PDBEDIT(8) System Administration tools PDBEDIT(8)

NAME
    pdbedit - manage the SAM database (Database of Samba Users)

SYNOPSIS
    pdbedit [-a] [-b passdb-backend] [-c account-control] [-C value]
        [-d debuglevel] [-D drive] [-e passdb-backend] [-f fullname]
        [--force-initialized-passwords] [-g] [-h homedir] [-i passdb-backend]
        [-I domain] [-K] [-L] [-m] [-M SID|RID] [-N description]
        [-P account-policy] [-p profile] [--policies-reset] [-r]
        [-s configfile] [-S script] [--set-nt-hash] [-t] [--time-format]
        [-u username] [-U SID|RID] [-v] [-V] [-w] [-x] [-y] [-z] [-Z]

DESCRIPTION
    This tool is part of the samba(7) suite.

    The pdbedit program is used to manage the user accounts stored in the
    SAM database and can only be run by root.

    The pdbedit tool uses the passdb modular interface and is independent
    of the kind of user database used (currently there are smbpasswd,
    ldap, nis+ and tdb based backends, and more can be added without
    changing the tool).

    There are five main ways to use pdbedit: adding a user account,
    removing a user account, modifying a user account, listing user
    accounts, and importing user accounts.

OPTIONS
    -L|--list
        This option lists all the user accounts present in the users
        database. This option prints a list of user/uid pairs separated by
        the ':' character.

        Example: pdbedit -L

            sorce:500:Simo Sorce
            samba:45:Test User

    -v|--verbose
        This option enables the verbose listing format. It causes pdbedit
        to list the users in the database, printing out the account fields
        in a descriptive format. Used together with -w, it also shows
        password hashes.

        Example: pdbedit -L -v

            ---------------
            username: sorce
            user ID/Group: 500/500
            user RID/GRID: 2000/2001
            Full Name: Simo Sorce
            Home Directory: \\BERSERKER\sorce
            HomeDir Drive: H:
            Logon Script: \\BERSERKER\netlogon\sorce.bat
            Profile Path: \\BERSERKER\profile
            ---------------
            username: samba
            user ID/Group: 45/45
            user RID/GRID: 1090/1091
            Full Name: Test User
            Home Directory: \\BERSERKER\samba
            HomeDir Drive:
            Logon Script:
            Profile Path: \\BERSERKER\profile

    -w|--smbpasswd-style
        This option sets the "smbpasswd" listing format. It will make
        pdbedit list the users in the database, printing out the account
        fields in a format compatible with the smbpasswd file format (see
        smbpasswd(5) for details). When used together with -v, it instead
        displays the password hashes in verbose output.

        Example: pdbedit -L -w

            sorce:500:508818B733CE64BEAAD3B435B51404EE:
            D2A2418EFC466A8A0F6B1DBB5C3DB80C:
            [UX ]:LCT-00000000:
            samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:
            BC281CE3F53B6A5146629CD4751D3490:
            [UX ]:LCT-3BFA1E8D:

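The smbpasswd-style listing carries enough information to audit stored credentials offline. The following Python example is added here and is not part of the Samba distribution: it parses `pdbedit -L -w` records (one per line) and reports stored LM hashes, LM hashes that reveal a password of 7 characters or fewer, and the N and X account flags. The `guestn` record and the finding names are constructed for illustration; the other two records reuse the values shown above.

```python
import re

# LM hash of an empty 7-character half: a trailing copy means a short password.
LM_EMPTY_HALF = "AAD3B435B51404EE"
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
# user:uid:LM hash:NT hash:[flags]:LCT-<hex seconds since the epoch>:
RECORD = re.compile(r"^([^:]+):(\d+):([^:]*):([^:]*):"
                    r"\[([^\]]*)\]:LCT-([0-9A-Fa-f]{8}):")

# Constructed input: the two records shown above, joined onto one line each,
# plus a hypothetical account "guestn" with no LM hash and the N flag set.
SAMPLE = """\
sorce:500:508818B733CE64BEAAD3B435B51404EE:D2A2418EFC466A8A0F6B1DBB5C3DB80C:[UX         ]:LCT-00000000:
samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:BC281CE3F53B6A5146629CD4751D3490:[UX         ]:LCT-3BFA1E8D:
guestn:46:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:8846F7EAEE8FB117AD06BDD830B7586C:[NU         ]:LCT-5EA7F000:
"""

def parse_record(line):
    """Return the fields of one smbpasswd-style record, or None if malformed."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    user, uid, lm, nt, flags, lct = m.groups()
    return {"user": user, "uid": int(uid), "lm": lm.upper(), "nt": nt.upper(),
            "flags": set(flags.replace(" ", "")), "lct": int(lct, 16)}

def audit_record(rec):
    """List the weak-configuration findings for one parsed record."""
    findings = []
    if HEX32.match(rec["lm"]):
        findings.append("lm-hash-stored")
        if rec["lm"].endswith(LM_EMPTY_HALF):
            findings.append("password-7-chars-or-fewer")
    if "N" in rec["flags"]:
        findings.append("no-password-required")
    if "X" in rec["flags"]:
        findings.append("password-never-expires")
    if rec["lct"] == 0:
        findings.append("last-change-time-unset")
    return findings

def audit_listing(text):
    """Map each user that has findings to its list of findings."""
    records = filter(None, map(parse_record, text.splitlines()))
    audited = {r["user"]: audit_record(r) for r in records}
    return {user: found for user, found in audited.items() if found}

if __name__ == "__main__":
    print(audit_listing(SAMPLE))
```

Because the listing contains password hashes, feed it to the audit over a pipe rather than saving it to a file.
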
    -u|--user username
        This option specifies the username to be used for the operation
        requested (listing, adding, removing). It is required in add,
        remove and modify operations and optional in list operations.

    -f|--fullname fullname
        This option can be used while adding or modifying a user account.
        It will specify the user's full name.

        Example: -f "Simo Sorce"

    -h|--homedir homedir
        This option can be used while adding or modifying a user account.
        It will specify the user's home directory network path.

        Example: -h "\\\\BERSERKER\\sorce"

    -D|--drive drive
        This option can be used while adding or modifying a user account.
        It will specify the Windows drive letter to be used to map the home
        directory.

        Example: -D "H:"

    -S|--script script
        This option can be used while adding or modifying a user account.
        It will specify the user's logon script path.

        Example: -S "\\\\BERSERKER\\netlogon\\sorce.bat"

    --set-nt-hash
        This option can be used while modifying a user account. It will set
        the user's password using the nt-hash value given as a hexadecimal
        string. Useful to synchronize passwords.

        Example: --set-nt-hash 8846F7EAEE8FB117AD06BDD830B7586C

    -p|--profile profile
        This option can be used while adding or modifying a user account.
        It will specify the user's profile directory.

        Example: -p "\\\\BERSERKER\\netlogon"

    -M|'--machine SID' SID|rid
        This option can be used while adding or modifying a machine
        account. It will specify the machine's new primary group SID
        (Security Identifier) or rid.

        Example: -M S-1-5-21-2447931902-1787058256-3961074038-1201

    -U|'--user SID' SID|rid
        This option can be used while adding or modifying a user account.
        It will specify the user's new SID (Security Identifier) or rid.

        Example: -U S-1-5-21-2447931902-1787058256-3961074038-5004

        Example: '--user SID' S-1-5-21-2447931902-1787058256-3961074038-5004

        Example: -U 5004

        Example: '--user SID' 5004

    -c|--account-control account-control
        This option can be used while adding or modifying a user account.
        It will specify the user's account control property. Possible flags
        are listed below.

        · N: No password required
        · D: Account disabled
        · H: Home directory required
        · T: Temporary duplicate of other account
        · U: Regular user account
        · M: MNS logon user account
        · W: Workstation Trust Account
        · S: Server Trust Account
        · L: Automatic Locking
        · X: Password does not expire
        · I: Domain Trust Account

        Example: -c "[X ]"

    -K|--kickoff-time
        This option is used to modify the kickoff time for a certain user.
        Use "never" as argument to set the kickoff time to unlimited.

        Example: pdbedit -K never user

    -a|--create
        This option is used to add a user into the database. This command
        needs a user name specified with the -u switch. When adding a new
        user, pdbedit will also ask for the password to be used.

        Example: pdbedit -a -u sorce

            new password:
            retype new password

        Note
            pdbedit does not call the unix password synchronization script
            if unix password sync has been set. It only updates the data in
            the Samba user database.

            If you wish to add a user and synchronise the password
            immediately, use smbpasswd's -a option.

    -t|--password-from-stdin
        This option causes pdbedit to read the password from standard
        input, rather than from /dev/tty (like the passwd(1) program does).
        The password has to be submitted twice and terminated by a newline
        each time.

    -r|--modify
        This option is used to modify an existing user in the database.
        This command needs a user name specified with the -u switch. Other
        options can be specified to modify the properties of the specified
        user. This flag is kept for backwards compatibility, but it is no
        longer necessary to specify it.

    -m|--machine
        This option may only be used in conjunction with the -a option. It
        will make pdbedit add a machine trust account instead of a user
        account (-u username will provide the machine name).

        Example: pdbedit -a -m -u w2k-wks

    -x|--delete
        This option causes pdbedit to delete an account from the database.
        It needs a username specified with the -u switch.

        Example: pdbedit -x -u bob

    -i|--import passdb-backend
        Use a different passdb backend to retrieve users than the one
        specified in smb.conf. Can be used to import data into your local
        user database.

        This option will ease migration from one passdb backend to another.

        Example: pdbedit -i smbpasswd:/etc/smbpasswd.old

    -e|--export passdb-backend
        Exports all currently available users to the specified password
        database backend.

        This option will ease migration from one passdb backend to another
        and will ease backing up.

        Example: pdbedit -e smbpasswd:/root/samba-users.backup

    -g|--group
        If you specify -g, then -i in-backend -e out-backend applies to the
        group mapping instead of the user database.

        This option will ease migration from one passdb backend to another
        and will ease backing up.

    -b|--backend passdb-backend
        Use a different default passdb backend.

        Example: pdbedit -b xml:/root/pdb-backup.xml -L

    -P|--account-policy account-policy
        Display an account policy

        Valid policies are: minimum password age, reset count minutes,
        disconnect time, user must logon to change password, password
        history, lockout duration, min password length, maximum password
        age and bad lockout attempt.

        Example: pdbedit -P "bad lockout attempt"

            account policy value for bad lockout attempt is 0

    -C|--value account-policy-value
        Sets an account policy to a specified value. This option may only
        be used in conjunction with the -P option.

        Example: pdbedit -P "bad lockout attempt" -C 3

            account policy value for bad lockout attempt was 0
            account policy value for bad lockout attempt is now 3

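The -P output format shown above can be checked against a site baseline. The following Python example is added here and is not part of the Samba distribution: it parses captured `pdbedit -P` output and returns the `pdbedit -P ... -C ...` commands needed to bring weak values up to the baseline. The baseline numbers and the sample capture are assumptions of this example, not Samba defaults or recommendations from this page.

```python
import re
import shlex

# Matches both "... is 0" (from -P) and "... is now 3" (from -P with -C).
POLICY_LINE = re.compile(r"^account policy value for (.+?) (?:is now|is) (\d+)$")

# Hypothetical baseline: policy name -> (minimum acceptable value, value to set).
BASELINE = {
    "bad lockout attempt": (1, 3),
    "min password length": (12, 12),
    "password history": (5, 5),
}

# Constructed capture of `pdbedit -P "<policy>"` run once per policy.
SAMPLE = """\
account policy value for bad lockout attempt is 0
account policy value for min password length is 5
account policy value for password history is 8
"""

def parse_policies(text):
    """Return {policy name: current value} from captured pdbedit -P output."""
    values = {}
    for line in text.splitlines():
        m = POLICY_LINE.match(line.strip())
        if m:
            values[m.group(1)] = int(m.group(2))
    return values

def remediation(values, baseline=BASELINE):
    """Return pdbedit commands for captured policies below the baseline."""
    commands = []
    for name, (minimum, target) in baseline.items():
        current = values.get(name)
        # Policies absent from the capture were not checked, so skip them.
        if current is not None and current < minimum:
            commands.append("pdbedit -P %s -C %d" % (shlex.quote(name), target))
    return commands

if __name__ == "__main__":
    for command in remediation(parse_policies(SAMPLE)):
        print(command)
```
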
    -y|--policies
        If you specify -y, then -i in-backend -e out-backend applies to the
        account policies instead of the user database.

        This option will allow one to migrate account policies from their
        default tdb-store into a passdb backend, e.g. an LDAP directory
        server.

        Example: pdbedit -y -i tdbsam: -e ldapsam:ldap://my.ldap.host

    --force-initialized-passwords
        This option forces all users to change their password upon next
        login.

    -N|--account-desc description
        This option can be used while adding or modifying a user account.
        It will specify the user's description field.

        Example: -N "test description"

    -Z|--logon-hours-reset
        This option can be used while adding or modifying a user account.
        It will reset the user's allowed logon hours. A user may log in at
        any time afterwards.

        Example: -Z

    -z|--bad-password-count-reset
        This option can be used while adding or modifying a user account.
        It will reset the stored bad login counter for a specified user.

        Example: -z

    --policies-reset
        This option can be used to reset the general password policies
        stored for a domain to their default values.

        Example: --policies-reset

    -I|--domain
        This option can be used while adding or modifying a user account.
        It will specify the user's domain field.

        Example: -I "MYDOMAIN"

    --time-format
        This option is currently not being used.

    -?|--help
        Print a summary of command line options.

    --usage
        Display brief usage message.

    -d|--debuglevel=level
        level is an integer from 0 to 10. The default value if this
        parameter is not specified is 0.

        The higher this value, the more detail will be logged to the log
        files about the activities of the server. At level 0, only critical
        errors and serious warnings will be logged. Level 1 is a reasonable
        level for day-to-day running - it generates a small amount of
        information about operations carried out.

        Levels above 1 will generate considerable amounts of log data, and
        should only be used when investigating a problem. Levels above 3
        are designed for use only by developers and generate HUGE amounts
        of log data, most of which is extremely cryptic.

        Note that specifying this parameter here will override the log
        level parameter in the smb.conf file.

    -V|--version
        Prints the program version number.

    -s|--configfile=<configuration file>
        The file specified contains the configuration details required by
        the server. The information in this file includes server-specific
        information such as what printcap file to use, as well as
        descriptions of all the services that the server is to provide. See
        smb.conf for more information. The default configuration file name
        is determined at compile time.

    -l|--log-basename=logdirectory
        Base directory name for log/debug files. The extension ".progname"
        will be appended (e.g. log.smbclient, log.smbd, etc...). The log
        file is never removed by the client.

    --option=<name>=<value>
        Set the smb.conf(5) option "<name>" to value "<value>" from the
        command line. This overrides compiled-in defaults and options read
        from the configuration file.

NOTES
    This command may be used only by root.

VERSION
    This man page is part of version 4.12.2 of the Samba suite.

SEE ALSO
    smbpasswd(5), samba(7)

AUTHOR
    The original Samba software and related utilities were created by
    Andrew Tridgell. Samba is now developed by the Samba Team as an Open
    Source project similar to the way the Linux kernel is developed.

    The pdbedit manpage was written by Simo Sorce and Jelmer Vernooij.

Samba 4.12.2 04/28/2020 PDBEDIT(8)