NET(8) | System Administration tools | NET(8) |
net - Tool for administration of Samba and remote CIFS servers.
net {<ads|rap|rpc>} [-h|--help] [-d|--debuglevel=DEBUGLEVEL] [--debug-stdout] [--configfile=CONFIGFILE] [--option=name=value] [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full] [-R|--name-resolve=NAME-RESOLVE-ORDER] [-O|--socket-options=SOCKETOPTIONS] [-m|--max-protocol=MAXPROTOCOL] [-n|--netbiosname=NETBIOSNAME] [--netbios-scope=SCOPE] [-W|--workgroup=WORKGROUP] [--realm=REALM] [-U|--user=[DOMAIN/]USERNAME[%PASSWORD]] [-N|--no-pass] [--password=STRING] [--pw-nt-hash] [-A|--authentication-file=FILE] [-P|--machine-pass] [--simple-bind-dn=DN] [--use-kerberos=desired|required|off] [--use-krb5-ccache=CCACHE] [--use-winbind-ccache] [--client-protection=sign|encrypt|off] [-V|--version] [-w|--target-workgroup workgroup] [-I|--ipaddress ip-address] [-p|--port port] [--myname] [-S|--server server] [--long] [-v|--verbose] [-f|--force] [--request-timeout seconds] [-t|--timeout seconds] [--dns-ttl TTL-IN-SECONDS] [-i|--stdin] [--witness-registration=REGISTRATION_UUID] [--witness-net-name=REGEX] [--witness-share-name=REGEX] [--witness-ip-address=REGEX] [--witness-client-computer-name=REGEX] [--witness-apply-to-all] [--witness-new-node=NODEID] [--witness-new-ip=IPADDRESS] [--witness-forced-response=JSON]
This tool is part of the samba(7) suite.
The Samba net utility is meant to work just like the net utility available for windows and DOS. The first argument should be used to specify the protocol to use when executing a certain command. ADS is used for ActiveDirectory, RAP is using for old (Win9x/NT3) clients and RPC can be used for NT4 and Windows 2000. If this argument is omitted, net will try to determine it automatically. Not all commands are available on all protocols.
-w|--target-workgroup target-workgroup
-I|--ipaddress ip-address
-p|--port port
-S|--server server
--long
-v|--verbose
-f|--force
--request-timeout 30
-t|--timeout 30
-i|--stdin
-T|--test
-F|--flags FLAGS
-C|--comment COMMENT
--myname MYNAME
-c|--container CONTAINER
-M|--maxusers MAXUSERS
-r|--reboot
--force-full-repl
--single-obj-repl
--clean-old-entries
--db
--lock
-a|--auto
--repair
--acls
--attrs
--timestamps
-X|--exclude DIRECTORY
--destination SERVERNAME
-L|--local
-D|--domain
-N|--ntname NTNAME
--rid RID
--reg-version REG_VERSION
-o|--output FILENAME
--wipe
--precheck PRECHECK_DB_FILENAME
--no-dns-updates
--keep-account
--json
--recursive
--continue
--follow-symlinks
--dns-ttl TTL-IN-SECONDS
--witness-registration=REGISTRATION_UUID
--witness-net-name=REGEX
--witness-share-name=REGEX
--witness-ip-address=REGEX
--witness-client-computer-name=REGEX
--witness-apply-to-all
--witness-new-node=NODEID
--witness-new-ip=IPADDRESS
--witness-forced-response=JSON
-d|--debuglevel=DEBUGLEVEL
The higher this value, the more detail will be logged to the log files about the activities of the server. At level 0, only critical errors and serious warnings will be logged. Level 1 is a reasonable level for day-to-day running - it generates a small amount of information about operations carried out.
Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic.
Note that specifying this parameter here will override the log level parameter in the /etc/samba/smb.conf file.
--debug-stdout
--configfile=<configuration file>
--option=<name>=<value>
-l|--log-basename=logdirectory
--leak-report
--leak-report-full
-V|--version
-R|--name-resolve=NAME-RESOLVE-ORDER
The options are: "lmhosts", "host", "wins" and "bcast". They cause names to be resolved as follows:
The default order is lmhosts, host, wins, bcast. Without this parameter or any entry in the name resolve order parameter of the /etc/samba/smb.conf file, the name resolution methods will be attempted in this order.
-O|--socket-options=SOCKETOPTIONS
-m|--max-protocol=MAXPROTOCOL
Note that specifying this parameter here will override the client max protocol parameter in the /etc/samba/smb.conf file.
-n|--netbiosname=NETBIOSNAME
--netbios-scope=SCOPE
-W|--workgroup=WORKGROUP
Note that specifying this parameter here will override the workgroup parameter in the /etc/samba/smb.conf file.
-r|--realm=REALM
Note that specifying this parameter here will override the realm parameter in the /etc/samba/smb.conf file.
-U|--user=[DOMAIN\]USERNAME[%PASSWORD]
If %PASSWORD is not specified, the user will be prompted. The client will first check the USER environment variable (which is also permitted to also contain the password separated by a %), then the LOGNAME variable (which is not permitted to contain a password) and if either exists, the value is used. If these environmental variables are not found, the username found in a Kerberos Credentials cache may be used.
A third option is to use a credentials file which contains the plaintext of the username and password. This option is mainly provided for scripts where the admin does not wish to pass the credentials on the command line or via environment variables. If this method is used, make certain that the permissions on the file restrict access from unwanted users. See the -A for more details.
Be cautious about including passwords in scripts or passing user-supplied values onto the command line. For security it is better to let the Samba client tool ask for the password if needed, or obtain the password once with kinit.
While Samba will attempt to scrub the password from the process title (as seen in ps), this is after startup and so is subject to a race.
-N|--no-pass
Unless a password is specified on the command line or this parameter is specified, the client will request a password.
If a password is specified on the command line and this option is also defined the password on the command line will be silently ignored and no password will be used.
--password
Be cautious about including passwords in scripts or passing user-supplied values onto the command line. For security it is better to let the Samba client tool ask for the password if needed, or obtain the password once with kinit.
If --password is not specified, the tool will check the PASSWD environment variable, followed by PASSWD_FD which is expected to contain an open file descriptor (FD) number.
Finally it will check PASSWD_FILE (containing a file path to be opened). The file should only contain the password. Make certain that the permissions on the file restrict access from unwanted users!
While Samba will attempt to scrub the password from the process title (as seen in ps), this is after startup and so is subject to a race.
--pw-nt-hash
-A|--authentication-file=filename
username = <value> password = <value> domain = <value>
Make certain that the permissions on the file restrict access from unwanted users!
-P|--machine-pass
--simple-bind-dn=DN
--use-kerberos=desired|required|off
Note that specifying this parameter here will override the client use kerberos parameter in the /etc/samba/smb.conf file.
--use-krb5-ccache=CCACHE
This will set --use-kerberos=required too.
--use-winbind-ccache
--client-protection=sign|encrypt|off
Note that specifying this parameter here will override the client protection parameter in the /etc/samba/smb.conf file.
In case you need more fine grained control you can use: --option=clientsmbencrypt=OPTION, --option=clientipcsigning=OPTION, --option=clientsigning=OPTION.
This command allows the Samba machine account password to be set from an external application to a machine account password that has already been stored in Active Directory. DO NOT USE this command unless you know exactly what you are doing. The use of this command requires that the force flag (-f) be used also. There will be NO command prompt. Whatever information is piped into stdin, either by typing at the command line or otherwise, will be stored as the literal machine password. Do NOT use this without care and attention as it will overwrite a legitimate machine password without warning. YOU HAVE BEEN WARNED.
The NET TIME command allows you to view the time on a remote server or synchronise the time on the local server with the time on the remote server.
Without any options, the NET TIME command displays the time on the remote server. The remote server must be specified with the -S option.
Displays the time on the remote server in a format ready for /bin/date. The remote server must be specified with the -S option.
Tries to set the date and time of the local server to that on the remote server using /bin/date. The remote server must be specified with the -S option.
Displays the timezone in hours from GMT on the remote server. The remote server must be specified with the -S option.
Join a domain. If the account already exists on the server, and [TYPE] is MEMBER, the machine will attempt to join automatically. (Assuming that the machine has been created in server manager) Otherwise, a password will be prompted for, and a new account may be created.
[TYPE] may be PDC, BDC or MEMBER to specify the type of server joining the domain.
[FQDN] (ADS only) set the dnsHostName attribute during the join. The default format is netbiosname.dnsdomain.
[UPN] (ADS only) set the principalname attribute during the join. The default format is host/netbiosname@REALM.
[OU] (ADS only) Precreate the computer account in a specific OU. The OU string reads from top to bottom without RDNs, and is delimited by a '/'. Please note that '\' is used for escape by both the shell and ldap, so it may need to be doubled or quadrupled to pass through, and it is not used as a delimiter.
[PASS] (ADS only) Set a specific password on the computer account being created by the join.
[osName=string osVer=String] (ADS only) Set the operatingSystem and operatingSystemVersion attribute during the join. Both parameters must be specified for either to take effect.
Join a domain. Use the OLDJOIN option to join the domain using the old style of domain joining - you need to create a trust account in server manager first.
List all users
Delete specified user
List the domain groups of the specified user.
Rename specified user.
Add specified user.
List user groups.
Delete specified group.
Create specified group.
Lookup the closest Domain Controller in our domain and retrieve server information about it.
Enumerates all exported resources (network shares) on target server.
Adds a share from a server (makes the export active). Maxusers specifies the number of users that can be connected to the share simultaneously.
Delete specified share.
List all open files on remote server.
Close file with specified fileid on remote server.
Print information on specified fileid. Currently listed are: file-id, username, locks, path, permissions.
List files opened by specified user. Please note that net rap file user does not work against Samba servers.
Without any other options, SESSION enumerates all active SMB/CIFS sessions on the target server.
Close the specified sessions.
Give a list with all the open files in specified session.
List all servers in specified domain or workgroup. Defaults to local domain.
Lists all domains and workgroups visible on the current network.
Lists the specified print queue and print jobs on the server. If the QUEUE_NAME is omitted, all queues are listed.
Delete job with specified id.
Validate whether the specified user can log in to the remote server. If the password is not specified on the commandline, it will be prompted.
Currently NOT implemented.
List all members of the specified group.
Delete member from group.
Add member to group.
Execute the specified command on the remote server. Only works with OS/2 servers.
Currently NOT implemented.
Start the specified service on the remote server. Not implemented yet.
Currently NOT implemented.
Stop the specified service on the remote server.
Currently NOT implemented.
Change password of USER from OLDPASS to NEWPASS.
Lookup the IP address of the given host with the specified type (netbios suffix). The type defaults to 0x20 (workstation).
Give IP address of LDAP server of specified DOMAIN. Defaults to local domain.
Give IP address of KDC for the specified REALM. Defaults to local realm.
Give IP's of Domain Controllers for specified DOMAIN. Defaults to local domain.
Give IP of master browser for specified DOMAIN or workgroup. Defaults to local domain.
Lookup username's sid and type for specified NAME
Give sid's name and type for specified SID
Give Domain Controller information for specified domain NAME
Samba uses a general caching interface called 'gencache'. It can be controlled using 'NET CACHE'.
All the timeout parameters support the suffixes:
Add specified key+data to the cache with the given timeout.
Delete key from the cache.
Update data of existing cache entry.
Search for the specified pattern in the cache data.
List all current items in the cache.
Remove all the current items from the cache.
Prints the SID of the specified domain, or if the parameter is omitted, the SID of the local server.
Sets SID for the local server to the specified SID.
Prints the local machine SID and the SID of the current domain.
Sets the SID of the current domain.
Manage the mappings between Windows group SIDs and UNIX groups. Common options include:
Add a new group mapping entry:
net groupmap add {rid=int|sid=string} unixgroup=string \ [type={domain|local}] [ntgroup=string] [comment=string]
Delete a group mapping entry. If more than one group name matches, the first entry found is deleted.
net groupmap delete {ntgroup=string|sid=SID}
Update an existing group entry.
net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] \
[comment=string] [type={domain|local}]
List existing group mapping entries.
net groupmap list [verbose] [ntgroup=string] [sid=SID]
Prints out the highest RID currently in use on the local server (by the active 'passdb backend').
Print information about the domain of the remote server, such as domain name, domain sid and number of users and groups.
Check whether participation in a domain is still valid.
Force change of domain trust password.
Add a interdomain trust account for DOMAIN. This is in fact a Samba account named DOMAIN$ with the account flag 'I' (interdomain trust account). This is required for incoming trusts to work. It makes Samba be a trusted domain of the foreign (trusting) domain. Users of the Samba domain will be made available in the foreign domain. If the command is used against localhost it has the same effect as smbpasswd -a -i DOMAIN. Please note that both commands expect a appropriate UNIX account.
Remove interdomain trust account for DOMAIN. If it is used against localhost it has the same effect as smbpasswd -x DOMAIN$.
Establish a trust relationship to a trusted domain. Interdomain account must already be created on the remote PDC. This is required for outgoing trusts to work. It makes Samba be a trusting domain of a foreign (trusted) domain. Users of the foreign domain will be made available in our domain. You'll need winbind and a working idmap config to make them appear in your system.
Abandon relationship to trusted domain
List all interdomain trust relationships.
Create a trust object by calling lsaCreateTrustedDomainEx2. The can be done on a single server or on two servers at once with the possibility to use a random trust password.
Options:
otherserver
otheruser
otherdomainsid
other_netbios_domain
otherdomain
trustpw
Examples:
Create a trust object on srv1.dom1.dom for the domain dom2
net rpc trust create \
otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
other_netbios_domain=dom2 \
otherdomain=dom2.dom \
trustpw=12345678 \
-S srv1.dom1.dom
Create a trust relationship between dom1 and dom2
net rpc trust create \
otherserver=srv2.dom2.test \
otheruser=dom2adm \
-S srv1.dom1.dom
Delete a trust object by calling lsaDeleteTrustedDomain. The can be done on a single server or on two servers at once.
Options:
otherserver
otheruser
otherdomainsid
Examples:
Delete a trust object on srv1.dom1.dom for the domain dom2
net rpc trust delete \
otherdomainsid=S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx \
-S srv1.dom1.dom
Delete a trust relationship between dom1 and dom2
net rpc trust delete \
otherserver=srv2.dom2.test \
otheruser=dom2adm \
-S srv1.dom1.dom
This subcommand is used to view and manage Samba's rights assignments (also referred to as privileges). There are three options currently available: list, grant, and revoke. More details on Samba's privilege model and its use can be found in the Samba-HOWTO-Collection.
Abort the shutdown of a remote server.
Shut down the remote server.
-r
-f
-t timeout
-C message
Print out sam database of remote server. You need to run this against the PDC, from a Samba machine joined as a BDC.
Export users, aliases and groups from remote server to local server. You need to run this against the PDC, from a Samba machine joined as a BDC. This vampire command cannot be used against an Active Directory, only against an NT4 Domain Controller.
Dump remote SAM database to local Kerberos keytab file.
Dump remote SAM database to local LDIF file or standard output.
Fetch domain SID and store it in the local secrets.tdb.
Apply GPOs for a username or machine name. Either username or machine name should be provided to the command, not both.
List specified GPO.
Link a container to a GPO. LINKDN Container to link to a GPO. GPODN GPO to link container to. DNs must be provided properly escaped. See RFC 4514 for details.
Lists gPLink of a container.
Lists all GPOs for a username or machine name. Either username or machine name should be provided to the command, not both.
Lists all GPOs on a DC.
Lists all GPOs assigned to an account and download them. USERNAME User to refresh GPOs for. MACHINENAME Machine to refresh GPOs for.
Add host dns entry to Active Directory.
Remove host dns entry from Active Directory.
Make the remote host leave the domain it is part of.
Print out status of machine account of the local machine in ADS. Prints out quite some debug info. Aimed at developers, regular users should use NET ADS TESTJOIN.
Lookup info for PRINTER on SERVER. The printer name defaults to "*", the server name defaults to the local host.
Publish specified printer using ADS.
Remove specified printer from ADS directory.
Perform a raw LDAP search on a ADS server and dump the results. The expression is a standard LDAP search expression, and the attributes are a list of LDAP fields to show in the results.
Example: net ads search '(objectCategory=group)' sAMAccountName
Perform a raw LDAP search on a ADS server and dump the results. The DN standard LDAP DN, and the attributes are a list of LDAP fields to show in the result.
Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' SAMAccountName
Creates a new keytab file if one doesn't exist with default entries. Default entries are kerberos principals created from the machinename of the client, the UPN (if it exists) and any Windows SPN(s) associated with the computer AD account for the client. If a keytab file already exists then only missing kerberos principals from the default entries are added. No changes are made to the computer AD account.
Adds a new keytab entry, the entry can be either;
kerberos principal
machinename
serviceclass
Windows SPN
Unlike old versions no computer AD objects are modified by this command. To preserve the behaviour of older clients 'net ads keytab ad_update_ads' is available.
Adds a new keytab entry (see section for net ads keytab add). In addition to adding entries to the keytab file corresponding Windows SPNs are created from the entry passed to this command. These SPN(s) added to the AD computer account object associated with the client machine running this command for the following entry types;
serviceclass
Windows SPN
Lists the Windows SPNs stored in the 'machine' Windows AD Computer object. If 'machine' is not specified then computer account for this client is used instead.
Adds the specified Windows SPN to the 'machine' Windows AD Computer object. If 'machine' is not specified then computer account for this client is used instead.
DELETE the specified Window SPN from the 'machine' Windows AD Computer object. If 'machine' is not specified then computer account for this client is used instead.
Print out workgroup name for specified kerberos realm.
List, modify or delete the value of the "msDS-SupportedEncryptionTypes" attribute of an account in AD.
This attribute allows one to control which Kerberos encryption types are used for the generation of initial and service tickets. The value consists of an integer bitmask with the following values:
0x00000001 DES-CBC-CRC
0x00000002 DES-CBC-MD5
0x00000004 RC4-HMAC
0x00000008 AES128-CTS-HMAC-SHA1-96
0x00000010 AES256-CTS-HMAC-SHA1-96
List the value of the "msDS-SupportedEncryptionTypes" attribute of a given account.
Example: net ads enctypes list Computername
Set the value of the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME to a given value. If the value is omitted, the value is set to 31 which enables all the currently supported encryption types.
Example: net ads enctypes set Computername 24
Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME.
Example: net ads enctypes set Computername 24
(Re)Create a BUILTIN group. Only a wellknown set of BUILTIN groups can be created with this command. This is the list of currently recognized group names: Administrators, Users, Guests, Power Users, Account Operators, Server Operators, Print Operators, Backup Operators, Replicator, RAS Servers, Pre-Windows 2000 compatible Access. This command requires a running Winbindd with idmap allocation properly configured. The group gid will be allocated out of the winbindd range.
Create a LOCAL group (also known as Alias). This command requires a running Winbindd with idmap allocation properly configured. The group gid will be allocated out of the winbindd range.
Delete an existing LOCAL group (also known as Alias).
Map an existing Unix group and make it a Domain Group, the domain group will have the same name.
Remove an existing group mapping entry.
Add a member to a Local group. The group can be specified only by name, the member can be specified by name or SID.
Remove a member from a Local group. The group and the member must be specified by name.
List Local group members. The group must be specified by name.
List the specified set of accounts by name. If verbose is specified, the rid and description is also provided for each account.
List all available privileges.
Grant one or more privileges to a user.
Revoke one or more privileges from a user.
Show the full DOMAIN\\NAME the SID and the type for the corresponding account.
Set the home directory for a user account.
Set the profile path for a user account.
Set the comment for a user or group account.
Set the full name for a user account.
Set the logon script for a user account.
Set the home drive for a user account.
Set the workstations a user account is allowed to log in from.
Set the "disabled" flag for a user account.
Set the "password not required" flag for a user account.
Set the "autolock" flag for a user account.
Set the "password do not expire" flag for a user account.
Set or unset the "password must change" flag for a user account.
List the available account policies.
Show the account policy value.
Set a value for the account policy. Valid values can be: "forever", "never", "off", or a number.
Only available if ldapsam:editposix is set and winbindd is running. Properly populates the ldap tree with the basic accounts (Administrator) and groups (Domain Users, Domain Admins, Domain Guests) on the ldap tree.
Dumps the mappings contained in the local tdb file specified. This command is useful to dump only the mappings produced by the idmap_tdb backend.
Restore the mappings from the specified file or stdin.
Store a secret for the specified domain, used primarily for domains that use idmap_ldap as a backend. In this case the secret is used as the password for the user DN used to bind to the ldap server.
Store a domain-range mapping for a given domain (and index) in autorid database.
Update CONFIG entry in autorid database.
Get the range for a given domain and index from autorid database.
Get ranges for all domains or for one identified by given SID.
Get CONFIG entry from autorid database.
Delete a mapping sid <-> gid or sid <-> uid from the IDMAP database. The mapping is given by <ID> which may either be a sid: S-x-..., a gid: "GID number" or a uid: "UID number". Use -f to delete an invalid partial mapping <ID> -> xx
Use "smbcontrol all idmap ..." to notify running smbd instances. See the smbcontrol(1) manpage for details.
Delete a domain range mapping identified by 'RANGE' or "domain SID and INDEX" from autorid database. Use -f to delete invalid mappings.
Delete all domain range mappings for a domain identified by SID. Use -f to delete invalid mappings.
Check and repair the IDMAP database. If no option is given a read only check of the database is done. Among others an interactive or automatic repair mode may be chosen with one of the following options:
-r|--repair
-a|--auto
-v|--verbose
-f|--force
-T|--test
-l|--lock
--db <DB>
Missing reverse mapping:
Invalid mapping:
Missing or invalid HWM:
Invalid record:
Starting with version 3.0.23, a Samba server now supports the ability for non-root users to add user defined shares to be exported using the "net usershare" commands.
To set this up, first set up your /etc/samba/smb.conf by adding to the [global] section: usershare path = /usr/local/samba/lib/usershares Next create the directory /usr/local/samba/lib/usershares, change the owner to root and set the group owner to the UNIX group who should have the ability to create usershares, for example a group called "serverops". Set the permissions on /usr/local/samba/lib/usershares to 01770. (Owner and group all access, no access for others, plus the sticky bit, which means that a file in that directory can be renamed or deleted only by the owner of the file). Finally, tell smbd how many usershares you will allow by adding to the [global] section of /etc/samba/smb.conf a line such as : usershare max shares = 100. To allow 100 usershare definitions. Now, members of the UNIX group "serverops" can create user defined shares on demand using the commands below.
The usershare commands are:
Add or replace a new user defined share, with name "sharename".
"path" specifies the absolute pathname on the system to be exported. Restrictions may be put on this, see the global /etc/samba/smb.conf parameters: "usershare owner only", "usershare prefix allow list", and "usershare prefix deny list".
The optional "comment" parameter is the comment that will appear on the share when browsed to by a client.
The optional "acl" field specifies which users have read and write access to the entire share. Note that guest connections are not allowed unless the /etc/samba/smb.conf parameter "usershare allow guests" has been set. The definition of a user defined share acl is: "user:permission", where user is a valid username on the system and permission can be "F", "R", or "D". "F" stands for "full permissions", ie. read and write permissions. "D" stands for "deny" for a user, ie. prevent this user from accessing this share. "R" stands for "read only", ie. only allow read access to this share (no creation of new files or directories or writing to files).
The default if no "acl" is given is "Everyone:R", which means any authenticated user has read-only access.
The optional "guest_ok" has the same effect as the parameter of the same name in /etc/samba/smb.conf, in that it allows guest access to this user defined share. This parameter is only allowed if the global parameter "usershare allow guests" has been set to true in the /etc/samba/smb.conf.
There is no separate command to modify an existing user defined share, just use the "net usershare add [sharename]" command using the same sharename as the one you wish to modify and specify the new options you wish. The Samba smbd daemon notices user defined share modifications at connect time so will see the change immediately, there is no need to restart smbd on adding, deleting or changing a user defined share.
Deletes the user defined share by name. The Samba smbd daemon immediately notices this change, although it will not disconnect any users currently connected to the deleted share.
Get info on user defined shares owned by the current user matching the given pattern, or all users.
net usershare info on its own dumps out info on the user defined shares that were created by the current user, or restricts them to share names that match the given wildcard pattern ('*' matches one or more characters, '?' matches only one character). If the '--long' option is also given, it prints out info on user defined shares created by other users.
The information given about a share looks like: [foobar] path=/home/jeremy comment=testme usershare_acl=Everyone:F guest_ok=n And is a list of the current settings of the user defined share that can be modified by the "net usershare add" command.
List all the user defined shares owned by the current user matching the given pattern, or all users.
net usershare list on its own list out the names of the user defined shares that were created by the current user, or restricts the list to share names that match the given wildcard pattern ('*' matches one or more characters, '?' matches only one character). If the '--long' option is also given, it includes the names of user defined shares created by other users.
Starting with version 3.2.0, a Samba server can be configured by data stored in registry. This configuration data can be edited with the new "net conf" commands. There is also the possibility to configure a remote Samba server by enabling the RPC conf mode and specifying the address of the remote server.
The deployment of this configuration data can be activated in two levels from the /etc/samba/smb.conf file: Share definitions from registry are activated by setting registry shares to “yes” in the [global] section and global configuration options are activated by setting include = registry in the [global] section for a mixed configuration or by setting config backend = registry in the [global] section for a registry-only configuration. See the smb.conf(5) manpage for details.
The conf commands are:
Print the configuration data stored in the registry in a smb.conf-like format to standard output.
This command imports configuration from a file in smb.conf format. If a section encountered in the input file is present in registry, its contents is replaced. Sections of registry configuration that have no counterpart in the input file are not affected. If you want to delete these, you will have to use the "net conf drop" or "net conf delshare" commands. Optionally, a section may be specified to restrict the effect of the import command to that specific section. A test mode is enabled by specifying the parameter "-T" on the commandline. In test mode, no changes are made to the registry, and the resulting configuration is printed to standard output instead.
List the names of the shares defined in registry.
Delete the complete configuration data from registry.
Show the definition of the share or section specified. It is valid to specify "global" as sharename to retrieve the global configuration options from registry.
Create a new share definition in registry. The sharename and path have to be given. The share name may not be "global". Optionally, values for the very common options "writeable", "guest ok" and a "comment" may be specified. The same result may be obtained by a sequence of "net conf setparm" commands.
Delete a share definition from registry.
Store a parameter in registry. The section may be global or a sharename. The section is created if it does not exist yet.
Show a parameter stored in registry.
Delete a parameter stored in registry.
Get the list of includes for the provided section (global or share).
Note that due to the nature of the registry database and the nature of include directives, the includes need special treatment: Parameters are stored in registry by the parameter name as valuename, so there is only ever one instance of a parameter per share. Also, a specific order like in a text file is not guaranteed. For all real parameters, this is perfectly ok, but the include directive is rather a meta parameter, for which, in the smb.conf text file, the place where it is specified between the other parameters is very important. This can not be achieved by the simple registry smbconf data model, so there is one ordered list of includes per share, and this list is evaluated after all the parameters of the share.
Further note that currently, only files can be included from registry configuration. In the future, there will be the ability to include configuration data from other registry keys.
Set the list of includes for the provided section (global or share) to the given list of one or more filenames. The filenames may contain the usual smb.conf macros like %I.
Delete the list of includes from the provided section (global or share).
Manipulate Samba's registry.
The registry commands are:
Enumerate subkeys and values of key.
Enumerate values of key and its subkeys.
Create a new key if not yet existing.
Delete the given key and its values from the registry, if it has no subkeys.
Delete the given key and all of its subkeys and values from the registry.
Output type and actual value of the value name of the given key.
Output the actual value of the value name of the given key.
Set the value name of an existing key. type may be one of sz, multi_sz or dword. In case of multi_sz value may be given multiple times.
Increment the DWORD value name of key by inc while holding a g_lock. inc defaults to 1.
Delete the value name of the given key.
Get the security descriptor of the given key.
Get the security descriptor of the given key as a Security Descriptor Definition Language (SDDL) string.
Set the security descriptor of the given key from a Security Descriptor Definition Language (SDDL) string sd.
Import a registration entries (.reg) file.
The following options are available:
--precheck check-file
The check-file follows the normal registry file syntax with the following semantics:
Export a key to a registration entries (.reg) file.
Convert a registration entries (.reg) file in.
Check and repair the registry database. If no option is given a read only check of the database is done. Among others an interactive or automatic repair mode may be chosen with one of the following options
-r|--repair
-a|--auto
-v|--verbose
-T|--test
-l|--lock
--reg-version={1,2,3}
[--db] <DB>
-o|--output <ODB>
--wipe
Starting with version 3.4.0 net can read, dump, import and export native win32 eventlog files (usually *.evt). evt files are used by the native Windows eventviewer tools.
The import and export of evt files can only succeed when eventlog list is used in /etc/samba/smb.conf file. See the smb.conf(5) manpage for details.
The eventlog commands are:
Prints a eventlog *.evt file to standard output.
Imports a eventlog *.evt file defined by filename into the samba internal tdb representation of eventlog defined by eventlog. eventlog needs to part of the eventlog list defined in /etc/samba/smb.conf. See the smb.conf(5) manpage for details.
Exports the samba internal tdb representation of eventlog defined by eventlog to a eventlog *.evt file defined by filename. eventlog needs to part of the eventlog list defined in /etc/samba/smb.conf. See the smb.conf(5) manpage for details.
Starting with version 3.2.0 Samba has support for remote join and unjoin APIs, both client and server-side. Windows supports remote join capabilities since Windows 2000.
In order for Samba to be joined or unjoined remotely an account must be used that is either member of the Domain Admins group, a member of the local Administrators group or a user that is granted the SeMachineAccountPrivilege privilege.
The client side support for remote join is implemented in the net dom commands which are:
Joins a computer into a domain. This command supports the following additional parameters:
Note that you also need to use standard net parameters to connect and authenticate to the remote machine that you want to join. These additional parameters include: -S computer and -U user.
Example: net dom join -S xp -U XP\\administrator%secret domain=MYDOM account=MYDOM\\administrator password=topsecret reboot.
This example would connect to a computer named XP as the local administrator using password secret, and join the computer into a domain called MYDOM using the MYDOM domain administrator account and password topsecret. After successful join, the computer would reboot.
Unjoins a computer from a domain. This command supports the following additional parameters:
Note that you also need to use standard net parameters to connect and authenticate to the remote machine that you want to unjoin. These additional parameters include: -S computer and -U user.
Example: net dom unjoin -S xp -U XP\\administrator%secret account=MYDOM\\administrator password=topsecret reboot.
This example would connect to a computer named XP as the local administrator using password secret, and unjoin the computer from the domain using the MYDOM domain administrator account and password topsecret. After successful unjoin, the computer would reboot.
Renames a computer that is joined to a domain. This command supports the following additional parameters:
Note that you also need to use standard net parameters to connect and authenticate to the remote machine that you want to rename in the domain. These additional parameters include: -S computer and -U user.
Example: net dom renamecomputer -S xp -U XP\\administrator%secret newname=XPNEW account=MYDOM\\administrator password=topsecret reboot.
This example would connect to a computer named XP as the local administrator using password secret, and rename the joined computer to XPNEW using the MYDOM domain administrator account and password topsecret. After successful rename, the computer would reboot.
Manage global locks.
Execute a shell command under a global lock. This might be useful to define the order in which several shell commands will be executed. The locking information is stored in a file called g_lock.tdb. In setups with CTDB running, the locking information will be available on all cluster nodes.
Print a list of all currently existing locknames.
Dump the locking table of a certain global lock.
Print information from tdb records.
List sharename, filename and number of share modes for a record from locking.tdb. With the optional DUMP options, dump the complete record.
Access shared filesystem through the VFS.
Convert file streams to AppleDouble files.
Options:
--recursive
--verbose
--continue
--follow-symlinks
Display the security descriptor of a file or directory.
Starting with version 4.15 Samba has support for offline join APIs. Windows supports offline join capabilities since Windows 7 and Windows 2008 R2.
The following offline commands are implemented:
Provisions a machine account in AD. This command needs network connectivity to the domain controller to succeed. This command supports the following additional parameters:
Example: net offlinejoin provision -U administrator%secret domain=MYDOM machine_name=MYHOST savefile=provisioning.txt
Requests an offline domain join by providing file-based provisioning data. This command supports the following additional parameters:
Example: net offlinejoin requestodj -U administrator%secret loadfile=provisioning.txt
Starting with version 4.20 Samba has support for the SMB Witness service in a cluster.
The following witness commands are implemented:
net witness list List witness registrations from rpcd_witness_registration.tdb.
net witness client-move Generate client move notifications for witness registrations to a new ip or node.
net witness share-move Generate share move notifications for witness registrations to a new ip or node.
net witness force-unregister Force unregistrations for witness registrations.
net witness force-response Force an AsyncNotify response based on json input (mostly for testing).
List witness registrations from rpcd_witness_registration.tdb
Note: Only supported with clustering=yes!
Machine readable output can be generated with the following option:
--json
The selection of registrations can be limited by the following options:
--witness-registration=REGISTRATION_UUID
This does a direct lookup for REGISTRATION_UUID instead of doing a database traversal.
The following options all take a POSIX Extended Regular Expression, which can further filter the selection of registrations. These options are applied as logical AND, but each REGEX allows specifying multiple strings using the pipe symbol.
--witness-net-name=REGEX
This specifies the 'server name' the client registered for monitoring.
--witness-share-name=REGEX
This specifies the 'share name' the client registered for monitoring. Note that the share name is optional in the registration, otherwise an empty string is matched.
--witness-ip-address=REGEX
This specifies the ip address the client registered for monitoring.
--witness-client-computer-name=REGEX
This specifies the client computer name the client specified in the registration. Note it is just a string chosen by the client itself.
Generate client move notifications for witness registrations to a new ip or node
Note: Only supported with clustering=yes!
Machine readable output can be generated with the following option:
--json
The selection of registrations can be limited by the following options:
--witness-registration=REGISTRATION_UUID
This does a direct lookup for REGISTRATION_UUID instead of doing a database traversal.
The following options all take a POSIX Extended Regular Expression, which can further filter the selection of registrations. These options are applied as logical AND, but each REGEX allows specifying multiple strings using the pipe symbol.
--witness-net-name=REGEX
This specifies the 'server name' the client registered for monitoring.
--witness-share-name=REGEX
This specifies the 'share name' the client registered for monitoring. Note that the share name is optional in the registration, otherwise an empty string is matched.
--witness-ip-address=REGEX
This specifies the ip address the client registered for monitoring.
--witness-client-computer-name=REGEX
This specifies the client computer name the client specified in the registration. Note it is just a string chosen by the client itself.
If the update should be applied to all registrations it needs to be explicitly specified:
--witness-apply-to-all
This selects all registrations. Note: This is mutual exclusive to the above options.
The content of the CLIENT_MOVE notification contains ip addresses specified by (exactly one) of the following options:
--witness-new-node=NODEID
By specifying a NODEID all ip addresses currently available on the given node are included in the response. By specifying '-1' as NODEID all ip addresses of the cluster are included in the response.
--witness-new-ip=IPADDRESS
By specifying an IPADDRESS only the specified ip address is included in the response.
Generate share move notifications for witness registrations to a new ip or node
Note: Only supported with clustering=yes!
Machine readable output can be generated with the following option:
--json
The selection of registrations can be limited by the following options:
--witness-registration=REGISTRATION_UUID
This does a direct lookup for REGISTRATION_UUID instead of doing a database traversal.
The following options all take a POSIX Extended Regular Expression, which can further filter the selection of registrations. These options are applied as logical AND, but each REGEX allows specifying multiple strings using the pipe symbol.
--witness-net-name=REGEX
This specifies the 'server name' the client registered for monitoring.
--witness-share-name=REGEX
This specifies the 'share name' the client registered for monitoring. Note that the share name is optional in the registration, otherwise an empty string is matched.
--witness-ip-address=REGEX
This specifies the ip address the client registered for monitoring.
--witness-client-computer-name=REGEX
This specifies the client computer name the client specified in the registration. Note it is just a string chosen by the client itself.
If the update should be applied to all registrations it needs to be explicitly specified:
--witness-apply-to-all
This selects all registrations. Note: This is mutual exclusive to the above options.
Note: This only applies to registrations with a non empty share name!
The content of the SHARE_MOVE notification contains ip addresses specified by (exactly one) of the following options:
--witness-new-node=NODEID
By specifying a NODEID all ip addresses currently available on the given node are included in the response. By specifying '-1' as NODEID all ip addresses of the cluster are included in the response.
--witness-new-ip=IPADDRESS
By specifying an IPADDRESS only the specified ip address is included in the response.
Force unregistrations for witness registrations
Note: Only supported with clustering=yes!
Machine readable output can be generated with the following option:
--json
The selection of registrations can be limited by the following options:
--witness-registration=REGISTRATION_UUID
This does a direct lookup for REGISTRATION_UUID instead of doing a database traversal.
The following options all take a POSIX Extended Regular Expression, which can further filter the selection of registrations. These options are applied as logical AND, but each REGEX allows specifying multiple strings using the pipe symbol.
--witness-net-name=REGEX
This specifies the 'server name' the client registered for monitoring.
--witness-share-name=REGEX
This specifies the 'share name' the client registered for monitoring. Note that the share name is optional in the registration, otherwise an empty string is matched.
--witness-ip-address=REGEX
This specifies the ip address the client registered for monitoring.
--witness-client-computer-name=REGEX
This specifies the client computer name the client specified in the registration. Note it is just a string chosen by the client itself.
If the update should be applied to all registrations it needs to be explicitly specified:
--witness-apply-to-all
This selects all registrations. Note: This is mutual exclusive to the above options.
The selected registrations are removed on the server and any pending AsyncNotify request will get a NOT_FOUND error.
Typically this triggers a clean re-registration on the client.
Force an AsyncNotify response based on json input (mostly for testing)
Note: Only supported with clustering=yes!
Machine readable output can be generated with the following option:
--json
The selection of registrations can be limited by the following options:
--witness-registration=REGISTRATION_UUID
This does a direct lookup for REGISTRATION_UUID instead of doing a database traversal.
The following options all take a POSIX Extended Regular Expression, which can further filter the selection of registrations. These options are applied as logical AND, but each REGEX allows specifying multiple strings using the pipe symbol.
--witness-net-name=REGEX
This specifies the 'server name' the client registered for monitoring.
--witness-share-name=REGEX
This specifies the 'share name' the client registered for monitoring. Note that the share name is optional in the registration, otherwise an empty string is matched.
--witness-ip-address=REGEX
This specifies the ip address the client registered for monitoring.
--witness-client-computer-name=REGEX
This specifies the client computer name the client specified in the registration. Note it is just a string chosen by the client itself.
If the update should be applied to all registrations it needs to be explicitly specified:
--witness-apply-to-all
This selects all registrations. Note: This is mutual exclusive to the above options.
Note this is designed for testing and debugging!
In short it is not designed to be used by administrators, but developers and automated tests.
By default an empty response with WERR_OK is generated, but basically any valid response can be specified by a specifying a JSON string:
--witness-forced-response=JSON
This allows the generation of very complex witness_notifyResponse structures.
As this is for developers, please read the code in order to understand all possible values of the JSON string format...
See 'net help witness force-response' for further details.
Gives usage information for the specified command.
This man page is complete for version 3 of the Samba suite.
The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed.
The net manpage was written by Jelmer Vernooij.
05/26/2024 | Samba 4.20.1 |