1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
4 <chapter id="NetCommand">
9 <pubdate>May 9, 2005</pubdate>
12 <title>Remote and Local Management &smbmdash; The Net Command</title>
15 The <command>net</command> command is one of the new features of Samba-3 and is an attempt to provide a useful
16 tool into which the majority of remote management operations necessary for common tasks. The
17 <command>net</command> tool is flexible by design and is intended for command line use as well as for scripted
22 Originally introduced with the intent to mimic the Microsoft Windows command that has the same name, the
23 <command>net</command> command has morphed into a very powerful instrument that has become an essential part
24 of the Samba network administrator's toolbox. The Samba Team have introduced tools, such as
25 <command>smbgroupedit, rpcclient</command> from which really useful have been integrated into the
26 <command>net</command>. The <command>smbgroupedit</command> command was absorbed entirely into the
27 <command>net</command>, while only some features of the <command>rpcclient</command> command have been
28 ported to it. Anyone who finds older references to these utilities and to the functionality they provided
29 should look at the <command>net</command> command before searching elsewhere.
33 A Samba-3 administrator can not afford to gloss over this chapter because to do so will almost certainly cause
34 the infliction of self induced pain, agony and desperation. Be warned, this is an important chapter.
38 <title>Overview</title>
41 The tasks that follow the installation of a Samba-3 server, whether Stand-Alone, Domain Member, of a
42 Domain Controller (PDC or BDC) begins with the need to create administrative rights. Of course, the
43 creation of user and group accounts is essential for both a Stand-Alone server as well as for a PDC.
44 In the case of a BDC or a Domain Member server (DMS) Domain user and group accounts are obtained from
45 the central domain authentication backend.
49 Regardless of the type of server being installed, local UNIX groups must be mapped to the Windows
50 networking domain global group accounts. Do you ask, why? Because Samba always limits its access to
51 the resources of the host server by way of traditional UNIX UID/GID controls. This means that local
52 groups must be mapped to domain global groups so that domain users who are members of the domain
53 global groups can be given access rights based on UIDs and GIDs local to the server that is hosting
54 Samba. Such mappings are implemented using the <command>net</command> command.
58 UNIX systems that are hosting a Samba-3 server that is running as a member (PDC, BDC, or DMS) must have
59 a machine security account in the domain authentication database (or directory). The creation of such
60 security (or trust) accounts is also handled using the <command>net</command> command.
64 The establishment of inter-domain trusts is achieved using the <command>net</command> command also, as
65 may a plethora of typical administrative duties such as: user management, group management, share and
66 printer management, file and printer migration, security identifier management, and so on.
70 The over-all picture should be clear now, the <command>net</command> command plays a central role
71 on the Samba-3 stage. This role will continue to be developed. The inclusion of this chapter is
72 evidence of its importance, one that has grown in complexity to the point that it is no longer considered
73 prudent to cover its use fully in the on-line UNIX man pages.
79 <title>Administrative Tasks And Methods</title>
82 The basic operations of the <command>net</command> command are documented here. This documentation is not
83 exhaustive, and thus it is incomplete. Since the primary focus is on migration from Windows servers to
84 a Samba server the emphasis is on the use of the DCE RPC mode of operation. When used against a server
85 that is a member of an Active Directory domain it is preferable (and often necessary) to use ADS mode
86 operations. The <command>net</command> command supports both, but not for every operation. For most
87 operations, if the mode is not specified <command>net</command> will automatically fall back via
88 the <constant>ads, rpc, rap</constant> modes. Please refer to the man page for a more comprehensive
89 overview of the capabilities of this utility.
95 <title>UNIX and Windows Group Management</title>
98 In repetition of what has been said, the focus in most of this chapter is on use of the <command>net
99 rpc</command> family of operations that are supported by Samba. Most of them are supported by the
100 <command>net ads</command> mode when used in connection with MS Active Directory. The <command>net
101 rap</command> operating mode is also supported for some of these operations. RAP protocols are used
102 by IBM OS/2 and by several earlier SMB servers.
106 Sambas' <command>net</command> tool implements sufficient capability to permit all common administrative
107 tasks to be completed from the command line. In this section each of the essential user and group management
108 facilities are explored.
112 Samba-3 recognizes two types of groups: <emphasis>domain groups</emphasis> and <emphasis>local
113 groups</emphasis>. Domain groups can contain (have as members) only domain user accounts. Local groups
114 can contain local users, domain users, and domain groups as members.
118 The purpose of a local group is to permit file permission to be set for a group account that, like the
119 usual UNIX/Linux group, is persistent across redeployment of a Windows file server.
123 <title>Adding, Renaming, or Deletion of Group Accounts</title>
126 <title>Adding or Creating a New Group</title>
129 Before attempting to add a Windows group account the currently available groups can be listed as shown
132 &rootprompt; net rpc group list -Uroot%not24get
143 A Windows group account called <quote>SupportEngrs</quote> can be added by executing the following
146 &rootprompt; net rpc group add "SupportEngrs" -Uroot%not24get
148 The addition will result in immediate availability of the new group account as validated by executing the
151 &rootprompt; net rpc group list -Uroot%not24get
166 The following demonstrates that the POSIX (UNIX/Linux system account) group has been created by calling
167 the <smbconfoption name="add group script">/opt/IDEALX/sbin/smbldap-groupadd -p "%g"</smbconfoption> interface
170 &rootprompt; getent group
172 Domain Admins:x:512:root
173 Domain Users:x:513:jht,lct,ajt,met
175 Print Operators:x:550:
176 Backup Operators:x:551:
178 Domain Computers:x:553:
182 The following demonstrates that the use of the <command>net</command> command to add a group account
183 results in immediate mapping of the POSIX group that has been created to the Windows group account as shown
186 &rootprompt; net groupmap list
187 Domain Admins (S-1-5-21-72630-4128915-11681869-512) -> Domain Admins
188 Domain Users (S-1-5-21-72630-4128915-11681869-513) -> Domain Users
189 Domain Guests (S-1-5-21-72630-4128915-11681869-514) -> Domain Guests
190 Print Operators (S-1-5-21-72630-4128915-11681869-550) -> Print Operators
191 Backup Operators (S-1-5-21-72630-4128915-11681869-551) -> Backup Operators
192 Replicator (S-1-5-21-72630-4128915-11681869-552) -> Replicator
193 Domain Computers (S-1-5-21-72630-4128915-11681869-553) -> Domain Computers
194 Engineers (S-1-5-21-72630-4128915-11681869-3005) -> Engineers
195 SupportEngrs (S-1-5-21-72630-4128915-11681869-3007) -> SupportEngrs
202 <title>Mapping Windows Groups to UNIX Groups</title>
205 Windows groups must be mapped to UNIX system (POSIX) groups so that file system access controls
206 can be asserted in a manner that is consistent with the methods appropriate to the operating
207 system that is hosting the Samba server.
211 All file system (file and directory) access controls, within the file system of a UNIX/Linux server that is
212 hosting a Samba server, is implemented using a UID/GID identity tuple. Samba does not in any way over-ride
213 or replace UNIX file system semantics. Thus it is necessary that all Windows networking operations that
214 access the file system must provide a mechanism that maps a Windows user to a particular UNIX/Linux group
215 account. The user account must also map to a locally known UID.
219 Samba depends on default mappings for the <constant>Domain Admins, Domain Users</constant> and
220 <constant>Domain Guests</constant> global groups. Additional groups may be added as shown in the
221 examples just given. There are times when it is necessary to map an existing UNIX group account
222 to a Windows group. This operation, in effect, creates a Windows group account as a consequence
223 of creation of the mapping.
227 The operations that are permitted includes: <constant>add, modify, delete</constant>. An example
228 of each operation is shown here.
232 An existing UNIX group may be mapped to an existing Windows group by this example:
234 &rootprompt; net groupmap modify ntgroup="Domain Users" unixgroup=users
236 An existing UNIX group may be mapped to a new Windows group as shown here:
238 &rootprompt; net groupmap add ntgroup="EliteEngrs" unixgroup=Engineers type=d
240 A Windows group may be deleted, and then a new Windows group can be mapped to the UNIX group by
241 executing these commands:
243 &rootprompt; net groupmap delete ntgroup=Engineers
244 &rootprompt; net groupmap add ntgroup=EngineDrivers unixgroup=Engineers type=d
249 Two types of Windows groups can be created: <constant>domain (global),</constant> and <constant>local</constant>.
250 In the above examples the Windows groups created were of type <constant>domain</constant>, or global. The
251 following command will create a Windows group of type <constant>local</constant>.
253 &rootprompt; net groupmap add ntgroup=Pixies unixgroup=pixies type=l
255 Local groups can be used with Samba to enable multiple nested group support.
261 <title>Deleting a Group Account</title>
264 A group account may be deleted by executing the following command:
266 &rootprompt; net rpc group delete SupportEngineers -Uroot%not24get
271 Validation of the deletion is advisable. The same commands may be executed as shown above.
277 <title>Rename Group Accounts</title>
280 This command is not documented in the man pages, it is implemented in the source code, but it does not
281 work. The example given documents (from the source code) how it should work. Watch the release notes
282 of a future release to see when this may have been be fixed.
286 Sometimes it is necessary to rename a group account. Good administrators know how painful some managers
287 demands can be if this simple request is ignored. The following command demonstrates how the Windows group
288 <quote>SupportEngrs</quote> can be renamed to <quote>CustomerSupport</quote>:
290 &rootprompt; net rpc group rename SupportEngrs \
291 CustomerSupport -Uroot%not24get
300 <title>Manipulating Group Memberships</title>
303 Three operations can be performed in respect of group membership. It is possible to (1) add Windows users
304 to Windows group, to (2) delete Windows users from Windows groups, and to (3) list the Windows users that are
305 members of a Windows group.
309 So as to avoid confusion, it makes sense to check group membership before attempting to make and changes.
310 The <command>getent group</command> will list UNIX/Linux group membership. UNIX/Linux group members are
311 seen also as members of a Windows group that has been mapped using the <command>net groupmap</command>
312 command (see <link linkend="groupmapping"/>). The following list of UNIX/Linux group membership shows
313 that the user <constant>ajt</constant> is a member of the UNIX/Linux group <constant>Engineers</constant>.
315 &rootprompt; getent group
317 Domain Admins:x:512:root
318 Domain Users:x:513:jht,lct,ajt,met,vlendecke
320 Print Operators:x:550:
321 Backup Operators:x:551:
323 Domain Computers:x:553:
324 Engineers:x:1000:jht,ajt
326 The UNIX/Linux groups have been mapped to Windows groups, as is shown here:
328 &rootprompt; net groupmap list
329 Domain Admins (S-1-5-21-72630-412605-116429-512) -> Domain Admins
330 Domain Users (S-1-5-21-72630-412605-116429-513) -> Domain Users
331 Domain Guests (S-1-5-21-72630-412605-116429-514) -> Domain Guests
332 Print Operators (S-1-5-21-72630-412605-116429-550) -> Print Operators
333 Backup Operators (S-1-5-21-72630-412605-116429-551) -> Backup Operators
334 Replicator (S-1-5-21-72630-412605-116429-552) -> Replicator
335 Domain Computers (S-1-5-21-72630-412605-116429-553) -> Domain Computers
336 Engineers (S-1-5-21-72630-412605-116429-3001) -> Engineers
341 Given that the user <constant>ajt</constant> is already a member of the UNIX/Linux group, and via the
342 group mapping, a member of the Windows group, an attempt to add this account again should fail. This is
345 &rootprompt; net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot%not24get
346 Could not add ajt to MIDEARTH\Engineers: NT_STATUS_MEMBER_IN_GROUP
348 This shows that the group mapping between UNIX/Linux groups and Windows groups is effective and
353 To permit the user <constant>ajt</constant> to be added using the <command>net rpc group</command> utility
354 this account must first be removed. The removal, and confirmation of its effect is shown here:
356 &rootprompt; net rpc group delmem "MIDEARTH\Engineers" ajt -Uroot%not24get
357 &rootprompt; getent group Engineers
359 &rootprompt; net rpc group members Engineers -Uroot%not24get
362 In this example both at the UNIX/Linux system level, the group no longer has the <constant>ajt</constant>
363 as a member. The above also shows this to be the case for Windows group membership.
367 The account is now added again, using the <command>net rpc group</command> utility:
369 &rootprompt; net rpc group addmem "MIDEARTH\Engineers" ajt -Uroot%not24get
370 &rootprompt; getent group Engineers
371 Engineers:x:1000:jht,ajt
372 &rootprompt; net rpc group members Engineers -Uroot%not24get
379 In this example the members of the Windows <constant>Domain Users</constant> account is validated using
380 the <command>net rpc group</command> utility. Note that this contents of the UNIX/Linux group was shown
381 4 paragraphs earlier. The Windows (domain) group membership is shown here:
383 &rootprompt; net rpc group members "Domain Users" -Uroot%not24get
390 The example shown here is an express example that Windows group names are treated by Samba (as with
391 MS Windows) in a case insensitive manner:
393 &rootprompt; net rpc group members "DomAiN USerS" -Uroot%not24get
403 An attempt to specify the group name as <constant>MIDEARTH\Domain Users</constant> in place of
404 just simply <constant>Domain Users</constant> will fail. The default behavior of the net rpc group
405 is to direct the command at the local machine. The Windows group is treated as being local to the machine.
406 If it is necessary to query another machine, its name can be specified using the <constant>-S
407 servername</constant> parameter to the <command>net</command> command.
413 <title>Nested Group Support</title>
416 It is possible in Windows (and now in Samba also) to great a local group that has members (contains)
417 domain users and domain global groups. Creation of the local group <constant>demo</constant> is
418 achieved by executing:
420 &rootprompt; net rpc group add demo -L -S MORDON -Uroot%not24get
422 The -L switch means create a local group. Use the -S argument to direct the operation to a particular
423 server. The parameters to the -U argument should be for a user who has appropriate administrative right
424 and privileges on the machine.
428 Addition and removal of group members can be achieved using the <constant>addmem</constant> and
429 <constant>delmem</constant> subcommands of <command>net rpc group</command> command. For example,
430 addition of <quote>DOM\Domain Users</quote> to the local group <constant>demo</constant> would be
433 &rootprompt; net rpc group addmem demo "DOM\Domain Users" -Uroot%not24get
438 The members of a nested group can be listed by executing the following:
440 &rootprompt; net rpc group members demo -Uroot%not24get
449 Nested group members can be removed (deleted) as shown here:
451 &rootprompt; net rpc group delmem demo "DOM\jht" -Uroot%not24get
456 Windows network administrators often ask on the Samba mailing list how it is possible to grant everyone
457 administrative rights on their own workstation. This is of course a very bad practice, but commonly done
458 to avoid user complaints. Here is how it can be done remotely from a Samba PDC or BDC:
460 &rootprompt; net rpc group addmem "Administrators" "Domain Users" \
461 -S WINPC032 -Uadministrator%secret
470 <title>UNIX and Windows User Management</title>
473 Every Windows network user account must be translated to a UNIX/Linux user account. In actual fact,
474 the only account information the UNIX/Linux Samba server needs is a UID. The UID is available either
475 from a system (POSIX) account, or from a pool (range) of UID numbers that is set aside for the purpose
476 of being allocated for use by Windows user accounts. In the case of the UID pool, the UID for a
477 particular user will be allocated by <command>winbindd</command>.
481 Although this is not the appropriate place to discuss the <smbconfoption name="username map"/> facility,
482 this interface is an important method of mapping a Windows user account to a UNIX account that has a
483 different name. Refer to the man page for the &smb.conf; file for more information regarding this
484 facility. User name mappings can not be managed using the <command>net</command> utility.
487 <sect2 id="sbeuseraddn">
488 <title>Adding User Accounts</title>
491 The syntax for adding a user account via the <command>net</command> (according to the man page) is shown
494 net [<method>] user ADD <name> [-c container] [-F user flags] \
495 [misc. options] [targets]
497 The user account password may be set using this syntax:
499 net rpc password <username> [<password>] -Uadmin_username%admin_pass
504 The following demonstrates the addition of an account to the server <constant>FRODO</constant>:
506 &rootprompt; net rpc user add jacko -S FRODO -Uroot%not24get
509 The account password can be set with the following methods (all show the same operation):
511 &rootprompt; net rpc password jacko f4sth0rse -S FRODO -Uroot%not24get
512 &rootprompt; net rpc user password jacko f4sth0rse \
513 -S FRODO -Uroot%not24get
520 <title>Deletion of User Accounts</title>
523 Deletion of a user account can be done using the following syntax:
525 net [<method>] user DELETE <name> [misc. options] [targets]
527 The following command will delete the user account <constant>jacko</constant>:
529 &rootprompt; net rpc user delete jacko -Uroot%not24get
537 <title>Managing User Accounts</title>
540 Two basic user account operations are routinely used, change of password and querying which groups a user
541 is a member of. The change of password operation is shown in <link linkend="sbeuseraddn"/>.
545 The ability to query Windows group membership can be essential. Here is how a remote server may be
546 interrogated to find which groups a user is a member of:
548 &rootprompt; net rpc user info jacko -S SAURON -Uroot%not24get
549 net rpc user info jacko -S SAURON -Uroot%not24get
562 <title>User Mapping</title>
565 In some situations it is unavoidable that a users' Windows logon name will differ from the login ID
566 that user has on the Samba server. It is possible to create a special file on the Samba server that
567 will permit the Windows user name to be mapped to a different UNIX/Linux user name. The &smb.conf;
568 file must also be amended so that the <constant>[global]</constant> stanza contains the parameter:
570 username map = /etc/samba/smbusers
572 The content of the <filename>/etc/samba/smbusers</filename> file is shown here:
574 parsonsw: "William Parsons"
577 In this example the Windows user account <quote>William Parsons</quote> will be mapped to the UNIX user
578 <constant>parsonsw</constant>, and the Windows user account <quote>geeringm</quote> will be mapped to the
579 UNIX user <constant>marygee</constant>.
587 <title>Administering User Rights and Privileges</title>
590 With all versions of Samba earlier than 3.0.11 the only account on a Samba server that had the ability
591 to manage users, groups, shares, printers, etc. is the <constant>root</constant> account. This caused
592 immense problems for some users and was a frequent source of scorn over the necessity to hand out the
593 credentials for the most security sensitive account on a UNIX/Linux system.
597 New to Samba version 3.0.11 is the ability to delegate administrative privileges as necessary to either
598 a normal user, or to groups of users. The significance of the administrative privileges is documented
599 in <link linkend="rights"/>. Examples of use of the <command>net</command> for user rights and privilege
600 management is appropriate to this chapter.
604 When user rights and privileges are correctly set there is no longer a need for there to be a Windows
605 network account for the <constant>root</constant> user (nor for any synonym of it) with a UNIX UID=0.
606 Initial user rights and privileges can be assigned by any account that is a member of the <constant>
607 Domain Admins</constant> group. Rights can be assigned to user as well as group accounts.
611 By default, no privileges and rights are assigned. This is demonstrated by executing the command
614 &rootprompt; net rpc rights list accounts -U root%not24get
615 BUILTIN\Print Operators
616 No privileges assigned
618 BUILTIN\Account Operators
619 No privileges assigned
621 BUILTIN\Backup Operators
622 No privileges assigned
624 BUILTIN\Server Operators
625 No privileges assigned
627 BUILTIN\Administrators
628 No privileges assigned
631 No privileges assigned
636 The <command>net</command> command can be used to obtain the currently supported capabilities for rights
637 and privileges using this method:
639 &rootprompt; net rpc rights list -U root%not24get
640 SeMachineAccountPrivilege Add machines to domain
641 SePrintOperatorPrivilege Manage printers
642 SeAddUsersPrivilege Add users and groups to the domain
643 SeRemoteShutdownPrivilege Force shutdown from a remote system
644 SeDiskOperatorPrivilege Manage disk shares
646 Machine account privilege is necessary to permit a Windows NT4 or later network client to be added to the
647 domain. The disk operator privilege is necessary to permit the user to manage share ACLs and file and
648 directory ACLs for objects not owned by the user.
652 In this example, all rights are assigned to the <constant>Domain Admins</constant> group. This is a good
653 idea since members of this group are generally expected to be all-powerful. This assignment makes that
656 &rootprompt; net rpc rights grant "MIDEARTH\Domain Admins" \
657 SeMachineAccountPrivilege SePrintOperatorPrivilege \
658 SeAddUsersPrivilege SeRemoteShutdownPrivilege \
659 SeDiskOperatorPrivilege -U root%not24get
660 Successfully granted rights.
662 Next, the domain user <constant>jht</constant> is given the privileges needed for day to day
665 &rootprompt; net rpc rights grant "MIDEARTH\jht" \
666 SeMachineAccountPrivilege SePrintOperatorPrivilege \
667 SeAddUsersPrivilege SeDiskOperatorPrivilege \
669 Successfully granted rights.
674 The following step permits validation of the changes just made:
676 &rootprompt; net rpc rights list accounts -U root%not24get
678 SeMachineAccountPrivilege
679 SePrintOperatorPrivilege
681 SeDiskOperatorPrivilege
683 BUILTIN\Print Operators
684 No privileges assigned
686 BUILTIN\Account Operators
687 No privileges assigned
689 BUILTIN\Backup Operators
690 No privileges assigned
692 BUILTIN\Server Operators
693 No privileges assigned
695 BUILTIN\Administrators
696 No privileges assigned
699 No privileges assigned
701 MIDEARTH\Domain Admins
702 SeMachineAccountPrivilege
703 SePrintOperatorPrivilege
705 SeRemoteShutdownPrivilege
706 SeDiskOperatorPrivilege
713 <title>Managing Trust Relationships</title>
716 There are essentially two types of trust relationships. The first between domain controllers and domain
717 member machines (network clients), the second trusts between domains (called inter-domain trusts). All
718 Samba servers that participate in domain security require a domain membership trust account, as do like
719 Windows NT/2KX/XPP workstations.
723 <title>Machine Trust Accounts</title>
726 A Samba server domain trust account can be validated as shown in this example:
728 &rootprompt; net rpc testjoin
729 Join to 'MIDEARTH' is OK
731 Where there is no domain membership account, or when the account credentials are not valid the following
732 results will be observed:
734 net rpc testjoin -S DOLPHIN
735 Join to domain 'WORLDOCEAN' is not valid
740 The equivalent command for joining a Samba server to a Windows ADS domain is shown here:
742 &rootprompt; net ads testjoin
743 Using short domain name -- TAKEAWAY
744 Joined 'LEMONADE' to realm 'TAKEAWAY.BIZ'
746 In the event that the ADS trust was not established, or is broken for one reason or another, the following
747 error message may be obtained:
749 &rootprompt; net ads testjoin -UAdministrator%secret
750 Join to domain is not valid
755 The following demonstrates the process of creating a machine trust account in the target domain for the
756 Samba server from which the command is executed:
758 &rootprompt; net rpc join -S FRODO -Uroot%not24get
759 Joined domain MIDEARTH.
761 The joining of a Samba server to a Samba domain results in the creation of a machine account. An example
762 of this is shown here:
764 &rootprompt; pdbedit -Lw merlin\$
765 merlin$:1009:9B4489D6B90461FD6A3EC3AB96147E16:\
766 176D8C554E99914BDF3407DEA2231D80:[S ]:LCT-42891919:
768 The S in the square brackets means this is a server (PDC/BDC) account. The domain join can be cast to join
769 purely as a workstation, in which case the S is replaced with a W (indicating a workstation account). The
770 following command can be used to affect this:
772 &rootprompt; net rpc join member -S FRODO -Uroot%not24get
773 Joined domain MIDEARTH.
775 Note that the command-line parameter <constant>member</constant> makes this join specific. By default
776 the type is deduced from the &smb.conf; file configuration. To specifically join as a PDC or BDC the
777 command-line parameter will be <constant>[PDC | BDC]</constant>. For example:
779 &rootprompt; net rpc join bdc -S FRODO -Uroot%not24get
780 Joined domain MIDEARTH.
782 It is best to let Samba figure out the domain join type from the settings in the &smb.conf; file.
786 The command to join a Samba server to a Windows ADS domain is shown here:
788 &rootprompt; net ads join -UAdministrator%not24get
789 Using short domain name -- GDANSK
790 Joined 'FRANDIMITZ' to realm 'GDANSK.ABMAS.BIZ'
795 There is no specific option to remove a machine account from ain NT4 domain. When a domain member that is a
796 Windows machine is withdrawn from the domain the domain membership account is not automatically removed
797 either. Inactive domain member accounts can be removed using any convenient tool. If necessary, the
798 machine account can be removed using the following <command>net</command> command:
800 &rootprompt; net rpc user delete HERRING\$ -Uroot%not24get
801 Deleted user account.
803 The removal is made possible because machine account are just like user accounts with a trailing $
804 character. The account management operations treat user and machine accounts in like manner.
808 A Samba-3 server that is a Windows ADS domain member can execute the following command to detach from the
811 &rootprompt; net ads leave
816 Detailed information regarding an ADS domain can be obtained by a Samba DMS machine by executing the
819 &rootprompt; net ads status
821 The volume of information is extensive. Please refer to the book <quote>Samba-3 by Example</quote>,
822 Chapter 7 for more information regarding its use. This book may be obtained either in print, or on line from
823 the <ulink url="http://www.samba.org/samba/docs/Samba-Guide.pdf">Samba-Guide</ulink>.
829 <title>Inter-Domain Trusts</title>
832 Inter-domain trust relationships form the primary mechanism by which users from one domain can be granted
833 access rights and privileges in another domain.
837 To discover what trust relationships are in effect execute this command:
839 &rootprompt; net rpc trustdom list -Uroot%not24get
840 Trusted domains list:
844 Trusting domains list:
848 There are no inter-domain trusts at this time, the following steps will create them.
852 It is necessary to create a trust account in the local domain. A domain controller in a second domain can
853 create a trusted connection with this account. That means that the foreign domain is being trusted
854 to access resources in the local domain. This command creates the local trust account:
856 &rootprompt; net rpc trustdom add damnation f00db4r -Uroot%not24get
858 The account can be revealed by using the <command>pdbedit</command> as shown here:
860 &rootprompt; pdbedit -Lw damnation\$
861 damnation$:1016:9AC1F121DF897688AAD3B435B51404EE: \
862 7F845808B91BB9F7FEF44B247D9DC9A6:[I ]:LCT-428934B1:
864 A trust account will always have an I in the field within the square brackets.
868 If the trusting domain is not capable of being reached the following command will fail
870 &rootprompt; net rpc trustdom list -Uroot%not24get
871 Trusted domains list:
875 Trusting domains list:
877 DAMNATION S-1-5-21-1385457007-882775198-1210191635
879 The above command executed successfully; a failure is indicated when the following response is obtained:
881 net rpc trustdom list -Uroot%not24get
882 Trusted domains list:
884 DAMNATION S-1-5-21-1385457007-882775198-1210191635
886 Trusting domains list:
888 DAMNATION domain controller is not responding
893 Where a trust account has been created on a foreign domain, Samba is able to establish the trust (connect with)
894 the foreign account. In the process it creates a one-way trust to the resources on the remote domain. This
895 command achieves the objective of enjoining the trust relationship:
897 &rootprompt; net rpc trustdom establish damnation
898 Password: xxxxxxx == f00db4r
899 Could not connect to server TRANSGRESSION
900 Trust to domain DAMNATION established
902 Validation of the two-way trust now established is possible as shown here:
904 &rootprompt; net rpc trustdom list -Uroot%not24get
905 Trusted domains list:
907 DAMNATION S-1-5-21-1385457007-882775198-1210191635
909 Trusting domains list:
911 DAMNATION S-1-5-21-1385457007-882775198-1210191635
916 Sometimes it is necessary to remove the ability for local uses to access a foreign domain. The trusting
917 connection can be revoked as shown here:
919 &rootprompt; net rpc trustdom revoke damnation -Uroot%not24get
921 At other times it becomes necessary to remove the ability for users from a foreign domain to be able to
922 access resources in the local domain. The command shown here will do that:
924 &rootprompt; net rpc trustdom del damnation -Uroot%not24get
934 <title>Managing Security Identifiers (SIDS)</title>
937 The basic security identifier that is used b y all Windows networking operations is the Windows security
938 identifier (SID). All Windows network machines (servers and workstations), users, and groups are
939 identified by their respective SID. All desktop profiles are also encoded with user and group SIDs that
940 are specific to the SID of the domain to which the user belongs.
944 It is truly prudent to store the machine and/or domain SID in a file for safe-keeping. Why? Because
945 a change in hostname or in the domain (workgroup) name may result in a change in the SID. When you
946 have the SID on hand it is a simple matter to restore it. The alternative is to suffer the pain of
947 having to recover user desktop profiles and perhaps re-join all member machines to the domain.
951 First, do not forget to store the local sid in a file. It is a good idea to put this in the directory
952 in which the &smb.conf; file is also stored. Here is a simple action to achieve this:
954 &rootprompt; net getlocalsid > /etc/samba/my-sid
956 Good, there is now a safe copy of the local machine SID. On a PDC/BDC this is the domain SID also.
960 The following command reveals what the former one should have placed into the file called
961 <filename>my-sid</filename>:
963 &rootprompt; net getlocalsid
964 SID for domain MERLIN is: S-1-5-21-726309263-4128913605-1168186429
969 If ever it becomes necessary to restore the SID that has been stored in the <filename>my-sid</filename>
970 file, simply copy the SID (the string of characters that begins with <constant>S-1-5-21</constant>) to
971 the command-line shown here:
973 &rootprompt; net setlocalsid S-1-5-21-1385457007-882775198-1210191635
975 Restoration of a machine SID is a simple operation, but the absence of a back-up copy can be very
980 The following operation is useful only for machines that are being configured as a PDC or a BDC.
981 Domain member servers (DMS) and workstation clients should have their own machine SID to avoid
982 any potential name-space collision. Here is the way that the BDC SID can be synchronized to that
983 of the PDC (this is the default NT4 domain practice also):
985 &rootprompt; net rpc getsid -S FRODO -Uroot%not24get
986 Storing SID S-1-5-21-726309263-4128913605-1168186429 \
987 for Domain MIDEARTH in secrets.tdb
989 Usually it is not necessary to specify the target server (-S FRODO) or the administrator account
990 credentials (-Uroot%not24get).
996 <title>Share Management</title>
999 Share management is central to all file serving operations. Typical share operations include:
1003 <listitem><para>Creation/change/deletion of shares</para></listitem>
1004 <listitem><para>Setting/changing ACLs on shares</para></listitem>
1005 <listitem><para>Moving shares from one server to another</para></listitem>
1006 <listitem><para>Change of permissions of share contents</para></listitem>
1010 Each of these are dealt with here in so far as they involve the use of the <command>net</command>
1011 command. Operations outside of this command are covered elsewhere in this document.
1015 <title>Creating, Editing, and Removing Shares</title>
1018 A share can be added using the <command>net rpc share</command> command capabilities.
1019 The target machine may be local or remote and is specified by the -S option. It must be noted
1020 that the addition and deletion of shares using this tool depends on the availability of a suitable
1021 interface script. The interface scripts Sambas <command>smbd</command> uses are called:
1022 <smbconfoption name="add share script"/> and <smbconfoption name="delete share script"/>.
1023 A set of example scripts are provided in the Samba source code tarball in the directory
1024 <filename>~samba/examples/scripts</filename>.
1028 The following steps demonstrate the use of the share management capabilities of the <command>net</command>
1029 utility. In the first step a share called <constant>Bulge</constant> is added. The share-point within the
1030 file system is the directory <filename>/data</filename>. The command that can be executed to perform the
1031 addition of this share is shown here:
1033 &rootprompt; net rpc share add Bulge=/data -S MERLIN -Uroot%not24get
1035 Validation is an important process, and by executing the command <command>net rpc share</command>
1036 with no other operators a listing of available shares is shown here:
1038 &rootprompt; net rpc share -S MERLIN -Uroot%not24get
1041 Bulge <--- This one was added
1052 Often it is desirable also to permit a share to be removed using a command-line tool.
1053 The following step permits the share that was previously added to be removed:
1055 &rootprompt; net rpc share delete Bulge -S MERLIN -Uroot%not24get
1057 A simple validation shown here demonstrates that the share has been removed:
1059 &rootprompt; net rpc share -S MERLIN -Uroot%not24get
1074 <title>Creating and Changing Share ACLs</title>
1077 At this time the net tool can not be used to manage ACLs on Samba shares. In MS Windows
1078 language this is called: Share Permissions.
1082 It is possible to set ACLs on Samba shares using either the SRVTOOLS NT4 Domain Server Manager,
1083 of using the Computer Management MMC snap-in. Neither will be covered here as this subject is
1084 covered in <link linkend="AccessControls"/>.
1090 <title>Share, Directory and File Migration</title>
1093 Shares and files can be migrated in the same manner as user, machine and group accounts.
1094 It is possible to preserve access control settings (ACLs) as well as security settings
1095 throughout the migration process. The <command>net rpc vampire</command> facility is used
1096 to migrate accounts from a Windows NT4 (or later) domain to a Samba server. This process
1097 preserves passwords and account security settings and is a precursor to the migration
1098 of shares and files.
1102 The <command>net rpc share</command> command may be used to migrate shares, directories
1103 files, printers, and all relevant data from a Windows server to a Samba server.
1107 A set of command-line switches permit the creation of almost direct clones of Windows file
1108 servers. For example, when migrating a file-server, file ACLs and DOS file attributes from
1109 the Windows server can be included in the migration process and will reappear, almost identically
1110 on the Samba server when the migration has been completed.
1114 The migration process can be completed only with the Samba server already being fully operational.
1115 This means that the user and group accounts must be migrated before attempting to migrate data
1116 share, files, and printers. The migration of files and printer configurations involves the use
1117 of both SMB and MS DCE RPC services. The benefit of the manner in which the migration process has
1118 been implemented, the possibility now exists to use a Samba server as a man-in-middle migration
1119 service that affects a transfer of data from one server to another. For example, if the Samba
1120 server is called MESSER, the source Windows NT4 server is called PEPPY, and the target Samba
1121 server is called GONZALES, the machine MESSER can be used to affect the migration of all data
1122 (files and shares) from PEPPY to GONZALES. If the target machine is not specified, the local
1123 server is assumed by default.
1127 The success of server migration requires a firm understanding of the structure of the source
1128 server (or domain) as well as the processes on which the migration is critically dependant.
1132 There are two known limitations to the migration process:
1137 The <command>net</command> command requires that the user credentials provided exist both
1138 on the migration source and the migration target.
1142 Printer settings may not be fully or incorrectly migrated. This might in particular happen
1143 when migrating a Windows 2003 print server to Samba.
1148 <title>Share Migration</title>
1151 The <command>net rpc share migrate</command> command operation permits the migration of plain
1152 share stanzas. A stanza contains the parameters within which a file or print share are defined.
1153 The use of this migration method will create share stanzas that have as parameters the file
1154 system directory path, an optional description, and simple security settings that permit write
1155 access to files. One of the first steps necessary following migration is to review the share
1156 stanzas to ensure that the settings are suitable for use.
1160 The shares are created on-the-fly as part of the migration process. The <command>smbd</command>
1161 application does this by calling on the operating system to execute the script specified by the
1162 &smb.conf; parameter <parameter>add share command</parameter>.
1166 There is a suitable example script for the <parameter>add share command</parameter> in the
1167 <filename>$SAMBA_SOURCES/examples/scripts</filename> directory. It should be noted that
1168 the account that is used to drive the migration must, of necessity, have appropriate file system
1169 access privileges and have the right to create shares and to set ACLs on them. Such rights are
1170 conferred by these rights: <parameter>SeAddUsersPrivilege, SeDiskOperatorPrivilege</parameter>.
1171 For more information regarding rights and privileges please refer to <link linkend="rights"/>.
1175 The syntax of the share migration command is shown here:
1177 net rpc share MIGRATE SHARES <share-name> -S <source>
1178 [--destination=localhost] [--exclude=share1,share2] [-v]
1180 When the parameter <share-name> is omitted, all shares will be migrated. The potentially
1181 large list of available shares on the system that is being migrated can be limited using the
1182 <parameter>--exclude</parameter> switch. For example:
1184 &rootprompt; net rpc share migrate shares myshare\
1185 -S win2k -U administrator%secret"
1187 This will migrate the share <constant>myshare</constant> from the server <constant>win2k</constant>
1188 to the Samba Server using the permissions that are tied to the account <constant>administrator</constant>
1189 with the password <constant>secret</constant>. The account that is used must be the same on both the
1190 migration source server, as well as on the target Samba server. The use of the <command>net rpc
1191 vampire</command>, prior to attempting the migration of shares, will ensure that accounts will be
1192 identical on both systems. One precaution worth taking before commencement of migration of shares is
1193 to validate that the migrated accounts (on the Samba server) have the needed rights and privileges.
1194 This can be done as shown here:
1196 &rootprompt; net rpc right list accounts -Uroot%not24get
1198 The steps taken so far performs only the migration of shares. Directories and directory contents
1199 are not migrated by the steps covered up to this point.
1205 <title>File and Directory Migration</title>
1208 Everything covered to this point has been done in preparation for the migration of file and directory
1209 data. For many people preparation is potentially boring and the real excitement only begins when file
1210 data can be used. The next steps demonstrates the techniques that can be used to transfer (migrate)
1211 data files using the <command>net</command> command.
1215 Transfer of files from one server to another has always been a challenge for Microsoft Windows
1216 administrators because Windows NT and 200X servers do not include the tools needed. The
1217 <command>xcopy</command> is not capable of preserving file and directory ACLs. Microsoft do provide a
1218 utility that can copy ACLs (security settings) called <command>scopy</command>, but it is provided only
1219 as part of the Windows NT or 200X Server Resource Kit.
1223 There are several tools, both commercial and freeware, that can be used from Windows server to copy files
1224 and directories with full preservation of security settings. One of the best known of the free tools is
1225 called <command>robocopy</command>.
1229 The <command>net</command> utility can be used to copy files and directories with full preservation of
1230 ACLs as well as DOS file attributes. Note that including ACLs makes sense only where the destination
1231 system will operate within the same security context as the source system. This applies to both a domain
1232 member server (DMS) as well as for domain controllers (DCs) that result from a vampired domain.
1233 Before file and directory migration all shares must already exist.
1237 The syntax for the migration commands is shown here:
1239 net rpc share MIGRATE FILES <share-name> -S <source>
1240 [--destination=localhost] [--exclude=share1,share2]
1241 [--acls] [--attrs] [--timestamps] [-v]
1243 If the <share-name> parameter is omitted, all shares will be migrated. The potentially large
1244 list of shares on the source system can be restricted using the <parameter>--exclude</parameter> command
1249 Where it is necessary to preserve all file ACLs, the <parameter>--acls</parameter> switch should be added
1250 to the above command line. Original file time stamps can be preserved by specifying the
1251 <parameter>--timestamps</parameter> switch, and the DOS file attributes (i.e.: hidden, archive, etc.) cab
1252 be preserved by specifying the <parameter>--attrs</parameter> switch.
1256 The ability to preserve ACLs depends on appropriate support for ACLs, as well as the general file system
1257 semantics of the host operating system on the target server. A migration from one Windows file server to
1258 another will perfectly preserve all file attributes. Because of the difficulty of mapping Windows ACLs
1259 onto a POSIX ACLs supporting system, there can be no perfect migration of Windows ACLs to a Samba server.
1263 The ACLs that result on a Samba server will most probably not match the originating ACLs. Windows support
1264 the possibility of files that are owned only by a group. Group-alone file ownership is not possible under
1265 UNIX/Linux. Errors in migrating group-owned files can be avoided by using the &smb.conf; file
1266 <smbconfoption name="force unknown acl user">yes</smbconfoption> parameter. This facility will
1267 automatically convert group-owned files into correctly user-owned files on the Samba server.
1271 An example for migration of files from a machine called <constant>nt4box</constant> to the Samba server
1272 from which the process will be handled is shown here:
1274 &rootprompt; net rpc share migrate files -S nt4box --acls \
1275 --attrs -U administrator%secret
1280 The above command will migrate all files and directories from all file shares on the Windows server called
1281 <constant>nt4box</constant> to the Samba server from which migration is initiated. Files that are group-owned
1282 will be owned by the user account <constant>administrator</constant>.
1288 <title>Simultaneous Share and File Migration</title>
1291 This operating mode shown here is just a combination of the two above. It first migrates
1292 share-definitions and then all shared files and directories afterwards:
1294 net rpc share MIGRATE ALL <share-name> -S <source>
1295 [--exclude=share1, share2] [--acls] [--attrs] [--timestamps] [-v]
1300 An example of simultaneous migration is shown here:
1302 &rootprompt; net rpc share migrate all -S w2k3server -U administrator%secret
1304 This will generate a complete server clone of the <parameter>w2k3server</parameter> server.
1312 <title>Printer Migration</title>
1315 The installation of a new server, as with the migration to a new network environment, often has similarity
1316 to the building of a house; progress is very rapid from the laying of foundations up to the stage at which
1317 the the house can be locked-up, but the finishing off appears to take longer and longer as building
1318 approaches completion.
1322 Printing needs vary greatly depending on the network environment, and may be very simple or complex. If
1323 the need is very simple the best solution to the implementation of printing support may well be to
1324 re-install everything from a clean slate instead of migrating older configurations. On the other hand,
1325 a complex network that is integrated with many international offices and a multiplexity of local branch
1326 offices, each of which form an inter-twined maze of printing possibilities, the ability to migrate all
1327 printer configurations is decidedly beneficial. To manually re-establish a complex printing network
1328 will take much time and frustration. Often-times it will not be possible to find driver files that are
1329 currently in use thus necessitating the installation of newer drivers. Newer drivers often implement
1330 printing features that will necessitate a change in the printer usage. Additionally, with very complex
1331 printer configurations it becomes almost impossible to re-create the same environment - not matter
1332 how extensively it has been documented.
1336 The migration of an existing printing architecture involves the following:
1340 <listitem><para>Establishment of print queues.</para></listitem>
1342 <listitem><para>Installation of printer drivers (both for the print server and for Windows clients.</para></listitem>
1344 <listitem><para>Configuration of printing forms.</para></listitem>
1346 <listitem><para>Implementation of security settings.</para></listitem>
1348 <listitem><para>Configuration of printer settings.</para></listitem>
1352 The Samba <command>net</command> utility permits printer migration from one Windows print server
1353 to another. When this tool is used to migrate printers to a Samba server <command>smbd</command>,
1354 the application the receives the network requests to create the necessary services, must call-out
1355 to the operating system in order to create the underlying printers. The call-out is implemented
1356 by way of an interface script that can be specified by the &smb.conf; file parameter
1357 <smbconfoption id="add printer script"/>. This script is essential to the migration process.
1358 A suitable example script may be obtained from the <filename>$SAMBA_SOURCES/examples/scripts</filename>
1359 directory. Take note that this script must be customized to suit the operating system environment
1360 and may use its tools to create a print queue.
1364 Each of the components listed above can be completed separately, or they can be completed as part of an
1365 automated operation. Many network administrators prefer to deal with migration issues in a manner that
1366 gives them the most control, particularly when things go wrong. The syntax for each operation will now
1367 be briefly described.
1371 Printer migration from a Windows print server (NT4 or 200X) is shown. This instruction causes the
1372 printer share to be created together with the underlying print queue:
1374 net rpc printer MIGRATE PRINTERS [printer] [misc. options] [targets]
1376 Printer drivers can be migrated from the Windows print server to the Samba server using this
1377 command line instruction:
1379 net rpc printer MIGRATE DRIVERS [printer] [misc. options] [targets]
1381 Printer forms can be migrated with the following operation:
1383 net rpc printer MIGRATE FORMS [printer] [misc. options] [targets]
1385 Printer security settings (ACLs) can be migrated from the Windows server to the Samba server using this command:
1387 net rpc printer MIGRATE SECURITY [printer] [misc. options] [targets]
1389 Printer configuration settings include factors such as paper size, default paper orientation, etc.
1390 These can be migrated from the Windows print server to the Samba server with this command:
1392 net rpc printer MIGRATE SETTINGS [printer] [misc. options] [targets]
1397 Migration of printers including all the above mentioned sets of information may be completed
1398 with a single command using this syntax:
1400 net rpc printer MIGRATE ALL [printer] [misc. options] [targets]
1409 <title>Controlling Open Files</title>
1412 The man page documents the <command>net file</command> function suite. These ability is provided to
1413 close open files using either RAP or RPC function calls. Please refer to the man page for specific
1420 <title>Session and Connection Management</title>
1423 The session management interface of the <command>net session</command> command uses the old RAP
1424 method to obtain the list of connections to the Samba server, as shown here:
1426 &rootprompt; net rap session -S MERLIN -Uroot%not24get
1427 Computer User name Client Type Opens Idle time
1428 ------------------------------------------------------------------------------
1429 \\merlin root Unknown Client 0 00:00:00
1430 \\marvel jht Unknown Client 0 00:00:00
1431 \\maggot jht Unknown Client 0 00:00:00
1432 \\marvel jht Unknown Client 0 00:00:00
1437 A session can be closed by executing a command as shown here:
1439 &rootprompt; net rap session close marvel -Uroot%not24get
1446 <title>Printers and ADS</title>
1449 When Samba-3 is used within as MS Windows ADS environment printers shared via Samba will not be browseable
1450 until they have been published to the ADS domain. Information regarding published printers my be obtained
1451 from the ADS server by executing the <command>net ads print info</command> command following this syntax:
1453 net ads printer info <printer_name> <server_name> -Uadministrator%secret
1455 If the asterisk (*) is used in place of the printer_name argument, a list of all printers will be
1460 To publish (make available) a printer to ADS execute the following command:
1462 net ads printer publish <printer_name> -Uadministrator%secret
1464 This publishes a printer from the local Samba server to ADS.
1468 Removal of a Samba printer from ADS is achieved by executing this command:
1470 net ads printer remove <printer_name> -Uadministrator%secret
1475 A generic search (query) can also be made to locate a printer across the entire ADS domain by executing:
1477 net ads printer search <printer_name> -Uadministrator%secret
1484 <title>Manipulating the Samba Cache</title>
1487 Please refer to the net command man page for information regarding cache management.
1493 <title>Other Miscellaneous Operations</title>
1496 The following command is useful for obtaining basic statistics regarding a Samba domain. This command does
1497 not work against current Windows XP Professional clients.
1499 &rootprompt; net rpc info
1500 Domain Name: RAPIDFLY
1501 Domain SID: S-1-5-21-399034208-633907489-3292421255
1502 Sequence number: 1116312355
1504 Num domain groups: 27
1510 Another useful tool is the <command>net time</command> tool set. This tool may be used to query the
1511 current time on the target server as shown here:
1513 &rootprompt; net time -S SAURON
1514 Tue May 17 00:50:43 2005
1516 In the event that it is the intent to pass the time information obtained to the UNIX
1517 <command>/bin/time</command> it is a good idea to obtain the time from the target server in a format
1518 that is ready to be passed through. This may be done by executing:
1520 &rootprompt; net time system -S FRODO
1523 The time can be set on a target server by executing:
1525 &rootprompt; net time set -S MAGGOT -U Administrator%not24get
1526 Tue May 17 00:55:30 MDT 2005
1528 It is possible to obtain the time-zone a server is in by executing the following command against it:
1530 &rootprompt; net time zone -S SAURON