'\" t
.\" Title: net
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.79.1
.\" Date: 06/20/2019
.\" Manual: System Administration tools
.\" Source: Samba 4.9.5-Debian
.\" Language: English
.\"
.TH "NET" "8" "06/20/2019" "Samba 4\&.9\&.5\-Debian" "System Administration tools"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
net \- Tool for administration of Samba and remote CIFS servers\&.
.SH "SYNOPSIS"
.HP \w'\ 'u
net {} [\-h|\-\-help] [\-w|\-\-workgroup\ workgroup] [\-W|\-\-myworkgroup\ myworkgroup] [\-U|\-\-user\ user] [\-I|\-\-ipaddress\ ip\-address] [\-p|\-\-port\ port] [\-n\ myname] [\-s\ conffile] [\-S|\-\-server\ server] [\-l|\-\-long] [\-v|\-\-verbose] [\-f|\-\-force] [\-P|\-\-machine\-pass] [\-d\ debuglevel] [\-V] [\-\-request\-timeout\ seconds] [\-t|\-\-timeout\ seconds] [\-i|\-\-stdin] [\-\-tallocreport]
.SH "DESCRIPTION"
.PP
This tool is part of the
\fBsamba\fR(7)
suite\&.
.PP
The Samba net utility is meant to work just like the net utility available for Windows and DOS\&. The first argument should be used to specify the protocol to use when executing a certain command\&. ADS is used for Active Directory, RAP is used for old (Win9x/NT3) clients and RPC can be used for NT4 and Windows 2000\&. If this argument is omitted, net will try to determine it automatically\&. Not all commands are available on all protocols\&.
.SH "OPTIONS"
.PP
\-?|\-\-help
.RS 4
Print a summary of command line options\&.
.RE
.PP
\-k|\-\-kerberos
.RS 4
Try to authenticate with kerberos\&. Only useful in an Active Directory environment\&.
.RE
.PP
\-w|\-\-workgroup target\-workgroup
.RS 4
Sets target workgroup or domain\&. You have to specify either this option or the IP address or the name of a server\&.
.RE
.PP
\-W|\-\-myworkgroup workgroup
.RS 4
Sets client workgroup or domain
.RE
.PP
\-U|\-\-user user
.RS 4
User name to use
.RE
.PP
\-I|\-\-ipaddress ip\-address
.RS 4
IP address of target server to use\&. You have to specify either this option or a target workgroup or a target server\&.
.RE
.PP
\-p|\-\-port port
.RS 4
Port on the target server to connect to (usually 139 or 445)\&. Defaults to trying 445 first, then 139\&.
.RE
.PP
\-n|\-\-netbiosname
.RS 4
This option allows you to override the NetBIOS name that Samba uses for itself\&. This is identical to setting the
\m[blue]\fBnetbios name\fR\m[]
parameter in the
smb\&.conf
file\&. However, a command line setting will take precedence over settings in
smb\&.conf\&.
.RE
.PP
\-S|\-\-server server
.RS 4
Name of target server\&. You should specify either this option or a target workgroup or a target IP address\&.
.RE
.PP
\-l|\-\-long
.RS 4
When listing data, give more information on each item\&.
.RE
.PP
\-v|\-\-verbose
.RS 4
When listing data, give more verbose information on each item\&.
.RE
.PP
\-f|\-\-force
.RS 4
Force execution of a net command\&.
.RE
.PP
\-P|\-\-machine\-pass
.RS 4
Make queries to the external server using the machine account of the local server\&.
.RE
.PP
\-\-request\-timeout 30
.RS 4
Let client requests time out after 30 seconds\&. The default is 10 seconds\&.
.RE
.PP
\-t|\-\-timeout 30
.RS 4
Set timeout for client operations to 30 seconds\&.
.RE
.PP
\-\-use\-ccache
.RS 4
Try to use the credentials cached by winbind\&.
.RE
.PP
\-i|\-\-stdin
.RS 4
Take input for net commands from standard input\&.
.RE
.PP
\-\-tallocreport
.RS 4
Generate a talloc report while processing a net command\&.
.RE
.PP
\-T|\-\-test
.RS 4
Only test command sequence, dry\-run\&.
.RE
.PP
\-F|\-\-flags FLAGS
.RS 4
Pass down integer flags to a net subcommand\&.
.RE
.PP
\-C|\-\-comment COMMENT
.RS 4
Pass down a comment string to a net subcommand\&.
.RE
.PP
\-n|\-\-myname MYNAME
.RS 4
Use MYNAME as a requester name for a net subcommand\&.
.RE
.PP
\-c|\-\-container CONTAINER
.RS 4
Use a specific AD container for net ads operations\&.
.RE
.PP
\-M|\-\-maxusers MAXUSERS
.RS 4
Fill in the maxusers field in net rpc share operations\&.
.RE
.PP
\-r|\-\-reboot
.RS 4
Reboot a remote machine after a command has been successfully executed (e\&.g\&. in remote join operations)\&.
.RE
.PP
\-\-force\-full\-repl
.RS 4
When calling "net rpc vampire keytab" this option enforces a full re\-creation of the generated keytab file\&.
.RE
.PP
\-\-single\-obj\-repl
.RS 4
When calling "net rpc vampire keytab" this option allows one to replicate just a single object to the generated keytab file\&.
.RE
.PP
\-\-clean\-old\-entries
.RS 4
When calling "net rpc vampire keytab" this option allows one to cleanup old entries from the generated keytab file\&.
.RE
.PP
\-\-db
.RS 4
Define dbfile for "net idmap" commands\&.
.RE
.PP
\-\-lock
.RS 4
Activates locking of the dbfile for "net idmap check" command\&.
.RE
.PP
\-a|\-\-auto
.RS 4
Activates noninteractive mode in "net idmap check"\&.
.RE
.PP
\-\-repair
.RS 4
Activates repair mode in "net idmap check"\&.
.RE
.PP
\-\-acls
.RS 4
Includes ACLs to be copied in "net rpc share migrate"\&.
.RE
.PP
\-\-attrs
.RS 4
Includes file attributes to be copied in "net rpc share migrate"\&.
.RE
.PP
\-\-timestamps
.RS 4
Includes timestamps to be copied in "net rpc share migrate"\&.
.RE
.PP
\-X|\-\-exclude DIRECTORY
.RS 4
Allows one to exclude directories when copying with "net rpc share migrate"\&.
.RE
.PP
\-\-destination SERVERNAME
.RS 4
Defines the target servername of migration process (defaults to localhost)\&.
.RE
.PP
\-L|\-\-local
.RS 4
Sets the type of group mapping to local (used in "net groupmap set")\&.
.RE
.PP
\-D|\-\-domain
.RS 4
Sets the type of group mapping to domain (used in "net groupmap set")\&.
.RE
.PP
\-N|\-\-ntname NTNAME
.RS 4
Sets the ntname of a group mapping (used in "net groupmap set")\&.
.RE
.PP
\-R|\-\-rid RID
.RS 4
Sets the rid of a group mapping (used in "net groupmap set")\&.
.RE
.PP
\-\-reg\-version REG_VERSION
.RS 4
Assume database version {n|1,2,3} (used in "net registry check")\&.
.RE
.PP
\-o|\-\-output FILENAME
.RS 4
Output database file (used in "net registry check")\&.
.RE
.PP
\-\-wipe
.RS 4
Create a new database from scratch (used in "net registry check")\&.
.RE
.PP
\-\-precheck PRECHECK_DB_FILENAME
.RS 4
Defines filename for database prechecking (used in "net registry import")\&.
.RE
.PP
\-\-no\-dns\-updates
.RS 4
Do not perform DNS updates as part of "net ads join"\&.
.RE
.PP
\-\-keep\-account
.RS 4
Prevent the machine account removal as part of "net ads leave"\&.
.RE
.PP
\-e|\-\-encrypt
.RS 4
This command line parameter requires that the remote server support the UNIX extensions or that the SMB3 protocol has been selected\&. Requests that the connection be encrypted\&. Negotiates SMB encryption using either SMB3 or POSIX extensions via GSSAPI\&. Uses the given credentials for the encryption negotiation (either kerberos or NTLMv1/v2 if given domain/username/password triple)\&. Fails the connection if encryption cannot be negotiated\&.
.RE
.PP
\-d|\-\-debuglevel=level
.RS 4
\fIlevel\fR
is an integer from 0 to 10\&. The default value if this parameter is not specified is 1\&.
.sp
The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&.
.sp
Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.
.sp
Note that specifying this parameter here will override the
\m[blue]\fBlog level\fR\m[]
parameter in the
smb\&.conf
file\&.
.RE
.PP
\-V|\-\-version
.RS 4
Prints the program version number\&.
.RE
.PP
\-s|\-\-configfile=
.RS 4
The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See
smb\&.conf
for more information\&. The default configuration file name is determined at compile time\&.
.RE
.PP
\-l|\-\-log\-basename=logdirectory
.RS 4
Base directory name for log/debug files\&. The extension
\fB"\&.progname"\fR
will be appended (e\&.g\&. log\&.smbclient, log\&.smbd, etc\&.\&.\&.)\&. The log file is never removed by the client\&.
.RE
.PP
\-\-option==
.RS 4
Set the
\fBsmb.conf\fR(5)
option "" to value "" from the command line\&. This overrides compiled\-in defaults and options read from the configuration file\&.
.RE
.SH "COMMANDS"
.SS "CHANGESECRETPW"
.PP
This command allows the Samba machine account password to be set from an external application to a machine account password that has already been stored in Active Directory\&. DO NOT USE this command unless you know exactly what you are doing\&. The use of this command requires that the force flag (\-f) be used also\&. There will be NO command prompt\&. Whatever information is piped into stdin, either by typing at the command line or otherwise, will be stored as the literal machine password\&. Do NOT use this without care and attention as it will overwrite a legitimate machine password without warning\&. YOU HAVE BEEN WARNED\&.
.SS "TIME"
.PP
The
NET TIME
command allows you to view the time on a remote server or synchronise the time on the local server with the time on the remote server\&.
.SS "TIME"
.PP
Without any options, the
NET TIME
command displays the time on the remote server\&. The remote server must be specified with the \-S option\&.
.SS "TIME SYSTEM"
.PP
Displays the time on the remote server in a format ready for
/bin/date\&. The remote server must be specified with the \-S option\&.
.SS "TIME SET"
.PP
Tries to set the date and time of the local server to that on the remote server using
/bin/date\&. The remote server must be specified with the \-S option\&.
.SS "TIME ZONE"
.PP
Displays the timezone in hours from GMT on the remote server\&. The remote server must be specified with the \-S option\&.
.SS "[RPC|ADS] JOIN [TYPE] [\-\-no\-dns\-updates] [\-U username[%password]] [createupn=UPN] [createcomputer=OU] [machinepass=PASS] [osName=string osVer=string] [options]"
.PP
Join a domain\&. If the account already exists on the server, and [TYPE] is MEMBER, the machine will attempt to join automatically (assuming that the machine has been created in server manager)\&. Otherwise, a password will be prompted for, and a new account may be created\&.
.PP
[TYPE] may be PDC, BDC or MEMBER to specify the type of server joining the domain\&.
.PP
[UPN] (ADS only) set the principalname attribute during the join\&. The default format is host/netbiosname@REALM\&.
.PP
[OU] (ADS only) Precreate the computer account in a specific OU\&. The OU string reads from top to bottom without RDNs, and is delimited by a \*(Aq/\*(Aq\&. Please note that \*(Aq\e\*(Aq is used for escape by both the shell and ldap, so it may need to be doubled or quadrupled to pass through, and it is not used as a delimiter\&.
.PP
[PASS] (ADS only) Set a specific password on the computer account being created by the join\&.
.PP
[osName=string osVer=String] (ADS only) Set the operatingSystem and operatingSystemVersion attribute during the join\&. Both parameters must be specified for either to take effect\&.
.SS "[RPC] OLDJOIN [options]"
.PP
Join a domain\&. Use the OLDJOIN option to join the domain using the old style of domain joining \- you need to create a trust account in server manager first\&.
.SS "[RPC|ADS] USER"
.SS "[RPC|ADS] USER"
.PP
List all users
.SS "[RPC|ADS] USER DELETE target"
.PP
Delete specified user
.SS "[RPC|ADS] USER INFO target"
.PP
List the domain groups of the specified user\&.
.SS "[RPC|ADS] USER RENAME oldname newname"
.PP
Rename specified user\&.
.SS "[RPC|ADS] USER ADD name [password] [-F user flags] [-C comment]"
.PP
Add specified user\&.
.SS "[RPC|ADS] GROUP"
.SS "[RPC|ADS] GROUP [misc options] [targets]"
.PP
List user groups\&.
.SS "[RPC|ADS] GROUP DELETE name [misc. options]"
.PP
Delete specified group\&.
.SS "[RPC|ADS] GROUP ADD name [-C comment]"
.PP
Create specified group\&.
.SS "[ADS] LOOKUP"
.PP
Lookup the closest Domain Controller in our domain and retrieve server information about it\&.
.SS "[RAP|RPC] SHARE"
.SS "[RAP|RPC] SHARE [misc. options] [targets]"
.PP
Enumerates all exported resources (network shares) on target server\&.
.SS "[RAP|RPC] SHARE ADD name=serverpath [-C comment] [-M maxusers] [targets]"
.PP
Adds a share from a server (makes the export active)\&. Maxusers specifies the number of users that can be connected to the share simultaneously\&.
.SS "SHARE DELETE sharename"
.PP
Delete specified share\&.
.SS "[RPC|RAP] FILE"
.SS "[RPC|RAP] FILE"
.PP
List all open files on remote server\&.
.SS "[RPC|RAP] FILE CLOSE fileid"
.PP
Close file with specified
\fIfileid\fR
on remote server\&.
.SS "[RPC|RAP] FILE INFO fileid"
.PP
Print information on specified
\fIfileid\fR\&. Currently listed are: file\-id, username, locks, path, permissions\&.
.SS "[RAP|RPC] FILE USER user"
.PP
List files opened by specified
\fIuser\fR\&. Please note that
net rap file user
does not work against Samba servers\&.
.SS "SESSION"
.SS "RAP SESSION"
.PP
Without any other options, SESSION enumerates all active SMB/CIFS sessions on the target server\&.
.SS "RAP SESSION DELETE|CLOSE CLIENT_NAME"
.PP
Close the specified sessions\&.
.SS "RAP SESSION INFO CLIENT_NAME"
.PP
Give a list with all the open files in specified session\&.
.SS "RAP SERVER \fIDOMAIN\fR"
.PP
List all servers in specified domain or workgroup\&. Defaults to local domain\&.
.SS "RAP DOMAIN"
.PP
Lists all domains and workgroups visible on the current network\&.
.SS "RAP PRINTQ"
.SS "RAP PRINTQ INFO QUEUE_NAME"
.PP
Lists the specified print queue and print jobs on the server\&. If the
\fIQUEUE_NAME\fR
is omitted, all queues are listed\&.
.SS "RAP PRINTQ DELETE JOBID"
.PP
Delete job with specified id\&.
.SS "RAP VALIDATE \fIuser\fR [\fIpassword\fR]"
.PP
Validate whether the specified user can log in to the remote server\&. If the password is not specified on the command line, it will be prompted for\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
.PP
Currently NOT implemented\&.
.sp .5v
.RE
.SS "RAP GROUPMEMBER"
.SS "RAP GROUPMEMBER LIST GROUP"
.PP
List all members of the specified group\&.
.SS "RAP GROUPMEMBER DELETE GROUP USER"
.PP
Delete member from group\&.
.SS "RAP GROUPMEMBER ADD GROUP USER"
.PP
Add member to group\&.
.SS "RAP ADMIN \fIcommand\fR"
.PP
Execute the specified
\fIcommand\fR
on the remote server\&. Only works with OS/2 servers\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
.PP
Currently NOT implemented\&.
.sp .5v
.RE
.SS "RAP SERVICE"
.SS "RAP SERVICE START NAME [arguments...]"
.PP
Start the specified service on the remote server\&. Not implemented yet\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
.PP
Currently NOT implemented\&.
.sp .5v
.RE
.SS "RAP SERVICE STOP"
.PP
Stop the specified service on the remote server\&.
.if n \{\
.sp
.\}
.RS 4
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBNote\fR
.ps -1
.br
.PP
Currently NOT implemented\&.
.sp .5v
.RE
.SS "RAP PASSWORD \fIUSER\fR \fIOLDPASS\fR \fINEWPASS\fR"
.PP
Change password of
\fIUSER\fR
from
\fIOLDPASS\fR
to
\fINEWPASS\fR\&.
.SS "LOOKUP"
.SS "LOOKUP HOST HOSTNAME [TYPE]"
.PP
Lookup the IP address of the given host with the specified type (netbios suffix)\&. The type defaults to 0x20 (workstation)\&.
.SS "LOOKUP LDAP [DOMAIN]"
.PP
Give IP address of LDAP server of specified
\fIDOMAIN\fR\&. Defaults to local domain\&.
.SS "LOOKUP KDC [REALM]"
.PP
Give IP address of KDC for the specified
\fIREALM\fR\&. Defaults to local realm\&.
.SS "LOOKUP DC [DOMAIN]"
.PP
Give IP addresses of Domain Controllers for specified
\fIDOMAIN\fR\&. Defaults to local domain\&.
.SS "LOOKUP MASTER DOMAIN"
.PP
Give IP of master browser for specified
\fIDOMAIN\fR
or workgroup\&. Defaults to local domain\&.
.SS "CACHE"
.PP
Samba uses a general caching interface called \*(Aqgencache\*(Aq\&. It can be controlled using \*(AqNET CACHE\*(Aq\&.
.PP
All the timeout parameters support the suffixes:
.RS 4
s \- Seconds
.RE
.RS 4
m \- Minutes
.RE
.RS 4
h \- Hours
.RE
.RS 4
d \- Days
.RE
.RS 4
w \- Weeks
.RE
.SS "CACHE ADD key data time-out"
.PP
Add specified key+data to the cache with the given timeout\&.
.SS "CACHE DEL key"
.PP
Delete key from the cache\&.
.SS "CACHE SET key data time-out"
.PP
Update data of existing cache entry\&.
.SS "CACHE SEARCH PATTERN"
.PP
Search for the specified pattern in the cache data\&.
.SS "CACHE LIST"
.PP
List all current items in the cache\&.
.SS "CACHE FLUSH"
.PP
Remove all the current items from the cache\&.
.SS "GETLOCALSID [DOMAIN]"
.PP
Prints the SID of the specified domain, or if the parameter is omitted, the SID of the local server\&.
.SS "SETLOCALSID S\-1\-5\-21\-x\-y\-z"
.PP
Sets SID for the local server to the specified SID\&.
.SS "GETDOMAINSID"
.PP
Prints the local machine SID and the SID of the current domain\&.
.SS "SETDOMAINSID"
.PP
Sets the SID of the current domain\&.
.SS "GROUPMAP"
.PP
Manage the mappings between Windows group SIDs and UNIX groups\&. Common options include:
.RS
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
unixgroup \- Name of the UNIX group
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
ntgroup \- Name of the Windows NT group (must be resolvable to a SID)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
rid \- Unsigned 32\-bit integer
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
sid \- Full SID in the form of "S\-1\-\&.\&.\&."
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
type \- Type of the group; either \*(Aqdomain\*(Aq, \*(Aqlocal\*(Aq, or \*(Aqbuiltin\*(Aq
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
comment \- Freeform text description of the group
.RE
.sp
.RE
.SS "GROUPMAP ADD"
.PP
Add a new group mapping entry:
.sp
.if n \{\
.RS 4
.\}
.nf
net groupmap add {rid=int|sid=string} unixgroup=string \e
[type={domain|local}] [ntgroup=string] [comment=string]
.fi
.if n \{\
.RE
.\}
.sp
.SS "GROUPMAP DELETE"
.PP
Delete a group mapping entry\&. If more than one group name matches, the first entry found is deleted\&.
.PP
net groupmap delete {ntgroup=string|sid=SID}
.SS "GROUPMAP MODIFY"
.PP
Update an existing group entry\&.
.PP
.if n \{\
.RS 4
.\}
.nf
net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] \e
[comment=string] [type={domain|local}]
.fi
.if n \{\
.RE
.\}
.sp
.SS "GROUPMAP LIST"
.PP
List existing group mapping entries\&.
.PP
net groupmap list [verbose] [ntgroup=string] [sid=SID]
.SS "MAXRID"
.PP
Prints out the highest RID currently in use on the local server (by the active \*(Aqpassdb backend\*(Aq)\&.
.SS "RPC INFO"
.PP
Print information about the domain of the remote server, such as domain name, domain sid and number of users and groups\&.
.SS "[RPC|ADS] TESTJOIN"
.PP
Check whether participation in a domain is still valid\&.
.SS "[RPC|ADS] CHANGETRUSTPW"
.PP
Force change of domain trust password\&.
.SS "RPC TRUSTDOM"
.SS "RPC TRUSTDOM ADD DOMAIN"
.PP
Add an interdomain trust account for
\fIDOMAIN\fR\&. This is in fact a Samba account named
\fIDOMAIN$\fR
with the account flag
\fB\*(AqI\*(Aq\fR
(interdomain trust account)\&. This is required for incoming trusts to work\&. It makes Samba be a trusted domain of the foreign (trusting) domain\&. Users of the Samba domain will be made available in the foreign domain\&. If the command is used against localhost it has the same effect as
smbpasswd \-a \-i DOMAIN\&. Please note that both commands expect an appropriate UNIX account\&.
.SS "RPC TRUSTDOM DEL DOMAIN"
.PP
Remove interdomain trust account for
\fIDOMAIN\fR\&. If it is used against localhost it has the same effect as
smbpasswd \-x DOMAIN$\&.
.SS "RPC TRUSTDOM ESTABLISH DOMAIN"
.PP
Establish a trust relationship to a trusted domain\&. Interdomain account must already be created on the remote PDC\&. This is required for outgoing trusts to work\&. It makes Samba be a trusting domain of a foreign (trusted) domain\&. Users of the foreign domain will be made available in our domain\&. You\*(Aqll need winbind and a working idmap config to make them appear in your system\&.
.SS "RPC TRUSTDOM REVOKE DOMAIN"
.PP
Abandon relationship to trusted domain
.SS "RPC TRUSTDOM LIST"
.PP
List all interdomain trust relationships\&.
.SS "RPC TRUST"
.SS "RPC TRUST CREATE"
.PP
Create a trust object by calling lsaCreateTrustedDomainEx2\&. This can be done on a single server or on two servers at once with the possibility to use a random trust password\&.
.PP
\fBOptions:\fR
.PP
otherserver
.RS 4
Domain controller of the second domain
.RE
.PP
otheruser
.RS 4
Admin user in the second domain
.RE
.PP
otherdomainsid
.RS 4
SID of the second domain
.RE
.PP
other_netbios_domain
.RS 4
NetBIOS (short) name of the second domain
.RE
.PP
otherdomain
.RS 4
DNS (full) name of the second domain
.RE
.PP
trustpw
.RS 4
Trust password
.RE
.PP
\fBExamples:\fR
.PP
Create a trust object on srv1\&.dom1\&.dom for the domain dom2
.RS 4
.sp
.if n \{\
.RS 4
.\}
.nf
net rpc trust create \e
otherdomainsid=S\-x\-x\-xx\-xxxxxxxxxx\-xxxxxxxxxx\-xxxxxxxxx \e
other_netbios_domain=dom2 \e
otherdomain=dom2\&.dom \e
trustpw=12345678 \e
\-S srv1\&.dom1\&.dom
.fi
.if n \{\
.RE
.\}
.RE
.PP
Create a trust relationship between dom1 and dom2
.RS 4
.sp
.if n \{\
.RS 4
.\}
.nf
net rpc trust create \e
otherserver=srv2\&.dom2\&.test \e
otheruser=dom2adm \e
\-S srv1\&.dom1\&.dom
.fi
.if n \{\
.RE
.\}
.RE
.SS "RPC TRUST DELETE"
.PP
Delete a trust object by calling lsaDeleteTrustedDomain\&. This can be done on a single server or on two servers at once\&.
.PP
\fBOptions:\fR
.PP
otherserver
.RS 4
Domain controller of the second domain
.RE
.PP
otheruser
.RS 4
Admin user in the second domain
.RE
.PP
otherdomainsid
.RS 4
SID of the second domain
.RE
.PP
\fBExamples:\fR
.PP
Delete a trust object on srv1\&.dom1\&.dom for the domain dom2
.RS 4
.sp
.if n \{\
.RS 4
.\}
.nf
net rpc trust delete \e
otherdomainsid=S\-x\-x\-xx\-xxxxxxxxxx\-xxxxxxxxxx\-xxxxxxxxx \e
\-S srv1\&.dom1\&.dom
.fi
.if n \{\
.RE
.\}
.RE
.PP
Delete a trust relationship between dom1 and dom2
.RS 4
.sp
.if n \{\
.RS 4
.\}
.nf
net rpc trust delete \e
otherserver=srv2\&.dom2\&.test \e
otheruser=dom2adm \e
\-S srv1\&.dom1\&.dom
.fi
.if n \{\
.RE
.\}
.RE
.SS "RPC RIGHTS"
.PP
This subcommand is used to view and manage Samba\*(Aqs rights assignments (also referred to as privileges)\&. There are three options currently available:
\fIlist\fR,
\fIgrant\fR, and
\fIrevoke\fR\&. More details on Samba\*(Aqs privilege model and its use can be found in the Samba\-HOWTO\-Collection\&.
.SS "RPC ABORTSHUTDOWN"
.PP
Abort the shutdown of a remote server\&.
.SS "RPC SHUTDOWN [\-t timeout] [\-r] [\-f] [\-C message]"
.PP
Shut down the remote server\&.
.PP
\-r
.RS 4
Reboot after shutdown\&.
.RE
.PP
\-f
.RS 4
Force shutting down all applications\&.
.RE
.PP
\-t timeout
.RS 4
Timeout before system will be shut down\&. An interactive user of the system can use this time to cancel the shutdown\&.
.RE
.PP
\-C message
.RS 4
Display the specified message on the screen to announce the shutdown\&.
.RE
.SS "RPC SAMDUMP"
.PP
Print out sam database of remote server\&. You need to run this against the PDC, from a Samba machine joined as a BDC\&.
.SS "RPC VAMPIRE"
.PP
Export users, aliases and groups from remote server to local server\&. You need to run this against the PDC, from a Samba machine joined as a BDC\&. This vampire command cannot be used against an Active Directory, only against an NT4 Domain Controller\&.
.SS "RPC VAMPIRE KEYTAB"
.PP
Dump remote SAM database to local Kerberos keytab file\&.
.SS "RPC VAMPIRE LDIF"
.PP
Dump remote SAM database to local LDIF file or standard output\&.
.SS "RPC GETSID"
.PP
Fetch domain SID and store it in the local
secrets\&.tdb\&.
.SS "ADS LEAVE [\-\-keep\-account]"
.PP
Make the remote host leave the domain it is part of\&.
.SS "ADS STATUS"
.PP
Print out status of machine account of the local machine in ADS\&. Prints out a lot of debug info\&. This is aimed at developers; regular users should use
NET ADS TESTJOIN\&.
.SS "ADS PRINTER"
.SS "ADS PRINTER INFO [PRINTER] [SERVER]"
.PP
Lookup info for
\fIPRINTER\fR
on
\fISERVER\fR\&. The printer name defaults to "*", the server name defaults to the local host\&.
.SS "ADS PRINTER PUBLISH PRINTER"
.PP
Publish specified printer using ADS\&.
.SS "ADS PRINTER REMOVE PRINTER"
.PP
Remove specified printer from ADS directory\&.
.SS "ADS SEARCH \fIEXPRESSION\fR \fIATTRIBUTES\&.\&.\&.\fR"
.PP
Perform a raw LDAP search on an ADS server and dump the results\&. The expression is a standard LDAP search expression, and the attributes are a list of LDAP fields to show in the results\&.
.PP
Example:
\fBnet ads search \*(Aq(objectCategory=group)\*(Aq sAMAccountName\fR
.SS "ADS DN \fIDN\fR \fI(attributes)\fR"
.PP
Perform a raw LDAP search on an ADS server and dump the results\&. The DN is a standard LDAP DN, and the attributes are a list of LDAP fields to show in the result\&.
.PP
Example:
\fBnet ads dn \*(AqCN=administrator,CN=Users,DC=my,DC=domain\*(Aq SAMAccountName\fR
.SS "ADS KEYTAB \fICREATE\fR"
.PP
Creates a new keytab file if one doesn\*(Aqt exist with default entries\&. Default entries are kerberos principals created from the machinename of the client, the UPN (if it exists) and any Windows SPN(s) associated with the computer AD account for the client\&. If a keytab file already exists then only missing kerberos principals from the default entries are added\&. No changes are made to the computer AD account\&.
.SS "ADS KEYTAB \fIADD\fR \fI(principal | machine | serviceclass | windows SPN)\fR"
.PP
Adds a new keytab entry\&. The entry can be one of:
.PP
kerberos principal
.RS 4
A kerberos principal (identified by the presence of \*(Aq@\*(Aq) is just added to the keytab file\&.
.RE
.PP
machinename
.RS 4
A machinename (identified by the trailing \*(Aq$\*(Aq) is used to create a kerberos principal \*(Aqmachinename@realm\*(Aq which is added to the keytab file\&.
.RE
.PP
serviceclass
.RS 4
A serviceclass (such as \*(Aqcifs\*(Aq, \*(Aqhtml\*(Aq etc\&.) is used to create a pair of kerberos principals \*(Aqserviceclass/fully_qualified_dns_name@realm\*(Aq & \*(Aqserviceclass/netbios_name@realm\*(Aq which are added to the keytab file\&.
.RE
.PP
Windows SPN
.RS 4
A Windows SPN is of the format \*(Aqserviceclass/host:port\*(Aq, it is used to create a kerberos principal \*(Aqserviceclass/host@realm\*(Aq which will be written to the keytab file\&.
.RE
.PP
Unlike old versions, no computer AD objects are modified by this command\&. To preserve the behaviour of older clients, \*(Aqnet ads keytab add_update_ads\*(Aq is available\&.
.SS "ADS KEYTAB \fIADD_UPDATE_ADS\fR \fI(principal | machine | serviceclass | windows SPN)\fR"
.PP
Adds a new keytab entry (see section for net ads keytab add)\&. In addition to adding entries to the keytab file, corresponding Windows SPNs are created from the entry passed to this command\&. These SPN(s) are added to the AD computer account object associated with the client machine running this command for the following entry types:
.PP
serviceclass
.RS 4
A serviceclass (such as \*(Aqcifs\*(Aq, \*(Aqhtml\*(Aq etc\&.) is used to create a pair of Windows SPN(s) \*(Aqparam/full_qualified_dns\*(Aq & \*(Aqparam/netbios_name\*(Aq which are added to the AD computer account object for this client\&.
.RE
.PP
Windows SPN
.RS 4
A Windows SPN is of the format \*(Aqserviceclass/host:port\*(Aq, it is added as passed to the AD computer account object for this client\&.
.RE
.SS "ADS setspn \fISETSPN LIST [machine]\fR"
.PP
Lists the Windows SPNs stored in the \*(Aqmachine\*(Aq Windows AD Computer object\&. If \*(Aqmachine\*(Aq is not specified then the computer account for this client is used instead\&.
.SS "ADS setspn \fISETSPN ADD SPN [machine]\fR"
.PP
Adds the specified Windows SPN to the \*(Aqmachine\*(Aq Windows AD Computer object\&. If \*(Aqmachine\*(Aq is not specified then the computer account for this client is used instead\&.
.SS "ADS setspn \fISETSPN DELETE SPN [machine]\fR"
.PP
Deletes the specified Windows SPN from the \*(Aqmachine\*(Aq Windows AD Computer object\&. If \*(Aqmachine\*(Aq is not specified then the computer account for this client is used instead\&.
.SS "ADS WORKGROUP"
.PP
Print out workgroup name for specified kerberos realm\&.
.SS "ADS ENCTYPES"
.PP
List, modify or delete the value of the "msDS\-SupportedEncryptionTypes" attribute of an account in AD\&.
.PP
This attribute allows one to control which Kerberos encryption types are used for the generation of initial and service tickets\&. The value consists of an integer bitmask with the following values:
.PP
0x00000001 DES\-CBC\-CRC
.PP
0x00000002 DES\-CBC\-MD5
.PP
0x00000004 RC4\-HMAC
.PP
0x00000008 AES128\-CTS\-HMAC\-SHA1\-96
.PP
0x00000010 AES256\-CTS\-HMAC\-SHA1\-96
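.PP
The bitmask above can be decoded and audited in a few lines of shell\&. The following is an added example, not part of the Samba manual page or the Samba source: the function names and the sample accounts are hypothetical, and treating the DES and RC4 bits as weak follows RFC 6649 and RFC 8429 rather than anything stated on this page\&.
.sp
.nf
```sh
#!/bin/sh
# Added example (not from the Samba manual page): decode and audit
# msDS-SupportedEncryptionTypes values using the bit table listed above.

ENCTYPE_TABLE="1:DES-CBC-CRC 2:DES-CBC-MD5 4:RC4-HMAC 8:AES128-CTS-HMAC-SHA1-96 16:AES256-CTS-HMAC-SHA1-96"
WEAK_MASK=7   # DES (deprecated by RFC 6649) and RC4 (deprecated by RFC 8429)
AES_MASK=24   # the two AES bits; same value as the "set Computername 24" example

# is_enctype_value VALUE: succeed only for plain decimal or 0x-prefixed hex,
# so that nothing else ever reaches shell arithmetic.
is_enctype_value() {
    case $1 in
        0[xX]*)
            hex=${1#0[xX]}
            case $hex in ''|*[!0-9a-fA-F]*) return 1 ;; esac ;;
        0) ;;
        0*|''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# decode_enctypes VALUE: print the enabled encryption type names,
# space separated, lowest bit first.
decode_enctypes() {
    is_enctype_value "$1" || return 2
    names=""
    for pair in $ENCTYPE_TABLE; do
        bit=${pair%%:*}
        if [ $(( $1 & $bit )) -ne 0 ]; then
            names="${names:+$names }${pair#*:}"
        fi
    done
    printf '%s' "$names"
}

# weak_enctypes VALUE: names of the enabled DES/RC4 types (empty if none).
weak_enctypes() {
    is_enctype_value "$1" || return 2
    decode_enctypes $(( $1 & $WEAK_MASK ))
}

# aes_only_value VALUE: VALUE reduced to its AES bits, printed in decimal.
aes_only_value() {
    is_enctype_value "$1" || return 2
    printf '%s' $(( $1 & $AES_MASK ))
}

# audit_enctypes: read "account value" lines on stdin, print one verdict each.
audit_enctypes() {
    while read -r account value; do
        [ -n "$account" ] || continue
        if ! is_enctype_value "$value"; then
            echo "$account INVALID value=$value"
            continue
        fi
        weak=$(weak_enctypes "$value")
        if [ -n "$weak" ]; then
            echo "$account WEAK ($weak) aes-only=$(aes_only_value "$value")"
        elif [ $(( $value & $AES_MASK )) -ne 0 ]; then
            echo "$account OK ($(decode_enctypes "$value"))"
        else
            echo "$account EMPTY value=$value"
        fi
    done
}

# Constructed sample input (account name, attribute value); not real output.
sample_audit() {
    audit_enctypes <<EOF
fileserver1 31
webserver2 24
legacy3 0x4
broken4 twenty-four
EOF
}

sample_audit
```
.fi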
.SS "ADS ENCTYPES LIST \fI\fR"
.PP
List the value of the "msDS\-SupportedEncryptionTypes" attribute of a given account\&.
.PP
Example:
\fBnet ads enctypes list Computername\fR
.SS "ADS ENCTYPES SET \fI\fR \fI[enctypes]\fR"
.PP
Set the value of the "msDS\-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME to a given value\&. If the value is omitted, the value is set to 31 which enables all the currently supported encryption types\&.
.PP
Example:
\fBnet ads enctypes set Computername 24\fR
.SS "ADS ENCTYPES DELETE \fI\fR"
.PP
Deletes the "msDS\-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME\&.
.PP
Example:
\fBnet ads enctypes delete Computername\fR
.SS "SAM CREATEBUILTINGROUP "
.PP
(Re)Create a BUILTIN group\&. Only a well\-known set of BUILTIN groups can be created with this command\&. This is the list of currently recognized group names: Administrators, Users, Guests, Power Users, Account Operators, Server Operators, Print Operators, Backup Operators, Replicator, RAS Servers, Pre\-Windows 2000 compatible Access\&. This command requires a running Winbindd with idmap allocation properly configured\&. The group gid will be allocated out of the winbindd range\&.
.SS "SAM CREATELOCALGROUP "
.PP
Create a LOCAL group (also known as Alias)\&. This command requires a running Winbindd with idmap allocation properly configured\&. The group gid will be allocated out of the winbindd range\&.
.SS "SAM DELETELOCALGROUP "
.PP
Delete an existing LOCAL group (also known as Alias)\&.
.SS "SAM MAPUNIXGROUP "
.PP
Map an existing Unix group and make it a Domain Group, the domain group will have the same name\&.
.SS "SAM UNMAPUNIXGROUP "
.PP
Remove an existing group mapping entry\&.
.SS "SAM ADDMEM "
.PP
Add a member to a Local group\&. The group can be specified only by name, the member can be specified by name or SID\&.
.SS "SAM DELMEM "
.PP
Remove a member from a Local group\&. The group and the member must be specified by name\&.
.SS "SAM LISTMEM "
.PP
List Local group members\&. The group must be specified by name\&.
.SS "SAM LIST [verbose]"
.PP
List the specified set of accounts by name\&. If verbose is specified, the rid and description are also provided for each account\&.
.SS "SAM RIGHTS LIST"
.PP
List all available privileges\&.
.SS "SAM RIGHTS GRANT "
.PP
Grant one or more privileges to a user\&.
.SS "SAM RIGHTS REVOKE "
.PP
Revoke one or more privileges from a user\&.
.SS "SAM SHOW "
.PP
Show the full DOMAIN\e\eNAME, the SID and the type for the corresponding account\&.
.SS "SAM SET HOMEDIR "
.PP
Set the home directory for a user account\&.
.SS "SAM SET PROFILEPATH "
.PP
Set the profile path for a user account\&.
.SS "SAM SET COMMENT "
.PP
Set the comment for a user or group account\&.
.SS "SAM SET FULLNAME "
.PP
Set the full name for a user account\&.
.SS "SAM SET LOGONSCRIPT