From SambaWiki

This wiki page documents the current externals of the samba-tool command in the first table below and proposed externals to the samba-tool command in the second table below. The purpose of the proposed changes is to make the samba-tool command more consistent and easier to use. Additionally, help for command completion will be provided in a more consistent manner, again for usability.

Current commands listed in Samba 4 version 4.0.0alpha15-GIT-a8a6433

samba-tool current commands

| Subcommand | Description | Parameters | Command specific options | Net command |
|---|---|---|---|---|
| acl | get or set acls on a file | nt get <file> | --as-sddl | |
| | | nt set <file> | --quiet= | |
| | | ds set <file> | --host= | |
| domainlevel | Raises domain and forest function level | show | -H | |
| drs | various directory replication services | bind <dc> | | |
| | | kcc <dc> | | |
| | | replicate <dest_dc> <source_dc> <nc> | --add-ref | |
| | | showrepl <dc> | | |
| enableaccount | enable a user | <username> | --filter= | |
| export | Dumps kerberos keys of the domain into a keytab | keytab <keytab> | | net export keytab <keytab> |
| fsmo | Makes the target DC transfer or seize fsmo role (server connection needed). transfer: request the role from current owner. seize: take the role by force, current master is dead | show | --url | |
| | | transfer | --url | |
| | | seize | --url | |
| group | Add or delete groups or add members to or remove members from a group | add <groupname> | -H | |
| | | delete <groupname> | -H | |
| | | addmembers <groupname> <listofmembers> | -H | |
| | | removemembers <groupname> <listofmembers> | -H | |
| gpo2 | List group policies | list <username> | -H | |
| join | Join a domain as either a member or a backup domain controller (server connection required) | <dnsdomain> DC | --server= | |
| | | <dnsdomain> RODC | | |
| | | <dnsdomain> MEMBER | | |
| ldapcmp | compare two ldap databases | <url1> <url2> <context1?> <context2?> <context3?> | --two | |
| machinepw | get machine PW out of SAM | <accountname> | | net machinepw <accountname> |
| newuser | Create a new user | <username> <password?> | -H | |
| pwsettings | Sets password settings | set | -H | |
| password | set or change password | set <username> <password> | | |
| setexpiry | Sets the expiration of a user account | <username> | -H | |
| setpassword | set user password locally, need write access to ldb files | <username?> | -H | |
| time | Retrieve the time on a remote server (server connection needed) | <servername?> | | net time <servername> |
| user | create or delete a user | add <username> <password?> | | |
| | | delete <username> | | |
| vampire | Join and synchronise a remote AD domain to the local server (server connection needed) | | | |

General options are options that can be used on all commands and are as follows:

  • Samba Options
    • list samba options here***
  • Version Options
    • -V
    • --version
  • Credential Options
    • list cred options***

The formats of some of the global options are possibly also open for discussion. Changes that improve usability should be considered.

samba-tool proposal for command syntax changes

The proposed format for all new and existing functions of the samba-tool command is as follows. Where it makes sense and is possible, the command syntax will follow the format: samba-tool <object> <action> <parameter(s)> <command specific options> <global options>

Also, help will be improved and made consistent.

  • When the samba-tool command is issued without a subcommand, it will return a list of valid subcommands (it does this today)
  • After each subcommand is entered, if more parameters are required a list of what comes next will be shown (sometimes does this today)
  • If the command syntax is completely incorrect, the format of the subcommand will be given (sometimes does this today)
  • For each subcommand, help will be provided
  • Error handling will be improved: more errors will be caught, with usable messages being issued where applicable
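
A minimal sketch of the <object> <action> dispatch and the help rules listed above, written in Python as an added example (it is not samba-tool's own code). The command table is a subset of the proposed-syntax table on this page; `resolve`, `UsageError`, `COMMANDS` and `LEGACY` are hypothetical names, and keeping the old spellings as aliases is an assumption, since the page only raises that as a question.

```python
# Added illustration only; this is not samba-tool source code.

class UsageError(Exception):
    """Raised with the help text the user should see."""

# Object -> actions, a subset of the proposed-syntax table on this page.
COMMANDS = {
    "user": ["create", "delete", "setexpiry", "enableaccount"],
    "group": ["add", "delete", "addmembers", "removemembers"],
    "fsmo": ["show", "transfer", "seize"],
    "ldap": ["compare"],
    "vampire": [],  # stays a plain command, no <action>
}

# Assumption: old spellings remain usable as aliases (the page only asks
# whether an alias should exist).
LEGACY = {
    ("enableaccount",): ("user", "enableaccount"),
    ("setexpiry",): ("user", "setexpiry"),
    ("ldapcmp",): ("ldap", "compare"),
    ("user", "add"): ("user", "create"),
}


def resolve(argv):
    """Map argv (after 'samba-tool') to (object, action, remaining args)."""
    argv = list(argv)
    for old, new in LEGACY.items():
        if tuple(argv[:len(old)]) == old:
            argv = list(new) + argv[len(old):]
            break
    if not argv:  # no subcommand: list the valid ones
        raise UsageError("valid subcommands: " + ", ".join(sorted(COMMANDS)))
    obj = argv[0]
    if obj not in COMMANDS:
        raise UsageError("unknown subcommand '%s'; valid subcommands: %s"
                         % (obj, ", ".join(sorted(COMMANDS))))
    actions = COMMANDS[obj]
    if not actions:  # command without an <action>, e.g. vampire
        return obj, None, argv[1:]
    if len(argv) < 2:  # more input needed: say what comes next
        raise UsageError("%s: expected one of: %s" % (obj, ", ".join(actions)))
    if argv[1] not in actions:  # wrong syntax: show the subcommand format
        raise UsageError("usage: samba-tool %s <%s> <parameter(s)> [options]"
                         % (obj, "|".join(actions)))
    return obj, argv[1], argv[2:]
```
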

samba-tool command proposed syntax changes

| Object | Action | Parameters | Specific Options | Global Options | Comments and Equivalent net command (samba 3) |
|---|---|---|---|---|---|
| acl | get | nt <file> | --as-sddl | global options | Could combine get and nt into one action getnt. Or leave as get <space> nt for historical purposes |
| | set | nt <file> | --xattr-backend=native\|tdb | global options | Could combine set and nt into one action setnt |
| | set | ds <file> | --objectdn=objectdn, --car=control right | global options | Could combine set and ds into one action setds |
| domainlevel | show | | | global options | |
| | raise | | -H | global options | |
| drs | bind | <dc> | | global options | |
| | kcc | <dc> | | global options | |
| | replicate | <dest_dc> <source_dc> <nc> | --add-ref | global options | |
| | showrepl | <dc> | | global options | |
| | options | <dc> | --dsa-option=+\|-IS_GC \| | global options | |
| group | add | <groupname> | -H | global options | |
| | delete | <groupname> | -H | global options | |
| | addmembers | <groupname> <listofmembers> | -H | global options | |
| | removemembers | <groupname> <listofmembers> | -H | global options | |
| gpo | list | | -H | global options | |
| | listall | | -H | global options | |
| DC | join | <dnsdomain> | --server= | global options | An alternative is to keep join <dnsdomain> DC\|RODC\|MEMBER |
| MEMBER | | | --server= | | |
| fsmo | show | | add options | global options | |
| | transfer | | add options | global options | What is the object? |
| | seize | | add options | global options | What is the object? |
| export | keytab | | add options | global options | What is the object? |
| ldap | compare | URL1, URL2 | add options | | Change to split into ldap compare. |
| pwsettings | show | | | | |
| | set | add parameters that can be set | | | |
| password | set | user | | | |
| | change | user | | | |
| time | | server-name | | | Change format? add an optional action: show ? |
| user | create | username | | global options | Changing add to create, can / should make an alias? The help on this command already says add - create a new user. create makes more sense, add sounds like it already exists and adding it to a group, for instance. opposite of removemembers is addmembers |
| | delete | username | | global options | |
| | setexpiry | username | -H help | global options | this used to be setexpiry username command |
| | enableaccount | username | -H help | global options | this used to be enableaccount username command |
| vampire | | domain | | global options | Keep as vampire command for usability / historical purposes. Do not change to object action format |