PDBEDIT(8) System Administration tools PDBEDIT(8)

NAME
pdbedit - manage the SAM database (Database of Samba Users)

SYNOPSIS
pdbedit [-a] [-b passdb-backend] [-c account-control] [-C value]
[-d debuglevel] [-D drive] [-e passdb-backend] [-f fullname]
[--force-initialized-passwords] [-g] [-h homedir] [-i passdb-backend]
[-I domain] [-K] [-L] [-m] [-M SID|RID] [-N description]
[-P account-policy] [-p profile] [--policies-reset] [-r]
[-s configfile] [-S script] [-t] [--time-format] [-u username]
[-U SID|RID] [-v] [-V] [-w] [-x] [-y] [-z] [-Z]

DESCRIPTION
This tool is part of the samba(7) suite.

The pdbedit program is used to manage the user accounts stored in the
SAM database and can only be run by root.

The pdbedit tool uses the passdb modular interface and is independent
from the kind of users database used (currently there are smbpasswd,
ldap, nis+ and tdb based and more can be added without changing the
tool).

There are five main ways to use pdbedit: adding a user account,
removing a user account, modifying a user account, listing user
accounts, importing user accounts.

OPTIONS
-L|--list
This option lists all the user accounts present in the users
database. This option prints a list of user/uid pairs separated by
the ':' character.

Example: pdbedit -L

sorce:500:Simo Sorce
samba:45:Test User

-v|--verbose
This option enables the verbose listing format. It causes pdbedit
to list the users in the database, printing out the account fields
in a descriptive format.

Example: pdbedit -L -v

---------------
username: sorce
user ID/Group: 500/500
user RID/GRID: 2000/2001
Full Name: Simo Sorce
Home Directory: \\BERSERKER\sorce
HomeDir Drive: H:
Logon Script: \\BERSERKER\netlogon\sorce.bat
Profile Path: \\BERSERKER\profile
---------------
username: samba
user ID/Group: 45/45
user RID/GRID: 1090/1091
Full Name: Test User
Home Directory: \\BERSERKER\samba
HomeDir Drive:
Logon Script:
Profile Path: \\BERSERKER\profile

-w|--smbpasswd-style
This option sets the "smbpasswd" listing format. It will make
pdbedit list the users in the database, printing out the account
fields in a format compatible with the smbpasswd file format (see
smbpasswd(5) for details).

Example: pdbedit -L -w

sorce:500:508818B733CE64BEAAD3B435B51404EE:
D2A2418EFC466A8A0F6B1DBB5C3DB80C:
[UX ]:LCT-00000000:
samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:
BC281CE3F53B6A5146629CD4751D3490:
[UX ]:LCT-3BFA1E8D:

-u|--user username
This option specifies the username to be used for the operation
requested (listing, adding, removing). It is required in add,
remove and modify operations and optional in list operations.

-f|--fullname fullname
This option can be used while adding or modifying a user account. It
will specify the user's full name.

Example: -f "Simo Sorce"

-h|--homedir homedir
This option can be used while adding or modifying a user account. It
will specify the user's home directory network path.

Example: -h "\\\\BERSERKER\\sorce"

-D|--drive drive
This option can be used while adding or modifying a user account. It
will specify the Windows drive letter to be used to map the home
directory.

Example: -D "H:"

-S|--script script
This option can be used while adding or modifying a user account. It
will specify the user's logon script path.

Example: -S "\\\\BERSERKER\\netlogon\\sorce.bat"

-p|--profile profile
This option can be used while adding or modifying a user account. It
will specify the user's profile directory.

Example: -p "\\\\BERSERKER\\netlogon"

-M|'--machine SID' SID|rid
This option can be used while adding or modifying a machine
account. It will specify the machine's new primary group SID
(Security Identifier) or rid.

Example: -M S-1-5-21-2447931902-1787058256-3961074038-1201

-U|'--user SID' SID|rid
This option can be used while adding or modifying a user account.
It will specify the user's new SID (Security Identifier) or rid.

Example: -U S-1-5-21-2447931902-1787058256-3961074038-5004

Example: '--user SID' S-1-5-21-2447931902-1787058256-3961074038-5004

Example: -U 5004

Example: '--user SID' 5004

-c|--account-control account-control
This option can be used while adding or modifying a user account.
It will specify the user's account control property. Possible flags
are listed below.

· N: No password required

· D: Account disabled

· H: Home directory required

· T: Temporary duplicate of other account

· U: Regular user account

· M: MNS logon user account

· W: Workstation Trust Account

· S: Server Trust Account

· L: Automatic Locking

· X: Password does not expire

· I: Domain Trust Account

Example: -c "[X ]"
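
The -w listing and the -c flag letters together are enough for a basic account audit. The following Python is an added example, not part of the Samba documentation or code; it assumes each record arrives on a single line as in the smbpasswd(5) file format, and the function names and the guest1 record are made up for illustration.

```python
import re

# Flag letters and meanings, copied from the -c/--account-control list.
ACB_FLAGS = {
    "N": "No password required", "D": "Account disabled",
    "H": "Home directory required", "T": "Temporary duplicate of other account",
    "U": "Regular user account", "M": "MNS logon user account",
    "W": "Workstation Trust Account", "S": "Server Trust Account",
    "L": "Automatic Locking", "X": "Password does not expire",
    "I": "Domain Trust Account"}
HEX32 = re.compile(r"[0-9A-Fa-f]{32}")
EMPTY_LM_HALF = "AAD3B435B51404EE"  # LM hash of an empty 7-character half

# Constructed input: the two records from the -w example joined onto one line
# each, plus a made-up "guest1" account that has no password set.
SAMPLE = """\
sorce:500:508818B733CE64BEAAD3B435B51404EE:D2A2418EFC466A8A0F6B1DBB5C3DB80C:[UX ]:LCT-00000000:
samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:BC281CE3F53B6A5146629CD4751D3490:[UX ]:LCT-3BFA1E8D:
guest1:1001:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU ]:LCT-4E37C5A0:
"""

def parse_record(line):
    """Split one 'pdbedit -L -w' record into its fields."""
    parts = line.strip().split(":")
    if len(parts) < 6 or not re.fullmatch(r"\[[A-Z ]*\]", parts[4]):
        raise ValueError("not an smbpasswd-style record: %r" % line)
    user, uid, lm, nt, acb, lct = parts[:6]
    flags = [c for c in acb[1:-1] if c != " "]
    unknown = [c for c in flags if c not in ACB_FLAGS]
    if unknown or not lct.startswith("LCT-"):
        raise ValueError("unexpected flags or LCT field: %r" % line)
    return {"user": user, "uid": int(uid), "lm": lm, "nt": nt,
            "flags": flags, "last_change": int(lct[4:], 16)}

def audit(rec):
    flags, out = rec["flags"], []
    if "D" in flags:
        return out  # a disabled account cannot log on
    if "N" in flags:
        out.append("no password required")
    if "X" in flags and "U" in flags:
        out.append("password does not expire")
    if HEX32.fullmatch(rec["lm"]):
        out.append("LM hash stored")
        if rec["lm"].upper().endswith(EMPTY_LM_HALF):
            out.append("password is 7 characters or fewer")
    if rec["last_change"] == 0:
        out.append("last password change time is unset")
    return out
```

On a live system the input would come from running pdbedit -L -w as root; treat that output like the password database itself, since it contains the hashes.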

-K|--kickoff-time
This option is used to modify the kickoff time for a certain user.
Use "never" as argument to set the kickoff time to unlimited.

Example: pdbedit -K never user

-a|--create
This option is used to add a user into the database. This command
needs a user name specified with the -u switch. When adding a new
user, pdbedit will also ask for the password to be used.

Example: pdbedit -a -u sorce

new password:
retype new password

Note
pdbedit does not call the unix password synchronisation script
if unix password sync has been set. It only updates the data in
the Samba user database.

If you wish to add a user and synchronise the password
immediately, use smbpasswd's -a option.

-t|--password-from-stdin
This option causes pdbedit to read the password from standard
input, rather than from /dev/tty (like the passwd(1) program does).
The password has to be submitted twice and terminated by a newline
each.

-r|--modify
This option is used to modify an existing user in the database.
This command needs a user name specified with the -u switch. Other
options can be specified to modify the properties of the specified
user. This flag is kept for backwards compatibility, but it is no
longer necessary to specify it.

-m|--machine
This option may only be used in conjunction with the -a option. It
will make pdbedit add a machine trust account instead of a user
account (-u username will provide the machine name).

Example: pdbedit -a -m -u w2k-wks

-x|--delete
This option causes pdbedit to delete an account from the database.
It needs a username specified with the -u switch.

Example: pdbedit -x -u bob

-i|--import passdb-backend
Use a different passdb backend to retrieve users than the one
specified in smb.conf. Can be used to import data into your local
user database.

This option will ease migration from one passdb backend to another.

Example: pdbedit -i smbpasswd:/etc/smbpasswd.old

-e|--export passdb-backend
Exports all currently available users to the specified password
database backend.

This option will ease migration from one passdb backend to another
and will ease backing up.

Example: pdbedit -e smbpasswd:/root/samba-users.backup

-g|--group
If you specify -g, then -i in-backend -e out-backend applies to the
group mapping instead of the user database.

This option will ease migration from one passdb backend to another
and will ease backing up.

-b|--backend passdb-backend
Use a different default passdb backend.

Example: pdbedit -b xml:/root/pdb-backup.xml -L

-P|--account-policy account-policy
Display an account policy.

Valid policies are: minimum password age, reset count minutes,
disconnect time, user must logon to change password, password
history, lockout duration, min password length, maximum password
age and bad lockout attempt.

Example: pdbedit -P "bad lockout attempt"

account policy value for bad lockout attempt is 0

-C|--value account-policy-value
Sets an account policy to a specified value. This option may only
be used in conjunction with the -P option.

Example: pdbedit -P "bad lockout attempt" -C 3

account policy value for bad lockout attempt was 0
account policy value for bad lockout attempt is now 3
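
The output lines shown for -P and -C are regular enough to check against a written baseline. The following Python is an added example, not part of the Samba documentation or code; the baseline thresholds, the function names and the sample text are assumptions made for illustration, and only the policy names and the output wording come from the entries above.

```python
import re
import subprocess

# Policy names accepted by -P, as listed in the -P entry.
POLICIES = (
    "minimum password age", "reset count minutes", "disconnect time",
    "user must logon to change password", "password history",
    "lockout duration", "min password length", "maximum password age",
    "bad lockout attempt",
)
# Matches "... is 0" and "... is now 3"; the "... was 0" line is skipped.
LINE = re.compile(r"account policy value for (.+) is (?:now )?(\d+)")

# Hypothetical baseline (an assumption of this example, not a Samba default).
BASELINE = {
    "min password length": lambda v: v >= 12,
    "password history": lambda v: v >= 5,
    "bad lockout attempt": lambda v: 1 <= v <= 10,
}

# Constructed sample in the output format shown in the -P and -C examples.
SAMPLE = """\
account policy value for bad lockout attempt was 0
account policy value for bad lockout attempt is now 3
account policy value for min password length is 5
"""

def collect():
    """Run 'pdbedit -P <policy>' for every policy (needs root).
    Which stream carries the value is an assumption, so both are captured."""
    return "".join(subprocess.run(["pdbedit", "-P", p], stdout=subprocess.PIPE,
                                  stderr=subprocess.STDOUT, text=True,
                                  check=True).stdout for p in POLICIES)

def parse_policies(text):
    values = {}
    for line in text.splitlines():
        m = LINE.fullmatch(line.strip())
        if m is None:
            continue
        if m.group(1) not in POLICIES:
            raise ValueError("unknown policy name: %r" % m.group(1))
        values[m.group(1)] = int(m.group(2))
    return values

def audit_policies(values):
    """Return (policy, observed) pairs that miss the baseline; None = not reported."""
    failures = []
    for name, ok in BASELINE.items():
        observed = values.get(name)
        if observed is None or not ok(observed):
            failures.append((name, observed))
    return failures
```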

-y|--policies
If you specify -y, then -i in-backend -e out-backend applies to the
account policies instead of the user database.

This option allows account policies to be migrated from their
default tdb-store into a passdb backend, e.g. an LDAP directory
server.

Example: pdbedit -y -i tdbsam: -e ldapsam:ldap://my.ldap.host

--force-initialized-passwords
This option forces all users to change their password upon next
login.

-N|--account-desc description
This option can be used while adding or modifying a user account. It
will specify the user's description field.

Example: -N "test description"

-Z|--logon-hours-reset
This option can be used while adding or modifying a user account. It
will reset the user's allowed logon hours. A user may login at any
time afterwards.

Example: -Z

-z|--bad-password-count-reset
This option can be used while adding or modifying a user account. It
will reset the stored bad login counter for the specified user.

Example: -z

--policies-reset
This option can be used to reset the general password policies
stored for a domain to their default values.

Example: --policies-reset

-I|--domain
This option can be used while adding or modifying a user account. It
will specify the user's domain field.

Example: -I "MYDOMAIN"

--time-format
This option is currently not being used.

-h|--help
Print a summary of command line options.

-d|--debuglevel=level
level is an integer from 0 to 10. The default value if this
parameter is not specified is 0.

The higher this value, the more detail will be logged to the log
files about the activities of the server. At level 0, only critical
errors and serious warnings will be logged. Level 1 is a reasonable
level for day-to-day running - it generates a small amount of
information about operations carried out.

Levels above 1 will generate considerable amounts of log data, and
should only be used when investigating a problem. Levels above 3
are designed for use only by developers and generate HUGE amounts
of log data, most of which is extremely cryptic.

Note that specifying this parameter here will override the
log level parameter in the smb.conf file.

-V|--version
Prints the program version number.

-s|--configfile <configuration file>
The file specified contains the configuration details required by
the server. The information in this file includes server-specific
information such as what printcap file to use, as well as
descriptions of all the services that the server is to provide. See
smb.conf for more information. The default configuration file name
is determined at compile time.

-l|--log-basename=logdirectory
Base directory name for log/debug files. The extension ".progname"
will be appended (e.g. log.smbclient, log.smbd, etc.). The log
file is never removed by the client.

NOTES
This command may be used only by root.

VERSION
This man page is correct for version 3 of the Samba suite.

SEE ALSO
smbpasswd(5), samba(7)

AUTHOR
The original Samba software and related utilities were created by
Andrew Tridgell. Samba is now developed by the Samba Team as an Open
Source project similar to the way the Linux kernel is developed.

The pdbedit manpage was written by Simo Sorce and Jelmer Vernooij.

Samba 3.5 08/02/2011 PDBEDIT(8)