PDBEDIT(8)                System Administration tools               PDBEDIT(8)

NAME

       pdbedit - manage the SAM database (Database of Samba Users)

SYNOPSIS

       pdbedit [-a] [-b passdb-backend] [-c account-control] [-C value]
        [-d debuglevel] [-D drive] [-e passdb-backend] [-f fullname]
        [--force-initialized-passwords] [-g] [-h homedir] [-i passdb-backend]
        [-I domain] [-K] [-L] [-m] [-M SID|RID] [-N description]
        [-P account-policy] [-p profile] [--policies-reset] [-r]
        [-s configfile] [-S script] [-t] [--time-format] [-u username]
        [-U SID|RID] [-v] [-V] [-w] [-x] [-y] [-z] [-Z]

DESCRIPTION

       This tool is part of the samba(7) suite.

       The pdbedit program is used to manage the user accounts stored in the
       SAM database and can only be run by root.

       The pdbedit tool uses the passdb modular interface and is independent
       of the kind of user database used (currently there are smbpasswd,
       ldap, nis+ and tdb based backends, and more can be added without
       changing the tool).

       There are five main ways to use pdbedit: adding a user account,
       removing a user account, modifying a user account, listing user
       accounts, and importing user accounts.

OPTIONS

       -L|--list
           This option lists all the user accounts present in the user
           database. It prints a list of user/uid pairs separated by
           the ':' character.

           Example: pdbedit -L

               sorce:500:Simo Sorce
               samba:45:Test User

       -v|--verbose
           This option enables the verbose listing format. It causes pdbedit
           to list the users in the database, printing out the account fields
           in a descriptive format.

           Example: pdbedit -L -v

               ---------------
               username:       sorce
               user ID/Group:  500/500
               user RID/GRID:  2000/2001
               Full Name:      Simo Sorce
               Home Directory: \\BERSERKER\sorce
               HomeDir Drive:  H:
               Logon Script:   \\BERSERKER\netlogon\sorce.bat
               Profile Path:   \\BERSERKER\profile
               ---------------
               username:       samba
               user ID/Group:  45/45
               user RID/GRID:  1090/1091
               Full Name:      Test User
               Home Directory: \\BERSERKER\samba
               HomeDir Drive:
               Logon Script:
               Profile Path:   \\BERSERKER\profile

       -w|--smbpasswd-style
           This option sets the "smbpasswd" listing format. It will make
           pdbedit list the users in the database, printing out the account
           fields in a format compatible with the smbpasswd file format (see
           smbpasswd(5) for details).

           Example: pdbedit -L -w

               sorce:500:508818B733CE64BEAAD3B435B51404EE:
                         D2A2418EFC466A8A0F6B1DBB5C3DB80C:
                         [UX         ]:LCT-00000000:
               samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:
                         BC281CE3F53B6A5146629CD4751D3490:
                         [UX         ]:LCT-3BFA1E8D:

       -u|--user username
           This option specifies the username to be used for the operation
           requested (listing, adding, removing). It is required in add,
           remove and modify operations and optional in list operations.

       -f|--fullname fullname
           This option can be used while adding or modifying a user account.
           It will specify the user's full name.

           Example: -f "Simo Sorce"

       -h|--homedir homedir
           This option can be used while adding or modifying a user account.
           It will specify the user's home directory network path.

           Example: -h "\\\\BERSERKER\\sorce"

       -D|--drive drive
           This option can be used while adding or modifying a user account.
           It will specify the Windows drive letter to be used to map the home
           directory.

           Example: -D "H:"

       -S|--script script
           This option can be used while adding or modifying a user account.
           It will specify the user's logon script path.

           Example: -S "\\\\BERSERKER\\netlogon\\sorce.bat"

       -p|--profile profile
           This option can be used while adding or modifying a user account.
           It will specify the user's profile directory.

           Example: -p "\\\\BERSERKER\\netlogon"

       -M|'--machine SID' SID|rid
           This option can be used while adding or modifying a machine
           account. It will specify the machine's new primary group SID
           (Security Identifier) or rid.

           Example: -M S-1-5-21-2447931902-1787058256-3961074038-1201

       -U|'--user SID' SID|rid
           This option can be used while adding or modifying a user account.
           It will specify the user's new SID (Security Identifier) or rid.

           Example: -U S-1-5-21-2447931902-1787058256-3961074038-5004

           Example: '--user SID' S-1-5-21-2447931902-1787058256-3961074038-5004

           Example: -U 5004

           Example: '--user SID' 5004

       -c|--account-control account-control
           This option can be used while adding or modifying a user account.
           It will specify the user's account control property. Possible flags
           are listed below.

           ·   N: No password required
           ·   D: Account disabled
           ·   H: Home directory required
           ·   T: Temporary duplicate of other account
           ·   U: Regular user account
           ·   M: MNS logon user account
           ·   W: Workstation Trust Account
           ·   S: Server Trust Account
           ·   L: Automatic Locking
           ·   X: Password does not expire
           ·   I: Domain Trust Account

           Example: -c "[X ]"

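       The smbpasswd-style records printed by -L -w carry the account control
       flags of -c in their fifth field. The shell function below is an added
       example, not part of the Samba documentation; it reports accounts with
       the N, X or D flag, a stored LM hash, or a zero last-change time. The
       function names and sample records are constructed for illustration
       (the sorce record reuses the -w example values, joined onto one line).

```shell
#!/bin/sh
# Added example (not from the Samba documentation): audit records in the
# smbpasswd-style format printed by `pdbedit -L -w`, one record per line:
#   user:uid:LM hash:NT hash:[flags]:LCT-hex:

# Constructed sample input. The first record reuses the values shown for
# "sorce" under -w; the "guest" record is invented for illustration.
sample_records() {
    cat <<'EOF'
sorce:500:508818B733CE64BEAAD3B435B51404EE:D2A2418EFC466A8A0F6B1DBB5C3DB80C:[UX         ]:LCT-00000000:
guest:501:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NDU        ]:LCT-00000000:
EOF
}

# Read records on stdin and print one "user: finding" line per issue.
audit_smbpasswd() {
    awk -F: '
    NF < 6 { next }                          # skip blank or malformed lines
    {
        user = $1; lm = $3; flags = $5; lct = $6
        gsub(/\[|\]| /, "", flags)           # "[UX         ]" -> "UX"
        if (flags ~ /N/) print user ": no password required (N)"
        if (flags ~ /X/) print user ": password does not expire (X)"
        if (flags ~ /D/) print user ": account disabled (D)"
        # A 32-digit hex value means an LM hash is stored for the account.
        if (length(lm) == 32 && lm ~ /^[0-9A-Fa-f]+$/)
            print user ": LM hash stored"
        if (lct ~ /^LCT-0+$/) print user ": last change time is zero"
    }'
}

# On a Samba server (as root): pdbedit -L -w | audit_smbpasswd
sample_records | audit_smbpasswd
```
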
       -K|--kickoff-time
           This option is used to modify the kickoff time for a certain user.
           Use "never" as argument to set the kickoff time to unlimited.

           Example: pdbedit -K never user

       -a|--create
           This option is used to add a user into the database. This command
           needs a user name specified with the -u switch. When adding a new
           user, pdbedit will also ask for the password to be used.

           Example: pdbedit -a -u sorce

               new password:
               retype new password

               Note
               pdbedit does not call the unix password synchronization script
               if unix password sync has been set. It only updates the data in
               the Samba user database.

               If you wish to add a user and synchronise the password
               immediately, use smbpasswd's -a option.

       -t|--password-from-stdin
           This option causes pdbedit to read the password from standard
           input, rather than from /dev/tty (like the passwd(1) program does).
           The password has to be submitted twice and terminated by a newline
           each.

       -r|--modify
           This option is used to modify an existing user in the database.
           This command needs a user name specified with the -u switch. Other
           options can be specified to modify the properties of the specified
           user. This flag is kept for backwards compatibility, but it is no
           longer necessary to specify it.

       -m|--machine
           This option may only be used in conjunction with the -a option. It
           will make pdbedit add a machine trust account instead of a user
           account (-u username will provide the machine name).

           Example: pdbedit -a -m -u w2k-wks

       -x|--delete
           This option causes pdbedit to delete an account from the database.
           It needs a username specified with the -u switch.

           Example: pdbedit -x -u bob

       -i|--import passdb-backend
           Use a different passdb backend to retrieve users than the one
           specified in smb.conf. Can be used to import data into your local
           user database.

           This option will ease migration from one passdb backend to another.

           Example: pdbedit -i smbpasswd:/etc/smbpasswd.old

       -e|--export passdb-backend
           Exports all currently available users to the specified password
           database backend.

           This option will ease migration from one passdb backend to another
           and will ease backing up.

           Example: pdbedit -e smbpasswd:/root/samba-users.backup

       -g|--group
           If you specify -g, then -i in-backend -e out-backend applies to the
           group mapping instead of the user database.

           This option will ease migration from one passdb backend to another
           and will ease backing up.

       -b|--backend passdb-backend
           Use a different default passdb backend.

           Example: pdbedit -b xml:/root/pdb-backup.xml -l

       -P|--account-policy account-policy
           Display an account policy.

           Valid policies are: minimum password age, reset count minutes,
           disconnect time, user must logon to change password, password
           history, lockout duration, min password length, maximum password
           age and bad lockout attempt.

           Example: pdbedit -P "bad lockout attempt"

               account policy value for bad lockout attempt is 0

       -C|--value account-policy-value
           Sets an account policy to a specified value. This option may only
           be used in conjunction with the -P option.

           Example: pdbedit -P "bad lockout attempt" -C 3

               account policy value for bad lockout attempt was 0
               account policy value for bad lockout attempt is now 3

       -y|--policies
           If you specify -y, then -i in-backend -e out-backend applies to the
           account policies instead of the user database.

           This option allows account policies to be migrated from their
           default tdb-store into a passdb backend, e.g. an LDAP directory
           server.

           Example: pdbedit -y -i tdbsam: -e ldapsam:ldap://my.ldap.host

       --force-initialized-passwords
           This option forces all users to change their password upon next
           login.

       -N|--account-desc description
           This option can be used while adding or modifying a user account.
           It will specify the user's description field.

           Example: -N "test description"

       -Z|--logon-hours-reset
           This option can be used while adding or modifying a user account.
           It will reset the user's allowed logon hours. A user may log in at
           any time afterwards.

           Example: -Z

       -z|--bad-password-count-reset
           This option can be used while adding or modifying a user account.
           It will reset the stored bad login counter for the specified user.

           Example: -z

       --policies-reset
           This option can be used to reset the general password policies
           stored for a domain to their default values.

           Example: --policies-reset

       -I|--domain
           This option can be used while adding or modifying a user account.
           It will specify the user's domain field.

           Example: -I "MYDOMAIN"

       --time-format
           This option is currently not being used.

       -?|--help
           Print a summary of command line options.

       --usage
           Display brief usage message.

       -d|--debuglevel=level
           level is an integer from 0 to 10. The default value if this
           parameter is not specified is 0.

           The higher this value, the more detail will be logged to the log
           files about the activities of the server. At level 0, only critical
           errors and serious warnings will be logged. Level 1 is a reasonable
           level for day-to-day running - it generates a small amount of
           information about operations carried out.

           Levels above 1 will generate considerable amounts of log data, and
           should only be used when investigating a problem. Levels above 3
           are designed for use only by developers and generate HUGE amounts
           of log data, most of which is extremely cryptic.

           Note that specifying this parameter here will override the log
           level parameter in the smb.conf file.

       -V|--version
           Prints the program version number.

       -s|--configfile=<configuration file>
           The file specified contains the configuration details required by
           the server. The information in this file includes server-specific
           information such as what printcap file to use, as well as
           descriptions of all the services that the server is to provide. See
           smb.conf for more information. The default configuration file name
           is determined at compile time.

       -l|--log-basename=logdirectory
           Base directory name for log/debug files. The extension ".progname"
           will be appended (e.g. log.smbclient, log.smbd, etc...). The log
           file is never removed by the client.

       --option=<name>=<value>
           Set the smb.conf(5) option "<name>" to value "<value>" from the
           command line. This overrides compiled-in defaults and options read
           from the configuration file.

NOTES

       This command may be used only by root.

VERSION

       This man page is correct for version 3 of the Samba suite.

SEE ALSO

       smbpasswd(5), samba(7)

AUTHOR

       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

       The pdbedit manpage was written by Simo Sorce and Jelmer Vernooij.

Samba 4.2                         06/19/2018                        PDBEDIT(8)