computer

Manage computer accounts.

computer add computername [options]

Add a new computer to the Active Directory Domain.

The new computer name specified on the command is the sAMAccountName, with or without the trailing dollar sign.

computer create computername [options]

Add a new computer. This is a synonym for the samba-tool computer add command and is available for compatibility reasons only. Please use samba-tool computer add instead.

computer delete computername [options]

Delete an existing computer account.

The computer name specified on the command is the sAMAccountName, with or without the trailing dollar sign.

computer edit computername

Edit a computer AD object.

The computer name specified on the command is the sAMAccountName, with or without the trailing dollar sign.

computer list

List all computers.

computer move computername new_parent_dn [options]

This command moves a computer account into the specified organizational unit or container.

The computername specified on the command is the sAMAccountName, with or without the trailing dollar sign.

The name of the organizational unit or container can be specified as a full DN or without the domainDN component.

computer show computername [options]

Display a computer AD object.

The computer name specified on the command is the sAMAccountName, with or without the trailing dollar sign.

contact

Manage contacts.

contact add [contactname] [options]

Add a new contact to the Active Directory Domain.

The name of the new contact can be specified by the first argument 'contactname' or the --given-name, --initial and --surname arguments. If no 'contactname' is given, contact's name will be made up of the given arguments by combining the given-name, initials and surname. Each argument is optional. A dot ('.') will be appended to the initials automatically.

contact create [contactname] [options]

Add a new contact. This is a synonym for the samba-tool contact add command and is available for compatibility reasons only. Please use samba-tool contact add instead.

contact delete contactname [options]

Delete an existing contact.

The contactname specified on the command is the common name or the distinguished name of the contact object. The distinguished name of the contact can be specified with or without the domainDN component.

contact edit contactname

Modify a contact AD object.

The contactname specified on the command is the common name or the distinguished name of the contact object. The distinguished name of the contact can be specified with or without the domainDN component.

contact list [options]

List all contacts.

contact move contactname new_parent_dn [options]

This command moves a contact into the specified organizational unit or container.

The contactname specified on the command is the common name or the distinguished name of the contact object. The distinguished name of the contact can be specified with or without the domainDN component.

contact show contactname [options]

Display a contact AD object.

The contactname specified on the command is the common name or the distinguished name of the contact object. The distinguished name of the contact can be specified with or without the domainDN component.

contact rename contactname [options]

Rename a contact and related attributes.

This command allows to set the contact's name related attributes. The contact's CN will be renamed automatically. The contact's new CN will be made up by combining the given-name, initials and surname. A dot ('.') will be appended to the initials automatically, if required. Use the --force-new-cn option to specify the new CN manually and --reset-cn to reset this change.

Use an empty attribute value to remove the specified attribute.

The contact name specified on the command is the CN.

dbcheck

Check the local AD database for errors.

delegation

Manage Delegations.

delegation add-principal accountname principal [options]

Add a principal to msDS-AllowedToActOnBehalfOfOtherIdentity that may delegate to an account.

delegation del-principal accountname principal [options]

Delete a principal from msDS-AllowedToActOnBehalfOfOtherIdentity so that it may no longer delegate to an account.

delegation add-service accountname principal [options]

Add a service principal as msDS-AllowedToDelegateTo.

delegation del-service accountname principal [options]

Delete a service principal as msDS-AllowedToDelegateTo.

delegation for-any-protocol accountname [(on|off)] [options]

Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy) for an account.

delegation for-any-service accountname [(on|off)] [options]

Set/unset UF_TRUSTED_FOR_DELEGATION for an account.

delegation show accountname [options]

Show the delegation setting of an account.

dns

Manage Domain Name Service (DNS).

dns add server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data

Add a DNS record.

dns cleanup server name

Clean up DNS records for a host, so that DNS queries no longer return results. Usually this works by marking the records as deleted in the database.

Example: samba-tool dns cleanup dc1 computer.samdom.test.site

dns delete server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data

Delete a DNS record.

dns query server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT|ALL [options] data

Query a name.

dns roothints server [name] [options]

Query root hints.

dns serverinfo server [options]

Query server information.

dns update server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT olddata newdata

Update a DNS record.

dns zonecreate server zone [options]

Create a zone.

dns zonedelete server zone [options]

Delete a zone.

dns zoneinfo server zone [options]

Query zone information.

dns zonelist server [options]

List zones.

dns zoneoptions server zone [options]

Manipulate aging options. This is useful in zones using dynamic DNS.

There are options to change records from static to dynamic based on regular expressions or age, which is useful in some cases where the values got mixed up in old versions of Samba.

domain

Manage Domain.

domain backup

Create or restore a backup of the domain.

domain backup offline

Backup (with proper locking) local domain directories into a tar file.

domain backup online

Copy a running DC's current DB into a backup tar file.

domain backup rename

Copy a running DC's DB to backup file, renaming the domain in the process.

domain backup restore

Restore the domain's DB from a backup-file.

domain auth policy

Manage authentication policies.

domain auth policy list

List authentication policies on the domain.

domain auth policy view

View an authentication policy on the domain.

domain auth policy create

Create authentication policies on the domain.

domain auth policy modify

Modify authentication policies on the domain. The same options apply as for domain auth policy create.

domain auth policy delete

Delete authentication policies on the domain.

domain auth policy user-allowed-to-authenticate-from set

Set the user-allowed-to-authenticate-from property by scenario.

domain auth policy user-allowed-to-authenticate-to set

Set the user-allowed-to-authenticate-to property by scenario.

domain auth policy service-allowed-to-authenticate-from set

Set the service-allowed-to-authenticate-from property by scenario.

domain auth policy service-allowed-to-authenticate-to set

Set the service-allowed-to-authenticate-to property by scenario.

domain auth policy computer-allowed-to-authenticate-to set

Set the computer-allowed-to-authenticate-to property by scenario.

domain auth silo

Manage authentication silos.

domain auth silo list

List authentication silos on the domain.

domain auth silo view

View an authentication silo on the domain.

domain auth silo create

Create authentication silos on the domain.

domain auth silo modify

Modify authentication silos on the domain.

domain auth silo delete

Delete authentication silos on the domain.

domain auth silo member grant

Grant a member access to an authentication silo.

domain auth silo member list

List members in an authentication silo.

domain auth silo member revoke

Revoke a member from an authentication silo.

domain claim claim-type list

List claim types on the domain.

domain claim claim-type view

View a single claim type on the domain.

domain claim claim-type create

Create claim types on the domain.

domain claim claim-type modify

Modify claim types on the domain.

domain claim claim-type delete

Delete claim types on the domain.

domain claim value-type list

List claim value types on the domain.

domain claim value-type view

View a single claim value type on the domain.

domain classicupgrade [options] classic_smb_conf

Upgrade from Samba classic (NT4-like) database to Samba AD DC database.

domain dcpromo dnsdomain [DC|RODC] [options]

Promote an existing domain member or NT4 PDC to an AD DC.

domain demote

Demote ourselves from the role of domain controller.

domain exportkeytab keytab [options]

Dumps Kerberos keys of the domain into a keytab.

domain functionalprep [options]

Prepare a domain for functional level upgrade. If --functional-level is not used, the latest supported version is used (currently 2016).

There are two aspects to this preparation, relating to the forest and the domain. By default both are run. If either of --forest-prep or --domain-prep are used, only the corresponding preparation is made. If both arguments are used together, all preparation is done, just as when neither is used.

domain info ip_address [options]

Print basic info about a domain and the specified DC.

domain join dnsdomain [DC|RODC|MEMBER|SUBDOMAIN] [options]

Join a domain as either member or backup domain controller.

domain kds root-key

Manage Key Distribution Service root keys.

domain kds root-key create [options]

Create KDS root keys

domain kds root-key delete --name={GUID}

Delete the named KDS root key. Use samba-tool domain kds root-key list to find the name of the key.

domain kds root-key list [options]

List KDS root keys. The newest keys are listed first.

domain kds root-key view [options]

View a KDS root key. The default output is similar to that of samba-tool domain kds root-key list --verbose, but with only one key show. The key can be selected by using --latest for the most recent key, or --name to select a key by name.

domain leave [options]

Run on a domain member, this will cause it to leave the domain.

To remove a domain server from the domain, you first need samba-tool domain demote.

domain level show|raise options [options]

Show/raise domain and forest function levels.

domain passwordsettings set options [options]

Set password settings, including complexity requirements, lockout policy, history length, minimum password length, and minimum and maximum password age on a Samba AD DC server.

Use against a Windows DC is possible, but group policy will override it.

domain passwordsettings show options [options]

Display current password settings for the domain.

domain passwordsettings pso

Manage fine-grained Password Settings Objects (PSOs).

domain passwordsettings pso apply pso-name user-or-group-name [options]

Applies a PSO's password policy to a user or group.

domain passwordsettings pso create pso-name precedence [options]

Creates a new Password Settings Object (PSO).

domain passwordsettings pso delete pso-name [options]

Deletes a Password Settings Object (PSO).

domain passwordsettings pso list [options]

Lists all Password Settings Objects (PSOs).

domain passwordsettings pso set pso-name [options]

Modifies a Password Settings Object (PSO).

domain passwordsettings pso show user-name [options]

Displays a Password Settings Object (PSO).

domain passwordsettings pso show-user pso-name [options]

Displays the Password Settings that apply to a user.

domain passwordsettings pso unapply pso-name user-or-group-name [options]

Updates a PSO to no longer apply to a user or group.

domain provision

Promote an existing domain member or NT4 PDC to an AD DC.

domain schemaupgrade [options]

Upgrade the schema.

domain tombstones expunge NC [NC [...]] [options]

domain trust

Domain and forest trust management.

domain trust create DOMAIN options [options]

Create a domain or forest trust.

domain trust modify DOMAIN options [options]

Modify a domain or forest trust.

domain trust delete DOMAIN options [options]

Delete a domain trust.

domain trust list options [options]

List domain trusts.

domain trust namespaces [DOMAIN] options [options]

Manage forest trust namespaces.

domain trust show DOMAIN options [options]

Show trusted domain details.

domain trust validate DOMAIN options [options]

Validate a domain trust.

drs

Manage Directory Replication Services (DRS).

drs bind

Show DRS capabilities of a server.

drs clone-dc-database dnsdomain --targetdir=DIR [options]

Replicate an initial clone of domain, but DO NOT JOIN it.

drs uptodateness [options]

Show uptodateness status.

drs kcc

Trigger knowledge consistency center run.

drs options

Query or change options for NTDS Settings object of a domain controller.

drs replicate destination_DC source_DC NC [options]

Replicate a naming context between two DCs.

drs showrepl

Show replication status. The [--json] option results in JSON output, and with the [--summary] option produces very little output when the replication status seems healthy.

dsacl

Administer DS ACLs

dsacl delete

Delete an access list entry on a directory object.

dsacl get

Print access list on a directory object.

dsacl set

Modify access list on a directory object.

forest

Manage Forest configuration.

forest directory_service

Manage directory_service behaviour for the forest.

forest directory_service dsheuristics VALUE

Modify dsheuristics directory_service configuration for the forest.

forest directory_service show

Show current directory_service configuration for the forest.

fsmo

Manage Flexible Single Master Operations (FSMO).

fsmo seize [options]

Seize the role.

fsmo show

Show the roles.

fsmo transfer [options]

Transfer the role.

gpo

Manage Group Policy Objects (GPO).

gpo aclcheck [options]

Create an empty GPO.

Check all GPOs have matching LDAP and DS ACLs.

gpo admxload [options]

Loads samba admx files to sysvol

gpo backup gpo[options]

Backup a GPO.

gpo create displayname [options]

Create an empty GPO.

gpo cse list

List the registered Client Side Extensions (CSEs) on the current host.

gpo cse register cse_file cse_name [options]

Register a Client Side Extension (CSE) on the current host.

This command takes a CSE filename as an argument, and registers it for applying policy on the current host. This is not necessary for CSEs which are distributed with the current version of Samba, but is useful for installing experimental CSEs or custom built CSEs.

The cse_file argument MUST be a permanent location for the CSE. The register command does not copy the file to some other directory. The samba-gpupdate command will execute the CSE from the exact location specified from this command.

gpo cse unregister GUID

Unregister a Client Side Extension (CSE) from the current host.

This command takes a unique GUID as an argument (representing a registered CSE), and unregisters it for applying policy on the current host. Use the `samba-tool gpo cse list` command to determine the unique GUIDs of CSEs.

gpo del gpo [options]

Delete GPO.

gpo dellink container_dn gpo [options]

Delete GPO link from a container.

gpo fetch gpo [options]

Download a GPO.

gpo getinheritance container_dn [options]

Get inheritance flag for a container.

gpo getlink container_dn [options]

List GPO Links for a container.

gpo list username [options]

List GPOs for an account.

gpo listall

List all GPOs.

gpo listcontainers gpo [options]

List all linked containers for a GPO.

gpo load gpo [options]

Load policies onto a GPO.

Reads json from standard input until EOF, unless a json formatted file is provided via --content.

Example json_input:

[
    {
        "keyname": "Software\Policies\Mozilla\Firefox\Homepage",
        "valuename": "StartPage",
        "class": "USER",
        "type": "REG_SZ",
        "data": "homepage"
    },
    {
        "keyname": "Software\Policies\Mozilla\Firefox\Homepage",
        "valuename": "URL",
        "class": "USER",
        "type": "REG_SZ",
        "data": "google.com"
    },
    {
        "keyname": "Software\Microsoft\Internet Explorer\Toolbar",
        "valuename": "IEToolbar",
        "class": "USER",
        "type": "REG_BINARY",
        "data": [0]
    },
    {
        "keyname": "Software\Policies\Microsoft\InputPersonalization",
        "valuename": "RestrictImplicitTextCollection",
        "class": "USER",
        "type": "REG_DWORD",
        "data": 1
    }
    ]
    

Valid class attributes: MACHINE|USER|BOTH Data arrays are interpreted as bytes.

The --machine-ext-name and --user-ext-name options are multi-value inputs which respectively set the gPCMachineExtensionNames and gPCUserExtensionNames ldap attributes on the GPO. These attributes must be set to the correct GUID names for Windows Group Policy to work correctly. These GUIDs represent the client side extensions to apply on the machine. Linux Group Policy does not enforce this constraint. {35378EAC-683F-11D2-A89A-00C04FBBCFA2} is provided by default, which enables most Registry policies.

gpo manage security list gpo [options]

List Samba Security Group Policy from the sysvol.

This command lists security settings from the sysvol that will be applied to winbind clients. These settings only apply to the AD DC.

Example:

samba-tool gpo manage security list {31B2F340-016D-11D2-945F-00C04FB984F9}

gpo manage security set gpo [options]

Set Samba Security Group Policy to the sysvol.

This command sets a security setting to the sysvol for applying to winbind clients. Not providing a value will unset the policy. These settings only apply to the AD DC.

Example:

samba-tool gpo manage security set {31B2F340-016D-11D2-945F-00C04FB984F9} MaxTicketAge 10

Possible policies:

List Samba Security Group Policy from the sysvol.

This command lists security settings from the sysvol that will be applied to winbind clients. These settings only apply to the AD DC.

Example:

samba-tool gpo manage security list {31B2F340-016D-11D2-945F-00C04FB984F9}

gpo manage smb_conf list

List smb.conf settings from the sysvol that will be applied to winbind clients.

Example:

samba-tool gpo manage smb_conf list {31B2F340-016D-11D2-945F-00C04FB984F9}

gpo manage smb_conf set gpo [value] [options]

Set or unset an smb.conf setting to the sysvol for applying to winbind clients.

If a value is provided, that is the smb.conf value used; if no value is provided, the policy is removed.

Example:

samba-tool gpo manage smb_conf set {31B2F340-016D-11D2-945F-00C04FB984F9} 'apply gpo policies' yes

gpo setinheritance container_dn block|inherit [options]

Set inheritance flag on a container.

gpo setlink container_dn gpo [options]

Add or Update a GPO link to a container.

gpo removegpo [options]

Show information for a GPO.

Remove policies from a GPO.

Reads json from standard input until EOF, unless a json formatted file is provided via --content.

Example json_input:
[
    {
        "keyname": "Software\Policies\Mozilla\Firefox\Homepage",
        "valuename": "StartPage",
        "class": "USER",
    },
    {
        "keyname": "Software\Policies\Mozilla\Firefox\Homepage",
        "valuename": "URL",
        "class": "USER",
    },
    {
        "keyname": "Software\Microsoft\Internet Explorer\Toolbar",
        "valuename": "IEToolbar",
        "class": "USER"
    },
    {
        "keyname": "Software\Policies\Microsoft\InputPersonalization",
        "valuename": "RestrictImplicitTextCollection",
        "class": "USER"
    }
]

Valid class attributes: MACHINE|USER|BOTH

gpo restore displayname backup location [options]

Restore a GPO to a new container.

gpo show gpo [options]

Show information for a GPO.

gpo manage symlink list

List VGP Symbolic Link Group Policy from the sysvol

gpo manage symlink add

Adds a VGP Symbolic Link Group Policy to the sysvol

gpo manage symlink remove

Removes a VGP Symbolic Link Group Policy from the sysvol

gpo manage files list

List VGP Files Group Policy from the sysvol

gpo manage files add

Add VGP Files Group Policy to the sysvol

gpo manage files remove

Remove VGP Files Group Policy from the sysvol

gpo manage openssh list

List VGP OpenSSH Group Policy from the sysvol

gpo manage openssh set

Sets a VGP OpenSSH Group Policy to the sysvol

gpo manage sudoers add

Adds a Samba Sudoers Group Policy to the sysvol.

gpo manage sudoers list

List Samba Sudoers Group Policy from the sysvol.

gpo manage sudoers remove

Removes a Samba Sudoers Group Policy from the sysvol.

gpo manage scripts startup list

List VGP Startup Script Group Policy from the sysvol

gpo manage scripts startup add

Adds VGP Startup Script Group Policy to the sysvol

gpo manage scripts startup remove

Removes VGP Startup Script Group Policy from the sysvol

gpo manage motd list

List VGP MOTD Group Policy from the sysvol.

gpo manage motd set

Sets a VGP MOTD Group Policy to the sysvol

gpo manage issue list

List VGP Issue Group Policy from the sysvol.

gpo manage issue set

Sets a VGP Issue Group Policy to the sysvol

gpo manage access add

Adds a VGP Host Access Group Policy to the sysvol

gpo manage access list

List VGP Host Access Group Policy from the sysvol

gpo manage access remove

Remove a VGP Host Access Group Policy from the sysvol

group

Manage groups.

group add groupname [options]

Create a new AD group.

group create groupname [options]

Add a new AD group. This is a synonym for the samba-tool group add command and is available for compatibility reasons only. Please use samba-tool group add instead.

group addmembers groupname members [options]

Add members to an AD group.

group addunixattrs groupname gidnumber [options]

Add RFC2307 Unix attributes to a group account in the Active Directory domain. The groupname specified on the command is the sAMaccountName.

Unix (RFC2307) attributes will be added to the group account.

Add 'idmap_ldb:use rfc2307 = Yes' to smb.conf to use these attributes for UID/GID mapping.

The command may be run from the root userid or another authorized userid. The -H or --URL= option can be used to execute the command against a remote server.

Example1:

samba-tool group addunixattrs Group1 10000

Example1 shows how to add RFC2307 attributes to a domain enabled group account.

The groups Unix ID will be set to '10000', provided this ID isn't already in use.

group delete groupname [options]

Delete an AD group.

group edit groupname

Edit a group AD object.

group list

List all groups.

group listmembers groupname [options]

List all members of the specified AD group.

By default the sAMAccountNames are listed. If no sAMAccountName is available, the CN will be used instead.

group move groupname new_parent_dn [options]

This command moves a group into the specified organizational unit or container.

The groupname specified on the command is the sAMAccountName.

The name of the organizational unit or container can be specified as a full DN or without the domainDN component.

group removemembers groupname members [options]

Remove members from the specified AD group.

group show groupname [options]

Show group object and it's attributes.

group stats [options]

Show statistics for overall groups and group memberships.

group rename groupname [options]

Rename a group and related attributes.

This command allows to set the group's name related attributes. The group's CN will be renamed automatically. The group's CN will be the sAMAccountName. Use the --force-new-cn option to specify the new CN manually and the --reset-cn to reset this change.

Use an empty attribute value to remove the specified attribute.

The groupname specified on the command is the sAMAccountName.

ldapcmp URL1 URL2 domain|configuration|schema|dnsdomain|dnsforest [options]

Compare two LDAP databases.

ntacl

Manage NT ACLs.

ntacl changedomsid original-domain-SID new-domain-SID file [options]

Change the domain SID for ACLs. Can be used to change all entries in acl_xattr when the machine's SID has accidentally changed or the data set has been copied to another machine either via backup/restore or rsync.

ntacl getdosinfo file [options]

Get DOS info of a file from xattr.

ntacl get file [options]

Get ACLs on a file.

ntacl set acl file [options]

Set ACLs on a file.

ntacl sysvolcheck

Check sysvol ACLs match defaults (including correct ACLs on GPOs).

ntacl sysvolreset

Reset sysvol ACLs to defaults (including correct ACLs on GPOs).

ou

Manage organizational units (OUs).

ou add ou_dn [options]

Add a new organizational unit.

The name of the organizational unit can be specified as a full DN or without the domainDN component.

ou create ou_dn [options]

Add a new organizational unit. This is a synonym for the samba-tool ou add command and is available for compatibility reasons only. Please use samba-tool ou add instead.

ou delete ou_dn [options]

Delete an organizational unit.

The name of the organizational unit can be specified as a full DN or without the domainDN component.

ou list [options]

List all organizational units.

ou listobjects ou_dn [options]

List all objects in an organizational unit.

The name of the organizational unit can be specified as a full DN or without the domainDN component.

ou move old_ou_dn new_parent_dn [options]

Move an organizational unit.

The name of the organizational units can be specified as a full DN or without the domainDN component.

ou rename old_ou_dn new_ou_dn [options]

Rename an organizational unit.

The name of the organizational units can be specified as a full DN or without the domainDN component.

processes

List samba server processes.

If no processes are show, but Samba is running, it is possible that samba-tool has not found the correct smb.conf, and the use of -s/--configfile is required.

rodc

Manage Read-Only Domain Controller (RODC).

rodc preload SID|DN|accountname [options]

Preload one account for an RODC.

schema

Manage and query schema.

schema attribute modify attribute [options]

Modify the behaviour of an attribute in schema.

schema attribute show attribute [options]

Display an attribute schema definition.

schema attribute show_oc attribute [options]

Show objectclasses that MAY or MUST contain this attribute.

schema objectclass show objectclass [options]

Display an objectclass schema definition.

service-account

Service account management.

service-account list

List service accounts on the domain.

service-account view

View a single service account on the domain.

service-account create

Create a new service account on the domain.

service-account modify

Modify an existing service account on the domain.

service-account delete

Delete a service accounts on the domain.

service-account group-msa-membership

Service account Group MSA Membership management.

service-account group-msa-membership show

Display Group MSA Membership for a service account.

service-account group-msa-membership add

Add a principal to Group MSA Membership for a service account.

service-account group-msa-membership remove

Remove a principal from Group MSA Membership for a service account.

shell

Opens an interactive Samba Python shell.

shell [options]

Opens an interactive Python shell for Samba ldb connection.

sites

Manage sites.

sites list [options]

List sites.

sites view site [options]

View site details.

sites create site [options]

Create a new site.

sites remove site [options]

Delete an existing site.

sites subnet list site [options]

List subnets for a site.

sites subnet view subnet [options]

View subnet details.

sites subnet create subnet site-of-subnet [options]

Create a new subnet.

sites subnet remove subnet [options]

Delete an existing subnet.

sites subnet set-site subnet site-of-subnet [options]

Assign a subnet to a site.

spn

Manage Service Principal Names (SPN).

spn add name user [options]

Create a new SPN.

spn delete name [user] [options]

Delete an existing SPN.

spn list user [options]

List SPNs of a given user.

testparm

Check the syntax of the configuration file.

time

Retrieve the time on a server.

user

Manage users.

user add username [password]

Add a new user to the Active Directory Domain.

user addunixattrs username uid-number [options]

Add RFC2307 attributes to a user.

This command adds Unix attributes to a user account in the Active Directory domain.

The username specified on the command is the sAMaccountName.

You must supply a unique uid.

Unix (RFC2307) attributes will be added to the user account.

If you supply a group id with '--gid-number', this will be used for the users Unix 'gidNumber' attribute.

If '--gid-number' is not supplied, the users Unix gidNumber will be set to the one found in 'Domain Users', this means Domain Users must have a gidNumber attribute.

If '--unix-home' is not supplied, the users Unix home directory will be set to /home/DOMAIN/username.

If '--login-shell' is not supplied, the users Unix login shell will be set to '/bin/sh'

If ---gecos' is not supplied, the users Unix gecos field will be set to the user's 'CN' attribute.

Add 'idmap_ldb:use rfc2307 = Yes' to the smb.conf on DCs to use these attributes for UID/GID mapping.

The command may be run from the root userid or another authorised userid. The -H or --URL= option can be used to execute the command against a remote server.

Example1:

samba-tool user addunixattrs User1 10001

Example1 shows how to add RFC2307 attributes to a domain enabled user account, Domain Users will be set as the users gidNumber.

The users Unix ID will be set to '10001', provided this ID isn't already in use.

Example2:

samba-tool user addunixattrs User2 10002 --gid-number=10001 --unix-home=/home/User2

Example2 shows how to add RFC2307 attributes to a domain enabled user account.

The users Unix ID will be set to '10002', provided this ID isn't already in use.

The users gidNumber attribute will be set to '10001'

The users Unix home directory will be set to '/home/user2'

Example3:

samba-tool user addunixattrs User3 10003 --gid-number=10001 --login-shell=/bin/false --gecos='User3 test'

Example3 shows how to add RFC2307 attributes to a domain enabled user account.

The users Unix ID will be set to '10003', provided this ID isn't already in use. The users gidNumber attribute will be set to '10001'. The users Unix login shell will be set to '/bin/false'. The users gecos field will be set to 'User3 test'.

user create username [password]

Add a new user. This is a synonym for the samba-tool user add command and is available for compatibility reasons only. Please use samba-tool user add instead.

user delete username [options]

Delete an existing user account.

user disable username

Disable a user account.

user edit username

Edit a user account AD object.

user enable username

Enable a user account.

user list

List all users.

By default the user's sAMAccountNames are listed.

user setprimarygroup username primarygroupname

Set the primary group a user account.

user getgroups username

Get the direct group memberships of a user account.

user show username [options]

Display a user AD object.

user move username new_parent_dn [options]

This command moves a user account into the specified organizational unit or container.

The username specified on the command is the sAMAccountName.

The name of the organizational unit or container can be specified as a full DN or without the domainDN component.

user password [options]

Change password for a user account (the one provided in authentication).

user rename username [options]

Rename a user and related attributes.

This command allows to set the user's name related attributes. The user's CN will be renamed automatically. The user's new CN will be made up by combining the given-name, initials and surname. A dot ('.') will be appended to the initials automatically, if required. Use the --force-new-cn option to specify the new CN manually and --reset-cn to reset this change.

Use an empty attribute value to remove the specified attribute.

The username specified on the command is the sAMAccountName.

user sensitive accountname [show|on|off] [options]

Set/unset or show UF_NOT_DELEGATED for an account.

user setexpiry username [options]

Set the expiration of a user account.

user setpassword username [options]

Sets or resets the password of a user account.

user unlock username [options]

This command unlocks a user account in the Active Directory domain.

user getpassword username [options]

Gets the password of a user account.

user get-kerberos-ticket username [options]

Gets a Kerberos Ticket Granting Ticket as the account.

user syncpasswords --cache-ldb-initialize [options]

Syncs the passwords of all user accounts, using an optional script.

Note that this command should run on a single domain controller only (typically the PDC-emulator).

user auth policy assign username [options]

Set assigned authentication policy for user.

user auth policy remove username

Remove assigned authentication policy from user.

user auth policy view username

View the assigned authentication policy for user.

user auth silo assign username [options]

Set assigned authentication silo for user.

user auth silo remove username

Remove assigned authentication silo from user.

user auth silo view username

View the assigned authentication silo for user.

vampire [options] domain

Join and synchronise a remote AD domain to the local server. Please note that samba-tool vampire is deprecated, please use samba-tool domain join instead.

visualize [options] subcommand

Produce graphical representations of Samba network state. To work out what is happening in a replication graph, it is sometimes helpful to use visualisations.

There are two subcommands, two graphical modes, and (roughly) two modes of operation with respect to the location of authority.

help

Gives usage information.