SAMBA-TOOL(8)		  System Administration	tools		 SAMBA-TOOL(8)

NAME
       samba-tool - Main Samba administration tool.

SYNOPSIS
       samba-tool [-h] [-W myworkgroup]	[-U user] [-d debuglevel] [--v]

DESCRIPTION
       This tool is part of the	samba(7) suite.

OPTIONS
       -h|--help
	   Show	this help message and exit

       -r|--realm=REALM
	   Set the realm for the domain.

	   Note	that specifying	this parameter here will override the realm
	   parameter in	the smb.conf file.

       --simple-bind-dn=DN
	   DN to use for a simple bind.

       --password
	   Specify the password	on the commandline.

	   Be cautious about including passwords in scripts or passing
	   user-supplied values	onto the command line. For security it is
	   better to let the Samba client tool ask for the password if needed,
	   or obtain the password once with kinit.

	   If --password is not	specified, the tool will check the PASSWD
	   environment variable, followed by PASSWD_FD which is	expected to
	   contain an open file	descriptor (FD)	number.

	   Finally it will check PASSWD_FILE (containing a file	path to	be
	   opened). The	file should only contain the password. Make certain
	   that	the permissions	on the file restrict access from unwanted
	   users!

	   While Samba will attempt to scrub the password from the process
	   title (as seen in ps), this is after	startup	and so is subject to a
	   race.

       -U|--user=[DOMAIN\]USERNAME[%PASSWORD]
	   Sets	the SMB	username or username and password.

	   If %PASSWORD	is not specified, the user will	be prompted. The
	   client will first check the USER environment variable (which is
	   also permitted to contain the password separated by a %), then
	   the LOGNAME variable	(which is not permitted	to contain a password)
	   and if either exists, the value is used. If these environmental
	   variables are not found, the	username found in a Kerberos
	   Credentials cache may be used.

	   A third option is to	use a credentials file which contains the
	   plaintext of	the username and password. This	option is mainly
	   provided for	scripts	where the admin	does not wish to pass the
	   credentials on the command line or via environment variables. If
	   this	method is used,	make certain that the permissions on the file
	   restrict access from unwanted users. See the -A option for more details.

	   Be cautious about including passwords in scripts or passing
	   user-supplied values	onto the command line. For security it is
	   better to let the Samba client tool ask for the password if needed,
	   or obtain the password once with kinit.

	   While Samba will attempt to scrub the password from the process
	   title (as seen in ps), this is after	startup	and so is subject to a
	   race.

       -W|--workgroup=WORKGROUP
	   Set the SMB domain of the username. This overrides the default
	   domain which is the domain defined in smb.conf. If the domain
	   specified is the same as the server's NetBIOS name, it causes the
	   client to log on using the server's local SAM (as opposed to the
	   Domain SAM).

	   Note	that specifying	this parameter here will override the
	   workgroup parameter in the smb.conf file.

       -N|--no-pass
	   If specified, this parameter	suppresses the normal password prompt
	   from	the client to the user.	This is	useful when accessing a
	   service that	does not require a password.

	   Unless a password is	specified on the command line or this
	   parameter is	specified, the client will request a password.

	   If a	password is specified on the command line and this option is
	   also	defined	the password on	the command line will be silently
	   ignored and no password will	be used.

       --use-kerberos=desired|required|off
	   This parameter determines whether Samba client tools will try to
	   authenticate using Kerberos. For Kerberos authentication you need
	   to use DNS names instead of IP addresses when connecting to a
	   service.

	   Note	that specifying	this parameter here will override the client
	   use kerberos	parameter in the smb.conf file.

       --use-krb5-ccache=CCACHE
	   Specifies the credential cache location for Kerberos
	   authentication.

	   This	will set --use-kerberos=required too.

       --ipaddress=IPADDRESS
	   IP address of the server

       -d|--debuglevel=DEBUGLEVEL
	   DEBUGLEVEL is an integer from 0 to 10. The default value if this
	   parameter is not specified is 1 for client applications.

	   The higher this value, the more detail will be logged to the	log
	   files about the activities of the server. At	level 0, only critical
	   errors and serious warnings will be logged. Level 1 is a reasonable
	   level for day-to-day	running	- it generates a small amount of
	   information about operations	carried	out.

	   Levels above	1 will generate	considerable amounts of	log data, and
	   should only be used when investigating a problem. Levels above 3
	   are designed	for use	only by	developers and generate	HUGE amounts
	   of log data,	most of	which is extremely cryptic.

	   Note	that specifying	this parameter here will override the log
	   level parameter in the smb.conf file.

       --debug-stdout
	   This	will redirect debug output to STDOUT. By default all clients
	   are logging to STDERR.
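
The PASSWD_FILE and PASSWD_FD sources described under --password, as an added example (not part of the Samba manual or code). The helper names and the path in the usage comment are hypothetical; the helpers refuse a password file that is a symlink, not owned by the caller, or accessible to group/other, and unset PASSWD first because the tool checks it before the other two.

```shell
#!/bin/sh
# Added example, not Samba code. Helper names are hypothetical.
# Goal: hand a password to a Samba client tool without putting it in argv
# (visible in ps until scrubbed) and without exporting it as PASSWD.

# file_mode PATH: print octal permission bits (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# check_password_file PATH: succeed only if PATH is a regular file (not a
# symlink), owned by the caller, with no group/other permission bits set.
check_password_file() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "refusing $f: not a regular file" >&2
        return 1
    fi
    if [ ! -O "$f" ]; then
        echo "refusing $f: not owned by the current user" >&2
        return 1
    fi
    mode=$(file_mode "$f") || return 1
    # Leading 0 makes the shell read the mode as octal; 077 = group+other bits.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "refusing $f: mode $mode grants group/other access" >&2
        return 1
    fi
    return 0
}

# run_with_password_file PWFILE CMD [ARGS...]
# Runs CMD with PASSWD_FILE pointing at the verified file. PASSWD and
# PASSWD_FD are unset because the tool consults them before PASSWD_FILE.
run_with_password_file() {
    pwfile=$1
    shift
    check_password_file "$pwfile" || return 1
    (
        unset PASSWD PASSWD_FD
        PASSWD_FILE=$pwfile
        export PASSWD_FILE
        exec "$@"
    )
}

# run_with_password_fd PWFILE CMD [ARGS...]
# Opens the verified file on descriptor 3 and passes only the number "3"
# in PASSWD_FD, so neither the password nor its path is in the environment.
run_with_password_fd() {
    pwfile=$1
    shift
    check_password_file "$pwfile" || return 1
    (
        unset PASSWD PASSWD_FILE
        PASSWD_FD=3
        export PASSWD_FD
        exec "$@" 3<"$pwfile"
    )
}

# Usage (hypothetical path, options as documented on this page):
#   run_with_password_fd /root/.samba-admin.pw samba-tool user list -U Administrator
```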

COMMANDS
   computer
       Manage computer accounts.

   computer add	computername [options]
       Add a new computer to the Active	Directory Domain.

       The new computer	name specified on the command is the sAMAccountName,
       with or without the trailing dollar sign.

       --computerou=COMPUTEROU
	   DN of an alternative location (with or without the domainDN
	   component), instead of the default CN=Computers, in which the new
	   computer object will be created. E.g. 'OU=OUname'.

       --description=DESCRIPTION
	   The new computer's description.

       --ip-address=IP_ADDRESS_LIST
	   IPv4 address for the computer's A record, or IPv6 address for its
	   AAAA record. Can be provided multiple times.

       --service-principal-name=SERVICE_PRINCIPAL_NAME_LIST
	   Computer's Service Principal	Name, can be provided multiple times.

       --prepare-oldjoin
	   Prepare enabled machine account for oldjoin mechanism.

   computer create computername	[options]
       Add a new computer. This	is a synonym for the samba-tool	computer add
       command and is available	for compatibility reasons only.	Please use
       samba-tool computer add instead.

   computer delete computername	[options]
       Delete an existing computer account.

       The computer name specified on the command is the sAMAccountName, with
       or without the trailing dollar sign.

   computer edit computername
       Edit a computer AD object.

       The computer name specified on the command is the sAMAccountName, with
       or without the trailing dollar sign.

       --editor=EDITOR
	   Specifies the editor	to use instead of the system default, or 'vi'
	   if no system	default	is set.

   computer list
       List all	computers.

   computer move computername new_parent_dn [options]
       This command moves a computer account into the specified	organizational
       unit or container.

       The computername	specified on the command is the	sAMAccountName,	with
       or without the trailing dollar sign.

       The name	of the organizational unit or container	can be specified as a
       full DN or without the domainDN component.

   computer show computername [options]
       Display a computer AD object.

       The computer name specified on the command is the sAMAccountName, with
       or without the trailing dollar sign.

       --attributes=USER_ATTRS
	   Comma separated list	of attributes, which will be printed.

   contact
       Manage contacts.

   contact add [contactname] [options]
       Add a new contact to the	Active Directory Domain.

       The name	of the new contact can be specified by the first argument
       'contactname' or	the --given-name, --initial and	--surname arguments.
       If no 'contactname' is given, contact's name will be made up of the
       given arguments by combining the	given-name, initials and surname. Each
       argument	is optional. A dot ('.') will be appended to the initials
       automatically.

       --ou=OU
	   DN of alternative location (with or without domainDN	counterpart)
	   in which the	new contact will be created. E.g. 'OU=OUname'. Default
	   is the domain base.

       --description=DESCRIPTION
	   The new contact's description.

       --surname=SURNAME
	   Contact's surname.

       --given-name=GIVEN_NAME
	   Contact's given name.

       --initials=INITIALS
	   Contact's initials.

       --display-name=DISPLAY_NAME
	   Contact's display name.

       --job-title=JOB_TITLE
	   Contact's job title.

       --department=DEPARTMENT
	   Contact's department.

       --company=COMPANY
	   Contact's company.

       --mail-address=MAIL_ADDRESS
	   Contact's email address.

       --internet-address=INTERNET_ADDRESS
	   Contact's home page.

       --telephone-number=TELEPHONE_NUMBER
	   Contact's phone number.

       --mobile-number=MOBILE_NUMBER
	   Contact's mobile phone number.

       --physical-delivery-office=PHYSICAL_DELIVERY_OFFICE
	   Contact's office location.

   contact create [contactname]	[options]
       Add a new contact. This is a synonym for	the samba-tool contact add
       command and is available	for compatibility reasons only.	Please use
       samba-tool contact add instead.

   contact delete contactname [options]
       Delete an existing contact.

       The contactname specified on the	command	is the common name or the
       distinguished name of the contact object. The distinguished name	of the
       contact can be specified	with or	without	the domainDN component.

   contact edit	contactname
       Modify a	contact	AD object.

       The contactname specified on the	command	is the common name or the
       distinguished name of the contact object. The distinguished name	of the
       contact can be specified	with or	without	the domainDN component.

       --editor=EDITOR
	   Specifies the editor	to use instead of the system default, or 'vi'
	   if no system	default	is set.

   contact list	[options]
       List all	contacts.

       --full-dn
	   Display contact's full DN instead of	the name.

   contact move	contactname new_parent_dn [options]
       This command moves a contact into the specified organizational unit or
       container.

       The contactname specified on the	command	is the common name or the
       distinguished name of the contact object. The distinguished name	of the
       contact can be specified	with or	without	the domainDN component.

   contact show	contactname [options]
       Display a contact AD object.

       The contactname specified on the	command	is the common name or the
       distinguished name of the contact object. The distinguished name	of the
       contact can be specified	with or	without	the domainDN component.

       --attributes=CONTACT_ATTRS
	   Comma separated list	of attributes, which will be printed.

   contact rename contactname [options]
       Rename a	contact	and related attributes.

       This command sets the contact's name-related attributes. The
       contact's CN will be renamed automatically. The contact's new CN will
       be made up by combining the given-name, initials and surname. A dot
       ('.') will be appended to the initials automatically, if required. Use
       the --force-new-cn option to specify the new CN manually and --reset-cn
       to reset this change.

       Use an empty attribute value to remove the specified attribute.

       The contact name	specified on the command is the	CN.

       --surname=SURNAME
	   New surname.

       --given-name=GIVEN_NAME
	   New given name.

       --initials=INITIALS
	   New initials.

       --force-new-cn=NEW_CN
	   Specify a new CN (RDN) instead of using a combination of the	given
	   name, initials and surname.

       --reset-cn
	   Set the CN to the default combination of given name,	initials and
	   surname.

       --display-name=DISPLAY_NAME
	   New display name.

       --mail-address=MAIL_ADDRESS
	   New email address.

   dbcheck
       Check the local AD database for errors.

   delegation
       Manage Delegations.

   delegation add-service accountname principal	[options]
       Add a service principal as msDS-AllowedToDelegateTo.

   delegation del-service accountname principal	[options]
       Delete a	service	principal as msDS-AllowedToDelegateTo.

   delegation for-any-protocol accountname [(on|off)] [options]
       Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy) for an
       account.

   delegation for-any-service accountname [(on|off)] [options]
       Set/unset UF_TRUSTED_FOR_DELEGATION for an account.

   delegation show accountname [options]
       Show the	delegation setting of an account.

   dns
       Manage Domain Name Service (DNS).

   dns add server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
       Add a DNS record.

   dns delete server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data
       Delete a	DNS record.

   dns query server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT|ALL [options]
       data
       Query a name.

   dns roothints server	[name] [options]
       Query root hints.

   dns serverinfo server [options]
       Query server information.

   dns update server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT olddata newdata
       Update a	DNS record.

   dns zonecreate server zone [options]
       Create a	zone.

   dns zonedelete server zone [options]
       Delete a	zone.

   dns zoneinfo	server zone [options]
       Query zone information.

   dns zonelist	server [options]
       List zones.

   domain
       Manage Domain.

   domain backup
       Create or restore a backup of the domain.

   domain backup offline
       Backup (with proper locking) local domain directories into a tar	file.

   domain backup online
       Copy a running DC's current DB into a backup tar	file.

   domain backup rename
       Copy a running DC's DB to backup	file, renaming the domain in the
       process.

   domain backup restore
       Restore the domain's DB from a backup-file.

   domain classicupgrade [options] classic_smb_conf
       Upgrade from Samba classic (NT4-like) database to Samba AD DC database.

   domain dcpromo dnsdomain [DC|RODC] [options]
       Promote an existing domain member or NT4	PDC to an AD DC.

   domain demote
       Demote ourselves	from the role of domain	controller.

   domain exportkeytab keytab [options]
       Dumps Kerberos keys of the domain into a	keytab.

   domain info ip_address [options]
       Print basic info	about a	domain and the specified DC.

   domain join dnsdomain [DC|RODC|MEMBER|SUBDOMAIN] [options]
       Join a domain as	either member or backup	domain controller.

   domain level	show|raise options [options]
       Show/raise domain and forest function levels.

   domain passwordsettings show|set options [options]
       Show/set	password settings.

   domain passwordsettings pso
       Manage fine-grained Password Settings Objects (PSOs).

   domain passwordsettings pso apply pso-name user-or-group-name [options]
       Applies a PSO's password	policy to a user or group.

   domain passwordsettings pso create pso-name precedence [options]
       Creates a new Password Settings Object (PSO).

   domain passwordsettings pso delete pso-name [options]
       Deletes a Password Settings Object (PSO).

   domain passwordsettings pso list [options]
       Lists all Password Settings Objects (PSOs).

   domain passwordsettings pso set pso-name [options]
       Modifies	a Password Settings Object (PSO).

   domain passwordsettings pso show user-name [options]
       Displays	a Password Settings Object (PSO).

   domain passwordsettings pso show-user pso-name [options]
       Displays	the Password Settings that apply to a user.

   domain passwordsettings pso unapply pso-name	user-or-group-name [options]
       Updates a PSO to	no longer apply	to a user or group.

   domain provision
       Promote an existing domain member or NT4	PDC to an AD DC.

   domain trust
       Domain and forest trust management.

   domain trust	create DOMAIN options [options]
       Create a	domain or forest trust.

   domain trust	modify DOMAIN options [options]
       Modify a	domain or forest trust.

   domain trust	delete DOMAIN options [options]
       Delete a	domain trust.

   domain trust	list options [options]
       List domain trusts.

   domain trust	namespaces [DOMAIN] options [options]
       Manage forest trust namespaces.

   domain trust	show DOMAIN options [options]
       Show trusted domain details.

   domain trust	validate DOMAIN	options	[options]
       Validate	a domain trust.

   drs
       Manage Directory	Replication Services (DRS).

   drs bind
       Show DRS	capabilities of	a server.

   drs kcc
       Trigger knowledge consistency center run.

   drs options
       Query or	change options for NTDS	Settings object	of a domain
       controller.

   drs replicate destination_DC	source_DC NC [options]
       Replicate a naming context between two DCs.

   drs showrepl
       Show replication	status.	The [--json] option results in JSON output,
       and with	the [--summary]	option produces	very little output when	the
       replication status seems	healthy.

   dsacl
       Administer DS ACLs

   dsacl set
       Modify access list on a directory object.

   forest
       Manage Forest configuration.

   forest directory_service
       Manage directory_service	behaviour for the forest.

   forest directory_service dsheuristics VALUE
       Modify dsheuristics directory_service configuration for the forest.

   forest directory_service show
       Show current directory_service configuration for	the forest.

   fsmo
       Manage Flexible Single Master Operations	(FSMO).

   fsmo	seize [options]
       Seize the role.

   fsmo	show
       Show the	roles.

   fsmo	transfer [options]
       Transfer	the role.

   gpo
       Manage Group Policy Objects (GPO).

   gpo create displayname [options]
       Create an empty GPO.

   gpo del gpo [options]
       Delete GPO.

   gpo dellink container_dn gpo	[options]
       Delete GPO link from a container.

   gpo fetch gpo [options]
       Download	a GPO.

   gpo getinheritance container_dn [options]
       Get inheritance flag for	a container.

   gpo getlink container_dn [options]
       List GPO	Links for a container.

   gpo list username [options]
       List GPOs for an	account.

   gpo listall
       List all	GPOs.

   gpo listcontainers gpo [options]
       List all	linked containers for a	GPO.

   gpo setinheritance container_dn block|inherit [options]
       Set inheritance flag on a container.

   gpo setlink container_dn gpo	[options]
       Add or Update a GPO link	to a container.

   gpo show gpo	[options]
       Show information	for a GPO.

   gpo manage symlink list
       List VGP	Symbolic Link Group Policy from	the sysvol

   gpo manage symlink add
       Adds a VGP Symbolic Link	Group Policy to	the sysvol

   gpo manage symlink remove
       Removes a VGP Symbolic Link Group Policy	from the sysvol

   gpo manage files list
       List VGP	Files Group Policy from	the sysvol

   gpo manage files add
       Add VGP Files Group Policy to the sysvol

   gpo manage files remove
       Remove VGP Files	Group Policy from the sysvol

   gpo manage openssh list
       List VGP	OpenSSH	Group Policy from the sysvol

   gpo manage openssh set
       Sets a VGP OpenSSH Group	Policy to the sysvol

   gpo manage sudoers add
       Adds a Samba Sudoers Group Policy to the	sysvol.

   gpo manage sudoers list
       List Samba Sudoers Group	Policy from the	sysvol.

   gpo manage sudoers remove
       Removes a Samba Sudoers Group Policy from the sysvol.

   gpo manage scripts startup list
       List VGP	Startup	Script Group Policy from the sysvol

   gpo manage scripts startup add
       Adds VGP	Startup	Script Group Policy to the sysvol

   gpo manage scripts startup remove
       Removes VGP Startup Script Group	Policy from the	sysvol

   gpo manage motd list
       List VGP	MOTD Group Policy from the sysvol.

   gpo manage motd set
       Sets a VGP MOTD Group Policy to the sysvol

   gpo manage issue list
       List VGP	Issue Group Policy from	the sysvol.

   gpo manage issue set
       Sets a VGP Issue	Group Policy to	the sysvol

   gpo manage access add
       Adds a VGP Host Access Group Policy to the sysvol

   gpo manage access list
       List VGP	Host Access Group Policy from the sysvol

   gpo manage access remove
       Remove a	VGP Host Access	Group Policy from the sysvol

   group
       Manage groups.

   group add groupname [options]
       Create a	new AD group.

   group create	groupname [options]
       Add a new AD group. This	is a synonym for the samba-tool	group add
       command and is available	for compatibility reasons only.	Please use
       samba-tool group	add instead.

   group addmembers groupname members [options]
       Add members to an AD group.

   group delete	groupname [options]
       Delete an AD group.

   group edit groupname
       Edit a group AD object.

       --editor=EDITOR
	   Specifies the editor	to use instead of the system default, or 'vi'
	   if no system	default	is set.

   group list
       List all	groups.

   group listmembers groupname [options]
       List all	members	of the specified AD group.

       By default the sAMAccountNames are listed. If no	sAMAccountName is
       available, the CN will be used instead.

       --full-dn
	   List	the distinguished names	instead	of the sAMAccountNames.

       --hide-expired
	   Do not list expired group members.

       --hide-disabled
	   Do not list disabled	group members.

   group move groupname	new_parent_dn [options]
       This command moves a group into the specified organizational unit or
       container.

       The groupname specified on the command is the sAMAccountName.

       The name	of the organizational unit or container	can be specified as a
       full DN or without the domainDN component.

   group removemembers groupname members [options]
       Remove members from the specified AD group.

   group show groupname	[options]
       Show group object and its attributes.

   group stats [options]
       Show statistics for overall groups and group memberships.

   group rename	groupname [options]
       Rename a	group and related attributes.

       This command sets the group's name-related attributes. The
       group's CN will be renamed automatically. The group's CN will be the
       sAMAccountName. Use the --force-new-cn option to specify the new CN
       manually and the --reset-cn option to reset this change.

       Use an empty attribute value to remove the specified attribute.

       The groupname specified on the command is the sAMAccountName.

       --force-new-cn=NEW_CN
	   Specify a new CN (RDN) instead of using the sAMAccountName.

       --reset-cn
	   Set the CN to the sAMAccountName.

       --mail-address=MAIL_ADDRESS
	   New mail address

       --samaccountname=SAMACCOUNTNAME
	   New account name (sAMAccountName/logon name)

   ldapcmp URL1	URL2 domain|configuration|schema|dnsdomain|dnsforest [options]
       Compare two LDAP	databases.

   ntacl
       Manage NT ACLs.

   ntacl changedomsid original-domain-SID new-domain-SID file [options]
       Change the domain SID for ACLs. Can be used to change all entries in
       acl_xattr when the machine's SID	has accidentally changed or the	data
       set has been copied to another machine either via backup/restore	or
       rsync.

       --use-ntvfs
	   Set the ACLs	directly to the	TDB or xattr. The POSIX	permissions
	   will	NOT be changed,	only the NT ACL	will be	stored.

       --service=SERVICE
	   Specify the name of the smb.conf service to use. This option	is
	   required in combination with	the --use-s3fs option.

       --use-s3fs
	   Set the ACLs	for use	with the default s3fs file server via the VFS
	   layer. This option requires a smb.conf service, specified by	the
	   --service=SERVICE option.

       --xattr-backend=[native|tdb]
	   Specify the xattr backend type (native fs or	tdb).

       --eadb-file=EADB_FILE
	   Name	of the tdb file	where attributes are stored.

       --recursive
	   Set the ACLs	for directories	and their contents recursively.

       --follow-symlinks
	   Follow symlinks when	--recursive is specified.

       --verbose
	   Verbosely list files	and ACLs which are being processed.

   ntacl get file [options]
       Get ACLs	on a file.

   ntacl set acl file [options]
       Set ACLs	on a file.

   ntacl sysvolcheck
       Check sysvol ACLs match defaults	(including correct ACLs	on GPOs).

   ntacl sysvolreset
       Reset sysvol ACLs to defaults (including	correct	ACLs on	GPOs).

   ou
       Manage organizational units (OUs).

   ou add ou_dn	[options]
       Add a new organizational	unit.

       The name	of the organizational unit can be specified as a full DN or
       without the domainDN component.

       --description=DESCRIPTION
	   Specify OU's	description.

   ou create ou_dn [options]
       Add a new organizational	unit. This is a	synonym	for the	samba-tool ou
       add command and is available for	compatibility reasons only. Please use
       samba-tool ou add instead.

   ou delete ou_dn [options]
       Delete an organizational	unit.

       The name	of the organizational unit can be specified as a full DN or
       without the domainDN component.

       --force-subtree-delete
	   Delete organizational unit and all children recursively.

   ou list [options]
       List all	organizational units.

       --full-dn
	   Display DNs including the base DN.

   ou listobjects ou_dn	[options]
       List all	objects	in an organizational unit.

       The name	of the organizational unit can be specified as a full DN or
       without the domainDN component.

       --full-dn
	   Display DNs including the base DN.

       -r|--recursive
	   List	objects	recursively.

   ou move old_ou_dn new_parent_dn [options]
       Move an organizational unit.

       The name	of the organizational units can	be specified as	a full DN or
       without the domainDN component.

   ou rename old_ou_dn new_ou_dn [options]
       Rename an organizational	unit.

       The name	of the organizational units can	be specified as	a full DN or
       without the domainDN component.

   rodc
       Manage Read-Only	Domain Controller (RODC).

   rodc	preload	SID|DN|accountname [options]
       Preload one account for an RODC.

   schema
       Manage and query	schema.

   schema attribute modify attribute [options]
       Modify the behaviour of an attribute in schema.

   schema attribute show attribute [options]
       Display an attribute schema definition.

   schema attribute show_oc attribute [options]
       Show objectclasses that MAY or MUST contain this	attribute.

   schema objectclass show objectclass [options]
       Display an objectclass schema definition.

   sites
       Manage sites.

   sites create	site [options]
       Create a	new site.

   sites remove	site [options]
       Delete an existing site.

   spn
       Manage Service Principal	Names (SPN).

   spn add name	user [options]
       Create a	new SPN.

   spn delete name [user] [options]
       Delete an existing SPN.

   spn list user [options]
       List SPNs of a given user.

   testparm
       Check the syntax	of the configuration file.

   time
       Retrieve	the time on a server.

   user
       Manage users.

   user	add username [password]
       Add a new user to the Active Directory Domain.

   user	create username	[password]
       Add a new user. This is a synonym for the samba-tool user add command
       and is available	for compatibility reasons only.	Please use samba-tool
       user add	instead.

   user	delete username	[options]
       Delete an existing user account.

   user	disable	username
       Disable a user account.

   user	edit username
       Edit a user account AD object.

       --editor=EDITOR
	   Specifies the editor	to use instead of the system default, or 'vi'
	   if no system	default	is set.

   user	enable username
       Enable a	user account.

   user	list
       List all	users.

       By default the user's sAMAccountNames are listed.

       --full-dn
	   List	user's distinguished names instead of the sAMAccountNames.

       -b BASE_DN|--base-dn=BASE_DN
	   Specify base	DN to use. Only	users under the	specified base DN will
	   be listed.

       --hide-expired
	   Do not list expired user accounts.

       --hide-disabled
	   Do not list disabled	user accounts.

   user	setprimarygroup	username primarygroupname
       Set the primary group of a user account.

   user	getgroups username
       Get the direct group memberships	of a user account.

   user	show username [options]
       Display a user AD object.

       --attributes=USER_ATTRS
	   Comma separated list	of attributes, which will be printed.

   user	move username new_parent_dn [options]
       This command moves a user account into the specified organizational
       unit or container.

       The username specified on the command is	the sAMAccountName.

       The name	of the organizational unit or container	can be specified as a
       full DN or without the domainDN component.

   user	password [options]
       Change password for a user account (the one provided in
       authentication).

   user	rename username	[options]
       Rename a	user and related attributes.

       This command sets the user's name-related attributes. The
       user's CN will be renamed automatically. The user's new CN will be made
       up by combining the given-name, initials and surname. A dot ('.') will
       be appended to the initials automatically, if required. Use the
       --force-new-cn option to specify the new CN manually and --reset-cn to
       reset this change.

       Use an empty attribute value to remove the specified attribute.

       The username specified on the command is	the sAMAccountName.

       --surname=SURNAME
	   New surname

       --given-name=GIVEN_NAME
	   New given name

       --initials=INITIALS
	   New initials

       --force-new-cn=NEW_CN
	   Specify a new CN (RDN) instead of using a combination of the	given
	   name, initials and surname.

       --reset-cn
	   Set the CN to the default combination of given name,	initials and
	   surname.

       --display-name=DISPLAY_NAME
	   New display name

       --mail-address=MAIL_ADDRESS
	   New email address

       --samaccountname=SAMACCOUNTNAME
	   New account name (sAMAccountName/logon name)

       --upn=UPN
	   New user principal name

   user	setexpiry username [options]
       Set the expiration of a user account.

   user	setpassword username [options]
       Sets or resets the password of a	user account.

   user	unlock username	[options]
       This command unlocks a user account in the Active Directory domain.

   user	getpassword username [options]
       Gets the	password of a user account.

   user	syncpasswords --cache-ldb-initialize [options]
       Syncs the passwords of all user accounts, using an optional script.

       Note that this command should run on a single domain controller only
       (typically the PDC-emulator).

   vampire [options] domain
       Join and synchronise a remote AD domain to the local server. Please
       note that samba-tool vampire is deprecated; use samba-tool
       domain join instead.

   visualize [options] subcommand
       Produce graphical representations of Samba network state. To work out
       what is happening in a replication graph, it is sometimes helpful to
       use visualisations.

       There are two subcommands, two graphical	modes, and (roughly) two modes
       of operation with respect to the	location of authority.

   MODES OF OPERATION
       samba-tool visualize ntdsconn
	   Looks at NTDS connections.

       samba-tool visualize reps
	   Looks at repsTo and repsFrom	objects.

       samba-tool visualize uptodateness
	   Looks at replication	lag as shown by	the uptodateness vectors.

   GRAPHICAL MODES
       --distance
	   Distances between DCs are shown in a	matrix in the terminal.

       --dot
	   Generate Graphviz dot output (for ntdsconn and reps modes). When
	   viewed using dot or xdot, this shows the network as a graph with
	   DCs as vertices and connections as edges. Certain types of
	   degenerate edges are shown in different colours or line-styles.

       --xdot
	   Generate Graphviz dot output	as with	[--dot]	and attempt to view it
	   immediately using /usr/bin/xdot.

       -r
	   Normally, samba-tool	talks to one database; with the	[-r] option
	   attempts are	made to	contact	all the	DCs known to the first
	   database. This is necessary for samba-tool visualize	uptodateness
	   and for samba-tool visualize	reps because the repsFrom/To objects
	   are not replicated, and it can reveal replication issues in other
	   modes.

   help
       Gives usage information.

VERSION
       This man	page is	complete for version 4.16.8 of the Samba suite.

AUTHOR
       The original Samba software and related utilities were created by
       Andrew Tridgell.	Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

Samba 4.16.8			  12/15/2022			 SAMBA-TOOL(8)
