1
<?xml version="1.0" encoding="iso-8859-1"?>
2
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3
<refentry id="pdbedit.8">
6
<refentrytitle>pdbedit</refentrytitle>
7
<manvolnum>8</manvolnum>
8
<refmiscinfo class="source">Samba</refmiscinfo>
9
<refmiscinfo class="manual">System Administration tools</refmiscinfo>
10
<refmiscinfo class="version">3.4</refmiscinfo>
15
<refname>pdbedit</refname>
16
<refpurpose>manage the SAM database (Database of Samba Users)</refpurpose>
21
<command>pdbedit</command>
22
<arg choice="opt">-L</arg>
23
<arg choice="opt">-v</arg>
24
<arg choice="opt">-w</arg>
25
<arg choice="opt">-u username</arg>
26
<arg choice="opt">-f fullname</arg>
27
<arg choice="opt">-h homedir</arg>
28
<arg choice="opt">-D drive</arg>
29
<arg choice="opt">-S script</arg>
30
<arg choice="opt">-p profile</arg>
31
<arg choice="opt">-K</arg>
32
<arg choice="opt">-a</arg>
33
<arg choice="opt">-t, --password-from-stdin</arg>
34
<arg choice="opt">-m</arg>
35
<arg choice="opt">-r</arg>
36
<arg choice="opt">-x</arg>
37
<arg choice="opt">-i passdb-backend</arg>
38
<arg choice="opt">-e passdb-backend</arg>
39
<arg choice="opt">-b passdb-backend</arg>
40
<arg choice="opt">-g</arg>
41
<arg choice="opt">-d debuglevel</arg>
42
<arg choice="opt">-s configfile</arg>
43
<arg choice="opt">-P account-policy</arg>
44
<arg choice="opt">-C value</arg>
45
<arg choice="opt">-c account-control</arg>
46
<arg choice="opt">-y</arg>
51
<title>DESCRIPTION</title>
53
<para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
54
<manvolnum>7</manvolnum></citerefentry> suite.</para>
56
<para>The pdbedit program is used to manage the users accounts
57
stored in the sam database and can only be run by root.</para>
59
<para>The pdbedit tool uses the passdb modular interface and is
60
independent from the kind of users database used (currently there
61
are smbpasswd, ldap, nis+ and tdb based and more can be added
62
without changing the tool).</para>
64
<para>There are five main ways to use pdbedit: adding a user account,
65
removing a user account, modifing a user account, listing user
66
accounts, importing users accounts.</para>
70
<title>OPTIONS</title>
74
<listitem><para>This option lists all the user accounts
75
present in the users database.
76
This option prints a list of user/uid pairs separated by
77
the ':' character.</para>
78
<para>Example: <command>pdbedit -L</command></para>
79
<para><programlisting>
82
</programlisting></para>
90
<listitem><para>This option enables the verbose listing format.
91
It causes pdbedit to list the users in the database, printing
92
out the account fields in a descriptive format.</para>
94
<para>Example: <command>pdbedit -L -v</command></para>
95
<para><programlisting>
98
user ID/Group: 500/500
99
user RID/GRID: 2000/2001
100
Full Name: Simo Sorce
101
Home Directory: \\BERSERKER\sorce
103
Logon Script: \\BERSERKER\netlogon\sorce.bat
104
Profile Path: \\BERSERKER\profile
108
user RID/GRID: 1090/1091
110
Home Directory: \\BERSERKER\samba
113
Profile Path: \\BERSERKER\profile
114
</programlisting></para>
122
<listitem><para>This option sets the "smbpasswd" listing format.
123
It will make pdbedit list the users in the database, printing
124
out the account fields in a format compatible with the
125
<filename>smbpasswd</filename> file format. (see the
126
<citerefentry><refentrytitle>smbpasswd</refentrytitle>
127
<manvolnum>5</manvolnum></citerefentry> for details)</para>
129
<para>Example: <command>pdbedit -L -w</command></para>
131
sorce:500:508818B733CE64BEAAD3B435B51404EE:
132
D2A2418EFC466A8A0F6B1DBB5C3DB80C:
134
samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:
135
BC281CE3F53B6A5146629CD4751D3490:
143
<term>-u username</term>
144
<listitem><para>This option specifies the username to be
145
used for the operation requested (listing, adding, removing).
146
It is <emphasis>required</emphasis> in add, remove and modify
147
operations and <emphasis>optional</emphasis> in list
153
<term>-f fullname</term>
154
<listitem><para>This option can be used while adding or
155
modifing a user account. It will specify the user's full
158
<para>Example: <command>-f "Simo Sorce"</command></para>
163
<term>-h homedir</term>
164
<listitem><para>This option can be used while adding or
165
modifing a user account. It will specify the user's home
166
directory network path.</para>
168
<para>Example: <command>-h "\\\\BERSERKER\\sorce"</command>
174
<term>-D drive</term>
175
<listitem><para>This option can be used while adding or
176
modifing a user account. It will specify the windows drive
177
letter to be used to map the home directory.</para>
179
<para>Example: <command>-D "H:"</command>
186
<term>-S script</term>
187
<listitem><para>This option can be used while adding or
188
modifing a user account. It will specify the user's logon
191
<para>Example: <command>-S "\\\\BERSERKER\\netlogon\\sorce.bat"</command>
198
<term>-p profile</term>
199
<listitem><para>This option can be used while adding or
200
modifing a user account. It will specify the user's profile
203
<para>Example: <command>-p "\\\\BERSERKER\\netlogon"</command>
209
<term>-G SID|rid</term>
211
This option can be used while adding or modifying a user account. It
212
will specify the users' new primary group SID (Security Identifier) or
215
<para>Example: <command>-G S-1-5-21-2447931902-1787058256-3961074038-1201</command></para>
220
<term>-U SID|rid</term>
222
This option can be used while adding or modifying a user account. It
223
will specify the users' new SID (Security Identifier) or
226
<para>Example: <command>-U S-1-5-21-2447931902-1787058256-3961074038-5004</command></para>
231
<term>-c account-control</term>
232
<listitem><para>This option can be used while adding or modifying a user
233
account. It will specify the users' account control property. Possible flags are listed below.
238
<listitem><para>N: No password required</para></listitem>
239
<listitem><para>D: Account disabled</para></listitem>
240
<listitem><para>H: Home directory required</para></listitem>
241
<listitem><para>T: Temporary duplicate of other account</para></listitem>
242
<listitem><para>U: Regular user account</para></listitem>
243
<listitem><para>M: MNS logon user account</para></listitem>
244
<listitem><para>W: Workstation Trust Account</para></listitem>
245
<listitem><para>S: Server Trust Account</para></listitem>
246
<listitem><para>L: Automatic Locking</para></listitem>
247
<listitem><para>X: Password does not expire</para></listitem>
248
<listitem><para>I: Domain Trust Account</para></listitem>
252
<para>Example: <command>-c "[X ]"</command></para>
257
<term>-K|--kickoff-time</term>
258
<listitem><para>This option is used to modify the kickoff
259
time for a certain user. Use "never" as argument to set the
260
kickoff time to unlimited.
262
<para>Example: <command>pdbedit -K never user</command></para>
268
<listitem><para>This option is used to add a user into the
269
database. This command needs a user name specified with
270
the -u switch. When adding a new user, pdbedit will also
271
ask for the password to be used.</para>
273
<para>Example: <command>pdbedit -a -u sorce</command>
274
<programlisting>new password:
279
<note><para>pdbedit does not call the unix password syncronisation
280
script if <smbconfoption name="unix password sync"/>
281
has been set. It only updates the data in the Samba
285
<para>If you wish to add a user and synchronise the password
286
that immediately, use <command>smbpasswd</command>'s <option>-a</option> option.
293
<term>-t, --password-from-stdin</term>
294
<listitem><para>This option causes pdbedit to read the password
295
from standard input, rather than from /dev/tty (like the
296
<command>passwd(1)</command> program does). The password has
297
to be submitted twice and terminated by a newline each.</para>
303
<listitem><para>This option is used to modify an existing user
304
in the database. This command needs a user name specified with the -u
305
switch. Other options can be specified to modify the properties of
306
the specified user. This flag is kept for backwards compatibility, but
307
it is no longer necessary to specify it.
313
<listitem><para>This option may only be used in conjunction
314
with the <parameter>-a</parameter> option. It will make
315
pdbedit to add a machine trust account instead of a user
316
account (-u username will provide the machine name).</para>
318
<para>Example: <command>pdbedit -a -m -u w2k-wks</command>
326
<listitem><para>This option causes pdbedit to delete an account
327
from the database. It needs a username specified with the
330
<para>Example: <command>pdbedit -x -u bob</command></para>
336
<term>-i passdb-backend</term>
337
<listitem><para>Use a different passdb backend to retrieve users
338
than the one specified in smb.conf. Can be used to import data into
339
your local user database.</para>
341
<para>This option will ease migration from one passdb backend to
344
<para>Example: <command>pdbedit -i smbpasswd:/etc/smbpasswd.old
350
<term>-e passdb-backend</term>
351
<listitem><para>Exports all currently available users to the
352
specified password database backend.</para>
354
<para>This option will ease migration from one passdb backend to
355
another and will ease backing up.</para>
357
<para>Example: <command>pdbedit -e smbpasswd:/root/samba-users.backup</command></para>
363
<listitem><para>If you specify <parameter>-g</parameter>,
364
then <parameter>-i in-backend -e out-backend</parameter>
365
applies to the group mapping instead of the user database.</para>
367
<para>This option will ease migration from one passdb backend to
368
another and will ease backing up.</para>
374
<term>-b passdb-backend</term>
375
<listitem><para>Use a different default passdb backend. </para>
377
<para>Example: <command>pdbedit -b xml:/root/pdb-backup.xml -l</command></para>
382
<term>-P account-policy</term>
383
<listitem><para>Display an account policy</para>
384
<para>Valid policies are: minimum password age, reset count minutes, disconnect time,
385
user must logon to change password, password history, lockout duration, min password length,
386
maximum password age and bad lockout attempt.</para>
388
<para>Example: <command>pdbedit -P "bad lockout attempt"</command></para>
389
<para><programlisting>
390
account policy value for bad lockout attempt is 0
391
</programlisting></para>
398
<term>-C account-policy-value</term>
399
<listitem><para>Sets an account policy to a specified value.
400
This option may only be used in conjunction
401
with the <parameter>-P</parameter> option.
404
<para>Example: <command>pdbedit -P "bad lockout attempt" -C 3</command></para>
405
<para><programlisting>
406
account policy value for bad lockout attempt was 0
407
account policy value for bad lockout attempt is now 3
408
</programlisting></para>
414
<listitem><para>If you specify <parameter>-y</parameter>,
415
then <parameter>-i in-backend -e out-backend</parameter>
416
applies to the account policies instead of the user database.</para>
418
<para>This option will allow to migrate account policies from their default
419
tdb-store into a passdb backend, e.g. an LDAP directory server.</para>
421
<para>Example: <command>pdbedit -y -i tdbsam: -e ldapsam:ldap://my.ldap.host</command></para>
427
&stdarg.server.debug;
437
<para>This command may be used only by root.</para>
442
<title>VERSION</title>
444
<para>This man page is correct for version 3 of
445
the Samba suite.</para>
449
<title>SEE ALSO</title>
450
<para><citerefentry><refentrytitle>smbpasswd</refentrytitle>
451
<manvolnum>5</manvolnum></citerefentry>, <citerefentry><refentrytitle>samba</refentrytitle>
452
<manvolnum>7</manvolnum></citerefentry></para>
456
<title>AUTHOR</title>
458
<para>The original Samba software and related utilities
459
were created by Andrew Tridgell. Samba is now developed
460
by the Samba Team as an Open Source project similar
461
to the way the Linux kernel is developed.</para>
463
<para>The pdbedit manpage was written by Simo Sorce and Jelmer Vernooij.</para>