1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3 <refentry id="pdbedit.8">
5 <refmeta>
6         <refentrytitle>pdbedit</refentrytitle>
7         <manvolnum>8</manvolnum>
8         <refmiscinfo class="source">Samba</refmiscinfo>
9         <refmiscinfo class="manual">System Administration tools</refmiscinfo>
10         <refmiscinfo class="version">3.4</refmiscinfo>
11 </refmeta>
14 <refnamediv>
15         <refname>pdbedit</refname>
16         <refpurpose>manage the SAM database (Database of Samba Users)</refpurpose>
17 </refnamediv>
19 <refsynopsisdiv>
20         <cmdsynopsis>
21                 <command>pdbedit</command>
22                 <arg choice="opt">-L</arg>      
23                 <arg choice="opt">-v</arg>      
24                 <arg choice="opt">-w</arg>      
25                 <arg choice="opt">-u username</arg>     
26                 <arg choice="opt">-f fullname</arg>     
27                 <arg choice="opt">-h homedir</arg>      
28                 <arg choice="opt">-D drive</arg>        
29                 <arg choice="opt">-S script</arg>
30                 <arg choice="opt">-p profile</arg>      
31                 <arg choice="opt">-K</arg>
32                 <arg choice="opt">-a</arg>      
33                 <arg choice="opt">-t, --password-from-stdin</arg>
34                 <arg choice="opt">-m</arg>      
35                 <arg choice="opt">-r</arg>      
36                 <arg choice="opt">-x</arg>      
37                 <arg choice="opt">-i passdb-backend</arg>       
38                 <arg choice="opt">-e passdb-backend</arg>   
39                 <arg choice="opt">-b passdb-backend</arg>
40                 <arg choice="opt">-g</arg>
41                 <arg choice="opt">-d debuglevel</arg>
42                 <arg choice="opt">-s configfile</arg>
43                 <arg choice="opt">-P account-policy</arg>
44                 <arg choice="opt">-C value</arg>
45                 <arg choice="opt">-c account-control</arg>
46                 <arg choice="opt">-y</arg>
47         </cmdsynopsis>
48 </refsynopsisdiv>
50 <refsect1>
51         <title>DESCRIPTION</title>
53         <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
54         <manvolnum>7</manvolnum></citerefentry> suite.</para>
56         <para>The pdbedit program is used to manage the user accounts
57         stored in the SAM database and can only be run by root.</para>
59         <para>The pdbedit tool uses the passdb modular interface and is
60         independent from the kind of users database used (currently there
61         are smbpasswd, ldap, nis+ and tdb based and more can be added
62         without changing the tool).</para>
64         <para>There are five main ways to use pdbedit: adding a user account,
65         removing a user account, modifying a user account, listing user
66         accounts, importing user accounts.</para>
67 </refsect1>
69 <refsect1>
70         <title>OPTIONS</title>
71         <variablelist>
72                 <varlistentry>
73                 <term>-L</term>
74                 <listitem><para>This option lists all the user accounts
75                 present in the users database.
76                 This option prints a list of user/uid pairs separated by
77                 the ':' character.</para>
78                 <para>Example: <command>pdbedit -L</command></para>
79                 <para><programlisting>
80 sorce:500:Simo Sorce
81 samba:45:Test User
82 </programlisting></para>
83                 </listitem>
84                 </varlistentry>
85                 
86                 
87                 
88                 <varlistentry>
89                 <term>-v</term>
90                 <listitem><para>This option enables the verbose listing format.
91                 It causes pdbedit to list the users in the database, printing
92                 out the account fields in a descriptive format.</para>
94                 <para>Example: <command>pdbedit -L -v</command></para>
95                 <para><programlisting>
96 ---------------
97 username:       sorce
98 user ID/Group:  500/500
99 user RID/GRID:  2000/2001
100 Full Name:      Simo Sorce
101 Home Directory: \\BERSERKER\sorce
102 HomeDir Drive:  H:
103 Logon Script:   \\BERSERKER\netlogon\sorce.bat
104 Profile Path:   \\BERSERKER\profile
105 ---------------
106 username:       samba
107 user ID/Group:  45/45
108 user RID/GRID:  1090/1091
109 Full Name:      Test User
110 Home Directory: \\BERSERKER\samba
111 HomeDir Drive:  
112 Logon Script:   
113 Profile Path:   \\BERSERKER\profile
114 </programlisting></para>
115                 </listitem>
116                 </varlistentry>
117                 
118                 
119                 
120                 <varlistentry>
121                 <term>-w</term>
122                 <listitem><para>This option sets the "smbpasswd" listing format.
123                 It will make pdbedit list the users in the database, printing
124                 out the account fields in a format compatible with the
125                 <filename>smbpasswd</filename> file format (see
126                 <citerefentry><refentrytitle>smbpasswd</refentrytitle>
127                 <manvolnum>5</manvolnum></citerefentry> for details). This format includes the LM and NT password hashes of each account, so the output should be treated as sensitive.</para>
129                 <para>Example: <command>pdbedit -L -w</command></para>
130                 <programlisting>
131 sorce:500:508818B733CE64BEAAD3B435B51404EE:
132           D2A2418EFC466A8A0F6B1DBB5C3DB80C:
133           [UX         ]:LCT-00000000:
134 samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:
135           BC281CE3F53B6A5146629CD4751D3490:
136           [UX         ]:LCT-3BFA1E8D:
137 </programlisting>
138                 </listitem>
139                 </varlistentry>
140                 
141                 
142                 <varlistentry>
143                 <term>-u username</term>
144                 <listitem><para>This option specifies the username to be
145                 used for the operation requested (listing, adding, removing).
146                 It is <emphasis>required</emphasis> in add, remove and modify
147                 operations and <emphasis>optional</emphasis> in list
148                 operations.</para>
149                 </listitem>
150                 </varlistentry>
152                 <varlistentry>
153                 <term>-f fullname</term>
154                 <listitem><para>This option can be used while adding or
155                 modifying a user account. It will specify the user's full
156                 name. </para>
158                 <para>Example: <command>-f "Simo Sorce"</command></para>
159                 </listitem>
160                 </varlistentry>
161                 
162                 <varlistentry>
163                 <term>-h homedir</term>
164                 <listitem><para>This option can be used while adding or
165                 modifying a user account. It will specify the user's home
166                 directory network path.</para>
168                 <para>Example: <command>-h "\\\\BERSERKER\\sorce"</command>
169                 </para>
170                 </listitem>
171                 </varlistentry>
172                 
173                 <varlistentry>
174                 <term>-D drive</term>
175                 <listitem><para>This option can be used while adding or
176                 modifying a user account. It will specify the Windows drive
177                 letter to be used to map the home directory.</para>
179                 <para>Example: <command>-D "H:"</command>
180                 </para>
181                 </listitem>
182                 </varlistentry>
183                 
184                 
185                 <varlistentry>
186                 <term>-S script</term>
187                 <listitem><para>This option can be used while adding or
188                 modifying a user account. It will specify the user's logon
189                 script path.</para>
191                 <para>Example: <command>-S "\\\\BERSERKER\\netlogon\\sorce.bat"</command>
192                 </para>
193                 </listitem>
194                 </varlistentry>
195                 
196                 
197                 <varlistentry>
198                 <term>-p profile</term>
199                 <listitem><para>This option can be used while adding or
200                 modifying a user account. It will specify the user's profile
201                 directory.</para>
203                 <para>Example: <command>-p "\\\\BERSERKER\\netlogon"</command>
204                 </para>
205                 </listitem>
206                 </varlistentry>
208                 <varlistentry>
209                 <term>-G SID|rid</term>
210                 <listitem><para>
211                 This option can be used while adding or modifying a user account. It
212                 will specify the user's new primary group SID (Security Identifier) or
213                 rid. </para>
215                 <para>Example: <command>-G S-1-5-21-2447931902-1787058256-3961074038-1201</command></para>
216                 </listitem>
217                 </varlistentry>
219                 <varlistentry>
220                 <term>-U SID|rid</term>
221                 <listitem><para>
222                 This option can be used while adding or modifying a user account. It
223                 will specify the user's new SID (Security Identifier) or
224                 rid. </para>
226                 <para>Example: <command>-U S-1-5-21-2447931902-1787058256-3961074038-5004</command></para>
227                 </listitem>
228                 </varlistentry>
230                 <varlistentry>
231                 <term>-c account-control</term>
232                 <listitem><para>This option can be used while adding or modifying a user
233                                 account. It will specify the user's account control property. Possible flags are listed below.
234         </para>
236         <para>
237                 <itemizedlist>
238                         <listitem><para>N: No password required</para></listitem>
239                         <listitem><para>D: Account disabled</para></listitem>
240                         <listitem><para>H: Home directory required</para></listitem>
241                         <listitem><para>T: Temporary duplicate of other account</para></listitem>
242                         <listitem><para>U: Regular user account</para></listitem>
243                         <listitem><para>M: MNS logon user account</para></listitem>
244                         <listitem><para>W: Workstation Trust Account</para></listitem>
245                         <listitem><para>S: Server Trust Account</para></listitem>
246                         <listitem><para>L: Automatic Locking</para></listitem>
247                         <listitem><para>X: Password does not expire</para></listitem>
248                         <listitem><para>I: Domain Trust Account</para></listitem>
249                 </itemizedlist>
250         </para>
252                 <para>Example: <command>-c "[X          ]"</command></para>
253                 </listitem>
254                 </varlistentry>
256                 <varlistentry>
257                 <term>-K|--kickoff-time</term>
258                 <listitem><para>This option is used to modify the kickoff
259                 time for a certain user. Use "never" as argument to set the
260                 kickoff time to unlimited.
261                 </para>
262                 <para>Example: <command>pdbedit -K never user</command></para>
263                 </listitem>
264                 </varlistentry>
266                 <varlistentry>
267                 <term>-a</term>
268                 <listitem><para>This option is used to add a user into the
269                 database. This command needs a user name specified with
270                 the -u switch. When adding a new user, pdbedit will also
271                 ask for the password to be used.</para>
273                 <para>Example: <command>pdbedit -a -u sorce</command>
274 <programlisting>new password:
275 retype new password
276 </programlisting>
277 </para>
279                 <note><para>pdbedit does not call the unix password synchronisation
280                                 script if <smbconfoption name="unix password sync"/>
281                                 has been set. It only updates the data in the Samba 
282                                 user database. 
283                         </para>
285                         <para>If you wish to add a user and synchronise the password
286                                 immediately, use <command>smbpasswd</command>'s <option>-a</option> option.
287                         </para>
288                 </note>
289                 </listitem>
290                 </varlistentry>
291                 
292                 <varlistentry>
293                 <term>-t, --password-from-stdin</term>
294                 <listitem><para>This option causes pdbedit to read the password
295                 from standard input, rather than from /dev/tty (like the
296                 <command>passwd(1)</command> program does).  The password has
297                 to be submitted twice and terminated by a newline each.</para>
298                 </listitem>
299                 </varlistentry>
301                 <varlistentry>
302                 <term>-r</term>
303                 <listitem><para>This option is used to modify an existing user 
304                 in the database. This command needs a user name specified with the -u 
305                 switch. Other options can be specified to modify the properties of 
306                 the specified user. This flag is kept for backwards compatibility, but 
307                 it is no longer necessary to specify it.
308                 </para></listitem>
309                 </varlistentry>
310                         
311                 <varlistentry>
312                 <term>-m</term>
313                 <listitem><para>This option may only be used in conjunction
314                 with the <parameter>-a</parameter> option. It will make
315                 pdbedit add a machine trust account instead of a user
316                 account (-u username will provide the machine name).</para>
318                 <para>Example: <command>pdbedit -a -m -u w2k-wks</command>
319                 </para>
320                 </listitem>
321                 </varlistentry>
322                 
323                 
324                 <varlistentry>
325                 <term>-x</term>
326                 <listitem><para>This option causes pdbedit to delete an account
327                 from the database. It needs a username specified with the
328                 -u switch.</para>
330                 <para>Example: <command>pdbedit -x -u bob</command></para>
331                 </listitem>
332                 </varlistentry>
333                 
335                 <varlistentry>
336                 <term>-i passdb-backend</term>
337                 <listitem><para>Use a different passdb backend to retrieve users
338                 than the one specified in smb.conf. Can be used to import data into
339                 your local user database.</para>
341                 <para>This option will ease migration from one passdb backend to
342                 another.</para>
344                 <para>Example: <command>pdbedit -i smbpasswd:/etc/smbpasswd.old
345                 </command></para>
346                 </listitem>
347                 </varlistentry>
349                 <varlistentry>
350                 <term>-e passdb-backend</term>
351                 <listitem><para>Exports all currently available users to the
352                 specified password database backend.</para>
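354                 <para>This option will ease migration from one passdb backend to
355                 another and will ease backing up. The exported data includes the accounts' password hashes, so access to the destination should be restricted accordingly.</para>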
356                 
357                 <para>Example: <command>pdbedit -e smbpasswd:/root/samba-users.backup</command></para>
358                 </listitem>
359                 </varlistentry>
361                 <varlistentry>
362                 <term>-g</term>
363                 <listitem><para>If you specify <parameter>-g</parameter>,
364                 then <parameter>-i in-backend -e out-backend</parameter>
365                 applies to the group mapping instead of the user database.</para>
367                 <para>This option will ease migration from one passdb backend to
368                 another and will ease backing up.</para>
369                 
370                 </listitem>
371                 </varlistentry>
373                 <varlistentry>
374                 <term>-b passdb-backend</term>
375                 <listitem><para>Use a different default passdb backend. </para>
377                 <para>Example: <command>pdbedit -b xml:/root/pdb-backup.xml -l</command></para>
378                 </listitem>
379                 </varlistentry>
381                 <varlistentry>
382                 <term>-P account-policy</term>
383                 <listitem><para>Display an account policy</para>
384                 <para>Valid policies are: minimum password age, reset count minutes, disconnect time,
385                 user must logon to change password, password history, lockout duration, min password length,
386                 maximum password age and bad lockout attempt.</para>
388                 <para>Example: <command>pdbedit -P "bad lockout attempt"</command></para>
389 <para><programlisting>
390 account policy value for bad lockout attempt is 0
391 </programlisting></para>
393                 </listitem>
394                 </varlistentry>
397                 <varlistentry>
398                 <term>-C account-policy-value</term>
399                 <listitem><para>Sets an account policy to a specified value. 
400                 This option may only be used in conjunction
401                 with the <parameter>-P</parameter> option.
402                 </para>
404                 <para>Example: <command>pdbedit -P "bad lockout attempt" -C 3</command></para>
405 <para><programlisting>
406 account policy value for bad lockout attempt was 0
407 account policy value for bad lockout attempt is now 3
408 </programlisting></para>
409                 </listitem>
410                 </varlistentry>
412                 <varlistentry>
413                 <term>-y</term>
414                 <listitem><para>If you specify <parameter>-y</parameter>,
415                 then <parameter>-i in-backend -e out-backend</parameter>
416                 applies to the account policies instead of the user database.</para>
418                 <para>This option allows account policies to be migrated from their default
419                 tdb-store into a passdb backend, e.g. an LDAP directory server.</para>
421                 <para>Example: <command>pdbedit -y -i tdbsam: -e ldapsam:ldap://my.ldap.host</command></para>
422         
423                 </listitem>
424                 </varlistentry>
426                 &stdarg.help;
427                 &stdarg.server.debug;
428                 &popt.common.samba;
430         </variablelist>
431 </refsect1>
434 <refsect1>
435         <title>NOTES</title>
436         
437         <para>This command may be used only by root.</para>
438 </refsect1>
441 <refsect1>
442         <title>VERSION</title>
444         <para>This man page is correct for version 3 of 
445         the Samba suite.</para>
446 </refsect1>
448 <refsect1>
449         <title>SEE ALSO</title>
450         <para><citerefentry><refentrytitle>smbpasswd</refentrytitle>
451         <manvolnum>5</manvolnum></citerefentry>, <citerefentry><refentrytitle>samba</refentrytitle>
452         <manvolnum>7</manvolnum></citerefentry></para>
453 </refsect1>
455 <refsect1>
456         <title>AUTHOR</title>
457         
458         <para>The original Samba software and related utilities 
459         were created by Andrew Tridgell. Samba is now developed
460         by the Samba Team as an Open Source project similar 
461         to the way the Linux kernel is developed.</para>
463         <para>The pdbedit manpage was written by Simo Sorce and Jelmer Vernooij.</para>
465 </refsect1>
467 </refentry>