1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3 <refentry id="samba-tool.8">
5 <refmeta>
6         <refentrytitle>samba-tool</refentrytitle>
7         <manvolnum>8</manvolnum>
8         <refmiscinfo class="source">Samba</refmiscinfo>
9         <refmiscinfo class="manual">System Administration tools</refmiscinfo>
10         <refmiscinfo class="version">&doc.version;</refmiscinfo>
11 </refmeta>
14 <refnamediv>
15         <refname>samba-tool</refname>
16         <refpurpose>Main Samba administration tool.
17         </refpurpose>
18 </refnamediv>
20 <refsynopsisdiv>
21         <cmdsynopsis>
22                 <command>samba-tool</command>
23                 <arg choice="opt">-h</arg>
24                 <arg choice="opt">-W myworkgroup</arg>
25                 <arg choice="opt">-U user</arg>
26                 <arg choice="opt">-d debuglevel</arg>
27                 <arg choice="opt">--v</arg>
28         </cmdsynopsis>
29 </refsynopsisdiv>
31 <refsect1>
32         <title>DESCRIPTION</title>
33         <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
34         <manvolnum>7</manvolnum></citerefentry> suite.</para>
35 </refsect1>
37 <refsect1>
38         <title>OPTIONS</title>
40         <variablelist>
42         <varlistentry>
43         <term>-h|--help</term>
44         <listitem><para>
45         Show this help message and exit
46         </para></listitem>
47         </varlistentry>
49         &cmdline.common.connection.realm;
51         &cmdline.common.credentials.simplebinddn;
53         &cmdline.common.credentials.password;
55         &cmdline.common.credentials.user;
57         &cmdline.common.connection.workgroup;
59         &cmdline.common.credentials.nopass;
61         &cmdline.common.credentials.usekerberos;
63         &cmdline.common.credentials.usekrb5ccache;
65         &cmdline.common.credentials.authenticationfile;
67         <varlistentry>
68         <term>--ipaddress=IPADDRESS</term>
69         <listitem><para>
70         IP address of the server
71         </para></listitem>
72         </varlistentry>
74         <varlistentry>
75         <term>--color=always|never|auto</term>
76         <listitem>
77           <para>
78             Indicate whether samba-tool should use ANSI colour codes
79             in its output. If 'auto' (the default), samba-tool will
80             use colour when its output is directed toward a terminal,
81             unless the NO_COLOR environment variable is set and
82             non-empty.
83           </para>
84           <para>
85             The values 'yes' and 'force' are accepted as synonyms for
86             'always'; 'no' and 'none' for 'never'; and 'tty' and
87             'if-tty' for 'auto'.
88           </para>
89           <para>
90             Note that asking for colour doesn't mean samba-tool will
91             necessarily be very colourful. Many commands are very
92             monochrome, particularly when successful.
93         </para>
94         </listitem>
95         </varlistentry>
97         &cmdline.common.debug.client;
99         </variablelist>
100 </refsect1>
102 <refsect1>
103 <title>COMMANDS</title>
105 <refsect2>
106         <title>computer</title>
107         <para>Manage computer accounts.</para>
108 </refsect2>
110 <refsect3>
111         <title>computer add <replaceable>computername</replaceable> [options]</title>
112         <para>Add a new computer to the Active Directory Domain.</para>
113         <para>The new computer name specified on the command is the
114         sAMAccountName, with or without the trailing dollar sign.</para>
116         <variablelist>
117         <varlistentry>
118         <term>--computerou=COMPUTEROU</term>
119         <listitem><para>
120         DN of an alternative location (with or without the domainDN component),
121         instead of the default CN=Computers, in which the new computer object
122         will be created. E.g. 'OU=OUname'.
123         </para></listitem>
124         </varlistentry>
126         <varlistentry>
127         <term>--description=DESCRIPTION</term>
128         <listitem><para>
129         The new computer's description.
130         </para></listitem>
131         </varlistentry>
133         <varlistentry>
134         <term>--ip-address=IP_ADDRESS_LIST</term>
135         <listitem><para>
136         IPv4 address for the computer's A record, or IPv6 address for its AAAA
137         record. Can be provided multiple times.
138         </para></listitem>
139         </varlistentry>
141         <varlistentry>
142         <term>--service-principal-name=SERVICE_PRINCIPAL_NAME_LIST</term>
143         <listitem><para>
144         Computer's Service Principal Name. Can be provided multiple times.
145         </para></listitem>
146         </varlistentry>
148         <varlistentry>
149         <term>--prepare-oldjoin</term>
150         <listitem><para>
151         Prepare enabled machine account for oldjoin mechanism.
152         </para></listitem>
153         </varlistentry>
154         </variablelist>
155 </refsect3>
157 <refsect3>
158         <title>computer create <replaceable>computername</replaceable> [options]</title>
159         <para>Add a new computer. This is a synonym for the
160         <command>samba-tool computer add</command> command and is available
161         for compatibility reasons only. Please use
162         <command>samba-tool computer add</command> instead.</para>
163 </refsect3>
165 <refsect3>
166         <title>computer delete <replaceable>computername</replaceable> [options]</title>
167         <para>Delete an existing computer account.</para>
168         <para>The computer name specified on the command is the
169         sAMAccountName, with or without the trailing dollar sign.</para>
170 </refsect3>
172 <refsect3>
173         <title>computer edit <replaceable>computername</replaceable></title>
174         <para>Edit a computer AD object.</para>
175         <para>The computer name specified on the command is the
176         sAMAccountName, with or without the trailing dollar sign.</para>
178         <variablelist>
179         <varlistentry>
180         <term>--editor=EDITOR</term>
181         <listitem><para>
182         Specifies the editor to use instead of the system default, or 'vi' if no
183         system default is set.
184         </para></listitem>
185         </varlistentry>
186         </variablelist>
187 </refsect3>
189 <refsect3>
190         <title>computer list</title>
191         <para>List all computers.</para>
192 </refsect3>
194 <refsect3>
195         <title>computer move <replaceable>computername</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
196         <para>This command moves a computer account into the specified
197         organizational unit or container.</para>
198         <para>The computername specified on the command is the
199         sAMAccountName, with or without the trailing dollar sign.</para>
200         <para>The name of the organizational unit or container can be
201         specified as a full DN or without the domainDN component.</para>
202 </refsect3>
204 <refsect3>
205         <title>computer show <replaceable>computername</replaceable> [options]</title>
206         <para>Display a computer AD object.</para>
207         <para>The computer name specified on the command is the
208         sAMAccountName, with or without the trailing dollar sign.</para>
210         <variablelist>
211         <varlistentry>
212         <term>--attributes=USER_ATTRS</term>
213         <listitem><para>
214         Comma-separated list of attributes to print.
215         </para></listitem>
216         </varlistentry>
217         </variablelist>
218 </refsect3>
220 <refsect2>
221         <title>contact</title>
222         <para>Manage contacts.</para>
223 </refsect2>
225 <refsect3>
226         <title>contact add [<replaceable>contactname</replaceable>] [options]</title>
227         <para>Add a new contact to the Active Directory Domain.</para>
228         <para>The name of the new contact can be specified by the first
229         argument 'contactname' or the --given-name, --initials and --surname
230         arguments. If no 'contactname' is given, the contact's name will be made
231         up of the given arguments by combining the given-name, initials and
232         surname. Each argument is optional. A dot ('.') will be appended to
233         the initials automatically.</para>
235         <variablelist>
236         <varlistentry>
237         <term>--ou=OU</term>
238         <listitem><para>
239         DN of an alternative location (with or without the domainDN component) in
240         which the new contact will be created.
241         E.g. 'OU=OUname'.
242         Default is the domain base.
243         </para></listitem>
244         </varlistentry>
246         <varlistentry>
247         <term>--description=DESCRIPTION</term>
248         <listitem><para>
249         The new contact's description.
250         </para></listitem>
251         </varlistentry>
253         <varlistentry>
254         <term>--surname=SURNAME</term>
255         <listitem><para>
256         Contact's surname.
257         </para></listitem>
258         </varlistentry>
260         <varlistentry>
261         <term>--given-name=GIVEN_NAME</term>
262         <listitem><para>
263         Contact's given name.
264         </para></listitem>
265         </varlistentry>
267         <varlistentry>
268         <term>--initials=INITIALS</term>
269         <listitem><para>
270         Contact's initials.
271         </para></listitem>
272         </varlistentry>
274         <varlistentry>
275         <term>--display-name=DISPLAY_NAME</term>
276         <listitem><para>
277         Contact's display name.
278         </para></listitem>
279         </varlistentry>
281         <varlistentry>
282         <term>--job-title=JOB_TITLE</term>
283         <listitem><para>
284         Contact's job title.
285         </para></listitem>
286         </varlistentry>
288         <varlistentry>
289         <term>--department=DEPARTMENT</term>
290         <listitem><para>
291         Contact's department.
292         </para></listitem>
293         </varlistentry>
295         <varlistentry>
296         <term>--company=COMPANY</term>
297         <listitem><para>
298         Contact's company.
299         </para></listitem>
300         </varlistentry>
302         <varlistentry>
303         <term>--mail-address=MAIL_ADDRESS</term>
304         <listitem><para>
305         Contact's email address.
306         </para></listitem>
307         </varlistentry>
309         <varlistentry>
310         <term>--internet-address=INTERNET_ADDRESS</term>
311         <listitem><para>
312         Contact's home page.
313         </para></listitem>
314         </varlistentry>
316         <varlistentry>
317         <term>--telephone-number=TELEPHONE_NUMBER</term>
318         <listitem><para>
319         Contact's phone number.
320         </para></listitem>
321         </varlistentry>
323         <varlistentry>
324         <term>--mobile-number=MOBILE_NUMBER</term>
325         <listitem><para>
326         Contact's mobile phone number.
327         </para></listitem>
328         </varlistentry>
330         <varlistentry>
331         <term>--physical-delivery-office=PHYSICAL_DELIVERY_OFFICE</term>
332         <listitem><para>
333         Contact's office location.
334         </para></listitem>
335         </varlistentry>
337         </variablelist>
338 </refsect3>
340 <refsect3>
341         <title>contact create [<replaceable>contactname</replaceable>] [options]</title>
342         <para>Add a new contact. This is a synonym for the
343         <command>samba-tool contact add</command> command and is available
344         for compatibility reasons only. Please use
345         <command>samba-tool contact add</command> instead.</para>
346 </refsect3>
348 <refsect3>
349         <title>contact delete <replaceable>contactname</replaceable> [options]</title>
350         <para>Delete an existing contact.</para>
351         <para>The contactname specified on the command is the common name or the
352         distinguished name of the contact object. The distinguished name of the
353         contact can be specified with or without the domainDN component.</para>
354 </refsect3>
356 <refsect3>
357         <title>contact edit <replaceable>contactname</replaceable></title>
358         <para>Modify a contact AD object.</para>
359         <para>The contactname specified on the command is the common name or the
360         distinguished name of the contact object. The distinguished name of the
361         contact can be specified with or without the domainDN component.</para>
363         <variablelist>
364         <varlistentry>
365         <term>--editor=EDITOR</term>
366         <listitem><para>
367         Specifies the editor to use instead of the system default, or 'vi' if no
368         system default is set.
369         </para></listitem>
370         </varlistentry>
371         </variablelist>
372 </refsect3>
374 <refsect3>
375         <title>contact list [options]</title>
376         <para>List all contacts.</para>
378         <variablelist>
379         <varlistentry>
380         <term>--full-dn</term>
381         <listitem><para>
382         Display contact's full DN instead of the name.
383         </para></listitem>
384         </varlistentry>
385         </variablelist>
386 </refsect3>
388 <refsect3>
389         <title>contact move <replaceable>contactname</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
390         <para>This command moves a contact into the specified organizational
391         unit or container.</para>
392         <para>The contactname specified on the command is the common name or the
393         distinguished name of the contact object. The distinguished name of the
394         contact can be specified with or without the domainDN component.</para>
395 </refsect3>
397 <refsect3>
398         <title>contact show <replaceable>contactname</replaceable> [options]</title>
399         <para>Display a contact AD object.</para>
400         <para>The contactname specified on the command is the common name or the
401         distinguished name of the contact object. The distinguished name of the
402         contact can be specified with or without the domainDN component.</para>
404         <variablelist>
405         <varlistentry>
406         <term>--attributes=CONTACT_ATTRS</term>
407         <listitem><para>
408         Comma-separated list of attributes to print.
409         </para></listitem>
410         </varlistentry>
411         </variablelist>
412 </refsect3>
414 <refsect3>
415         <title>contact rename <replaceable>contactname</replaceable> [options]</title>
416         <para>Rename a contact and related attributes.</para>
417         <para>This command sets the contact's name-related attributes. The contact's
418         CN will be renamed automatically.
419         The contact's new CN will be made up by combining the given-name, initials
420         and surname. A dot ('.') will be appended to the initials automatically,
421         if required.
422         Use the --force-new-cn option to specify the new CN manually and --reset-cn
423         to reset this change.</para>
424         <para>Use an empty attribute value to remove the specified attribute.</para>
425         <para>The contact name specified on the command is the CN.</para>
427         <variablelist>
428         <varlistentry>
429         <term>--surname=SURNAME</term>
430         <listitem><para>
431         New surname.
432         </para></listitem>
433         </varlistentry>
435         <varlistentry>
436         <term>--given-name=GIVEN_NAME</term>
437         <listitem><para>
438         New given name.
439         </para></listitem>
440         </varlistentry>
442         <varlistentry>
443         <term>--initials=INITIALS</term>
444         <listitem><para>
445         New initials.
446         </para></listitem>
447         </varlistentry>
449         <varlistentry>
450         <term>--force-new-cn=NEW_CN</term>
451         <listitem><para>
452         Specify a new CN (RDN) instead of using a combination
453         of the given name, initials and surname.
454         </para></listitem>
455         </varlistentry>
457         <varlistentry>
458         <term>--reset-cn</term>
459         <listitem><para>
460         Set the CN to the default combination of given name,
461         initials and surname.
462         </para></listitem>
463         </varlistentry>
465         <varlistentry>
466         <term>--display-name=DISPLAY_NAME</term>
467         <listitem><para>
468         New display name.
469         </para></listitem>
470         </varlistentry>
472         <varlistentry>
473         <term>--mail-address=MAIL_ADDRESS</term>
474         <listitem><para>
475         New email address.
476         </para></listitem>
477         </varlistentry>
478         </variablelist>
479 </refsect3>
481 <refsect2>
482         <title>dbcheck</title>
483         <para>Check the local AD database for errors.</para>
484 </refsect2>
486 <refsect2>
487         <title>delegation</title>
488         <para>Manage Delegations.</para>
489 </refsect2>
491 <refsect3>
492         <title>delegation add-service <replaceable>accountname</replaceable> <replaceable>principal</replaceable> [options]</title>
493         <para>Add a service principal to the account's msDS-AllowedToDelegateTo attribute.</para>
494 </refsect3>
496 <refsect3>
497         <title>delegation del-service <replaceable>accountname</replaceable> <replaceable>principal</replaceable> [options]</title>
498         <para>Remove a service principal from the account's msDS-AllowedToDelegateTo attribute.</para>
499 </refsect3>
501 <refsect3>
502         <title>delegation for-any-protocol <replaceable>accountname</replaceable> [(on|off)] [options]</title>
503         <para>Set/unset UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION (S4U2Proxy)
504         for an account.</para>
505 </refsect3>
507 <refsect3>
508         <title>delegation for-any-service <replaceable>accountname</replaceable> [(on|off)] [options]</title>
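509         <para>Set/unset UF_TRUSTED_FOR_DELEGATION for an account. This flag allows unconstrained Kerberos delegation: the account can act on behalf of any user who authenticates to it, so it should be set only on accounts that require it.</para>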
510 </refsect3>
512 <refsect3>
513         <title>delegation show <replaceable>accountname</replaceable> [options] </title>
514         <para>Show the delegation setting of an account.</para>
515 </refsect3>
517 <refsect2>
518         <title>dns</title>
519         <para>Manage Domain Name Service (DNS).</para>
520 </refsect2>
522 <refsect3>
523         <title>dns add <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>data</replaceable></title>
524         <para>Add a DNS record.</para>
525 </refsect3>
527 <refsect3>
528         <title>dns delete <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>data</replaceable></title>
529         <para>Delete a DNS record.</para>
530 </refsect3>
532 <refsect3>
533         <title>dns query <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT|ALL</replaceable> [options] <replaceable>data</replaceable></title>
534         <para>Query a name.</para>
535 </refsect3>
537 <refsect3>
538         <title>dns roothints <replaceable>server</replaceable> [<replaceable>name</replaceable>] [options]</title>
539         <para>Query root hints.</para>
540 </refsect3>
542 <refsect3>
543         <title>dns serverinfo <replaceable>server</replaceable> [options]</title>
544         <para>Query server information.</para>
545 </refsect3>
547 <refsect3>
548         <title>dns update <replaceable>server</replaceable> <replaceable>zone</replaceable> <replaceable>name</replaceable> <replaceable>A|AAAA|PTR|CNAME|NS|MX|SRV|TXT</replaceable> <replaceable>olddata</replaceable> <replaceable>newdata</replaceable></title>
549         <para>Update a DNS record.</para>
550 </refsect3>
552 <refsect3>
553         <title>dns zonecreate <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
554         <para>Create a zone.</para>
555 </refsect3>
557 <refsect3>
558         <title>dns zonedelete <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
559         <para>Delete a zone.</para>
560 </refsect3>
562 <refsect3>
563         <title>dns zoneinfo <replaceable>server</replaceable> <replaceable>zone</replaceable> [options]</title>
564         <para>Query zone information.</para>
565 </refsect3>
567 <refsect3>
568         <title>dns zonelist <replaceable>server</replaceable> [options]</title>
569         <para>List zones.</para>
570 </refsect3>
572 <refsect2>
573         <title>domain</title>
574         <para>Manage Domain.</para>
575 </refsect2>
577 <refsect3>
578         <title>domain backup</title>
579         <para>Create or restore a backup of the domain.</para>
580 </refsect3>
582 <refsect3>
583         <title>domain backup offline</title>
584         <para>Backup (with proper locking) local domain directories into a tar file.</para>
585 </refsect3>
587 <refsect3>
588         <title>domain backup online</title>
589         <para>Copy a running DC's current DB into a backup tar file.</para>
590 </refsect3>
592 <refsect3>
593         <title>domain backup rename</title>
594         <para>Copy a running DC's DB to backup file, renaming the domain in the process.</para>
595 </refsect3>
597 <refsect3>
598         <title>domain backup restore</title>
599         <para>Restore the domain's DB from a backup-file.</para>
600 </refsect3>
602 <refsect2>
603         <title>domain auth policy</title>
604         <para>Manage authentication policies.</para>
605 </refsect2>
607 <refsect3>
608         <title>domain auth policy list</title>
609         <para>List authentication policies on the domain.</para>
610         <variablelist>
611                 <varlistentry>
612                         <term>-H, --URL</term>
613                         <listitem><para>
614                                 LDB URL for database or target server.
615                         </para></listitem>
616                 </varlistentry>
617                 <varlistentry>
618                         <term>--json</term>
619                         <listitem><para>
620                                 View authentication policies as JSON instead of a list.
621                         </para></listitem>
622                 </varlistentry>
623         </variablelist>
624 </refsect3>
626 <refsect3>
627         <title>domain auth policy view</title>
628         <para>View an authentication policy on the domain.</para>
629         <variablelist>
630                 <varlistentry>
631                         <term>-H, --URL</term>
632                         <listitem><para>
633                                 LDB URL for database or target server.
634                         </para></listitem>
635                 </varlistentry>
636                 <varlistentry>
637                         <term>--name</term>
638                         <listitem><para>
639                                 Name of the authentication policy to view (required).
640                         </para></listitem>
641                 </varlistentry>
642         </variablelist>
643 </refsect3>
645 <refsect3>
646         <title>domain auth policy create</title>
647         <para>Create authentication policies on the domain.</para>
648         <variablelist>
649                 <varlistentry>
650                         <term>-H, --URL</term>
651                         <listitem><para>
652                                 LDB URL for database or target server.
653                         </para></listitem>
654                 </varlistentry>
655                 <varlistentry>
656                         <term>--name</term>
657                         <listitem><para>
658                                 Name of the authentication policy (required).
659                         </para></listitem>
660                 </varlistentry>
661                 <varlistentry>
662                         <term>--description</term>
663                         <listitem><para>
664                                 Optional description for the authentication policy.
665                         </para></listitem>
666                 </varlistentry>
667                 <varlistentry>
668                         <term>--protect</term>
669                         <listitem>
670                                 <para>
671                                         Protect authentication policy from accidental deletion.
672                                 </para>
673                                 <para>
674                                         Cannot be used together with --unprotect.
675                                 </para>
676                         </listitem>
677                 </varlistentry>
678                 <varlistentry>
679                         <term>--unprotect</term>
680                         <listitem>
681                                 <para>
682                                         Remove the authentication policy's protection against accidental deletion.
683                                 </para>
684                                 <para>
685                                         Cannot be used together with --protect.
686                                 </para>
687                         </listitem>
688                 </varlistentry>
689                 <varlistentry>
690                         <term>--audit</term>
691                         <listitem>
692                                 <para>
693                                         Only audit authentication policy.
694                                 </para>
695                                 <para>
696                                         Cannot be used together with --enforce.
697                                 </para>
698                         </listitem>
699                 </varlistentry>
700                 <varlistentry>
701                         <term>--enforce</term>
702                         <listitem>
703                                 <para>
704                                         Enforce authentication policy.
705                                 </para>
706                                 <para>
707                                         Cannot be used together with --audit.
708                                 </para>
709                         </listitem>
710                 </varlistentry>
711                 <varlistentry>
712                         <term>--strong-ntlm-policy</term>
713                         <listitem>
714                                 <para>
715                                         Strong NTLM Policy (Disabled, Optional, Required).
716                                 </para>
717                         </listitem>
718                 </varlistentry>
719                 <varlistentry>
720                         <term>--user-tgt-lifetime-mins</term>
721                         <listitem>
722                                 <para>
723                                         Ticket-Granting-Ticket lifetime for user accounts.
724                                 </para>
725                         </listitem>
726                 </varlistentry>
727                 <varlistentry>
728                         <term>--user-allow-ntlm-auth</term>
729                         <listitem>
730                                 <para>
731                                         Allow <constant>NTLM</constant> and
732                                         <constant>Interactive NETLOGON SamLogon</constant>
733                                         authentication even though
734                                         <constant>allowed-to-authenticate-from</constant>
735                                         is in use, which would otherwise
736                                         restrict the user to selected devices.
737                                         With this option set, these logons are not subject to that device restriction.
738                                 </para>
739                         </listitem>
740                 </varlistentry>
741                 <varlistentry>
742                         <term>--user-allowed-to-authenticate-from</term>
743                         <listitem>
744                                 <para>
745                                         Conditions a device must meet
746                                         for users covered by this
747                                         policy to be allowed to
748                                         authenticate.  While this is a
749                                         restriction on the device,
750                                         any conditional ACE rules are
751                                         expressed as if the device was
752                                         a user.
753                                 </para>
754                                 <para>
755                                         Must be a valid SDDL string
756                                         without reference to Device
757                                         keywords.
758                                 </para>
759                                 <para>
760                                         SDDL Example: <constant>O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)}))</constant>
761                                 </para>
762                         </listitem>
763                 </varlistentry>
764                 <varlistentry>
765                         <term>--user-allowed-to-authenticate-to=SDDL</term>
766                         <listitem>
767                                 <para>
768                                         This policy, applying to a
769                                         user account that is offering
770                                         a service, e.g. a web server
771                                         with a user account, restricts
772                                         which accounts may access it.
773                                 </para>
774                                 <para>
775                                         Must be a valid SDDL string.
776                                         The SDDL can reference both
777                                         bare (user) and Device conditions.
778                                 </para>
779                                 <para>
780                                         SDDL Example: <constant>O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))</constant>
781                                 </para>
782                         </listitem>
783                 </varlistentry>
784                 <varlistentry>
785                         <term>--service-tgt-lifetime-mins</term>
786                         <listitem>
787                                 <para>
788                                         Ticket-Granting-Ticket lifetime for service accounts.
789                                 </para>
790                         </listitem>
791                 </varlistentry>
792                 <varlistentry>
793                         <term>--service-allow-ntlm-auth</term>
794                         <listitem>
795                                 <para>
796                                         Allow NTLM network authentication when the service
797                                         is restricted to selected devices.
798                                 </para>
799                         </listitem>
800                 </varlistentry>
801                 <varlistentry>
802                         <term>--service-allowed-to-authenticate-from</term>
803                         <listitem>
804                                 <para>
805                                         Conditions a device must meet
806                                         for service accounts covered
807                                         by this policy to be allowed
808                                         to authenticate.  While this
809                                         is a restriction on the
810                                         device, any conditional ACE
811                                         rules are expressed as if the
812                                         device was a user.
813                                 </para>
814                                 <para>
815                                         Must be a valid SDDL string
816                                         without reference to Device
817                                         keywords.
818                                 </para>
819                                 <para>
820                                         SDDL Example: <constant>O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)}))</constant>
821                                 </para>
822                         </listitem>
823                 </varlistentry>
824                 <varlistentry>
825                         <term>--service-allowed-to-authenticate-to=SDDL</term>
826                         <listitem>
827                                 <para>
828                                         This policy, applying to a
829                                         service account (eg a Managed
830                                         Service Account, Group Managed
831                                         Service Account), restricts
832                                         which accounts may access it.
833                                 </para>
834                                 <para>
835                                         Must be a valid SDDL string.
836                                         The SDDL can reference both
837                                         bare (user) and Device conditions.
838                                 </para>
839                                 <para>
840                                         SDDL Example: <constant>O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))</constant>
841                                 </para>
842                         </listitem>
843                 </varlistentry>
844                 <varlistentry>
845                         <term>--computer-tgt-lifetime-mins</term>
846                         <listitem>
847                                 <para>
848                                         Ticket-Granting-Ticket lifetime for computer accounts.
849                                 </para>
850                         </listitem>
851                 </varlistentry>
852                 <varlistentry>
853                         <term>--computer-allowed-to-authenticate-to=SDDL</term>
854                         <listitem>
855                                 <para>
856                                         This policy, applying to a
857                                         computer account (eg a server
858                                         or workstation), restricts
859                                         which accounts may access it.
860                                 </para>
861                                 <para>
862                                         Must be a valid SDDL string.
863                                         The SDDL can reference both
864                                         bare (user) and Device conditions.
865                                 </para>
866                                 <para>
867                                         SDDL Example: <constant>O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))</constant>
868                                 </para>
869                         </listitem>
870                 </varlistentry>
871         </variablelist>
872 </refsect3>
874 <refsect3>
875         <title>domain auth policy modify</title>
876         <para>Modify authentication policies on the domain.  The same
877         options apply as for <constant>domain auth policy create</constant>.</para>
878 </refsect3>
880 <refsect3>
881         <title>domain auth policy delete</title>
882         <para>Delete authentication policies on the domain.</para>
883         <variablelist>
884                 <varlistentry>
885                         <term>-H, --URL</term>
886                         <listitem><para>
887                                 LDB URL for database or target server.
888                         </para></listitem>
889                 </varlistentry>
890                 <varlistentry>
891                         <term>--name</term>
892                         <listitem><para>
893                                 Name of authentication policy to delete (required).
894                         </para></listitem>
895                 </varlistentry>
896                 <varlistentry>
897                         <term>--force</term>
898                         <listitem><para>
899                                 Force deletion of the authentication policy even if it is protected.
900                         </para></listitem>
901                 </varlistentry>
902         </variablelist>
903 </refsect3>
905 <refsect3>
906         <title>domain auth policy user-allowed-to-authenticate-from set</title>
907         <para>Set the user-allowed-to-authenticate-from property by scenario.</para>
908         <variablelist>
909                 <varlistentry>
910                         <term>-H, --URL</term>
911                         <listitem><para>
912                                 LDB URL for database or target server.
913                         </para></listitem>
914                 </varlistentry>
915                 <varlistentry>
916                         <term>--name</term>
917                         <listitem><para>
918                                 Name of authentication policy.
919                         </para></listitem>
920                 </varlistentry>
921                 <varlistentry>
922                         <term>--by-group=GROUP</term>
923                         <listitem><para>
924                                 User is allowed to
925                                 authenticate, if the device they
926                                 authenticate from is a member
927                                 of the
928                                 given <constant>GROUP</constant>.
929                         </para></listitem>
930                 </varlistentry>
931                 <varlistentry>
932                         <term>--silo=SILO</term>
933                         <listitem><para>
934                                 User is allowed to
935                                 authenticate, if the device they
936                                 authenticate from is assigned
937                                 and granted membership of a
938                                 given <constant>SILO</constant>.
939                         </para></listitem>
940                 </varlistentry>
941         </variablelist>
942 </refsect3>
944 <refsect3>
945         <title>domain auth policy user-allowed-to-authenticate-to set</title>
946         <para>Set the user-allowed-to-authenticate-to property by scenario.</para>
947         <variablelist>
948                 <varlistentry>
949                         <term>-H, --URL</term>
950                         <listitem><para>
951                                 LDB URL for database or target server.
952                         </para></listitem>
953                 </varlistentry>
954                 <varlistentry>
955                         <term>--name</term>
956                         <listitem><para>
957                                 Name of authentication policy.
958                         </para></listitem>
959                 </varlistentry>
960                 <varlistentry>
961                         <term>--group=GROUP</term>
962                         <listitem><para>
963                                 The user account, offering a
964                                 network service, covered by
965                                 this policy, will only be allowed
966                                 access from other accounts
967                                 that are members of the given
968                                 <constant>GROUP</constant>.
969                         </para></listitem>
970                 </varlistentry>
971                 <varlistentry>
972                         <term>--silo=SILO</term>
973                         <listitem><para>
974                                 The user account, offering a
975                                 network service, covered by
976                                 this policy, will only be
977                                 allowed access from other accounts
978                                 that are assigned to,
979                                 granted membership of (and
980                                 meet any authentication
981                                 conditions of) the given <constant>SILO</constant>.
982                         </para></listitem>
983                 </varlistentry>
984         </variablelist>
985 </refsect3>
987 <refsect3>
988         <title>domain auth policy service-allowed-to-authenticate-from set</title>
989         <para>Set the service-allowed-to-authenticate-from property by scenario.</para>
990         <variablelist>
991                 <varlistentry>
992                         <term>-H, --URL</term>
993                         <listitem><para>
994                                 LDB URL for database or target server.
995                         </para></listitem>
996                 </varlistentry>
997                 <varlistentry>
998                         <term>--name</term>
999                         <listitem><para>
1000                                 Name of authentication policy.
1001                         </para></listitem>
1002                 </varlistentry>
1003                 <varlistentry>
1004                         <term>--group=GROUP</term>
1005                         <listitem><para>
1006                                 The service account (eg a Managed
1007                                 Service Account, Group Managed
1008                                 Service Account) is allowed to
1009                                 authenticate, if the device it
1010                                 authenticates from is a member
1011                                 of the given <constant>GROUP</constant>.
1012                         </para></listitem>
1013                 </varlistentry>
1014                 <varlistentry>
1015                         <term>--silo=SILO</term>
1016                         <listitem><para>
1017                                 The service account (eg a Managed
1018                                 Service Account, Group Managed
1019                                 Service Account) is allowed to
1020                                 authenticate, if the device it
1021                                 authenticates from is assigned
1022                                 and granted membership of a
1023                                 given <constant>SILO</constant>.
1024                         </para></listitem>
1025                 </varlistentry>
1026         </variablelist>
1027 </refsect3>
1029 <refsect3>
1030         <title>domain auth policy service-allowed-to-authenticate-to set</title>
1031         <para>Set the service-allowed-to-authenticate-to property by scenario.</para>
1032         <variablelist>
1033                 <varlistentry>
1034                         <term>-H, --URL</term>
1035                         <listitem><para>
1036                                 LDB URL for database or target server.
1037                         </para></listitem>
1038                 </varlistentry>
1039                 <varlistentry>
1040                         <term>--name</term>
1041                         <listitem><para>
1042                                 Name of authentication policy.
1043                         </para></listitem>
1044                 </varlistentry>
1045                 <varlistentry>
1046                         <term>--group=GROUP</term>
1047                         <listitem><para>
1048                                 The service account (eg a Managed
1049                                 Service Account, Group Managed
1050                                 Service Account), will only be
1051                                 allowed access by other accounts
1052                                 that are members of the given
1053                                 <constant>GROUP</constant>.
1054                         </para></listitem>
1055                 </varlistentry>
1056                 <varlistentry>
1057                         <term>--silo=SILO</term>
1058                         <listitem><para>
1059                                 The service account (eg a
1060                                 Managed Service Account, Group
1061                                 Managed Service Account), will
1062                                 only be allowed access by other
1063                                 accounts that are assigned
1064                                 to, granted membership of (and
1065                                 meet any authentication
1066                                 conditions of) the given <constant>SILO</constant>.
1067                         </para></listitem>
1068                 </varlistentry>
1069         </variablelist>
1070 </refsect3>
1072 <refsect3>
1073         <title>domain auth policy computer-allowed-to-authenticate-to set</title>
1074         <para>Set the computer-allowed-to-authenticate-to property by scenario.</para>
1075         <variablelist>
1076                 <varlistentry>
1077                         <term>-H, --URL</term>
1078                         <listitem><para>
1079                                 LDB URL for database or target server.
1080                         </para></listitem>
1081                 </varlistentry>
1082                 <varlistentry>
1083                         <term>--name</term>
1084                         <listitem><para>
1085                                 Name of authentication policy.
1086                         </para></listitem>
1087                 </varlistentry>
1088                 <varlistentry>
1089                         <term>--group=GROUP</term>
1090                         <listitem><para>
1091                                 The computer account (eg a server
1092                                 or workstation), will only be
1093                                 allowed access by other accounts
1094                                 that are members of the given
1095                                 <constant>GROUP</constant>.
1096                         </para></listitem>
1097                 </varlistentry>
1098                 <varlistentry>
1099                         <term>--silo=SILO</term>
1100                         <listitem><para>
1101                                 The computer account (eg a
1102                                 server or workstation), will
1103                                 only be allowed access by
1104                                 other accounts that are
1105                                 assigned to, granted
1106                                 membership of (and meet any
1107                                 authentication conditions of)
1108                                 the given <constant>SILO</constant>.
1109                         </para></listitem>
1110                 </varlistentry>
1111         </variablelist>
1112 </refsect3>
1114 <refsect2>
1115         <title>domain auth silo</title>
1116         <para>Manage authentication silos.</para>
1117 </refsect2>
1119 <refsect3>
1120         <title>domain auth silo list</title>
1121         <para>List authentication silos on the domain.</para>
1122         <variablelist>
1123                 <varlistentry>
1124                         <term>-H, --URL</term>
1125                         <listitem><para>
1126                                 LDB URL for database or target server.
1127                         </para></listitem>
1128                 </varlistentry>
1129                 <varlistentry>
1130                         <term>--json</term>
1131                         <listitem><para>
1132                                 View authentication silos as JSON instead of a list.
1133                         </para></listitem>
1134                 </varlistentry>
1135         </variablelist>
1136 </refsect3>
1138 <refsect3>
1139         <title>domain auth silo view</title>
1140         <para>View an authentication silo on the domain.</para>
1141         <variablelist>
1142                 <varlistentry>
1143                         <term>-H, --URL</term>
1144                         <listitem><para>
1145                                 LDB URL for database or target server.
1146                         </para></listitem>
1147                 </varlistentry>
1148                 <varlistentry>
1149                         <term>--name</term>
1150                         <listitem><para>
1151                                 Name of the authentication silo to view (required).
1152                         </para></listitem>
1153                 </varlistentry>
1154         </variablelist>
1155 </refsect3>
1157 <refsect3>
1158         <title>domain auth silo create</title>
1159         <para>Create authentication silos on the domain.</para>
1160         <variablelist>
1161                 <varlistentry>
1162                         <term>-H, --URL</term>
1163                         <listitem><para>
1164                                 LDB URL for database or target server.
1165                         </para></listitem>
1166                 </varlistentry>
1167                 <varlistentry>
1168                         <term>--name</term>
1169                         <listitem><para>
1170                                 Name of the authentication silo (required).
1171                         </para></listitem>
1172                 </varlistentry>
1173                 <varlistentry>
1174                         <term>--description</term>
1175                         <listitem><para>
1176                                 Optional description for the authentication silo.
1177                         </para></listitem>
1178                 </varlistentry>
1179                 <varlistentry>
1180                         <term>--user-authentication-policy</term>
1181                         <listitem><para>
1182                                 User account authentication policy.
1183                         </para></listitem>
1184                 </varlistentry>
1185                 <varlistentry>
1186                         <term>--service-authentication-policy</term>
1187                         <listitem><para>
1188                                 Managed service account authentication policy.
1189                         </para></listitem>
1190                 </varlistentry>
1191                 <varlistentry>
1192                         <term>--computer-authentication-policy</term>
1193                         <listitem><para>
1194                                 Computer authentication policy.
1195                         </para></listitem>
1196                 </varlistentry>
1197                 <varlistentry>
1198                         <term>--protect</term>
1199                         <listitem>
1200                                 <para>
1201                                         Protect authentication silo from accidental deletion.
1202                                 </para>
1203                                 <para>
1204                                         Cannot be used together with --unprotect.
1205                                 </para>
1206                         </listitem>
1207                 </varlistentry>
1208                 <varlistentry>
1209                         <term>--unprotect</term>
1210                         <listitem>
1211                                 <para>
1212                                         Remove the authentication silo's protection against accidental deletion.
1213                                 </para>
1214                                 <para>
1215                                         Cannot be used together with --protect.
1216                                 </para>
1217                         </listitem>
1218                 </varlistentry>
1219                 <varlistentry>
1220                         <term>--audit</term>
1221                         <listitem>
1222                                 <para>
1223                                         Audit silo policies only, without enforcing them.
1224                                 </para>
1225                                 <para>
1226                                         Cannot be used together with --enforce.
1227                                 </para>
1228                         </listitem>
1229                 </varlistentry>
1230                 <varlistentry>
1231                         <term>--enforce</term>
1232                         <listitem>
1233                                 <para>
1234                                         Enforce silo policies.
1235                                 </para>
1236                                 <para>
1237                                         Cannot be used together with --audit.
1238                                 </para>
1239                         </listitem>
1240                 </varlistentry>
1241         </variablelist>
1242 </refsect3>
1244 <refsect3>
1245         <title>domain auth silo modify</title>
1246         <para>Modify authentication silos on the domain.</para>
1247         <variablelist>
1248                 <varlistentry>
1249                         <term>-H, --URL</term>
1250                         <listitem><para>
1251                                 LDB URL for database or target server.
1252                         </para></listitem>
1253                 </varlistentry>
1254                 <varlistentry>
1255                         <term>--name</term>
1256                         <listitem><para>
1257                                 Name of the authentication silo (required).
1258                         </para></listitem>
1259                 </varlistentry>
1260                 <varlistentry>
1261                         <term>--description</term>
1262                         <listitem><para>
1263                                 Optional description for the authentication silo.
1264                         </para></listitem>
1265                 </varlistentry>
1266                 <varlistentry>
1267                         <term>--user-authentication-policy</term>
1268                         <listitem><para>
1269                                 User account authentication policy.
1270                         </para></listitem>
1271                 </varlistentry>
1272                 <varlistentry>
1273                         <term>--service-authentication-policy</term>
1274                         <listitem><para>
1275                                 Managed service account authentication policy.
1276                         </para></listitem>
1277                 </varlistentry>
1278                 <varlistentry>
1279                         <term>--computer-authentication-policy</term>
1280                         <listitem><para>
1281                                 Computer authentication policy.
1282                         </para></listitem>
1283                 </varlistentry>
1284                 <varlistentry>
1285                         <term>--protect</term>
1286                         <listitem>
1287                                 <para>
1288                                         Protect authentication silo from accidental deletion.
1289                                 </para>
1290                                 <para>
1291                                         Cannot be used together with --unprotect.
1292                                 </para>
1293                         </listitem>
1294                 </varlistentry>
1295                 <varlistentry>
1296                         <term>--unprotect</term>
1297                         <listitem>
1298                                 <para>
1299                                         Remove the authentication silo's protection against accidental deletion.
1300                                 </para>
1301                                 <para>
1302                                         Cannot be used together with --protect.
1303                                 </para>
1304                         </listitem>
1305                 </varlistentry>
1306                 <varlistentry>
1307                         <term>--audit</term>
1308                         <listitem>
1309                                 <para>
1310                                         Audit silo policies only, without enforcing them.
1311                                 </para>
1312                                 <para>
1313                                         Cannot be used together with --enforce.
1314                                 </para>
1315                         </listitem>
1316                 </varlistentry>
1317                 <varlistentry>
1318                         <term>--enforce</term>
1319                         <listitem>
1320                                 <para>
1321                                         Enforce silo policies.
1322                                 </para>
1323                                 <para>
1324                                         Cannot be used together with --audit.
1325                                 </para>
1326                         </listitem>
1327                 </varlistentry>
1328         </variablelist>
1329 </refsect3>
1331 <refsect3>
1332         <title>domain auth silo delete</title>
1333         <para>Delete authentication silos on the domain.</para>
1334         <variablelist>
1335                 <varlistentry>
1336                         <term>-H, --URL</term>
1337                         <listitem><para>
1338                                 LDB URL for database or target server.
1339                         </para></listitem>
1340                 </varlistentry>
1341                 <varlistentry>
1342                         <term>--name</term>
1343                         <listitem><para>
1344                                 Name of authentication silo to delete (required).
1345                         </para></listitem>
1346                 </varlistentry>
1347                 <varlistentry>
1348                         <term>--force</term>
1349                         <listitem><para>
1350                                 Force deletion of the authentication silo even if it is protected.
1351                         </para></listitem>
1352                 </varlistentry>
1353         </variablelist>
1354 </refsect3>
1356 <refsect3>
1357         <title>domain auth silo member grant</title>
1358         <para>Grant a member access to an authentication silo.</para>
1359         <variablelist>
1360                 <varlistentry>
1361                         <term>-H, --URL</term>
1362                         <listitem><para>
1363                                 LDB URL for database or target server.
1364                         </para></listitem>
1365                 </varlistentry>
1366                 <varlistentry>
1367                         <term>--name</term>
1368                         <listitem><para>
1369                                 Name of authentication silo (required).
1370                         </para></listitem>
1371                 </varlistentry>
1372                 <varlistentry>
1373                         <term>--member</term>
1374                         <listitem><para>
1375                                 Member to grant access to the silo (DN or account name).
1376                         </para></listitem>
1377                 </varlistentry>
1378         </variablelist>
1379 </refsect3>
1381 <refsect3>
1382         <title>domain auth silo member list</title>
1383         <para>List members in an authentication silo.</para>
1384         <variablelist>
1385                 <varlistentry>
1386                         <term>-H, --URL</term>
1387                         <listitem><para>
1388                                 LDB URL for database or target server.
1389                         </para></listitem>
1390                 </varlistentry>
1391                 <varlistentry>
1392                         <term>--name</term>
1393                         <listitem><para>
1394                                 Name of authentication silo (required).
1395                         </para></listitem>
1396                 </varlistentry>
1397                 <varlistentry>
1398                         <term>--json</term>
1399                         <listitem><para>
1400                                 View members as JSON instead of a list.
1401                         </para></listitem>
1402                 </varlistentry>
1403         </variablelist>
1404 </refsect3>
1406 <refsect3>
1407         <title>domain auth silo member revoke</title>
1408         <para>Revoke a member's access to an authentication silo.</para>
1409         <variablelist>
1410                 <varlistentry>
1411                         <term>-H, --URL</term>
1412                         <listitem><para>
1413                                 LDB URL for database or target server.
1414                         </para></listitem>
1415                 </varlistentry>
1416                 <varlistentry>
1417                         <term>--name</term>
1418                         <listitem><para>
1419                                 Name of authentication silo (required).
1420                         </para></listitem>
1421                 </varlistentry>
1422                 <varlistentry>
1423                         <term>--member</term>
1424                         <listitem><para>
1425                                 Member to revoke from the silo (DN or account name).
1426                         </para></listitem>
1427                 </varlistentry>
1428         </variablelist>
1429 </refsect3>
1431 <refsect3>
1432         <title>domain claim claim-type list</title>
1433         <para>List claim types on the domain.</para>
1434         <variablelist>
1435                 <varlistentry>
1436                         <term>-H, --URL</term>
1437                         <listitem><para>
1438                                 LDB URL for database or target server.
1439                         </para></listitem>
1440                 </varlistentry>
1441                 <varlistentry>
1442                         <term>--json</term>
1443                         <listitem><para>
1444                                 View claim types as JSON instead of a list.
1445                         </para></listitem>
1446                 </varlistentry>
1447         </variablelist>
1448 </refsect3>
1450 <refsect3>
1451         <title>domain claim claim-type view</title>
1452         <para>View a single claim type on the domain.</para>
1453         <variablelist>
1454                 <varlistentry>
1455                         <term>-H, --URL</term>
1456                         <listitem><para>
1457                                 LDB URL for database or target server.
1458                         </para></listitem>
1459                 </varlistentry>
1460                 <varlistentry>
1461                         <term>--name</term>
1462                         <listitem><para>
1463                                 Display name of claim type to view (required).
1464                         </para></listitem>
1465                 </varlistentry>
1466         </variablelist>
1467 </refsect3>
1469 <refsect3>
1470         <title>domain claim claim-type create</title>
1471         <para>Create claim types on the domain.</para>
1472         <variablelist>
1473                 <varlistentry>
1474                         <term>-H, --URL</term>
1475                         <listitem><para>
1476                                 LDB URL for database or target server.
1477                         </para></listitem>
1478                 </varlistentry>
1479                 <varlistentry>
1480                         <term>--attribute</term>
1481                         <listitem><para>
1482                                 Attribute of claim type to create (required).
1483                         </para></listitem>
1484                 </varlistentry>
1485                 <varlistentry>
1486                         <term>--class</term>
1487                         <listitem>
1488                                 <para>
1489                                         Object classes to set claim type to.
1490                                 </para>
1491                                 <para>
1492                                         Example: --class=user --class=computer
1493                                 </para>
1494                         </listitem>
1495                 </varlistentry>
1496                 <varlistentry>
1497                         <term>--name</term>
1498                         <listitem><para>
1499                                 Optional display name; if omitted, the attribute name is used.
1500                         </para></listitem>
1501                 </varlistentry>
1502                 <varlistentry>
1503                         <term>--description</term>
1504                         <listitem><para>
1505                                 Optional description; if omitted, the description from the attribute is used.
1506                         </para></listitem>
1507                 </varlistentry>
1508                 <varlistentry>
1509                         <term>--enable</term>
1510                         <listitem>
1511                                 <para>
1512                                         Enable claim type.
1513                                 </para>
1514                                 <para>
1515                                         Cannot be used together with --disable.
1516                                 </para>
1517                         </listitem>
1518                 </varlistentry>
1519                 <varlistentry>
1520                         <term>--disable</term>
1521                         <listitem>
1522                                 <para>
1523                                         Disable claim type.
1524                                 </para>
1525                                 <para>
1526                                         Cannot be used together with --enable.
1527                                 </para>
1528                         </listitem>
1529                 </varlistentry>
1530                 <varlistentry>
1531                         <term>--protect</term>
1532                         <listitem>
1533                                 <para>
1534                                         Protect claim type from accidental deletion.
1535                                 </para>
1536                                 <para>
1537                                         Cannot be used together with --unprotect.
1538                                 </para>
1539                         </listitem>
1540                 </varlistentry>
1541                 <varlistentry>
1542                         <term>--unprotect</term>
1543                         <listitem>
1544                                 <para>
1545                                         Remove the claim type's protection from accidental deletion.
1546                                 </para>
1547                                 <para>
1548                                         Cannot be used together with --protect.
1549                                 </para>
1550                         </listitem>
1551                 </varlistentry>
1552         </variablelist>
1553 </refsect3>
1555 <refsect3>
1556         <title>domain claim claim-type modify</title>
1557         <para>Modify claim types on the domain.</para>
1558         <variablelist>
1559                 <varlistentry>
1560                         <term>-H, --URL</term>
1561                         <listitem><para>
1562                                 LDB URL for database or target server.
1563                         </para></listitem>
1564                 </varlistentry>
1565                 <varlistentry>
1566                         <term>--name</term>
1567                         <listitem><para>
1568                                 Display name of claim type to modify (required).
1569                         </para></listitem>
1570                 </varlistentry>
1571                 <varlistentry>
1572                         <term>--class</term>
1573                         <listitem>
1574                                 <para>
1575                                         Object classes to set claim type to.
1576                                 </para>
1577                                 <para>
1578                                         Example: --class=user --class=computer
1579                                 </para>
1580                         </listitem>
1581                 </varlistentry>
1582                 <varlistentry>
1583                         <term>--description</term>
1584                         <listitem><para>
1585                                 Set the claim type description.
1586                         </para></listitem>
1587                 </varlistentry>
1588                 <varlistentry>
1589                         <term>--enable</term>
1590                         <listitem>
1591                                 <para>
1592                                         Enable claim type.
1593                                 </para>
1594                                 <para>
1595                                         Cannot be used together with --disable.
1596                                 </para>
1597                         </listitem>
1598                 </varlistentry>
1599                 <varlistentry>
1600                         <term>--disable</term>
1601                         <listitem>
1602                                 <para>
1603                                         Disable claim type.
1604                                 </para>
1605                                 <para>
1606                                         Cannot be used together with --enable.
1607                                 </para>
1608                         </listitem>
1609                 </varlistentry>
1610                 <varlistentry>
1611                         <term>--protect</term>
1612                         <listitem>
1613                                 <para>
1614                                         Protect claim type from accidental deletion.
1615                                 </para>
1616                                 <para>
1617                                         Cannot be used together with --unprotect.
1618                                 </para>
1619                         </listitem>
1620                 </varlistentry>
1621                 <varlistentry>
1622                         <term>--unprotect</term>
1623                         <listitem>
1624                                 <para>
1625                                         Remove the claim type's protection from accidental deletion.
1626                                 </para>
1627                                 <para>
1628                                         Cannot be used together with --protect.
1629                                 </para>
1630                         </listitem>
1631                 </varlistentry>
1632         </variablelist>
1633 </refsect3>
1635 <refsect3>
1636         <title>domain claim claim-type delete</title>
1637         <para>Delete claim types on the domain.</para>
1638         <variablelist>
1639                 <varlistentry>
1640                         <term>-H, --URL</term>
1641                         <listitem><para>
1642                                 LDB URL for database or target server.
1643                         </para></listitem>
1644                 </varlistentry>
1645                 <varlistentry>
1646                         <term>--name</term>
1647                         <listitem><para>
1648                                 Display name of claim type to delete (required).
1649                         </para></listitem>
1650                 </varlistentry>
1651                 <varlistentry>
1652                         <term>--force</term>
1653                         <listitem><para>
1654                                 Force claim type delete even if it is protected.
1655                         </para></listitem>
1656                 </varlistentry>
1657         </variablelist>
1658 </refsect3>
1660 <refsect3>
1661         <title>domain claim value-type list</title>
1662         <para>List claim value types on the domain.</para>
1663         <variablelist>
1664                 <varlistentry>
1665                         <term>-H, --URL</term>
1666                         <listitem><para>
1667                                 LDB URL for database or target server.
1668                         </para></listitem>
1669                 </varlistentry>
1670                 <varlistentry>
1671                         <term>--json</term>
1672                         <listitem><para>
1673                                 View claim value types as JSON instead of a list.
1674                         </para></listitem>
1675                 </varlistentry>
1676         </variablelist>
1677 </refsect3>
1679 <refsect3>
1680         <title>domain claim value-type view</title>
1681         <para>View a single claim value type on the domain.</para>
1682         <variablelist>
1683                 <varlistentry>
1684                         <term>-H, --URL</term>
1685                         <listitem><para>
1686                                 LDB URL for database or target server.
1687                         </para></listitem>
1688                 </varlistentry>
1689                 <varlistentry>
1690                         <term>--name</term>
1691                         <listitem><para>
1692                                 Display name of claim value type to view (required).
1693                         </para></listitem>
1694                 </varlistentry>
1695         </variablelist>
1696 </refsect3>
1698 <refsect2>
1699         <title>service-account</title>
1700         <para>Service account management.</para>
1701 </refsect2>
1703 <refsect3>
1704         <title>service-account list</title>
1705         <para>List service accounts on the domain.</para>
1706         <variablelist>
1707                 <varlistentry>
1708                         <term>-H, --URL</term>
1709                         <listitem><para>
1710                                 LDB URL for database or target server.
1711                         </para></listitem>
1712                 </varlistentry>
1713                 <varlistentry>
1714                         <term>--json</term>
1715                         <listitem><para>
1716                                 View service accounts as JSON instead of a list.
1717                         </para></listitem>
1718                 </varlistentry>
1719         </variablelist>
1720 </refsect3>
1722 <refsect3>
1723         <title>service-account view</title>
1724         <para>View a single service account on the domain.</para>
1725         <variablelist>
1726                 <varlistentry>
1727                         <term>-H, --URL</term>
1728                         <listitem><para>
1729                                 LDB URL for database or target server.
1730                         </para></listitem>
1731                 </varlistentry>
1732                 <varlistentry>
1733                         <term>--name</term>
1734                         <listitem><para>
1735                                 Account name of service account to view (required).
1736                         </para></listitem>
1737                 </varlistentry>
1738         </variablelist>
1739 </refsect3>
1741 <refsect3>
1742         <title>service-account create</title>
1743         <para>Create a new service account on the domain.</para>
1744         <variablelist>
1745                 <varlistentry>
1746                         <term>-H, --URL</term>
1747                         <listitem><para>
1748                                 LDB URL for database or target server.
1749                         </para></listitem>
1750                 </varlistentry>
1751                 <varlistentry>
1752                         <term>--name</term>
1753                         <listitem><para>
1754                                 Account name of service account (required).
1755                         </para></listitem>
1756                 </varlistentry>
1757                 <varlistentry>
1758                         <term>--dns-host-name</term>
1759                         <listitem><para>
1760                                 DNS hostname of this service account (required).
1761                         </para></listitem>
1762                 </varlistentry>
1763                 <varlistentry>
1764                         <term>--group-msa-membership</term>
1765                         <listitem><para>
1766                                 Optional Group MSA Membership SDDL.
1767                         </para></listitem>
1768                 </varlistentry>
1769                 <varlistentry>
1770                         <term>--managed-password-interval</term>
1771                         <listitem><para>
1772                                 Managed password refresh interval in days.
1773                         </para></listitem>
1774                 </varlistentry>
1775         </variablelist>
1776 </refsect3>
1778 <refsect3>
1779         <title>service-account modify</title>
1780         <para>Modify an existing service account on the domain.</para>
1781         <variablelist>
1782                 <varlistentry>
1783                         <term>-H, --URL</term>
1784                         <listitem><para>
1785                                 LDB URL for database or target server.
1786                         </para></listitem>
1787                 </varlistentry>
1788                 <varlistentry>
1789                         <term>--name</term>
1790                         <listitem><para>
1791                                 Account name of service account (required).
1792                         </para></listitem>
1793                 </varlistentry>
1794                 <varlistentry>
1795                         <term>--dns-host-name</term>
1796                         <listitem><para>
1797                                 Update DNS hostname of this service account.
1798                         </para></listitem>
1799                 </varlistentry>
1800                 <varlistentry>
1801                         <term>--group-msa-membership</term>
1802                         <listitem><para>
1803                                 Update Group MSA Membership SDDL.
1804                         </para></listitem>
1805                 </varlistentry>
1806         </variablelist>
1807 </refsect3>
1809 <refsect3>
1810         <title>service-account delete</title>
1811         <para>Delete a service account on the domain.</para>
1812         <variablelist>
1813                 <varlistentry>
1814                         <term>-H, --URL</term>
1815                         <listitem><para>
1816                                 LDB URL for database or target server.
1817                         </para></listitem>
1818                 </varlistentry>
1819                 <varlistentry>
1820                         <term>--name</term>
1821                         <listitem><para>
1822                                 Account name of service account to delete.
1823                         </para></listitem>
1824                 </varlistentry>
1825         </variablelist>
1826 </refsect3>
1828 <refsect2>
1829         <title>service-account group-msa-membership</title>
1830         <para>Service account Group MSA Membership management.</para>
1831 </refsect2>
1833 <refsect3>
1834         <title>service-account group-msa-membership show</title>
1835         <para>Display Group MSA Membership for a service account.</para>
1836         <variablelist>
1837                 <varlistentry>
1838                         <term>-H, --URL</term>
1839                         <listitem><para>
1840                                 LDB URL for database or target server.
1841                         </para></listitem>
1842                 </varlistentry>
1843                 <varlistentry>
1844                         <term>--name</term>
1845                         <listitem><para>
1846                                 Account name of service account (required).
1847                         </para></listitem>
1848                 </varlistentry>
1849                 <varlistentry>
1850                         <term>--json</term>
1851                         <listitem><para>
1852                                 Return as JSON instead of a list.
1853                         </para></listitem>
1854                 </varlistentry>
1855         </variablelist>
1856 </refsect3>
1858 <refsect3>
1859         <title>service-account group-msa-membership add</title>
1860         <para>Add a principal to Group MSA Membership for a service account.</para>
1861         <variablelist>
1862                 <varlistentry>
1863                         <term>-H, --URL</term>
1864                         <listitem><para>
1865                                 LDB URL for database or target server.
1866                         </para></listitem>
1867                 </varlistentry>
1868                 <varlistentry>
1869                         <term>--name</term>
1870                         <listitem><para>
1871                                 Account name of service account (required).
1872                         </para></listitem>
1873                 </varlistentry>
1874                 <varlistentry>
1875                         <term>--principal</term>
1876                         <listitem><para>
1877                                 Name, DN or SID of principal to add.
1878                         </para></listitem>
1879                 </varlistentry>
1880         </variablelist>
1881 </refsect3>
1883 <refsect3>
1884         <title>service-account group-msa-membership remove</title>
1885         <para>Remove a principal from Group MSA Membership for a service account.</para>
1886         <variablelist>
1887                 <varlistentry>
1888                         <term>-H, --URL</term>
1889                         <listitem><para>
1890                                 LDB URL for database or target server.
1891                         </para></listitem>
1892                 </varlistentry>
1893                 <varlistentry>
1894                         <term>--name</term>
1895                         <listitem><para>
1896                                 Account name of service account (required).
1897                         </para></listitem>
1898                 </varlistentry>
1899                 <varlistentry>
1900                         <term>--principal</term>
1901                         <listitem><para>
1902                                 Name, DN or SID of principal to remove.
1903                         </para></listitem>
1904                 </varlistentry>
1905         </variablelist>
1906 </refsect3>
1908 <refsect3>
1909         <title>domain classicupgrade [options] <replaceable>classic_smb_conf</replaceable></title>
1910         <para>Upgrade from Samba classic (NT4-like) database to Samba AD DC
1911         database.</para>
1912 </refsect3>
1914 <refsect3>
1915         <title>domain dcpromo <replaceable>dnsdomain</replaceable> [DC|RODC] [options]</title>
1916         <para>Promote an existing domain member or NT4 PDC to an AD DC.</para>
1917 </refsect3>
1919 <refsect3>
1920         <title>domain demote</title>
1921         <para>Demote ourselves from the role of domain controller.</para>
1922 </refsect3>
1924 <refsect3>
1925         <title>domain exportkeytab <replaceable>keytab</replaceable> [options]</title>
1926         <para>Dumps Kerberos keys of the domain into a keytab. The keytab contains secret key material, so restrict access to the resulting file.</para>
1927 </refsect3>
1929 <refsect3>
1930         <title>domain info <replaceable>ip_address</replaceable> [options]</title>
1931         <para>Print basic info about a domain and the specified DC.
1932 </para>
1933 </refsect3>
1935 <refsect3>
1936         <title>domain join <replaceable>dnsdomain</replaceable> [DC|RODC|MEMBER|SUBDOMAIN] [options]</title>
1937         <para>Join a domain as either member or backup domain controller.</para>
1938 </refsect3>
1940 <refsect3>
1941         <title>domain level <replaceable>show|raise</replaceable> <replaceable>options</replaceable> [options]</title>
1942         <para>Show/raise domain and forest function levels.</para>
1943 </refsect3>
1945 <refsect3>
1946         <title>domain passwordsettings <replaceable>show|set</replaceable> <replaceable>options</replaceable> [options]</title>
1947         <para>Show/set password settings.</para>
1948 </refsect3>
1950 <refsect3>
1951         <title>domain passwordsettings pso</title>
1952         <para>Manage fine-grained Password Settings Objects (PSOs).</para>
1953 </refsect3>
1955 <refsect3>
1956         <title>domain passwordsettings pso apply <replaceable>pso-name</replaceable> <replaceable>user-or-group-name</replaceable> [options]</title>
1957         <para>Applies a PSO's password policy to a user or group.</para>
1958 </refsect3>
1960 <refsect3>
1961         <title>domain passwordsettings pso create <replaceable>pso-name</replaceable> <replaceable>precedence</replaceable> [options]</title>
1962         <para>Creates a new Password Settings Object (PSO).</para>
1963 </refsect3>
1965 <refsect3>
1966         <title>domain passwordsettings pso delete <replaceable>pso-name</replaceable> [options]</title>
1967         <para>Deletes a Password Settings Object (PSO).</para>
1968 </refsect3>
1970 <refsect3>
1971         <title>domain passwordsettings pso list [options]</title>
1972         <para>Lists all Password Settings Objects (PSOs).</para>
1973 </refsect3>
1975 <refsect3>
1976         <title>domain passwordsettings pso set <replaceable>pso-name</replaceable> [options]</title>
1977         <para>Modifies a Password Settings Object (PSO).</para>
1978 </refsect3>
1980 <refsect3>
1981         <title>domain passwordsettings pso show <replaceable>user-name</replaceable> [options]</title>
1982         <para>Displays a Password Settings Object (PSO).</para>
1983 </refsect3>
1985 <refsect3>
1986         <title>domain passwordsettings pso show-user <replaceable>pso-name</replaceable> [options]</title>
1987         <para>Displays the Password Settings that apply to a user.</para>
1988 </refsect3>
1990 <refsect3>
1991         <title>domain passwordsettings pso unapply <replaceable>pso-name</replaceable> <replaceable>user-or-group-name</replaceable> [options]</title>
1992         <para>Updates a PSO to no longer apply to a user or group.</para>
1993 </refsect3>
1995 <refsect3>
1996         <title>domain provision</title>
1997         <para>Promote an existing domain member or NT4 PDC to an AD DC.</para>
1998 </refsect3>
2000 <refsect3>
2001         <title>domain trust</title>
2002         <para>Domain and forest trust management.</para>
2003 </refsect3>
2005 <refsect3>
2006         <title>domain trust create <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
2007         <para>Create a domain or forest trust.</para>
2008 </refsect3>
2010 <refsect3>
2011         <title>domain trust modify <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
2012         <para>Modify a domain or forest trust.</para>
2013 </refsect3>
2015 <refsect3>
2016         <title>domain trust delete <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
2017         <para>Delete a domain trust.</para>
2018 </refsect3>
2020 <refsect3>
2021         <title>domain trust list <replaceable>options</replaceable> [options]</title>
2022         <para>List domain trusts.</para>
2023 </refsect3>
2025 <refsect3>
2026         <title>domain trust namespaces [<replaceable>DOMAIN</replaceable>] <replaceable>options</replaceable> [options]</title>
2027         <para>Manage forest trust namespaces.</para>
2028 </refsect3>
2030 <refsect3>
2031         <title>domain trust show <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
2032         <para>Show trusted domain details.</para>
2033 </refsect3>
2035 <refsect3>
2036         <title>domain trust validate <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
2037         <para>Validate a domain trust.</para>
2038 </refsect3>
2040 <refsect2>
2041         <title>drs</title>
2042         <para>Manage Directory Replication Services (DRS).</para>
2043 </refsect2>
2045 <refsect3>
2046         <title>drs bind</title>
2047         <para>Show DRS capabilities of a server.</para>
2048 </refsect3>
2050 <refsect3>
2051         <title>drs kcc</title>
2052         <para>Trigger knowledge consistency center run.</para>
2053 </refsect3>
2055 <refsect3>
2056         <title>drs options</title>
2057         <para>Query or change <replaceable>options</replaceable> for NTDS Settings
2058         object of a domain controller.</para>
2059 </refsect3>
2061 <refsect3>
2062         <title>drs replicate <replaceable>destination_DC</replaceable> <replaceable>source_DC</replaceable> <replaceable>NC</replaceable> [options]</title>
2063         <para>Replicate a naming context between two DCs.</para>
2064 </refsect3>
2066 <refsect3>
2067         <title>drs showrepl</title>
2068         <para>Show replication status. The <arg
2069         choice="opt">--json</arg> option results in JSON output, and
2070         the <arg choice="opt">--summary</arg> option produces
2071         very little output when the replication status seems healthy.
2072         </para>
2073 </refsect3>
2075 <refsect2>
2076         <title>dsacl</title>
2077         <para>Administer DS ACLs</para>
2078 </refsect2>
2080 <refsect3>
2081         <title>dsacl delete</title>
2082         <para>Delete an access list entry on a directory object.</para>
2083 </refsect3>
2085 <refsect3>
2086         <title>dsacl get</title>
2087         <para>Print access list on a directory object.</para>
2088 </refsect3>
2090 <refsect3>
2091         <title>dsacl set</title>
2092         <para>Modify access list on a directory object.</para>
2093 </refsect3>
2095 <refsect2>
2096         <title>forest</title>
2097         <para>Manage Forest configuration.</para>
2098 </refsect2>
2100 <refsect3>
2101         <title>forest directory_service</title>
2102         <para>Manage directory_service behaviour for the forest.</para>
2103 </refsect3>
2105 <refsect3>
2106         <title>forest directory_service dsheuristics <replaceable>VALUE</replaceable></title>
2107         <para>Modify dsheuristics directory_service configuration for the forest.</para>
2108 </refsect3>
2110 <refsect3>
2111         <title>forest directory_service show</title>
2112         <para>Show current directory_service configuration for the forest.</para>
2113 </refsect3>
2115 <refsect2>
2116         <title>fsmo</title>
2117         <para>Manage Flexible Single Master Operations (FSMO).</para>
2118 </refsect2>
2120 <refsect3>
2121         <title>fsmo seize [options]</title>
2122         <para>Seize the role.</para>
2123 </refsect3>
2125 <refsect3>
2126         <title>fsmo show</title>
2127         <para>Show the roles.</para>
2128 </refsect3>
2130 <refsect3>
2131         <title>fsmo transfer [options]</title>
2132         <para>Transfer the role.</para>
2133 </refsect3>
2135 <refsect2>
2136         <title>gpo</title>
2137         <para>Manage Group Policy Objects (GPO).</para>
2138 </refsect2>
2140 <refsect3>
2141         <title>gpo create <replaceable>displayname</replaceable> [options]</title>
2142         <para>Create an empty GPO.</para>
2143 </refsect3>
2145 <refsect3>
2146         <title>gpo del <replaceable>gpo</replaceable> [options]</title>
2147         <para>Delete GPO.</para>
2148 </refsect3>
2150 <refsect3>
2151         <title>gpo dellink <replaceable>container_dn</replaceable> <replaceable>gpo</replaceable> [options]</title>
2152         <para>Delete GPO link from a container.</para>
2153 </refsect3>
2155 <refsect3>
2156         <title>gpo fetch <replaceable>gpo</replaceable> [options]</title>
2157         <para>Download a GPO.</para>
2158 </refsect3>
2160 <refsect3>
2161         <title>gpo getinheritance <replaceable>container_dn</replaceable> [options]</title>
2162         <para>Get inheritance flag for a container.</para>
2163 </refsect3>
2165 <refsect3>
2166         <title>gpo getlink <replaceable>container_dn</replaceable> [options]</title>
2167         <para>List GPO Links for a container.</para>
2168 </refsect3>
2170 <refsect3>
2171         <title>gpo list <replaceable>username</replaceable> [options]</title>
2172         <para>List GPOs for an account.</para>
2173 </refsect3>
2175 <refsect3>
2176         <title>gpo listall</title>
2177         <para>List all GPOs.</para>
2178 </refsect3>
2180 <refsect3>
2181         <title>gpo listcontainers <replaceable>gpo</replaceable> [options]</title>
2182         <para>List all linked containers for a GPO.</para>
2183 </refsect3>
2185 <refsect3>
2186         <title>gpo setinheritance <replaceable>container_dn</replaceable> <replaceable>block|inherit</replaceable> [options]</title>
2187         <para>Set inheritance flag on a container.</para>
2188 </refsect3>
2190 <refsect3>
2191         <title>gpo setlink <replaceable>container_dn</replaceable> <replaceable>gpo</replaceable> [options]</title>
2192         <para>Add or Update a GPO link to a container.</para>
2193 </refsect3>
2195 <refsect3>
2196         <title>gpo show <replaceable>gpo</replaceable> [options]</title>
2197         <para>Show information for a GPO.</para>
2198 </refsect3>
2200 <refsect3>
2201         <title>gpo manage symlink list</title>
2202         <para>List VGP Symbolic Link Group Policy from the sysvol</para>
2203 </refsect3>
2205 <refsect3>
2206         <title>gpo manage symlink add</title>
2207         <para>Adds a VGP Symbolic Link Group Policy to the sysvol</para>
2208 </refsect3>
2210 <refsect3>
2211         <title>gpo manage symlink remove</title>
2212         <para>Removes a VGP Symbolic Link Group Policy from the sysvol</para>
2213 </refsect3>
2215 <refsect3>
2216         <title>gpo manage files list</title>
2217         <para>List VGP Files Group Policy from the sysvol</para>
2218 </refsect3>
2220 <refsect3>
2221         <title>gpo manage files add</title>
2222         <para>Add VGP Files Group Policy to the sysvol</para>
2223 </refsect3>
2225 <refsect3>
2226         <title>gpo manage files remove</title>
2227         <para>Remove VGP Files Group Policy from the sysvol</para>
2228 </refsect3>
2230 <refsect3>
2231         <title>gpo manage openssh list</title>
2232         <para>List VGP OpenSSH Group Policy from the sysvol</para>
2233 </refsect3>
2235 <refsect3>
2236         <title>gpo manage openssh set</title>
2237         <para>Sets a VGP OpenSSH Group Policy to the sysvol</para>
2238 </refsect3>
2240 <refsect3>
2241         <title>gpo manage sudoers add</title>
2242         <para>Adds a Samba Sudoers Group Policy to the sysvol.</para>
2243 </refsect3>
2245 <refsect3>
2246         <title>gpo manage sudoers list</title>
2247         <para>List Samba Sudoers Group Policy from the sysvol.</para>
2248 </refsect3>
2250 <refsect3>
2251         <title>gpo manage sudoers remove</title>
2252         <para>Removes a Samba Sudoers Group Policy from the sysvol.</para>
2253 </refsect3>
2255 <refsect3>
2256         <title>gpo manage scripts startup list</title>
2257         <para>List VGP Startup Script Group Policy from the sysvol</para>
2258 </refsect3>
2260 <refsect3>
2261         <title>gpo manage scripts startup add</title>
2262         <para>Adds VGP Startup Script Group Policy to the sysvol</para>
2263 </refsect3>
2265 <refsect3>
2266         <title>gpo manage scripts startup remove</title>
2267         <para>Removes VGP Startup Script Group Policy from the sysvol</para>
2268 </refsect3>
2270 <refsect3>
2271         <title>gpo manage motd list</title>
2272         <para>List VGP MOTD Group Policy from the sysvol.</para>
2273 </refsect3>
2275 <refsect3>
2276         <title>gpo manage motd set</title>
2277         <para>Sets a VGP MOTD Group Policy to the sysvol</para>
2278 </refsect3>
2280 <refsect3>
2281         <title>gpo manage issue list</title>
2282         <para>List VGP Issue Group Policy from the sysvol.</para>
2283 </refsect3>
2285 <refsect3>
2286         <title>gpo manage issue set</title>
2287         <para>Sets a VGP Issue Group Policy to the sysvol</para>
2288 </refsect3>
2290 <refsect3>
2291         <title>gpo manage access add</title>
2292         <para>Adds a VGP Host Access Group Policy to the sysvol</para>
2293 </refsect3>
2295 <refsect3>
2296         <title>gpo manage access list</title>
2297         <para>List VGP Host Access Group Policy from the sysvol</para>
2298 </refsect3>
2300 <refsect3>
2301         <title>gpo manage access remove</title>
2302         <para>Remove a VGP Host Access Group Policy from the sysvol</para>
2303 </refsect3>
2305 <refsect2>
2306         <title>group</title>
2307         <para>Manage groups.</para>
2308 </refsect2>
2310 <refsect3>
2311         <title>group add <replaceable>groupname</replaceable> [options]</title>
2312         <para>Create a new AD group.</para>
2313 </refsect3>
2315 <refsect3>
2316         <title>group create <replaceable>groupname</replaceable> [options]</title>
2317         <para>Add a new AD group. This is a synonym for the
2318         <command>samba-tool group add</command> command and is available
2319         for compatibility reasons only. Please use
2320         <command>samba-tool group add</command> instead.</para>
2321 </refsect3>
2323 <refsect3>
2324         <title>group addmembers <replaceable>groupname</replaceable> <replaceable>members</replaceable> [options]</title>
2325         <para>Add members to an AD group.</para>
2326 </refsect3>
2328 <refsect3>
2329         <title>group delete <replaceable>groupname</replaceable> [options]</title>
2330         <para>Delete an AD group.</para>
2331 </refsect3>
2333 <refsect3>
2334         <title>group edit <replaceable>groupname</replaceable></title>
2335         <para>Edit a group AD object.</para>
2337         <variablelist>
2338         <varlistentry>
2339         <term>--editor=EDITOR</term>
2340         <listitem><para>
2341         Specifies the editor to use instead of the system default, or 'vi' if no
2342         system default is set.
2343         </para></listitem>
2344         </varlistentry>
2345         </variablelist>
2346 </refsect3>
2348 <refsect3>
2349         <title>group list</title>
2350         <para>List all groups.</para>
2351 </refsect3>
2353 <refsect3>
2354         <title>group listmembers <replaceable>groupname</replaceable> [options]</title>
2355         <para>List all members of the specified AD group.</para>
2356         <para>By default the sAMAccountNames are listed. If no sAMAccountName
2357         is available, the CN will be used instead.</para>
2358         <variablelist>
2359         <varlistentry>
2360         <term>--full-dn</term>
2361         <listitem><para>
2362         List the distinguished names instead of the sAMAccountNames.
2363         </para></listitem>
2364         </varlistentry>
2365         <varlistentry>
2366         <term>--hide-expired</term>
2367         <listitem><para>
2368         Do not list expired group members.
2369         </para></listitem>
2370         </varlistentry>
2371         <varlistentry>
2372         <term>--hide-disabled</term>
2373         <listitem><para>
2374         Do not list disabled group members.
2375         </para></listitem>
2376         </varlistentry>
2377         </variablelist>
2378 </refsect3>
2380 <refsect3>
2381         <title>group move <replaceable>groupname</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
2382         <para>This command moves a group into the specified organizational unit
2383         or container.</para>
2384         <para>The groupname specified on the command is the sAMAccountName.
2385         </para>
2386         <para>The name of the organizational unit or container can be
2387         specified as a full DN or without the domainDN component.</para>
2388         <para></para>
2389 </refsect3>
2391 <refsect3>
2392         <title>group removemembers <replaceable>groupname</replaceable> <replaceable>members</replaceable> [options]</title>
2393         <para>Remove members from the specified AD group.</para>
2394 </refsect3>
2396 <refsect3>
2397         <title>group show <replaceable>groupname</replaceable> [options]</title>
2398         <para>Show group object and its attributes.</para>
2399 </refsect3>
2401 <refsect3>
2402         <title>group stats [options]</title>
2403         <para>Show statistics for overall groups and group memberships.</para>
2404 </refsect3>
2406 <refsect3>
2407         <title>group rename <replaceable>groupname</replaceable> [options]</title>
2408         <para>Rename a group and related attributes.</para>
2409         <para>This command allows setting the group's name-related attributes. The
2410         group's CN will be renamed automatically.
2411         The group's new CN will be the sAMAccountName.
2412         Use the --force-new-cn option to specify the new CN manually and the
2413         --reset-cn option to reset this change.</para>
2414         <para>Use an empty attribute value to remove the specified attribute.</para>
2415         <para>The groupname specified on the command is the sAMAccountName.</para>
2417         <variablelist>
2418         <varlistentry>
2419         <term>--force-new-cn=NEW_CN</term>
2420         <listitem><para>
2421         Specify a new CN (RDN) instead of using the sAMAccountName.
2422         </para></listitem>
2423         </varlistentry>
2425         <varlistentry>
2426         <term>--reset-cn</term>
2427         <listitem><para>
2428         Set the CN to the sAMAccountName.
2429         </para></listitem>
2430         </varlistentry>
2432         <varlistentry>
2433         <term>--mail-address=MAIL_ADDRESS</term>
2434         <listitem><para>
2435         New mail address
2436         </para></listitem>
2437         </varlistentry>
2439         <varlistentry>
2440         <term>--samaccountname=SAMACCOUNTNAME</term>
2441         <listitem><para>
2442         New account name (sAMAccountName/logon name)
2443         </para></listitem>
2444         </varlistentry>
2445         </variablelist>
2446 </refsect3>
2448 <refsect2>
2449         <title>ldapcmp <replaceable>URL1</replaceable> <replaceable>URL2</replaceable> <replaceable>domain|configuration|schema|dnsdomain|dnsforest</replaceable> [options] </title>
2450         <para>Compare two LDAP databases.</para>
2451 </refsect2>
2453 <refsect2>
2454         <title>ntacl</title>
2455         <para>Manage NT ACLs.</para>
2456 </refsect2>
2458 <refsect3>
2459         <title>ntacl changedomsid <replaceable>original-domain-SID</replaceable> <replaceable>new-domain-SID</replaceable> <replaceable>file</replaceable> [options]</title>
2460         <para>Change the domain SID for ACLs.
2461         Can be used to change all entries in acl_xattr when the machine's SID
2462         has accidentally changed or the data set has been copied
2463         to another machine either via backup/restore or rsync.</para>
2465         <variablelist>
2466         <varlistentry>
2467         <term>--use-ntvfs</term>
2468         <listitem><para>
2469         Set the ACLs directly to the TDB or xattr. The POSIX permissions will
2470         NOT be changed, only the NT ACL will be stored.
2471         </para></listitem>
2472         </varlistentry>
2474         <varlistentry>
2475         <term>--service=SERVICE</term>
2476         <listitem><para>
2477         Specify the name of the smb.conf service to use. This option is
2478         required in combination with the --use-s3fs option.
2479         </para></listitem>
2480         </varlistentry>
2482         <varlistentry>
2483         <term>--use-s3fs</term>
2484         <listitem><para>
2485         Set the ACLs for use with the default s3fs file server via the VFS
2486         layer. This option requires a smb.conf service, specified by the
2487         --service=SERVICE option.
2488         </para></listitem>
2489         </varlistentry>
2491         <varlistentry>
2492         <term>--xattr-backend=[native|tdb]</term>
2493         <listitem><para>
2494         Specify the xattr backend type (native fs or tdb).
2495         </para></listitem>
2496         </varlistentry>
2498         <varlistentry>
2499         <term>--eadb-file=EADB_FILE</term>
2500         <listitem><para>
2501         Name of the tdb file where attributes are stored.
2502         </para></listitem>
2503         </varlistentry>
2505         <varlistentry>
2506         <term>--recursive</term>
2507         <listitem><para>
2508         Set the ACLs for directories and their contents recursively.
2509         </para></listitem>
2510         </varlistentry>
2512         <varlistentry>
2513         <term>--follow-symlinks</term>
2514         <listitem><para>
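2515         Follow symlinks when --recursive is specified. Symlinks can point outside the given path, so ACLs may then be changed on files outside the intended tree.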
2516         </para></listitem>
2517         </varlistentry>
2519         <varlistentry>
2520         <term>--verbose</term>
2521         <listitem><para>
2522         Verbosely list files and ACLs which are being processed.
2523         </para></listitem>
2524         </varlistentry>
2525         </variablelist>
2526 </refsect3>
2529 <refsect3>
2530         <title>ntacl get <replaceable>file</replaceable> [options]</title>
2531         <para>Get ACLs on a file.</para>
2532 </refsect3>
2534 <refsect3>
2535         <title>ntacl set <replaceable>acl</replaceable> <replaceable>file</replaceable> [options]</title>
2536         <para>Set ACLs on a file.</para>
2537 </refsect3>
2539 <refsect3>
2540         <title>ntacl sysvolcheck</title>
2541         <para>Check sysvol ACLs match defaults (including correct ACLs on GPOs).</para>
2542 </refsect3>
2544 <refsect3>
2545         <title>ntacl sysvolreset</title>
2546         <para>Reset sysvol ACLs to defaults (including correct ACLs on GPOs).</para>
2547 </refsect3>
2549 <refsect2>
2550         <title>ou</title>
2551         <para>Manage organizational units (OUs).</para>
2552 </refsect2>
2554 <refsect3>
2555         <title>ou add <replaceable>ou_dn</replaceable> [options]</title>
2556         <para>Add a new organizational unit.</para>
2557         <para>The name of the organizational unit can be specified as a full DN
2558         or without the domainDN component.</para>
2560         <variablelist>
2561         <varlistentry>
2562         <term>--description=DESCRIPTION</term>
2563         <listitem><para>
2564         Specify OU's description.
2565         </para></listitem>
2566         </varlistentry>
2567         </variablelist>
2568 </refsect3>
2570 <refsect3>
2571         <title>ou create <replaceable>ou_dn</replaceable> [options]</title>
2572         <para>Add a new organizational unit. This is a synonym for the
2573         <command>samba-tool ou add</command> command and is available
2574         for compatibility reasons only. Please use
2575         <command>samba-tool ou add</command> instead.</para>
2576 </refsect3>
2578 <refsect3>
2579         <title>ou delete <replaceable>ou_dn</replaceable> [options]</title>
2580         <para>Delete an organizational unit.</para>
2581         <para>The name of the organizational unit can be specified as a full DN
2582         or without the domainDN component.</para>
2584         <variablelist>
2585         <varlistentry>
2586         <term>--force-subtree-delete</term>
2587         <listitem><para>
2588         Delete organizational unit and all children recursively.
2589         </para></listitem>
2590         </varlistentry>
2591         </variablelist>
2592 </refsect3>
2594 <refsect3>
2595         <title>ou list [options]</title>
2596         <para>List all organizational units.</para>
2597         <variablelist>
2598         <varlistentry>
2599         <term>--full-dn</term>
2600         <listitem><para>
2601         Display DNs including the base DN.
2602         </para></listitem>
2603         </varlistentry>
2604         </variablelist>
2605 </refsect3>
2607 <refsect3>
2608         <title>ou listobjects <replaceable>ou_dn</replaceable> [options]</title>
2609         <para>List all objects in an organizational unit.</para>
2610         <para>The name of the organizational unit can be specified as a full DN
2611         or without the domainDN component.</para>
2613         <variablelist>
2614         <varlistentry>
2615         <term>--full-dn</term>
2616         <listitem><para>
2617         Display DNs including the base DN.
2618         </para></listitem>
2619         </varlistentry>
2621         <varlistentry>
2622         <term>-r|--recursive</term>
2623         <listitem><para>
2624         List objects recursively.
2625         </para></listitem>
2626         </varlistentry>
2627         </variablelist>
2628 </refsect3>
2630 <refsect3>
2631         <title>ou move <replaceable>old_ou_dn</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
2632         <para>Move an organizational unit.</para>
2633         <para>The names of the organizational units can be specified as a full DN
2634         or without the domainDN component.</para>
2635 </refsect3>
2637 <refsect3>
2638         <title>ou rename <replaceable>old_ou_dn</replaceable> <replaceable>new_ou_dn</replaceable> [options]</title>
2639         <para>Rename an organizational unit.</para>
2640         <para>The names of the organizational units can be specified as a full DN
2641         or without the domainDN component.</para>
2642 </refsect3>
2644 <refsect2>
2645         <title>rodc</title>
2646         <para>Manage Read-Only Domain Controller (RODC).</para>
2647 </refsect2>
2649 <refsect3>
2650         <title>rodc preload <replaceable>SID</replaceable>|<replaceable>DN</replaceable>|<replaceable>accountname</replaceable> [options]</title>
2651         <para>Preload one account for an RODC.</para>
2652 </refsect3>
2654 <refsect2>
2655         <title>schema</title>
2656         <para>Manage and query schema.</para>
2657 </refsect2>
2659 <refsect3>
2660         <title>schema attribute modify <replaceable>attribute</replaceable> [options]</title>
2661         <para>Modify the behaviour of an attribute in schema.</para>
2662 </refsect3>
2664 <refsect3>
2665         <title>schema attribute show <replaceable>attribute</replaceable> [options]</title>
2666         <para>Display an attribute schema definition.</para>
2667 </refsect3>
2669 <refsect3>
2670         <title>schema attribute show_oc <replaceable>attribute</replaceable> [options]</title>
2671         <para>Show objectclasses that MAY or MUST contain this attribute.</para>
2672 </refsect3>
2674 <refsect3>
2675         <title>schema objectclass show <replaceable>objectclass</replaceable> [options]</title>
2676         <para>Display an objectclass schema definition.</para>
2677 </refsect3>
2679 <refsect2>
2680         <title>shell</title>
2681         <para>Opens an interactive Samba Python shell.</para>
2682 </refsect2>
2684 <refsect3>
2685         <title>shell [options]</title>
2686         <para>Opens an interactive Python shell for Samba ldb connection.</para>
2687         <variablelist>
2688                 <varlistentry>
2689                         <term>-H, --URL</term>
2690                         <listitem><para>
2691                                 LDB URL for database or target server.
2692                         </para></listitem>
2693                 </varlistentry>
2694         </variablelist>
2695 </refsect3>
2697 <refsect2>
2698         <title>sites</title>
2699         <para>Manage sites.</para>
2700 </refsect2>
2702 <refsect3>
2703         <title>sites list [options]</title>
2704         <para>List sites.</para>
2705         <variablelist>
2706                 <varlistentry>
2707                         <term>--json</term>
2708                         <listitem><para>
2709                                 Output as JSON instead of a list
2710                         </para></listitem>
2711                 </varlistentry>
2712         </variablelist>
2713 </refsect3>
2715 <refsect3>
2716         <title>sites view <replaceable>site</replaceable> [options]</title>
2717         <para>View site details.</para>
2718 </refsect3>
2720 <refsect3>
2721         <title>sites create <replaceable>site</replaceable> [options]</title>
2722         <para>Create a new site.</para>
2723 </refsect3>
2725 <refsect3>
2726         <title>sites remove <replaceable>site</replaceable> [options]</title>
2727         <para>Delete an existing site.</para>
2728 </refsect3>
2730 <refsect3>
2731         <title>sites subnet list <replaceable>site</replaceable> [options]</title>
2732         <para>List subnets for a site.</para>
2733         <variablelist>
2734                 <varlistentry>
2735                         <term>--json</term>
2736                         <listitem><para>
2737                                 Output as JSON instead of a list
2738                         </para></listitem>
2739                 </varlistentry>
2740         </variablelist>
2741 </refsect3>
2743 <refsect3>
2744         <title>sites subnet view <replaceable>subnet</replaceable> [options]</title>
2745         <para>View subnet details.</para>
2746 </refsect3>
2748 <refsect3>
2749         <title>sites subnet create <replaceable>subnet</replaceable> <replaceable>site-of-subnet</replaceable> [options]</title>
2750         <para>Create a new subnet.</para>
2751 </refsect3>
2753 <refsect3>
2754         <title>sites subnet remove <replaceable>subnet</replaceable> [options]</title>
2755         <para>Delete an existing subnet.</para>
2756 </refsect3>
2758 <refsect3>
2759         <title>sites subnet set-site <replaceable>subnet</replaceable> <replaceable>site-of-subnet</replaceable> [options]</title>
2760         <para>Assign a subnet to a site.</para>
2761 </refsect3>
2763 <refsect2>
2764         <title>spn</title>
2765         <para>Manage Service Principal Names (SPN).</para>
2766 </refsect2>
2768 <refsect3>
2769         <title>spn add <replaceable>name</replaceable> <replaceable>user</replaceable> [options]</title>
2770         <para>Create a new SPN.</para>
2771 </refsect3>
2773 <refsect3>
2774         <title>spn delete <replaceable>name</replaceable> [<replaceable>user</replaceable>] [options]</title>
2775         <para>Delete an existing SPN.</para>
2776 </refsect3>
2778 <refsect3>
2779         <title>spn list <replaceable>user</replaceable> [options]</title>
2780         <para>List SPNs of a given user.</para>
2781 </refsect3>
2783 <refsect2>
2784         <title>testparm</title>
2785         <para>Check the syntax of the configuration file.</para>
2786 </refsect2>
2788 <refsect2>
2789         <title>time</title>
2790         <para>Retrieve the time on a server.</para>
2791 </refsect2>
2793 <refsect2>
2794         <title>user</title>
2795         <para>Manage users.</para>
2796 </refsect2>
2798 <refsect3>
2799         <title>user add <replaceable>username</replaceable> [<replaceable>password</replaceable>]</title>
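2800         <para>Add a new user to the Active Directory Domain. If <replaceable>password</replaceable> is omitted, it is prompted for; a password given on the command line is visible in the process list and may be saved in shell history.</para>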
2801 </refsect3>
2803 <refsect3>
2804         <title>user create <replaceable>username</replaceable> [<replaceable>password</replaceable>]</title>
2805         <para>Add a new user. This is a synonym for the
2806         <command>samba-tool user add</command> command and is available
2807         for compatibility reasons only. Please use
2808         <command>samba-tool user add</command> instead.</para>
2809 </refsect3>
2811 <refsect3>
2812         <title>user delete <replaceable>username</replaceable> [options]</title>
2813         <para>Delete an existing user account.</para>
2814 </refsect3>
2816 <refsect3>
2817         <title>user disable <replaceable>username</replaceable></title>
2818         <para>Disable a user account.</para>
2819 </refsect3>
2821 <refsect3>
2822         <title>user edit <replaceable>username</replaceable></title>
2823         <para>Edit a user account AD object.</para>
2825         <variablelist>
2826         <varlistentry>
2827         <term>--editor=EDITOR</term>
2828         <listitem><para>
2829         Specifies the editor to use instead of the system default, or 'vi' if no
2830         system default is set.
2831         </para></listitem>
2832         </varlistentry>
2833         </variablelist>
2834 </refsect3>
2836 <refsect3>
2837         <title>user enable <replaceable>username</replaceable></title>
2838         <para>Enable a user account.</para>
2839 </refsect3>
2841 <refsect3>
2842         <title>user list</title>
2843         <para>List all users.</para>
2844         <para>By default the user's sAMAccountNames are listed.</para>
2845         <variablelist>
2846         <varlistentry>
2847         <term>--full-dn</term>
2848         <listitem><para>
2849         List users' distinguished names instead of the sAMAccountNames.
2850         </para></listitem>
2851         </varlistentry>
2852         <varlistentry>
2853         <term>-b BASE_DN|--base-dn=BASE_DN</term>
2854         <listitem><para>
2855         Specify base DN to use. Only users under the specified base DN will be
2856         listed.
2857         </para></listitem>
2858         </varlistentry>
2859         <varlistentry>
2860         <term>--hide-expired</term>
2861         <listitem><para>
2862         Do not list expired user accounts.
2863         </para></listitem>
2864         </varlistentry>
2865         <varlistentry>
2866         <term>--hide-disabled</term>
2867         <listitem><para>
2868         Do not list disabled user accounts.
2869         </para></listitem>
2870         </varlistentry>
2871         <varlistentry>
2872         <term>--locked-only</term>
2873         <listitem><para>
2874         Only list locked user accounts.
2875         </para></listitem>
2876         </varlistentry>
2877         </variablelist>
2878 </refsect3>
2880 <refsect3>
2881         <title>user setprimarygroup <replaceable>username</replaceable> <replaceable>primarygroupname</replaceable></title>
2882         <para>Set the primary group of a user account.</para>
2883 </refsect3>
2885 <refsect3>
2886         <title>user getgroups <replaceable>username</replaceable></title>
2887         <para>Get the direct group memberships of a user account.</para>
2888 </refsect3>
2890 <refsect3>
2891         <title>user show <replaceable>username</replaceable> [options]</title>
2892         <para>Display a user AD object.</para>
2894         <variablelist>
2895         <varlistentry>
2896         <term>--attributes=USER_ATTRS</term>
2897         <listitem><para>
2898         Comma separated list of attributes, which will be printed.
2899         </para></listitem>
2900         </varlistentry>
2901         </variablelist>
2902 </refsect3>
2904 <refsect3>
2905         <title>user move <replaceable>username</replaceable> <replaceable>new_parent_dn</replaceable> [options]</title>
2906         <para>This command moves a user account into the specified
2907         organizational unit or container.</para>
2908         <para>The username specified on the command is the
2909         sAMAccountName.</para>
2910         <para>The name of the organizational unit or container can be
2911         specified as a full DN or without the domainDN component.</para>
2912 </refsect3>
2914 <refsect3>
2915         <title>user password [options]</title>
2916         <para>Change password for a user account (the one provided in
2917         authentication).</para>
2918 </refsect3>
2920 <refsect3>
2921         <title>user rename <replaceable>username</replaceable> [options]</title>
2922         <para>Rename a user and related attributes.</para>
2923         <para>This command allows setting the user's name-related attributes. The user's
2924         CN will be renamed automatically.
2925         The user's new CN will be made up by combining the given-name, initials
2926         and surname. A dot ('.') will be appended to the initials automatically,
2927         if required.
2928         Use the --force-new-cn option to specify the new CN manually and --reset-cn
2929         to reset this change.</para>
2930         <para>Use an empty attribute value to remove the specified attribute.</para>
2931         <para>The username specified on the command is the sAMAccountName.</para>
2933         <variablelist>
2934         <varlistentry>
2935         <term>--surname=SURNAME</term>
2936         <listitem><para>
2937         New surname
2938         </para></listitem>
2939         </varlistentry>
2941         <varlistentry>
2942         <term>--given-name=GIVEN_NAME</term>
2943         <listitem><para>
2944         New given name
2945         </para></listitem>
2946         </varlistentry>
2948         <varlistentry>
2949         <term>--initials=INITIALS</term>
2950         <listitem><para>
2951         New initials
2952         </para></listitem>
2953         </varlistentry>
2955         <varlistentry>
2956         <term>--force-new-cn=NEW_CN</term>
2957         <listitem><para>
2958         Specify a new CN (RDN) instead of using a combination
2959         of the given name, initials and surname.
2960         </para></listitem>
2961         </varlistentry>
2963         <varlistentry>
2964         <term>--reset-cn</term>
2965         <listitem><para>
2966         Set the CN to the default combination of given name,
2967         initials and surname.
2968         </para></listitem>
2969         </varlistentry>
2971         <varlistentry>
2972         <term>--display-name=DISPLAY_NAME</term>
2973         <listitem><para>
2974         New display name
2975         </para></listitem>
2976         </varlistentry>
2978         <varlistentry>
2979         <term>--mail-address=MAIL_ADDRESS</term>
2980         <listitem><para>
2981         New email address
2982         </para></listitem>
2983         </varlistentry>
2985         <varlistentry>
2986         <term>--samaccountname=SAMACCOUNTNAME</term>
2987         <listitem><para>
2988         New account name (sAMAccountName/logon name)
2989         </para></listitem>
2990         </varlistentry>
2992         <varlistentry>
2993         <term>--upn=UPN</term>
2994         <listitem><para>
2995         New user principal name
2996         </para></listitem>
2997         </varlistentry>
2998         </variablelist>
2999 </refsect3>
3001 <refsect3>
3002         <title>user setexpiry <replaceable>username</replaceable> [options]</title>
3003         <para>Set the expiration of a user account.</para>
3004 </refsect3>
3006 <refsect3>
3007         <title>user setpassword <replaceable>username</replaceable> [options]</title>
3008         <para>Sets or resets the password of a user account.</para>
3009 </refsect3>
3011 <refsect3>
3012         <title>user unlock <replaceable>username</replaceable> [options]</title>
3013         <para>This command unlocks a user account in the Active Directory
3014         domain.</para>
3015 </refsect3>
3017 <refsect3>
3018         <title>user getpassword <replaceable>username</replaceable> [options]</title>
3019         <para>Gets the password of a user account.</para>
3020 </refsect3>
3022 <refsect3>
3023         <title>user get-kerberos-ticket <replaceable>username</replaceable> [options]</title>
3024         <para>Gets a Kerberos Ticket Granting Ticket as the account.</para>
3025 </refsect3>
3027 <refsect3>
3028         <title>user syncpasswords <replaceable>--cache-ldb-initialize</replaceable> [options]</title>
3029         <para>Syncs the passwords of all user accounts, using an optional script.</para>
3030         <para>Note that this command should run on a single domain controller only
3031         (typically the PDC-emulator).</para>
3032 </refsect3>
3034 <refsect3>
3035         <title>user auth policy assign <replaceable>username</replaceable> [options]</title>
3036         <para>Set assigned authentication policy for user.</para>
3037         <variablelist>
3038                 <varlistentry>
3039                         <term>--policy</term>
3040                         <listitem><para>
3041                                 Name of authentication policy to assign or leave empty to remove.
3042                         </para></listitem>
3043                 </varlistentry>
3044         </variablelist>
3045 </refsect3>
3047 <refsect3>
3048         <title>user auth policy remove <replaceable>username</replaceable></title>
3049         <para>Remove assigned authentication policy from user.</para>
3050 </refsect3>
3052 <refsect3>
3053         <title>user auth policy view <replaceable>username</replaceable></title>
3054         <para>View the assigned authentication policy for user.</para>
3055 </refsect3>
3057 <refsect3>
3058         <title>user auth silo assign <replaceable>username</replaceable> [options]</title>
3059         <para>Set assigned authentication silo for user.</para>
3060         <variablelist>
3061                 <varlistentry>
3062                         <term>--silo</term>
3063                         <listitem><para>
3064                                 Name of authentication silo to assign or leave empty to remove.
3065                         </para></listitem>
3066                 </varlistentry>
3067         </variablelist>
3068 </refsect3>
3070 <refsect3>
3071         <title>user auth silo remove <replaceable>username</replaceable></title>
3072         <para>Remove assigned authentication silo from user.</para>
3073 </refsect3>
3075 <refsect3>
3076         <title>user auth silo view <replaceable>username</replaceable></title>
3077         <para>View the assigned authentication silo for user.</para>
3078 </refsect3>
3080 <refsect2>
3081         <title>vampire [options] <replaceable>domain</replaceable></title>
3082         <para>Join and synchronise a remote AD domain to the local server.
3083         Please note that <command>samba-tool vampire</command> is deprecated,
3084         please use <command>samba-tool domain join</command> instead.</para>
3085 </refsect2>
3087 <refsect2>
3088         <title>visualize [options] <replaceable>subcommand</replaceable></title>
3089         <para>Produce graphical representations of Samba network state.
3090         To work out what is happening in a replication graph, it is sometimes
3091         helpful to use visualisations.</para>
3093         <para>
3094         There are two subcommands, two graphical modes, and (roughly) two modes
3095         of operation with respect to the location of authority.</para>
3097         <refsect3><title>MODES OF OPERATION</title>
3098         <varlistentry>
3099                 <term>samba-tool visualize ntdsconn</term>
3100                 <listitem><para>Looks at NTDS connections.
3101                 </para></listitem>
3102                 </varlistentry>
3104         <varlistentry>
3105                 <term>samba-tool visualize reps</term>
3106                 <listitem><para>Looks at repsTo and repsFrom objects.
3107                 </para></listitem>
3108                 </varlistentry>
3110         <varlistentry>
3111                 <term>samba-tool visualize uptodateness</term>
3112                 <listitem><para>Looks at replication lag as shown by the
3113                 uptodateness vectors.
3114                 </para></listitem>
3115                 </varlistentry>
3116         </refsect3>
3118         <refsect3><title>GRAPHICAL MODES</title>
3119         <varlistentry>
3120                 <term>--distance</term>
3121                 <listitem><para>Distances between DCs are shown in a matrix in
3122                  the terminal.
3123                 </para></listitem>
3124                 </varlistentry>
3126         <varlistentry>
3127                 <term>--dot</term>
3128                 <listitem><para>Generate Graphviz dot output (for
3129                 ntdsconn and reps modes). When viewed using dot or
3130                 xdot, this shows the network as a graph with DCs as
3131                 vertices and connections as edges. Certain types of
3132                 degenerate edges are shown in different colours or
3133                 line-styles. </para></listitem>
3134                 </varlistentry>
3135         <varlistentry>
3136                 <term>--xdot</term>
3137                 <listitem><para>Generate Graphviz dot output as with
3138                 <arg choice="opt">--dot</arg> and attempt to view it
3139                 immediately using <command>/usr/bin/xdot</command>.
3140                 </para></listitem>
3141                 </varlistentry>
3142         </refsect3>
3144         <varlistentry>
3145                 <term>-r</term>
3146                 <listitem><para>Normally,
3147                 <command>samba-tool</command> talks to one database;
3148                 with the <arg choice="opt">-r</arg> option attempts
3149                 are made to contact all the DCs known to the first
3150                 database. This is necessary for <command>samba-tool
3151                 visualize uptodateness</command> and for
3152                 <command>samba-tool visualize reps</command> because
3153                 the repsFrom/To objects are not replicated. In other modes,
3154                 contacting all the DCs can also reveal replication issues.
3155                 </para></listitem>
3156                 </varlistentry>
3157 </refsect2>
3159 <refsect2>
3160 <title>help</title>
3161 <para>Gives usage information.</para>
3162 </refsect2>
3164 </refsect1>
3166 <refsect1>
3167         <title>VERSION</title>
3169         <para>This man page is complete for version &doc.version; of the Samba
3170         suite.</para>
3171 </refsect1>
3173 <refsect1>
3174         <title>AUTHOR</title>
3176         <para>The original Samba software and related utilities
3177         were created by Andrew Tridgell. Samba is now developed
3178         by the Samba Team as an Open Source project similar
3179         to the way the Linux kernel is developed.</para>
3180 </refsect1>
3182 </refentry>