PDBEDIT(8)                System Administration tools               PDBEDIT(8)

NAME

       pdbedit - manage the SAM database (Database of Samba Users)

SYNOPSIS

       pdbedit [-L|--list] [-v|--verbose] [-w|--smbpasswd-style]
        [-u|--user=USER] [-N|--account-desc=STRING] [-f|--fullname=STRING]
        [-h|--homedir=STRING] [-D|--drive=STRING] [-S|--script=STRING]
        [-p|--profile=STRING] [-I|--domain=STRING] [-U|--user SID=STRING]
        [-M|--machine SID=STRING] [-a|--create] [-r|--modify] [-m|--machine]
        [-x|--delete] [-b|--backend=STRING] [-i|--import=STRING]
        [-e|--export=STRING] [-g|--group] [-y|--policies] [--policies-reset]
        [-P|--account-policy=STRING] [-C|--value=LONG]
        [-c|--account-control=STRING] [--force-initialized-passwords]
        [-z|--bad-password-count-reset] [-Z|--logon-hours-reset]
        [--time-format=STRING] [-t|--password-from-stdin]
        [-K|--kickoff-time=STRING] [--set-nt-hash=STRING] [-?|--help]
        [--usage] [-d|--debuglevel=DEBUGLEVEL] [--debug-stdout]
        [--configfile=CONFIGFILE] [--option=name=value]
        [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full]

DESCRIPTION

       This tool is part of the samba(7) suite.

       The pdbedit program is used to manage the user accounts stored in the
       sam database and can only be run by root.

       The pdbedit tool uses the passdb modular interface and is independent
       of the kind of user database used (currently there are smbpasswd,
       ldap, nis+ and tdb based backends, and more can be added without
       changing the tool).

       There are five main ways to use pdbedit: adding a user account,
       removing a user account, modifying a user account, listing user
       accounts, and importing user accounts.

OPTIONS

       -L|--list
           This option lists all the user accounts present in the user
           database. It prints a list of user/uid pairs separated by
           the ':' character.

           Example: pdbedit -L

               sorce:500:Simo Sorce
               samba:45:Test User

       -v|--verbose
           This option enables the verbose listing format. It causes pdbedit
           to list the users in the database, printing out the account fields
           in a descriptive format. When used together with -w, it also shows
           the password hashes.

           Example: pdbedit -L -v

               ---------------
               username:       sorce
               user ID/Group:  500/500
               user RID/GRID:  2000/2001
               Full Name:      Simo Sorce
               Home Directory: \\BERSERKER\sorce
               HomeDir Drive:  H:
               Logon Script:   \\BERSERKER\netlogon\sorce.bat
               Profile Path:   \\BERSERKER\profile
               ---------------
               username:       samba
               user ID/Group:  45/45
               user RID/GRID:  1090/1091
               Full Name:      Test User
               Home Directory: \\BERSERKER\samba
               HomeDir Drive:
               Logon Script:
               Profile Path:   \\BERSERKER\profile

       -w|--smbpasswd-style
           This option sets the "smbpasswd" listing format. It will make
           pdbedit list the users in the database, printing out the account
           fields in a format compatible with the smbpasswd file format (see
           smbpasswd(5) for details). When used together with -v, it instead
           displays the password hashes in the verbose output.

           Example: pdbedit -L -w

               sorce:500:508818B733CE64BEAAD3B435B51404EE:
                         D2A2418EFC466A8A0F6B1DBB5C3DB80C:
                         [UX         ]:LCT-00000000:
               samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:
                         BC281CE3F53B6A5146629CD4751D3490:
                         [UX         ]:LCT-3BFA1E8D:

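           The listing produced by -L -w can be checked mechanically. The
           script below is an added example, not part of the Samba
           distribution: it reads smbpasswd-style records and reports
           accounts whose fields deserve review. It assumes one record per
           line as described in smbpasswd(5); the function names and the
           sample records are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the Samba project): audit smbpasswd-style records,
# as listed by "pdbedit -L -w", for settings worth a second look.
# Assumption: one record per line, ':'-separated as described in smbpasswd(5):
#   username:uid:LM hash:NT hash:[account flags]:LCT-<hex time>:

audit_smbpasswd() {
    awk -F: '
    NF < 6 || $1 ~ /^#/ { next }            # skip malformed lines and comments
    {
        user = $1; lm = $3; flags = $5; lct = $6
        gsub(/\[|\]| /, "", flags)          # "[UX         ]" -> "UX"
        if (flags ~ /N/)
            print user ": N flag set (no password required)"
        if (flags ~ /X/)
            print user ": X flag set (password does not expire)"
        # A 32-digit hex value means an LM hash is stored for the account;
        # placeholder fields ("XXXX...", "NO PASSWORD...") are not hex.
        if (length(lm) == 32 && lm ~ /^[0-9A-Fa-f]+$/)
            print user ": LM hash stored"
        if (lct == "LCT-00000000")
            print user ": last change time (LCT) is zero"
    }'
}

# Constructed sample records; the hash fields are filler values.
sample_records() {
    cat <<'EOF'
alice:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[UX         ]:LCT-00000000:
bob:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:00112233445566778899AABBCCDDEEFF:[U          ]:LCT-63D2A1F0:
guest:1003:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-63D2A1F0:
EOF
}

# Real use, as root:  pdbedit -L -w | audit_smbpasswd
sample_records | audit_smbpasswd
```
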
       -u|--user username
           This option specifies the username to be used for the operation
           requested (listing, adding, removing). It is required in add,
           remove and modify operations and optional in list operations.

       -f|--fullname fullname
           This option can be used while adding or modifying a user account.
           It will specify the user's full name.

           Example: -f "Simo Sorce"

       -h|--homedir homedir
           This option can be used while adding or modifying a user account.
           It will specify the user's home directory network path.

           Example: -h "\\\\BERSERKER\\sorce"

       -D|--drive drive
           This option can be used while adding or modifying a user account.
           It will specify the Windows drive letter to be used to map the home
           directory.

           Example: -D "H:"

       -S|--script script
           This option can be used while adding or modifying a user account.
           It will specify the user's logon script path.

           Example: -S "\\\\BERSERKER\\netlogon\\sorce.bat"

       --set-nt-hash
           This option can be used while modifying a user account. It will set
           the user's password using the nt-hash value given as a hexadecimal
           string. Useful to synchronize passwords.

           Example: --set-nt-hash 8846F7EAEE8FB117AD06BDD830B7586C

       -p|--profile profile
           This option can be used while adding or modifying a user account.
           It will specify the user's profile directory.

           Example: -p "\\\\BERSERKER\\netlogon"

       -M|'--machine SID' SID|rid
           This option can be used while adding or modifying a machine
           account. It will specify the machine's new primary group SID
           (Security Identifier) or rid.

           Example: -M S-1-5-21-2447931902-1787058256-3961074038-1201

       -U|'--user SID' SID|rid
           This option can be used while adding or modifying a user account.
           It will specify the user's new SID (Security Identifier) or rid.

           Example: -U S-1-5-21-2447931902-1787058256-3961074038-5004

           Example: '--user SID'
           S-1-5-21-2447931902-1787058256-3961074038-5004

           Example: -U 5004

           Example: '--user SID' 5004

       -c|--account-control account-control
           This option can be used while adding or modifying a user account.
           It will specify the user's account control property. Possible flags
           are listed below.

                  •   N: No password required

                  •   D: Account disabled

                  •   H: Home directory required

                  •   T: Temporary duplicate of other account

                  •   U: Regular user account

                  •   M: MNS logon user account

                  •   W: Workstation Trust Account

                  •   S: Server Trust Account

                  •   L: Automatic Locking

                  •   X: Password does not expire

                  •   I: Domain Trust Account

           Example: -c "[X ]"

       -K|--kickoff-time
           This option is used to modify the kickoff time for a certain user.
           Use "never" as argument to set the kickoff time to unlimited.

           Example: pdbedit -K never user

       -a|--create
           This option is used to add a user into the database. This command
           needs a user name specified with the -u switch. When adding a new
           user, pdbedit will also ask for the password to be used.

           Example: pdbedit -a -u sorce

               new password:
               retype new password

               Note
               pdbedit does not call the unix password synchronization script
               if unix password sync has been set. It only updates the data in
               the Samba user database.

               If you wish to add a user and synchronise the password
               immediately, use smbpasswd's -a option.

       -t|--password-from-stdin
           This option causes pdbedit to read the password from standard
           input, rather than from /dev/tty (like the passwd(1) program does).
           The password has to be submitted twice and terminated by a newline
           each.

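           The input format -t expects, as an added example that is not part
           of the Samba distribution: a helper that creates an account with
           -a -t and submits the password twice on standard input. The
           function name, the PDBEDIT override and the one-line password
           file are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the Samba project): add an account with
# "pdbedit -a -t", feeding the password on standard input.
# Assumptions: the function name, the PDBEDIT override and the one-line
# password file are illustrative conventions, not part of Samba.

PDBEDIT=${PDBEDIT:-pdbedit}

# pdb_add_user USER PWFILE
pdb_add_user() {
    user=$1
    pwfile=$2
    if [ -z "$user" ] || [ ! -r "$pwfile" ]; then
        echo "usage: pdb_add_user USER PWFILE" >&2
        return 2
    fi
    # Under -t a newline ends the password entry, so a password cannot
    # contain one. Refuse a file with more than one line rather than
    # silently using only the first.
    if [ "$(awk 'END { print NR }' "$pwfile")" -gt 1 ]; then
        echo "pdb_add_user: $pwfile must hold exactly one line" >&2
        return 3
    fi
    pw=
    IFS= read -r pw < "$pwfile" || true   # tolerate a missing final newline
    if [ -z "$pw" ]; then
        echo "pdb_add_user: empty password" >&2
        return 4
    fi
    # Submit the password twice, each copy terminated by a newline.
    # printf is a builtin in bash and dash, so the secret is not passed
    # in any process argument list.
    printf '%s\n%s\n' "$pw" "$pw" | "$PDBEDIT" -a -t -u "$user"
}

# Real use, as root:  pdb_add_user sorce /root/sorce.pw
```
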
       -r|--modify
           This option is used to modify an existing user in the database.
           This command needs a user name specified with the -u switch. Other
           options can be specified to modify the properties of the specified
           user. This flag is kept for backwards compatibility, but it is no
           longer necessary to specify it.

       -m|--machine
           This option may only be used in conjunction with the -a option. It
           will make pdbedit add a machine trust account instead of a user
           account (-u username will provide the machine name).

           Example: pdbedit -a -m -u w2k-wks

       -x|--delete
           This option causes pdbedit to delete an account from the database.
           It needs a username specified with the -u switch.

           Example: pdbedit -x -u bob

       -i|--import passdb-backend
           Use a different passdb backend to retrieve users than the one
           specified in smb.conf. Can be used to import data into your local
           user database.

           This option will ease migration from one passdb backend to another.

           Example: pdbedit -i smbpasswd:/etc/smbpasswd.old

       -e|--export passdb-backend
           Exports all currently available users to the specified password
           database backend.

           This option will ease migration from one passdb backend to another
           and will ease backing up.

           Example: pdbedit -e smbpasswd:/root/samba-users.backup

       -g|--group
           If you specify -g, then -i in-backend -e out-backend applies to the
           group mapping instead of the user database.

           This option will ease migration from one passdb backend to another
           and will ease backing up.

       -b|--backend passdb-backend
           Use a different default passdb backend.

           Example: pdbedit -b xml:/root/pdb-backup.xml -L

       -P|--account-policy account-policy
           Display an account policy.

           Valid policies are: minimum password age, reset count minutes,
           disconnect time, user must logon to change password, password
           history, lockout duration, min password length, maximum password
           age and bad lockout attempt.

           Example: pdbedit -P "bad lockout attempt"

               account policy value for bad lockout attempt is 0

       -C|--value account-policy-value
           Sets an account policy to a specified value. This option may only
           be used in conjunction with the -P option.

           Example: pdbedit -P "bad lockout attempt" -C 3

               account policy value for bad lockout attempt was 0
               account policy value for bad lockout attempt is now 3

       -y|--policies
           If you specify -y, then -i in-backend -e out-backend applies to the
           account policies instead of the user database.

           This option will allow one to migrate account policies from their
           default tdb-store into a passdb backend, e.g. an LDAP directory
           server.

           Example: pdbedit -y -i tdbsam: -e ldapsam:ldap://my.ldap.host

       --force-initialized-passwords
           This option forces all users to change their password upon next
           login.

       -N|--account-desc description
           This option can be used while adding or modifying a user account.
           It will specify the user's description field.

           Example: -N "test description"

       -Z|--logon-hours-reset
           This option can be used while adding or modifying a user account.
           It will reset the user's allowed logon hours. A user may login at
           any time afterwards.

           Example: -Z

       -z|--bad-password-count-reset
           This option can be used while adding or modifying a user account.
           It will reset the stored bad login counter for the specified user.

           Example: -z

       --policies-reset
           This option can be used to reset the general password policies
           stored for a domain to their default values.

           Example: --policies-reset

       -I|--domain
           This option can be used while adding or modifying a user account.
           It will specify the user's domain field.

           Example: -I "MYDOMAIN"

       --time-format
           This option is currently not being used.

       -?|--help
           Print a summary of command line options.

       --usage
           Display brief usage message.

       -d|--debuglevel=DEBUGLEVEL
           DEBUGLEVEL is an integer from 0 to 10. The default value if this
           parameter is not specified is 1 for client applications.

           The higher this value, the more detail will be logged to the log
           files about the activities of the server. At level 0, only critical
           errors and serious warnings will be logged. Level 1 is a reasonable
           level for day-to-day running - it generates a small amount of
           information about operations carried out.

           Levels above 1 will generate considerable amounts of log data, and
           should only be used when investigating a problem. Levels above 3
           are designed for use only by developers and generate HUGE amounts
           of log data, most of which is extremely cryptic.

           Note that specifying this parameter here will override the log
           level parameter in the /etc/samba/smb.conf file.

       --debug-stdout
           This will redirect debug output to STDOUT. By default all clients
           are logging to STDERR.

       --configfile=<configuration file>
           The file specified contains the configuration details required by
           the client. The information in this file can be general for client
           and server, or can provide only client-specific options such as
           client smb encrypt. See /etc/samba/smb.conf for more information.
           The default configuration file name is determined at compile time.

       --option=<name>=<value>
           Set the smb.conf(5) option "<name>" to value "<value>" from the
           command line. This overrides compiled-in defaults and options read
           from the configuration file. If a name or a value includes a space,
           wrap the whole --option=name=value in quotes.

       -l|--log-basename=logdirectory
           Base directory name for log/debug files. The extension ".progname"
           will be appended (e.g. log.smbclient, log.smbd, etc.). The log
           file is never removed by the client.

       --leak-report
           Enable talloc leak reporting on exit.

       --leak-report-full
           Enable full talloc leak reporting on exit.

       -V|--version
           Prints the program version number.

NOTES

       This command may be used only by root.

VERSION

       This man page is part of version 4.17.5 of the Samba suite.

SEE ALSO

       smbpasswd(5), samba(7)

AUTHOR

       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

       The pdbedit manpage was written by Simo Sorce and Jelmer Vernooij.

Samba 4.17.5                      01/26/2023                        PDBEDIT(8)