>Add or update a GPO link to a container.</para>
410 </refsect3>
411
412 <refsect3>
413         <title>gpo show <replaceable>gpo</replaceable> [options]</title>
414         <para>Show information for a GPO.</para>
415 </refsect3>
416
417 <refsect2>
418         <title>group</title>
419         <para>Manage groups.</para>
420 </refsect2>
421
422 <refsect3>
423         <title>group add <replaceable>groupname</replaceable> [options]</title>
424         <para>Create a new AD group.</para>
425 </refsect3>
426
427 <refsect3>
428         <title>group addmembers <replaceable>groupname</replaceable> <replaceable>members</replaceable> [options]</title>
429         <para>Add members to an AD group.</para>
430 </refsect3>
431
432 <refsect3>
433         <title>group delete <replaceable>groupname</replaceable> [options]</title>
434         <para>Delete an AD group.</para>
435 </refsect3>
436
437 <refsect3>
438         <title>group list</title>
439         <para>List all groups.</para>
440 </refsect3>
441
442 <refsect3>
443         <title>group listmembers <replaceable>groupname</replaceable> [options]</title>
444         <para>List all members of the specified AD group.</para>
445 </refsect3>
446
447 <refsect3>
448         <title>group removemembers <replaceable>groupname</replaceable> <replaceable>members</replaceable> [options]</title>
449         <para>Remove members from the specified AD group.</para>
450 </refsect3>
451
452 <refsect2>
453         <title>ldapcmp <replaceable>URL1</replaceable> <replaceable>URL2</replaceable> <replaceable>domain|configuration|schema|dnsdomain|dnsforest</replaceable> [options] </title>
454         <para>Compare two LDAP databases.</para>
455 </refsect2>
456
457 <refsect2>
458         <title>ntacl</title>
459         <para>Manage NT ACLs.</para>
460 </refsect2>
461
462 <refsect3>
463         <title>ntacl get <replaceable>file</replaceable> [options]</title>
464         <para>Get ACLs on a file.</para>
465 </refsect3>
466
467 <refsect3>
468         <title>ntacl set <replaceable>acl</replaceable> <replaceable>file</replaceable> [options]</title>
469         <para>Set ACLs on a file.</para>
470 </refsect3>
471
472 <refsect3>
473         <title>ntacl sysvolcheck</title>
474         <para>Check sysvol ACLs match defaults (including correct ACLs on GPOs).</para>
475 </refsect3>
476
477 <refsect3>
478         <title>ntacl sysvolreset</title>
479         <para>Reset sysvol ACLs to defaults (including correct ACLs on GPOs).</para>
480 </refsect3>
481
482 <refsect2>
483         <title>rodc</title>
484         <para>Manage Read-Only Domain Controller (RODC).</para>
485 </refsect2>
486
487 <refsect3>
488         <title>rodc preload <replaceable>SID</replaceable>|<replaceable>DN</replaceable>|<replaceable>accountname</replaceable> [options]</title>
489         <para>Preload one account for an RODC.</para>
490 </refsect3>
491
492 <refsect2>
493         <title>sites</title>
494         <para>Manage sites.</para>
495 </refsect2>
496
497 <refsect3>
498         <title>sites create <replaceable>site</replaceable> [options]</title>
499         <para>Create a new site.</para>
500 </refsect3>
501
502 <refsect3>
503         <title>sites remove <replaceable>site</replaceable> [options]</title>
504         <para>Delete an existing site.</para>
505 </refsect3>
506
507 <refsect2>
508         <title>spn</title>
509         <para>Manage Service Principal Names (SPN).</para>
510 </refsect2>
511
512 <refsect3>
513         <title>spn add <replaceable>name</replaceable> <replaceable>user</replaceable> [options]</title>
514         <para>Create a new SPN.</para>
515 </refsect3>
516
517 <refsect3>
518         <title>spn delete <replaceable>name</replaceable> [<replaceable>user</replaceable>] [options]</title>
519         <para>Delete an existing SPN.</para>
520 </refsect3>
521
522 <refsect3>
523         <title>spn list <replaceable>user</replaceable> [options]</title>
524         <para>List SPNs of a given user.</para>
525 </refsect3>
526
527 <refsect2>
528         <title>testparm</title>
529         <para>Check the syntax of the configuration file.</para>
530 </refsect2>
531
532 <refsect2>
533         <title>time</title>
534         <para>Retrieve the time on a server.</para>
535 </refsect2>
536
537 <refsect2>
538         <title>user</title>
539         <para>Manage users.</para>
540 </refsect2>
541
542 <refsect3>
543         <title>user add <replaceable>username</replaceable> [<replaceable>password</replaceable>]</title>
544         <para>Create a new user. Please note that this subcommand is deprecated
545         and available for compatibility reasons only. Please use
546         <command>samba-tool user create</command> instead.</para>
547 </refsect3>
548
549 <refsect3>
550         <title>user create <replaceable>username</replaceable> [<replaceable>password</replaceable>]</title>
551         <para>Create a new user in the Active Directory Domain.</para>
552 </refsect3>
553
554 <refsect3>
555         <title>user delete <replaceable>username</replaceable> [options]</title>
556         <para>Delete an existing user account.</para>
557 </refsect3>
558
559 <refsect3>
560         <title>user disable <replaceable>username</replaceable></title>
561         <para>Disable a user account.</para>
562 </refsect3>
563
564 <refsect3>
565         <title>user enable <replaceable>username</replaceable></title>
566         <para>Enable a user account.</para>
567 </refsect3>
568
569 <refsect3>
570         <title>user list</title>
571         <para>List all users.</para>
572 </refsect3>
573
574 <refsect3>
575         <title>user password [options]</title>
576         <para>Change password for a user account (the one provided in
577         authentication).</para>
578 </refsect3>
579
580 <refsect3>
581         <title>user setexpiry <replaceable>username</replaceable> [options]</title>
582         <para>Set the expiration of a user account.</para>
583 </refsect3>
584
585 <refsect3>
586         <title>user setpassword <replaceable>username</replaceable> [options]</title>
587         <para>Sets or resets the password of a user account.</para>
588 </refsect3>
589
590 <refsect3>
591         <title>user getpassword <replaceable>username</replaceable> [options]</title>
592         <para>Gets the password of a user account.</para>
593 </refsect3>
594
595 <refsect3>
596         <title>user syncpasswords <replaceable>--cache-ldb-initialize</replaceable> [options]</title>
597         <para>Syncs the passwords of all user accounts, using an optional script.</para>
598         <para>Note that this command should run on a single domain controller only
599         (typically the PDC-emulator).</para>
600 </refsect3>
601
602 <refsect2>
603         <title>vampire [options] <replaceable>domain</replaceable></title>
604         <para>Join and synchronise a remote AD domain to the local server.
605         Please note that <command>samba-tool vampire</command> is deprecated,
606         please use <command>samba-tool domain join</command> instead.</para>
607 </refsect2>
608
609 <refsect2>
610 <title>help</title>
611 <para>Gives usage information.</para>
612 </refsect2>
613
614 </refsect1>
615
616 <refsect1>
617         <title>VERSION</title>
618
619         <para>This man page is complete for version 4 of the Samba
620         suite.</para>
621 </refsect1>
622
623 <refsect1>
624         <title>AUTHOR</title>
625
626         <para>The original Samba software and related utilities
627         were created by Andrew Tridgell. Samba is now developed
628         by the Samba Team as an Open Source project similar
629         to the way the Linux kernel is developed.</para>
630
631         <para>The samba-tool manpage was written by Karolin Seeger.</para>
632 </refsect1>
633
634 </refentry>