pdbedit

List all Samba users (use verbose flag to show their settings)

$ sudo pdbedit --list --verbose

$ sudo pdbedit --user [username] --create

$ sudo pdbedit --user [username] --delete

$ sudo pdbedit --user [username] --bad-password-count-reset

pdbedit [options] [username]

Examples:
pdbedit -L (Lists all users)
pdbedit -a newuser (Adds a new user)
pdbedit -x olduser (Deletes a user)
pdbedit -u username -P newpassword (Sets/changes a user's password)
pdbedit -D disableduser (Disables an account)

-L, --list
    Lists all users in the Samba password database.

-a, --add
    Adds a new user to the database.

-x, --delete
    Deletes a user from the database.

-u, --user=
    Specifies the target username for an operation.

-w, --password=
    Sets or changes the password for the specified user. If not provided, pdbedit will prompt interactively.

-P, --primary-group-rid=
    Sets the primary group RID for a user.

-D, --disable
    Disables the specified user or machine account.

-E, --enable
    Enables the specified user or machine account.

-m, --machine
    Treats the specified account as a machine account.

-c, --comment=
    Sets or changes the user's comment string.

-f, --full-name=
    Sets or changes the user's full name.

-v, --verbose
    Increases verbosity of output.

-i, --import=
    Imports user data from an smbpasswd format file.

-e, --export=
    Exports user data to an smbpasswd format file.

pdbedit is a command-line utility used to manage the Samba user and machine account database. It allows administrators to add, delete, modify, and list accounts stored in various password backends, such as the TDB (Trivial Database), LDAP, or others configured in smb.conf.

This tool is essential for managing user authentication and authorization within a Samba domain controller or a standalone Samba server. It provides granular control over account attributes like passwords, account status (enabled/disabled), full names, comments, and SIDs (Security Identifiers), making it a crucial component for Samba administrators.

pdbedit typically requires root privileges (or sudo) to operate, as it modifies system-wide user databases. Its behavior is directly dependent on the passdb backend setting in your smb.conf file; the specific backend configured determines which database pdbedit will manipulate (e.g., TDB, LDAP, Winbind). Be cautious when managing SIDs (Security Identifiers) manually, as incorrect changes can lead to authentication issues.

The functionality of pdbedit is heavily influenced by the passdb backend directive in smb.conf. Ensure this setting is correctly configured to point to the desired user database (e.g., tdbsam, ldapsam, smbpasswd). Operations performed by pdbedit will apply to the currently active backend.

pdbedit handles password hashing automatically based on the configured backend and Samba's security settings. It typically stores NTLM hashes, but its capabilities can extend to other formats depending on the backend (e.g., Kerberos keys for machine accounts when integrated with a KDC).

pdbedit is an integral part of the Samba suite, developed to provide a unified and flexible interface for managing Samba's diverse user password database backends. It emerged as a more advanced and backend-agnostic alternative to older tools like smbpasswd, particularly as Samba evolved to support various authentication methods, including integration with LDAP and Active Directory. Its design allows administrators to seamlessly manage user and machine accounts regardless of the underlying database technology.

smb.conf(5), samba(7), smbpasswd(8), net(8)