Samba-tool-external: Difference between revisions
mNo edit summary |
mNo edit summary |
||
Line 515: | Line 515: | ||
</tr> |
</tr> |
||
<tr> |
<tr> |
||
<td></td> |
<td rowspan="3"></td> |
||
<td>spn |
<td rowspan="3">spn</td> |
||
<td>add</td> |
<td>add</td> |
||
<td><name></td> |
<td rowspan="2"><name></td> |
||
<td rowspan="2"><user></td> |
|||
⚫ | |||
<td rowspan="3"></td> |
|||
⚫ | |||
<tr> |
|||
<td>delete</td> |
|||
</tr> |
|||
<tr> |
|||
<td>list</td> |
|||
<td><user></td> |
<td><user></td> |
||
⚫ | |||
<td></td> |
<td></td> |
||
</tr> |
</tr> |
||
<tr> |
<tr> |
||
⚫ | |||
<td></td> |
<td></td> |
||
<td>testparm</td> |
<td>testparm</td> |
||
Line 532: | Line 539: | ||
<td>global options</td> |
<td>global options</td> |
||
<td></td> |
<td></td> |
||
</tr> |
|||
<tr> |
<tr> |
||
<td>17</td> |
<td>17</td> |
Revision as of 23:34, 28 September 2011
This wiki page documents the current externals of the samba-tool command in the first table below and proposed externals to the samba-tool command in the second table below. The purpose of the proposed changes is to make the samba-tool command more consistent and easier to use. Additionally, help for command completion will be provided in a more consistent manner, again for usability.
Current commands listed in __init__.py in samba 4 Version 4.0.0alpha15-GIT-a8a6433
samba-tool current commands
Ref Num | Subcommand | Description | Parameters | Command specific options | Net command |
1 | acl | get or set acls on a file | nt get <file> | --as-sddl --xattr\-backend=native|tdb --eadb-file=<file> |
|
nt set <file> | --quiet= --xattr-backend=native|tdb --eadb-file=<file> |
||||
ds set <file> | --host= --car=... --action=allow|deny --objectdn= --trusteedn= --sddl= --eadb-file=<file> |
||||
2 | domainlevel | Raises domain and forest function level | show | -H --quiet --forest=2003|2008|2008_R2 --domain=2003|2008|2008_R2 |
|
raise | |||||
3 | drs | various directory replication services | bind <dc> | ||
kcc <dc> | |||||
replicate <dest_dc> <source_dc> <nc> | --add-ref --sync-force |
||||
showrepl <dc> | |||||
4 | enableaccount | enable a user | <username> | --filter= | |
5 | export | Dumps kerberos keys of the domain into a keytab | keytab <keytab> | net export keytab <keytab> | |
6 | fsmo | Makes the target DC transfer or seize fsmo role (server connection needed) transfer: request the role from current owner seize: take the role by force, current master is dead |
show | --url --force --role=rid|pdc|infrastructure|schema|naming|all |
|
transfer | --url --force --role=rid|pdc|infrastructure|schema|naming|all |
||||
seize | --url --force --role=rid|pdc|infrastructure|schema|naming|all |
||||
7 | group | Add or delete groups or add members to or remove members from a group | add <groupname> | -H --groupou= --group-type=Security|Distribution --description= --mail-address= --notest= |
|
delete <groupname> | -H | ||||
addmembers <groupname> <listofmembers> | -H |
||||
removemembers <groupname> <listofmembers> | -H |
||||
8 | gpo2 | List group policies | list <username> | -H | |
listall | |||||
9 | join | Join a domain as either a member or a backup domain controller (server connection required) |
<dnsdomain> DC | --server= --site= |
|
<dnsdomain> RODC | |||||
<dnsdomain> MEMBER | |||||
10 | ldapcmp | compare two ldap databases | <url1> <url2> <context1?> <context2?> <context3?> | --two --quiet --verbose --sd --sort-aces --view --base --base2 --scope |
|
11 | machinepw | get machine PW out of SAM | <accountname> | net machinepw <accountname> | |
12 | newuser | Create a new user | <username> <password?> | -H --must-change-at_next-login --user-username-as-cn<br.--userou --surname --given-name --initials --profile-path --script-path --home-drive --home-directory --job-title --department --company --description --mail-address --internet-address --telephone-number --physical-delivery-office |
|
13 | pwsettings | Sets password settings | set | -H --quiet --complexity=on|off|default --store-plaintext=on|off|default --history-length= --min-pwd-length= --min-pwd-age= --max-pwd-age= |
|
show | |||||
14 | password | set or change password, | set <username> <password> | ||
change | |||||
15 | setexpiry | Sets the expiration of a user account | <username> | -H --filter --days= --noexpiry |
|
16 | setpassword | set user password locally, need write access to ldb files | <username?> | -H --filter --newpassword --must-change-at-next-login |
|
17 | time | Retrieve the time on a remote server (server connection needed) | <servername?> | net time <servername> | |
18 | user | create or delete a user | add <username> <password?> | ||
delete <username> | |||||
19 | vampire | Join and synchronise a remote AD domain to the local server (server connection needed) |
domain |
General options are options that can be used on all commands and are as follows:
- Samba Options
- list samba options here***
- Version Options
- -V
- --version
- Credential Options
- list cred options***
Also possibly open for discussion is the formats of some of the global options. Improvements for improved usability should be considered.
samba-tool proposal for command syntax changes
The proposed format for all new / existing functions on the samba-tool command are as follows: Where is makes sense and is possible, the command syntax will follow the format: samba-tool <object> <action> <parameter(s)> <command specific options> <global options>
Also, help will be improved and made consistent.
- When the samba-tool command is issued without a subcommand, it will return a list of valid subcommands (it does this today)
- After each subcommand is entered, if more parameters are required a list of what comes next will be shown (sometimes does this today)
- If the command syntax is completely incorrect, will give the format of the subcommand (sometimes does this today)
- For each subcommand, help will be provided
- Error handling will be improved, more errors will be caught with useable messages being issued where applicable
- Would a --verbose option make sense on all the commands? consider when implementing (some commands have it today)
Ref num from previous table | Object | Action | Parameters | Specific Options | Global Options | Comments and Equivalent net command (samba 3) |
dbcheck | <dn> | should this be db <sp> check? | ||||
delegation | add-service | <accountname> | <principal> | Global options | ||
del-service | ||||||
for-any-protocol | on | off | |||||
for-any-service | ||||||
show | ||||||
2,5,9,11,13 | domain | level | show | global options | ||
raise | -H --quiet --forest --domain |
global options | ||||
join | <dnsdomain> DC|RODC|MEMBER | --server= --site= |
global options | |||
exportkeytab | <keytab> | global options | ||||
machinepassword | <accountname> | global options | ||||
passwordsettings | show | global options | ||||
set | -H --quiet --complexity=on|off|default --store-plaintext=on|off|default --history-length= --min-pwd-length= --min-pwd-age= --max-pwd-age= |
|||||
samba3upgrade | <samba3 smb conf> | global options | ||||
3 | drs | bind | <dc> | global options | ||
kcc | <dc> | global options | ||||
replicate | <dest_dc> <source_dc> <nc> | --add-ref --sync-force |
global options | |||
showrepl | <dc> | global options | ||||
options | <dc> | --dsa-option=+|-IS_GC | --dsa-option=+|-DISABLE_INBOUND_REPL --dsa-option=+|-DISABLE_OUTBOUND_REPL --dsa-option=+|-DISABLE_NTDSCONN_XLATE |
global options | |||
1 | dsacl | set | <file> | --objectdn=objectdn --car=control right --action=deny|allow --trusteedn=trustee-dn |
global options | Could combine set and nt into one action setnt |
6 | fsmo | show | --url= --force --role=rid|pdc|infrastructure|schema|naming|all |
global options | ||
transfer | ||||||
seize | ||||||
8 | gpo | list | -H | global options | ||
listall | -H | global options | ||||
7 | group | create | <groupname> | -H --groupou= --group-type=Security|Distribution --description= --mail-address= --notest= |
global options | change "add" to create more exact now we have create/delete and addmembers/removemembers |
delete | <groupname> | -H | global options | |||
addmembers | <groupname> <listofmembers> | -H | global options | |||
removemembers | <groupname> <listofmembers> | -H | global options | |||
10 | ldap | compare | <url1> <url2> <context1?> <context2?> <context3?> |
--two --quiet --verbose --sd --sort-aces --view --base --base2 --scope |
global options | Change to split into ldap compare. Not done yet. |
1 | ntacl | get | <file> | --as-sddl --xattr-backend=native|tdb --eadb-file=file |
global options | |
set | <file> | --xattr-backend=native|tdb --eadb-file=file |
global options | |||
rodc | preload | <SID> | <DN> | <accountname> | global options | |||
spn | add | <name> | <user> | global options | ||
delete | ||||||
list | <user> | |||||
testparm | global options | |||||
17 | time | <servername?> | global options | |||
4,12,14,15 | user | create | <username> | global options | Changing add to create The help on this command already says add - create a new user create makes more sense, add sounds like it already exists and adding it to a group, for instance opposite of removemembers is addmembers |
|
delete | <username> | global options | ||||
setexpiry | <username> | -H help | global options | this used to be setexpiry username command | ||
--days=int | ||||||
--filter=str | ||||||
--noexpiry | this might be confusing --noexpiry changes the password setting to "Never expires" there is also an account "Never expires" setting which is what I thought this was the reason I thought this is because the setexpiry --days command sets the account expiration, not the password expiration --filter needs additional doc. the format is --filter=samaccountname=<username> Also, my understanding is the sam is internal and should not be on the command. possibly this parameter should change, as samaccountname is an internal concept, not to be used for an external of a command. comments? also, I haven't yet figured out the format for second filter parameter something like accountexpires=xx (except thats not it!) |
|||||
enable | <username?> | -H help | global options | this used to be enableaccount username command Do we need a disableaccount as well? Seems like it should be easy enough to implement. --filter needs additional doc the format is --filter=samaccountname=<username> Also, my understanding is the sam is internal and should not be on the command. possibly this parameter should change, as samaccountname is an internal concept, not to be used for an external of a command. also***samba-tool user add/delete <user> requires userid and password (e.g. -Uadministrator%xxx), but enable does not. should enable require userid and password? |
||
--filter=str | ||||||
setpassword | <username> <password> | -H --filter= --must-change-at-next-login |
global options | This command combines samba-tool setpassword and samba-tool password set this password command is intended to admins to set passwords for end users usually requires admin password for authority prompts for input if not specified on the command |
||
changepassword | <username> <password> | global options | This command is intended for end users to change their password prompting for input if not specified on the command |
|||
19 | vampire | domain | global options | Keep as vampire command for usability / historical purposes Do not change to object action format |