1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3 <refentry id="pdbedit.8">
6 <refentrytitle>pdbedit</refentrytitle>
7 <manvolnum>8</manvolnum>
8 <refmiscinfo class="source">Samba</refmiscinfo>
9 <refmiscinfo class="manual">System Administration tools</refmiscinfo>
10 <refmiscinfo class="version">3.6</refmiscinfo>
15 <refname>pdbedit</refname>
16 <refpurpose>manage the SAM database (Database of Samba Users)</refpurpose>
21 <command>pdbedit</command>
22 <arg choice="opt">-a</arg>
23 <arg choice="opt">-b passdb-backend</arg>
24 <arg choice="opt">-c account-control</arg>
25 <arg choice="opt">-C value</arg>
26 <arg choice="opt">-d debuglevel</arg>
27 <arg choice="opt">-D drive</arg>
28 <arg choice="opt">-e passdb-backend</arg>
29 <arg choice="opt">-f fullname</arg>
30 <arg choice="opt">--force-initialized-passwords</arg>
31 <arg choice="opt">-g</arg>
32 <arg choice="opt">-G SID|RID</arg>
33 <arg choice="opt">-h homedir</arg>
34 <arg choice="opt">-i passdb-backend</arg>
35 <arg choice="opt">-I domain</arg>
36 <arg choice="opt">-L </arg>
37 <arg choice="opt">-m</arg>
38 <arg choice="opt">-N description</arg>
39 <arg choice="opt">-P account-policy</arg>
40 <arg choice="opt">-p profile</arg>
41 <arg choice="opt">--policies-reset</arg>
42 <arg choice="opt">-r</arg>
43 <arg choice="opt">-s configfile</arg>
44 <arg choice="opt">-S script</arg>
45 <arg choice="opt">-t</arg>
46 <arg choice="opt">--time-format</arg>
47 <arg choice="opt">-u username</arg>
48 <arg choice="opt">-U SID|RID</arg>
49 <arg choice="opt">-v</arg>
50 <arg choice="opt">-V</arg>
51 <arg choice="opt">-w</arg>
52 <arg choice="opt">-x</arg>
53 <arg choice="opt">-y</arg>
54 <arg choice="opt">-z</arg>
55 <arg choice="opt">-Z</arg>
60 <title>DESCRIPTION</title>
62 <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
63 <manvolnum>7</manvolnum></citerefentry> suite.</para>
65 <para>The pdbedit program is used to manage the users accounts
66 stored in the sam database and can only be run by root.</para>
68 <para>The pdbedit tool uses the passdb modular interface and is
69 independent from the kind of users database used (currently there
70 are smbpasswd, ldap, nis+ and tdb based and more can be added
71 without changing the tool).</para>
73 <para>There are five main ways to use pdbedit: adding a user account,
74 removing a user account, modifing a user account, listing user
75 accounts, importing users accounts.</para>
79 <title>OPTIONS</title>
82 <term>-L|--list</term>
83 <listitem><para>This option lists all the user accounts
84 present in the users database.
85 This option prints a list of user/uid pairs separated by
86 the ':' character.</para>
87 <para>Example: <command>pdbedit -L</command></para>
88 <para><programlisting>
91 </programlisting></para>
98 <term>-v|--verbose</term>
99 <listitem><para>This option enables the verbose listing format.
100 It causes pdbedit to list the users in the database, printing
101 out the account fields in a descriptive format.</para>
103 <para>Example: <command>pdbedit -L -v</command></para>
104 <para><programlisting>
107 user ID/Group: 500/500
108 user RID/GRID: 2000/2001
109 Full Name: Simo Sorce
110 Home Directory: \\BERSERKER\sorce
112 Logon Script: \\BERSERKER\netlogon\sorce.bat
113 Profile Path: \\BERSERKER\profile
117 user RID/GRID: 1090/1091
119 Home Directory: \\BERSERKER\samba
122 Profile Path: \\BERSERKER\profile
123 </programlisting></para>
130 <term>-w|--smbpasswd-style</term>
131 <listitem><para>This option sets the "smbpasswd" listing format.
132 It will make pdbedit list the users in the database, printing
133 out the account fields in a format compatible with the
134 <filename>smbpasswd</filename> file format. (see the
135 <citerefentry><refentrytitle>smbpasswd</refentrytitle>
136 <manvolnum>5</manvolnum></citerefentry> for details)</para>
138 <para>Example: <command>pdbedit -L -w</command></para>
140 sorce:500:508818B733CE64BEAAD3B435B51404EE:
141 D2A2418EFC466A8A0F6B1DBB5C3DB80C:
143 samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:
144 BC281CE3F53B6A5146629CD4751D3490:
152 <term>-u|--user username</term>
153 <listitem><para>This option specifies the username to be
154 used for the operation requested (listing, adding, removing).
155 It is <emphasis>required</emphasis> in add, remove and modify
156 operations and <emphasis>optional</emphasis> in list
162 <term>-f|--fullname fullname</term>
163 <listitem><para>This option can be used while adding or
164 modifing a user account. It will specify the user's full
167 <para>Example: <command>-f "Simo Sorce"</command></para>
172 <term>-h|--homedir homedir</term>
173 <listitem><para>This option can be used while adding or
174 modifing a user account. It will specify the user's home
175 directory network path.</para>
177 <para>Example: <command>-h "\\\\BERSERKER\\sorce"</command>
183 <term>-D|--drive drive</term>
184 <listitem><para>This option can be used while adding or
185 modifing a user account. It will specify the windows drive
186 letter to be used to map the home directory.</para>
188 <para>Example: <command>-D "H:"</command>
195 <term>-S|--script script</term>
196 <listitem><para>This option can be used while adding or
197 modifing a user account. It will specify the user's logon
200 <para>Example: <command>-S "\\\\BERSERKER\\netlogon\\sorce.bat"</command>
207 <term>-p|--profile profile</term>
208 <listitem><para>This option can be used while adding or
209 modifing a user account. It will specify the user's profile
212 <para>Example: <command>-p "\\\\BERSERKER\\netlogon"</command>
218 <term>-G|'--group SID' SID|rid</term>
220 This option can be used while adding or modifying a user account. It
221 will specify the users' new primary group SID (Security Identifier) or
224 <para>Example: <command>-G S-1-5-21-2447931902-1787058256-3961074038-1201</command></para>
229 <term>-U|'--user SID' SID|rid</term>
231 This option can be used while adding or modifying a user account. It
232 will specify the users' new SID (Security Identifier) or
235 <para>Example: <command>-U S-1-5-21-2447931902-1787058256-3961074038-5004</command></para>
236 <para>Example: <command>'--user SID' S-1-5-21-2447931902-1787058256-3961074038-5004</command></para>
237 <para>Example: <command>-U 5004</command></para>
238 <para>Example: <command>'--user SID' 5004</command></para>
243 <term>-c|--account-control account-control</term>
244 <listitem><para>This option can be used while adding or modifying a user
245 account. It will specify the users' account control property. Possible flags are listed below.
250 <listitem><para>N: No password required</para></listitem>
251 <listitem><para>D: Account disabled</para></listitem>
252 <listitem><para>H: Home directory required</para></listitem>
253 <listitem><para>T: Temporary duplicate of other account</para></listitem>
254 <listitem><para>U: Regular user account</para></listitem>
255 <listitem><para>M: MNS logon user account</para></listitem>
256 <listitem><para>W: Workstation Trust Account</para></listitem>
257 <listitem><para>S: Server Trust Account</para></listitem>
258 <listitem><para>L: Automatic Locking</para></listitem>
259 <listitem><para>X: Password does not expire</para></listitem>
260 <listitem><para>I: Domain Trust Account</para></listitem>
264 <para>Example: <command>-c "[X ]"</command></para>
269 <term>-K|--kickoff-time</term>
270 <listitem><para>This option is used to modify the kickoff
271 time for a certain user. Use "never" as argument to set the
272 kickoff time to unlimited.
274 <para>Example: <command>pdbedit -K never user</command></para>
279 <term>-a|--create</term>
280 <listitem><para>This option is used to add a user into the
281 database. This command needs a user name specified with
282 the -u switch. When adding a new user, pdbedit will also
283 ask for the password to be used.</para>
285 <para>Example: <command>pdbedit -a -u sorce</command>
286 <programlisting>new password:
291 <note><para>pdbedit does not call the unix password syncronisation
292 script if <smbconfoption name="unix password sync"/>
293 has been set. It only updates the data in the Samba
297 <para>If you wish to add a user and synchronise the password
298 that immediately, use <command>smbpasswd</command>'s <option>-a</option> option.
305 <term>-t|--password-from-stdin</term>
306 <listitem><para>This option causes pdbedit to read the password
307 from standard input, rather than from /dev/tty (like the
308 <command>passwd(1)</command> program does). The password has
309 to be submitted twice and terminated by a newline each.</para>
314 <term>-r|--modify</term>
315 <listitem><para>This option is used to modify an existing user
316 in the database. This command needs a user name specified with the -u
317 switch. Other options can be specified to modify the properties of
318 the specified user. This flag is kept for backwards compatibility, but
319 it is no longer necessary to specify it.
324 <term>-m|--machine</term>
325 <listitem><para>This option may only be used in conjunction
326 with the <parameter>-a</parameter> option. It will make
327 pdbedit to add a machine trust account instead of a user
328 account (-u username will provide the machine name).</para>
330 <para>Example: <command>pdbedit -a -m -u w2k-wks</command>
337 <term>-x|--delete</term>
338 <listitem><para>This option causes pdbedit to delete an account
339 from the database. It needs a username specified with the
342 <para>Example: <command>pdbedit -x -u bob</command></para>
348 <term>-i|--import passdb-backend</term>
349 <listitem><para>Use a different passdb backend to retrieve users
350 than the one specified in smb.conf. Can be used to import data into
351 your local user database.</para>
353 <para>This option will ease migration from one passdb backend to
356 <para>Example: <command>pdbedit -i smbpasswd:/etc/smbpasswd.old
362 <term>-e|--export passdb-backend</term>
363 <listitem><para>Exports all currently available users to the
364 specified password database backend.</para>
366 <para>This option will ease migration from one passdb backend to
367 another and will ease backing up.</para>
369 <para>Example: <command>pdbedit -e smbpasswd:/root/samba-users.backup</command></para>
374 <term>-g|--group</term>
375 <listitem><para>If you specify <parameter>-g</parameter>,
376 then <parameter>-i in-backend -e out-backend</parameter>
377 applies to the group mapping instead of the user database.</para>
379 <para>This option will ease migration from one passdb backend to
380 another and will ease backing up.</para>
386 <term>-b|--backend passdb-backend</term>
387 <listitem><para>Use a different default passdb backend. </para>
389 <para>Example: <command>pdbedit -b xml:/root/pdb-backup.xml -l</command></para>
394 <term>-P|--account-policy account-policy</term>
395 <listitem><para>Display an account policy</para>
396 <para>Valid policies are: minimum password age, reset count minutes, disconnect time,
397 user must logon to change password, password history, lockout duration, min password length,
398 maximum password age and bad lockout attempt.</para>
400 <para>Example: <command>pdbedit -P "bad lockout attempt"</command></para>
401 <para><programlisting>
402 account policy value for bad lockout attempt is 0
403 </programlisting></para>
410 <term>-C|--value account-policy-value</term>
411 <listitem><para>Sets an account policy to a specified value.
412 This option may only be used in conjunction
413 with the <parameter>-P</parameter> option.
416 <para>Example: <command>pdbedit -P "bad lockout attempt" -C 3</command></para>
417 <para><programlisting>
418 account policy value for bad lockout attempt was 0
419 account policy value for bad lockout attempt is now 3
420 </programlisting></para>
425 <term>-y|--policies</term>
426 <listitem><para>If you specify <parameter>-y</parameter>,
427 then <parameter>-i in-backend -e out-backend</parameter>
428 applies to the account policies instead of the user database.</para>
430 <para>This option will allow to migrate account policies from their default
431 tdb-store into a passdb backend, e.g. an LDAP directory server.</para>
433 <para>Example: <command>pdbedit -y -i tdbsam: -e ldapsam:ldap://my.ldap.host</command></para>
439 <term>--force-initialized-passwords</term>
440 <listitem><para>This option forces all users to change their
441 password upon next login.
447 <term>-N|--account-desc description</term>
448 <listitem><para>This option can be used while adding or
449 modifing a user account. It will specify the user's description
452 <para>Example: <command>-N "test description"</command>
458 <term>-Z|--logon-hours-reset</term>
459 <listitem><para>This option can be used while adding or
460 modifing a user account. It will reset the user's allowed logon
461 hours. A user may login at any time afterwards.</para>
463 <para>Example: <command>-Z</command>
469 <term>-z|--bad-password-count-reset</term>
470 <listitem><para>This option can be used while adding or
471 modifing a user account. It will reset the stored bad login
472 counter from a specified user.</para>
474 <para>Example: <command>-z</command>
480 <term>--policies-reset</term>
481 <listitem><para>This option can be used to reset the general
482 password policies stored for a domain to their
483 default values.</para>
484 <para>Example: <command>--policies-reset</command>
490 <term>-I|--domain</term>
491 <listitem><para>This option can be used while adding or
492 modifing a user account. It will specify the user's domain field.</para>
494 <para>Example: <command>-I "MYDOMAIN"</command>
500 <term>--time-format</term>
501 <listitem><para>This option is currently not being used.</para>
506 &stdarg.server.debug;
516 <para>This command may be used only by root.</para>
521 <title>VERSION</title>
523 <para>This man page is correct for version 3 of
524 the Samba suite.</para>
528 <title>SEE ALSO</title>
529 <para><citerefentry><refentrytitle>smbpasswd</refentrytitle>
530 <manvolnum>5</manvolnum></citerefentry>, <citerefentry><refentrytitle>samba</refentrytitle>
531 <manvolnum>7</manvolnum></citerefentry></para>
535 <title>AUTHOR</title>
537 <para>The original Samba software and related utilities
538 were created by Andrew Tridgell. Samba is now developed
539 by the Samba Team as an Open Source project similar
540 to the way the Linux kernel is developed.</para>
542 <para>The pdbedit manpage was written by Simo Sorce and Jelmer Vernooij.</para>