mirror of
https://github.com/samba-team/samba.git
synced 2024-12-24 21:34:56 +03:00
93f4be1647
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
3183 lines
84 KiB
XML
3183 lines
84 KiB
XML
<?xml version="1.0" encoding="iso-8859-1"?>
|
|
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
|
|
<refentry id="samba-tool.8">
|
|
|
|
<refmeta>
|
|
<refentrytitle>samba-tool</refentrytitle>
|
|
<manvolnum>8</manvolnum>
|
|
<refmiscinfo class="source">Samba</refmiscinfo>
|
|
<refmiscinfo class="manual">System Administration tools</refmiscinfo>
|
|
<refmiscinfo class="version">&doc.version;</refmiscinfo>
|
|
</refmeta>
|
|
|
|
|
|
<refnamediv>
|
|
<refname>samba-tool</refname>
|
|
<refpurpose>Main Samba administration tool.
|
|
</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<command>samba-tool</command>
|
|
<arg choice="opt">-h</arg>
|
|
<arg choice="opt">-W myworkgroup</arg>
|
|
<arg choice="opt">-U user</arg>
|
|
<arg choice="opt">-d debuglevel</arg>
|
|
<arg choice="opt">--v</arg>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>DESCRIPTION</title>
|
|
<para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
|
|
<manvolnum>7</manvolnum></citerefentry> suite.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>OPTIONS</title>
|
|
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
|
<term>-h|--help</term>
|
|
<listitem><para>
|
|
Show this help message and exit
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
&cmdline.common.connection.realm;
|
|
|
|
&cmdline.common.credentials.simplebinddn;
|
|
|
|
&cmdline.common.credentials.password;
|
|
|
|
&cmdline.common.credentials.user;
|
|
|
|
&cmdline.common.connection.workgroup;
|
|
|
|
&cmdline.common.credentials.nopass;
|
|
|
|
&cmdline.common.credentials.usekerberos;
|
|
|
|
&cmdline.common.credentials.usekrb5ccache;
|
|
|
|
&cmdline.common.credentials.authenticationfile;
|
|
|
|
<varlistentry>
|
|
<term>--ipaddress=IPADDRESS</term>
|
|
<listitem><para>
|
|
IP address of the server
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--color=always|never|auto</term>
|
|
<listitem>
|
|
<para>
|
|
Indicate whether samba-tool should use ANSI colour codes
|
|
in its output. If 'auto' (the default), samba-tool will
|
|
use colour when its output is directed toward a terminal,
|
|
unless the NO_COLOR environment variable is set and
|
|
non-empty.
|
|
</para>
|
|
<para>
|
|
The values 'yes' and 'force' are accepted as synonyms for
|
|
'always'; 'no' and 'none' for 'never'; and 'tty' and
|
|
'if-tty' for 'auto'.
|
|
</para>
|
|
<para>
|
|
Note that asking for colour doesn't mean samba-tool will
|
|
necessarily be very colourful. Many commands are very
|
|
monochrome, particularly when successful.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
&cmdline.common.debug.client;
|
|
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>COMMANDS</title>
|
|
|
|
<refsect2>
|
|
<title>computer</title>
|
|
<para>Manage computer accounts.</para>
|
|
</refsect2>
|
|
|
|
<refsect3>
|
|
<title>computer add <replaceable>computername</replaceable> [options]</title>
|
|
<para>Add a new computer to the Active Directory Domain.</para>
|
|
<para>The new computer name specified on the command is the
|
|
sAMAccountName, with or without the trailing dollar sign.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--computerou=COMPUTEROU</term>
|
|
<listitem><para>
|
|
DN of alternative location (with or without domainDN counterpart) to
|
|
default CN=Computers in which new computer object will be created.
|
|
E.g. 'OU=OUname'.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--description=DESCRIPTION</term>
|
|
<listitem><para>
|
|
The new computer's description.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--ip-address=IP_ADDRESS_LIST</term>
|
|
<listitem><para>
|
|
IPv4 address for the computer's A record, or IPv6 address for AAAA record,
|
|
can be provided multiple times.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--service-principal-name=SERVICE_PRINCIPAL_NAME_LIST</term>
|
|
<listitem><para>
|
|
Computer's Service Principal Name, can be provided multiple times.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--prepare-oldjoin</term>
|
|
<listitem><para>
|
|
Prepare enabled machine account for oldjoin mechanism.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>computer create <replaceable>computername</replaceable> [options]</title>
|
|
<para>Add a new computer. This is a synonym for the
|
|
<command>samba-tool computer add</command> command and is available
|
|
for compatibility reasons only. Please use
|
|
<command>samba-tool computer add</command> instead.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>computer delete <replaceable>computername</replaceable> [options]</title>
|
|
<para>Delete an existing computer account.</para>
|
|
<para>The computer name specified on the command is the
|
|
sAMAccountName, with or without the trailing dollar sign.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>computer edit <replaceable>computername</replaceable></title>
|
|
<para>Edit a computer AD object.</para>
|
|
<para>The computer name specified on the command is the
|
|
sAMAccountName, with or without the trailing dollar sign.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--editor=EDITOR</term>
|
|
<listitem><para>
|
|
Specifies the editor to use instead of the system default, or 'vi' if no
|
|
system default is set.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>computer list</title>
|
|
<para>List all computers.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>computer move <replaceable>computername</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
|
|
<para>This command moves a computer account into the specified
|
|
organizational unit or container.</para>
|
|
<para>The computername specified on the command is the
|
|
sAMAccountName, with or without the trailing dollar sign.</para>
|
|
<para>The name of the organizational unit or container can be
|
|
specified as a full DN or without the domainDN component.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>computer show <replaceable>computername</replaceable> [options]</title>
|
|
<para>Display a computer AD object.</para>
|
|
<para>The computer name specified on the command is the
|
|
sAMAccountName, with or without the trailing dollar sign.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--attributes=USER_ATTRS</term>
|
|
<listitem><para>
|
|
Comma separated list of attributes, which will be printed.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect2>
|
|
<title>contact</title>
|
|
<para>Manage contacts.</para>
|
|
</refsect2>
|
|
|
|
<refsect3>
|
|
<title>contact add [<replaceable>contactname</replaceable>] [options]</title>
|
|
<para>Add a new contact to the Active Directory Domain.</para>
|
|
<para>The name of the new contact can be specified by the first
|
|
argument 'contactname' or the --given-name, --initial and --surname
|
|
arguments. If no 'contactname' is given, contact's name will be made
|
|
up of the given arguments by combining the given-name, initials and
|
|
surname. Each argument is optional. A dot ('.') will be appended to
|
|
the initials automatically.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--ou=OU</term>
|
|
<listitem><para>
|
|
DN of alternative location (with or without domainDN counterpart) in
|
|
which the new contact will be created.
|
|
E.g. 'OU=OUname'.
|
|
Default is the domain base.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--description=DESCRIPTION</term>
|
|
<listitem><para>
|
|
The new contact's description.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--surname=SURNAME</term>
|
|
<listitem><para>
|
|
Contact's surname.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--given-name=GIVEN_NAME</term>
|
|
<listitem><para>
|
|
Contact's given name.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--initials=INITIALS</term>
|
|
<listitem><para>
|
|
Contact's initials.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--display-name=DISPLAY_NAME</term>
|
|
<listitem><para>
|
|
Contact's display name.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--job-title=JOB_TITLE</term>
|
|
<listitem><para>
|
|
Contact's job title.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--department=DEPARTMENT</term>
|
|
<listitem><para>
|
|
Contact's department.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--company=COMPANY</term>
|
|
<listitem><para>
|
|
Contact's company.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--mail-address=MAIL_ADDRESS</term>
|
|
<listitem><para>
|
|
Contact's email address.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--internet-address=INTERNET_ADDRESS</term>
|
|
<listitem><para>
|
|
Contact's home page.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--telephone-number=TELEPHONE_NUMBER</term>
|
|
<listitem><para>
|
|
Contact's phone number.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--mobile-number=MOBILE_NUMBER</term>
|
|
<listitem><para>
|
|
Contact's mobile phone number.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--physical-delivery-office=PHYSICAL_DELIVERY_OFFICE</term>
|
|
<listitem><para>
|
|
Contact's office location.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>contact create [<replaceable>contactname</replaceable>] [options]</title>
|
|
<para>Add a new contact. This is a synonym for the
|
|
<command>samba-tool contact add</command> command and is available
|
|
for compatibility reasons only. Please use
|
|
<command>samba-tool contact add</command> instead.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>contact delete <replaceable>contactname</replaceable> [options]</title>
|
|
<para>Delete an existing contact.</para>
|
|
<para>The contactname specified on the command is the common name or the
|
|
distinguished name of the contact object. The distinguished name of the
|
|
contact can be specified with or without the domainDN component.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>contact edit <replaceable>contactname</replaceable></title>
|
|
<para>Modify a contact AD object.</para>
|
|
<para>The contactname specified on the command is the common name or the
|
|
distinguished name of the contact object. The distinguished name of the
|
|
contact can be specified with or without the domainDN component.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--editor=EDITOR</term>
|
|
<listitem><para>
|
|
Specifies the editor to use instead of the system default, or 'vi' if no
|
|
system default is set.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>contact list [options]</title>
|
|
<para>List all contacts.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--full-dn</term>
|
|
<listitem><para>
|
|
Display contact's full DN instead of the name.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>contact move <replaceable>contactname</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
|
|
<para>This command moves a contact into the specified organizational
|
|
unit or container.</para>
|
|
<para>The contactname specified on the command is the common name or the
|
|
distinguished name of the contact object. The distinguished name of the
|
|
contact can be specified with or without the domainDN component.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>contact show <replaceable>contactname</replaceable> [options]</title>
|
|
<para>Display a contact AD object.</para>
|
|
<para>The contactname specified on the command is the common name or the
|
|
distinguished name of the contact object. The distinguished name of the
|
|
contact can be specified with or without the domainDN component.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--attributes=CONTACT_ATTRS</term>
|
|
<listitem><para>
|
|
Comma separated list of attributes, which will be printed.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>contact rename <replaceable>contactname</replaceable> [options]</title>
|
|
<para>Rename a contact and related attributes.</para>
|
|
<para>This command allows to set the contact's name related attributes. The contact's
|
|
CN will be renamed automatically.
|
|
The contact's new CN will be made up by combining the given-name, initials
|
|
and surname. A dot ('.') will be appended to the initials automatically,
|
|
if required.
|
|
Use the --force-new-cn option to specify the new CN manually and --reset-cn
|
|
to reset this change.</para>
|
|
<para>Use an empty attribute value to remove the specified attribute.</para>
|
|
<para>The contact name specified on the command is the CN.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--surname=SURNAME</term>
|
|
<listitem><para>
|
|
New surname.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--given-name=GIVEN_NAME</term>
|
|
<listitem><para>
|
|
New given name.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--initials=INITIALS</term>
|
|
<listitem><para>
|
|
New initials.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--force-new-cn=NEW_CN</term>
|
|
<listitem><para>
|
|
Specify a new CN (RDN) instead of using a combination
|
|
of the given name, initials and surname.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--reset-cn</term>
|
|
<listitem><para>
|
|
Set the CN to the default combination of given name,
|
|
initials and surname.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--display-name=DISPLAY_NAME</term>
|
|
<listitem><para>
|
|
New display name.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--mail-address=MAIL_ADDRESS</term>
|
|
<listitem><para>
|
|
New email address.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect2>
|
|
<title>dbcheck</title>
|
|
<para>Check the local AD database for errors.</para>
|
|
</refsect2>
|
|
|
|
<refsect2>
|
|
<title>delegation</title>
|
|
<para>Manage Delegations.</para>
|
|
</refsect2>
|
|
|
|
<refsect3>
|
|
<title>delegation add-service <replaceable>accountname</replaceable> <replaceable>principal</replaceable> [options]</title>
|
|
<para>Add a service principal as msDS-AllowedToDelegateTo.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>delegation del-service <replaceable>accountname</replaceable> <replaceable>principal</replaceable> [options]</title>
|
|
<para>Delete a service principal as msDS-AllowedToDelegateTo.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>delegation for-any-protocol <replaceable>accountname</replaceable> [(on|off)] [options]</title>
|
|
<para>Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy)
|
|
for an account.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>delegation for-any-service <replaceable>accountname</replaceable> [(on|off)] [options]</title>
|
|
<para>Set/unset UF_TRUSTED_FOR_DELEGATION for an account.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>delegation show <replaceable>accountname</replaceable> [options] </title>
|
|
<para>Show the delegation setting of an account.</para>
|
|
</refsect3>
|
|
|
|
<refsect2>
|
|
<title>dns</title>
|
|
<para>Manage Domain Name Service (DNS).</para>
|
|
</refsect2>
|
|
|
|
<refsect3>
|
|
<title>dns add <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>data</replaceable></title>
|
|
<para>Add a DNS record.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>dns delete <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>data</replaceable></title>
|
|
<para>Delete a DNS record.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>dns query <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT|ALL</replaceable> [options] <replaceable>data</replaceable></title>
|
|
<para>Query a name.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>dns roothints <replaceable>server</replaceable> [<replaceable>name</replaceable>] [options]</title>
|
|
<para>Query root hints.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>dns serverinfo <replaceable>server</replaceable> [options]</title>
|
|
<para>Query server information.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>dns update <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>olddata</replaceable> <replaceable>newdata</replaceable></title>
|
|
<para>Update a DNS record.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>dns zonecreate <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
|
|
<para>Create a zone.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>dns zonedelete <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
|
|
<para>Delete a zone.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>dns zoneinfo <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
|
|
<para>Query zone information.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>dns zonelist <replaceable>server</replaceable> [options]</title>
|
|
<para>List zones.</para>
|
|
</refsect3>
|
|
|
|
<refsect2>
|
|
<title>domain</title>
|
|
<para>Manage Domain.</para>
|
|
</refsect2>
|
|
|
|
<refsect3>
|
|
<title>domain backup</title>
|
|
<para>Create or restore a backup of the domain.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain backup offline</title>
|
|
<para>Backup (with proper locking) local domain directories into a tar file.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain backup online</title>
|
|
<para>Copy a running DC's current DB into a backup tar file.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain backup rename</title>
|
|
<para>Copy a running DC's DB to backup file, renaming the domain in the process.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain backup restore</title>
|
|
<para>Restore the domain's DB from a backup-file.</para>
|
|
</refsect3>
|
|
|
|
<refsect2>
|
|
<title>domain auth policy</title>
|
|
<para>Manage authentication policies.</para>
|
|
</refsect2>
|
|
|
|
<refsect3>
|
|
<title>domain auth policy list</title>
|
|
<para>List authentication policies on the domain.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--json</term>
|
|
<listitem><para>
|
|
View authentication policies as JSON instead of a list.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain auth policy view</title>
|
|
<para>View an authentication policy on the domain.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Name of the authentication policy to view (required).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain auth policy create</title>
|
|
<para>Create authentication policies on the domain.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Name of the authentication policy (required).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--description</term>
|
|
<listitem><para>
|
|
Optional description for the authentication policy.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--protect</term>
|
|
<listitem>
|
|
<para>
|
|
Protect authentication policy from accidental deletion.
|
|
</para>
|
|
<para>
|
|
Cannot be used together with --unprotect.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--unprotect</term>
|
|
<listitem>
|
|
<para>
|
|
Unprotect authentication policy from accidental deletion.
|
|
</para>
|
|
<para>
|
|
Cannot be used together with --protect.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--audit</term>
|
|
<listitem>
|
|
<para>
|
|
Only audit authentication policy.
|
|
</para>
|
|
<para>
|
|
Cannot be used together with --enforce.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--enforce</term>
|
|
<listitem>
|
|
<para>
|
|
Enforce authentication policy.
|
|
</para>
|
|
<para>
|
|
Cannot be used together with --audit.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--strong-ntlm-policy</term>
|
|
<listitem>
|
|
<para>
|
|
Strong NTLM Policy (Disabled, Optional, Required).
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--user-tgt-lifetime-mins</term>
|
|
<listitem>
|
|
<para>
|
|
Ticket-Granting-Ticket lifetime for user accounts.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--user-allow-ntlm-auth</term>
|
|
<listitem>
|
|
<para>
|
|
Allow <constant>NTLM</constant> and <constant>
|
|
Interactive NETLOGON SamLogon</constant>
|
|
authentication despite the
|
|
fact that
|
|
<constant>allowed-to-authenticate-from</constant>
|
|
is in use, which would
|
|
otherwise restrict the user to selected devices.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--user-allowed-to-authenticate-from</term>
|
|
<listitem>
|
|
<para>
|
|
Conditions a device must meet
|
|
for users covered by this
|
|
policy to be allowed to
|
|
authenticate. While this is a
|
|
restriction on the device,
|
|
any conditional ACE rules are
|
|
expressed as if the device was
|
|
a user.
|
|
</para>
|
|
<para>
|
|
Must be a valid SDDL string
|
|
without reference to Device
|
|
keywords.
|
|
</para>
|
|
<para>
|
|
Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)}))
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--user-allowed-to-authenticate-to=SDDL</term>
|
|
<listitem>
|
|
<para>
|
|
This policy, applying to a
|
|
user account that is offering
|
|
a service, eg a web server
|
|
with a user account, restricts
|
|
which accounts may access it.
|
|
</para>
|
|
<para>
|
|
Must be a valid SDDL string.
|
|
The SDDL can reference both
|
|
bare (user) and Device conditions.
|
|
</para>
|
|
<para>
|
|
SDDL Example: <constant>O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))</constant>
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--service-tgt-lifetime-mins</term>
|
|
<listitem>
|
|
<para>
|
|
Ticket-Granting-Ticket lifetime for service accounts.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--service-allow-ntlm-auth</term>
|
|
<listitem>
|
|
<para>
|
|
Allow NTLM network authentication when service
|
|
is restricted to selected devices.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--service-allowed-to-authenticate-from</term>
|
|
<listitem>
|
|
<para>
|
|
Conditions a device must meet
|
|
for service accounts covered
|
|
by this policy to be allowed
|
|
to authenticate. While this
|
|
is a restriction on the
|
|
device, any conditional ACE
|
|
rules are expressed as if the
|
|
device was a user.
|
|
</para>
|
|
<para>
|
|
Must be a valid SDDL string
|
|
without reference to Device
|
|
keywords.
|
|
</para>
|
|
<para>
|
|
SDDL Example: <constant>O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)}))</constant>
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--service-allowed-to-authenticate-to=SDDL</term>
|
|
<listitem>
|
|
<para>
|
|
This policy, applying to a
|
|
service account (eg a Managed
|
|
Service Account, Group Managed
|
|
Service Account), restricts
|
|
which accounts may access it.
|
|
</para>
|
|
<para>
|
|
Must be a valid SDDL string.
|
|
The SDDL can reference both
|
|
bare (user) and Device conditions.
|
|
</para>
|
|
<para>
|
|
SDDL Example: <constant>O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))</constant>
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--computer-tgt-lifetime-mins</term>
|
|
<listitem>
|
|
<para>
|
|
Ticket-Granting-Ticket lifetime for computer accounts.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--computer-allowed-to-authenticate-to=SDDL</term>
|
|
<listitem>
|
|
<para>
|
|
This policy, applying to a
|
|
computer account (eg a server
|
|
or workstation), restricts
|
|
which accounts may access it.
|
|
</para>
|
|
<para>
|
|
Must be a valid SDDL string.
|
|
The SDDL can reference both
|
|
bare (user) and Device conditions.
|
|
</para>
|
|
<para>
|
|
SDDL Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain auth policy modify</title>
|
|
<para>Modify authentication policies on the domain. The same
|
|
options apply as for <constant>domain auth policy create</constant>.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain auth policy delete</title>
|
|
<para>Delete authentication policies on the domain.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Name of authentication policy to delete (required).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--force</term>
|
|
<listitem><para>
|
|
Force authentication policy delete even if it is protected.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain auth policy user-allowed-to-authenticate-from set</title>
|
|
<para>Set the user-allowed-to-authenticate-from property by scenario.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Name of authentication policy.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--by-group=GROUP</term>
|
|
<listitem><para>
|
|
User is allowed to
|
|
authenticate, if the device they
|
|
authenticate from is assigned
|
|
and granted membership of a
|
|
given <constant>GROUP</constant>.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--silo=SILO</term>
|
|
<listitem><para>
|
|
User is allowed to
|
|
authenticate, if the device they
|
|
authenticate from is assigned
|
|
and granted membership of a
|
|
given <constant>SILO</constant>.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain auth policy user-allowed-to-authenticate-to set</title>
|
|
<para>Set the user-allowed-to-authenticate-to property by scenario.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Name of authentication policy.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--group=GROUP</term>
|
|
<listitem><para>
|
|
The user account, offering a
|
|
network service, covered by
|
|
this policy, will only be allowed
|
|
access from other accounts
|
|
that are members of the given
|
|
<constant>GROUP</constant>.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--silo=SILO</term>
|
|
<listitem><para>
|
|
The user account, offering a
|
|
network service, covered by
|
|
this policy, will only be
|
|
allowed access from other accounts
|
|
that are assigned to,
|
|
granted membership of (and
|
|
meet any authentication
|
|
conditions of) the given <constant>SILO</constant>.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain auth policy service-allowed-to-authenticate-from set</title>
|
|
<para>Set the service-allowed-to-authenticate-from property by scenario.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Name of authentication policy.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--group=GROUP</term>
|
|
<listitem><para>
|
|
The service account (eg a Managed
|
|
Service Account, Group Managed
|
|
Service Account) is allowed to
|
|
authenticate, if the device it
|
|
authenticates from is a member
|
|
of the given <constant>GROUP</constant>.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--silo=SILO</term>
|
|
<listitem><para>
|
|
The service account (eg a Managed
|
|
Service Account, Group Managed
|
|
Service Account) is allowed to
|
|
authenticate, if the device it
|
|
authenticates from is assigned
|
|
and granted membership of a
|
|
given <constant>SILO</constant>.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain auth policy service-allowed-to-authenticate-to set</title>
|
|
<para>Set the service-allowed-to-authenticate-to property by scenario.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Name of authentication policy.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--group=GROUP</term>
|
|
<listitem><para>
|
|
The service account (eg a Managed
|
|
Service Account, Group Managed
|
|
Service Account), will only be
|
|
allowed access by other accounts
|
|
that are members of the given
|
|
<constant>GROUP</constant>.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--silo=SILO</term>
|
|
<listitem><para>
|
|
The service account (eg a
|
|
Managed Service Account, Group
|
|
Managed Service Account), will
|
|
only be allowed access by other
|
|
accounts that are assigned
|
|
to, granted membership of (and
|
|
meet any authentication
|
|
conditions of) the given <constant>SILO</constant>.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain auth policy computer-allowed-to-authenticate-to set</title>
|
|
<para>Set the computer-allowed-to-authenticate-to property by scenario.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Name of authentication policy.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--group=GROUP</term>
|
|
<listitem><para>
|
|
The computer account (eg a server
|
|
or workstation), will only be
|
|
allowed access by other accounts
|
|
that are members of the given
|
|
<constant>GROUP</constant>.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--silo=SILO</term>
|
|
<listitem><para>
|
|
The computer account (eg a
|
|
server or workstation), will
|
|
only be allowed access by
|
|
other accounts that are
|
|
assigned to, granted
|
|
membership of (and meet any
|
|
authentication conditions of)
|
|
the given <constant>SILO</constant>.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect2>
|
|
<title>domain auth silo</title>
|
|
<para>Manage authentication silos.</para>
|
|
</refsect2>
|
|
|
|
<refsect3>
|
|
<title>domain auth silo list</title>
|
|
<para>List authentication silos on the domain.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--json</term>
|
|
<listitem><para>
|
|
View authentication silos as JSON instead of a list.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain auth silo view</title>
|
|
<para>View an authentication silo on the domain.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Name of the authentication silo to view (required).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain auth silo create</title>
|
|
<para>Create authentication silos on the domain.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Name of the authentication silo (required).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--description</term>
|
|
<listitem><para>
|
|
Optional description for the authentication silo.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--user-authentication-policy</term>
|
|
<listitem><para>
|
|
User account authentication policy.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--service-authentication-policy</term>
|
|
<listitem><para>
|
|
Managed service account authentication policy.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--computer-authentication-policy</term>
|
|
<listitem><para>
|
|
Computer authentication policy.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--protect</term>
|
|
<listitem>
|
|
<para>
|
|
Protect authentication silo from accidental deletion.
|
|
</para>
|
|
<para>
|
|
Cannot be used together with --unprotect.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--unprotect</term>
|
|
<listitem>
|
|
<para>
|
|
Unprotect authentication silo from accidental deletion.
|
|
</para>
|
|
<para>
|
|
Cannot be used together with --protect.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--audit</term>
|
|
<listitem>
|
|
<para>
|
|
Only audit silo policies.
|
|
</para>
|
|
<para>
|
|
Cannot be used together with --enforce.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--enforce</term>
|
|
<listitem>
|
|
<para>
|
|
Enforce silo policies.
|
|
</para>
|
|
<para>
|
|
Cannot be used together with --audit.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain auth silo modify</title>
|
|
<para>Modify authentication silos on the domain.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Name of the authentication silo (required).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--description</term>
|
|
<listitem><para>
|
|
Optional description for the authentication silo.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--user-authentication-policy</term>
|
|
<listitem><para>
|
|
User account authentication policy.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--service-authentication-policy</term>
|
|
<listitem><para>
|
|
Managed service account authentication policy.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--computer-authentication-policy</term>
|
|
<listitem><para>
|
|
Computer authentication policy.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--protect</term>
|
|
<listitem>
|
|
<para>
|
|
Protect authentication silo from accidental deletion.
|
|
</para>
|
|
<para>
|
|
Cannot be used together with --unprotect.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--unprotect</term>
|
|
<listitem>
|
|
<para>
|
|
Unprotect authentication silo from accidental deletion.
|
|
</para>
|
|
<para>
|
|
Cannot be used together with --protect.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--audit</term>
|
|
<listitem>
|
|
<para>
|
|
Only audit silo policies.
|
|
</para>
|
|
<para>
|
|
Cannot be used together with --enforce.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--enforce</term>
|
|
<listitem>
|
|
<para>
|
|
Enforce silo policies.
|
|
</para>
|
|
<para>
|
|
Cannot be used together with --audit.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain auth silo delete</title>
|
|
<para>Delete authentication silos on the domain.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Name of authentication silo to delete (required).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--force</term>
|
|
<listitem><para>
|
|
Force authentication silo delete even if it is protected.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain auth silo member grant</title>
|
|
<para>Grant a member access to an authentication silo.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Name of authentication silo (required).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--member</term>
|
|
<listitem><para>
|
|
Member to grant access to the silo (DN or account name).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain auth silo member list</title>
|
|
<para>List members in an authentication silo.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Name of authentication silo (required).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--json</term>
|
|
<listitem><para>
|
|
View members as JSON instead of a list.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain auth silo member revoke</title>
|
|
<para>Revoke a member from an authentication silo.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Name of authentication silo (required).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--member</term>
|
|
<listitem><para>
|
|
Member to revoke from the silo (DN or account name).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain claim claim-type list</title>
|
|
<para>List claim types on the domain.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--json</term>
|
|
<listitem><para>
|
|
View claim types as JSON instead of a list.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain claim claim-type view</title>
|
|
<para>View a single claim type on the domain.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Display name of claim type to view (required).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain claim claim-type create</title>
|
|
<para>Create claim types on the domain.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--attribute</term>
|
|
<listitem><para>
|
|
Attribute of claim type to create (required).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--class</term>
|
|
<listitem>
|
|
<para>
|
|
Object classes to set claim type to.
|
|
</para>
|
|
<para>
|
|
Example: --class=user --class=computer
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Optional display name or use attribute name.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--description</term>
|
|
<listitem><para>
|
|
Optional description or use from attribute.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--enable</term>
|
|
<listitem>
|
|
<para>
|
|
Enable claim type.
|
|
</para>
|
|
<para>
|
|
Cannot be used together with --disable.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--disable</term>
|
|
<listitem>
|
|
<para>
|
|
Disable claim type.
|
|
</para>
|
|
<para>
|
|
Cannot be used together with --enable.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--protect</term>
|
|
<listitem>
|
|
<para>
|
|
Protect claim type from accidental deletion.
|
|
</para>
|
|
<para>
|
|
Cannot be used together with --unprotect.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--unprotect</term>
|
|
<listitem>
|
|
<para>
|
|
Unprotect claim type from accidental deletion.
|
|
</para>
|
|
<para>
|
|
Cannot be used together with --protect.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain claim claim-type modify</title>
|
|
<para>Modify claim types on the domain.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Display name of claim type to modify (required).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--class</term>
|
|
<listitem>
|
|
<para>
|
|
Object classes to set claim type to.
|
|
</para>
|
|
<para>
|
|
Example: --class=user --class=computer
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--description</term>
|
|
<listitem><para>
|
|
Set the claim type description.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--enable</term>
|
|
<listitem>
|
|
<para>
|
|
Enable claim type.
|
|
</para>
|
|
<para>
|
|
Cannot be used together with --disable.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--disable</term>
|
|
<listitem>
|
|
<para>
|
|
Disable claim type.
|
|
</para>
|
|
<para>
|
|
Cannot be used together with --enable.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--protect</term>
|
|
<listitem>
|
|
<para>
|
|
Protect claim type from accidental deletion.
|
|
</para>
|
|
<para>
|
|
Cannot be used together with --unprotect.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--unprotect</term>
|
|
<listitem>
|
|
<para>
|
|
Unprotect claim type from accidental deletion.
|
|
</para>
|
|
<para>
|
|
Cannot be used together with --protect.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain claim claim-type delete</title>
|
|
<para>Delete claim types on the domain.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Display name of claim type to delete (required).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--force</term>
|
|
<listitem><para>
|
|
Force claim type delete even if it is protected.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain claim value-type list</title>
|
|
<para>List claim value types on the domain.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--json</term>
|
|
<listitem><para>
|
|
View claim value types as JSON instead of a list.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain claim value-type view</title>
|
|
<para>View a single claim value type on the domain.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Display name of claim value type to view (required).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect2>
|
|
<title>service-account</title>
|
|
<para>Service account management.</para>
|
|
</refsect2>
|
|
|
|
<refsect3>
|
|
<title>service-account list</title>
|
|
<para>List service accounts on the domain.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--json</term>
|
|
<listitem><para>
|
|
View service accounts as JSON instead of a list.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>service-account view</title>
|
|
<para>View a single service account on the domain.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Account name of service account to view (required).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>service-account create</title>
|
|
<para>Create a new service account on the domain.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Account name of service account (required).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--dns-host-name</term>
|
|
<listitem><para>
|
|
DNS hostname of this service account (required).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--group-msa-membership</term>
|
|
<listitem><para>
|
|
Optional Group MSA Membership SDDL.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--managed-password-interval</term>
|
|
<listitem><para>
|
|
Managed password refresh interval in days.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>service-account modify</title>
|
|
<para>Modify an existing service account on the domain.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Account name of service account (required).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--dns-host-name</term>
|
|
<listitem><para>
|
|
Update DNS hostname of this service account.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--group-msa-membership</term>
|
|
<listitem><para>
|
|
Update Group MSA Membership SDDL.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>service-account delete</title>
|
|
<para>Delete a service accounts on the domain.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Account name of service account to delete.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect2>
|
|
<title>service-account group-msa-membership</title>
|
|
<para>Service account Group MSA Membership management.</para>
|
|
</refsect2>
|
|
|
|
<refsect3>
|
|
<title>service-account group-msa-membership show</title>
|
|
<para>Display Group MSA Membership for a service account.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Account name of service account (required).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--json</term>
|
|
<listitem><para>
|
|
Return as JSON instead of a list.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>service-account group-msa-membership add</title>
|
|
<para>Add a principal to Group MSA Membership for a service account.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Account name of service account (required).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--principal</term>
|
|
<listitem><para>
|
|
Name, DN or SID of principal to add.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>service-account group-msa-membership remove</title>
|
|
<para>Remove a principal from Group MSA Membership for a service account.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--name</term>
|
|
<listitem><para>
|
|
Account name of service account (required).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--principal</term>
|
|
<listitem><para>
|
|
Name, DN or SID of principal to remove.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain classicupgrade [options] <replaceable>classic_smb_conf</replaceable></title>
|
|
<para>Upgrade from Samba classic (NT4-like) database to Samba AD DC
|
|
database.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain dcpromo <replaceable>dnsdomain</replaceable> [DC|RODC] [options]</title>
|
|
<para>Promote an existing domain member or NT4 PDC to an AD DC.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain demote</title>
|
|
<para>Demote ourselves from the role of domain controller.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain exportkeytab <replaceable>keytab</replaceable> [options]</title>
|
|
<para>Dumps Kerberos keys of the domain into a keytab.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain info <replaceable>ip_address</replaceable> [options]</title>
|
|
<para>Print basic info about a domain and the specified DC.
|
|
</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain join <replaceable>dnsdomain</replaceable> [DC|RODC|MEMBER|SUBDOMAIN] [options]</title>
|
|
<para>Join a domain as either member or backup domain controller.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain level <replaceable>show|raise</replaceable> <replaceable>options</replaceable> [options]</title>
|
|
<para>Show/raise domain and forest function levels.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain passwordsettings <replaceable>show|set</replaceable> <replaceable>options</replaceable> [options]</title>
|
|
<para>Show/set password settings.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain passwordsettings pso</title>
|
|
<para>Manage fine-grained Password Settings Objects (PSOs).</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain passwordsettings pso apply <replaceable>pso-name</replaceable> <replaceable>user-or-group-name</replaceable> [options]</title>
|
|
<para>Applies a PSO's password policy to a user or group.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain passwordsettings pso create <replaceable>pso-name</replaceable> <replaceable>precedence</replaceable> [options]</title>
|
|
<para>Creates a new Password Settings Object (PSO).</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain passwordsettings pso delete <replaceable>pso-name</replaceable> [options]</title>
|
|
<para>Deletes a Password Settings Object (PSO).</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain passwordsettings pso list [options]</title>
|
|
<para>Lists all Password Settings Objects (PSOs).</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain passwordsettings pso set <replaceable>pso-name</replaceable> [options]</title>
|
|
<para>Modifies a Password Settings Object (PSO).</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain passwordsettings pso show <replaceable>user-name</replaceable> [options]</title>
|
|
<para>Displays a Password Settings Object (PSO).</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain passwordsettings pso show-user <replaceable>pso-name</replaceable> [options]</title>
|
|
<para>Displays the Password Settings that apply to a user.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain passwordsettings pso unapply <replaceable>pso-name</replaceable> <replaceable>user-or-group-name</replaceable> [options]</title>
|
|
<para>Updates a PSO to no longer apply to a user or group.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain provision</title>
|
|
<para>Promote an existing domain member or NT4 PDC to an AD DC.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain trust</title>
|
|
<para>Domain and forest trust management.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain trust create <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
|
|
<para>Create a domain or forest trust.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain trust modify <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
|
|
<para>Modify a domain or forest trust.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain trust delete <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
|
|
<para>Delete a domain trust.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain trust list <replaceable>options</replaceable> [options]</title>
|
|
<para>List domain trusts.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain trust namespaces [<replaceable>DOMAIN</replaceable>] <replaceable>options</replaceable> [options]</title>
|
|
<para>Manage forest trust namespaces.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain trust show <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
|
|
<para>Show trusted domain details.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>domain trust validate <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
|
|
<para>Validate a domain trust.</para>
|
|
</refsect3>
|
|
|
|
<refsect2>
|
|
<title>drs</title>
|
|
<para>Manage Directory Replication Services (DRS).</para>
|
|
</refsect2>
|
|
|
|
<refsect3>
|
|
<title>drs bind</title>
|
|
<para>Show DRS capabilities of a server.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>drs kcc</title>
|
|
<para>Trigger knowledge consistency center run.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>drs options</title>
|
|
<para>Query or change <replaceable>options</replaceable> for NTDS Settings
|
|
object of a domain controller.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>drs replicate <replaceable>destination_DC</replaceable> <replaceable>source_DC</replaceable> <replaceable>NC</replaceable> [options]</title>
|
|
<para>Replicate a naming context between two DCs.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>drs showrepl</title>
|
|
<para>Show replication status. The <arg
|
|
choice="opt">--json</arg> option results in JSON output, and
|
|
with the <arg choice="opt">--summary</arg> option produces
|
|
very little output when the replication status seems healthy.
|
|
</para>
|
|
</refsect3>
|
|
|
|
<refsect2>
|
|
<title>dsacl</title>
|
|
<para>Administer DS ACLs</para>
|
|
</refsect2>
|
|
|
|
<refsect3>
|
|
<title>dsacl delete</title>
|
|
<para>Delete an access list entry on a directory object.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>dsacl get</title>
|
|
<para>Print access list on a directory object.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>dsacl set</title>
|
|
<para>Modify access list on a directory object.</para>
|
|
</refsect3>
|
|
|
|
<refsect2>
|
|
<title>forest</title>
|
|
<para>Manage Forest configuration.</para>
|
|
</refsect2>
|
|
|
|
<refsect3>
|
|
<title>forest directory_service</title>
|
|
<para>Manage directory_service behaviour for the forest.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>forest directory_service dsheuristics <replaceable>VALUE</replaceable></title>
|
|
<para>Modify dsheuristics directory_service configuration for the forest.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>forest directory_service show</title>
|
|
<para>Show current directory_service configuration for the forest.</para>
|
|
</refsect3>
|
|
|
|
<refsect2>
|
|
<title>fsmo</title>
|
|
<para>Manage Flexible Single Master Operations (FSMO).</para>
|
|
</refsect2>
|
|
|
|
<refsect3>
|
|
<title>fsmo seize [options]</title>
|
|
<para>Seize the role.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>fsmo show</title>
|
|
<para>Show the roles.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>fsmo transfer [options]</title>
|
|
<para>Transfer the role.</para>
|
|
</refsect3>
|
|
|
|
<refsect2>
|
|
<title>gpo</title>
|
|
<para>Manage Group Policy Objects (GPO).</para>
|
|
</refsect2>
|
|
|
|
<refsect3>
|
|
<title>gpo create <replaceable>displayname</replaceable> [options]</title>
|
|
<para>Create an empty GPO.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo del <replaceable>gpo</replaceable> [options]</title>
|
|
<para>Delete GPO.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo dellink <replaceable>container_dn</replaceable> <replaceable>gpo</replaceable> [options]</title>
|
|
<para>Delete GPO link from a container.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo fetch <replaceable>gpo</replaceable> [options]</title>
|
|
<para>Download a GPO.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo getinheritance <replaceable>container_dn</replaceable> [options]</title>
|
|
<para>Get inheritance flag for a container.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo getlink <replaceable>container_dn</replaceable> [options]</title>
|
|
<para>List GPO Links for a container.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo list <replaceable>username</replaceable> [options]</title>
|
|
<para>List GPOs for an account.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo listall</title>
|
|
<para>List all GPOs.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo listcontainers <replaceable>gpo</replaceable> [options]</title>
|
|
<para>List all linked containers for a GPO.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo setinheritance <replaceable>container_dn</replaceable> <replaceable>block|inherit</replaceable> [options]</title>
|
|
<para>Set inheritance flag on a container.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo setlink <replaceable>container_dn</replaceable> <replaceable>gpo</replaceable> [options]</title>
|
|
<para>Add or Update a GPO link to a container.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo show <replaceable>gpo</replaceable> [options]</title>
|
|
<para>Show information for a GPO.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo manage symlink list</title>
|
|
<para>List VGP Symbolic Link Group Policy from the sysvol</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo manage symlink add</title>
|
|
<para>Adds a VGP Symbolic Link Group Policy to the sysvol</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo manage symlink remove</title>
|
|
<para>Removes a VGP Symbolic Link Group Policy from the sysvol</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo manage files list</title>
|
|
<para>List VGP Files Group Policy from the sysvol</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo manage files add</title>
|
|
<para>Add VGP Files Group Policy to the sysvol</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo manage files remove</title>
|
|
<para>Remove VGP Files Group Policy from the sysvol</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo manage openssh list</title>
|
|
<para>List VGP OpenSSH Group Policy from the sysvol</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo manage openssh set</title>
|
|
<para>Sets a VGP OpenSSH Group Policy to the sysvol</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo manage sudoers add</title>
|
|
<para>Adds a Samba Sudoers Group Policy to the sysvol.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo manage sudoers list</title>
|
|
<para>List Samba Sudoers Group Policy from the sysvol.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo manage sudoers remove</title>
|
|
<para>Removes a Samba Sudoers Group Policy from the sysvol.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo manage scripts startup list</title>
|
|
<para>List VGP Startup Script Group Policy from the sysvol</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo manage scripts startup add</title>
|
|
<para>Adds VGP Startup Script Group Policy to the sysvol</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo manage scripts startup remove</title>
|
|
<para>Removes VGP Startup Script Group Policy from the sysvol</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo manage motd list</title>
|
|
<para>List VGP MOTD Group Policy from the sysvol.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo manage motd set</title>
|
|
<para>Sets a VGP MOTD Group Policy to the sysvol</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo manage issue list</title>
|
|
<para>List VGP Issue Group Policy from the sysvol.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo manage issue set</title>
|
|
<para>Sets a VGP Issue Group Policy to the sysvol</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo manage access add</title>
|
|
<para>Adds a VGP Host Access Group Policy to the sysvol</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo manage access list</title>
|
|
<para>List VGP Host Access Group Policy from the sysvol</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>gpo manage access remove</title>
|
|
<para>Remove a VGP Host Access Group Policy from the sysvol</para>
|
|
</refsect3>
|
|
|
|
<refsect2>
|
|
<title>group</title>
|
|
<para>Manage groups.</para>
|
|
</refsect2>
|
|
|
|
<refsect3>
|
|
<title>group add <replaceable>groupname</replaceable> [options]</title>
|
|
<para>Create a new AD group.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>group create <replaceable>groupname</replaceable> [options]</title>
|
|
<para>Add a new AD group. This is a synonym for the
|
|
<command>samba-tool group add</command> command and is available
|
|
for compatibility reasons only. Please use
|
|
<command>samba-tool group add</command> instead.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>group addmembers <replaceable>groupname</replaceable> <replaceable>members</replaceable> [options]</title>
|
|
<para>Add members to an AD group.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>group delete <replaceable>groupname</replaceable> [options]</title>
|
|
<para>Delete an AD group.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>group edit <replaceable>groupname</replaceable></title>
|
|
<para>Edit a group AD object.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--editor=EDITOR</term>
|
|
<listitem><para>
|
|
Specifies the editor to use instead of the system default, or 'vi' if no
|
|
system default is set.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>group list</title>
|
|
<para>List all groups.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>group listmembers <replaceable>groupname</replaceable> [options]</title>
|
|
<para>List all members of the specified AD group.</para>
|
|
<para>By default the sAMAccountNames are listed. If no sAMAccountName
|
|
is available, the CN will be used instead.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--full-dn</term>
|
|
<listitem><para>
|
|
List the distinguished names instead of the sAMAccountNames.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--hide-expired</term>
|
|
<listitem><para>
|
|
Do not list expired group members.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--hide-disabled</term>
|
|
<listitem><para>
|
|
Do not list disabled group members.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>group move <replaceable>groupname</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
|
|
<para>This command moves a group into the specified organizational unit
|
|
or container.</para>
|
|
<para>The groupname specified on the command is the sAMAccountName.
|
|
</para>
|
|
<para>The name of the organizational unit or container can be
|
|
specified as a full DN or without the domainDN component.</para>
|
|
<para></para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>group removemembers <replaceable>groupname</replaceable> <replaceable>members</replaceable> [options]</title>
|
|
<para>Remove members from the specified AD group.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>group show <replaceable>groupname</replaceable> [options]</title>
|
|
<para>Show group object and it's attributes.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>group stats [options]</title>
|
|
<para>Show statistics for overall groups and group memberships.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>group rename <replaceable>groupname</replaceable> [options]</title>
|
|
<para>Rename a group and related attributes.</para>
|
|
<para>This command allows to set the group's name related attributes. The
|
|
group's CN will be renamed automatically.
|
|
The group's CN will be the sAMAccountName.
|
|
Use the --force-new-cn option to specify the new CN manually and the
|
|
--reset-cn to reset this change.</para>
|
|
<para>Use an empty attribute value to remove the specified attribute.</para>
|
|
<para>The groupname specified on the command is the sAMAccountName.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--force-new-cn=NEW_CN</term>
|
|
<listitem><para>
|
|
Specify a new CN (RDN) instead of using the sAMAccountName.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--reset-cn</term>
|
|
<listitem><para>
|
|
Set the CN to the sAMAccountName.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--mail-address=MAIL_ADDRESS</term>
|
|
<listitem><para>
|
|
New mail address
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--samaccountname=SAMACCOUNTNAME</term>
|
|
<listitem><para>
|
|
New account name (sAMAccountName/logon name)
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect2>
|
|
<title>ldapcmp <replaceable>URL1</replaceable> <replaceable>URL2</replaceable> <replaceable>domain|configuration|schema|dnsdomain|dnsforest</replaceable> [options] </title>
|
|
<para>Compare two LDAP databases.</para>
|
|
</refsect2>
|
|
|
|
<refsect2>
|
|
<title>ntacl</title>
|
|
<para>Manage NT ACLs.</para>
|
|
</refsect2>
|
|
|
|
<refsect3>
|
|
<title>ntacl changedomsid <replaceable>original-domain-SID</replaceable> <replaceable>new-domain-SID</replaceable> <replaceable>file</replaceable> [options]</title>
|
|
<para>Change the domain SID for ACLs.
|
|
Can be used to change all entries in acl_xattr when the machine's SID
|
|
has accidentally changed or the data set has been copied
|
|
to another machine either via backup/restore or rsync.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--use-ntvfs</term>
|
|
<listitem><para>
|
|
Set the ACLs directly to the TDB or xattr. The POSIX permissions will
|
|
NOT be changed, only the NT ACL will be stored.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--service=SERVICE</term>
|
|
<listitem><para>
|
|
Specify the name of the smb.conf service to use. This option is
|
|
required in combination with the --use-s3fs option.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--use-s3fs</term>
|
|
<listitem><para>
|
|
Set the ACLs for use with the default s3fs file server via the VFS
|
|
layer. This option requires a smb.conf service, specified by the
|
|
--service=SERVICE option.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--xattr-backend=[native|tdb]</term>
|
|
<listitem><para>
|
|
Specify the xattr backend type (native fs or tdb).
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--eadb-file=EADB_FILE</term>
|
|
<listitem><para>
|
|
Name of the tdb file where attributes are stored.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--recursive</term>
|
|
<listitem><para>
|
|
Set the ACLs for directories and their contents recursively.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--follow-symlinks</term>
|
|
<listitem><para>
|
|
Follow symlinks when --recursive is specified.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--verbose</term>
|
|
<listitem><para>
|
|
Verbosely list files and ACLs which are being processed.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
|
|
<refsect3>
|
|
<title>ntacl get <replaceable>file</replaceable> [options]</title>
|
|
<para>Get ACLs on a file.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>ntacl set <replaceable>acl</replaceable> <replaceable>file</replaceable> [options]</title>
|
|
<para>Set ACLs on a file.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>ntacl sysvolcheck</title>
|
|
<para>Check sysvol ACLs match defaults (including correct ACLs on GPOs).</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>ntacl sysvolreset</title>
|
|
<para>Reset sysvol ACLs to defaults (including correct ACLs on GPOs).</para>
|
|
</refsect3>
|
|
|
|
<refsect2>
|
|
<title>ou</title>
|
|
<para>Manage organizational units (OUs).</para>
|
|
</refsect2>
|
|
|
|
<refsect3>
|
|
<title>ou add <replaceable>ou_dn</replaceable> [options]</title>
|
|
<para>Add a new organizational unit.</para>
|
|
<para>The name of the organizational unit can be specified as a full DN
|
|
or without the domainDN component.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--description=DESCRIPTION</term>
|
|
<listitem><para>
|
|
Specify OU's description.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>ou create <replaceable>ou_dn</replaceable> [options]</title>
|
|
<para>Add a new organizational unit. This is a synonym for the
|
|
<command>samba-tool ou add</command> command and is available
|
|
for compatibility reasons only. Please use
|
|
<command>samba-tool ou add</command> instead.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>ou delete <replaceable>ou_dn</replaceable> [options]</title>
|
|
<para>Delete an organizational unit.</para>
|
|
<para>The name of the organizational unit can be specified as a full DN
|
|
or without the domainDN component.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--force-subtree-delete</term>
|
|
<listitem><para>
|
|
Delete organizational unit and all children recursively.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>ou list [options]</title>
|
|
<para>List all organizational units.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--full-dn</term>
|
|
<listitem><para>
|
|
Display DNs including the base DN.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>ou listobjects <replaceable>ou_dn</replaceable> [options]</title>
|
|
<para>List all objects in an organizational unit.</para>
|
|
<para>The name of the organizational unit can be specified as a full DN
|
|
or without the domainDN component.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--full-dn</term>
|
|
<listitem><para>
|
|
Display DNs including the base DN.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-r|--recursive</term>
|
|
<listitem><para>
|
|
List objects recursively.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>ou move <replaceable>old_ou_dn</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
|
|
<para>Move an organizational unit.</para>
|
|
<para>The name of the organizational units can be specified as a full DN
|
|
or without the domainDN component.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>ou rename <replaceable>old_ou_dn</replaceable> <replaceable>new_ou_dn</replaceable> [options]</title>
|
|
<para>Rename an organizational unit.</para>
|
|
<para>The name of the organizational units can be specified as a full DN
|
|
or without the domainDN component.</para>
|
|
</refsect3>
|
|
|
|
<refsect2>
|
|
<title>rodc</title>
|
|
<para>Manage Read-Only Domain Controller (RODC).</para>
|
|
</refsect2>
|
|
|
|
<refsect3>
|
|
<title>rodc preload <replaceable>SID</replaceable>|<replaceable>DN</replaceable>|<replaceable>accountname</replaceable> [options]</title>
|
|
<para>Preload one account for an RODC.</para>
|
|
</refsect3>
|
|
|
|
<refsect2>
|
|
<title>schema</title>
|
|
<para>Manage and query schema.</para>
|
|
</refsect2>
|
|
|
|
<refsect3>
|
|
<title>schema attribute modify <replaceable>attribute</replaceable> [options]</title>
|
|
<para>Modify the behaviour of an attribute in schema.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>schema attribute show <replaceable>attribute</replaceable> [options]</title>
|
|
<para>Display an attribute schema definition.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>schema attribute show_oc <replaceable>attribute</replaceable> [options]</title>
|
|
<para>Show objectclasses that MAY or MUST contain this attribute.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>schema objectclass show <replaceable>objectclass</replaceable> [options]</title>
|
|
<para>Display an objectclass schema definition.</para>
|
|
</refsect3>
|
|
|
|
<refsect2>
|
|
<title>shell</title>
|
|
<para>Opens an interactive Samba Python shell.</para>
|
|
</refsect2>
|
|
|
|
<refsect3>
|
|
<title>shell [options]</title>
|
|
<para>Opens an interactive Python shell for Samba ldb connection.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-H, --URL</term>
|
|
<listitem><para>
|
|
LDB URL for database or target server.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect2>
|
|
<title>sites</title>
|
|
<para>Manage sites.</para>
|
|
</refsect2>
|
|
|
|
<refsect3>
|
|
<title>sites list [options]</title>
|
|
<para>List sites.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--json</term>
|
|
<listitem><para>
|
|
Output as JSON instead of a list
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>sites view <replaceable>site</replaceable> [options]</title>
|
|
<para>View site details.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>sites create <replaceable>site</replaceable> [options]</title>
|
|
<para>Create a new site.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>sites remove <replaceable>site</replaceable> [options]</title>
|
|
<para>Delete an existing site.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>sites subnet list <replaceable>site</replaceable> [options]</title>
|
|
<para>List subnets for a site.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--json</term>
|
|
<listitem><para>
|
|
Output as JSON instead of a list
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>sites subnet view <replaceable>subnet</replaceable> [options]</title>
|
|
<para>View subnet details.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>sites subnet create <replaceable>subnet</replaceable> <replaceable>site-of-subnet</replaceable> [options]</title>
|
|
<para>Create a new subnet.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>sites subnet remove <replaceable>subnet</replaceable> [options]</title>
|
|
<para>Delete an existing subnet.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>sites subnet set-site <replaceable>subnet</replaceable> <replaceable>site-of-subnet</replaceable> [options]</title>
|
|
<para>Assign a subnet to a site.</para>
|
|
</refsect3>
|
|
|
|
<refsect2>
|
|
<title>spn</title>
|
|
<para>Manage Service Principal Names (SPN).</para>
|
|
</refsect2>
|
|
|
|
<refsect3>
|
|
<title>spn add <replaceable>name</replaceable> <replaceable>user</replaceable> [options]</title>
|
|
<para>Create a new SPN.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>spn delete <replaceable>name</replaceable> [<replaceable>user</replaceable>] [options]</title>
|
|
<para>Delete an existing SPN.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>spn list <replaceable>user</replaceable> [options]</title>
|
|
<para>List SPNs of a given user.</para>
|
|
</refsect3>
|
|
|
|
<refsect2>
|
|
<title>testparm</title>
|
|
<para>Check the syntax of the configuration file.</para>
|
|
</refsect2>
|
|
|
|
<refsect2>
|
|
<title>time</title>
|
|
<para>Retrieve the time on a server.</para>
|
|
</refsect2>
|
|
|
|
<refsect2>
|
|
<title>user</title>
|
|
<para>Manage users.</para>
|
|
</refsect2>
|
|
|
|
<refsect3>
|
|
<title>user add <replaceable>username</replaceable> [<replaceable>password</replaceable>]</title>
|
|
<para>Add a new user to the Active Directory Domain.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>user create <replaceable>username</replaceable> [<replaceable>password</replaceable>]</title>
|
|
<para>Add a new user. This is a synonym for the
|
|
<command>samba-tool user add</command> command and is available
|
|
for compatibility reasons only. Please use
|
|
<command>samba-tool user add</command> instead.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>user delete <replaceable>username</replaceable> [options]</title>
|
|
<para>Delete an existing user account.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>user disable <replaceable>username</replaceable></title>
|
|
<para>Disable a user account.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>user edit <replaceable>username</replaceable></title>
|
|
<para>Edit a user account AD object.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--editor=EDITOR</term>
|
|
<listitem><para>
|
|
Specifies the editor to use instead of the system default, or 'vi' if no
|
|
system default is set.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>user enable <replaceable>username</replaceable></title>
|
|
<para>Enable a user account.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>user list</title>
|
|
<para>List all users.</para>
|
|
<para>By default the user's sAMAccountNames are listed.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--full-dn</term>
|
|
<listitem><para>
|
|
List user's distinguished names instead of the sAMAccountNames.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>-b BASE_DN|--base-dn=BASE_DN</term>
|
|
<listitem><para>
|
|
Specify base DN to use. Only users under the specified base DN will be
|
|
listed.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--hide-expired</term>
|
|
<listitem><para>
|
|
Do not list expired user accounts.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--hide-disabled</term>
|
|
<listitem><para>
|
|
Do not list disabled user accounts.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--locked-only</term>
|
|
<listitem><para>
|
|
Only list locked user accounts.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>user setprimarygroup <replaceable>username</replaceable> <replaceable>primarygroupname</replaceable></title>
|
|
<para>Set the primary group a user account.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>user getgroups <replaceable>username</replaceable></title>
|
|
<para>Get the direct group memberships of a user account.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>user show <replaceable>username</replaceable> [options]</title>
|
|
<para>Display a user AD object.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--attributes=USER_ATTRS</term>
|
|
<listitem><para>
|
|
Comma separated list of attributes, which will be printed.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>user move <replaceable>username</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
|
|
<para>This command moves a user account into the specified
|
|
organizational unit or container.</para>
|
|
<para>The username specified on the command is the
|
|
sAMAccountName.</para>
|
|
<para>The name of the organizational unit or container can be
|
|
specified as a full DN or without the domainDN component.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>user password [options]</title>
|
|
<para>Change password for a user account (the one provided in
|
|
authentication).</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>user rename <replaceable>username</replaceable> [options]</title>
|
|
<para>Rename a user and related attributes.</para>
|
|
<para>This command allows to set the user's name related attributes. The user's
|
|
CN will be renamed automatically.
|
|
The user's new CN will be made up by combining the given-name, initials
|
|
and surname. A dot ('.') will be appended to the initials automatically,
|
|
if required.
|
|
Use the --force-new-cn option to specify the new CN manually and --reset-cn
|
|
to reset this change.</para>
|
|
<para>Use an empty attribute value to remove the specified attribute.</para>
|
|
<para>The username specified on the command is the sAMAccountName.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--surname=SURNAME</term>
|
|
<listitem><para>
|
|
New surname
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--given-name=GIVEN_NAME</term>
|
|
<listitem><para>
|
|
New given name
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--initials=INITIALS</term>
|
|
<listitem><para>
|
|
New initials
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--force-new-cn=NEW_CN</term>
|
|
<listitem><para>
|
|
Specify a new CN (RDN) instead of using a combination
|
|
of the given name, initials and surname.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--reset-cn</term>
|
|
<listitem><para>
|
|
Set the CN to the default combination of given name,
|
|
initials and surname.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--display-name=DISPLAY_NAME</term>
|
|
<listitem><para>
|
|
New display name
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--mail-address=MAIL_ADDRESS</term>
|
|
<listitem><para>
|
|
New email address
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--samaccountname=SAMACCOUNTNAME</term>
|
|
<listitem><para>
|
|
New account name (sAMAccountName/logon name)
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--upn=UPN</term>
|
|
<listitem><para>
|
|
New user principal name
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>user setexpiry <replaceable>username</replaceable> [options]</title>
|
|
<para>Set the expiration of a user account.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>user setpassword <replaceable>username</replaceable> [options]</title>
|
|
<para>Sets or resets the password of a user account.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>user unlock <replaceable>username</replaceable> [options]</title>
|
|
<para>This command unlocks a user account in the Active Directory
|
|
domain.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>user getpassword <replaceable>username</replaceable> [options]</title>
|
|
<para>Gets the password of a user account.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>user get-kerberos-ticket <replaceable>username</replaceable> [options]</title>
|
|
<para>Gets a Kerberos Ticket Granting Ticket as the account.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>user syncpasswords <replaceable>--cache-ldb-initialize</replaceable> [options]</title>
|
|
<para>Syncs the passwords of all user accounts, using an optional script.</para>
|
|
<para>Note that this command should run on a single domain controller only
|
|
(typically the PDC-emulator).</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>user auth policy assign <replaceable>username</replaceable> [options]</title>
|
|
<para>Set assigned authentication policy for user.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--policy</term>
|
|
<listitem><para>
|
|
Name of authentication policy to assign or leave empty to remove.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>user auth policy remove <replaceable>username</replaceable></title>
|
|
<para>Remove assigned authentication policy from user.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>user auth policy view <replaceable>username</replaceable></title>
|
|
<para>View the assigned authentication policy for user.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>user auth silo assign <replaceable>username</replaceable> [options]</title>
|
|
<para>Set assigned authentication silo for user.</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>--silo</term>
|
|
<listitem><para>
|
|
Name of authentication silo to assign or leave empty to remove.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>user auth silo remove <replaceable>username</replaceable></title>
|
|
<para>Remove assigned authentication silo from user.</para>
|
|
</refsect3>
|
|
|
|
<refsect3>
|
|
<title>user auth silo view <replaceable>username</replaceable></title>
|
|
<para>View the assigned authentication silo for user.</para>
|
|
</refsect3>
|
|
|
|
<refsect2>
|
|
<title>vampire [options] <replaceable>domain</replaceable></title>
|
|
<para>Join and synchronise a remote AD domain to the local server.
|
|
Please note that <command>samba-tool vampire</command> is deprecated,
|
|
please use <command>samba-tool domain join</command> instead.</para>
|
|
</refsect2>
|
|
|
|
<refsect2>
|
|
<title>visualize [options] <replaceable>subcommand</replaceable></title>
|
|
<para>Produce graphical representations of Samba network state.
|
|
To work out what is happening in a replication graph, it is sometimes
|
|
helpful to use visualisations.</para>
|
|
|
|
<para>
|
|
There are two subcommands, two graphical modes, and (roughly) two modes
|
|
of operation with respect to the location of authority.</para>
|
|
|
|
<refsect3><title>MODES OF OPERATION</title>
|
|
<varlistentry>
|
|
<term>samba-tool visualize ntdsconn</term>
|
|
<listitem><para>Looks at NTDS connections.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>samba-tool visualize reps</term>
|
|
<listitem><para>Looks at repsTo and repsFrom objects.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>samba-tool visualize uptodateness</term>
|
|
<listitem><para>Looks at replication lag as shown by the
|
|
uptodateness vectors.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</refsect3>
|
|
|
|
<refsect3><title>GRAPHICAL MODES</title>
|
|
<varlistentry>
|
|
<term>--distance</term>
|
|
<listitem><para>Distances between DCs are shown in a matrix in
|
|
the terminal.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>--dot</term>
|
|
<listitem><para>Generate Graphviz dot output (for
|
|
ntdsconn and reps modes). When viewed using dot or
|
|
xdot, this shows the network as a graph with DCs as
|
|
vertices and connections edges. Certain types of
|
|
degenerate edges are shown in different colours or
|
|
line-styles. </para></listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>--xdot</term>
|
|
<listitem><para>Generate Graphviz dot output as with
|
|
<arg choice="opt">--dot</arg> and attempt to view it
|
|
immediately using <command>/usr/bin/xdot</command>.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</refsect3>
|
|
|
|
<varlistentry>
|
|
<term>-r</term>
|
|
<listitem><para>Normally,
|
|
<command>samba-tool</command> talks to one database;
|
|
with the <arg choice="opt">-r</arg> option attempts
|
|
are made to contact all the DCs known to the first
|
|
database. This is necessary for <command>samba-tool
|
|
visualize uptodateness</command> and for
|
|
<command>samba-tool visualize reps</command> because
|
|
the repsFrom/To objects are not replicated, and it can
|
|
reveal replication issues in other modes.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
</refsect2>
|
|
|
|
<refsect2>
|
|
<title>help</title>
|
|
<para>Gives usage information.</para>
|
|
</refsect2>
|
|
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>VERSION</title>
|
|
|
|
<para>This man page is complete for version &doc.version; of the Samba
|
|
suite.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>AUTHOR</title>
|
|
|
|
<para>The original Samba software and related utilities
|
|
were created by Andrew Tridgell. Samba is now developed
|
|
by the Samba Team as an Open Source project similar
|
|
to the way the Linux kernel is developed.</para>
|
|
</refsect1>
|
|
|
|
</refentry>
|