pdbedit
Manage user accounts in the Samba database
TLDR
List all Samba users (use verbose flag to show their settings)
Add an existing Unix user to Samba (will prompt for password)
Remove a Samba user
Reset a Samba user's failed password counter
SYNOPSIS
pdbedit [options] [username]
Examples:
pdbedit -L (Lists all users)
pdbedit -a newuser (Adds a new user)
pdbedit -x olduser (Deletes a user)
smbpasswd username (Sets/changes an existing user's password; pdbedit itself only prompts for a password when it adds an account)
pdbedit -r -u disableduser -c "[D]" (Disables an account)
PARAMETERS
-L, --list
Lists all users in the Samba password database.
-a, --create
Adds a new user to the database and prompts for the account's password.
-x, --delete
Deletes a user from the database.
-u, --user=
Specifies the target username for an operation.
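-w, --smbpasswd-style
Used with -L to list accounts in smbpasswd file format. This listing includes each account's password hashes, so treat the output as sensitive.
-t, --password-from-stdin
Reads the password for a new account from standard input instead of the terminal. Without it, pdbedit -a prompts interactively.
-P, --account-policy=
Displays the named account policy (for example "min password length"); combined with -C, --value=, sets it.
-D, --drive=
Sets the Windows drive letter used to map the user's home directory.
-c, --account-control=
Sets the account control flags when adding or modifying an account. The flags that can be set are N, D, H, L and X; "[D]" disables the specified user or machine account, and setting the flags again without D enables it.
-r, --modify
Modifies the existing account named with -u. Kept for backward compatibility; current versions do not require it.
-m, --machine
Treats the specified account as a machine account.
-N, --account-desc=
Sets or changes the account's description (comment) string.
-f, --fullname=
Sets or changes the user's full name.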
-v, --verbose
Increases verbosity of output.
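-i, --import=
Imports user data from the given passdb backend (for example smbpasswd:/etc/smbpasswd.old) instead of the one set in smb.conf.
-e, --export=
Exports user data to the given passdb backend (for example smbpasswd:/root/samba-users.backup).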
DESCRIPTION
pdbedit is a command-line utility used to manage the Samba user and machine account database. It allows administrators to add, delete, modify, and list accounts stored in various password backends, such as the TDB (Trivial Database), LDAP, or others configured in smb.conf.
This tool is essential for managing user authentication and authorization within a Samba domain controller or a standalone Samba server. It provides granular control over account attributes like passwords, account status (enabled/disabled), full names, comments, and SIDs (Security Identifiers), making it a crucial component for Samba administrators.
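Added example, not part of the original page or of the Samba project: a filter over the verbose listing (pdbedit -L -v) that reports accounts whose status deserves review. The sample records are constructed, the field labels assume the layout Samba prints in verbose mode, and the function names and the failed-logon threshold are hypothetical.

```shell
#!/bin/sh
# Added example: flag risky account states in `pdbedit -L -v` output.
# Flag letters follow smbpasswd(5): D = disabled, N = no password required,
# X = password does not expire.

# Constructed sample input, trimmed to the fields the audit reads.
sample_listing() {
cat <<'EOF'
---------------
Unix username:        alice
Account Flags:        [U          ]
Bad password count  : 0
---------------
Unix username:        bob
Account Flags:        [DU         ]
Bad password count  : 0
---------------
Unix username:        svc_scan
Account Flags:        [UNX        ]
Bad password count  : 7
EOF
}

# Reads verbose pdbedit records on stdin, prints "user<TAB>finding" lines.
# $1 is a hypothetical review threshold for failed logons (default 5).
audit_pdbedit() {
  awk -v max_bad="${1:-5}" '
    function report() {
      if (user == "") return
      if (index(flags, "D")) print user "\tdisabled"
      if (index(flags, "N")) print user "\tno password required"
      if (index(flags, "X")) print user "\tpassword never expires"
      if (bad + 0 >= max_bad + 0) print user "\tbad password count " bad
    }
    /^-+$/                { report(); user = ""; flags = ""; bad = 0; next }
    /^Unix username:/     { user = $3 }
    /^Account Flags:/     { i = index($0, "["); j = index($0, "]")
                            flags = substr($0, i + 1, j - i - 1) }
    /^Bad password count/ { bad = $NF }
    END                   { report() }
  '
}

# Stand-alone run on the sample; on a Samba host: pdbedit -L -v | audit_pdbedit
sample_listing | audit_pdbedit
```

Run it as root on the server; the verbose listing does not print password hashes, so the findings can be logged without exposing them.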
CAVEATS
pdbedit typically requires root privileges (or sudo) to operate, as it modifies system-wide user databases. Its behavior is directly dependent on the passdb backend setting in your smb.conf file; the specific backend configured determines which database pdbedit will manipulate (e.g., TDB, LDAP, Winbind). Be cautious when managing SIDs (Security Identifiers) manually, as incorrect changes can lead to authentication issues.
BACKEND CONFIGURATION
The functionality of pdbedit is heavily influenced by the passdb backend directive in smb.conf. Ensure this setting is correctly configured to point to the desired user database (e.g., tdbsam, ldapsam, smbpasswd). Operations performed by pdbedit will apply to the currently active backend.
PASSWORD HASHING
pdbedit handles password hashing automatically based on the configured backend and Samba's security settings. It typically stores NTLM hashes, but its capabilities can extend to other formats depending on the backend (e.g., Kerberos keys for machine accounts when integrated with a KDC).
HISTORY
pdbedit is an integral part of the Samba suite, developed to provide a unified and flexible interface for managing Samba's diverse user password database backends. It emerged as a more advanced and backend-agnostic alternative to older tools like smbpasswd, particularly as Samba evolved to support various authentication methods, including integration with LDAP and Active Directory. Its design allows administrators to seamlessly manage user and machine accounts regardless of the underlying database technology.