1PDBEDIT(8) System Administration tools PDBEDIT(8)
2
6 pdbedit - manage the SAM database (Database of Samba Users)
7
9 pdbedit [-L|--list] [-v|--verbose] [-w|--smbpasswd-style]
10 [-u|--user=USER] [-N|--account-desc=STRING] [-f|--fullname=STRING]
11 [-h|--homedir=STRING] [-D|--drive=STRING] [-S|--script=STRING]
12 [-p|--profile=STRING] [-I|--domain=STRING] [-U|--user SID=STRING]
13 [-M|--machine SID=STRING] [-a|--create] [-r|--modify] [-m|--machine]
14 [-x|--delete] [-b|--backend=STRING] [-i|--import=STRING]
15 [-e|--export=STRING] [-g|--group] [-y|--policies] [--policies-reset]
16 [-P|--account-policy=STRING] [-C|--value=LONG]
17 [-c|--account-control=STRING] [--force-initialized-passwords]
18 [-z|--bad-password-count-reset] [-Z|--logon-hours-reset]
19 [--time-format=STRING] [-t|--password-from-stdin]
20 [-K|--kickoff-time=STRING] [--set-nt-hash=STRING] [-?|--help]
21 [--usage] [-d|--debuglevel=DEBUGLEVEL] [--debug-stdout]
22 [--configfile=CONFIGFILE] [--option=name=value]
23 [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full]
24
26 This tool is part of the samba(7) suite.
27 The pdbedit program is used to manage the users accounts stored in the
29 sam database and can only be run by root.
30 The pdbedit tool uses the passdb modular interface and is independent
32 from the kind of users database used (currently there are smbpasswd,
33 ldap, nis+ and tdb based and more can be added without changing the
34 tool).
35 There are five main ways to use pdbedit: adding a user account,
37 removing a user account, modifying a user account, listing user
38 accounts, importing users accounts.
39
41 -L|--list
42 This option lists all the user accounts present in the users
43 database. This option prints a list of user/uid pairs separated by
44 the ':' character.
45 Example: pdbedit -L
47 sorce:500:Simo Sorce
49 samba:45:Test User
50 -v|--verbose
52 This option enables the verbose listing format. It causes pdbedit
53 to list the users in the database, printing out the account fields
54 in a descriptive format. Used together with -w also shows passwords
55 hashes.
56 Example: pdbedit -L -v
58 ---------------
60 username: sorce
61 user ID/Group: 500/500
62 user RID/GRID: 2000/2001
63 Full Name: Simo Sorce
64 Home Directory: \\BERSERKER\sorce
65 HomeDir Drive: H:
66 Logon Script: \\BERSERKER\netlogon\sorce.bat
67 Profile Path: \\BERSERKER\profile
68 ---------------
69 username: samba
70 user ID/Group: 45/45
71 user RID/GRID: 1090/1091
72 Full Name: Test User
73 Home Directory: \\BERSERKER\samba
74 HomeDir Drive:
75 Logon Script:
76 Profile Path: \\BERSERKER\profile
77 -w|--smbpasswd-style
79 This option sets the "smbpasswd" listing format. It will make
80 pdbedit list the users in the database, printing out the account
81 fields in a format compatible with the smbpasswd file format. (see
82 the smbpasswd(5) for details). Instead used together with (-v)
83 displays the passwords hashes in verbose output.
84 Example: pdbedit -L -w
86 sorce:500:508818B733CE64BEAAD3B435B51404EE:
88 D2A2418EFC466A8A0F6B1DBB5C3DB80C:
89 [UX ]:LCT-00000000:
90 samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:
91 BC281CE3F53B6A5146629CD4751D3490:
92 [UX ]:LCT-3BFA1E8D:
93 -u|--user username
95 This option specifies the username to be used for the operation
96 requested (listing, adding, removing). It is required in add,
97 remove and modify operations and optional in list operations.
98 -f|--fullname fullname
100 This option can be used while adding or modifying a user account.
101 It will specify the user's full name.
102 Example: -f "Simo Sorce"
104 -h|--homedir homedir
106 This option can be used while adding or modifying a user account.
107 It will specify the user's home directory network path.
108 Example: -h "\\\\BERSERKER\\sorce"
110 -D|--drive drive
112 This option can be used while adding or modifying a user account.
113 It will specify the windows drive letter to be used to map the home
114 directory.
115 Example: -D "H:"
117 -S|--script script
119 This option can be used while adding or modifying a user account.
120 It will specify the user's logon script path.
121 Example: -S "\\\\BERSERKER\\netlogon\\sorce.bat"
123 --set-nt-hash
125 This option can be used while modifying a user account. It will set
126 the user's password using the nt-hash value given as hexadecimal
127 string. Useful to synchronize passwords.
128 Example: --set-nt-hash 8846F7EAEE8FB117AD06BDD830B7586C
130 -p|--profile profile
132 This option can be used while adding or modifying a user account.
133 It will specify the user's profile directory.
134 Example: -p "\\\\BERSERKER\\netlogon"
136 -M|'--machine SID' SID|rid
138 This option can be used while adding or modifying a machine
139 account. It will specify the machines' new primary group SID
140 (Security Identifier) or rid.
141 Example: -M S-1-5-21-2447931902-1787058256-3961074038-1201
143 -U|'--user SID' SID|rid
145 This option can be used while adding or modifying a user account.
146 It will specify the users' new SID (Security Identifier) or rid.
147 Example: -U S-1-5-21-2447931902-1787058256-3961074038-5004
149 Example: '--user SID'
151 S-1-5-21-2447931902-1787058256-3961074038-5004
152 Example: -U 5004
154 Example: '--user SID' 5004
156 -c|--account-control account-control
158 This option can be used while adding or modifying a user account.
159 It will specify the users' account control property. Possible flags
160 are listed below.
161 • N: No password required
164 • D: Account disabled
166 • H: Home directory required
168 • T: Temporary duplicate of other account
170 • U: Regular user account
172 • M: MNS logon user account
174 • W: Workstation Trust Account
176 • S: Server Trust Account
178 • L: Automatic Locking
180 • X: Password does not expire
182 • I: Domain Trust Account
184 Example: -c "[X ]"
187 -K|--kickoff-time
189 This option is used to modify the kickoff time for a certain user.
190 Use "never" as argument to set the kickoff time to unlimited.
191 Example: pdbedit -K never user
193 -a|--create
195 This option is used to add a user into the database. This command
196 needs a user name specified with the -u switch. When adding a new
197 user, pdbedit will also ask for the password to be used.
198 Example: pdbedit -a -u sorce
200 new password:
202 retype new password
203 Note
206 pdbedit does not call the unix password synchronization script
207 if unix password sync has been set. It only updates the data in
208 the Samba user database.
209 If you wish to add a user and synchronise the password that
211 immediately, use smbpasswd's -a option.
212 -t|--password-from-stdin
214 This option causes pdbedit to read the password from standard
215 input, rather than from /dev/tty (like the passwd(1) program does).
216 The password has to be submitted twice and terminated by a newline
217 each.
218 -r|--modify
220 This option is used to modify an existing user in the database.
221 This command needs a user name specified with the -u switch. Other
222 options can be specified to modify the properties of the specified
223 user. This flag is kept for backwards compatibility, but it is no
224 longer necessary to specify it.
225 -m|--machine
227 This option may only be used in conjunction with the -a option. It
228 will make pdbedit to add a machine trust account instead of a user
229 account (-u username will provide the machine name).
230 Example: pdbedit -a -m -u w2k-wks
232 -x|--delete
234 This option causes pdbedit to delete an account from the database.
235 It needs a username specified with the -u switch.
236 Example: pdbedit -x -u bob
238 -i|--import passdb-backend
240 Use a different passdb backend to retrieve users than the one
241 specified in smb.conf. Can be used to import data into your local
242 user database.
243 This option will ease migration from one passdb backend to another.
245 Example: pdbedit -i smbpasswd:/etc/smbpasswd.old
247 -e|--export passdb-backend
249 Exports all currently available users to the specified password
250 database backend.
251 This option will ease migration from one passdb backend to another
253 and will ease backing up.
254 Example: pdbedit -e smbpasswd:/root/samba-users.backup
256 -g|--group
258 If you specify -g, then -i in-backend -e out-backend applies to the
259 group mapping instead of the user database.
260 This option will ease migration from one passdb backend to another
262 and will ease backing up.
263 -b|--backend passdb-backend
265 Use a different default passdb backend.
266 Example: pdbedit -b xml:/root/pdb-backup.xml -l
268 -P|--account-policy account-policy
270 Display an account policy
271 Valid policies are: minimum password age, reset count minutes,
273 disconnect time, user must logon to change password, password
274 history, lockout duration, min password length, maximum password
275 age and bad lockout attempt.
276 Example: pdbedit -P "bad lockout attempt"
278 account policy value for bad lockout attempt is 0
280 -C|--value account-policy-value
282 Sets an account policy to a specified value. This option may only
283 be used in conjunction with the -P option.
284 Example: pdbedit -P "bad lockout attempt" -C 3
286 account policy value for bad lockout attempt was 0
288 account policy value for bad lockout attempt is now 3
289 -y|--policies
291 If you specify -y, then -i in-backend -e out-backend applies to the
292 account policies instead of the user database.
293 This option will allow one to migrate account policies from their
295 default tdb-store into a passdb backend, e.g. an LDAP directory
296 server.
297 Example: pdbedit -y -i tdbsam: -e ldapsam:ldap://my.ldap.host
299 --force-initialized-passwords
301 This option forces all users to change their password upon next
302 login.
303 -N|--account-desc description
305 This option can be used while adding or modifying a user account.
306 It will specify the user's description field.
307 Example: -N "test description"
309 -Z|--logon-hours-reset
311 This option can be used while adding or modifying a user account.
312 It will reset the user's allowed logon hours. A user may login at
313 any time afterwards.
314 Example: -Z
316 -z|--bad-password-count-reset
318 This option can be used while adding or modifying a user account.
319 It will reset the stored bad login counter from a specified user.
320 Example: -z
322 --policies-reset
324 This option can be used to reset the general password policies
325 stored for a domain to their default values.
326 Example: --policies-reset
328 -I|--domain
330 This option can be used while adding or modifying a user account.
331 It will specify the user's domain field.
332 Example: -I "MYDOMAIN"
334 --time-format
336 This option is currently not being used.
337 -?|--help
339 Print a summary of command line options.
340 --usage
342 Display brief usage message.
343 -d|--debuglevel=DEBUGLEVEL
345 level is an integer from 0 to 10. The default value if this
346 parameter is not specified is 1 for client applications.
347 The higher this value, the more detail will be logged to the log
349 files about the activities of the server. At level 0, only critical
350 errors and serious warnings will be logged. Level 1 is a reasonable
351 level for day-to-day running - it generates a small amount of
352 information about operations carried out.
353 Levels above 1 will generate considerable amounts of log data, and
355 should only be used when investigating a problem. Levels above 3
356 are designed for use only by developers and generate HUGE amounts
357 of log data, most of which is extremely cryptic.
358 Note that specifying this parameter here will override the log
360 level parameter in the smb.conf file.
361 --debug-stdout
363 This will redirect debug output to STDOUT. By default all clients
364 are logging to STDERR.
365 --configfile=<configuration file>
367 The file specified contains the configuration details required by
368 the client. The information in this file can be general for client
369 and server or only provide client specific like options such as
370 client smb encrypt. See smb.conf for more information. The default
371 configuration file name is determined at compile time.
372 --option=<name>=<value>
374 Set the smb.conf(5) option "<name>" to value "<value>" from the
375 command line. This overrides compiled-in defaults and options read
376 from the configuration file. If a name or a value includes a space,
377 wrap whole --option=name=value into quotes.
378 -l|--log-basename=logdirectory
380 Base directory name for log/debug files. The extension ".progname"
381 will be appended (e.g. log.smbclient, log.smbd, etc...). The log
382 file is never removed by the client.
383 --leak-report
385 Enable talloc leak reporting on exit.
386 --leak-report-full
388 Enable full talloc leak reporting on exit.
389 -V|--version
391 Prints the program version number.
392
394 This command may be used only by root.
395
397 This man page is part of version 4.15.2 of the Samba suite.
398
400 smbpasswd(5), samba(7)
401
403 The original Samba software and related utilities were created by
404 Andrew Tridgell. Samba is now developed by the Samba Team as an Open
405 Source project similar to the way the Linux kernel is developed.
406 The pdbedit manpage was written by Simo Sorce and Jelmer Vernooij.
408Samba 4.15.2 11/13/2021 PDBEDIT(8)