
11.5. Remote Administration with net

The net command was mentioned in Chapter 5, when we discussed Samba's group mapping and user privileges features, and again in Chapter 10 as the tool used to join Samba servers to a domain. Its original design mimicked the net.exe command found on Windows hosts. Since the tool's introduction in Samba 3.0.0, it has become the kitchen sink of Samba administration tools and a stable alternative to the more developer-oriented rpcclient utility.

There are two roles for net. One is the protocol administration tool used for such things as managing users or groups on remote servers. The other is the local database administration role for manipulating such things as group mapping entries. Our primary concern in this section is the first role, the protocol interface to remote administration functions.

net supports three administration protocols identified by the following case-insensitive keywords:


RAP: The CIFS Remote Administration Protocol (RAP), used primarily by Windows 9x/Me clients and OS/2 hosts. RAP should be considered historical at this point and of interest only to CIFS developers.[*]

[*] OS/2 administrators might disagree on this point.

RPC: Microsoft's Remote Procedure Call (RPC) implementation, loosely based on the Distributed Computing Environment/Remote Procedure Call (DCE/RPC) specification. This is the primary interface for managing Windows clients and servers.

ADS: Active Directory specific functions based upon Lightweight Directory Access Protocol (LDAP) requests, with a small dash of RPC when necessary. This protocol can be used only when communicating with AD domain controllers.

There is a great deal of overlap in subcommands between these three administration methods. For example, all three interfaces return identical results, only differing in order, when enumerating users:

    $ net rap user -S windc -U Administrator
    Password: <enter Administrator's password>
    Administrator
    Guest
    krbtgt
    IWAM_WIN2K-KDC
    IUSR_WIN2K-KDC
    gcarter
    TsInternetUser
    lizard

    $ net rpc user -S windc -U Administrator
    Password: <enter Administrator's password>
    Administrator
    gcarter
    Guest
    IUSR_WIN2K-KDC
    IWAM_WIN2K-KDC
    krbtgt
    lizard
    TsInternetUser

    $ net ads user -S windc -U Administrator
    Password: <enter Administrator's password>
    Administrator
    Guest
    IWAM_WIN2K-KDC
    IUSR_WIN2K-KDC
    krbtgt
    gcarter
    TsInternetUser
    lizard

If we were to examine the traffic on the network, however, we would see very different search queries.

This brings up the next question: which method is preferable? As a general rule, we recommend using either RPC or ADS, depending on which provides the functionality you desire. As you will soon see, some features are available only in one or the other.

11.5.1. net rpc

The first task discussed here is managing users and groups. net rpc provides two subcommands, user and group, for viewing and manipulating accounts. You can find out more about each subcommand using the help option. The following command demonstrates the available features of the user subcommand. This help listing shows that the user subcommand is available for all three interfaces: RAP, RPC, and ADS:

    $ net rpc help user

    net [<method>] user [misc. options] [targets]
            List users

    <...output deleted...>
    Valid methods: (auto-detected if not specified)
            ads           Active Directory (LDAP/Kerberos)
            rpc           DCE-RPC
            rap           RAP (older systems)

The miscellaneous options for user are composed of information such as the user credentials used in the connection request (-U option) or the log level (--debuglevel option). A valid target is generally a specific server (-S option), workgroup (-w option), or IP address (-I option). The order of command-line arguments prefaced by an option flag does not matter. You can string these options and parameters together to enumerate users on a CIFS server by running this command:

    $ net rpc user -S windc -U lizard
    Password: <enter password for lizard>
    Administrator
    gcarter
    Guest
    IUSR_WIN2K-KDC
    IWAM_WIN2K-KDC
    krbtgt
    lizard
    TsInternetUser

If you wish to find out the groups to which a particular user belongs, add the info argument to the user subcommand.

    $ net rpc user info lizard -S windc -U lizard
    Password: <enter password for lizard>
    Linux Users
    Domain Admins
    Printer Admins
    Domain Users

You may add, delete, and rename users as well. For example, you can create a new user account for jsmith and then rename the account to smitty. Although you do not have to run the net command as root, you do have to specify an account with sufficient rights, such as Administrator, on the target server to change user or group settings.

    $ net rpc user add jsmith -S windc -U Administrator
    Password: <enter password for Administrator>
    Added user jsmith

    $ net rpc user rename jsmith smitty -S windc -U Administrator
    Password: <enter password for Administrator>
    Renamed user from jsmith to smitty

One of the most tedious jobs that system administrators often have to perform is resetting forgotten passwords for users. The net rpc password command allows you to do this for accounts on any Windows or Samba server from your Unix desktop. As an example, the following command sets the password for the account just created to be LeAv3:. If all goes well, you will be returned immediately to a shell prompt.

    $ net rpc password smitty LeAv3: -S windc -U Administrator
    Password: <enter password for Administrator>

You can always check the return code from net to determine success or failure. A simple echo $? at a shell prompt or test $? -eq 0 in a script will inform you whether the command succeeded.

After creating a new user, you can add the account to specific groups using the group subcommand. The following example adds the user smitty to the Domain Admins group on the host windc, which is a domain controller in the BOOKS domain. Note that net rpc group addmem provides feedback only when the operation fails, not when it is completed successfully.

    $ net rpc group addmem "Domain Admins" smitty -S windc -U Administrator
    Password: <enter password for Administrator>

    $ net rpc group members "Domain Admins" -S windc -U Administrator
    Password: <enter password for Administrator>
    BOOKS\Administrator
    BOOKS\gcarter
    BOOKS\smitty
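Because addmem is silent on success, a script should rely on the exit code and then read the membership back. The following is an added example, not code from the book; the function names and the NET override variable (which lets a test substitute a stub for net) are assumptions of this sketch, and each call to net still prompts for the password as shown above.

```shell
# Added example, not from the book.
NET=${NET:-net}

# in_group GROUP USER SERVER ADMIN
# Returns 0 when USER is listed by "net rpc group members". Members are
# printed as DOMAIN\user, one per line; the domain prefix is stripped and
# the remainder compared exactly (case-insensitively), so "smit" does not
# match "smitty".
in_group() {
    "$NET" rpc group members "$1" -S "$3" -U "$4" |
        awk -v u="$2" '{ sub(/^.*\\/, "") }
                       tolower($0) == tolower(u) { found = 1 }
                       END { exit !found }'
}

# add_member_checked GROUP USER SERVER ADMIN
# Returns 0 on success, 1 if addmem reports failure, 2 if addmem
# returned 0 but the read-back does not show the account.
add_member_checked() {
    if in_group "$@"; then
        echo "$2 is already a member of $1" >&2
        return 0
    fi
    if ! "$NET" rpc group addmem "$1" "$2" -S "$3" -U "$4"; then
        echo "addmem failed for $2 -> $1 on $3" >&2
        return 1
    fi
    if ! in_group "$@"; then
        echo "addmem returned 0 but $2 is not listed in $1" >&2
        return 2
    fi
    echo "$2 added to $1 on $3"
}
```

With the values used in the text, the call would be add_member_checked "Domain Admins" smitty windc Administrator.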

Table 11-4 gives a summary of the subcommands available to net rpc user and net rpc group.

Table 11-4. Parameters for the net rpc subcommands user and group

                                    Enumerate user accounts.
    username [password]             Create a user account with an optional password.
                                    Remove a user account.
                                    List the group membership for a user account.
    oldname newname                 Rename a user account from oldname to newname.
                                    Enumerate groups.
    [ global | local | builtin ]    Enumerate groups of a specific type.
                                    Create a new group.
                                    Remove a group.
                                    List the members of a group.
    group user                      Add user to group.
    group user                      Remove user from group.

Shares

In addition, with net you can manage shared resources on a server just as you manage user and group accounts. The share option to net rpc allows you to view existing shares, migrate data, and add or remove resources.

We'll start by enumerating the shares on a particular server. net rpc share doesn't list as many details as smbclient -L, but it does include shares with long names:

    $ net rpc share -S windc -U Administrator
    Password: <enter password for Administrator>
    public
    IPC$
    print$
    NETLOGON
    CertEnroll
    ADMIN$
    SYSVOL
    C$
    files

You can create new SMB/CIFS shares for existing directories. Assume that the path C:\users has been previously created on the host windc. You can create a file share named UserHome that points to this directory by running this command. No response is displayed unless the command fails.

    $ net rpc share add "UserHome=c:\\users" -S windc -U Administrator
    Password: <enter password for Administrator>

If you enumerate the shares again, you will see the new UserHome share in the output. There is also a complementary delete option to net rpc share. This command only stops the server from sharing the directory. It does not remove any files on the server.

Table 11-5 describes the various net rpc share options.

Table 11-5. net rpc share commands

                                          Enumerate shares on the server.
                                          Create a new file share for the path on the server.
                                          Display or set a list of SIDs which are allowed to access this share.
                                          Stop sharing the directory path on the server.
    <all|files|security|share> [share]    Migrate share settings from the remote server to the local server.

Services

Like Unix, Windows hosts possess numerous long-running processes that operate in the background to perform specific tasks. You can enumerate the services using the net rpc service list command. The lefthand column presents the service name and the righthand column gives its more friendly display name:

    $ net rpc service list -S windc -U Administrator
    Password: <enter password for Administrator>
    <...output deleted...>
    UPS             "Uninterruptible Power Supply"
    UtilMan         "Utility Manager"
    VMTools         "VMware Tools Service"
    W32Time         "Windows Time"
    WinMgmt         "Windows Management Instrumentation"
    WINS            "Windows Internet Name Service (WINS)"
    Wmi             "Windows Management Instrumentation Driver Extensions"
    wuauserv        "Automatic Updates"
    WZCSVC          "Wireless Configuration"

The status subcommand provides more detail about the current state of a service:

    $ net rpc service status w32time -S windc -U Administrator
    Password: <enter password for Administrator>
    w32time service is running.
    Configuration details:
            Controls Accepted    = 0x1
            Service Type         = 0x20
            Start Type           = 0x2
            Error Control        = 0x1
            Tag ID               = 0x0
            Executable Path      = C:\WINNT\System32\services.exe
            Load Order Group     =
            Dependencies         = /
            Start Name           = LocalSystem
            Display Name         = Windows Time

If the need arises, you can stop and start a specific service using its shorter service name. The following commands stop and then restart the w32time service on a Windows host:

    $ net rpc service stop w32time -S windc -U Administrator
    Password: <enter password for Administrator>
    ..............................
    w32time service is stop pending.

    $ net rpc service start w32time -S windc -U Administrator
    Password: <enter password for Administrator>
    .
    Successfully started service: w32time

Sometimes, however, restarting a single service is not enough to restore a host to a working state. In these cases, a reboot is necessary. You can use the shutdown command to reboot a host. The -r flag instructs the host to reboot after the shutdown and the -t option defines the number of seconds to delay the reboot process. You may also specify an informational message using the -C option. Following is an example that reboots a server in 120 seconds and informs any logged-on user of the server maintenance. The client sees the reboot dialog box shown in Figure 11-5.

Figure 11-5. Reboot dialog box issued by net rpc shutdown

    $ net rpc shutdown -r -t 120 \
      -C "Maintenance reboot required.  Please log off" \
      -S dorn -U Administrator
    Password: <enter password for Administrator>
    Shutdown of remote machine succeeded

If you change your mind, there is an abortshutdown command that can cancel your previous reboot request.

Table 11-6 finishes this section with a short summary of the commands to manage services using net rpc service.

Table 11-6. net rpc service commands

    Enumerate installed services on the server.
    Pause the service. Not all services support this control, which is the equivalent of using ^Z to stop a job in a Unix shell.
    Start the service.
    Display the service configuration and current status.
    Stop the service.
    Resume a paused service.

11.5.2. net ads

The ADS method of the net command shares some of the same functions as the RPC method. For example, you can reset passwords and manage users and groups. The main advantage of net ads over net rpc is the ability in ADS to use Kerberos tickets for authentication and to communicate with Active Directory using LDAP. Using Kerberos removes the need to enter a password every time you run the net command. To observe how this works, first initialize your Krb5 ticket cache using the kinit command:

    $ kinit Administrator
    Password for Administrator@BOOKS.PLAINJOE.ORG: <enter password>

You can now list users in the AD domain by running net ads user:

    $ net ads user
    Administrator
    Guest
    IWAM_WIN2K-KDC
    IUSR_WIN2K-KDC
    krbtgt
    gcarter
    TsInternetUser
    lizard
    smitty

Upon examining your ticket cache, you will see that you now possess a service ticket for a DC in your domain. In our example, the machine account windc$ is one of the domain controllers in the AD domain:

    $ klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: Administrator@BOOKS.PLAINJOE.ORG

    Valid starting     Expires            Service principal
    07/26/06 17:46:58  07/27/06 03:46:35  krbtgt/BOOKS.PLAINJOE.ORG@BOOKS.PLAINJOE.ORG
            renew until 07/27/06 17:46:58
    07/26/06 17:47:21  07/27/06 03:46:35  windc$@BOOKS.PLAINJOE.ORG
            renew until 07/27/06 17:46:58

Because Active Directory can be searched using LDAP queries, the net ads command provides a simple search interface as an alternative to tools such as ldapsearch. The search command accepts an LDAP search filter, followed by an optional list of attribute names to return. The following example looks up the SID assigned to the user smitty. The sAMAccountName attribute stores the value for user and machine account names, so the LDAP filter matches against it.

    $ net ads search "(sAMAccountName=smitty)" objectSID
    Got 1 replies

    objectSid: S-1-5-21-4200961138-2496335650-1239021823-1273

This next search returns a list of all machines in the domain, including their operating systems if available, by matching the computer object class value:

    # net ads search "(objectclass=computer)" operatingSystem sAMAccountName
    Got 6 replies

    operatingSystem: Windows 2000 Professional
    sAMAccountName: BLITZ$

    operatingSystem: Windows XP Professional
    sAMAccountName: LETTUCE$

    operatingSystem: Windows XP Professional
    sAMAccountName: DORN$

    operatingSystem: Windows 2000 Professional
    sAMAccountName: POLE$

    sAMAccountName: zero$

    operatingSystem: Windows 2000 Server
    sAMAccountName: WINDC$

net ads search can be a valuable auditing and debugging tool and is much faster than firing up a graphical LDAP search tool, especially if that approach involves logging onto a Windows client.
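As an added example of the auditing use mentioned above (not code from the book), the functions below turn the computer search output into one line per machine account and list the accounts whose operating system is missing or matches a pattern the auditor chooses. The function names are assumptions, and the parser assumes one attribute per line with a blank line between replies.

```shell
# Added example, not from the book.
# Listing from the search above, one attribute per line with a blank
# line between replies (the layout this parser assumes).
sample_search_output() {
    cat <<'EOF'
Got 6 replies

operatingSystem: Windows 2000 Professional
sAMAccountName: BLITZ$

operatingSystem: Windows XP Professional
sAMAccountName: LETTUCE$

operatingSystem: Windows XP Professional
sAMAccountName: DORN$

operatingSystem: Windows 2000 Professional
sAMAccountName: POLE$

sAMAccountName: zero$

operatingSystem: Windows 2000 Server
sAMAccountName: WINDC$
EOF
}

# computers_tsv: stdin = net ads search output; stdout = one
# "account<TAB>os" line per reply, with "-" when no OS is recorded.
computers_tsv() {
    awk '
        function emit() {
            if (name != "") printf "%s\t%s\n", name, (os == "" ? "-" : os)
            name = ""; os = ""
        }
        /^Got [0-9]+ replies/         { next }
        /^[ \t]*$/                    { emit(); next }
        sub(/^sAMAccountName: /, "")  { name = $0 }
        sub(/^operatingSystem: /, "") { os = $0 }
        END                           { emit() }
    '
}

# flag_hosts ERE: accounts whose OS is missing or matches ERE, which is
# the caller's own definition of a platform that needs follow-up.
flag_hosts() {
    computers_tsv |
        awk -F'\t' -v pat="$1" '$2 == "-" || $2 ~ pat { print $1 }'
}
```

Against a live domain, pipe the net ads search command shown above into flag_hosts "Windows 2000" in place of sample_search_output.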

Using Samba: A File and Print Server for Linux, Unix & Mac OS X, 3rd Edition
ISBN: 0596007698
Year: 2004
Pages: 135