PDBEDIT(8) System Administration tools PDBEDIT(8)

pdbedit - manage the SAM database (Database of Samba Users)

pdbedit [-a] [-b passdb-backend] [-c account-control] [-C value]
[-d debuglevel] [-D drive] [-e passdb-backend] [-f fullname]
[--force-initialized-passwords] [-g] [-h homedir] [-i passdb-backend]
[-I domain] [-K] [-L] [-m] [-M SID|RID] [-N description]
[-P account-policy] [-p profile] [--policies-reset] [-r]
[-s configfile] [-S script] [-t] [--time-format] [-u username]
[-U SID|RID] [-v] [-V] [-w] [-x] [-y] [-z] [-Z]

This tool is part of the samba(7) suite.

The pdbedit program is used to manage the user accounts stored in the
sam database and can only be run by root.

The pdbedit tool uses the passdb modular interface and is independent
from the kind of users database used (currently there are smbpasswd,
ldap, nis+ and tdb based and more can be added without changing the
tool).

There are five main ways to use pdbedit: adding a user account,
removing a user account, modifying a user account, listing user
accounts, importing user accounts.

-L|--list
This option lists all the user accounts present in the users
database. This option prints a list of user/uid pairs separated by
the ':' character.

Example: pdbedit -L

sorce:500:Simo Sorce
samba:45:Test User

-v|--verbose
This option enables the verbose listing format. It causes pdbedit
to list the users in the database, printing out the account fields
in a descriptive format.

Example: pdbedit -L -v

---------------
username: sorce
user ID/Group: 500/500
user RID/GRID: 2000/2001
Full Name: Simo Sorce
Home Directory: \\BERSERKER\sorce
HomeDir Drive: H:
Logon Script: \\BERSERKER\netlogon\sorce.bat
Profile Path: \\BERSERKER\profile
---------------
username: samba
user ID/Group: 45/45
user RID/GRID: 1090/1091
Full Name: Test User
Home Directory: \\BERSERKER\samba
HomeDir Drive:
Logon Script:
Profile Path: \\BERSERKER\profile

-w|--smbpasswd-style
This option sets the "smbpasswd" listing format. It will make
pdbedit list the users in the database, printing out the account
fields in a format compatible with the smbpasswd file format (see
smbpasswd(5) for details).

Example: pdbedit -L -w

sorce:500:508818B733CE64BEAAD3B435B51404EE:
D2A2418EFC466A8A0F6B1DBB5C3DB80C:
[UX ]:LCT-00000000:
samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:
BC281CE3F53B6A5146629CD4751D3490:
[UX ]:LCT-3BFA1E8D:

-u|--user username
This option specifies the username to be used for the operation
requested (listing, adding, removing). It is required in add,
remove and modify operations and optional in list operations.

-f|--fullname fullname
This option can be used while adding or modifying a user account.
It will specify the user's full name.

Example: -f "Simo Sorce"

-h|--homedir homedir
This option can be used while adding or modifying a user account.
It will specify the user's home directory network path.

Example: -h "\\\\BERSERKER\\sorce"

-D|--drive drive
This option can be used while adding or modifying a user account.
It will specify the Windows drive letter to be used to map the home
directory.

Example: -D "H:"

-S|--script script
This option can be used while adding or modifying a user account.
It will specify the user's logon script path.

Example: -S "\\\\BERSERKER\\netlogon\\sorce.bat"

-p|--profile profile
This option can be used while adding or modifying a user account.
It will specify the user's profile directory.

Example: -p "\\\\BERSERKER\\netlogon"

-M|'--machine SID' SID|rid
This option can be used while adding or modifying a machine
account. It will specify the machine's new primary group SID
(Security Identifier) or rid.

Example: -M S-1-5-21-2447931902-1787058256-3961074038-1201

-U|'--user SID' SID|rid
This option can be used while adding or modifying a user account.
It will specify the user's new SID (Security Identifier) or rid.

Example: -U S-1-5-21-2447931902-1787058256-3961074038-5004

Example: '--user SID'
S-1-5-21-2447931902-1787058256-3961074038-5004

Example: -U 5004

Example: '--user SID' 5004

-c|--account-control account-control
This option can be used while adding or modifying a user account.
It will specify the user's account control property. Possible flags
are listed below.

· N: No password required
· D: Account disabled
· H: Home directory required
· T: Temporary duplicate of other account
· U: Regular user account
· M: MNS logon user account
· W: Workstation Trust Account
· S: Server Trust Account
· L: Automatic Locking
· X: Password does not expire
· I: Domain Trust Account

Example: -c "[X ]"

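An audit pass over the smbpasswd-style listing from -L -w, decoding the account-control letters listed under -c. This is an added example, not part of the Samba man page or the Samba code; it assumes each record sits on a single line (the page wraps its sample for width), and the names parse_record, audit, audit_listing and the "kiosk" record are hypothetical.

```python
import re

ACB_FLAGS = set("NDHTUMWSLXI")          # letters listed under -c on this page
HEX32 = re.compile(r"[0-9A-Fa-f]{32}")  # a stored 16-byte hash in hex

def parse_record(line):
    """Split one smbpasswd-style record, as listed by `pdbedit -L -w`."""
    fields = line.strip().split(":")
    if len(fields) < 6:
        raise ValueError("expected 6 ':'-separated fields")
    user, uid, lm, nt, acb, lct = fields[:6]
    m_acb = re.fullmatch(r"\[([A-Za-z ]*)\]", acb)
    m_lct = re.fullmatch(r"LCT-([0-9A-Fa-f]{8})", lct)
    if not m_acb or not m_lct:
        raise ValueError(f"malformed flags or LCT field for {user!r}")
    flags = set(m_acb.group(1).replace(" ", ""))
    if flags - ACB_FLAGS:
        raise ValueError(f"unknown flag(s) {sorted(flags - ACB_FLAGS)} for {user!r}")
    return {"user": user, "uid": int(uid), "flags": flags,
            "has_lm": bool(HEX32.fullmatch(lm)),
            "last_change": int(m_lct.group(1), 16)}  # hex seconds since epoch

def audit(rec):
    """Return the review findings for one parsed record."""
    findings = []
    if "N" in rec["flags"]:
        findings.append("no password required")
    if "X" in rec["flags"]:
        findings.append("password does not expire")
    if rec["has_lm"]:
        findings.append("LM hash stored")
    if rec["last_change"] == 0:
        findings.append("no last-change time recorded")
    return findings

def audit_listing(text):
    """Map each user in a -L -w listing to its findings."""
    records = (parse_record(l) for l in text.splitlines() if l.strip())
    return {r["user"]: audit(r) for r in records}

# First two records are the page's -L -w sample, rejoined onto one line each;
# the "kiosk" record is constructed, with placeholder X's instead of hashes.
SAMPLE = "\n".join([
    "sorce:500:508818B733CE64BEAAD3B435B51404EE:D2A2418EFC466A8A0F6B1DBB5C3DB80C:[UX ]:LCT-00000000:",
    "samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:BC281CE3F53B6A5146629CD4751D3490:[UX ]:LCT-3BFA1E8D:",
    "kiosk:1201:" + "X" * 32 + ":" + "X" * 32 + ":[NU         ]:LCT-00000000:",
])

if __name__ == "__main__":
    for user, findings in audit_listing(SAMPLE).items():
        print(user, "->", "; ".join(findings) or "ok")
```

On a live server the input would be the root-only output of pdbedit -L -w, which contains the password hashes and should be handled as sensitive data.
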
-K|--kickoff-time
This option is used to modify the kickoff time for a certain user.
Use "never" as argument to set the kickoff time to unlimited.

Example: pdbedit -K never user

-a|--create
This option is used to add a user into the database. This command
needs a user name specified with the -u switch. When adding a new
user, pdbedit will also ask for the password to be used.

Example: pdbedit -a -u sorce

new password:
retype new password

Note
pdbedit does not call the unix password synchronisation script
if unix password sync has been set. It only updates the data in
the Samba user database.

If you wish to add a user and synchronise the password
immediately, use smbpasswd's -a option.

-t|--password-from-stdin
This option causes pdbedit to read the password from standard
input, rather than from /dev/tty (like the passwd(1) program does).
The password has to be submitted twice and terminated by a newline
each.

-r|--modify
This option is used to modify an existing user in the database.
This command needs a user name specified with the -u switch. Other
options can be specified to modify the properties of the specified
user. This flag is kept for backwards compatibility, but it is no
longer necessary to specify it.

-m|--machine
This option may only be used in conjunction with the -a option. It
will make pdbedit add a machine trust account instead of a user
account (-u username will provide the machine name).

Example: pdbedit -a -m -u w2k-wks

-x|--delete
This option causes pdbedit to delete an account from the database.
It needs a username specified with the -u switch.

Example: pdbedit -x -u bob

-i|--import passdb-backend
Use a different passdb backend to retrieve users than the one
specified in smb.conf. Can be used to import data into your local
user database.

This option will ease migration from one passdb backend to another.

Example: pdbedit -i smbpasswd:/etc/smbpasswd.old

-e|--export passdb-backend
Exports all currently available users to the specified password
database backend.

This option will ease migration from one passdb backend to another
and will ease backing up.

Example: pdbedit -e smbpasswd:/root/samba-users.backup

-g|--group
If you specify -g, then -i in-backend -e out-backend applies to the
group mapping instead of the user database.

This option will ease migration from one passdb backend to another
and will ease backing up.

-b|--backend passdb-backend
Use a different default passdb backend.

Example: pdbedit -b xml:/root/pdb-backup.xml -l

-P|--account-policy account-policy
Display an account policy.

Valid policies are: minimum password age, reset count minutes,
disconnect time, user must logon to change password, password
history, lockout duration, min password length, maximum password
age and bad lockout attempt.

Example: pdbedit -P "bad lockout attempt"

account policy value for bad lockout attempt is 0

-C|--value account-policy-value
Sets an account policy to a specified value. This option may only
be used in conjunction with the -P option.

Example: pdbedit -P "bad lockout attempt" -C 3

account policy value for bad lockout attempt was 0
account policy value for bad lockout attempt is now 3

-y|--policies
If you specify -y, then -i in-backend -e out-backend applies to the
account policies instead of the user database.

This option allows account policies to be migrated from their
default tdb-store into a passdb backend, e.g. an LDAP directory
server.

Example: pdbedit -y -i tdbsam: -e ldapsam:ldap://my.ldap.host

--force-initialized-passwords
This option forces all users to change their password upon next
login.

-N|--account-desc description
This option can be used while adding or modifying a user account.
It will specify the user's description field.

Example: -N "test description"

-Z|--logon-hours-reset
This option can be used while adding or modifying a user account.
It will reset the user's allowed logon hours. A user may login at
any time afterwards.

Example: -Z

-z|--bad-password-count-reset
This option can be used while adding or modifying a user account.
It will reset the stored bad login counter from a specified user.

Example: -z

--policies-reset
This option can be used to reset the general password policies
stored for a domain to their default values.

Example: --policies-reset

-I|--domain
This option can be used while adding or modifying a user account.
It will specify the user's domain field.

Example: -I "MYDOMAIN"

--time-format
This option is currently not being used.

-?|--help
Print a summary of command line options.

-d|--debuglevel=level
level is an integer from 0 to 10. The default value if this
parameter is not specified is 0.

The higher this value, the more detail will be logged to the log
files about the activities of the server. At level 0, only critical
errors and serious warnings will be logged. Level 1 is a reasonable
level for day-to-day running - it generates a small amount of
information about operations carried out.

Levels above 1 will generate considerable amounts of log data, and
should only be used when investigating a problem. Levels above 3
are designed for use only by developers and generate HUGE amounts
of log data, most of which is extremely cryptic.

Note that specifying this parameter here will override the log
level parameter in the smb.conf file.

-V|--version
Prints the program version number.

-s|--configfile <configuration file>
The file specified contains the configuration details required by
the server. The information in this file includes server-specific
information such as what printcap file to use, as well as
descriptions of all the services that the server is to provide. See
smb.conf for more information. The default configuration file name
is determined at compile time.

-l|--log-basename=logdirectory
Base directory name for log/debug files. The extension ".progname"
will be appended (e.g. log.smbclient, log.smbd, etc...). The log
file is never removed by the client.

This command may be used only by root.

This man page is correct for version 3 of the Samba suite.

smbpasswd(5), samba(7)

The original Samba software and related utilities were created by
Andrew Tridgell. Samba is now developed by the Samba Team as an Open
Source project similar to the way the Linux kernel is developed.

The pdbedit manpage was written by Simo Sorce and Jelmer Vernooij.

Samba 3.6 04/11/2016 PDBEDIT(8)