Samba-tool-external
From SambaWiki
This wiki page documents the current externals of the samba-tool command in the first table below and proposed externals to the samba-tool command in the second table below. The purpose of the proposed changes is to make the samba-tool command more consistent and easier to use. Additionally, help for command completion will be provided in a more consistent manner, again for usability.
Current commands listed in __init__.py in samba 4 Version 4.0.0alpha15-GIT-a8a6433
samba-tool current commands
| Subcommand | Description | Parameters | Command specific options | Net command |
| acl | get or set acls on a file | nt get <file> | --as-sddl --xattr\-backend=native|tdb --eadb-file=<file> |
|
| nt set <file> | --quiet= --xattr-backend=native|tdb --eadb-file=<file> |
|||
| ds set <file> | --host= --car=... --action=allow|deny --objectdn= --trusteedn= --sddl= --eadb-file=<file> |
|||
| domainlevel | Raises domain and forest function level | show | -H --quiet --forest=2003|2008|2008_R2 --domain=2003|2008|2008_R2 |
|
| raise | ||||
| drs | various directory replication services | bind <dc> | ||
| kcc <dc> | ||||
| replicate <dest_dc> <source_dc> <nc> | --add-ref --sync-force |
|||
| showrepl <dc> | ||||
| enableaccount | enable a user | <username> | --filter= | |
| export | Dumps kerberos keys of the domain into a keytab | keytab <keytab> | net export keytab <keytab> | |
| fsmo | Makes the target DC transfer or seize fsmo role (server connection needed) transfer: request the role from current owner seize: take the role by force, current master is dead |
show | --url --force --role=rid|pdc|infrastructure|schema|naming|all |
|
| transfer | --url --force --role=rid|pdc|infrastructure|schema|naming|all |
|||
| seize | --url --force --role=rid|pdc|infrastructure|schema|naming|all |
|||
| group | Add or delete groups or add members to or remove members from a group | add <groupname> | -H --groupou= --group-type=Security|Distribution --description= --mail-address= --notest= |
|
| delete <groupname> | -H | |||
| addmembers <groupname> <listofmembers> | -H |
|||
| removemembers <groupname> <listofmembers> | -H |
|||
| gpo2 | List group policies | list <username> | -H | |
| listall | ||||
| join | Join a domain as either a member or a backup domain controller (server connection required) |
<dnsdomain> DC | --server= --site= |
|
| <dnsdomain> RODC | ||||
| <dnsdomain> MEMBER | ||||
| ldapcmp | compare two ldap databases | <url1> <url2> <context1?> <context2?> <context3?> | --two --quiet --verbose --sd --sort-aces --view --base --base2 --scope |
|
| machinepw | get machine PW out of SAM | <accountname> | net machinepw <accountname> | |
| newuser | Create a new user | <username> <password?> | -H --must-change-at_next-login --user-username-as-cn<br.--userou --surname --given-name --initials --profile-path --script-path --home-drive --home-directory --job-title --department --company --description --mail-address --internet-address --telephone-number --physical-delivery-office |
|
| pwsettings | Sets password settings | set | -H --quiet --complexity=on|off|default --store-plaintext=on|off|default --history-length= --min-pwd-length= --min-pwd-age= --max-pwd-age= |
|
| show | ||||
| password | set or change password, | set <username> <password> | ||
| change | ||||
| setexpiry | Sets the expiration of a user account | <username> | -H --filter --days= --noexpiry |
|
| setpassword | set user password locally, need write access to ldb files | <username?> | -H --filter --newpassword --must-change-at-next-login |
|
| time | Retrieve the time on a remote server (server connection needed) | <servername?> | net time <servername> | |
| user | create or delete a user | add <username> <password?> | ||
| delete <username> | ||||
| vampire | Join and synchronise a remote AD domain to the local server (server connection needed) |
domain |
General options are options that can be used on all commands and are as follows:
- Samba Options
- list samba options here***
- Version Options
- -V
- --version
- Credential Options
- list cred options***
Also possibly open for discussion is the formats of some of the global options. Improvements for improved usability should be considered.
samba-tool proposal for command syntax changes
The proposed format for all new / existing functions on the samba-tool command are as follows: Where is makes sense and is possible, the command syntax will follow the format: samba-tool <object> <action> <parameter(s)> <command specific options> <global options>
Also, help will be improved and made consistent.
- When the samba-tool command is issued without a subcommand, it will return a list of valid subcommands (it does this today)
- After each subcommand is entered, if more parameters are required a list of what comes next will be shown (sometimes does this today)
- If the command syntax is completely incorrect, will give the format of the subcommand (sometimes does this today)
- For each subcommand, help will be provided
- Error handling will be improved, more errors will be caught with useable messages being issued where applicable
- Would a --verbose option make sense on all the commands? consider when implementing (some commands have it today)
| Object | Action | Parameters | Specific Options | Global Options | Comments and Equivalent net command (samba 3) |
| acl | get nt | <file> | --as-sddl --xattr-backend=native|tdb --eadb-file=file |
global options | Could combine get and nt into one action getnt Of leave as get <space> nt for historical purposes |
| set nt | <file> | --xattr-backend=native|tdb --eadb-file=file |
global options | Could combine set and nt into one action setnt | |
| set ds | <file> | --objectdn=objectdn --car=control right --action=deny|allow --trusteedn=trustee-dn |
global options | Could combine set and ds into one action setds | |
| domainlevel | show | global options | |||
| raise | -H --quiet --forest --domain |
global options | |||
| drs | bind | <dc> | global options | ||
| kcc | <dc> | global options | |||
| replicate | <dest_dc> <source_dc> <nc> | --add-ref --sync-force |
global options | ||
| showrepl | <dc> | global options | |||
| options | <dc> | --dsa-option=+|-IS_GC | --dsa-option=+|-DISABLE_INBOUND_REPL --dsa-option=+|-DISABLE_OUTBOUND_REPL --dsa-option=+|-DISABLE_NTDSCONN_XLATE |
global options | ||
| group | add | <groupname> | -H --groupou= --group-type=Security|Distribution --description= --mail-address= --notest= |
global options | |
| delete | <groupname> | -H | global options | ||
| addmembers | <groupname> <listofmembers> | -H | global options | ||
| removemembers | <groupname> <listofmembers> | -H | global options | ||
| gpo | list | -H | global options | ||
| listall | -H | global options | |||
| DC | join | <dnsdomain> | --server= --site= --mode=R0|<none,default> |
global options | An alternative is to keep join <dnsdomain> DC|RODC|MEMBER |
| MEMBER | --server= --site= |
||||
| fsmo | show | --url= --force --role=rid|pdc|infrastructure|schema|naming|all |
global options | ||
| transfer | |||||
| seize | |||||
| keytab | export | <keytab> | add options | global options | What is the object? |
| ldap | compare | <url1> <url2> <context1?> <context2?> context3?> |
--two --quiet --verbose --sd --sort-aces --view --base --base2 --scope |
global options | Change to split into ldap compare. |
| pwsettings | show | global options | |||
| set | -H --quiet --complexity=on|off|default --store-plaintext=on|off|default --history-length= --min-pwd-length= --min-pwd-age= --max-pwd-age= |
||||
| password | set | user | |||
| change | user | ||||
| time | server-name | Change format? add an optional action: show ? | |||
| user | create | username | global options | Changing add to create, can / should make an alias? The help on this command already says add - create a new user create makes more sense, add sounds like it already exists and adding it to a group, for instance opposite of removemembers is addmembers |
|
| delete | username | global options | |||
| setexpiry | username | -H help | global options | this used to be setexpiry username command | |
| --days=int | |||||
| --filter=str | |||||
| --noexpiry | |||||
| enableaccount | username | -H help | global options | this used to be enableaccount username command | |
| --filter=str | |||||
| vampire | domain | global options | Keep as vampire command for usability / historical purposes Do not change to object action format |