source: trunk/samba-3.0.25pre1/docs/manpages/net.8@ 1

.\"Generated by db2man.xsl. Don't modify this, modify the source.
.de Sh \" Subsection
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Ip \" List item
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.TH "NET" 8 "" "" ""
.SH NAME
net \- Tool for administration of Samba and remote CIFS servers.
.SH "SYNOPSIS"
.ad l
.hy 0
.HP 4
\fBnet\fR {<ads|rap|rpc>} [\-h] [\-w\ workgroup] [\-W\ myworkgroup] [\-U\ user] [\-I\ ip\-address] [\-p\ port] [\-n\ myname] [\-s\ conffile] [\-S\ server] [\-l] [\-P] [\-d\ debuglevel] [\-V]
.ad
.hy

.SH "DESCRIPTION"

.PP
This tool is part of the \fBsamba\fR(7) suite\&.

.PP
The samba net utility is meant to work just like the net utility available for windows and DOS\&. The first argument should be used to specify the protocol to use when executing a certain command\&. ADS is used for ActiveDirectory, RAP is using for old (Win9x/NT3) clients and RPC can be used for NT4 and Windows 2000\&. If this argument is omitted, net will try to determine it automatically\&. Not all commands are available on all protocols\&.

.SH "OPTIONS"

.TP
\-h|\-\-help
Print a summary of command line options\&.

.TP
\-w target\-workgroup
Sets target workgroup or domain\&. You have to specify either this option or the IP address or the name of a server\&.

.TP
\-W workgroup
Sets client workgroup or domain

.TP
\-U user
User name to use

.TP
\-I ip\-address
IP address of target server to use\&. You have to specify either this option or a target workgroup or a target server\&.

.TP
\-p port
Port on the target server to connect to (usually 139 or 445)\&. Defaults to trying 445 first, then 139\&.

.TP
\-n <primary NetBIOS name>
This option allows you to override the NetBIOS name that Samba uses for itself\&. This is identical to setting the  parameter in the \fIsmb\&.conf\fR file\&. However, a command line setting will take precedence over settings in \fIsmb\&.conf\fR\&.

.TP
\-s <configuration file>
The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See \fIsmb\&.conf\fR for more information\&. The default configuration file name is determined at compile time\&.

.TP
\-S server
Name of target server\&. You should specify either this option or a target workgroup or a target IP address\&.

.TP
\-l
When listing data, give more information on each item\&.

.TP
\-P
Make queries to the external server using the machine account of the local server\&.

.TP
\-d|\-\-debuglevel=level
\fIlevel\fR is an integer from 0 to 10\&. The default value if this parameter is not specified is zero\&.

The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&.

Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.

Note that specifying this parameter here will override the  parameter in the \fIsmb\&.conf\fR file\&.

.SH "COMMANDS"

.SS "CHANGESECRETPW"

.PP
This command allows the Samba machine account password to be set from an external application to a machine account password that has already been stored in Active Directory\&. DO NOT USE this command unless you know exactly what you are doing\&. The use of this command requires that the force flag (\-f) be used also\&. There will be NO command prompt\&. Whatever information is piped into stdin, either by typing at the command line or otherwise, will be stored as the literal machine password\&. Do NOT use this without care and attention as it will overwrite a legitimate machine password without warning\&. YOU HAVE BEEN WARNED\&.

.SS "TIME"

.PP
The \fBNET TIME\fR command allows you to view the time on a remote server or synchronise the time on the local server with the time on the remote server\&.

.SS "TIME"

.PP
Without any options, the \fBNET TIME\fR command displays the time on the remote server\&.

.SS "TIME SYSTEM"

.PP
Displays the time on the remote server in a format ready for \fB/bin/date\fR

.SS "TIME SET"

.PP
Tries to set the date and time of the local server to that on the remote server using \fB/bin/date\fR\&.

.SS "TIME ZONE"

.PP
Displays the timezone in hours from GMT on the remote computer\&.

.SS "[RPC|ADS] JOIN [TYPE] [-U username[%password]] [createupn=UPN] [createcomputer=OU] [options]"

.PP
Join a domain\&. If the account already exists on the server, and [TYPE] is MEMBER, the machine will attempt to join automatically\&. (Assuming that the machine has been created in server manager) Otherwise, a password will be prompted for, and a new account may be created\&.

.PP
[TYPE] may be PDC, BDC or MEMBER to specify the type of server joining the domain\&.

.PP
[UPN] (ADS only) set the principalname attribute during the join\&. The default format is host/netbiosname@REALM\&.

.PP
[OU] (ADS only) Precreate the computer account in a specific OU\&. The OU string reads from top to bottom without RDNs, and is delimited by a '/'\&. Please note that '\\' is used for escape by both the shell and ldap, so it may need to be doubled or quadrupled to pass through, and it is not used as a delimiter\&.

.SS "[RPC] OLDJOIN [options]"

.PP
Join a domain\&. Use the OLDJOIN option to join the domain using the old style of domain joining \- you need to create a trust account in server manager first\&.

.SS "[RPC|ADS] USER"

.SS "[RPC|ADS] USER"

.PP
List all users

.SS "[RPC|ADS] USER DELETE target"

.PP
Delete specified user

.SS "[RPC|ADS] USER INFO target"

.PP
List the domain groups of a the specified user\&.

.SS "[RPC|ADS] USER RENAME oldname newname"

.PP
Rename specified user\&.

.SS "[RPC|ADS] USER ADD name [password] [-F user flags] [-C comment]"

.PP
Add specified user\&.

.SS "[RPC|ADS] GROUP"

.SS "[RPC|ADS] GROUP [misc options] [targets]"

.PP
List user groups\&.

.SS "[RPC|ADS] GROUP DELETE name [misc. options]"

.PP
Delete specified group\&.

.SS "[RPC|ADS] GROUP ADD name [-C comment]"

.PP
Create specified group\&.

.SS "[RAP|RPC] SHARE"

.SS "[RAP|RPC] SHARE [misc. options] [targets]"

.PP
Enumerates all exported resources (network shares) on target server\&.

.SS "[RAP|RPC] SHARE ADD name=serverpath [-C comment] [-M maxusers] [targets]"

.PP
Adds a share from a server (makes the export active)\&. Maxusers specifies the number of users that can be connected to the share simultaneously\&.

.SS "SHARE DELETE sharenam"

.PP
Delete specified share\&.

.SS "[RPC|RAP] FILE"

.SS "[RPC|RAP] FILE"

.PP
List all open files on remote server\&.

.SS "[RPC|RAP] FILE CLOSE fileid"

.PP
Close file with specified \fIfileid\fR on remote server\&.

.SS "[RPC|RAP] FILE INFO fileid"

.PP
Print information on specified \fIfileid\fR\&. Currently listed are: file\-id, username, locks, path, permissions\&.

.SS "[RAP|RPC] FILE USER"

.RS
.Sh "Note"

.PP
Currently NOT implemented\&.

.RE

.SS "SESSION"

.SS "RAP SESSION"

.PP
Without any other options, SESSION enumerates all active SMB/CIFS sessions on the target server\&.

.SS "RAP SESSION DELETE|CLOSE CLIENT_NAME"

.PP
Close the specified sessions\&.

.SS "RAP SESSION INFO CLIENT_NAME"

.PP
Give a list with all the open files in specified session\&.

.SS "RAP SERVER DOMAIN"

.PP
List all servers in specified domain or workgroup\&. Defaults to local domain\&.

.SS "RAP DOMAIN"

.PP
Lists all domains and workgroups visible on the current network\&.

.SS "RAP PRINTQ"

.SS "RAP PRINTQ LIST QUEUE_NAME"

.PP
Lists the specified print queue and print jobs on the server\&. If the \fIQUEUE_NAME\fR is omitted, all queues are listed\&.

.SS "RAP PRINTQ DELETE JOBID"

.PP
Delete job with specified id\&.

.SS "RAP VALIDATE user [password]"

.PP
Validate whether the specified user can log in to the remote server\&. If the password is not specified on the commandline, it will be prompted\&.

.RS
.Sh "Note"

.PP
Currently NOT implemented\&.

.RE

.SS "RAP GROUPMEMBER"

.SS "RAP GROUPMEMBER LIST GROUP"

.PP
List all members of the specified group\&.

.SS "RAP GROUPMEMBER DELETE GROUP USER"

.PP
Delete member from group\&.

.SS "RAP GROUPMEMBER ADD GROUP USER"

.PP
Add member to group\&.

.SS "RAP ADMIN command"

.PP
Execute the specified \fIcommand\fR on the remote server\&. Only works with OS/2 servers\&.

.RS
.Sh "Note"

.PP
Currently NOT implemented\&.

.RE

.SS "RAP SERVICE"

.SS "RAP SERVICE START NAME [arguments...]"

.PP
Start the specified service on the remote server\&. Not implemented yet\&.

.RS
.Sh "Note"

.PP
Currently NOT implemented\&.

.RE

.SS "RAP SERVICE STOP"

.PP
Stop the specified service on the remote server\&.

.RS
.Sh "Note"

.PP
Currently NOT implemented\&.

.RE

.SS "RAP PASSWORD USER OLDPASS NEWPASS"

.PP
Change password of \fIUSER\fR from \fIOLDPASS\fR to \fINEWPASS\fR\&.

.SS "LOOKUP"

.SS "LOOKUP HOST HOSTNAME [TYPE]"

.PP
Lookup the IP address of the given host with the specified type (netbios suffix)\&. The type defaults to 0x20 (workstation)\&.

.SS "LOOKUP LDAP [DOMAIN"

.PP
Give IP address of LDAP server of specified \fIDOMAIN\fR\&. Defaults to local domain\&.

.SS "LOOKUP KDC [REALM]"

.PP
Give IP address of KDC for the specified \fIREALM\fR\&. Defaults to local realm\&.

.SS "LOOKUP DC [DOMAIN]"

.PP
Give IP's of Domain Controllers for specified \fI DOMAIN\fR\&. Defaults to local domain\&.

.SS "LOOKUP MASTER DOMAIN"

.PP
Give IP of master browser for specified \fIDOMAIN\fR or workgroup\&. Defaults to local domain\&.

.SS "CACHE"

.PP
Samba uses a general caching interface called 'gencache'\&. It can be controlled using 'NET CACHE'\&.

.PP
All the timeout parameters support the suffixes: 
s \- Secondsm \- Minutesh \- Hoursd \- Daysw \- Weeks 

.SS "CACHE ADD key data time-out"

.PP
Add specified key+data to the cache with the given timeout\&.

.SS "CACHE DEL key"

.PP
Delete key from the cache\&.

.SS "CACHE SET key data time-out"

.PP
Update data of existing cache entry\&.

.SS "CACHE SEARCH PATTERN"

.PP
Search for the specified pattern in the cache data\&.

.SS "CACHE LIST"

.PP
List all current items in the cache\&.

.SS "CACHE FLUSH"

.PP
Remove all the current items from the cache\&.

.SS "GETLOCALSID [DOMAIN]"

.PP
Print the SID of the specified domain, or if the parameter is omitted, the SID of the domain the local server is in\&.

.SS "SETLOCALSID S-1-5-21-x-y-z"

.PP
Sets domain sid for the local server to the specified SID\&.

.SS "GROUPMAP"

.PP
Manage the mappings between Windows group SIDs and UNIX groups\&. Parameters take the for "parameter=value"\&. Common options include:

.TP 3
\(bu
unixgroup \- Name of the UNIX group
.TP
\(bu
ntgroup \- Name of the Windows NT group (must be resolvable to a SID
.TP
\(bu
rid \- Unsigned 32\-bit integer
.TP
\(bu
sid \- Full SID in the form of "S\-1\-\&.\&.\&."
.TP
\(bu
type \- Type of the group; either 'domain', 'local', or 'builtin'
.TP
\(bu
comment \- Freeform text description of the group
.LP

.SS "GROUPMAP ADD"

.PP
Add a new group mapping entry: 

.nf

net groupmap add {rid=int|sid=string} unixgroup=string \\
      [type={domain|local}] [ntgroup=string] [comment=string]

.fi
 

.SS "GROUPMAP DELETE"

.PP
Delete a group mapping entry\&. If more then one group name matches, the first entry found is deleted\&.

.PP
net groupmap delete {ntgroup=string|sid=SID}

.SS "GROUPMAP MODIFY"

.PP
Update en existing group entry

.PP
 

.nf

net groupmap modify {ntgroup=string|sid=SID} [unixgroup=string] \\
       [comment=string] [type={domain|local}]

.fi
 

.SS "GROUPMAP LIST"

.PP
List existing group mapping entries

.PP
net groupmap list [verbose] [ntgroup=string] [sid=SID]

.SS "MAXRID"

.PP
Prints out the highest RID currently in use on the local server (by the active 'passdb backend')\&.

.SS "RPC INFO"

.PP
Print information about the domain of the remote server, such as domain name, domain sid and number of users and groups\&.

.SS "[RPC|ADS] TESTJOIN"

.PP
Check whether participation in a domain is still valid\&.

.SS "[RPC|ADS] CHANGETRUSTPW"

.PP
Force change of domain trust password\&.

.SS "RPC TRUSTDOM"

.SS "RPC TRUSTDOM ADD DOMAIN"

.PP
Add a interdomain trust account for \fIDOMAIN\fR to the remote server\&.

.SS "RPC TRUSTDOM DEL DOMAIM"

.PP
Remove interdomain trust account for \fIDOMAIN\fR from the remote server\&.

.RS
.Sh "Note"

.PP
Currently NOT implemented\&.

.RE

.SS "RPC TRUSTDOM ESTABLISH DOMAIN"

.PP
Establish a trust relationship to a trusting domain\&. Interdomain account must already be created on the remote PDC\&.

.SS "RPC TRUSTDOM REVOKE DOMAIN"

.PP
Abandon relationship to trusted domain

.SS "RPC TRUSTDOM LIST"

.PP
List all current interdomain trust relationships\&.

.SS "RPC RIGHTS"

.PP
This subcommand is used to view and manage Samba's rights assignments (also referred to as privileges)\&. There are three options current available: \fIlist\fR, \fIgrant\fR, and \fIrevoke\fR\&. More details on Samba's privilege model and its use can be found in the Samba\-HOWTO\-Collection\&.

.SS "RPC ABORTSHUTDOWN"

.PP
Abort the shutdown of a remote server\&.

.SS "RPC SHUTDOWN [-t timeout] [-r] [-f] [-C message]"

.PP
Shut down the remote server\&.

.TP
\-r
Reboot after shutdown\&.

.TP
\-f
Force shutting down all applications\&.

.TP
\-t timeout
Timeout before system will be shut down\&. An interactive user of the system can use this time to cancel the shutdown\&.

.TP
\-C message
Display the specified message on the screen to announce the shutdown\&.

.SS "RPC SAMDUMP"

.PP
Print out sam database of remote server\&. You need to run this against the PDC, from a Samba machine joined as a BDC\&.

.SS "RPC VAMPIRE"

.PP
Export users, aliases and groups from remote server to local server\&. You need to run this against the PDC, from a Samba machine joined as a BDC\&.

.SS "RPC GETSID"

.PP
Fetch domain SID and store it in the local \fIsecrets\&.tdb\fR\&.

.SS "ADS LEAVE"

.PP
Make the remote host leave the domain it is part of\&.

.SS "ADS STATUS"

.PP
Print out status of machine account of the local machine in ADS\&. Prints out quite some debug info\&. Aimed at developers, regular users should use \fBNET ADS TESTJOIN\fR\&.

.SS "ADS PRINTER"

.SS "ADS PRINTER INFO [PRINTER] [SERVER]"

.PP
Lookup info for \fIPRINTER\fR on \fISERVER\fR\&. The printer name defaults to "*", the server name defaults to the local host\&.

.SS "ADS PRINTER PUBLISH PRINTER"

.PP
Publish specified printer using ADS\&.

.SS "ADS PRINTER REMOVE PRINTER"

.PP
Remove specified printer from ADS directory\&.

.SS "ADS SEARCH EXPRESSION ATTRIBUTES..."

.PP
Perform a raw LDAP search on a ADS server and dump the results\&. The expression is a standard LDAP search expression, and the attributes are a list of LDAP fields to show in the results\&.

.PP
Example: \fBnet ads search '(objectCategory=group)' sAMAccountName\fR 

.SS "ADS DN DN (attributes)"

.PP
Perform a raw LDAP search on a ADS server and dump the results\&. The DN standard LDAP DN, and the attributes are a list of LDAP fields to show in the result\&.

.PP
Example: \fBnet ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' SAMAccountName\fR

.SS "ADS WORKGROUP"

.PP
Print out workgroup name for specified kerberos realm\&.

.SS "USERSHARE"

.PP
Starting with version 3\&.0\&.23, a Samba server now supports the ability for non\-root users to add user define shares to be exported using the "net usershare" commands\&.

.PP
To set this up, first set up your smb\&.conf by adding to the [global] section : usershare path = /usr/local/samba/lib/usershares Next create the directory /usr/local/samba/lib/usershares, change the owner to root and set the group owner to the UNIX group who should have the ability to create usershares, for example a group called "serverops"\&. Set the permissions on /usr/local/samba/lib/usershares to 01770\&. (Owner and group all access, no access for others, plus the sticky bit, which means that a file in that directory can be renamed or deleted only by the owner of the file)\&. Finally, tell smbd how many usershares you will allow by adding to the [global] section of smb\&.conf a line such as : usershare max shares = 100\&. To allow 100 usershare definitions\&. Now, members of the UNIX group "serverops" can create user defined shares on demand using the commands below\&.

.PP
The usershare commands are: 
net usershare add sharename path [comment] [acl] [guest_ok=[y|n]] \- to add or change a user defined share\&.net usershare delete sharename \- to delete a user defined share\&.net usershare info [\-l|\-\-long] [wildcard sharename] \- to print info about a user defined share\&.net usershare list [\-l|\-\-long] [wildcard sharename] \- to list user defined shares\&. 

.SS "USERSHARE ADD sharename path [comment] [acl] [guest_ok=[y|n]]"

.PP
Add or replace a new user defined share, with name "sharename"\&.

.PP
"path" specifies the absolute pathname on the system to be exported\&. Restrictions may be put on this, see the global smb\&.conf parameters : "usershare owner only", "usershare prefix allow list", and "usershare prefix deny list"\&.

.PP
The optional "comment" parameter is the comment that will appear on the share when browsed to by a client\&.

.PP
The optional "acl" field specifies which users have read and write access to the entire share\&. Note that guest connections are not allowed unless the smb\&.conf parameter "usershare allow guests" has been set\&. The definition of a user defined share acl is : "user:permission", where user is a valid username on the system and permission can be "F", "R", or "D"\&. "F" stands for "full permissions", ie\&. read and write permissions\&. "D" stands for "deny" for a user, ie\&. prevent this user from accessing this share\&. "R" stands for "read only", ie\&. only allow read access to this share (no creation of new files or directories or writing to files)\&.

.PP
The default if no "acl" is given is "Everyone:R", which means any authenticated user has read\-only access\&.

.PP
The optional "guest_ok" has the same effect as the parameter of the same name in smb\&.conf, in that it allows guest access to this user defined share\&. This parameter is only allowed if the global parameter "usershare allow guests" has been set to true in the smb\&.conf\&.


There is no separate command to modify an existing user defined share,
just use the "net usershare add [sharename]" command using the same
sharename as the one you wish to modify and specify the new options
you wish\&. The Samba smbd daemon notices user defined share modifications
at connect time so will see the change immediately, there is no need
to restart smbd on adding, deleting or changing a user defined share\&.

.SS "USERSHARE DELETE sharename"

.PP
Deletes the user defined share by name\&. The Samba smbd daemon immediately notices this change, although it will not disconnect any users currently connected to the deleted share\&.

.SS "USERSHARE INFO [-l|--long] [wildcard sharename]"

.PP
Get info on user defined shares owned by the current user matching the given pattern, or all users\&.

.PP
net usershare info on its own dumps out info on the user defined shares that were created by the current user, or restricts them to share names that match the given wildcard pattern ('*' matches one or more characters, '?' matches only one character)\&. If the '\-l' or '\-\-long' option is also given, it prints out info on user defined shares created by other users\&.

.PP
The information given about a share looks like : [foobar] path=/home/jeremy comment=testme usershare_acl=Everyone:F guest_ok=n And is a list of the current settings of the user defined share that can be modified by the "net usershare add" command\&.

.SS "USERSHARE LIST [-l|--long] wildcard sharename"

.PP
List all the user defined shares owned by the current user matching the given pattern, or all users\&.

.PP
net usershare list on its own list out the names of the user defined shares that were created by the current user, or restricts the list to share names that match the given wildcard pattern ('*' matches one or more characters, '?' matches only one character)\&. If the '\-l' or '\-\-long' option is also given, it includes the names of user defined shares created by other users\&.

.SS "HELP [COMMAND]"

.PP
Gives usage information for the specified command\&.

.SH "VERSION"

.PP
This man page is complete for version 3\&.0 of the Samba suite\&.

.SH "AUTHOR"

.PP
The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.

.PP
The net manpage was written by Jelmer Vernooij\&.