PDBEDIT(8)                System Administration tools               PDBEDIT(8)

NAME

       pdbedit - manage the SAM database (Database of Samba Users)

SYNOPSIS

       pdbedit [-a] [-b passdb-backend] [-c account-control] [-C value]
        [-d debuglevel] [-D drive] [-e passdb-backend] [-f fullname]
        [--force-initialized-passwords] [-g] [-h homedir] [-i passdb-backend]
        [-I domain] [-K] [-L] [-m] [-M SID|RID] [-N description]
        [-P account-policy] [-p profile] [--policies-reset] [-r]
        [-s configfile] [-S script] [--set-nt-hash] [-t] [--time-format]
        [-u username] [-U SID|RID] [-v] [-V] [-w] [-x] [-y] [-z] [-Z]

DESCRIPTION

       This tool is part of the samba(7) suite.

       The pdbedit program is used to manage the user accounts stored in the
       SAM database and can only be run by root.

       The pdbedit tool uses the passdb modular interface and is independent
       of the kind of user database used (currently there are smbpasswd,
       ldap, nis+ and tdb based backends, and more can be added without
       changing the tool).

       There are five main ways to use pdbedit: adding a user account,
       removing a user account, modifying a user account, listing user
       accounts, and importing user accounts.

OPTIONS

       -L|--list
           This option lists all the user accounts present in the user
           database. This option prints a list of user/uid pairs separated by
           the ':' character.

           Example: pdbedit -L

               sorce:500:Simo Sorce
               samba:45:Test User

       -v|--verbose
           This option enables the verbose listing format. It causes pdbedit
           to list the users in the database, printing out the account fields
           in a descriptive format. When used together with -w, it also shows
           password hashes.

           Example: pdbedit -L -v

               ---------------
               username:       sorce
               user ID/Group:  500/500
               user RID/GRID:  2000/2001
               Full Name:      Simo Sorce
               Home Directory: \\BERSERKER\sorce
               HomeDir Drive:  H:
               Logon Script:   \\BERSERKER\netlogon\sorce.bat
               Profile Path:   \\BERSERKER\profile
               ---------------
               username:       samba
               user ID/Group:  45/45
               user RID/GRID:  1090/1091
               Full Name:      Test User
               Home Directory: \\BERSERKER\samba
               HomeDir Drive:
               Logon Script:
               Profile Path:   \\BERSERKER\profile

       -w|--smbpasswd-style
           This option sets the "smbpasswd" listing format. It will make
           pdbedit list the users in the database, printing out the account
           fields in a format compatible with the smbpasswd file format (see
           smbpasswd(5) for details). When used together with -v, it instead
           displays the password hashes in verbose output.

           Example: pdbedit -L -w

               sorce:500:508818B733CE64BEAAD3B435B51404EE:
                         D2A2418EFC466A8A0F6B1DBB5C3DB80C:
                         [UX         ]:LCT-00000000:
               samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:
                         BC281CE3F53B6A5146629CD4751D3490:
                         [UX         ]:LCT-3BFA1E8D:

       -u|--user username
           This option specifies the username to be used for the operation
           requested (listing, adding, removing). It is required in add,
           remove and modify operations and optional in list operations.

       -f|--fullname fullname
           This option can be used while adding or modifying a user account.
           It will specify the user's full name.

           Example: -f "Simo Sorce"

       -h|--homedir homedir
           This option can be used while adding or modifying a user account.
           It will specify the user's home directory network path.

           Example: -h "\\\\BERSERKER\\sorce"

       -D|--drive drive
           This option can be used while adding or modifying a user account.
           It will specify the Windows drive letter to be used to map the home
           directory.

           Example: -D "H:"

       -S|--script script
           This option can be used while adding or modifying a user account.
           It will specify the user's logon script path.

           Example: -S "\\\\BERSERKER\\netlogon\\sorce.bat"

       --set-nt-hash
           This option can be used while modifying a user account. It will set
           the user's password using the nt-hash value given as a hexadecimal
           string. Useful to synchronize passwords.

           Example: --set-nt-hash 8846F7EAEE8FB117AD06BDD830B7586C

       -p|--profile profile
           This option can be used while adding or modifying a user account.
           It will specify the user's profile directory.

           Example: -p "\\\\BERSERKER\\netlogon"

       -M|'--machine SID' SID|rid
           This option can be used while adding or modifying a machine
           account. It will specify the machine's new primary group SID
           (Security Identifier) or rid.

           Example: -M S-1-5-21-2447931902-1787058256-3961074038-1201

       -U|'--user SID' SID|rid
           This option can be used while adding or modifying a user account.
           It will specify the user's new SID (Security Identifier) or rid.

           Example: -U S-1-5-21-2447931902-1787058256-3961074038-5004

           Example: '--user SID'
           S-1-5-21-2447931902-1787058256-3961074038-5004

           Example: -U 5004

           Example: '--user SID' 5004

       -c|--account-control account-control
           This option can be used while adding or modifying a user account.
           It will specify the user's account control property. Possible flags
           are listed below.

                  ·   N: No password required

                  ·   D: Account disabled

                  ·   H: Home directory required

                  ·   T: Temporary duplicate of other account

                  ·   U: Regular user account

                  ·   M: MNS logon user account

                  ·   W: Workstation Trust Account

                  ·   S: Server Trust Account

                  ·   L: Automatic Locking

                  ·   X: Password does not expire

                  ·   I: Domain Trust Account

           Example: -c "[X ]"
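
           The smbpasswd-style listing (-w) and the account-control flags (-c)
           described above can be reviewed together. The following Python
           script is an added example, not part of the Samba documentation or
           code: it re-joins the wrapped records shown in the -w example,
           parses them and reports accounts with a stored LM hash, the N or X
           flag, or a zero last-change time. The "guest" record, the function
           names and the choice of findings are assumptions of this example.

```python
import re

HEX32 = re.compile(r"[0-9A-Fa-f]{32}")

# First record is the page's own -w sample, wrapped as printed there.
# The "guest" record is constructed for illustration.
SAMPLE = (
    "sorce:500:508818B733CE64BEAAD3B435B51404EE:\n"
    "          D2A2418EFC466A8A0F6B1DBB5C3DB80C:\n"
    "          [UX         ]:LCT-00000000:\n"
    "guest:65534:" + "X" * 32 + ":" + "X" * 32 + ":[NU         ]:LCT-5EA7F000:\n"
)

def join_wrapped(text):
    """Re-join records that were wrapped onto indented continuation lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and records:
            records[-1] += line.strip()
        else:
            records.append(line.strip())
    return records

def parse_record(record):
    """Split 'user:uid:LM:NT:[flags]:LCT-hex:' into a dict."""
    parts = record.split(":")
    if len(parts) < 6 or not parts[5].startswith("LCT-"):
        raise ValueError("not an smbpasswd-style record: %r" % record)
    user, uid, lm, nt, flags, lct = parts[:6]
    return {"user": user, "uid": int(uid), "lm": lm, "nt": nt,
            "flags": set(flags.strip("[] ")), "lct": int(lct[4:], 16)}

def audit(text):
    """Return {user: [findings]} for `pdbedit -L -w` style output."""
    report = {}
    for rec in map(parse_record, join_wrapped(text)):
        checks = [
            (HEX32.fullmatch(rec["lm"]), "LM hash stored"),
            ("N" in rec["flags"], "no password required"),
            ("X" in rec["flags"], "password does not expire"),
            (rec["lct"] == 0, "last change time is zero"),
        ]
        report[rec["user"]] = [msg for hit, msg in checks if hit]
    return report

if __name__ == "__main__":
    for user, findings in audit(SAMPLE).items():
        print(user, "->", ", ".join(findings) or "ok")
```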

       -K|--kickoff-time
           This option is used to modify the kickoff time for a certain user.
           Use "never" as argument to set the kickoff time to unlimited.

           Example: pdbedit -K never user

       -a|--create
           This option is used to add a user into the database. This command
           needs a user name specified with the -u switch. When adding a new
           user, pdbedit will also ask for the password to be used.

           Example: pdbedit -a -u sorce

               new password:
               retype new password

               Note
               pdbedit does not call the unix password synchronization script
               if unix password sync has been set. It only updates the data in
               the Samba user database.

               If you wish to add a user and synchronise the password
               immediately, use smbpasswd's -a option.

       -t|--password-from-stdin
           This option causes pdbedit to read the password from standard
           input, rather than from /dev/tty (like the passwd(1) program does).
           The password has to be submitted twice, each time terminated by a
           newline.

       -r|--modify
           This option is used to modify an existing user in the database.
           This command needs a user name specified with the -u switch. Other
           options can be specified to modify the properties of the specified
           user. This flag is kept for backwards compatibility, but it is no
           longer necessary to specify it.

       -m|--machine
           This option may only be used in conjunction with the -a option. It
           will make pdbedit add a machine trust account instead of a user
           account (-u username will provide the machine name).

           Example: pdbedit -a -m -u w2k-wks

       -x|--delete
           This option causes pdbedit to delete an account from the database.
           It needs a username specified with the -u switch.

           Example: pdbedit -x -u bob

       -i|--import passdb-backend
           Use a different passdb backend to retrieve users than the one
           specified in smb.conf. Can be used to import data into your local
           user database.

           This option will ease migration from one passdb backend to another.

           Example: pdbedit -i smbpasswd:/etc/smbpasswd.old

       -e|--export passdb-backend
           Exports all currently available users to the specified password
           database backend.

           This option will ease migration from one passdb backend to another
           and will ease backing up.

           Example: pdbedit -e smbpasswd:/root/samba-users.backup

       -g|--group
           If you specify -g, then -i in-backend -e out-backend applies to the
           group mapping instead of the user database.

           This option will ease migration from one passdb backend to another
           and will ease backing up.

       -b|--backend passdb-backend
           Use a different default passdb backend.

           Example: pdbedit -b xml:/root/pdb-backup.xml -L

       -P|--account-policy account-policy
           Display an account policy.

           Valid policies are: minimum password age, reset count minutes,
           disconnect time, user must logon to change password, password
           history, lockout duration, min password length, maximum password
           age and bad lockout attempt.

           Example: pdbedit -P "bad lockout attempt"

               account policy value for bad lockout attempt is 0

       -C|--value account-policy-value
           Sets an account policy to a specified value. This option may only
           be used in conjunction with the -P option.

           Example: pdbedit -P "bad lockout attempt" -C 3

               account policy value for bad lockout attempt was 0
               account policy value for bad lockout attempt is now 3

       -y|--policies
           If you specify -y, then -i in-backend -e out-backend applies to the
           account policies instead of the user database.

           This option will allow one to migrate account policies from their
           default tdb-store into a passdb backend, e.g. an LDAP directory
           server.

           Example: pdbedit -y -i tdbsam: -e ldapsam:ldap://my.ldap.host

       --force-initialized-passwords
           This option forces all users to change their password upon next
           login.

       -N|--account-desc description
           This option can be used while adding or modifying a user account.
           It will specify the user's description field.

           Example: -N "test description"

       -Z|--logon-hours-reset
           This option can be used while adding or modifying a user account.
           It will reset the user's allowed logon hours. A user may log in at
           any time afterwards.

           Example: -Z

       -z|--bad-password-count-reset
           This option can be used while adding or modifying a user account.
           It will reset the stored bad login counter for the specified user.

           Example: -z

       --policies-reset
           This option can be used to reset the general password policies
           stored for a domain to their default values.

           Example: --policies-reset

       -I|--domain
           This option can be used while adding or modifying a user account.
           It will specify the user's domain field.

           Example: -I "MYDOMAIN"

       --time-format
           This option is currently not being used.

       -?|--help
           Print a summary of command line options.

       --usage
           Display brief usage message.

       -d|--debuglevel=level
           level is an integer from 0 to 10. The default value if this
           parameter is not specified is 0.

           The higher this value, the more detail will be logged to the log
           files about the activities of the server. At level 0, only critical
           errors and serious warnings will be logged. Level 1 is a reasonable
           level for day-to-day running - it generates a small amount of
           information about operations carried out.

           Levels above 1 will generate considerable amounts of log data, and
           should only be used when investigating a problem. Levels above 3
           are designed for use only by developers and generate HUGE amounts
           of log data, most of which is extremely cryptic.

           Note that specifying this parameter here will override the log
           level parameter in the smb.conf file.

       -V|--version
           Prints the program version number.

       -s|--configfile=<configuration file>
           The file specified contains the configuration details required by
           the server. The information in this file includes server-specific
           information such as what printcap file to use, as well as
           descriptions of all the services that the server is to provide. See
           smb.conf for more information. The default configuration file name
           is determined at compile time.

       -l|--log-basename=logdirectory
           Base directory name for log/debug files. The extension ".progname"
           will be appended (e.g. log.smbclient, log.smbd, etc...). The log
           file is never removed by the client.

       --option=<name>=<value>
           Set the smb.conf(5) option "<name>" to value "<value>" from the
           command line. This overrides compiled-in defaults and options read
           from the configuration file.

NOTES

       This command may be used only by root.

VERSION

       This man page is part of version 4.12.2 of the Samba suite.

SEE ALSO

       smbpasswd(5), samba(7)

AUTHOR

       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

       The pdbedit manpage was written by Simo Sorce and Jelmer Vernooij.

Samba 4.12.2                      04/28/2020                        PDBEDIT(8)