Samba-tool-external: Difference between revisions

From SambaWiki

Revision as of 15:06, 28 September 2011

This wiki page documents the current externals of the samba-tool command in the first table below and the proposed externals of the samba-tool command in the second table below. The purpose of the proposed changes is to make the samba-tool command more consistent and easier to use. Additionally, help for command completion will be provided in a more consistent manner, again for usability.

Current commands listed in __init__.py in samba 4 Version 4.0.0alpha15-GIT-a8a6433

samba-tool current commands
Ref Num Subcommand Description Parameters Command specific options Net command
1 acl get or set acls on a file nt get <file> --as-sddl
--xattr-backend=native|tdb
--eadb-file=<file>
nt set <file> --quiet=
--xattr-backend=native|tdb
--eadb-file=<file>
ds set <file> --host=
--car=...
--action=allow|deny
--objectdn=
--trusteedn=
--sddl=
--eadb-file=<file>
2 domainlevel Raises domain and forest function level show -H
--quiet
--forest=2003|2008|2008_R2
--domain=2003|2008|2008_R2
raise
3 drs various directory replication services bind <dc>
kcc <dc>
replicate <dest_dc> <source_dc> <nc> --add-ref
--sync-force
showrepl <dc>
4 enableaccount enable a user <username> --filter=
5 export Dumps kerberos keys of the domain into a keytab keytab <keytab> net export keytab <keytab>
6 fsmo Makes the target DC transfer or seize fsmo role (server connection needed)
transfer: request the role from current owner
seize: take the role by force, current master is dead
show --url
--force
--role=rid|pdc|infrastructure|schema|naming|all
transfer --url
--force
--role=rid|pdc|infrastructure|schema|naming|all
seize --url
--force
--role=rid|pdc|infrastructure|schema|naming|all
7 group Add or delete groups or add members to or remove members from a group add <groupname> -H
--groupou=
--group-type=Security|Distribution
--description=
--mail-address=
--notest=
delete <groupname> -H
addmembers <groupname> <listofmembers> -H
removemembers <groupname> <listofmembers> -H
8 gpo2 List group policies list <username> -H
listall
9 join Join a domain as either a member or a backup domain controller
(server connection required)
<dnsdomain> DC --server=
--site=
<dnsdomain> RODC
<dnsdomain> MEMBER
10 ldapcmp compare two ldap databases <url1> <url2> <context1?> <context2?> <context3?> --two
--quiet
--verbose
--sd
--sort-aces
--view
--base
--base2
--scope
11 machinepw get machine PW out of SAM <accountname> net machinepw <accountname>
12 newuser Create a new user <username> <password?> -H
--must-change-at-next-login
--use-username-as-cn
--userou
--surname
--given-name
--initials
--profile-path
--script-path
--home-drive
--home-directory
--job-title
--department
--company
--description
--mail-address
--internet-address
--telephone-number
--physical-delivery-office
13 pwsettings Sets password settings set -H
--quiet
--complexity=on|off|default
--store-plaintext=on|off|default
--history-length=
--min-pwd-length=
--min-pwd-age=
--max-pwd-age=
show
14 password set or change password, set <username> <password>
change
15 setexpiry Sets the expiration of a user account <username> -H
--filter
--days=
--noexpiry
16 setpassword set user password locally, need write access to ldb files <username?> -H
--filter
--newpassword
--must-change-at-next-login
17 time Retrieve the time on a remote server (server connection needed) <servername?> net time <servername>
18 user create or delete a user add <username> <password?>
delete <username>
19 vampire Join and synchronise a remote AD domain to the local server
(server connection needed)
domain

General options are options that can be used on all commands and are as follows:

  • Samba Options
    • list samba options here***
  • Version Options
    • -V
    • --version
  • Credential Options
    • list cred options***

Also possibly open for discussion are the formats of some of the global options. Changes that improve usability should be considered.


samba-tool proposal for command syntax changes

The proposed format for all new and existing functions of the samba-tool command is as follows. Where it makes sense and is possible, the command syntax will follow the format: samba-tool <object> <action> <parameter(s)> <command specific options> <global options>

Also, help will be improved and made consistent.

  • When the samba-tool command is issued without a subcommand, it will return a list of valid subcommands (it does this today)
  • After each subcommand is entered, if more parameters are required, a list of what comes next will be shown (sometimes does this today)
  • If the command syntax is completely incorrect, it will give the format of the subcommand (sometimes does this today)
  • For each subcommand, help will be provided
  • Error handling will be improved; more errors will be caught, with usable messages being issued where applicable
  • Would a --verbose option make sense on all the commands? Consider when implementing (some commands have it today)
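
The object/action format and the help behaviour listed above can be sketched as a small resolver. This is an added example, not samba-tool's own code: the `COMMANDS` tree is a constructed subset of the proposed table below (including `vampire domain`, which the table keeps in its old form), and `resolve` is a hypothetical name.

```python
# Illustrative sketch only; samba-tool's real implementation differs.
# Constructed subset of the proposed table: object -> action -> required parameters.
COMMANDS = {
    "user": {
        "create": ["username"],
        "delete": ["username"],
        "setexpiry": ["username"],
    },
    "group": {
        "create": ["groupname"],
        "delete": ["groupname"],
        "addmembers": ["groupname", "listofmembers"],
        "removemembers": ["groupname", "listofmembers"],
    },
    "fsmo": {"show": [], "transfer": [], "seize": []},
    "vampire": {"domain": []},  # kept as-is, not converted to object/action
}


def resolve(argv):
    """Return ("run", obj, action, params, options) or ("help", message, choices)."""
    # Positional words come first; everything from the first "-" token on is options.
    split = next((i for i, a in enumerate(argv) if a.startswith("-")), len(argv))
    words, options = argv[:split], argv[split:]
    if not words:
        return ("help", "valid subcommands", sorted(COMMANDS))
    obj = words[0]
    if obj not in COMMANDS:
        return ("help", f"unknown subcommand {obj!r}", sorted(COMMANDS))
    actions = COMMANDS[obj]
    if len(words) < 2:
        return ("help", f"{obj}: expected an action", sorted(actions))
    action = words[1]
    if action not in actions:
        return ("help", f"{obj}: unknown action {action!r}", sorted(actions))
    required, given = actions[action], words[2:]
    if len(given) != len(required):
        # Wrong parameter count: answer with the format of the subcommand.
        usage = " ".join(["samba-tool", obj, action] + [f"<{p}>" for p in required])
        return ("help", "usage", [usage])
    return ("run", obj, action, dict(zip(required, given)), options)


if __name__ == "__main__":
    for argv in ([], ["group"], ["user", "add", "alice"], ["user", "create", "alice", "-H", "ldap://dc1"]):
        print(argv, "->", resolve(argv))
```
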
samba-tool command proposed syntax changes
Ref num from previous table Object Action Parameters Specific Options Global Options Comments and Equivalent net command (samba 3)
dbcheck <dn> should this be db <sp> check?
delegation add-service Global options
del-service
for-any-protocol
for-any-service
show <accountname>
1 ntacl get <file> --as-sddl
--xattr-backend=native|tdb
--eadb-file=file
global options
set <file> --xattr-backend=native|tdb
--eadb-file=file
global options
1 dsacl set <file> --objectdn=objectdn
--car=control right
--action=deny|allow
--trusteedn=trustee-dn
global options Could combine set and nt into one action setnt
2,5,9,11,13 domain level show global options
raise -H
--quiet
--forest
--domain
global options
join <dnsdomain> DC|RODC|MEMBER --server=
--site=
global options
exportkeytab <keytab> global options
machinepassword <accountname> global options
passwordsettings show global options
set -H
--quiet
--complexity=on|off|default
--store-plaintext=on|off|default
--history-length=
--min-pwd-length=
--min-pwd-age=
--max-pwd-age=
samba3upgrade <samba3 smb conf> global options
3 drs bind <dc> global options
kcc <dc> global options
replicate <dest_dc> <source_dc> <nc> --add-ref
--sync-force
global options
showrepl <dc> global options
options <dc> --dsa-option=+|-IS_GC |
--dsa-option=+|-DISABLE_INBOUND_REPL
--dsa-option=+|-DISABLE_OUTBOUND_REPL
--dsa-option=+|-DISABLE_NTDSCONN_XLATE
global options
7 group create <groupname> -H
--groupou=
--group-type=Security|Distribution
--description=
--mail-address=
--notest=
global options change "add" to create
more exact
now we have create/delete and
addmembers/removemembers
delete <groupname> -H global options
addmembers <groupname> <listofmembers> -H global options
removemembers <groupname> <listofmembers> -H global options
8 gpo list -H global options
listall -H global options
6 fsmo show --url=
--force
--role=rid|pdc|infrastructure|schema|naming|all
global options
transfer
seize
10 ldap compare <url1> <url2>
<context1?>
<context2?>
<context3?>
--two
--quiet
--verbose
--sd
--sort-aces
--view
--base
--base2
--scope
global options Change to split into ldap compare.
Not done yet.
17 time <servername?> global options
4,12,14,15 user create <username> global options Changing add to create
The help on this command already says add - create a new user
create makes more sense, add sounds like it already exists and adding it to a group, for instance
opposite of removemembers is addmembers
delete <username> global options
setexpiry <username> -H help global options this used to be setexpiry username command
--days=int
--filter=str
--noexpiry this might be confusing
--noexpiry changes the password setting to "Never expires"
there is also an account "Never expires" setting which is what I thought this was
the reason I thought this is because the setexpiry --days command sets the account expiration, not the password expiration
--filter needs additional doc.
the format is --filter=samaccountname=<username>
Also, my understanding is the sam is internal and should not be on the command.
possibly this parameter should change, as samaccountname is an internal concept, not to be used for an external of a command.
comments?
also, I haven't yet figured out the format for second filter parameter
something like accountexpires=xx (except that's not it!)
enable <username?> -H help global options this used to be enableaccount username command
Do we need a disableaccount as well?
Seems like it should be easy enough to implement.
--filter needs additional doc
the format is --filter=samaccountname=<username>
Also, my understanding is the sam is internal and should not be on the command.
possibly this parameter should change, as samaccountname is an internal concept, not to be used for an external of a command.
also***samba-tool user add/delete <user> requires userid and password (e.g. -Uadministrator%xxx), but enable does not.
should enable require userid and password?
--filter=str
setpassword <username> <password> -H
--filter=
--must-change-at-next-login
global options This command combines samba-tool setpassword and samba-tool password set
this password command is intended for admins to set passwords for end users
usually requires admin password for authority
prompts for input if not specified on the command
changepassword <username> <password> global options This command is intended for end users to change their password
prompting for input if not specified on the command
19 vampire domain global options Keep as vampire command for usability / historical purposes
Do not change to object action format