1
<?xml version="1.0" encoding="iso-8859-1"?>
2
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
6
<refentrytitle>net</refentrytitle>
7
<manvolnum>8</manvolnum>
8
<refmiscinfo class="source">Samba</refmiscinfo>
9
<refmiscinfo class="manual">System Administration tools</refmiscinfo>
10
<refmiscinfo class="version">3.4</refmiscinfo>
15
<refname>net</refname>
16
<refpurpose>Tool for administration of Samba and remote
23
<command>net</command>
24
<arg choice="req"><ads|rap|rpc></arg>
25
<arg choice="opt">-h</arg>
26
<arg choice="opt">-w workgroup</arg>
27
<arg choice="opt">-W myworkgroup</arg>
28
<arg choice="opt">-U user</arg>
29
<arg choice="opt">-I ip-address</arg>
30
<arg choice="opt">-p port</arg>
31
<arg choice="opt">-n myname</arg>
32
<arg choice="opt">-s conffile</arg>
33
<arg choice="opt">-S server</arg>
34
<arg choice="opt">-l</arg>
35
<arg choice="opt">-P</arg>
36
<arg choice="opt">-d debuglevel</arg>
37
<arg choice="opt">-V</arg>
38
<arg choice="opt">--request-timeout seconds</arg>
43
<title>DESCRIPTION</title>
45
<para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
46
<manvolnum>7</manvolnum></citerefentry> suite.</para>
48
<para>The Samba net utility is meant to work just like the net utility
49
available for windows and DOS. The first argument should be used
50
to specify the protocol to use when executing a certain command.
51
ADS is used for ActiveDirectory, RAP is using for old (Win9x/NT3)
52
clients and RPC can be used for NT4 and Windows 2000. If this
53
argument is omitted, net will try to determine it automatically.
54
Not all commands are available on all protocols.
60
<title>OPTIONS</title>
66
<term>-w target-workgroup</term>
68
Sets target workgroup or domain. You have to specify
69
either this option or the IP address or the name of a server.
74
<term>-W workgroup</term>
76
Sets client workgroup or domain
88
<term>-I ip-address</term>
90
IP address of target server to use. You have to
91
specify either this option or a target workgroup or
99
Port on the target server to connect to (usually 139 or 445).
100
Defaults to trying 445 first, then 139.
104
&stdarg.netbios.name;
108
<term>-S server</term>
110
Name of target server. You should specify either
111
this option or a target workgroup or a target IP address.
118
When listing data, give more information on each item.
125
Make queries to the external server using the machine account of the local server.
130
<term>--request-timeout 30</term>
132
Let client requests timeout after 30 seconds the default is 10
137
&stdarg.server.debug;
142
<title>COMMANDS</title>
145
<title>CHANGESECRETPW</title>
147
<para>This command allows the Samba machine account password to be set from an external application
148
to a machine account password that has already been stored in Active Directory. DO NOT USE this command
149
unless you know exactly what you are doing. The use of this command requires that the force flag (-f)
150
be used also. There will be NO command prompt. Whatever information is piped into stdin, either by
151
typing at the command line or otherwise, will be stored as the literal machine password. Do NOT use
152
this without care and attention as it will overwrite a legitimate machine password without warning.
153
YOU HAVE BEEN WARNED.
161
<para>The <command>NET TIME</command> command allows you to view the time on a remote server
162
or synchronise the time on the local server with the time on the remote server.</para>
167
<para>Without any options, the <command>NET TIME</command> command
168
displays the time on the remote server.
174
<title>TIME SYSTEM</title>
176
<para>Displays the time on the remote server in a format ready for <command>/bin/date</command>.</para>
181
<title>TIME SET</title>
182
<para>Tries to set the date and time of the local server to that on
183
the remote server using <command>/bin/date</command>. </para>
188
<title>TIME ZONE</title>
190
<para>Displays the timezone in hours from GMT on the remote computer.</para>
196
<title>[RPC|ADS] JOIN [TYPE] [-U username[%password]] [createupn=UPN] [createcomputer=OU] [options]</title>
199
Join a domain. If the account already exists on the server, and
200
[TYPE] is MEMBER, the machine will attempt to join automatically.
201
(Assuming that the machine has been created in server manager)
202
Otherwise, a password will be prompted for, and a new account may
206
[TYPE] may be PDC, BDC or MEMBER to specify the type of server
211
[UPN] (ADS only) set the principalname attribute during the join. The default
212
format is host/netbiosname@REALM.
216
[OU] (ADS only) Precreate the computer account in a specific OU. The
217
OU string reads from top to bottom without RDNs, and is delimited by
218
a '/'. Please note that '\' is used for escape by both the shell
219
and ldap, so it may need to be doubled or quadrupled to pass through,
220
and it is not used as a delimiter.
225
<title>[RPC] OLDJOIN [options]</title>
227
<para>Join a domain. Use the OLDJOIN option to join the domain
228
using the old style of domain joining - you need to create a trust
229
account in server manager first.</para>
233
<title>[RPC|ADS] USER</title>
236
<title>[RPC|ADS] USER</title>
238
<para>List all users</para>
243
<title>[RPC|ADS] USER DELETE <replaceable>target</replaceable></title>
245
<para>Delete specified user</para>
250
<title>[RPC|ADS] USER INFO <replaceable>target</replaceable></title>
252
<para>List the domain groups of the specified user.</para>
257
<title>[RPC|ADS] USER RENAME <replaceable>oldname</replaceable> <replaceable>newname</replaceable></title>
259
<para>Rename specified user.</para>
264
<title>[RPC|ADS] USER ADD <replaceable>name</replaceable> [password] [-F user flags] [-C comment]</title>
266
<para>Add specified user.</para>
271
<title>[RPC|ADS] GROUP</title>
274
<title>[RPC|ADS] GROUP [misc options] [targets]</title>
275
<para>List user groups.</para>
279
<title>[RPC|ADS] GROUP DELETE <replaceable>name</replaceable> [misc. options]</title>
281
<para>Delete specified group.</para>
286
<title>[RPC|ADS] GROUP ADD <replaceable>name</replaceable> [-C comment]</title>
288
<para>Create specified group.</para>
294
<title>[RAP|RPC] SHARE</title>
297
<title>[RAP|RPC] SHARE [misc. options] [targets]</title>
299
<para>Enumerates all exported resources (network shares) on target server.</para>
304
<title>[RAP|RPC] SHARE ADD <replaceable>name=serverpath</replaceable> [-C comment] [-M maxusers] [targets]</title>
306
<para>Adds a share from a server (makes the export active). Maxusers
307
specifies the number of users that can be connected to the
308
share simultaneously.</para>
313
<title>SHARE DELETE <replaceable>sharename</replaceable></title>
315
<para>Delete specified share.</para>
320
<title>[RPC|RAP] FILE</title>
323
<title>[RPC|RAP] FILE</title>
325
<para>List all open files on remote server.</para>
330
<title>[RPC|RAP] FILE CLOSE <replaceable>fileid</replaceable></title>
332
<para>Close file with specified <replaceable>fileid</replaceable> on
333
remote server.</para>
338
<title>[RPC|RAP] FILE INFO <replaceable>fileid</replaceable></title>
341
Print information on specified <replaceable>fileid</replaceable>.
342
Currently listed are: file-id, username, locks, path, permissions.
348
<title>[RAP|RPC] FILE USER <replaceable>user</replaceable></title>
351
List files opened by specified <replaceable>user</replaceable>.
352
Please note that <command>net rap file user</command> does not work
353
against Samba servers.
361
<title>SESSION</title>
364
<title>RAP SESSION</title>
366
<para>Without any other options, SESSION enumerates all active SMB/CIFS
367
sessions on the target server.</para>
372
<title>RAP SESSION DELETE|CLOSE <replaceable>CLIENT_NAME</replaceable></title>
374
<para>Close the specified sessions.</para>
379
<title>RAP SESSION INFO <replaceable>CLIENT_NAME</replaceable></title>
381
<para>Give a list with all the open files in specified session.</para>
388
<title>RAP SERVER <replaceable>DOMAIN</replaceable></title>
390
<para>List all servers in specified domain or workgroup. Defaults
391
to local domain.</para>
396
<title>RAP DOMAIN</title>
398
<para>Lists all domains and workgroups visible on the
399
current network.</para>
404
<title>RAP PRINTQ</title>
407
<title>RAP PRINTQ INFO <replaceable>QUEUE_NAME</replaceable></title>
409
<para>Lists the specified print queue and print jobs on the server.
410
If the <replaceable>QUEUE_NAME</replaceable> is omitted, all
411
queues are listed.</para>
416
<title>RAP PRINTQ DELETE <replaceable>JOBID</replaceable></title>
418
<para>Delete job with specified id.</para>
425
<title>RAP VALIDATE <replaceable>user</replaceable> [<replaceable>password</replaceable>]</title>
428
Validate whether the specified user can log in to the
429
remote server. If the password is not specified on the commandline, it
438
<title>RAP GROUPMEMBER</title>
441
<title>RAP GROUPMEMBER LIST <replaceable>GROUP</replaceable></title>
443
<para>List all members of the specified group.</para>
448
<title>RAP GROUPMEMBER DELETE <replaceable>GROUP</replaceable> <replaceable>USER</replaceable></title>
450
<para>Delete member from group.</para>
455
<title>RAP GROUPMEMBER ADD <replaceable>GROUP</replaceable> <replaceable>USER</replaceable></title>
457
<para>Add member to group.</para>
464
<title>RAP ADMIN <replaceable>command</replaceable></title>
466
<para>Execute the specified <replaceable>command</replaceable> on
467
the remote server. Only works with OS/2 servers.
475
<title>RAP SERVICE</title>
478
<title>RAP SERVICE START <replaceable>NAME</replaceable> [arguments...]</title>
480
<para>Start the specified service on the remote server. Not implemented yet.</para>
487
<title>RAP SERVICE STOP</title>
489
<para>Stop the specified service on the remote server.</para>
498
<title>RAP PASSWORD <replaceable>USER</replaceable> <replaceable>OLDPASS</replaceable> <replaceable>NEWPASS</replaceable></title>
501
Change password of <replaceable>USER</replaceable> from <replaceable>OLDPASS</replaceable> to <replaceable>NEWPASS</replaceable>.
507
<title>LOOKUP</title>
510
<title>LOOKUP HOST <replaceable>HOSTNAME</replaceable> [<replaceable>TYPE</replaceable>]</title>
513
Lookup the IP address of the given host with the specified type (netbios suffix).
514
The type defaults to 0x20 (workstation).
520
<title>LOOKUP LDAP [<replaceable>DOMAIN</replaceable>]</title>
522
<para>Give IP address of LDAP server of specified <replaceable>DOMAIN</replaceable>. Defaults to local domain.</para>
527
<title>LOOKUP KDC [<replaceable>REALM</replaceable>]</title>
529
<para>Give IP address of KDC for the specified <replaceable>REALM</replaceable>.
530
Defaults to local realm.</para>
535
<title>LOOKUP DC [<replaceable>DOMAIN</replaceable>]</title>
537
<para>Give IP's of Domain Controllers for specified <replaceable>
538
DOMAIN</replaceable>. Defaults to local domain.</para>
543
<title>LOOKUP MASTER <replaceable>DOMAIN</replaceable></title>
545
<para>Give IP of master browser for specified <replaceable>DOMAIN</replaceable>
546
or workgroup. Defaults to local domain.</para>
555
<para>Samba uses a general caching interface called 'gencache'. It
556
can be controlled using 'NET CACHE'.</para>
558
<para>All the timeout parameters support the suffixes:
561
<member>s - Seconds</member>
562
<member>m - Minutes</member>
563
<member>h - Hours</member>
564
<member>d - Days</member>
565
<member>w - Weeks</member>
571
<title>CACHE ADD <replaceable>key</replaceable> <replaceable>data</replaceable> <replaceable>time-out</replaceable></title>
573
<para>Add specified key+data to the cache with the given timeout.</para>
578
<title>CACHE DEL <replaceable>key</replaceable></title>
580
<para>Delete key from the cache.</para>
585
<title>CACHE SET <replaceable>key</replaceable> <replaceable>data</replaceable> <replaceable>time-out</replaceable></title>
587
<para>Update data of existing cache entry.</para>
592
<title>CACHE SEARCH <replaceable>PATTERN</replaceable></title>
594
<para>Search for the specified pattern in the cache data.</para>
599
<title>CACHE LIST</title>
602
List all current items in the cache.
608
<title>CACHE FLUSH</title>
610
<para>Remove all the current items from the cache.</para>
617
<title>GETLOCALSID [DOMAIN]</title>
619
<para>Prints the SID of the specified domain, or if the parameter is
620
omitted, the SID of the local server.</para>
625
<title>SETLOCALSID S-1-5-21-x-y-z</title>
627
<para>Sets SID for the local server to the specified SID.</para>
632
<title>GETDOMAINSID</title>
634
<para>Prints the local machine SID and the SID of the current
640
<title>SETDOMAINSID</title>
642
<para>Sets the SID of the current domain.</para>
647
<title>GROUPMAP</title>
649
<para>Manage the mappings between Windows group SIDs and UNIX groups.
650
Common options include:</para>
653
<listitem><para>unixgroup - Name of the UNIX group</para></listitem>
654
<listitem><para>ntgroup - Name of the Windows NT group (must be
655
resolvable to a SID</para></listitem>
656
<listitem><para>rid - Unsigned 32-bit integer</para></listitem>
657
<listitem><para>sid - Full SID in the form of "S-1-..."</para></listitem>
658
<listitem><para>type - Type of the group; either 'domain', 'local',
659
or 'builtin'</para></listitem>
660
<listitem><para>comment - Freeform text description of the group</para></listitem>
664
<title>GROUPMAP ADD</title>
667
Add a new group mapping entry:
669
net groupmap add {rid=int|sid=string} unixgroup=string \
670
[type={domain|local}] [ntgroup=string] [comment=string]
677
<title>GROUPMAP DELETE</title>
679
<para>Delete a group mapping entry. If more than one group name matches, the first entry found is deleted.</para>
681
<para>net groupmap delete {ntgroup=string|sid=SID}</para>
686
<title>GROUPMAP MODIFY</title>
688
<para>Update en existing group entry.</para>
692
net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] \
693
[comment=string] [type={domain|local}]
699
<title>GROUPMAP LIST</title>
701
<para>List existing group mapping entries.</para>
703
<para>net groupmap list [verbose] [ntgroup=string] [sid=SID]</para>
711
<title>MAXRID</title>
713
<para>Prints out the highest RID currently in use on the local
714
server (by the active 'passdb backend').
720
<title>RPC INFO</title>
722
<para>Print information about the domain of the remote server,
723
such as domain name, domain sid and number of users and groups.
729
<title>[RPC|ADS] TESTJOIN</title>
731
<para>Check whether participation in a domain is still valid.</para>
736
<title>[RPC|ADS] CHANGETRUSTPW</title>
738
<para>Force change of domain trust password.</para>
743
<title>RPC TRUSTDOM</title>
746
<title>RPC TRUSTDOM ADD <replaceable>DOMAIN</replaceable></title>
748
<para>Add a interdomain trust account for <replaceable>DOMAIN</replaceable>.
749
This is in fact a Samba account named <replaceable>DOMAIN$</replaceable>
750
with the account flag <constant>'I'</constant> (interdomain trust account).
751
If the command is used against localhost it has the same effect as
752
<command>smbpasswd -a -i DOMAIN</command>. Please note that both commands
753
expect a appropriate UNIX account.
759
<title>RPC TRUSTDOM DEL <replaceable>DOMAIN</replaceable></title>
761
<para>Remove interdomain trust account for
762
<replaceable>DOMAIN</replaceable>. If it is used against localhost
763
it has the same effect as <command>smbpasswd -x DOMAIN$</command>.
769
<title>RPC TRUSTDOM ESTABLISH <replaceable>DOMAIN</replaceable></title>
772
Establish a trust relationship to a trusting domain.
773
Interdomain account must already be created on the remote PDC.
779
<title>RPC TRUSTDOM REVOKE <replaceable>DOMAIN</replaceable></title>
780
<para>Abandon relationship to trusted domain</para>
785
<title>RPC TRUSTDOM LIST</title>
787
<para>List all current interdomain trust relationships.</para>
792
<title>RPC RIGHTS</title>
794
<para>This subcommand is used to view and manage Samba's rights assignments (also
795
referred to as privileges). There are three options currently available:
796
<parameter>list</parameter>, <parameter>grant</parameter>, and
797
<parameter>revoke</parameter>. More details on Samba's privilege model and its use
798
can be found in the Samba-HOWTO-Collection.</para>
806
<title>RPC ABORTSHUTDOWN</title>
808
<para>Abort the shutdown of a remote server.</para>
813
<title>RPC SHUTDOWN [-t timeout] [-r] [-f] [-C message]</title>
815
<para>Shut down the remote server.</para>
821
Reboot after shutdown.
828
Force shutting down all applications.
833
<term>-t timeout</term>
835
Timeout before system will be shut down. An interactive
836
user of the system can use this time to cancel the shutdown.
841
<term>-C message</term>
842
<listitem><para>Display the specified message on the screen to
843
announce the shutdown.</para></listitem>
850
<title>RPC SAMDUMP</title>
852
<para>Print out sam database of remote server. You need
853
to run this against the PDC, from a Samba machine joined as a BDC. </para>
857
<title>RPC VAMPIRE</title>
859
<para>Export users, aliases and groups from remote server to
860
local server. You need to run this against the PDC, from a Samba machine joined as a BDC.
865
<title>RPC VAMPIRE KEYTAB</title>
867
<para>Dump remote SAM database to local Kerberos keytab file.
872
<title>RPC VAMPIRE LDIF</title>
874
<para>Dump remote SAM database to local LDIF file or standard output.
879
<title>RPC GETSID</title>
881
<para>Fetch domain SID and store it in the local <filename>secrets.tdb</filename>. </para>
886
<title>ADS LEAVE</title>
888
<para>Make the remote host leave the domain it is part of. </para>
893
<title>ADS STATUS</title>
895
<para>Print out status of machine account of the local machine in ADS.
896
Prints out quite some debug info. Aimed at developers, regular
897
users should use <command>NET ADS TESTJOIN</command>.</para>
902
<title>ADS PRINTER</title>
905
<title>ADS PRINTER INFO [<replaceable>PRINTER</replaceable>] [<replaceable>SERVER</replaceable>]</title>
908
Lookup info for <replaceable>PRINTER</replaceable> on <replaceable>SERVER</replaceable>. The printer name defaults to "*", the
909
server name defaults to the local host.</para>
914
<title>ADS PRINTER PUBLISH <replaceable>PRINTER</replaceable></title>
916
<para>Publish specified printer using ADS.</para>
921
<title>ADS PRINTER REMOVE <replaceable>PRINTER</replaceable></title>
923
<para>Remove specified printer from ADS directory.</para>
930
<title>ADS SEARCH <replaceable>EXPRESSION</replaceable> <replaceable>ATTRIBUTES...</replaceable></title>
932
<para>Perform a raw LDAP search on a ADS server and dump the results. The
933
expression is a standard LDAP search expression, and the
934
attributes are a list of LDAP fields to show in the results.</para>
936
<para>Example: <userinput>net ads search '(objectCategory=group)' sAMAccountName</userinput>
942
<title>ADS DN <replaceable>DN</replaceable> <replaceable>(attributes)</replaceable></title>
945
Perform a raw LDAP search on a ADS server and dump the results. The
946
DN standard LDAP DN, and the attributes are a list of LDAP fields
947
to show in the result.
950
<para>Example: <userinput>net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' SAMAccountName</userinput></para>
955
<title>ADS WORKGROUP</title>
957
<para>Print out workgroup name for specified kerberos realm.</para>
962
<title>SAM CREATEBUILTINGROUP <NAME></title>
965
(Re)Create a BUILTIN group.
966
Only a wellknown set of BUILTIN groups can be created with this command.
967
This is the list of currently recognized group names: Administrators,
968
Users, Guests, Power Users, Account Operators, Server Operators, Print
969
Operators, Backup Operators, Replicator, RAS Servers, Pre-Windows 2000
972
This command requires a running Winbindd with idmap allocation properly
973
configured. The group gid will be allocated out of the winbindd range.
979
<title>SAM CREATELOCALGROUP <NAME></title>
982
Create a LOCAL group (also known as Alias).
984
This command requires a running Winbindd with idmap allocation properly
985
configured. The group gid will be allocated out of the winbindd range.
991
<title>SAM DELETELOCALGROUP <NAME></title>
994
Delete an existing LOCAL group (also known as Alias).
1001
<title>SAM MAPUNIXGROUP <NAME></title>
1004
Map an existing Unix group and make it a Domain Group, the domain group
1005
will have the same name.
1011
<title>SAM UNMAPUNIXGROUP <NAME></title>
1014
Remove an existing group mapping entry.
1020
<title>SAM ADDMEM <GROUP> <MEMBER></title>
1023
Add a member to a Local group. The group can be specified only by name,
1024
the member can be specified by name or SID.
1030
<title>SAM DELMEM <GROUP> <MEMBER></title>
1033
Remove a member from a Local group. The group and the member must be
1040
<title>SAM LISTMEM <GROUP></title>
1043
List Local group members. The group must be specified by name.
1049
<title>SAM LIST <users|groups|localgroups|builtin|workstations> [verbose]</title>
1052
List the specified set of accounts by name. If verbose is specified,
1053
the rid and description is also provided for each account.
1059
<title>SAM RIGHTS LIST</title>
1062
List all available privileges.
1068
<title>SAM RIGHTS GRANT <NAME> <PRIVILEGE></title>
1071
Grant one or more privileges to a user.
1077
<title>SAM RIGHTS REVOKE <NAME> <PRIVILEGE></title>
1080
Revoke one or more privileges from a user.
1086
<title>SAM SHOW <NAME></title>
1089
Show the full DOMAIN\\NAME the SID and the type for the corresponding
1096
<title>SAM SET HOMEDIR <NAME> <DIRECTORY></title>
1099
Set the home directory for a user account.
1105
<title>SAM SET PROFILEPATH <NAME> <PATH></title>
1108
Set the profile path for a user account.
1114
<title>SAM SET COMMENT <NAME> <COMMENT></title>
1117
Set the comment for a user or group account.
1123
<title>SAM SET FULLNAME <NAME> <FULL NAME></title>
1126
Set the full name for a user account.
1132
<title>SAM SET LOGONSCRIPT <NAME> <SCRIPT></title>
1135
Set the logon script for a user account.
1141
<title>SAM SET HOMEDRIVE <NAME> <DRIVE></title>
1144
Set the home drive for a user account.
1150
<title>SAM SET WORKSTATIONS <NAME> <WORKSTATIONS></title>
1153
Set the workstations a user account is allowed to log in from.
1159
<title>SAM SET DISABLE <NAME></title>
1162
Set the "disabled" flag for a user account.
1168
<title>SAM SET PWNOTREQ <NAME></title>
1171
Set the "password not required" flag for a user account.
1177
<title>SAM SET AUTOLOCK <NAME></title>
1180
Set the "autolock" flag for a user account.
1186
<title>SAM SET PWNOEXP <NAME></title>
1189
Set the "password do not expire" flag for a user account.
1195
<title>SAM SET PWDMUSTCHANGENOW <NAME> [yes|no]</title>
1198
Set or unset the "password must change" flag for a user account.
1204
<title>SAM POLICY LIST</title>
1207
List the available account policies.
1213
<title>SAM POLICY SHOW <account policy></title>
1216
Show the account policy value.
1222
<title>SAM POLICY SET <account policy> <value></title>
1225
Set a value for the account policy.
1226
Valid values can be: "forever", "never", "off", or a number.
1232
<title>SAM PROVISION</title>
1235
Only available if ldapsam:editposix is set and winbindd is running.
1236
Properly populates the ldap tree with the basic accounts (Administrator)
1237
and groups (Domain Users, Domain Admins, Domain Guests) on the ldap tree.
1243
<title>IDMAP DUMP <local tdb file name></title>
1246
Dumps the mappings contained in the local tdb file specified.
1247
This command is useful to dump only the mappings produced by the idmap_tdb backend.
1253
<title>IDMAP RESTORE [input file]</title>
1256
Restore the mappings from the specified file or stdin.
1262
<title>IDMAP SECRET <DOMAIN>|ALLOC <secret></title>
1265
Store a secret for the specified domain, used primarily for domains
1266
that use idmap_ldap as a backend. In this case the secret is used
1267
as the password for the user DN used to bind to the ldap server.
1273
<title>USERSHARE</title>
1275
<para>Starting with version 3.0.23, a Samba server now supports the ability for
1276
non-root users to add user defined shares to be exported using the "net usershare"
1281
To set this up, first set up your smb.conf by adding to the [global] section:
1283
usershare path = /usr/local/samba/lib/usershares
1285
Next create the directory /usr/local/samba/lib/usershares, change the owner to root and
1286
set the group owner to the UNIX group who should have the ability to create usershares,
1287
for example a group called "serverops".
1289
Set the permissions on /usr/local/samba/lib/usershares to 01770.
1291
(Owner and group all access, no access for others, plus the sticky bit,
1292
which means that a file in that directory can be renamed or deleted only
1293
by the owner of the file).
1295
Finally, tell smbd how many usershares you will allow by adding to the [global]
1296
section of smb.conf a line such as :
1298
usershare max shares = 100.
1300
To allow 100 usershare definitions. Now, members of the UNIX group "serverops"
1301
can create user defined shares on demand using the commands below.
1304
<para>The usershare commands are:
1307
<member>net usershare add sharename path [comment [acl] [guest_ok=[y|n]]] - to add or change a user defined share.</member>
1308
<member>net usershare delete sharename - to delete a user defined share.</member>
1309
<member>net usershare info [-l|--long] [wildcard sharename] - to print info about a user defined share.</member>
1310
<member>net usershare list [-l|--long] [wildcard sharename] - to list user defined shares.</member>
1316
<title>USERSHARE ADD <replaceable>sharename</replaceable> <replaceable>path</replaceable> <replaceable>[comment]</replaceable> <replaceable>[acl]</replaceable> <replaceable>[guest_ok=[y|n]]</replaceable></title>
1319
Add or replace a new user defined share, with name "sharename".
1323
"path" specifies the absolute pathname on the system to be exported.
1324
Restrictions may be put on this, see the global smb.conf parameters:
1325
"usershare owner only", "usershare prefix allow list", and
1326
"usershare prefix deny list".
1330
The optional "comment" parameter is the comment that will appear
1331
on the share when browsed to by a client.
1334
<para>The optional "acl" field
1335
specifies which users have read and write access to the entire share.
1336
Note that guest connections are not allowed unless the smb.conf parameter
1337
"usershare allow guests" has been set. The definition of a user
1338
defined share acl is: "user:permission", where user is a valid
1339
username on the system and permission can be "F", "R", or "D".
1340
"F" stands for "full permissions", ie. read and write permissions.
1341
"D" stands for "deny" for a user, ie. prevent this user from accessing
1343
"R" stands for "read only", ie. only allow read access to this
1344
share (no creation of new files or directories or writing to files).
1348
The default if no "acl" is given is "Everyone:R", which means any
1349
authenticated user has read-only access.
1353
The optional "guest_ok" has the same effect as the parameter of the
1354
same name in smb.conf, in that it allows guest access to this user
1355
defined share. This parameter is only allowed if the global parameter
1356
"usershare allow guests" has been set to true in the smb.conf.
1359
There is no separate command to modify an existing user defined share,
1360
just use the "net usershare add [sharename]" command using the same
1361
sharename as the one you wish to modify and specify the new options
1362
you wish. The Samba smbd daemon notices user defined share modifications
1363
at connect time so will see the change immediately, there is no need
1364
to restart smbd on adding, deleting or changing a user defined share.
1368
<title>USERSHARE DELETE <replaceable>sharename</replaceable></title>
1371
Deletes the user defined share by name. The Samba smbd daemon
1372
immediately notices this change, although it will not disconnect
1373
any users currently connected to the deleted share.
1379
<title>USERSHARE INFO <replaceable>[-l|--long]</replaceable> <replaceable>[wildcard sharename]</replaceable></title>
1382
Get info on user defined shares owned by the current user matching the given pattern, or all users.
1386
net usershare info on its own dumps out info on the user defined shares that were
1387
created by the current user, or restricts them to share names that match the given
1388
wildcard pattern ('*' matches one or more characters, '?' matches only one character).
1389
If the '-l' or '--long' option is also given, it prints out info on user defined
1390
shares created by other users.
1394
The information given about a share looks like:
1399
usershare_acl=Everyone:F
1402
And is a list of the current settings of the user defined share that can be
1403
modified by the "net usershare add" command.
1409
<title>USERSHARE LIST <replaceable>[-l|--long]</replaceable> <replaceable>wildcard sharename</replaceable></title>
1412
List all the user defined shares owned by the current user matching the given pattern, or all users.
1416
net usershare list on its own list out the names of the user defined shares that were
1417
created by the current user, or restricts the list to share names that match the given
1418
wildcard pattern ('*' matches one or more characters, '?' matches only one character).
1419
If the '-l' or '--long' option is also given, it includes the names of user defined
1420
shares created by other users.
1430
<para>Starting with version 3.2.0, a Samba server can be configured by data
1431
stored in registry. This configuration data can be edited with the new "net
1436
The deployment of this configuration data can be activated in two levels from the
1437
<emphasis>smb.conf</emphasis> file: Share definitions from registry are
1438
activated by setting <parameter>registry shares</parameter> to
1439
<quote>yes</quote> in the [global] section and global configuration options are
1440
activated by setting <smbconfoption name="include">registry</smbconfoption> in
1441
the [global] section for a mixed configuration or by setting
1442
<smbconfoption name="config backend">registry</smbconfoption> in the [global]
1443
section for a registry-only configuration.
1444
See the <citerefentry><refentrytitle>smb.conf</refentrytitle>
1445
<manvolnum>5</manvolnum></citerefentry> manpage for details.
1448
<para>The conf commands are:
1450
<member>net conf list - Dump the complete configuration in smb.conf like
1452
<member>net conf import - Import configuration from file in smb.conf
1454
<member>net conf listshares - List the registry shares.</member>
1455
<member>net conf drop - Delete the complete configuration from
1457
<member>net conf showshare - Show the definition of a registry share.</member>
1458
<member>net conf addshare - Create a new registry share.</member>
1459
<member>net conf delshare - Delete a registry share.</member>
1460
<member>net conf setparm - Store a parameter.</member>
1461
<member>net conf getparm - Retrieve the value of a parameter.</member>
1462
<member>net conf delparm - Delete a parameter.</member>
1463
<member>net conf getincludes - Show the includes of a share definition.</member>
1464
<member>net conf setincludes - Set includes for a share.</member>
1465
<member>net conf delincludes - Delete includes from a share definition.</member>
1470
<title>CONF LIST</title>
1473
Print the configuration data stored in the registry in a smb.conf-like format to
1479
<title>CONF IMPORT <replaceable>[--test|-T]</replaceable> <replaceable>filename</replaceable> <replaceable>[section]</replaceable></title>
1482
This command imports configuration from a file in smb.conf format.
1483
If a section encountered in the input file is present in registry,
1484
its contents is replaced. Sections of registry configuration that have
1485
no counterpart in the input file are not affected. If you want to delete these,
1486
you will have to use the "net conf drop" or "net conf delshare" commands.
1487
Optionally, a section may be specified to restrict the effect of the
1488
import command to that specific section. A test mode is enabled by specifying
1489
the parameter "-T" on the commandline. In test mode, no changes are made to the
1490
registry, and the resulting configuration is printed to standard output instead.
1495
<title>CONF LISTSHARES</title>
1498
List the names of the shares defined in registry.
1503
<title>CONF DROP</title>
1506
Delete the complete configuration data from registry.
1511
<title>CONF SHOWSHARE <replaceable>sharename</replaceable></title>
1514
Show the definition of the share or section specified. It is valid to specify
1515
"global" as sharename to retrieve the global configuration options from
1521
<title>CONF ADDSHARE <replaceable>sharename</replaceable> <replaceable>path</replaceable> [<replaceable>writeable={y|N}</replaceable> [<replaceable>guest_ok={y|N}</replaceable> [<replaceable>comment</replaceable>]]] </title>
1523
<para>Create a new share definition in registry.
1524
The sharename and path have to be given. The share name may
1525
<emphasis>not</emphasis> be "global". Optionally, values for the very
1526
common options "writeable", "guest ok" and a "comment" may be specified.
1527
The same result may be obtained by a sequence of "net conf setparm"
1533
<title>CONF DELSHARE <replaceable>sharename</replaceable></title>
1536
Delete a share definition from registry.
1541
<title>CONF SETPARM <replaceable>section</replaceable> <replaceable>parameter</replaceable> <replaceable>value</replaceable></title>
1544
Store a parameter in registry. The section may be global or a sharename.
1545
The section is created if it does not exist yet.
1550
<title>CONF GETPARM <replaceable>section</replaceable> <replaceable>parameter</replaceable></title>
1553
Show a parameter stored in registry.
1558
<title>CONF DELPARM <replaceable>section</replaceable> <replaceable>parameter</replaceable></title>
1561
Delete a parameter stored in registry.
1566
<title>CONF GETINCLUDES <replaceable>section</replaceable></title>
1569
Get the list of includes for the provided section (global or share).
1573
Note that due to the nature of the registry database and the nature of include directives,
1574
the includes need special treatment: Parameters are stored in registry by the parameter
1575
name as valuename, so there is only ever one instance of a parameter per share.
1576
Also, a specific order like in a text file is not guaranteed. For all real
1577
parameters, this is perfectly ok, but the include directive is rather a meta
1578
parameter, for which, in the smb.conf text file, the place where it is specified
1579
between the other parameters is very important. This can not be achieved by the
1580
simple registry smbconf data model, so there is one ordered list of includes
1581
per share, and this list is evaluated after all the parameters of the share.
1585
Further note that currently, only files can be included from registry
1586
configuration. In the future, there will be the ability to include configuration
1587
data from other registry keys.
1592
<title>CONF SETINCLUDES <replaceable>section</replaceable> [<replaceable>filename</replaceable>]+</title>
1595
Set the list of includes for the provided section (global or share) to the given
1596
list of one or more filenames. The filenames may contain the usual smb.conf
1602
<title>CONF DELINCLUDES <replaceable>section</replaceable></title>
1605
Delete the list of includes from the provided section (global or share).
1612
<title>EVENTLOG</title>
1614
<para>Starting with version 3.4.0 net can read, dump, import and export native
1615
win32 eventlog files (usually *.evt). evt files are used by the native Windows eventviewer tools.
1619
The import and export of evt files can only succeed when <parameter>eventlog list</parameter> is used in
1620
<emphasis>smb.conf</emphasis> file.
1621
See the <citerefentry><refentrytitle>smb.conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry> manpage for details.
1624
<para>The eventlog commands are:
1626
<member>net eventlog dump - Dump a eventlog *.evt file on the screen.</member>
1627
<member>net eventlog import - Import a eventlog *.evt into the samba internal
1628
tdb based representation of eventlogs.</member>
1629
<member>net eventlog export - Export the samba internal tdb based representation
1630
of eventlogs into an eventlog *.evt file.</member>
1635
<title>EVENTLOG DUMP <replaceable>filename</replaceable></title>
1638
Prints a eventlog *.evt file to standard output.
1643
<title>EVENTLOG IMPORT <replaceable>filename</replaceable> <replaceable>eventlog</replaceable></title>
1646
Imports a eventlog *.evt file defined by <replaceable>filename</replaceable> into the
1647
samba internal tdb representation of eventlog defined by <replaceable>eventlog</replaceable>.
1648
<replaceable>eventlog</replaceable> needs to part of the <parameter>eventlog list</parameter>
1649
defined in smb.conf.
1650
See the <citerefentry><refentrytitle>smb.conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry> manpage for details.
1656
<title>EVENTLOG EXPORT <replaceable>filename</replaceable> <replaceable>eventlog</replaceable></title>
1659
Exports the samba internal tdb representation of eventlog defined by <replaceable>eventlog</replaceable>
1660
to a eventlog *.evt file defined by <replaceable>filename</replaceable>.
1661
<replaceable>eventlog</replaceable> needs to part of the <parameter>eventlog list</parameter>
1662
defined in smb.conf.
1663
See the <citerefentry><refentrytitle>smb.conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry> manpage for details.
1673
<para>Starting with version 3.2.0 Samba has support for remote join and unjoin APIs, both client and server-side. Windows supports remote join capabilities since Windows 2000.
1675
<para>In order for Samba to be joined or unjoined remotely an account must be used that is either member of the Domain Admins group, a member of the local Administrators group or a user that is granted the SeMachineAccountPrivilege privilege.
1678
<para>The client side support for remote join is implemented in the net dom commands which are:
1680
<member>net dom join - Join a remote computer into a domain.</member>
1681
<member>net dom unjoin - Unjoin a remote computer from a domain.</member>
1682
<member>net dom renamecomputer - Renames a remote computer joined to a domain.</member>
1687
<title>DOM JOIN <replaceable>domain=DOMAIN</replaceable> <replaceable>ou=OU</replaceable> <replaceable>account=ACCOUNT</replaceable> <replaceable>password=PASSWORD</replaceable> <replaceable>reboot</replaceable></title>
1690
Joins a computer into a domain. This command supports the following additional parameters:
1695
<listitem><para><replaceable>DOMAIN</replaceable> can be a NetBIOS domain name (also known as short domain name) or a DNS domain name for Active Directory Domains. As in Windows, it is also possible to control which Domain Controller to use. This can be achieved by appending the DC name using the \ separator character. Example: MYDOM\MYDC. The <replaceable>DOMAIN</replaceable> parameter cannot be NULL.</para></listitem>
1697
<listitem><para><replaceable>OU</replaceable> can be set to a RFC 1779 LDAP DN, like <emphasis>ou=mymachines,cn=Users,dc=example,dc=com</emphasis> in order to create the machine account in a non-default LDAP containter. This optional parameter is only supported when joining Active Directory Domains.</para></listitem>
1699
<listitem><para><replaceable>ACCOUNT</replaceable> defines a domain account that will be used to join the machine to the domain. This domain account needs to have sufficient privileges to join machines.</para></listitem>
1701
<listitem><para><replaceable>PASSWORD</replaceable> defines the password for the domain account defined with <replaceable>ACCOUNT</replaceable>.</para></listitem>
1703
<listitem><para><replaceable>REBOOT</replaceable> is an optional parameter that can be set to reboot the remote machine after successful join to the domain.</para></listitem>
1708
Note that you also need to use standard net parameters to connect and authenticate to the remote machine that you want to join. These additional parameters include: -S computer and -U user.
1712
net dom join -S xp -U XP\\administrator%secret domain=MYDOM account=MYDOM\\administrator password=topsecret reboot.
1715
This example would connect to a computer named XP as the local administrator using password secret, and join the computer into a domain called MYDOM using the MYDOM domain administrator account and password topsecret. After successful join, the computer would reboot.
1721
<title>DOM UNJOIN <replaceable>account=ACCOUNT</replaceable> <replaceable>password=PASSWORD</replaceable> <replaceable>reboot</replaceable></title>
1724
Unjoins a computer from a domain. This command supports the following additional parameters:
1729
<listitem><para><replaceable>ACCOUNT</replaceable> defines a domain account that will be used to unjoin the machine from the domain. This domain account needs to have sufficient privileges to unjoin machines.</para></listitem>
1731
<listitem><para><replaceable>PASSWORD</replaceable> defines the password for the domain account defined with <replaceable>ACCOUNT</replaceable>.</para></listitem>
1733
<listitem><para><replaceable>REBOOT</replaceable> is an optional parameter that can be set to reboot the remote machine after successful unjoin from the domain.</para></listitem>
1738
Note that you also need to use standard net parameters to connect and authenticate to the remote machine that you want to unjoin. These additional parameters include: -S computer and -U user.
1742
net dom unjoin -S xp -U XP\\administrator%secret account=MYDOM\\administrator password=topsecret reboot.
1745
This example would connect to a computer named XP as the local administrator using password secret, and unjoin the computer from the domain using the MYDOM domain administrator account and password topsecret. After successful unjoin, the computer would reboot.
1751
<title>DOM RENAMECOMPUTER <replaceable>newname=NEWNAME</replaceable> <replaceable>account=ACCOUNT</replaceable> <replaceable>password=PASSWORD</replaceable> <replaceable>reboot</replaceable></title>
1754
Renames a computer that is joined to a domain. This command supports the following additional parameters:
1759
<listitem><para><replaceable>NEWNAME</replaceable> defines the new name of the machine in the domain.</para></listitem>
1761
<listitem><para><replaceable>ACCOUNT</replaceable> defines a domain account that will be used to rename the machine in the domain. This domain account needs to have sufficient privileges to rename machines.</para></listitem>
1763
<listitem><para><replaceable>PASSWORD</replaceable> defines the password for the domain account defined with <replaceable>ACCOUNT</replaceable>.</para></listitem>
1765
<listitem><para><replaceable>REBOOT</replaceable> is an optional parameter that can be set to reboot the remote machine after successful rename in the domain.</para></listitem>
1770
Note that you also need to use standard net parameters to connect and authenticate to the remote machine that you want to rename in the domain. These additional parameters include: -S computer and -U user.
1774
net dom renamecomputer -S xp -U XP\\administrator%secret newname=XPNEW account=MYDOM\\administrator password=topsecret reboot.
1777
This example would connect to a computer named XP as the local administrator using password secret, and rename the joined computer to XPNEW using the MYDOM domain administrator account and password topsecret. After successful rename, the computer would reboot.
1785
<title>HELP [COMMAND]</title>
1787
<para>Gives usage information for the specified command.</para>
1794
<title>VERSION</title>
1796
<para>This man page is complete for version 3 of the Samba
1801
<title>AUTHOR</title>
1803
<para>The original Samba software and related utilities
1804
were created by Andrew Tridgell. Samba is now developed
1805
by the Samba Team as an Open Source project similar
1806
to the way the Linux kernel is developed.</para>
1808
<para>The net manpage was written by Jelmer Vernooij.</para>