NET(8) System Administration tools NET(8) NAME net - Tool for administration of Samba and remote CIFS servers. SYNOPSIS net {} [-h|--help] [-d|--debuglevel=DEBUGLEVEL] [--debug-stdout] [--configfile=CONFIGFILE] [--option=name=value] [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full] [-R|--name-resolve=NAME-RESOLVE-ORDER] [-O|--socket-options=SOCKETOPTIONS] [-m|--max-protocol=MAXPROTOCOL] [-n|--netbiosname=NETBIOSNAME] [--netbios-scope=SCOPE] [-W|--workgroup=WORKGROUP] [--realm=REALM] [-U|--user=[DOMAIN/]USERNAME[%PASSWORD]] [-N|--no-pass] [--password=STRING] [--pw-nt-hash] [-A|--authentication-file=FILE] [-P|--machine-pass] [--simple-bind-dn=DN] [--use-kerberos=desired|required|off] [--use-krb5-ccache=CCACHE] [--use-winbind-ccache] [--client-protection=sign|encrypt|off] [-V|--version] [-w|--target-workgroup workgroup] [-I|--ipaddress ip-address] [-p|--port port] [--myname] [-S|--server server] [--long] [-v|--verbose] [-f|--force] [--request-timeout seconds] [-t|--timeout seconds] [--dns-ttl TTL-IN-SECONDS] [-i|--stdin] [--witness-registration=REGISTRATION_UUID] [--witness-net-name=REGEX] [--witness-share-name=REGEX] [--witness-ip-address=REGEX] [--witness-client-computer-name=REGEX] [--witness-apply-to-all] [--witness-new-node=NODEID] [--witness-new-ip=IPADDRESS] [--witness-forced-response=JSON] DESCRIPTION This tool is part of the samba(7) suite. The Samba net utility is meant to work just like the net utility available for windows and DOS. The first argument should be used to specify the protocol to use when executing a certain command. ADS is used for ActiveDirectory, RAP is using for old (Win9x/NT3) clients and RPC can be used for NT4 and Windows 2000. If this argument is omitted, net will try to determine it automatically. Not all commands are available on all protocols. OPTIONS -w|--target-workgroup target-workgroup Sets target workgroup or domain. You have to specify either this option or the IP address or the name of a server. -I|--ipaddress ip-address IP address of target server to use. You have to specify either this option or a target workgroup or a target server. -p|--port port Port on the target server to connect to (usually 139 or 445). Defaults to trying 445 first, then 139. -S|--server server Name of target server. You should specify either this option or a target workgroup or a target IP address. --long When listing data, give more information on each item. -v|--verbose When listing data, give more verbose information on each item. -f|--force Enforcing a net command. --request-timeout 30 Let client requests timeout after 30 seconds the default is 10 seconds. -t|--timeout 30 Set timeout for client operations to 30 seconds. -i|--stdin Take input for net commands from standard input. -T|--test Only test command sequence, dry-run. -F|--flags FLAGS Pass down integer flags to a net subcommand. -C|--comment COMMENT Pass down a comment string to a net subcommand. --myname MYNAME Use MYNAME as a requester name for a net subcommand. -c|--container CONTAINER Use a specific AD container for net ads operations. -M|--maxusers MAXUSERS Fill in the maxusers field in net rpc share operations. -r|--reboot Reboot a remote machine after a command has been successfully executed (e.g. in remote join operations). --force-full-repl When calling "net rpc vampire keytab" this option enforces a full re-creation of the generated keytab file. --single-obj-repl When calling "net rpc vampire keytab" this option allows one to replicate just a single object to the generated keytab file. --clean-old-entries When calling "net rpc vampire keytab" this option allows one to cleanup old entries from the generated keytab file. --db Define dbfile for "net idmap" commands. --lock Activates locking of the dbfile for "net idmap check" command. -a|--auto Activates noninteractive mode in "net idmap check". --repair Activates repair mode in "net idmap check". --acls Includes ACLs to be copied in "net rpc share migrate". --attrs Includes file attributes to be copied in "net rpc share migrate". --timestamps Includes timestamps to be copied in "net rpc share migrate". -X|--exclude DIRECTORY Allows one to exclude directories when copying with "net rpc share migrate". --destination SERVERNAME Defines the target servername of migration process (defaults to localhost). -L|--local Sets the type of group mapping to local (used in "net groupmap set"). -D|--domain Sets the type of group mapping to domain (used in "net groupmap set"). -N|--ntname NTNAME Sets the ntname of a group mapping (used in "net groupmap set"). --rid RID Sets the rid of a group mapping (used in "net groupmap set"). --reg-version REG_VERSION Assume database version {n|1,2,3} (used in "net registry check"). -o|--output FILENAME Output database file (used in "net registry check"). --wipe Create a new database from scratch (used in "net registry check"). --precheck PRECHECK_DB_FILENAME Defines filename for database prechecking (used in "net registry import"). --no-dns-updates Do not perform DNS updates as part of "net ads join". --keep-account Prevent the machine account removal as part of "net ads leave". --json Report results in JSON format for "net ads info" and "net ads lookup". --recursive Traverse a directory hierarchy. --continue Continue traversing a directory hierarchy in case conversion of one file fails. --follow-symlinks Follow symlinks encountered while traversing a directory. --dns-ttl TTL-IN-SECONDS Specify the Time to Live (TTL) of DNS records. DNS records will be created or updated with the given TTL. The TTL is specified in seconds. Can be used with "net ads dns register" and "net ads join". The default is 3600 seconds. --witness-registration=REGISTRATION_UUID This does a direct lookup for REGISTRATION_UUID instead of doing a database traversal. --witness-net-name=REGEX This specifies the 'server name' the client registered for monitoring. --witness-share-name=REGEX This specifies the 'share name' the client registered for monitoring. Note that the share name is optional in the registration, otherwise an empty string is matched. --witness-ip-address=REGEX This specifies the ip address the client registered for monitoring. --witness-client-computer-name=REGEX This specifies the client computer name the client specified in the registration. Note it is just a string chosen by the client itself. --witness-apply-to-all This selects all registrations. --witness-new-node=NODEID By specifying a NODEID all ip addresses currently available on the given node are included in the response. By specifying '-1' as NODEID all ip addresses of the cluster are included in the response. --witness-new-ip=IPADDRESS By specifying an IPADDRESS only the specified ip address is included in the response. --witness-forced-response=JSON This allows the generation of very complex witness_notifyResponse structures. -d|--debuglevel=DEBUGLEVEL level is an integer from 0 to 10. The default value if this parameter is not specified is 1 for client applications. The higher this value, the more detail will be logged to the log files about the activities of the server. At level 0, only critical errors and serious warnings will be logged. Level 1 is a reasonable level for day-to-day running - it generates a small amount of information about operations carried out. Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic. Note that specifying this parameter here will override the log level parameter in the /etc/samba/smb.conf file. --debug-stdout This will redirect debug output to STDOUT. By default all clients are logging to STDERR. --configfile= The file specified contains the configuration details required by the client. The information in this file can be general for client and server or only provide client specific like options such as client smb encrypt. See /etc/samba/smb.conf for more information. The default configuration file name is determined at compile time. --option== Set the smb.conf(5) option "" to value "" from the command line. This overrides compiled-in defaults and options read from the configuration file. If a name or a value includes a space, wrap whole --option=name=value into quotes. -l|--log-basename=logdirectory Base directory name for log/debug files. The extension ".progname" will be appended (e.g. log.smbclient, log.smbd, etc...). The log file is never removed by the client. --leak-report Enable talloc leak reporting on exit. --leak-report-full Enable full talloc leak reporting on exit. -V|--version Prints the program version number. -R|--name-resolve=NAME-RESOLVE-ORDER This option is used to determine what naming services and in what order to resolve host names to IP addresses. The option takes a space-separated string of different name resolution options. The best is to wrap the whole --name-resolve=NAME-RESOLVE-ORDER into quotes. The options are: "lmhosts", "host", "wins" and "bcast". They cause names to be resolved as follows: o lmhosts: Lookup an IP address in the Samba lmhosts file. If the line in lmhosts has no name type attached to the NetBIOS name (see the lmhosts(5) for details) then any name type matches for lookup. o host: Do a standard host name to IP address resolution, using the system /etc/hosts, NIS, or DNS lookups. This method of name resolution is operating system dependent, for instance on IRIX or Solaris this may be controlled by the /etc/nsswitch.conf file). Note that this method is only used if the NetBIOS name type being queried is the 0x20 (server) name type, otherwise it is ignored. o wins: Query a name with the IP address listed in the wins server parameter. If no WINS server has been specified this method will be ignored. o bcast: Do a broadcast on each of the known local interfaces listed in the interfaces parameter. This is the least reliable of the name resolution methods as it depends on the target host being on a locally connected subnet. If this parameter is not set then the name resolve order defined in the /etc/samba/smb.conf file parameter (name resolve order) will be used. The default order is lmhosts, host, wins, bcast. Without this parameter or any entry in the name resolve order parameter of the /etc/samba/smb.conf file, the name resolution methods will be attempted in this order. -O|--socket-options=SOCKETOPTIONS TCP socket options to set on the client socket. See the socket options parameter in the /etc/samba/smb.conf manual page for the list of valid options. -m|--max-protocol=MAXPROTOCOL The value of the parameter (a string) is the highest protocol level that will be supported by the client. Note that specifying this parameter here will override the client max protocol parameter in the /etc/samba/smb.conf file. -n|--netbiosname=NETBIOSNAME This option allows you to override the NetBIOS name that Samba uses for itself. This is identical to setting the netbios name parameter in the /etc/samba/smb.conf file. However, a command line setting will take precedence over settings in /etc/samba/smb.conf. --netbios-scope=SCOPE This specifies a NetBIOS scope that nmblookup will use to communicate with when generating NetBIOS names. For details on the use of NetBIOS scopes, see rfc1001.txt and rfc1002.txt. NetBIOS scopes are very rarely used, only set this parameter if you are the system administrator in charge of all the NetBIOS systems you communicate with. -W|--workgroup=WORKGROUP Set the SMB domain of the username. This overrides the default domain which is the domain defined in smb.conf. If the domain specified is the same as the servers NetBIOS name, it causes the client to log on using the servers local SAM (as opposed to the Domain SAM). Note that specifying this parameter here will override the workgroup parameter in the /etc/samba/smb.conf file. -r|--realm=REALM Set the realm for the domain. Note that specifying this parameter here will override the realm parameter in the /etc/samba/smb.conf file. -U|--user=[DOMAIN\]USERNAME[%PASSWORD] Sets the SMB username or username and password. If %PASSWORD is not specified, the user will be prompted. The client will first check the USER environment variable (which is also permitted to also contain the password separated by a %), then the LOGNAME variable (which is not permitted to contain a password) and if either exists, the value is used. If these environmental variables are not found, the username found in a Kerberos Credentials cache may be used. A third option is to use a credentials file which contains the plaintext of the username and password. This option is mainly provided for scripts where the admin does not wish to pass the credentials on the command line or via environment variables. If this method is used, make certain that the permissions on the file restrict access from unwanted users. See the -A for more details. Be cautious about including passwords in scripts or passing user-supplied values onto the command line. For security it is better to let the Samba client tool ask for the password if needed, or obtain the password once with kinit. While Samba will attempt to scrub the password from the process title (as seen in ps), this is after startup and so is subject to a race. -N|--no-pass If specified, this parameter suppresses the normal password prompt from the client to the user. This is useful when accessing a service that does not require a password. Unless a password is specified on the command line or this parameter is specified, the client will request a password. If a password is specified on the command line and this option is also defined the password on the command line will be silently ignored and no password will be used. --password Specify the password on the commandline. Be cautious about including passwords in scripts or passing user-supplied values onto the command line. For security it is better to let the Samba client tool ask for the password if needed, or obtain the password once with kinit. If --password is not specified, the tool will check the PASSWD environment variable, followed by PASSWD_FD which is expected to contain an open file descriptor (FD) number. Finally it will check PASSWD_FILE (containing a file path to be opened). The file should only contain the password. Make certain that the permissions on the file restrict access from unwanted users! While Samba will attempt to scrub the password from the process title (as seen in ps), this is after startup and so is subject to a race. --pw-nt-hash The supplied password is the NT hash. -A|--authentication-file=filename This option allows you to specify a file from which to read the username and password used in the connection. The format of the file is: username = password = domain = Make certain that the permissions on the file restrict access from unwanted users! -P|--machine-pass Use stored machine account password. --simple-bind-dn=DN DN to use for a simple bind. --use-kerberos=desired|required|off This parameter determines whether Samba client tools will try to authenticate using Kerberos. For Kerberos authentication you need to use dns names instead of IP addresses when connecting to a service. Note that specifying this parameter here will override the client use kerberos parameter in the /etc/samba/smb.conf file. --use-krb5-ccache=CCACHE Specifies the credential cache location for Kerberos authentication. This will set --use-kerberos=required too. --use-winbind-ccache Try to use the credential cache by winbind. --client-protection=sign|encrypt|off Sets the connection protection the client tool should use. Note that specifying this parameter here will override the client protection parameter in the /etc/samba/smb.conf file. In case you need more fine grained control you can use: --option=clientsmbencrypt=OPTION, --option=clientipcsigning=OPTION, --option=clientsigning=OPTION. COMMANDS CHANGESECRETPW This command allows the Samba machine account password to be set from an external application to a machine account password that has already been stored in Active Directory. DO NOT USE this command unless you know exactly what you are doing. The use of this command requires that the force flag (-f) be used also. There will be NO command prompt. Whatever information is piped into stdin, either by typing at the command line or otherwise, will be stored as the literal machine password. Do NOT use this without care and attention as it will overwrite a legitimate machine password without warning. YOU HAVE BEEN WARNED. TIME The NET TIME command allows you to view the time on a remote server or synchronise the time on the local server with the time on the remote server. TIME Without any options, the NET TIME command displays the time on the remote server. The remote server must be specified with the -S option. TIME SYSTEM Displays the time on the remote server in a format ready for /bin/date. The remote server must be specified with the -S option. TIME SET Tries to set the date and time of the local server to that on the remote server using /bin/date. The remote server must be specified with the -S option. TIME ZONE Displays the timezone in hours from GMT on the remote server. The remote server must be specified with the -S option. [RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]] [dnshostname=FQDN] [createupn=UPN] [createcomputer=OU] [machinepass=PASS] [osName=string osVer=string] [options] Join a domain. If the account already exists on the server, and [TYPE] is MEMBER, the machine will attempt to join automatically. (Assuming that the machine has been created in server manager) Otherwise, a password will be prompted for, and a new account may be created. [TYPE] may be PDC, BDC or MEMBER to specify the type of server joining the domain. [FQDN] (ADS only) set the dnsHostName attribute during the join. The default format is netbiosname.dnsdomain. [UPN] (ADS only) set the principalname attribute during the join. The default format is host/netbiosname@REALM. [OU] (ADS only) Precreate the computer account in a specific OU. The OU string reads from top to bottom without RDNs, and is delimited by a '/'. Please note that '\' is used for escape by both the shell and ldap, so it may need to be doubled or quadrupled to pass through, and it is not used as a delimiter. [PASS] (ADS only) Set a specific password on the computer account being created by the join. [osName=string osVer=String] (ADS only) Set the operatingSystem and operatingSystemVersion attribute during the join. Both parameters must be specified for either to take effect. [RPC] OLDJOIN [options] Join a domain. Use the OLDJOIN option to join the domain using the old style of domain joining - you need to create a trust account in server manager first. [RPC|ADS] USER [RPC|ADS] USER List all users [RPC|ADS] USER DELETE target Delete specified user [RPC|ADS] USER INFO target List the domain groups of the specified user. [RPC|ADS] USER RENAME oldname newname Rename specified user. [RPC|ADS] USER ADD name [password] [-F user flags] [-C comment] Add specified user. [RPC|ADS] GROUP [RPC|ADS] GROUP [misc options] [targets] List user groups. [RPC|ADS] GROUP DELETE name [misc. options] Delete specified group. [RPC|ADS] GROUP ADD name [-C comment] Create specified group. [ADS] LOOKUP Lookup the closest Domain Controller in our domain and retrieve server information about it. [RAP|RPC] SHARE [RAP|RPC] SHARE [misc. options] [targets] Enumerates all exported resources (network shares) on target server. [RAP|RPC] SHARE ADD name=serverpath [-C comment] [-M maxusers] [targets] Adds a share from a server (makes the export active). Maxusers specifies the number of users that can be connected to the share simultaneously. SHARE DELETE sharename Delete specified share. [RPC|RAP] FILE [RPC|RAP] FILE List all open files on remote server. [RPC|RAP] FILE CLOSE fileid Close file with specified fileid on remote server. [RPC|RAP] FILE INFO fileid Print information on specified fileid. Currently listed are: file-id, username, locks, path, permissions. [RAP|RPC] FILE USER user List files opened by specified user. Please note that net rap file user does not work against Samba servers. SESSION RAP SESSION Without any other options, SESSION enumerates all active SMB/CIFS sessions on the target server. RAP SESSION DELETE|CLOSE CLIENT_NAME Close the specified sessions. RAP SESSION INFO CLIENT_NAME Give a list with all the open files in specified session. RAP SERVER DOMAIN List all servers in specified domain or workgroup. Defaults to local domain. RAP DOMAIN Lists all domains and workgroups visible on the current network. RAP PRINTQ RAP PRINTQ INFO QUEUE_NAME Lists the specified print queue and print jobs on the server. If the QUEUE_NAME is omitted, all queues are listed. RAP PRINTQ DELETE JOBID Delete job with specified id. RAP VALIDATE user [password] Validate whether the specified user can log in to the remote server. If the password is not specified on the commandline, it will be prompted. Note Currently NOT implemented. RAP GROUPMEMBER RAP GROUPMEMBER LIST GROUP List all members of the specified group. RAP GROUPMEMBER DELETE GROUP USER Delete member from group. RAP GROUPMEMBER ADD GROUP USER Add member to group. RAP ADMIN command Execute the specified command on the remote server. Only works with OS/2 servers. Note Currently NOT implemented. RAP SERVICE RAP SERVICE START NAME [arguments...] Start the specified service on the remote server. Not implemented yet. Note Currently NOT implemented. RAP SERVICE STOP Stop the specified service on the remote server. Note Currently NOT implemented. RAP PASSWORD USER OLDPASS NEWPASS Change password of USER from OLDPASS to NEWPASS. LOOKUP LOOKUP HOST HOSTNAME [TYPE] Lookup the IP address of the given host with the specified type (netbios suffix). The type defaults to 0x20 (workstation). LOOKUP LDAP [DOMAIN] Give IP address of LDAP server of specified DOMAIN. Defaults to local domain. LOOKUP KDC [REALM] Give IP address of KDC for the specified REALM. Defaults to local realm. LOOKUP DC [DOMAIN] Give IP's of Domain Controllers for specified DOMAIN. Defaults to local domain. LOOKUP MASTER DOMAIN Give IP of master browser for specified DOMAIN or workgroup. Defaults to local domain. LOOKUP NAME [NAME] Lookup username's sid and type for specified NAME LOOKUP SID [SID] Give sid's name and type for specified SID LOOKUP DSGETDCNAME [NAME] [FLAGS] [SITENAME] Give Domain Controller information for specified domain NAME CACHE Samba uses a general caching interface called 'gencache'. It can be controlled using 'NET CACHE'. All the timeout parameters support the suffixes: s - Seconds m - Minutes h - Hours d - Days w - Weeks CACHE ADD key data time-out Add specified key+data to the cache with the given timeout. CACHE DEL key Delete key from the cache. CACHE SET key data time-out Update data of existing cache entry. CACHE SEARCH PATTERN Search for the specified pattern in the cache data. CACHE LIST List all current items in the cache. CACHE FLUSH Remove all the current items from the cache. GETLOCALSID [DOMAIN] Prints the SID of the specified domain, or if the parameter is omitted, the SID of the local server. SETLOCALSID S-1-5-21-x-y-z Sets SID for the local server to the specified SID. GETDOMAINSID Prints the local machine SID and the SID of the current domain. SETDOMAINSID Sets the SID of the current domain. GROUPMAP Manage the mappings between Windows group SIDs and UNIX groups. Common options include: o unixgroup - Name of the UNIX group o ntgroup - Name of the Windows NT group (must be resolvable to a SID o rid - Unsigned 32-bit integer o sid - Full SID in the form of "S-1-..." o type - Type of the group; either 'domain', 'local', or 'builtin' o comment - Freeform text description of the group GROUPMAP ADD Add a new group mapping entry: net groupmap add {rid=int|sid=string} unixgroup=string \ [type={domain|local}] [ntgroup=string] [comment=string] GROUPMAP DELETE Delete a group mapping entry. If more than one group name matches, the first entry found is deleted. net groupmap delete {ntgroup=string|sid=SID} GROUPMAP MODIFY Update an existing group entry. net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] \ [comment=string] [type={domain|local}] GROUPMAP LIST List existing group mapping entries. net groupmap list [verbose] [ntgroup=string] [sid=SID] MAXRID Prints out the highest RID currently in use on the local server (by the active 'passdb backend'). RPC INFO Print information about the domain of the remote server, such as domain name, domain sid and number of users and groups. [RPC|ADS] TESTJOIN Check whether participation in a domain is still valid. [RPC|ADS] CHANGETRUSTPW Force change of domain trust password. RPC TRUSTDOM RPC TRUSTDOM ADD DOMAIN Add a interdomain trust account for DOMAIN. This is in fact a Samba account named DOMAIN$ with the account flag 'I' (interdomain trust account). This is required for incoming trusts to work. It makes Samba be a trusted domain of the foreign (trusting) domain. Users of the Samba domain will be made available in the foreign domain. If the command is used against localhost it has the same effect as smbpasswd -a -i DOMAIN. Please note that both commands expect a appropriate UNIX account. RPC TRUSTDOM DEL DOMAIN Remove interdomain trust account for DOMAIN. If it is used against localhost it has the same effect as smbpasswd -x DOMAIN$. RPC TRUSTDOM ESTABLISH DOMAIN Establish a trust relationship to a trusted domain. Interdomain account must already be created on the remote PDC. This is required for outgoing trusts to work. It makes Samba be a trusting domain of a foreign (trusted) domain. Users of the foreign domain will be made available in our domain. You'll need winbind and a working idmap config to make them appear in your system. RPC TRUSTDOM REVOKE DOMAIN Abandon relationship to trusted domain RPC TRUSTDOM LIST List all interdomain trust relationships. RPC TRUST RPC TRUST CREATE Create a trust object by calling lsaCreateTrustedDomainEx2. The can be done on a single server or on two servers at once with the possibility to use a random trust password. Options: otherserver Domain controller of the second domain otheruser Admin user in the second domain otherdomainsid SID of the second domain other_netbios_domain NetBIOS (short) name of the second domain otherdomain DNS (full) name of the second domain trustpw Trust password Examples: Create a trust object on srv1.dom1.dom for the domain dom2 net rpc trust create \ otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \ other_netbios_domain=dom2 \ otherdomain=dom2.dom \ trustpw=12345678 \ -S srv1.dom1.dom Create a trust relationship between dom1 and dom2 net rpc trust create \ otherserver=srv2.dom2.test \ otheruser=dom2adm \ -S srv1.dom1.dom RPC TRUST DELETE Delete a trust object by calling lsaDeleteTrustedDomain. The can be done on a single server or on two servers at once. Options: otherserver Domain controller of the second domain otheruser Admin user in the second domain otherdomainsid SID of the second domain Examples: Delete a trust object on srv1.dom1.dom for the domain dom2 net rpc trust delete \ otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \ -S srv1.dom1.dom Delete a trust relationship between dom1 and dom2 net rpc trust delete \ otherserver=srv2.dom2.test \ otheruser=dom2adm \ -S srv1.dom1.dom RPC RIGHTS This subcommand is used to view and manage Samba's rights assignments (also referred to as privileges). There are three options currently available: list, grant, and revoke. More details on Samba's privilege model and its use can be found in the Samba-HOWTO-Collection. RPC ABORTSHUTDOWN Abort the shutdown of a remote server. RPC SHUTDOWN [-t timeout] [-r] [-f] [-C message] Shut down the remote server. -r Reboot after shutdown. -f Force shutting down all applications. -t timeout Timeout before system will be shut down. An interactive user of the system can use this time to cancel the shutdown. -C message Display the specified message on the screen to announce the shutdown. RPC SAMDUMP Print out sam database of remote server. You need to run this against the PDC, from a Samba machine joined as a BDC. RPC VAMPIRE Export users, aliases and groups from remote server to local server. You need to run this against the PDC, from a Samba machine joined as a BDC. This vampire command cannot be used against an Active Directory, only against an NT4 Domain Controller. RPC VAMPIRE KEYTAB Dump remote SAM database to local Kerberos keytab file. RPC VAMPIRE LDIF Dump remote SAM database to local LDIF file or standard output. RPC GETSID Fetch domain SID and store it in the local secrets.tdb. ADS GPO ADS GPO APPLY Apply GPOs for a username or machine name. Either username or machine name should be provided to the command, not both. ADS GPO GETGPO [GPO] List specified GPO. ADS GPO LINKADD [LINKDN] [GPODN] Link a container to a GPO. LINKDN Container to link to a GPO. GPODN GPO to link container to. DNs must be provided properly escaped. See RFC 4514 for details. ADS GPO LINKGET [CONTAINER] Lists gPLink of a container. ADS GPO LIST Lists all GPOs for a username or machine name. Either username or machine name should be provided to the command, not both. ADS GPO LISTALL Lists all GPOs on a DC. ADS GPO REFRESH [USERNAME] [MACHINENAME] Lists all GPOs assigned to an account and download them. USERNAME User to refresh GPOs for. MACHINENAME Machine to refresh GPOs for. ADS DNS ADS DNS REGISTER [HOSTNAME [IP [IP.....]]] Add host dns entry to Active Directory. ADS DNS UNREGISTER Remove host dns entry from Active Directory. ADS LEAVE [--keep-account] Make the remote host leave the domain it is part of. ADS STATUS Print out status of machine account of the local machine in ADS. Prints out quite some debug info. Aimed at developers, regular users should use NET ADS TESTJOIN. ADS PRINTER ADS PRINTER INFO [PRINTER] [SERVER] Lookup info for PRINTER on SERVER. The printer name defaults to "*", the server name defaults to the local host. ADS PRINTER PUBLISH PRINTER Publish specified printer using ADS. ADS PRINTER REMOVE PRINTER Remove specified printer from ADS directory. ADS SEARCH EXPRESSION ATTRIBUTES... Perform a raw LDAP search on a ADS server and dump the results. The expression is a standard LDAP search expression, and the attributes are a list of LDAP fields to show in the results. Example: net ads search '(objectCategory=group)' sAMAccountName ADS DN DN (attributes) Perform a raw LDAP search on a ADS server and dump the results. The DN standard LDAP DN, and the attributes are a list of LDAP fields to show in the result. Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' SAMAccountName ADS KEYTAB CREATE Creates a new keytab file if one doesn't exist with default entries. Default entries are kerberos principals created from the machinename of the client, the UPN (if it exists) and any Windows SPN(s) associated with the computer AD account for the client. If a keytab file already exists then only missing kerberos principals from the default entries are added. No changes are made to the computer AD account. (Removed!) ADS KEYTAB ADD (principal | machine | serviceclass | windows SPN This command is no longer available in Samba 4.21.0 and newer. See sync machine password to keytab for replacement. To replace e.g. call of net ads keytab add wurst/brot@REALM Add to smb.conf: sync machine password to keytab = /path/to/keytab1:spns=wurst/brot@REALM:machine_password and run: net ads keytab create Original description of this command: Adds a new keytab entry, the entry can be either; kerberos principal A kerberos principal (identified by the presence of '@') is just added to the keytab file. machinename A machinename (identified by the trailing '$') is used to create a a kerberos principal 'machinename@realm' which is added to the keytab file. serviceclass A serviceclass (such as 'cifs', 'html' etc.) is used to create a pair of kerberos principals 'serviceclass/fully_qualified_dns_name@realm' & 'serviceclass/netbios_name@realm' which are added to the keytab file. Windows SPN A Windows SPN is of the format 'serviceclass/host:port', it is used to create a kerberos principal 'serviceclass/host@realm' which will be written to the keytab file. Unlike old versions no computer AD objects are modified by this command. To preserve the behaviour of older clients 'net ads keytab ad_update_ads' is available. (Removed!) ADS KEYTAB DELETE (principal | machine | serviceclass | windows SPN This command is no longer available in Samba 4.21.0 and newer. See sync machine password to keytab for replacement. To replace e.g. call of net ads keytab delete wurst/brot@REALM Delete from sync machine password to keytab principal "wurst/brot@REALM" and run: net ads keytab create (Removed!) ADS KEYTAB ADD_UPDATE_ADS (principal | machine | serviceclass | windows SPN This command is no longer available in Samba 4.21.0 and newer. See sync machine password to keytab for replacement. To replace e.g. call of net ads keytab add_update_ads wurst/brot@REALM Add to smb.conf: sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password and run: net ads setspn add wurst/brot@REALM net ads keytab create Original description of this command: Adds a new keytab entry (see section for net ads keytab add). In addition to adding entries to the keytab file corresponding Windows SPNs are created from the entry passed to this command. These SPN(s) added to the AD computer account object associated with the client machine running this command for the following entry types; serviceclass A serviceclass (such as 'cifs', 'html' etc.) is used to create a pair of Windows SPN(s) 'param/full_qualified_dns' & 'param/netbios_name' which are added to the AD computer account object for this client. Windows SPN A Windows SPN is of the format 'serviceclass/host:port', it is added as passed to the AD computer account object for this client. ADS setspn SETSPN LIST [machine] Lists the Windows SPNs stored in the 'machine' Windows AD Computer object. If 'machine' is not specified then computer account for this client is used instead. ADS setspn SETSPN ADD SPN [machine] Adds the specified Windows SPN to the 'machine' Windows AD Computer object. If 'machine' is not specified then computer account for this client is used instead. ADS setspn SETSPN DELETE SPN [machine] DELETE the specified Window SPN from the 'machine' Windows AD Computer object. If 'machine' is not specified then computer account for this client is used instead. ADS WORKGROUP Print out workgroup name for specified kerberos realm. ADS ENCTYPES List, modify or delete the value of the "msDS-SupportedEncryptionTypes" attribute of an account in AD. This attribute allows one to control which Kerberos encryption types are used for the generation of initial and service tickets. The value consists of an integer bitmask with the following values: 0x00000001 DES-CBC-CRC 0x00000002 DES-CBC-MD5 0x00000004 RC4-HMAC 0x00000008 AES128-CTS-HMAC-SHA1-96 0x00000010 AES256-CTS-HMAC-SHA1-96 ADS ENCTYPES LIST List the value of the "msDS-SupportedEncryptionTypes" attribute of a given account. Example: net ads enctypes list Computername ADS ENCTYPES SET [enctypes] Set the value of the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME to a given value. If the value is omitted, the value is set to 31 which enables all the currently supported encryption types. Example: net ads enctypes set Computername 24 ADS ENCTYPES DELETE Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME. Example: net ads enctypes set Computername 24 SAM CREATEBUILTINGROUP (Re)Create a BUILTIN group. Only a wellknown set of BUILTIN groups can be created with this command. This is the list of currently recognized group names: Administrators, Users, Guests, Power Users, Account Operators, Server Operators, Print Operators, Backup Operators, Replicator, RAS Servers, Pre-Windows 2000 compatible Access. This command requires a running Winbindd with idmap allocation properly configured. The group gid will be allocated out of the winbindd range. SAM CREATELOCALGROUP Create a LOCAL group (also known as Alias). This command requires a running Winbindd with idmap allocation properly configured. The group gid will be allocated out of the winbindd range. SAM DELETELOCALGROUP Delete an existing LOCAL group (also known as Alias). SAM MAPUNIXGROUP Map an existing Unix group and make it a Domain Group, the domain group will have the same name. SAM UNMAPUNIXGROUP Remove an existing group mapping entry. SAM ADDMEM Add a member to a Local group. The group can be specified only by name, the member can be specified by name or SID. SAM DELMEM Remove a member from a Local group. The group and the member must be specified by name. SAM LISTMEM List Local group members. The group must be specified by name. SAM LIST [verbose] List the specified set of accounts by name. If verbose is specified, the rid and description is also provided for each account. SAM RIGHTS LIST List all available privileges. SAM RIGHTS GRANT Grant one or more privileges to a user. SAM RIGHTS REVOKE Revoke one or more privileges from a user. SAM SHOW Show the full DOMAIN\\NAME the SID and the type for the corresponding account. SAM SET HOMEDIR Set the home directory for a user account. SAM SET PROFILEPATH Set the profile path for a user account. SAM SET COMMENT Set the comment for a user or group account. SAM SET FULLNAME Set the full name for a user account. SAM SET LOGONSCRIPT