1PDBEDIT(8) PDBEDIT(8)
2
6 pdbedit - manage the SAM database (Database of Samba Users)
7
9 pdbedit [-L] [-v] [-w] [-u username] [-f fullname] [-h homedir]
10 [-D drive] [-S script] [-p profile] [-a] [-t, --password-from-stdin]
11 [-m] [-r] [-x] [-i passdb-backend] [-e passdb-backend] [-b passdb-
12 backend] [-g] [-d debuglevel] [-s configfile] [-P account-policy]
13 [-C value] [-c account-control] [-y]
14
16 This tool is part of the samba(7) suite.
17 The pdbedit program is used to manage the users accounts stored in the
19 sam database and can only be run by root.
20 The pdbedit tool uses the passdb modular interface and is independent
22 from the kind of users database used (currently there are smbpasswd,
23 ldap, nis+ and tdb based and more can be added without changing the
24 tool).
25 There are five main ways to use pdbedit: adding a user account, remov‐
27 ing a user account, modifing a user account, listing user accounts,
28 importing users accounts.
29
31 -L
32 This option lists all the user accounts present in the users data‐
33 base. This option prints a list of user/uid pairs separated by the
34 ':' character.
35 Example: pdbedit -L
37 sorce:500:Simo Sorce
43 samba:45:Test User
44 -v
48 This option enables the verbose listing format. It causes pdbedit to
49 list the users in the database, printing out the account fields in a
50 descriptive format.
51 Example: pdbedit -L -v
53 ---------------
59 username: sorce
60 user ID/Group: 500/500
61 user RID/GRID: 2000/2001
62 Full Name: Simo Sorce
63 Home Directory: \BERSERKERce
64 HomeDir Drive: H:
65 Logon Script: \BERSERKER0tlogonce.bat
66 Profile Path: \BERSERKERrofile
67 ---------------
68 username: samba
69 user ID/Group: 45/45
70 user RID/GRID: 1090/1091
71 Full Name: Test User
72 Home Directory: \BERSERKERba
73 HomeDir Drive:
74 Logon Script:
75 Profile Path: \BERSERKERrofile
76 -w
80 This option sets the "smbpasswd" listing format. It will make pdbe‐
81 dit list the users in the database, printing out the account fields
82 in a format compatible with the smbpasswd file format. (see the smb‐
83 passwd(5) for details)
84 Example: pdbedit -L -w
86 sorce:500:508818B733CE64BEAAD3B435B51404EE:
89 D2A2418EFC466A8A0F6B1DBB5C3DB80C:
90 [UX ]:LCT-00000000:
91 samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:
92 BC281CE3F53B6A5146629CD4751D3490:
93 [UX ]:LCT-3BFA1E8D:
94 -u username
97 This option specifies the username to be used for the operation
98 requested (listing, adding, removing). It is required in add, remove
99 and modify operations and optional in list operations.
100 -f fullname
102 This option can be used while adding or modifing a user account. It
103 will specify the user's full name.
104 Example: -f "Simo Sorce"
106 -h homedir
108 This option can be used while adding or modifing a user account. It
109 will specify the user's home directory network path.
110 Example: -h "\\\\BERSERKER\\sorce"
112 -D drive
114 This option can be used while adding or modifing a user account. It
115 will specify the windows drive letter to be used to map the home
116 directory.
117 Example: -D "H:"
119 -S script
121 This option can be used while adding or modifing a user account. It
122 will specify the user's logon script path.
123 Example: -S "\\\\BERSERKER\\netlogon\\sorce.bat"
125 -p profile
127 This option can be used while adding or modifing a user account. It
128 will specify the user's profile directory.
129 Example: -p "\\\\BERSERKER\\netlogon"
131 -G SID|rid
133 This option can be used while adding or modifying a user account. It
134 will specify the users' new primary group SID (Security Identifier)
135 or rid.
136 Example: -G S-1-5-21-2447931902-1787058256-3961074038-1201
138 -U SID|rid
140 This option can be used while adding or modifying a user account. It
141 will specify the users' new SID (Security Identifier) or rid.
142 Example: -U S-1-5-21-2447931902-1787058256-3961074038-5004
144 -c account-control
146 This option can be used while adding or modifying a user account. It
147 will specify the users' account control property. Possible flags are
148 listed below.
149 · N: No password required
153 · D: Account disabled
155 · H: Home directory required
157 · T: Temporary duplicate of other account
159 · U: Regular user account
161 · M: MNS logon user account
163 · W: Workstation Trust Account
165 · S: Server Trust Account
167 · L: Automatic Locking
169 · X: Password does not expire
171 · I: Domain Trust Account
173 Example: -c "[X ]"
178 -a
180 This option is used to add a user into the database. This command
181 needs a user name specified with the -u switch. When adding a new
182 user, pdbedit will also ask for the password to be used.
183 Example: pdbedit -a -u sorce
185 new password:
189 retype new password
190 Note
194 pdbedit does not call the unix password syncronisation script if
195 unix password sync has been set. It only updates the data in the
196 Samba user database.
197 If you wish to add a user and synchronise the password that immedi‐
199 ately, use smbpasswd's -a option.
200 -t, --password-from-stdin
202 This option causes pdbedit to read the password from standard input,
203 rather than from /dev/tty (like the passwd(1) program does). The
204 password has to be submitted twice and terminated by a newline each.
205 -r
207 This option is used to modify an existing user in the database. This
208 command needs a user name specified with the -u switch. Other
209 options can be specified to modify the properties of the specified
210 user. This flag is kept for backwards compatibility, but it is no
211 longer necessary to specify it.
212 -m
214 This option may only be used in conjunction with the -a option. It
215 will make pdbedit to add a machine trust account instead of a user
216 account (-u username will provide the machine name).
217 Example: pdbedit -a -m -u w2k-wks
219 -x
221 This option causes pdbedit to delete an account from the database.
222 It needs a username specified with the -u switch.
223 Example: pdbedit -x -u bob
225 -i passdb-backend
227 Use a different passdb backend to retrieve users than the one speci‐
228 fied in smb.conf. Can be used to import data into your local user
229 database.
230 This option will ease migration from one passdb backend to another.
232 Example: pdbedit -i smbpasswd:/etc/smbpasswd.old
234 -e passdb-backend
236 Exports all currently available users to the specified password
237 database backend.
238 This option will ease migration from one passdb backend to another
240 and will ease backing up.
241 Example: pdbedit -e smbpasswd:/root/samba-users.backup
243 -g
245 If you specify -g, then -i in-backend -e out-backend applies to the
246 group mapping instead of the user database.
247 This option will ease migration from one passdb backend to another
249 and will ease backing up.
250 -b passdb-backend
252 Use a different default passdb backend.
253 Example: pdbedit -b xml:/root/pdb-backup.xml -l
255 -P account-policy
257 Display an account policy
258 Valid policies are: minimum password age, reset count minutes, dis‐
260 connect time, user must logon to change password, password history,
261 lockout duration, min password length, maximum password age and bad
262 lockout attempt.
263 Example: pdbedit -P "bad lockout attempt"
265 account policy value for bad lockout attempt is 0
271 -C account-policy-value
275 Sets an account policy to a specified value. This option may only be
276 used in conjunction with the -P option.
277 Example: pdbedit -P "bad lockout attempt" -C 3
279 account policy value for bad lockout attempt was 0
285 account policy value for bad lockout attempt is now 3
286 -y
290 If you specify -y, then -i in-backend -e out-backend applies to the
291 account policies instead of the user database.
292 This option will allow to migrate account policies from their
294 default tdb-store into a passdb backend, e.g. an LDAP directory
295 server.
296 Example: pdbedit -y -i tdbsam: -e ldapsam:ldap://my.ldap.host
298 -h|--help
300 Print a summary of command line options.
301 -V
303 Prints the program version number.
304 -s <configuration file>
306 The file specified contains the configuration details required by
307 the server. The information in this file includes server-specific
308 information such as what printcap file to use, as well as descrip‐
309 tions of all the services that the server is to provide. See
310 smb.conf for more information. The default configuration file name
311 is determined at compile time.
312 -d|--debuglevel=level
314 level is an integer from 0 to 10. The default value if this parame‐
315 ter is not specified is zero.
316 The higher this value, the more detail will be logged to the log
318 files about the activities of the server. At level 0, only critical
319 errors and serious warnings will be logged. Level 1 is a reasonable
320 level for day-to-day running - it generates a small amount of infor‐
321 mation about operations carried out.
322 Levels above 1 will generate considerable amounts of log data, and
324 should only be used when investigating a problem. Levels above 3 are
325 designed for use only by developers and generate HUGE amounts of log
326 data, most of which is extremely cryptic.
327 Note that specifying this parameter here will override the
329 parameter in the smb.conf file.
331 -l|--logfile=logdirectory
333 Base directory name for log/debug files. The extension ".progname"
334 will be appended (e.g. log.smbclient, log.smbd, etc...). The log
335 file is never removed by the client.
336
338 This command may be used only by root.
339
341 This man page is correct for version 3.0 of the Samba suite.
342
344 smbpasswd(5), samba(7)
345
347 The original Samba software and related utilities were created by
348 Andrew Tridgell. Samba is now developed by the Samba Team as an Open
349 Source project similar to the way the Linux kernel is developed.
350 The pdbedit manpage was written by Simo Sorce and Jelmer Vernooij.
352 PDBEDIT(8)