PDBEDIT(8)                System Administration tools                PDBEDIT(8)

NAME
       pdbedit - manage the SAM database (Database of Samba Users)

SYNOPSIS
       pdbedit [-L|--list] [-v|--verbose] [-w|--smbpasswd-style]
               [-u|--user=USER] [-N|--account-desc=STRING] [-f|--fullname=STRING]
               [-h|--homedir=STRING] [-D|--drive=STRING] [-S|--script=STRING]
               [-p|--profile=STRING] [-I|--domain=STRING] [-U|--user SID=STRING]
               [-M|--machine SID=STRING] [-a|--create] [-r|--modify] [-m|--machine]
               [-x|--delete] [-b|--backend=STRING] [-i|--import=STRING]
               [-e|--export=STRING] [-g|--group] [-y|--policies] [--policies-reset]
               [-P|--account-policy=STRING] [-C|--value=LONG]
               [-c|--account-control=STRING] [--force-initialized-passwords]
               [-z|--bad-password-count-reset] [-Z|--logon-hours-reset]
               [--time-format=STRING] [-t|--password-from-stdin]
               [-K|--kickoff-time=STRING] [--set-nt-hash=STRING] [-?|--help]
               [--usage] [-d|--debuglevel=DEBUGLEVEL] [--debug-stdout]
               [--configfile=CONFIGFILE] [--option=name=value]
               [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full]

DESCRIPTION
       This tool is part of the samba(7) suite.

       The pdbedit program is used to manage the user accounts stored in the
       SAM database and can only be run by root.

       The pdbedit tool uses the passdb modular interface and is independent
       of the kind of user database used (currently there are smbpasswd,
       ldap, nis+ and tdb based backends, and more can be added without
       changing the tool).

       There are five main ways to use pdbedit: adding a user account,
       removing a user account, modifying a user account, listing user
       accounts, and importing user accounts.

OPTIONS
       -L|--list
           This option lists all the user accounts present in the users
           database. This option prints a list of user/uid pairs separated by
           the ':' character.

           Example: pdbedit -L

               sorce:500:Simo Sorce
               samba:45:Test User

       -v|--verbose
           This option enables the verbose listing format. It causes pdbedit
           to list the users in the database, printing out the account fields
           in a descriptive format. When used together with -w, it also shows
           password hashes.

           Example: pdbedit -L -v

               ---------------
               username: sorce
               user ID/Group: 500/500
               user RID/GRID: 2000/2001
               Full Name: Simo Sorce
               Home Directory: \\BERSERKER\sorce
               HomeDir Drive: H:
               Logon Script: \\BERSERKER\netlogon\sorce.bat
               Profile Path: \\BERSERKER\profile
               ---------------
               username: samba
               user ID/Group: 45/45
               user RID/GRID: 1090/1091
               Full Name: Test User
               Home Directory: \\BERSERKER\samba
               HomeDir Drive:
               Logon Script:
               Profile Path: \\BERSERKER\profile

       -w|--smbpasswd-style
           This option sets the "smbpasswd" listing format. It will make
           pdbedit list the users in the database, printing out the account
           fields in a format compatible with the smbpasswd file format (see
           smbpasswd(5) for details). When used together with -v, it instead
           displays the password hashes in the verbose output.

           Example: pdbedit -L -w

               sorce:500:508818B733CE64BEAAD3B435B51404EE:
                     D2A2418EFC466A8A0F6B1DBB5C3DB80C:
                     [UX ]:LCT-00000000:
               samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:
                     BC281CE3F53B6A5146629CD4751D3490:
                     [UX ]:LCT-3BFA1E8D:

       -u|--user username
           This option specifies the username to be used for the operation
           requested (listing, adding, removing). It is required in add,
           remove and modify operations and optional in list operations.

       -f|--fullname fullname
           This option can be used while adding or modifying a user account.
           It will specify the user's full name.

           Example: -f "Simo Sorce"

       -h|--homedir homedir
           This option can be used while adding or modifying a user account.
           It will specify the user's home directory network path.

           Example: -h "\\\\BERSERKER\\sorce"

       -D|--drive drive
           This option can be used while adding or modifying a user account.
           It will specify the Windows drive letter to be used to map the home
           directory.

           Example: -D "H:"

       -S|--script script
           This option can be used while adding or modifying a user account.
           It will specify the user's logon script path.

           Example: -S "\\\\BERSERKER\\netlogon\\sorce.bat"

       --set-nt-hash
           This option can be used while modifying a user account. It will set
           the user's password using the nt-hash value given as a hexadecimal
           string. Useful to synchronize passwords.

           Example: --set-nt-hash 8846F7EAEE8FB117AD06BDD830B7586C

       -p|--profile profile
           This option can be used while adding or modifying a user account.
           It will specify the user's profile directory.

           Example: -p "\\\\BERSERKER\\netlogon"

       -M|'--machine SID' SID|rid
           This option can be used while adding or modifying a machine
           account. It will specify the machine's new primary group SID
           (Security Identifier) or rid.

           Example: -M S-1-5-21-2447931902-1787058256-3961074038-1201

       -U|'--user SID' SID|rid
           This option can be used while adding or modifying a user account.
           It will specify the user's new SID (Security Identifier) or rid.

           Example: -U S-1-5-21-2447931902-1787058256-3961074038-5004

           Example: '--user SID'
           S-1-5-21-2447931902-1787058256-3961074038-5004

           Example: -U 5004

           Example: '--user SID' 5004

       -c|--account-control account-control
           This option can be used while adding or modifying a user account.
           It will specify the user's account control property. Possible flags
           are listed below.

           •   N: No password required

           •   D: Account disabled

           •   H: Home directory required

           •   T: Temporary duplicate of other account

           •   U: Regular user account

           •   M: MNS logon user account

           •   W: Workstation Trust Account

           •   S: Server Trust Account

           •   L: Automatic Locking

           •   X: Password does not expire

           •   I: Domain Trust Account

           Example: -c "[X ]"

       -K|--kickoff-time
           This option is used to modify the kickoff time for a certain user.
           Use "never" as argument to set the kickoff time to unlimited.

           Example: pdbedit -K never user

       -a|--create
           This option is used to add a user into the database. This command
           needs a user name specified with the -u switch. When adding a new
           user, pdbedit will also ask for the password to be used.

           Example: pdbedit -a -u sorce

               new password:
               retype new password

               Note
               pdbedit does not call the unix password synchronization script
               if unix password sync has been set. It only updates the data in
               the Samba user database.

               If you wish to add a user and synchronise the password
               immediately, use smbpasswd's -a option.

       -t|--password-from-stdin
           This option causes pdbedit to read the password from standard
           input, rather than from /dev/tty (like the passwd(1) program does).
           The password has to be submitted twice and terminated by a newline
           each.

       -r|--modify
           This option is used to modify an existing user in the database.
           This command needs a user name specified with the -u switch. Other
           options can be specified to modify the properties of the specified
           user. This flag is kept for backwards compatibility, but it is no
           longer necessary to specify it.

       -m|--machine
           This option may only be used in conjunction with the -a option. It
           will make pdbedit add a machine trust account instead of a user
           account (-u username will provide the machine name).

           Example: pdbedit -a -m -u w2k-wks

       -x|--delete
           This option causes pdbedit to delete an account from the database.
           It needs a username specified with the -u switch.

           Example: pdbedit -x -u bob

       -i|--import passdb-backend
           Use a different passdb backend to retrieve users than the one
           specified in smb.conf. Can be used to import data into your local
           user database.

           This option will ease migration from one passdb backend to another.

           Example: pdbedit -i smbpasswd:/etc/smbpasswd.old

       -e|--export passdb-backend
           Exports all currently available users to the specified password
           database backend.

           This option will ease migration from one passdb backend to another
           and will ease backing up.

           Example: pdbedit -e smbpasswd:/root/samba-users.backup

       -g|--group
           If you specify -g, then -i in-backend -e out-backend applies to the
           group mapping instead of the user database.

           This option will ease migration from one passdb backend to another
           and will ease backing up.

       -b|--backend passdb-backend
           Use a different default passdb backend.

           Example: pdbedit -b xml:/root/pdb-backup.xml -L

       -P|--account-policy account-policy
           Display an account policy

           Valid policies are: minimum password age, reset count minutes,
           disconnect time, user must logon to change password, password
           history, lockout duration, min password length, maximum password
           age and bad lockout attempt.

           Example: pdbedit -P "bad lockout attempt"

               account policy value for bad lockout attempt is 0

       -C|--value account-policy-value
           Sets an account policy to a specified value. This option may only
           be used in conjunction with the -P option.

           Example: pdbedit -P "bad lockout attempt" -C 3

               account policy value for bad lockout attempt was 0
               account policy value for bad lockout attempt is now 3

       -y|--policies
           If you specify -y, then -i in-backend -e out-backend applies to the
           account policies instead of the user database.

           This option will allow one to migrate account policies from their
           default tdb-store into a passdb backend, e.g. an LDAP directory
           server.

           Example: pdbedit -y -i tdbsam: -e ldapsam:ldap://my.ldap.host

       --force-initialized-passwords
           This option forces all users to change their password upon next
           login.

       -N|--account-desc description
           This option can be used while adding or modifying a user account.
           It will specify the user's description field.

           Example: -N "test description"

       -Z|--logon-hours-reset
           This option can be used while adding or modifying a user account.
           It will reset the user's allowed logon hours. A user may login at
           any time afterwards.

           Example: -Z

       -z|--bad-password-count-reset
           This option can be used while adding or modifying a user account.
           It will reset the stored bad login counter for the specified user.

           Example: -z

       --policies-reset
           This option can be used to reset the general password policies
           stored for a domain to their default values.

           Example: --policies-reset

       -I|--domain
           This option can be used while adding or modifying a user account.
           It will specify the user's domain field.

           Example: -I "MYDOMAIN"

       --time-format
           This option is currently not being used.

       -?|--help
           Print a summary of command line options.

       --usage
           Display brief usage message.

       -d|--debuglevel=DEBUGLEVEL
           level is an integer from 0 to 10. The default value if this
           parameter is not specified is 1 for client applications.

           The higher this value, the more detail will be logged to the log
           files about the activities of the server. At level 0, only critical
           errors and serious warnings will be logged. Level 1 is a reasonable
           level for day-to-day running - it generates a small amount of
           information about operations carried out.

           Levels above 1 will generate considerable amounts of log data, and
           should only be used when investigating a problem. Levels above 3
           are designed for use only by developers and generate HUGE amounts
           of log data, most of which is extremely cryptic.

           Note that specifying this parameter here will override the log
           level parameter in the /etc/samba/smb.conf file.

       --debug-stdout
           This will redirect debug output to STDOUT. By default all clients
           are logging to STDERR.

       --configfile=<configuration file>
           The file specified contains the configuration details required by
           the client. The information in this file can be general for client
           and server, or provide only client-specific options such as
           client smb encrypt. See /etc/samba/smb.conf for more information.
           The default configuration file name is determined at compile time.

       --option=<name>=<value>
           Set the smb.conf(5) option "<name>" to value "<value>" from the
           command line. This overrides compiled-in defaults and options read
           from the configuration file. If a name or a value includes a space,
           wrap the whole --option=name=value in quotes.

       -l|--log-basename=logdirectory
           Base directory name for log/debug files. The extension ".progname"
           will be appended (e.g. log.smbclient, log.smbd, etc.). The log
           file is never removed by the client.

       --leak-report
           Enable talloc leak reporting on exit.

       --leak-report-full
           Enable full talloc leak reporting on exit.

       -V|--version
           Prints the program version number.

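The smbpasswd-style listing (-w) and the account-control flags (-c) described above can be combined into a small account audit. The script below is an added example, not part of the Samba manual page; the function names and sample accounts are constructed, and it assumes one account per line in the field order username, uid, LM hash, NT hash, flags, LCT, as in smbpasswd(5).

```sh
#!/bin/sh
# Added example: audit smbpasswd-style account lines as printed by
# `pdbedit -L -w`, one account per line:
#   username:uid:LM hash:NT hash:[account flags]:LCT-<hex time>:
# Prints "user: finding" lines only; hash values are never echoed.

audit_smbpasswd() {
    awk -F: '
    NF < 6 { next }                        # skip blank or malformed lines
    {
        user = $1; lm = $3; flags = $5; lct = $6
        gsub(/\[|\]| /, "", flags)         # "[UX         ]" -> "UX"
        if (flags ~ /D/) next              # D: account disabled, skip it
        if (flags ~ /N/) print user ": no password required (N)"
        if (flags ~ /X/) print user ": password does not expire (X)"
        # A field of 32 hex digits is a stored LM hash; smbpasswd(5)
        # fills the field with X characters when none is stored.
        if (length(lm) == 32 && lm ~ /^[0-9A-Fa-f]+$/)
            print user ": LM hash is stored"
        if (lct == "LCT-00000000") print user ": last change time is zero"
    }'
}

# Constructed sample accounts (hash values are made-up placeholders).
sample_accounts() {
    cat <<'EOF'
alice:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[UX         ]:LCT-00000000:
bob:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-65686F00:
guest:1003:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-65686F00:
old:1004:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[DU         ]:LCT-00000000:
EOF
}

# On a Samba host, as root: pdbedit -L -w | audit_smbpasswd
sample_accounts | audit_smbpasswd
```

Because the -w listing contains password hashes, pipe it straight into the audit rather than saving it to a file.
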
NOTES
       This command may be used only by root.

VERSION
       This man page is part of version 4.18.9 of the Samba suite.

SEE ALSO
       smbpasswd(5), samba(7)

AUTHOR
       The original Samba software and related utilities were created by
       Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

       The pdbedit manpage was written by Simo Sorce and Jelmer Vernooij.

Samba 4.18.9                       11/30/2023                       PDBEDIT(8)