SAMBA-TOOL(8) System Administration tools SAMBA-TOOL(8)

samba-tool - Main Samba administration tool.

samba-tool[-h][-W myworkgroup][-U user][-d debuglevel][--v]

This tool is part of the samba(7) suite.

Samba-tool consists of many sub-commands, each of which have their own set of options. The options listed in this section are common across several sub-commands.

-h|--help

Show a help message and exit.

-r|--realm=REALM

Set the realm for the domain.

Note that specifying this parameter here will override the realm parameter in the /etc/samba/smb.conf file.

--simple-bind-dn=DN

DN to use for a simple bind.

--password

Specify the password on the commandline.

Be cautious about including passwords in scripts or passing user-supplied values onto the command line. For security it is better to let the Samba client tool ask for the password if needed, or obtain the password once with kinit.

If --password is not specified, the tool will check the PASSWD environment variable, followed by PASSWD_FD which is expected to contain an open file descriptor (FD) number.

Finally it will check PASSWD_FILE (containing a file path to be opened). The file should only contain the password. Make certain that the permissions on the file restrict access from unwanted users!

While Samba will attempt to scrub the password from the process title (as seen in ps), this is after startup and so is subject to a race.

-U|--user=[DOMAIN\]USERNAME[%PASSWORD]

Sets the SMB username or username and password.

If %PASSWORD is not specified, the user will be prompted. The client will first check the USER environment variable (which is also permitted to also contain the password separated by a %), then the LOGNAME variable (which is not permitted to contain a password) and if either exists, the value is used. If these environmental variables are not found, the username found in a Kerberos Credentials cache may be used.

A third option is to use a credentials file which contains the plaintext of the username and password. This option is mainly provided for scripts where the admin does not wish to pass the credentials on the command line or via environment variables. If this method is used, make certain that the permissions on the file restrict access from unwanted users. See the -A for more details.

Be cautious about including passwords in scripts or passing user-supplied values onto the command line. For security it is better to let the Samba client tool ask for the password if needed, or obtain the password once with kinit.

While Samba will attempt to scrub the password from the process title (as seen in ps), this is after startup and so is subject to a race.

-W|--workgroup=WORKGROUP

Set the SMB domain of the username. This overrides the default domain which is the domain defined in smb.conf. If the domain specified is the same as the servers NetBIOS name, it causes the client to log on using the servers local SAM (as opposed to the Domain SAM).

Note that specifying this parameter here will override the workgroup parameter in the /etc/samba/smb.conf file.

-N|--no-pass

If specified, this parameter suppresses the normal password prompt from the client to the user. This is useful when accessing a service that does not require a password.

Unless a password is specified on the command line or this parameter is specified, the client will request a password.

If a password is specified on the command line and this option is also defined the password on the command line will be silently ignored and no password will be used.

--use-kerberos=desired|required|off

This parameter determines whether Samba client tools will try to authenticate using Kerberos. For Kerberos authentication you should use DNS names instead of IP addresses when connecting to a service. By default Samba client tools will try to use the default Kerberos credential cache (ccache). In case the ccache does not exist or -U|--user option was specified, clients will ask to enter a password and will obtain a Kerberos ticket (kinit) for you. If you want to use an alternative Kerberos credentical cache, use the --use-krb5-ccache option.

Note that specifying this parameter here will override the client use kerberos parameter in the /etc/samba/smb.conf file.

--use-krb5-ccache=CCACHE

Specifies the credential cache location for Kerberos authentication.

This will enforce --use-kerberos=required.

-A|--authentication-file=filename

This option allows you to specify a file from which to read the username and password used in the connection. The format of the file is: 
username = <value>
password = <value>
domain   = <value>

Make certain that the permissions on the file restrict access from unwanted users!

-H URL, --URL=URL

LDB URL for database or target server.

The URL can either be a plain file path, or use one of the schemes listed here. If a plain path is used, it is treated as if 'tdb://' was used.

tdb://PATH

PATH is the location of a TDB database.

mdb://PATH

PATH is the location of an LMDB database.

ldb://PATH

PATH is the location of an LDB database, in either LMDB or TDB format. The formats will be tried one after another until one succeeds or all fail. It is safe to use this if you don't know the format of the file.

ldap://HOSTNAME, ldaps://HOSTNAME

The LDB backend is the named ldap server. ldaps:// wraps the connection in TLS.

ldapi://SOCKET

The backend server is a local ldap server using a unix domain socket.

--color=always|never|auto

use colour if available (default: auto)

--ipaddress=IPADDRESS

IP address of the server

-s FILE, --configfile=FILE

Use this smb.conf configuration file.

--color=always|never|auto

Indicate whether samba-tool should use ANSI colour codes in its output. If 'auto' (the default), samba-tool will use colour when its output is directed toward a terminal, unless the NO_COLOR environment variable is set and non-empty.

The values 'yes' and 'force' are accepted as synonyms for 'always'; 'no' and 'none' for 'never'; and 'tty' and 'if-tty' for 'auto'.

Note that asking for colour doesn't mean samba-tool will necessarily be very colourful. Many commands are very monochrome, particularly when successful.

-V, --version

Display the version number and exit.

-d|--debuglevel=level

level is an integer from 0 to 10. The default value if this parameter is not specified is 1 for client applications.

The higher this value, the more detail will be logged to the log files about the activities of the server. At level 0, only critical errors and serious warnings will be logged. Level 1 is a reasonable level for day-to-day running - it generates a small amount of information about operations carried out.

Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.

Note that specifying this parameter here will override the log level parameter in the /etc/samba/smb.conf file.

--debug-stdout

This will redirect debug output to STDOUT. By default all clients are logging to STDERR.

Manage computer accounts.

Add a new computer to the Active Directory Domain.

The new computer name specified on the command is the sAMAccountName, with or without the trailing dollar sign.

--computerou=COMPUTEROU

DN of alternative location (with or without domainDN counterpart) to default CN=Computers in which new computer object will be created. E.g. 'OU=OUname'.

--description=DESCRIPTION

The new computer's description.

--ip-address=IP_ADDRESS_LIST

IPv4 address for the computer's A record, or IPv6 address for AAAA record, can be provided multiple times.

--service-principal-name=SERVICE_PRINCIPAL_NAME_LIST

Computer's Service Principal Name, can be provided multiple times.

--prepare-oldjoin

Prepare enabled machine account for oldjoin mechanism.

Add a new computer. This is a synonym for the samba-tool computer add command and is available for compatibility reasons only. Please use samba-tool computer add instead.

Delete an existing computer account.

The computer name specified on the command is the sAMAccountName, with or without the trailing dollar sign.

Edit a computer AD object.

The computer name specified on the command is the sAMAccountName, with or without the trailing dollar sign.

--editor=EDITOR

Specifies the editor to use instead of the system default, or 'vi' if no system default is set.

List all computers.

This command moves a computer account into the specified organizational unit or container.

The computername specified on the command is the sAMAccountName, with or without the trailing dollar sign.

The name of the organizational unit or container can be specified as a full DN or without the domainDN component.

Display a computer AD object.

The computer name specified on the command is the sAMAccountName, with or without the trailing dollar sign.

--attributes=USER_ATTRS

Comma separated list of attributes, which will be printed.

Manage contacts.

Add a new contact to the Active Directory Domain.

The name of the new contact can be specified by the first argument 'contactname' or the --given-name, --initial and --surname arguments. If no 'contactname' is given, contact's name will be made up of the given arguments by combining the given-name, initials and surname. Each argument is optional. A dot ('.') will be appended to the initials automatically.

--ou=OU

DN of alternative location (with or without domainDN counterpart) in which the new contact will be created. E.g. 'OU=OUname'. Default is the domain base.

--description=DESCRIPTION

The new contact's description.

--surname=SURNAME

Contact's surname.

--given-name=GIVEN_NAME

Contact's given name.

--initials=INITIALS

Contact's initials.

--display-name=DISPLAY_NAME

Contact's display name.

--job-title=JOB_TITLE

Contact's job title.

--department=DEPARTMENT

Contact's department.

--company=COMPANY

Contact's company.

--mail-address=MAIL_ADDRESS

Contact's email address.

--internet-address=INTERNET_ADDRESS

Contact's home page.

--telephone-number=TELEPHONE_NUMBER

Contact's phone number.

--mobile-number=MOBILE_NUMBER

Contact's mobile phone number.

--physical-delivery-office=PHYSICAL_DELIVERY_OFFICE

Contact's office location.

Add a new contact. This is a synonym for the samba-tool contact add command and is available for compatibility reasons only. Please use samba-tool contact add instead.

Delete an existing contact.

The contactname specified on the command is the common name or the distinguished name of the contact object. The distinguished name of the contact can be specified with or without the domainDN component.

Modify a contact AD object.

The contactname specified on the command is the common name or the distinguished name of the contact object. The distinguished name of the contact can be specified with or without the domainDN component.

--editor=EDITOR

Specifies the editor to use instead of the system default, or 'vi' if no system default is set.

List all contacts.

--full-dn

Display contact's full DN instead of the name.

This command moves a contact into the specified organizational unit or container.

The contactname specified on the command is the common name or the distinguished name of the contact object. The distinguished name of the contact can be specified with or without the domainDN component.

Display a contact AD object.

The contactname specified on the command is the common name or the distinguished name of the contact object. The distinguished name of the contact can be specified with or without the domainDN component.

--attributes=CONTACT_ATTRS

Comma separated list of attributes, which will be printed.

Rename a contact and related attributes.

This command allows to set the contact's name related attributes. The contact's CN will be renamed automatically. The contact's new CN will be made up by combining the given-name, initials and surname. A dot ('.') will be appended to the initials automatically, if required. Use the --force-new-cn option to specify the new CN manually and --reset-cn to reset this change.

Use an empty attribute value to remove the specified attribute.

The contact name specified on the command is the CN.

--surname=SURNAME

New surname.

--given-name=GIVEN_NAME

New given name.

--initials=INITIALS

New initials.

--force-new-cn=NEW_CN

Specify a new CN (RDN) instead of using a combination of the given name, initials and surname.

--reset-cn

Set the CN to the default combination of given name, initials and surname.

--display-name=DISPLAY_NAME

New display name.

--mail-address=MAIL_ADDRESS

New email address.

Check the local AD database for errors.

Manage Delegations.

Add a principal to msDS-AllowedToActOnBehalfOfOtherIdentity that may delegate to an account.

Delete a principal from msDS-AllowedToActOnBehalfOfOtherIdentity so that it may no longer delegate to an account.

Add a service principal as msDS-AllowedToDelegateTo.

Delete a service principal as msDS-AllowedToDelegateTo.

Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy) for an account.

Set/unset UF_TRUSTED_FOR_DELEGATION for an account.

Show the delegation setting of an account.

Manage Domain Name Service (DNS).

Add a DNS record.

--allow-existing

Do not treat an existing record of this name and type as an error. This has no functional change (the new DNS record is not added) but the message and samba-tool return code will not indicate error.

Clean up DNS records for a host, so that DNS queries no longer return results. Usually this works by marking the records as deleted in the database.

Example: samba-tool dns cleanup dc1 computer.samdom.test.site

Delete a DNS record.

Query a name.

Query root hints.

Query server information.

Update a DNS record.

Create a zone.

Delete a zone.

Query zone information.

List zones.

Manipulate aging options. This is useful in zones using dynamic DNS.

There are options to change records from static to dynamic based on regular expressions or age, which is useful in some cases where the values got mixed up in old versions of Samba.

-n, --dry-run

Do not actually change anything, but show what would happen.

--client-version=w2k|dotnet|longhorn

Windows client protocol version. The default is longhorn, which is probably what you want.

--mark-old-records-static=YYYY-MM-DD

Mark records older than the specified date as static.

--mark-records-static-regex=REGEXP

Mark records that match the given perl-compatible regular expression as static.

--mark-records-dynamic-regex=REGEXP

Mark records that match the given perl-compatible regular expression as dynamic.

--aging=0|1

--aging=1 to enable aging for this zone.

--aging=0 to disable aging for this zone.

--norefreshinterval=HOURS

avoid further refreshes for this long after a dynamic update. Set to zero to use the default.

--refreshinterval=HOURS

Dynamic refresh interval in hours (0: use default)

Manage Domain.

Create or restore a backup of the domain.

Backup (with proper locking) local domain directories into a tar file.

Copy a running DC's current DB into a backup tar file.

Copy a running DC's DB to backup file, renaming the domain in the process.

Restore the domain's DB from a backup-file.

Manage authentication policies.

List authentication policies on the domain.

-H, --URL

LDB URL for database or target server.

--json

View authentication policies as JSON instead of a list.

View an authentication policy on the domain.

-H, --URL

LDB URL for database or target server.

--name

Name of the authentication policy to view (required).

Create authentication policies on the domain.

-H, --URL

LDB URL for database or target server.

--name

Name of the authentication policy (required).

--description

Optional description for the authentication policy.

--protect

Protect authentication policy from accidental deletion.

Cannot be used together with --unprotect.

--unprotect

Unprotect authentication policy from accidental deletion.

Cannot be used together with --protect.

--audit

Only audit authentication policy.

Cannot be used together with --enforce.

--enforce

Enforce authentication policy.

Cannot be used together with --audit.

--strong-ntlm-policy

Strong NTLM Policy (Disabled, Optional, Required).

--user-tgt-lifetime-mins

Ticket-Granting-Ticket lifetime for user accounts.

--user-allow-ntlm-auth

Allow NTLM and Interactive NETLOGON SamLogon authentication despite the fact that allowed-to-authenticate-from is in use, which would otherwise restrict the user to selected devices.

--user-allowed-to-authenticate-from

Conditions a device must meet for users covered by this policy to be allowed to authenticate. While this is a restriction on the device, any conditional ACE rules are expressed as if the device was a user.

Must be a valid SDDL string without reference to Device keywords.

Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)}))

--user-allowed-to-authenticate-to=SDDL

This policy, applying to a user account that is offering a service, eg a web server with a user account, restricts which accounts may access it.

Must be a valid SDDL string. The SDDL can reference both bare (user) and Device conditions.

SDDL Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))

--service-tgt-lifetime-mins

Ticket-Granting-Ticket lifetime for service accounts.

--service-allow-ntlm-auth

Allow NTLM network authentication when service is restricted to selected devices.

--service-allowed-to-authenticate-from

Conditions a device must meet for service accounts covered by this policy to be allowed to authenticate. While this is a restriction on the device, any conditional ACE rules are expressed as if the device was a user.

Must be a valid SDDL string without reference to Device keywords.

SDDL Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)}))

--service-allowed-to-authenticate-to=SDDL

This policy, applying to a service account (eg a Managed Service Account, Group Managed Service Account), restricts which accounts may access it.

Must be a valid SDDL string. The SDDL can reference both bare (user) and Device conditions.

SDDL Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))

--computer-tgt-lifetime-mins

Ticket-Granting-Ticket lifetime for computer accounts.

--computer-allowed-to-authenticate-to=SDDL

This policy, applying to a computer account (eg a server or workstation), restricts which accounts may access it.

Must be a valid SDDL string. The SDDL can reference both bare (user) and Device conditions.

SDDL Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))

Modify authentication policies on the domain. The same options apply as for domain auth policy create.

Delete authentication policies on the domain.

-H, --URL

LDB URL for database or target server.

--name

Name of authentication policy to delete (required).

--force

Force authentication policy delete even if it is protected.

Set the user-allowed-to-authenticate-from property by scenario.

-H, --URL

LDB URL for database or target server.

--name

Name of authentication policy.

--by-group=GROUP

User is allowed to authenticate, if the device they authenticate from is assigned and granted membership of a given GROUP.

--silo=SILO

User is allowed to authenticate, if the device they authenticate from is assigned and granted membership of a given SILO.

Set the user-allowed-to-authenticate-to property by scenario.

-H, --URL

LDB URL for database or target server.

--name

Name of authentication policy.

--group=GROUP

The user account, offering a network service, covered by this policy, will only be allowed access from other accounts that are members of the given GROUP.

--silo=SILO

The user account, offering a network service, covered by this policy, will only be allowed access from other accounts that are assigned to, granted membership of (and meet any authentication conditions of) the given SILO.

Set the service-allowed-to-authenticate-from property by scenario.

-H, --URL

LDB URL for database or target server.

--name

Name of authentication policy.

--group=GROUP

The service account (eg a Managed Service Account, Group Managed Service Account) is allowed to authenticate, if the device it authenticates from is a member of the given GROUP.

--silo=SILO

The service account (eg a Managed Service Account, Group Managed Service Account) is allowed to authenticate, if the device it authenticates from is assigned and granted membership of a given SILO.

Set the service-allowed-to-authenticate-to property by scenario.

-H, --URL

LDB URL for database or target server.

--name

Name of authentication policy.

--group=GROUP

The service account (eg a Managed Service Account, Group Managed Service Account), will only be allowed access by other accounts that are members of the given GROUP.

--silo=SILO

The service account (eg a Managed Service Account, Group Managed Service Account), will only be allowed access by other accounts that are assigned to, granted membership of (and meet any authentication conditions of) the given SILO.

Set the computer-allowed-to-authenticate-to property by scenario.

-H, --URL

LDB URL for database or target server.

--name

Name of authentication policy.

--group=GROUP

The computer account (eg a server or workstation), will only be allowed access by other accounts that are members of the given GROUP.

--silo=SILO

The computer account (eg a server or workstation), will only be allowed access by other accounts that are assigned to, granted membership of (and meet any authentication conditions of) the given SILO.

Manage authentication silos.

List authentication silos on the domain.

-H, --URL

LDB URL for database or target server.

--json

View authentication silos as JSON instead of a list.

View an authentication silo on the domain.

-H, --URL

LDB URL for database or target server.

--name

Name of the authentication silo to view (required).

Create authentication silos on the domain.

-H, --URL

LDB URL for database or target server.

--name

Name of the authentication silo (required).

--description

Optional description for the authentication silo.

--user-authentication-policy

User account authentication policy.

--service-authentication-policy

Managed service account authentication policy.

--computer-authentication-policy

Computer authentication policy.

--protect

Protect authentication silo from accidental deletion.

Cannot be used together with --unprotect.

--unprotect

Unprotect authentication silo from accidental deletion.

Cannot be used together with --protect.

--audit

Only audit silo policies.

Cannot be used together with --enforce.

--enforce

Enforce silo policies.

Cannot be used together with --audit.

Modify authentication silos on the domain.

-H, --URL

LDB URL for database or target server.

--name

Name of the authentication silo (required).

--description

Optional description for the authentication silo.

--user-authentication-policy

User account authentication policy.

--service-authentication-policy

Managed service account authentication policy.

--computer-authentication-policy

Computer authentication policy.

--protect

Protect authentication silo from accidental deletion.

Cannot be used together with --unprotect.

--unprotect

Unprotect authentication silo from accidental deletion.

Cannot be used together with --protect.

--audit

Only audit silo policies.

Cannot be used together with --enforce.

--enforce

Enforce silo policies.

Cannot be used together with --audit.

Delete authentication silos on the domain.

-H, --URL

LDB URL for database or target server.

--name

Name of authentication silo to delete (required).

--force

Force authentication silo delete even if it is protected.

Grant a member access to an authentication silo.

-H, --URL

LDB URL for database or target server.

--name

Name of authentication silo (required).

--member

Member to grant access to the silo (DN or account name).

List members in an authentication silo.

-H, --URL

LDB URL for database or target server.

--name

Name of authentication silo (required).

--json

View members as JSON instead of a list.

Revoke a member from an authentication silo.

-H, --URL

LDB URL for database or target server.

--name

Name of authentication silo (required).

--member

Member to revoke from the silo (DN or account name).

List claim types on the domain.

-H, --URL

LDB URL for database or target server.

--json

View claim types as JSON instead of a list.

View a single claim type on the domain.

-H, --URL

LDB URL for database or target server.

--name

Display name of claim type to view (required).

Create claim types on the domain.

-H, --URL

LDB URL for database or target server.

--attribute

Attribute of claim type to create (required).

--class

Object classes to set claim type to.

Example: --class=user --class=computer

--name

Optional display name or use attribute name.

--description

Optional description or use from attribute.

--enable

Enable claim type.

Cannot be used together with --disable.

--disable

Disable claim type.

Cannot be used together with --enable.

--protect

Protect claim type from accidental deletion.

Cannot be used together with --unprotect.

--unprotect

Unprotect claim type from accidental deletion.

Cannot be used together with --protect.

Modify claim types on the domain.

-H, --URL

LDB URL for database or target server.

--name

Display name of claim type to modify (required).

--class

Object classes to set claim type to.

Example: --class=user --class=computer

--description

Set the claim type description.

--enable

Enable claim type.

Cannot be used together with --disable.

--disable

Disable claim type.

Cannot be used together with --enable.

--protect

Protect claim type from accidental deletion.

Cannot be used together with --unprotect.

--unprotect

Unprotect claim type from accidental deletion.

Cannot be used together with --protect.

Delete claim types on the domain.

-H, --URL

LDB URL for database or target server.

--name

Display name of claim type to delete (required).

--force

Force claim type delete even if it is protected.

List claim value types on the domain.

-H, --URL

LDB URL for database or target server.

--json

View claim value types as JSON instead of a list.

View a single claim value type on the domain.

-H, --URL

LDB URL for database or target server.

--name

Display name of claim value type to view (required).

Upgrade from Samba classic (NT4-like) database to Samba AD DC database.

Promote an existing domain member or NT4 PDC to an AD DC.

Demote ourselves from the role of domain controller.

Dumps Kerberos keys of the domain into a keytab.

Prepare a domain for functional level upgrade. If --functional-level is not used, the latest supported version is used (currently 2016).

There are two aspects to this preparation, relating to the forest and the domain. By default both are run. If either of --forest-prep or --domain-prep are used, only the corresponding preparation is made. If both arguments are used together, all preparation is done, just as when neither is used.

-H, --URL

LDB URL for database or target server.

--functional-level [2008_R2|2012|2012_R2|2016]

The functional level to prepare for. The default is 2016.

--forest-prep

Run forest preparation only (unless --domain-prep is also used).

--domain-prep

Run domain preparation only (unless --forest-prep is also used).

Print basic info about a domain and the specified DC.

Join a domain as either member or backup domain controller.

Manage Key Distribution Service root keys.

Create KDS root keys

-H, --URL

LDB URL for database or target server.

--use-start-time=["now"|iso8601 or LDIF time string]

The key will be valid from this time.

Valid time format are the string "now", the LDIF format YYYYmmddHHMMSS.0Z, or the ISO format YYYY-mm-dd[*HH[:MM[:SS[.fff[fff]]]][+HH:MM[:SS[.ffffff]]]] where the '*' can be any character, and the optional last '[+HH:MM[:SS[.ffffff]]]' is a timezone offset (e.g. '+00:00' for UTC).

--json

Output results in JSON format.

Delete the named KDS root key. Use samba-tool domain kds root-key list to find the name of the key.

-H, --URL

LDB URL for database or target server.

--name=NAME

The name of the key to delete. It will be a GUID.

-v, --verbose

Print all attributes (except secret ones, unless --show secrets is used).

--json

Output results in JSON format.

List KDS root keys. The newest keys are listed first.

-H, --URL

LDB URL for database or target server.

--show-secrets

Print secret or potentially sensitive attributes, namely msKds-RootKeyData and msKds-SecretAgreementParam.

-v, --verbose

Print more attributes (but not secret ones, unless --show secrets is also used).

--json

Output results in JSON format.

View a KDS root key. The default output is similar to that of samba-tool domain kds root-key list --verbose, but with only one key show. The key can be selected by using --latest for the most recent key, or --name to select a key by name.

-H, --URL

LDB URL for database or target server.

--latest

View the most recent root key.

--name=NAME

The name of the key to view. It will be a GUID.

-v, --verbose

Print all attributes (except secret ones, unless --show secrets is used). This includes attributes that are only useful for LDB bookkeeping.

--json

Output results in JSON format.

Run on a domain member, this will cause it to leave the domain.

To remove a domain server from the domain, you first need samba-tool domain demote.

--keep-account

Disable the machine account instead of deleting it.

Show/raise domain and forest function levels.

Set password settings, including complexity requirements, lockout policy, history length, minimum password length, and minimum and maximum password age on a Samba AD DC server.

Use against a Windows DC is possible, but group policy will override it.

-H URL, --URL=URL

LDB URL for database or target server

-q, --quiet

Be quiet

--complexity=COMPLEXITY

The password complexity (on | off | default). Default is 'on'

--store-plaintext=STORE_PLAINTEXT

Store plaintext passwords where account have 'store passwords with reversible encryption' set (on | off | default). Default is 'off'

--history-length=HISTORY_LENGTH

The password history length (integer | default). Default is 24.

--min-pwd-length=MIN_PWD_LENGTH

The minimum password length (integer | default). Default is 7.

--min-pwd-age=MIN_PWD_AGE

The minimum password age (number of days | default). Default is 1.

--max-pwd-age=MAX_PWD_AGE

The maximum password age (number of days | default). Default is 43.

--account-lockout-duration=ACCOUNT_LOCKOUT_DURATION

The length of time an account is locked out after exceeding the limit on bad password attempts (number of minutes | default). Default is 30 mins.

--account-lockout-threshold=ACCOUNT_LOCKOUT_THRESHOLD

The number of bad password attempts allowed before locking out the account (integer | default). Default is 0 (never lock out).

--reset-account-lockout-after=RESET_ACCOUNT_LOCKOUT_AFTER

After this time is elapsed, the recorded number of attempts restarts from zero (integer | default). Default is 30.

Display current password settings for the domain.

-H URL, --URL=URL

LDB URL for database or target server

Manage fine-grained Password Settings Objects (PSOs).

Applies a PSO's password policy to a user or group.

Creates a new Password Settings Object (PSO).

Deletes a Password Settings Object (PSO).

Lists all Password Settings Objects (PSOs).

Modifies a Password Settings Object (PSO).

Displays a Password Settings Object (PSO).

Displays the Password Settings that apply to a user.

Updates a PSO to no longer apply to a user or group.

Promote an existing domain member or NT4 PDC to an AD DC.

Upgrade the schema.

-H, --URL

LDB URL for database or target server.

--schema [2012|2012_R2|2016|2019]

Upgrade to this Windows schema level. The default is 2019.

--ldf-file

Apply the schema changes in this LDIF file, rather than updating to a standard schema level.

--base-dir

Specify an alternate location to find schema LDIF files.

-H URL, --URL=URL

LDB URL for database or target server

--current-time=YYYY-MM-DD

The current time to evaluate the tombstone lifetime from, expressed as YYYY-MM-DD

--tombstone-lifetime=DAYS

Number of days a tombstone should be preserved for

Domain and forest trust management.

Create a domain or forest trust.

Modify a domain or forest trust.

Delete a domain trust.

List domain trusts.

Manage forest trust namespaces.

Show trusted domain details.

Validate a domain trust.

Manage Directory Replication Services (DRS).

Show DRS capabilities of a server.


--targetdir=DIR [options]"

Replicate an initial clone of domain, but DO NOT JOIN it.

--server=DC

Clone this DC.

--targetdir=TARGETDIR

where to store provision (required).

-q, --quiet

Be quiet.

--include-secrets

Also replicate secret values.

--backend-store=BACKENDSTORE

Specify the database backend to be used (default is tdb).

--backend-store-size=SIZE

Specify the size of the backend database, currentlyonly supported by lmdb backends (default is 8 GB).

Show uptodateness status.

-H URL, --URL=URL

LDB URL for database or target server

-p PARTITION, --partition=PARTITION

restrict to this partition

--json

Print data in json format

--maximum

Print maximum out-of-date-ness only

--median

Print median out-of-date-ness only

--full

Print full out-of-date-ness data

Trigger knowledge consistency center run.

Query or change options for NTDS Settings object of a domain controller.

Replicate a naming context between two DCs.

Show replication status. The [--json] option results in JSON output, and with the [--summary] option produces very little output when the replication status seems healthy.

Administer DS ACLs

Delete an access list entry on a directory object.

Print access list on a directory object.

Modify access list on a directory object.

Manage Forest configuration.

Manage directory_service behaviour for the forest.

Modify dsheuristics directory_service configuration for the forest.

Show current directory_service configuration for the forest.

Manage Flexible Single Master Operations (FSMO).

Seize the role.

Show the roles.

Transfer the role.

Manage Group Policy Objects (GPO).

Create an empty GPO.

Check all GPOs have matching LDAP and DS ACLs.

-H URL, --URL=URL

LDB URL for database or target server

Loads samba admx files to sysvol

-H URL, --URL=URL

LDB URL for database or target server

--admx-dir=ADMX_DIR

Directory where admx templates are stored

Backup a GPO.

-H H

LDB URL for database or target server

--tmpdir=TMPDIR

Temporary directory for copying policy files

--generalize

Generalize XML entities to restore

--entities=ENT_FILE

File to export defining XML entities for the restore

Create an empty GPO.

List the registered Client Side Extensions (CSEs) on the current host.

Register a Client Side Extension (CSE) on the current host.

This command takes a CSE filename as an argument, and registers it for applying policy on the current host. This is not necessary for CSEs which are distributed with the current version of Samba, but is useful for installing experimental CSEs or custom built CSEs.

The cse_file argument MUST be a permanent location for the CSE. The register command does not copy the file to some other directory. The samba-gpupdate command will execute the CSE from the exact location specified from this command.

--machine

Whether to register the CSE as Machine policy

--user

Whether to register the CSE as User policy

Unregister a Client Side Extension (CSE) from the current host.

This command takes a unique GUID as an argument (representing a registered CSE), and unregisters it for applying policy on the current host. Use the `samba-tool gpo cse list` command to determine the unique GUIDs of CSEs.

Delete GPO.

Delete GPO link from a container.

Download a GPO.

Get inheritance flag for a container.

List GPO Links for a container.

List GPOs for an account.

List all GPOs.

List all linked containers for a GPO.

Load policies onto a GPO.

Reads json from standard input until EOF, unless a json formatted file is provided via --content.

Example json_input:

[
    {
        "keyname": "Software\Policies\Mozilla\Firefox\Homepage",
        "valuename": "StartPage",
        "class": "USER",
        "type": "REG_SZ",
        "data": "homepage"
    },
    {
        "keyname": "Software\Policies\Mozilla\Firefox\Homepage",
        "valuename": "URL",
        "class": "USER",
        "type": "REG_SZ",
        "data": "google.com"
    },
    {
        "keyname": "Software\Microsoft\Internet Explorer\Toolbar",
        "valuename": "IEToolbar",
        "class": "USER",
        "type": "REG_BINARY",
        "data": [0]
    },
    {
        "keyname": "Software\Policies\Microsoft\InputPersonalization",
        "valuename": "RestrictImplicitTextCollection",
        "class": "USER",
        "type": "REG_DWORD",
        "data": 1
    }
    ]

Valid class attributes: MACHINE|USER|BOTH Data arrays are interpreted as bytes.

The --machine-ext-name and --user-ext-name options are multi-value inputs which respectively set the gPCMachineExtensionNames and gPCUserExtensionNames ldap attributes on the GPO. These attributes must be set to the correct GUID names for Windows Group Policy to work correctly. These GUIDs represent the client side extensions to apply on the machine. Linux Group Policy does not enforce this constraint. {35378EAC-683F-11D2-A89A-00C04FBBCFA2} is provided by default, which enables most Registry policies.

-H H

LDB URL for database or target server

--content=CONTENT

JSON file of policy inputs

--machine-ext-name=MACHINE_EXTS

A machine extension name to add to gPCMachineExtensionNames

--user-ext-name=USER_EXTS

A user extension name to add to gPCUserExtensionNames

--replace

Replace the existing Group Policies, rather than merging

List Samba Security Group Policy from the sysvol.

This command lists security settings from the sysvol that will be applied to winbind clients. These settings only apply to the AD DC.

Example:

samba-tool gpo manage security list {31B2F340-016D-11D2-945F-00C04FB984F9}

-H URL, --URL=URL

LDB URL for database or target server

Set Samba Security Group Policy to the sysvol.

This command sets a security setting to the sysvol for applying to winbind clients. Not providing a value will unset the policy. These settings only apply to the AD DC.

Example:

samba-tool gpo manage security set {31B2F340-016D-11D2-945F-00C04FB984F9} MaxTicketAge 10

Possible policies:

MaxTicketAge

Maximum lifetime for user ticket (hours).

MaxServiceAge

Maximum lifetime for service ticket in minutes. Defined in minutes

MaxRenewAge

Maximum lifetime for user ticket renewal, in minutes.

MinimumPasswordAge

Minimum password age, in days.

MaximumPasswordAge

Maximum password age, in days.

MinimumPasswordLength

Minimum password length, in characters.

PasswordComplexity

Password must meet complexity requirements. 1 is Enabled, 0 is Disabled.

-H URL, --URL=URL

LDB URL for database or target server

List Samba Security Group Policy from the sysvol.

This command lists security settings from the sysvol that will be applied to winbind clients. These settings only apply to the AD DC.

Example:

samba-tool gpo manage security list {31B2F340-016D-11D2-945F-00C04FB984F9}

-H URL, --URL=URL

LDB URL for database or target server

List smb.conf settings from the sysvol that will be applied to winbind clients.

Example:

samba-tool gpo manage smb_conf list {31B2F340-016D-11D2-945F-00C04FB984F9}

-H URL, --URL=URL

LDB URL for database or target server

Set or unset an smb.conf setting to the sysvol for applying to winbind clients.

If a value is provided, that is the smb.conf value used; if no value is provided, the policy is removed.

Example:

samba-tool gpo manage smb_conf set {31B2F340-016D-11D2-945F-00C04FB984F9} 'apply gpo policies' yes

-H URL, --URL=URL

LDB URL for database or target server

Set inheritance flag on a container.

Add or Update a GPO link to a container.

Show information for a GPO.

Remove policies from a GPO.

Reads json from standard input until EOF, unless a json formatted file is provided via --content.

Example json_input:
[
    {
        "keyname": "Software\Policies\Mozilla\Firefox\Homepage",
        "valuename": "StartPage",
        "class": "USER",
    },
    {
        "keyname": "Software\Policies\Mozilla\Firefox\Homepage",
        "valuename": "URL",
        "class": "USER",
    },
    {
        "keyname": "Software\Microsoft\Internet Explorer\Toolbar",
        "valuename": "IEToolbar",
        "class": "USER"
    },
    {
        "keyname": "Software\Policies\Microsoft\InputPersonalization",
        "valuename": "RestrictImplicitTextCollection",
        "class": "USER"
    }
]

Valid class attributes: MACHINE|USER|BOTH

-H H

LDB URL for database or target server

--content=CONTENT

JSON file of policy inputs

--machine-ext-name=MACHINE_EXTS

A machine extension name to remove from gPCMachineExtensionNames

--user-ext-name=USER_EXTS

A user extension name to remove from gPCUserExtensionNames

--color=always|never|auto

use colour if available (default: auto)

Restore a GPO to a new container.

-H H

LDB URL for database or target server

--tmpdir=TMPDIR

Temporary directory for copying policy files

--entities=ENTITIES

File defining XML entities to insert into DOCTYPE header

--restore-metadata

Keep the old GPT.INI file and associated version number

Show information for a GPO.

List VGP Symbolic Link Group Policy from the sysvol

Adds a VGP Symbolic Link Group Policy to the sysvol

Removes a VGP Symbolic Link Group Policy from the sysvol

List VGP Files Group Policy from the sysvol

Add VGP Files Group Policy to the sysvol

Remove VGP Files Group Policy from the sysvol

List VGP OpenSSH Group Policy from the sysvol

Sets a VGP OpenSSH Group Policy to the sysvol

Adds a Samba Sudoers Group Policy to the sysvol.

List Samba Sudoers Group Policy from the sysvol.

Removes a Samba Sudoers Group Policy from the sysvol.

List VGP Startup Script Group Policy from the sysvol

Adds VGP Startup Script Group Policy to the sysvol

Removes VGP Startup Script Group Policy from the sysvol

List VGP MOTD Group Policy from the sysvol.

Sets a VGP MOTD Group Policy to the sysvol

List VGP Issue Group Policy from the sysvol.

Sets a VGP Issue Group Policy to the sysvol

Adds a VGP Host Access Group Policy to the sysvol

List VGP Host Access Group Policy from the sysvol

Remove a VGP Host Access Group Policy from the sysvol

Manage groups.

Create a new AD group.

Add a new AD group. This is a synonym for the samba-tool group add command and is available for compatibility reasons only. Please use samba-tool group add instead.

Add members to an AD group.

Add RFC2307 Unix attributes to a group account in the Active Directory domain. The groupname specified on the command is the sAMaccountName.

Unix (RFC2307) attributes will be added to the group account.

Add 'idmap_ldb:use rfc2307 = Yes' to smb.conf to use these attributes for UID/GID mapping.

The command may be run from the root userid or another authorized userid. The -H or --URL= option can be used to execute the command against a remote server.

Example1:

samba-tool group addunixattrs Group1 10000

Example1 shows how to add RFC2307 attributes to a domain enabled group account.

The groups Unix ID will be set to '10000', provided this ID isn't already in use.

-H URL, --URL=URL

LDB URL for database or target server

Delete an AD group.

Edit a group AD object.

--editor=EDITOR

Specifies the editor to use instead of the system default, or 'vi' if no system default is set.

List all groups.

List all members of the specified AD group.

By default the sAMAccountNames are listed. If no sAMAccountName is available, the CN will be used instead.

--full-dn

List the distinguished names instead of the sAMAccountNames.

--hide-expired

Do not list expired group members.

--hide-disabled

Do not list disabled group members.

This command moves a group into the specified organizational unit or container.

The groupname specified on the command is the sAMAccountName.

The name of the organizational unit or container can be specified as a full DN or without the domainDN component.

Remove members from the specified AD group.

Show group object and it's attributes.

Show statistics for overall groups and group memberships.

Rename a group and related attributes.

This command allows to set the group's name related attributes. The group's CN will be renamed automatically. The group's CN will be the sAMAccountName. Use the --force-new-cn option to specify the new CN manually and the --reset-cn to reset this change.

Use an empty attribute value to remove the specified attribute.

The groupname specified on the command is the sAMAccountName.

--force-new-cn=NEW_CN

Specify a new CN (RDN) instead of using the sAMAccountName.

--reset-cn

Set the CN to the sAMAccountName.

--mail-address=MAIL_ADDRESS

New mail address

--samaccountname=SAMACCOUNTNAME

New account name (sAMAccountName/logon name)

Compare two LDAP databases.

Manage NT ACLs.

Change the domain SID for ACLs. Can be used to change all entries in acl_xattr when the machine's SID has accidentally changed or the data set has been copied to another machine either via backup/restore or rsync.

--use-ntvfs

Set the ACLs directly to the TDB or xattr. The POSIX permissions will NOT be changed, only the NT ACL will be stored.

--service=SERVICE

Specify the name of the smb.conf service to use. This option is required in combination with the --use-s3fs option.

--use-s3fs

Set the ACLs for use with the default s3fs file server via the VFS layer. This option requires a smb.conf service, specified by the --service=SERVICE option.

--xattr-backend=[native|tdb]

Specify the xattr backend type (native fs or tdb).

--eadb-file=EADB_FILE

Name of the tdb file where attributes are stored.

--recursive

Set the ACLs for directories and their contents recursively.

--follow-symlinks

Follow symlinks when --recursive is specified.

--verbose

Verbosely list files and ACLs which are being processed.

Get DOS info of a file from xattr.

Get ACLs on a file.

Set ACLs on a file.

Check sysvol ACLs match defaults (including correct ACLs on GPOs).

Reset sysvol ACLs to defaults (including correct ACLs on GPOs).

Manage organizational units (OUs).

Add a new organizational unit.

The name of the organizational unit can be specified as a full DN or without the domainDN component.

--description=DESCRIPTION

Specify OU's description.

Add a new organizational unit. This is a synonym for the samba-tool ou add command and is available for compatibility reasons only. Please use samba-tool ou add instead.

Delete an organizational unit.

The name of the organizational unit can be specified as a full DN or without the domainDN component.

--force-subtree-delete

Delete organizational unit and all children recursively.

List all organizational units.

--full-dn

Display DNs including the base DN.

List all objects in an organizational unit.

The name of the organizational unit can be specified as a full DN or without the domainDN component.

--full-dn

Display DNs including the base DN.

-r|--recursive

List objects recursively.

Move an organizational unit.

The name of the organizational units can be specified as a full DN or without the domainDN component.

Rename an organizational unit.

The name of the organizational units can be specified as a full DN or without the domainDN component.

List samba server processes.

If no processes are show, but Samba is running, it is possible that samba-tool has not found the correct smb.conf, and the use of -s/--configfile is required.

--name=NAME

Show processes associated with the given name.

--pid=PID

Show names associated with the PID.

Manage Read-Only Domain Controller (RODC).

Preload one account for an RODC.

Manage and query schema.

Modify the behaviour of an attribute in schema.

Display an attribute schema definition.

Show objectclasses that MAY or MUST contain this attribute.

Display an objectclass schema definition.

Service account management.

List service accounts on the domain.

-H, --URL

LDB URL for database or target server.

--json

View service accounts as JSON instead of a list.

View a single service account on the domain.

-H, --URL

LDB URL for database or target server.

--name

Account name of service account to view (required).

Create a new service account on the domain.

-H, --URL

LDB URL for database or target server.

--name

Account name of service account (required).

--dns-host-name

DNS hostname of this service account (required).

--group-msa-membership

Optional Group MSA Membership SDDL.

--managed-password-interval

Managed password refresh interval in days.

Modify an existing service account on the domain.

-H, --URL

LDB URL for database or target server.

--name

Account name of service account (required).

--dns-host-name

Update DNS hostname of this service account.

--group-msa-membership

Update Group MSA Membership SDDL.

Delete a service accounts on the domain.

-H, --URL

LDB URL for database or target server.

--name

Account name of service account to delete.

service-account group-msa-membership

Service account Group MSA Membership management.

Display Group MSA Membership for a service account.

-H, --URL

LDB URL for database or target server.

--name

Account name of service account (required).

--json

Return as JSON instead of a list.

Add a principal to Group MSA Membership for a service account.

-H, --URL

LDB URL for database or target server.

--name

Account name of service account (required).

--principal

Name, DN or SID of principal to add.

Remove a principal from Group MSA Membership for a service account.

-H, --URL

LDB URL for database or target server.

--name

Account name of service account (required).

--principal

Name, DN or SID of principal to remove.

Opens an interactive Samba Python shell.

Opens an interactive Python shell for Samba ldb connection.

-H, --URL

LDB URL for database or target server.

Manage sites.

List sites.

--json

Output as JSON instead of a list

View site details.

Create a new site.

Delete an existing site.

List subnets for a site.

--json

Output as JSON instead of a list

View subnet details.

Create a new subnet.

Delete an existing subnet.

Assign a subnet to a site.

Manage Service Principal Names (SPN).

Create a new SPN.

Delete an existing SPN.

List SPNs of a given user.

Check the syntax of the configuration file.

Retrieve the time on a server.

Manage users.

Add a new user to the Active Directory Domain.

Add RFC2307 attributes to a user.

This command adds Unix attributes to a user account in the Active Directory domain.

The username specified on the command is the sAMaccountName.

You must supply a unique uid.

Unix (RFC2307) attributes will be added to the user account.

If you supply a group id with '--gid-number', this will be used for the users Unix 'gidNumber' attribute.

If '--gid-number' is not supplied, the users Unix gidNumber will be set to the one found in 'Domain Users', this means Domain Users must have a gidNumber attribute.

If '--unix-home' is not supplied, the users Unix home directory will be set to /home/DOMAIN/username.

If '--login-shell' is not supplied, the users Unix login shell will be set to '/bin/sh'

If ---gecos' is not supplied, the users Unix gecos field will be set to the user's 'CN' attribute.

Add 'idmap_ldb:use rfc2307 = Yes' to the smb.conf on DCs to use these attributes for UID/GID mapping.

The command may be run from the root userid or another authorised userid. The -H or --URL= option can be used to execute the command against a remote server.

Example1:

samba-tool user addunixattrs User1 10001

Example1 shows how to add RFC2307 attributes to a domain enabled user account, Domain Users will be set as the users gidNumber.

The users Unix ID will be set to '10001', provided this ID isn't already in use.

Example2:

samba-tool user addunixattrs User2 10002 --gid-number=10001 --unix-home=/home/User2

Example2 shows how to add RFC2307 attributes to a domain enabled user account.

The users Unix ID will be set to '10002', provided this ID isn't already in use.

The users gidNumber attribute will be set to '10001'

The users Unix home directory will be set to '/home/user2'

Example3:

samba-tool user addunixattrs User3 10003 --gid-number=10001 --login-shell=/bin/false --gecos='User3 test'

Example3 shows how to add RFC2307 attributes to a domain enabled user account.

The users Unix ID will be set to '10003', provided this ID isn't already in use. The users gidNumber attribute will be set to '10001'. The users Unix login shell will be set to '/bin/false'. The users gecos field will be set to 'User3 test'.

-H URL, --URL=URL

LDB URL for database or target server

--gid-number=GROUP_ID

User's Unix/RFC2307 GID

--unix-home=DIR

User's Unix/RFC2307 home directory

--login-shell=SHELL

User's Unix/RFC2307 login shell

--gecos=GECOS

User's Unix/RFC2307 GECOS field

--uid=USER_ID

User's Unix/RFC2307 user id

Add a new user. This is a synonym for the samba-tool user add command and is available for compatibility reasons only. Please use samba-tool user add instead.

Delete an existing user account.

Disable a user account.

--remove-supplemental-groups

Remove user from all groups, but keep the primary group.

Edit a user account AD object.

--editor=EDITOR

Specifies the editor to use instead of the system default, or 'vi' if no system default is set.

Enable a user account.

List all users.

By default the user's sAMAccountNames are listed.

--full-dn

List user's distinguished names instead of the sAMAccountNames.

-b BASE_DN|--base-dn=BASE_DN

Specify base DN to use. Only users under the specified base DN will be listed.

--hide-expired

Do not list expired user accounts.

--hide-disabled

Do not list disabled user accounts.

--locked-only

Only list locked user accounts.

Set the primary group a user account.

Get the direct group memberships of a user account.

Display a user AD object.

--attributes=USER_ATTRS

Comma separated list of attributes, which will be printed.

This command moves a user account into the specified organizational unit or container.

The username specified on the command is the sAMAccountName.

The name of the organizational unit or container can be specified as a full DN or without the domainDN component.

Change password for a user account (the one provided in authentication).

Rename a user and related attributes.

This command allows to set the user's name related attributes. The user's CN will be renamed automatically. The user's new CN will be made up by combining the given-name, initials and surname. A dot ('.') will be appended to the initials automatically, if required. Use the --force-new-cn option to specify the new CN manually and --reset-cn to reset this change.

Use an empty attribute value to remove the specified attribute.

The username specified on the command is the sAMAccountName.

--surname=SURNAME

New surname

--given-name=GIVEN_NAME

New given name

--initials=INITIALS

New initials

--force-new-cn=NEW_CN

Specify a new CN (RDN) instead of using a combination of the given name, initials and surname.

--reset-cn

Set the CN to the default combination of given name, initials and surname.

--display-name=DISPLAY_NAME

New display name

--mail-address=MAIL_ADDRESS

New email address

--samaccountname=SAMACCOUNTNAME

New account name (sAMAccountName/logon name)

--upn=UPN

New user principal name

Set/unset or show UF_NOT_DELEGATED for an account.

-H URL, --URL=URL

LDB URL for database or target server

Set the expiration of a user account.

Sets or resets the password of a user account.

This command unlocks a user account in the Active Directory domain.

Gets the password of a user account.

Gets a Kerberos Ticket Granting Ticket as the account.

Syncs the passwords of all user accounts, using an optional script.

Note that this command should run on a single domain controller only (typically the PDC-emulator).

Set assigned authentication policy for user.

--policy

Name of authentication policy to assign or leave empty to remove.

Remove assigned authentication policy from user.

View the assigned authentication policy for user.

Set assigned authentication silo for user.

--silo

Name of authentication silo to assign or leave empty to remove.

Remove assigned authentication silo from user.

View the assigned authentication silo for user.

Join and synchronise a remote AD domain to the local server. Please note that samba-tool vampire is deprecated, please use samba-tool domain join instead.

Produce graphical representations of Samba network state. To work out what is happening in a replication graph, it is sometimes helpful to use visualisations.

There are two subcommands, two graphical modes, and (roughly) two modes of operation with respect to the location of authority.

samba-tool visualize ntdsconn

Looks at NTDS connections.

samba-tool visualize reps

Looks at repsTo and repsFrom objects.

samba-tool visualize uptodateness

Looks at replication lag as shown by the uptodateness vectors.

--distance

Distances between DCs are shown in a matrix in the terminal.

--dot

Generate Graphviz dot output (for ntdsconn and reps modes). When viewed using dot or xdot, this shows the network as a graph with DCs as vertices and connections edges. Certain types of degenerate edges are shown in different colours or line-styles.

--xdot

Generate Graphviz dot output as with [--dot] and attempt to view it immediately using /usr/bin/xdot.

-r

Normally, samba-tool talks to one database; with the [-r] option attempts are made to contact all the DCs known to the first database. This is necessary for samba-tool visualize uptodateness and for samba-tool visualize reps because the repsFrom/To objects are not replicated, and it can reveal replication issues in other modes.

Gives usage information.

This man page is complete for version 4.23.2 of the Samba suite.

The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.

10/16/2025 Samba 4.23.2